sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #340 from ansible-lockdown/interactive_user_update

Browse source 
Updated variable naming for interactive_users
This commit is contained in:
uk-bolly 2025-05-28 18:42:20 +01:00 committed by GitHub
commit f70821bf7e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 74 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

8
tasks/parse_etc_password.yml
View file

@ -7,12 +7,12 @@
ansible.builtin.shell: cat /etc/passwd | grep -v '^#' ansible.builtin.shell: cat /etc/passwd | grep -v '^#'
changed_when: false changed_when: false
check_mode: false check_mode: false
register: prelim_passwd_file_audit register: prelim_capture_passwd_file
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - name: "PRELIM | 5.4.2 | 7.2.8 | Split passwd entries"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" prelim_captured_passwd_data: "{{ prelim_capture_passwd_file.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
loop: "{{ prelim_passwd_file_audit.stdout_lines }}" loop: "{{ prelim_capture_passwd_file.stdout_lines }}"
vars: vars:
ld_passwd_regex: >- ld_passwd_regex: >-
^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*) ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)

2
tasks/post_remediation_audit.yml
View file

@ -33,7 +33,7 @@
when: audit_format == "documentation" when: audit_format == "documentation"
block: block:
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false changed_when: false
register: post_audit_summary register: post_audit_summary

10
tasks/prelim.yml
View file

@ -31,9 +31,17 @@
- name: "PRELIM | AUDIT | Interactive Users (reformat)" - name: "PRELIM | AUDIT | Interactive Users (reformat)"
tags: always tags: always
ansible.builtin.set_fact: ansible.builtin.set_fact:
prelim_interactive_usernames: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" prelim_interactive_users: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}"
loop: "{{ prelim_interactive_users_raw.stdout_lines }}" loop: "{{ prelim_interactive_users_raw.stdout_lines }}"
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
changed_when: false
check_mode: false
register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs" - name: "PRELIM | AUDIT | Interactive UIDs"
tags: always tags: always
ansible.builtin.shell: > ansible.builtin.shell: >

8
tasks/section_5/cis_5.4.1.x.yml
View file

@ -29,7 +29,7 @@
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
when: when:
- discovered_max_days.stdout_lines | length > 0 - discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_usernames | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
- rhel9cis_force_user_maxdays - rhel9cis_force_user_maxdays
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item }}"
@ -60,7 +60,7 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS"
when: when:
- discovered_min_days.stdout_lines | length > 0 - discovered_min_days.stdout_lines | length > 0
- item in prelim_interactive_usernames | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
- rhel9cis_force_user_mindays - rhel9cis_force_user_mindays
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item }}"
@ -91,7 +91,7 @@
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS"
when: when:
- discovered_warn_days.stdout_lines | length > 0 - discovered_warn_days.stdout_lines | length > 0
- item in prelim_interactive_usernames | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
- rhel9cis_force_user_warnage - rhel9cis_force_user_warnage
ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
changed_when: true changed_when: true
@ -140,7 +140,7 @@
register: discovered_passwdlck_user_list register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames | map(attribute='username') | list when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true changed_when: true
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"

8
tasks/section_5/cis_5.4.2.x.yml
View file

@ -195,7 +195,7 @@
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when: when:
- rhel9cis_rule_5_4_2_7 - rhel9cis_rule_5_4_2_7
- "item.id not in prelim_interactive_usernames | map(attribute='username')" - "item.id not in prelim_interactive_users | map(attribute='username')"
- item.id not in rhel9cis_system_users_shell - item.id not in rhel9cis_system_users_shell
- "'root' not in item.id" - "'root' not in item.id"
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -212,7 +212,7 @@
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.id }}" name: "{{ item.id }}"
shell: /usr/sbin/nologin shell: /usr/sbin/nologin
loop: "{{ rhel9cis_passwd }}" loop: "{{ prelim_captured_passwd_data }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"
@ -220,7 +220,7 @@
when: when:
- rhel9cis_rule_5_4_2_8 - rhel9cis_rule_5_4_2_8
- rhel9cis_disruption_high - rhel9cis_disruption_high
- "item.id not in prelim_interactive_usernames | map(attribute='username')" - "item.id not in prelim_interactive_users | map(attribute='username')"
- "'root' not in item.id" - "'root' not in item.id"
tags: tags:
- level1-server - level1-server
@ -235,6 +235,6 @@
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.id }}" name: "{{ item.id }}"
password_lock: true password_lock: true
loop: "{{ rhel9cis_passwd }}" loop: "{{ prelim_captured_passwd_data }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"

66
tasks/section_7/cis_7.2.x.yml
View file

@ -243,7 +243,7 @@
state: directory state: directory
owner: "{{ item.id }}" owner: "{{ item.id }}"
group: "{{ item.gid }}" group: "{{ item.gid }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}" loop: "{{ prelim_captured_passwd_data | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"
@ -286,8 +286,8 @@
vars: vars:
warn_control_id: '7.2.9' warn_control_id: '7.2.9'
block: block:
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
ansible.builtin.shell: find /home/ -name "\.*" ansible.builtin.shell: find {{ prelim_interactive_users_home.stdout_lines | list | join(' ') }} -name "\.*" -type f
changed_when: false changed_when: false
failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ] failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ]
check_mode: false check_mode: false
@ -296,25 +296,63 @@
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found" - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
when: when:
- discovered_homedir_hidden_files.stdout | length > 0 - discovered_homedir_hidden_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged - not rhel9cis_dotperm_ansiblemanaged
ansible.builtin.debug: ansible.builtin.debug:
msg: msg:
- "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further." - "Warning!! Please investigate that hidden files found in users home directories match control requirements."
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Set warning count"
when: when:
- discovered_homedir_hidden_files.stdout | length > 0 - discovered_homedir_hidden_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged - not rhel9cis_dotperm_ansiblemanaged
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
when: when:
- discovered_homedir_hidden_files.stdout | length > 0 - discovered_homedir_hidden_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged - rhel9cis_dotperm_ansiblemanaged
ansible.builtin.file: block:
path: '{{ item }}' - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history & .netrc"
mode: 'go-w' when:
owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" - discovered_homedir_hidden_files.stdout | length > 0
group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" - item | basename in ['.bash_history','.netrc']
with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,go-rwx'
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
register: discovered_dot_bash_history_to_change
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
ansible.builtin.file:
path: '{{ item }}'
mode: 'u-x,go-wx'
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
register: discovered_dot_bash_history_to_change
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files ownerships"
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
register: discovered_dot_bash_history_to_change
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
ansible.builtin.file:
path: '{{ item }}'
mode: 'go-w'
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | rename .forward or .rhosts files"
when:
- item | basename in ['.forward','.rhosts']
- item is not search ("CIS")
ansible.builtin.command: "mv {{ item }} {{ item }}_CIS_TOBEREVIEWED"
changed_when: true
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"