
Updated mountpoints controls

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-10 17:29:27 +00:00
parent bab28dda45
commit fd97459b6a
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
10 changed files with 628 additions and 214 deletions


@ -495,6 +495,11 @@ rhel9cis_rule_7_2_9: true
## Section 1 vars ## Section 1 vars
## Ability to enabe debug on mounts to assist in troubleshooting
# Mount point changes are set based upon facts created in Prelim
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
rhel9cis_debug_mount_data: false
## Control 1.1.2 ## Control 1.1.2
# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
# otherwise fstab configuration will be used. # otherwise fstab configuration will be used.
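Review bot: The new comment above `rhel9cis_debug_mount_data` has a typo, `enabe`; `## Ability to enable debug on mounts to assist in troubleshooting`. The sentence below it also reads awkwardly, `the variable and options that is passed to the handler`; `these then build the variable and options that are passed to the handler to set the mount point for the controls in section 1.`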


@ -1,6 +1,149 @@
--- ---
# handlers file for RHEL9-CIS # handlers file for RHEL9-CIS
- name: "Adding options for /tmp"
when: not rhel9cis_tmp_svc
vars:
mount_point: '/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /tmp"
- name: "Remounting /tmp"
vars:
mount_point: '/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /tmp"
- name: "Remounting /tmp systemd"
vars:
mount_point: '/tmp'
ansible.builtin.systemd:
name: tmp.mount
state: restarted
daemon_reload: true
listen: "Remount /tmp"
- name: "Adding options for /dev/shm"
vars:
mount_point: '/dev/shm'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /dev/shm"
- name: "Remounting /dev/shm"
vars:
mount_point: '/dev/shm'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /dev/shm"
- name: "Adding options for /home"
vars:
mount_point: '/home'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /home"
- name: "Remounting /home"
vars:
mount_point: '/home'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /home"
- name: "Adding options for /var"
vars:
mount_point: '/var'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var"
- name: "Remounting /var"
vars:
mount_point: '/var'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var"
- name: "Adding options for /var/tmp"
vars:
mount_point: '/var/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var/tmp"
- name: "Remounting /var/tmp"
vars:
mount_point: '/var/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var/tmp"
- name: "Adding options for /var/log"
vars:
mount_point: '/var/log'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var/log"
- name: "Remounting /var/log"
vars:
mount_point: '/var/log'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var/log"
- name: "Adding options for /var/log/audit"
vars:
mount_point: '/var/log/audit'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var/log/audit"
- name: "Remounting /var/log/audit"
vars:
mount_point: '/var/log/audit'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var/log/audit"
- name: Reload sysctl - name: Reload sysctl
ansible.builtin.shell: sysctl --system ansible.builtin.shell: sysctl --system
@ -31,11 +174,6 @@
masked: false masked: false
state: reloaded state: reloaded
- name: Remount tmp
ansible.posix.mount:
path: /tmp
state: remounted
- name: Update Crypto Policy - name: Update Crypto Policy
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}" rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
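Review bot: The `Remounting /tmp` handler has no `when`, so a single `Remount /tmp` notification fires it together with `Remounting /tmp systemd` whichever mechanism manages /tmp; only `Adding options for /tmp` carries the `when: not rhel9cis_tmp_svc` guard. On an fstab-managed host that restarts tmp.mount with a daemon reload, which, where that unit exists, could end up mounting a tmpfs over the fstab-mounted /tmp; on a tmp.mount-managed host the unit restart is followed by a redundant fstab-style remount of the same path. Mirror the guard on the two remount handlers: `when: not rhel9cis_tmp_svc` on `Remounting /tmp` and `when: rhel9cis_tmp_svc` on `Remounting /tmp systemd`. The remaining mount points have only one remount handler each and are not affected.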


@ -58,12 +58,35 @@
name: python3-libselinux name: python3-libselinux
state: present state: present
- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" - name: PRELIM | AUDIT | Section 1.1 | Create list of mount points
tags: tags: always
- Always
ansible.builtin.set_fact: ansible.builtin.set_fact:
mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options
tags: always
block:
- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module
ansible.builtin.shell: |
mount | awk '{print $1, $3, $5, $6}'
changed_when: false
register: mount_output
- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact
ansible.builtin.set_fact:
mount_point_fs_and_options: >-
{%- set mount_point_fs_and_options = {} -%}
{%- for line in mount_output.stdout_lines -%}
{%- set fields = line.split() -%}
{%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
{%- endfor -%}
{{ mount_point_fs_and_options }}
- name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting"
when: rhel9cis_debug_mount_data
ansible.builtin.debug:
msg: "{{ mount_point_fs_and_options }}"
- name: "PRELIM | PATCH | Update to latest gpg keys" - name: "PRELIM | PATCH | Update to latest gpg keys"
when: when:
- rhel9cis_rule_1_2_1_1 - rhel9cis_rule_1_2_1_1
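Review bot: The `src` stored for each mount point in the set_fact task is field $1 of `mount` output, i.e. the kernel's view of the source (a /dev path or `tmpfs`), and the new handlers in this commit write it back into fstab with `state: present`; an existing entry that uses `UUID=` or `LABEL=` would be rewritten to a device path, which for block devices is not guaranteed to be stable across reboots. The `options` list is likewise taken from the live mount, so runtime options the kernel reports (for example `seclabel`) would be written into fstab as well. If the goal is to add options to an existing entry, consider reading the fstab side first, e.g. `findmnt -sn -o SOURCE,TARGET,FSTYPE,OPTIONS`, and only falling back to the live mount where no fstab entry exists; the handler's `src`/`fstype`/`opts` lines are in a separate file. A comment above the shell task explaining why the live `mount` output is preferred over fstab would help here either way.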


@ -12,62 +12,104 @@
- rule_1.1.2.1.1 - rule_1.1.2.1.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.1.1' warn_control_id: "1.1.2.1.1"
required_mount: '/tmp' required_mount: "/tmp"
block: block:
- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent" - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_tmp_mount.rc not in [ 0, 1 ]
register: discovered_tmp_mount
- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present" - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent"
when: discovered_tmp_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present"
when: discovered_tmp_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# via fstab # via fstab
- name: | - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
"1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
"1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
"1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
ansible.posix.mount:
name: /tmp
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}"
notify: Remount tmp
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
when: when:
- item.mount == "/tmp" - mount_point_fs_and_options[mount_point] is defined
- not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- rhel9cis_rule_1_1_2_1_2
- not rhel9cis_tmp_svc - not rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2_1_2 or
rhel9cis_rule_1_1_2_1_3 or
rhel9cis_rule_1_1_2_1_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.1.2 - rule_1.1.2.1.2
- rule_1.1.2.1.3
- rule_1.1.2.1.4
- NIST800-53R5_CM-7
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
vars:
mount_point: "/tmp"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- rhel9cis_rule_1_1_2_1_3
- not rhel9cis_tmp_svc
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.1.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/tmp"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- rhel9cis_rule_1_1_2_1_4
- not rhel9cis_tmp_svc
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.1.4
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/tmp"
required_option: noexec
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
# via systemd # via systemd
- name: | - name: |
"1.1.2.1.1 | PATCH | Ensure /tmp is configured" "1.1.2.1.1 | PATCH | Ensure /tmp is configured
"1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition
"1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition" 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition
"1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
when: when:
- rhel9cis_tmp_svc - rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2_1_1 or - rhel9cis_rule_1_1_2_1_1 or rhel9cis_rule_1_1_2_1_2 or rhel9cis_rule_1_1_2_1_3 or rhel9cis_rule_1_1_2_1_4
rhel9cis_rule_1_1_2_1_2 or
rhel9cis_rule_1_1_2_1_3 or
rhel9cis_rule_1_1_2_1_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -79,10 +121,12 @@
- rule_1.1.2.1.4 - rule_1.1.2.1.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
vars:
mount_point: "/tmp"
ansible.builtin.template: ansible.builtin.template:
src: etc/systemd/system/tmp.mount.j2 src: etc/systemd/system/tmp.mount.j2
dest: /etc/systemd/system/tmp.mount dest: /etc/systemd/system/tmp.mount
owner: root owner: root
group: root group: root
mode: '0644' mode: "go-wx"
notify: Systemd restart tmp.mount notify: *mount_option_notify
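Review bot: The Absent and Present tasks guarded by `when: discovered_tmp_mount is undefined` can never run: the findmnt task two lines above registers `discovered_tmp_mount` on every non-failing outcome, and `failed_when: discovered_tmp_mount.rc not in [ 0, 1 ]` lets both rc 0 and rc 1 through, so the variable is always defined and a missing /tmp partition is never warned about. findmnt exits 1 when the target is not mounted, so both tasks should test the exit status instead: `when: discovered_tmp_mount.rc == 1`. The same `is undefined` test is used in the /dev/shm, /home, /var, /var/tmp, /var/log and /var/log/audit files of this commit. Separately, the template task's new `mode: "go-wx"` is a relative mode whose result appears to depend on the umask-derived bits the freshly written file starts with, unlike the former `'0644'`; `mode: "0644"` keeps the unit file's permissions deterministic.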


@ -1,9 +1,9 @@
--- ---
# Skips if mount is absent - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition"
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition"
when: when:
- rhel9cis_rule_1_1_2_2_1 - rhel9cis_rule_1_1_2_2_1
- required_mount not in mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -12,46 +12,84 @@
- rule_1.1.2.2.1 - rule_1.1.2.2.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.2.1' warn_control_id: "1.1.2.2.1"
required_mount: "/dev/shm"
block: block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount"
ansible.builtin.shell: mount -l | grep -w /dev/shm ansible.builtin.command: findmnt -kn "{{ required_mount }}"
changed_when: false changed_when: false
register: discovered_dev_shm_mount_check failed_when: discovered_dev_shm_mount.rc not in [ 0, 1 ]
register: discovered_dev_shm_mount
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
when: discovered_dev_shm_mount_check.rc == 1 when: discovered_dev_shm_mount is undefined
block: ansible.builtin.debug:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
- name: "1.1.2.2.1 | AUDIT | Ensure separate partition exists for /home | Present" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present"
ansible.builtin.import_tasks: when: discovered_dev_shm_mount is undefined
file: warning_facts.yml ansible.builtin.import_tasks:
file: warning_facts.yml
- name: | - name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition"
"1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
when: when:
- rhel9cis_rule_1_1_2_2_2 or - mount_point_fs_and_options[mount_point] is defined
rhel9cis_rule_1_1_2_2_3 or - rhel9cis_rule_1_1_2_2_2
rhel9cis_rule_1_1_2_2_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.2.2 - rule_1.1.2.2.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/dev/shm"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_2_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.2.3 - rule_1.1.2.2.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/dev/shm"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_2_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.2.4 - rule_1.1.2.2.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount: vars:
name: /dev/shm mount_point: "/dev/shm"
src: tmpfs required_option: noexec
fstype: tmpfs notify: *mount_option_notify
state: mounted ansible.builtin.set_fact:
opts: defaults,{% if rhel9cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_2_4 %}noexec{% endif %} <<: *mount_option_set_fact
notify: Change_requires_reboot changed_when: *mount_option_changed_when
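Review bot: The outer block is renamed from `AUDIT` to `PATCH` on its first changed line, but its body is unchanged in kind: a findmnt check, a debug warning and the warning_facts import, none of which modifies the host. The old name was the accurate one; `- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition"`. The same AUDIT-to-PATCH rename is made on the separate-partition blocks in the /home, /var, /var/tmp, /var/log and /var/log/audit files, where the `audit` tag visibly remains on the block.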


@ -1,52 +1,74 @@
--- ---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home"
when: when:
- required_mount not in mount_names
- rhel9cis_rule_1_1_2_3_1 - rhel9cis_rule_1_1_2_3_1
- required_mount not in mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1_1_2.3.1 - rule_1.1.2.3.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.3.1' warn_control_id: "1.1.2.3.1"
required_mount: '/home' required_mount: "/home"
block: block:
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_home_mount.rc not in [ 0, 1 ]
register: discovered_home_mount
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent"
when: discovered_dev_shm_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present"
when: discovered_dev_shm_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
- name: | - name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition"
"1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition
1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
when: when:
- item.mount == "/home" - mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_3_2 or - rhel9cis_rule_1_1_2_3_2
rhel9cis_rule_1_1_2_3_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.3.2 - rule_1.1.2.3.2
- rule_1.1.2.3.3
- NIST800-53R5_CM-7
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount: vars:
name: /home mount_point: "/home"
src: "{{ item.device }}" required_option: nodev
fstype: "{{ item.fstype }}" notify: &mount_option_notify
state: present - "Remount {{ mount_point }}"
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_3_3) %},nosuid{% endif %}" ansible.builtin.set_fact: &mount_option_set_fact
loop: "{{ ansible_facts.mounts }}" mount_point_fs_and_options: |
loop_control: {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
label: "{{ item.device }}" changed_when: &mount_option_changed_when
notify: Change_requires_reboot - required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_3_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.3.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/home"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
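Review bot: The Absent and Present tasks test `discovered_dev_shm_mount`, a variable registered by the /dev/shm task file, rather than the `discovered_home_mount` registered two lines above them, so the /home findmnt result never influences either task. Use the /home result and test the exit status, since the register always defines the variable: `when: discovered_home_mount.rc == 1` on both tasks. The /var file of this commit carries the same copy-paste, testing `discovered_dev_shm_mount` where `discovered_var_mount` was registered.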


@ -1,52 +1,75 @@
--- ---
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" - name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
when: when:
- required_mount not in mount_names
- rhel9cis_rule_1_1_2_4_1 - rhel9cis_rule_1_1_2_4_1
- required_mount not in mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- patch - audit
- mounts - mounts
- rule_1_1_2.4.1 - rule_1.1.2.4.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.4.1' warn_control_id: '1.1.2.4.1'
required_mount: '/var' required_mount: '/var'
block: block:
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Absent" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_var_mount.rc not in [ 0, 1 ]
register: discovered_var_mount
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
when: discovered_dev_shm_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
when: discovered_dev_shm_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition"
- name: |
"1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition
1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
when: when:
- item.mount == "/var" - mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_4_2 or - rhel9cis_rule_1_1_2_4_2
rhel9cis_rule_1_1_2_4_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.4.2 - rule_1.1.2.4.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_4_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.4.3 - rule_1.1.2.4.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount: vars:
name: /var mount_point: "/var"
src: "{{ item.device }}" required_option: nosuid
fstype: "{{ item.fstype }}" notify: *mount_option_notify
state: present ansible.builtin.set_fact:
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nosuid{% endif %}" <<: *mount_option_set_fact
loop: "{{ ansible_facts.mounts }}" changed_when: *mount_option_changed_when
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
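Review bot: The separate-partition block's tags change from `level2-server`/`level2-workstation` to `level1-server`/`level1-workstation` on the first hunk's tag lines, with nothing in the commit message explaining the reclassification; if the benchmark still scores 1.1.2.4.1 as Level 2, runs limited to the level1 tags would now execute this block and raise warnings they did not before. The same level change is made in the /home, /var/tmp, /var/log and /var/log/audit files of this commit. If it is intentional, a one-line comment above the block naming the benchmark version it follows, e.g. `# Level 1 per benchmark <VERSION-PLACEHOLDER>`, would spare the next reader the same question.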


@ -1,56 +1,95 @@
--- ---
# Skips if mount is absent - name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp"
when: when:
- required_mount not in mount_names
- rhel9cis_rule_1_1_2_5_1 - rhel9cis_rule_1_1_2_5_1
- required_mount not in mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1_1_2.5.1 - rule_1.1.2.5.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.5.1' warn_control_id: '1.1.2.5.1'
required_mount: '/var/tmp' required_mount: '/var/tmp'
block: block:
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ]
register: discovered_var_tmp_mount
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent"
when: discovered_var_tmp_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present"
when: discovered_var_tmp_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition"
- name: |
"1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
when: when:
- item.mount == "/var/tmp" - mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_5_2 or - rhel9cis_rule_1_1_2_5_2
rhel9cis_rule_1_1_2_5_3 or
rhel9cis_rule_1_1_2_5_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.5.2 - rule_1.1.2.5.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/tmp"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_5_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.5.3 - rule_1.1.2.5.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/tmp"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_5_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.5.4 - rule_1.1.2.5.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount: vars:
name: /var/tmp mount_point: "/var/tmp"
src: "{{ item.device }}" required_option: noexec
fstype: "{{ item.fstype }}" notify: *mount_option_notify
state: present ansible.builtin.set_fact:
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_5_4) %},noexec{% endif %}" <<: *mount_option_set_fact
loop: "{{ ansible_facts.mounts }}" changed_when: *mount_option_changed_when
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot


@ -1,54 +1,95 @@
--- ---
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" - name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
when: when:
- required_mount not in mount_names
- rhel9cis_rule_1_1_2_6_1 - rhel9cis_rule_1_1_2_6_1
- required_mount not in mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1_1_2.6.1 - rule_1.1.2.6.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.6.1' warn_control_id: '1.1.2.6.1'
required_mount: '/var/log' required_mount: '/var/log'
block: block:
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_var_log_mount.rc not in [ 0, 1 ]
register: discovered_var_log_mount
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent"
when: discovered_var_log_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present"
when: discovered_var_log_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
- name: | - name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition"
"1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition
1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
when: when:
- item.mount == "/var/log" - mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_6_2 or - rhel9cis_rule_1_1_2_6_2
rhel9cis_rule_1_1_2_6_3 or
rhel9cis_rule_1_1_2_6_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.6.2 - rule_1.1.2.6.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_6_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.6.3 - rule_1.1.2.6.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_6_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.6.4 - rule_1.1.2.6.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount: vars:
name: /var/log mount_point: "/var/log"
src: "{{ item.device }}" required_option: noexec
fstype: "{{ item.fstype }}" notify: *mount_option_notify
state: present ansible.builtin.set_fact:
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_6_4) %},noexec{% endif %}" <<: *mount_option_set_fact
loop: "{{ ansible_facts.mounts }}" changed_when: *mount_option_changed_when
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
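Review bot: The block name on the first changed line reads `1/.1 | PATCH | Ensure /var/log is a separate partition`, dropping the control id that the `warn_control_id: '1.1.2.6.1'` and `rule_1.1.2.6.1` tag below still carry, and labelling an audit-only block as PATCH. Suggested: `- name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition"`. The /var/log/audit file in this commit has the same `1/.1` name on its first changed line.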


@ -1,54 +1,95 @@
--- ---
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" - name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
when: when:
- required_mount not in mount_names
- rhel9cis_rule_1_1_2_7_1 - rhel9cis_rule_1_1_2_7_1
- required_mount not in mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1_1_2.7.1 - rule_1.1.2.7.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.7.1' warn_control_id: '1.1.2.7.1'
required_mount: '/var/log/audit' required_mount: '/var/log/audit'
block: block:
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ]
register: discovered_var_log_audit_mount
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent"
when: discovered_var_log_audit_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present"
when: discovered_var_log_audit_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
- name: | - name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
"1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
when: when:
- item.mount == "/var/log/audit" - mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_7_2 or - rhel9cis_rule_1_1_2_7_2
rhel9cis_rule_1_1_2_7_3 or
rhel9cis_rule_1_1_2_7_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.7.2 - rule_1.1.2.7.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log/audit"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_7_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.7.3 - rule_1.1.2.7.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log/audit"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
when:
- mount_point_fs_and_options[mount_point] is defined
- rhel9cis_rule_1_1_2_7_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.7.4 - rule_1.1.2.7.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount: vars:
name: /var/log/audit mount_point: "/var/log/audit"
src: "{{ item.device }}" required_option: noexec
fstype: "{{ item.fstype }}" notify: *mount_option_notify
state: present ansible.builtin.set_fact:
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_7_4) %},noexec{% endif %}" <<: *mount_option_set_fact
loop: "{{ ansible_facts.mounts }}" changed_when: *mount_option_changed_when
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
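Review bot: The `when: discovered_var_log_audit_mount is undefined` guards on the "Absent" debug task and the "Present" warning_facts import can never be true, because the preceding findmnt task registers that variable unconditionally (a registered variable exists even when the task itself is skipped), so the warning for a missing /var/log/audit partition is silently lost. The check task already tolerates rc 0 or 1 from findmnt, so the intended condition is presumably `when: discovered_var_log_audit_mount.rc != 0` on both of those tasks. The block name at the top of the file reads `"1/.1 | PATCH | Ensure /var/log/audit is a separate partition"` while its sub-tasks and the previous name use `1.1.2.7.1 | AUDIT`, so `- name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition"` would keep the naming consistent with the rest of the file. The tags for this control also move from level2 to level1 with the control ID unchanged; if that was not intentional it changes which profile runs the audit, so it is worth confirming against the benchmark level for this item.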