diff --git a/.ansible-lint b/.ansible-lint index 8d34382..3b7c373 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,9 +1,9 @@ --- +parseable: true quiet: true skip_list: - 'package-latest' - 'risky-shell-pipe' - - 'var-naming[read-only]' use_default_rules: true verbosity: 0 diff --git a/.github/workflows/add_repo_issue_to_gh_project.yml b/.github/workflows/add_repo_issue_to_gh_project.yml index 80d7344..4a056eb 100644 --- a/.github/workflows/add_repo_issue_to_gh_project.yml +++ b/.github/workflows/add_repo_issue_to_gh_project.yml @@ -14,4 +14,4 @@ jobs: - uses: actions/add-to-project@main with: project-url: https://github.com/orgs/ansible-lockdown/projects/1 - github-token: ${{ secrets.ALD_GH_PROJECT }} + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/export_badges_private.yml b/.github/workflows/export_badges_private.yml index 761c42e..d316cbf 100644 --- a/.github/workflows/export_badges_private.yml +++ b/.github/workflows/export_badges_private.yml @@ -12,6 +12,8 @@ on: push: branches: - latest + schedule: + - cron: '0 */6 * * *' workflow_dispatch: jobs: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml new file mode 100644 index 0000000..b6ee6a1 --- /dev/null +++ b/.github/workflows/update_galaxy.yml @@ -0,0 +1,19 @@ +--- + + name: update galaxy + + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6abad7b..0091b2a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
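Review bot: `github-token: ${{ secrets.GITHUB_TOKEN }}` will presumably stop this workflow working: the target is an organization project (`https://github.com/orgs/ansible-lockdown/projects/1`), and the repository-scoped GITHUB_TOKEN is, as far as I know, not granted organization-project access, which is why actions/add-to-project asks for a PAT with the `project` scope or a GitHub App installation token. If the goal is to retire the long-lived `ALD_GH_PROJECT` PAT, minting a short-lived GitHub App token in a preceding step is the least-privilege replacement rather than the built-in token. The context line `uses: actions/add-to-project@main` also tracks a mutable branch; an action that receives a token is the one most worth pinning to a release tag or full commit SHA. The workflow's `permissions:` block, if any, lies outside this hunk.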
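Review bot: In the new `.github/workflows/update_galaxy.yml`, `uses: ansible-actions/ansible-galaxy-action@main` pins a third-party action to a mutable branch while passing it `secrets.GALAXY_API_KEY`, so whoever can push to that branch controls what runs with the publishing key; reference a full commit SHA (version in a trailing comment) as `actions/checkout@v4` at least pins a tag. No `permissions:` key is visible in the file, so the job runs with the repository's default GITHUB_TOKEN grants; a top-level `permissions: contents: read` is all a checkout needs. The trigger is `branches: - main`, whereas CONTRIBUTING.rst in this same diff says pull requests land in `devel` and the badge workflow watches `latest`, so it is worth confirming `main` is the branch releases are cut from. The collapsed diff hides indentation, but `name:`, `on:` and `jobs:` must all sit at column 0 for the workflow to parse.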
@@ -39,16 +39,14 @@ repos: rev: v1.5.0 hooks: - id: detect-secrets - name: Detect Secrets test - repo: https://github.com/gitleaks/gitleaks - rev: v8.30.0 + rev: v8.28.0 hooks: - id: gitleaks - name: Run Gitleaks test - repo: https://github.com/ansible-community/ansible-lint - rev: v26.1.1 + rev: v25.9.2 hooks: - id: ansible-lint name: Ansible-lint @@ -67,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.38.0 # or higher tag + rev: v1.37.1 # or higher tag hooks: - id: yamllint name: Check YAML Lint diff --git a/.yamllint b/.yamllint index af0d9ab..fa7b697 100644 --- a/.yamllint +++ b/.yamllint @@ -1,5 +1,4 @@ --- - extends: default ignore: | tests/ diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index d7cdcbf..13e0b49 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -7,7 +7,7 @@ Rules 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to each other +5) Be open and nice to eachother Workflow -------- diff --git a/Changelog.md b/Changelog.md index 035d685..737f860 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -1,87 +1,8 @@ -# Changes to RHEL9CIS +# Changes to rhel9CIS -## 2.0.5 - Based on CIS v2.0.0 - -- QA Fixes -- .j2 Branding Update -- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task -- fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml -- Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis) -- Fixed broken Changelog link in README.md (case mismatch) -- Added var-naming[read-only] to ansible-lint skip list for molecule files -- Bootloader password logic updated with salt and hash options -- Added passlib dependency documentation for bootloader password hash -- Updated company title -- Tidied up comments and variables for bootloader password -- Removed scheduled tasks -- Fixed typo thanks to Eugene @Frequentis -- Unused variable audit: wired up all unused variables, removed legacy references -- Updated chrony template to use rhel9cis_chrony_server_makestep, rtcsync, and minsources variables instead of hardcoded values -- Wired up rhel9cis_authselect_custom_profile_create toggle in authselect profile creation task -- Fixed task 5.3.3.2.7/5.3.3.2.8 mislabeling: separated password quality enforce and root enforce into correct tasks -- Wired up audit_capture_files_dir in audit_only workflow for file capture to control node -- Clarified rhel9cis_root_unlock_time documentation for commented-out alternative usage -- Removed legacy rhel9cis_rule_1_1_10 from molecule converge files and is_container.yml -- Fixed wrong variable name rhel9cis_unowned_group to rhel9cis_ungrouped_group in tasks/section_7/cis_7.1.x.yml -- Added rhel9cis_install_network_manager toggle to 3.1.2 wireless interfaces task ## 2.0.4 - Based on CIS v2.0.0 -addressed issue #419, thank you @aaronk1 -addressed issue #418 thank you @bbaassssiiee -Added better sysctl logic to disable IPv6 -Added option to disable IPv6 via sysctl (original method) or via the kernel -pre-commit updates 
-public issue #410 thanks to @kpi-nourman -public issue #413 thanks to @bbaassssiiee -Public issues incorporated -Workflow updates -Pre-commit updates -README latest versions -Audit improvements and max-concurrent option added -Benchmark version variable in audit template -fixed typo thanks to @fragglexarmy #393 -fixed typo thanks to @trumbaut #397 & #399 -updated auditd template to be 2.19 compliant -PR345 thanks to thulium-drake boot password hash - if used needs passlib module -tidy up tags on tasks/main.yml - -## 2.0.3 - Based on CIS v2.0.0 - -- Thank you @fragglexarmy - - addressed Public issue 387 -- Addressed Public issue 382 to improve regex logic on 5.4.2.4 -- Improvement on crypto policy managed controls with var logic -- Thanks to @polski-g - - addressed issue 384 -- update command to shell module on tasks -- Thanks to @numericillustration - - Public PR 380 - - systemd_service rolled back to systemd for < ansible 2.14 -- Thanks to @bgro and @Kodebach - - Public PR 371 - - updated to user sudo check 5.2.4 -- Thanks to @DianaMariaDDM - - Public PR 367 - - updated several typos -- Thanks to @polski-g - - Public PR 364 - - gdm section 1.8 improvements -- Thanks to @chrispipo - - Public PR 350 - - change insert before for rsyslog setting -- Thanks to @thesmilinglord - - public issue 377 - - change 1.3 from include task to import for tagging -- Thanks to @Fredouye - - public issue 372 - - allow password with different locale - -## 2.0.4 - Based on CIS v2.0.0 - -- addressed issue #419, thank you @aaronk1 -- addressed issue #418 thank you @bbaassssiiee -- addressed issue #416 thank you @georgenalen and @bbaassssiiee - addressed issue #393 thank you to @fragglexarmy - addressed issue #394 thank you to @dbeuker - addressed issues #390 and #391 thanks to @polski-g 
@@ -90,9 +11,6 @@ tidy up tags on tasks/main.yml - work flow updates - audit logic improvements - auditd template 2.19 compatible -- pre-commit updates -- #410 thanks to @kpi-nourman -- #413 thanks to @bbaassssiiee ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy @@ -141,7 +59,7 @@ tidy up tags on tasks/main.yml - updated controls 6.2.10-6.2.14 - audit - steps moved to prelim - - update to copy and archive logic and variables + - update to coipy and archive logic and variables - removed vars not used - updated quotes used in mode tasks - pre-commit update @@ -175,7 +93,7 @@ tidy up tags on tasks/main.yml - lint updates - .secrets updated - file mode quoted -- updated 5.6.5 thanks to feedback from S!ghs on discord community +- updated 5.6.5 thansk to feedback from S!ghs on discord community ## 1.1.1 - Based on CIS v1.0.0 @@ -207,7 +125,7 @@ tidy up tags on tasks/main.yml ## 1.0.10 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) - - Only run check when playbook user not a superuser + - Only run check when paybook user not a superuser - fix for 5.5.3 thanks to @nrg-fv ## 1.0.9 @@ -279,7 +197,7 @@ Jan-2023 release - updated ansible minimum to 2.10 - Lint file updates and improvements -- auditd now shows diff after initial template added +- auditd now shows diff ater initial template added - many control rewritten - Many controls moved ID references - Audit updates aligned @@ -304,7 +222,7 @@ Jan-2023 release - #209 5.6.5 rewrite umask settings - #220 tidy up and align variables - #226 Thanks to Thulium-Drake - -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required for auditd to run correctly in some cases) + -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases) - #227 thanks to OscarElits - chrony files now RH expected locations 
@@ -344,9 +262,9 @@ Jan-2023 release - not all controls work with rhel8 releases any longer - selinux disabled 1.6.1.4 - logrotate - 4.3.x -- updated to rhel8cis v2.0 benchmark requirements +- updated to rhel8cis v2.0 benchamrk requirements - removed iptables firewall controls (not valid on rhel9) -- added more to logrotate 4.3.x - sure to logrotate now a separate package +- added more to logrotate 4.3.x - sure to logrotate now a seperate package - grub path now standard to /boot/grub2/grub.cfg - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer - workflow update @@ -365,7 +283,7 @@ args: ``` - update boolean values to true/false -- 3.4.2 improved checks for package presence +- 3.4.2 improved checks for p[ackage presence - changed to assert for OS/release and ansible version ## Initial diff --git a/LICENSE b/LICENSE index bed11b4..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 15b5823..65a8fca 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ ## Lint & Pre-Commit Tools 🔧 +[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel) ![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white) ![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white) 
@@ -48,6 +49,7 @@ ![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json) [![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) +[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml) ![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json) ![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json) @@ -56,9 +58,9 @@ ## Looking for support? 🤝 -[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9-CIS) +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS) -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9-CIS) +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS) ### Community 💬 
@@ -84,10 +86,10 @@ This role **will make changes to the system** which may have unintended conseque ## Coming From A Previous Release ⏪ -CIS release always contains changes, it is highly recommended to review the new references and available variables. These have changed significantly since ansible-lockdown initial release. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. -Further details can be seen in the [Changelog](./Changelog.md) +Further details can be seen in the [Changelog](./ChangeLog.md) --- @@ -101,7 +103,7 @@ This is managed using tags: - level2-server - level2-workstation -The controls found in defaults/main.yml also need to reflect this, as they control the testing that takes place if you are using the audit component. +The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component. --- ## Requirements ✅ @@ -128,9 +130,6 @@ RHEL Family OS 9 - python-def - libselinux-python -If you are using the option to create your own bootloader hash the ansible controller -- passlib - --- ## Auditing 🔍 diff --git a/defaults/main.yml b/defaults/main.yml index 4245f53..fbe81eb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,5 @@ --- - -# defaults file for RHEL9-CIS +# defaults file for rhel9-cis # WARNING: # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable 
@@ -64,7 +63,7 @@ benchmark: RHEL9-CIS # System will reboot if false, can give better audit results skip_reboot: true -# default value will change to true but won't reboot if not enabled but will error +# default value will change to true but wont reboot if not enabled but will error change_requires_reboot: false ### @@ -94,11 +93,17 @@ audit_max_concurrent: 50 ## Only run Audit do not remediate audit_only: false +### As part of audit_only ### +# Path to copy the files to will create dir structure in audit_only mode +audit_capture_files_dir: /some/location to copy to on control node ############################# -# How to retrieve audit binary -# Options are copy or download - detailed settings at the bottom of this file -# you will need access to either github or the file already downloaded +## How to retrieve audit binary(Goss) +# Options are 'copy' or 'download' - detailed settings at the bottom of this file +# - if 'copy': +# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss +# - if 'download': +# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars get_audit_binary_method: download ## if get_audit_binary_method - copy the following needs to be updated for your environment @@ -252,8 +257,9 @@ rhel9cis_rule_1_8_8: true rhel9cis_rule_1_8_9: true rhel9cis_rule_1_8_10: true +## Section 2 Fixes # Section 2 rules are controlling Services (Special Purpose Services, and service clients) -## Configure Server Services +# Configure Server Services rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_1_3: true @@ -394,6 +400,7 @@ rhel9cis_rule_5_3_3_2_4: true rhel9cis_rule_5_3_3_2_5: true rhel9cis_rule_5_3_3_2_6: true rhel9cis_rule_5_3_3_2_7: true +rhel9cis_rule_5_3_3_2_8: true # 5.3.3.3 Configure pam_pwhistory module # These are added as part of 5.3.2.4 using jinja2 template rhel9cis_rule_5_3_3_3_1: true 
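Review bot: `audit_capture_files_dir: /some/location to copy to on control node` ships a sentence as the default value; as a plain scalar it parses to the literal string `/some/location to copy to on control node`, so whatever consumes it in audit_only mode would presumably try to create a directory of that name instead of failing clearly. A safer default is an empty string with the instruction in the comment, e.g. `audit_capture_files_dir: ""  # set to a control-node directory when audit_only is true`, ideally paired with an assert in the audit_only flow that the value is non-empty. The same hunk and the hunks at L10, L13, L18 and L19 also introduce comment typos on the new side (`wont`, `that is passed`, `disablex11`, `can must` twice, `values is`) where the removed lines were spelled correctly.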
@@ -532,7 +539,7 @@ rhel9cis_rule_7_2_9: true ## Ability to enable debug on mounts to assist in troubleshooting # Mount point changes are set based upon facts created in Prelim -# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1. +# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. rhel9cis_debug_mount_data: false ## Control 1.1.2 
@@ -576,33 +583,14 @@ rhel9cis_selinux_pol: targeted rhel9cis_selinux_enforce: enforcing ## Control 1.4.1 -# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. -rhel9cis_set_boot_pass: false - -################### bootloader password ############################################################ -# -# Two options for setting the bootloader password -# -# Option 1: Set the bootloader password and salt – requires the passlib Python module -# to be available on the Ansible controller. -# Set this value to something secure to have predictable hashes, -# which will prevent unnecessary changes. - -rhel9cis_bootloader_salt: '' - -# This variable stores the GRUB bootloader password to be written -# to the '/boot/grub2/user.cfg' file. The default value must be changed. - -rhel9cis_bootloader_password: 'password' # pragma: allowlist secret - -# Option 2: Set the bootloader password hash – if the salt value is empty, -# the password will be set using the variable below. -# If you are not using the bootloader hash filter, you can set it here -# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring - +# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value +# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with +# this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret -###################################################################################################### +## Control 1.4.1 +# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. +rhel9cis_set_boot_pass: true ## Controls 1.6.x and Controls 5.1.x # This variable governs if current Ansible role should manage system-wide crypto policy. 
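Review bot: `rhel9cis_set_boot_pass: true` turns the bootloader-password control on by default while the only value it can consume is the placeholder `rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'`, which is not a PBKDF2 digest; a run with unmodified defaults would presumably push that string into `/boot/grub2/user.cfg`, where GRUB cannot validate it against any password. Keep the control opt-in (`rhel9cis_set_boot_pass: false`, as the removed line had it) or guard the consuming task with an assert that the value differs from the shipped placeholder and carries the rounds/salt/hash fields that `grub2-mkpasswd-pbkdf2` emits after `grub.pbkdf2.sha512.`. The heading `## Control 1.4.1` now appears twice on the new side; one heading over both comment blocks reads better.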
@@ -614,7 +602,14 @@ rhel9cis_crypto_policy_ansiblemanaged: true # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -## Control 1.6 +# This variable contains the value of the crypto policy module(combinations of policies and +# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, +# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: +# - 'OSPP' +# - 'AD-SUPPORT' +# - 'AD-SUPPORT-LEGACY' +rhel9cis_crypto_policy_module: '' +## Controls 1.6.x # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable. @@ -624,7 +619,7 @@ rhel9cis_additional_crypto_policy_module: '' # - 1.7.1 - Ensure message of the day is configured properly # - 1.7.2 - Ensure local login warning banner is configured properly # - 1.7.3 - Ensure remote login warning banner is configured properly -# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). +# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported. # End Banner @@ -807,8 +802,6 @@ rhel9cis_tftp_client: false ## Control 3.1.1 - Ensure IPv6 status is identified # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true -# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel -rhel9cis_ipv6_disable_method: "sysctl" ## Control 3.1.2 - Ensure wireless interfaces are disabled # if wireless adapter found allow network manager to be installed 
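Review bot: The comment block added above `rhel9cis_crypto_policy_module: ''` ("This variable contains the value of the crypto policy module … 'OSPP', 'AD-SUPPORT', 'AD-SUPPORT-LEGACY'") is then repeated almost verbatim under `## Controls 1.6.x` for `rhel9cis_additional_crypto_policy_module`, so a reader cannot tell what distinguishes the two variables. Each comment should state what its own variable contributes that the other does not, rather than duplicating the text; the distinction cannot be inferred from this diff, so it needs the consuming tasks. The last hunk on this line drops `rhel9cis_ipv6_disable_method`; if any task still references it the role would fail with an undefined variable, which cannot be checked from here.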
@@ -914,8 +907,8 @@ rhel9cis_sshd_clientalivecountmax: 3 # keep the connection alive and prevent it being terminated due to inactivity. rhel9cis_sshd_clientaliveinterval: 15 -## Control 5.1.12 - disable forwarding -# By Default this will also disable X11 forwarding +## Control 5.1.10 - Ensure sshd DisableForwarding is enabled +# By Default this will also disablex11 forwarding # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf # This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to # disable X11Forwarding. If X11 is required, set this variable's value to `yes`! @@ -959,7 +952,14 @@ rhel9cis_ssh_maxsessions: 4 # This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" -## Control 5.2.x - Ensure sudo authentication timeout is configured correctly +## Control 5.2.4 - Ensure users must provide password for escalation +# The following variable specifies a list of users that should not be required to provide a password +# for escalation. Feel free to edit it according to your needs. +rhel9cis_sudoers_exclude_nopasswd_list: + - ec2-user + - vagrant + +## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly # This variable sets the duration (in minutes) during which a user's authentication credentials # are cached after successfully authenticating using "sudo". This allows the user to execute # multiple commands with elevated privileges without needing to re-enter their password for each 
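Review bot: `rhel9cis_sudoers_exclude_nopasswd_list` defaults to `ec2-user` and `vagrant`, exempting those accounts from control 5.2.4 ("Ensure users must provide password for escalation") on every host the role touches; `ec2-user` is the standard login on EC2 images, so the default silently keeps passwordless sudo on production cloud instances, which is the very thing the control is meant to remove. The default should be empty, `rhel9cis_sudoers_exclude_nopasswd_list: []`, with lab or bootstrap accounts added explicitly by the operator (molecule/vagrant can set it in their own vars). "Feel free to edit it according to your needs" understates the effect; something like `# Accounts listed here keep NOPASSWD sudo - leave empty on production hosts` states it. The first hunk on this line also relabels the forwarding section as `5.1.10` and writes `disablex11` for `disable X11`.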
@@ -999,38 +999,19 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta" ## Control 5.3.3.1.1 - # This variable sets the amount of tries a password can be entered, before a user is locked. rhel9cis_pam_faillock_deny: 5 - -# - 5.3.3.1.2 +## Control 5.3.3.2, 5.3.2.2 # This variable sets the amount of time a user will be unlocked after the max amount of # password failures. rhel9cis_pam_faillock_unlock_time: 900 -##################################################################################################################### -# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior -# -# Controls how root is handled when the failed login threshold is reached. -#################### Two mutually exclusive options ################################################################# -# -# -> even_deny_root : Lock root just like any other account -# -> root_unlock_time = : Lock root but auto-unlock after seconds -# -# Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root -# identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock -# after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}" -# and adjust 'rhel9cis_root_unlock_time' as needed. -# -# Set ONE of the following: -# -# Option 1: root is locked identically to regular users when the failed login threshold is reached +## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account +# This variable is used in the task that ensures that even the root account +# is included in the password failed attempts lockout measure. +# The following variable is used in the 'regexp' field. This field is used to find the +# line in the file. If the line matches the regular expression, it will be replaced +# with the line parameter's value. 
rhel9cis_pamroot_lock_option: even_deny_root -# Option 2: root is locked but auto-unlocks after the specified seconds. -# Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time) -rhel9cis_root_unlock_time: 60 -# rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}" -# -######################################################################################################################## - ## Control 5.3.3.2.1 - Ensure password number of changed characters is configured # This variable holds the path to the configuration file that will be created (or overwritten if already existing) # in order to implement the 'Ensure password number of changed characters is configured' control. 
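Review bot: The new heading `## Control 5.3.3.2, 5.3.2.2` above `rhel9cis_pam_faillock_unlock_time` does not fit its neighbours — the variable before it is labelled `## Control 5.3.3.1.1`, the one after `## Control 5.3.3.1.3`, and the removed line called this one `5.3.3.1.2` — so `## Control 5.3.3.1.2` is the consistent label. The blank line between `rhel9cis_pam_faillock_deny: 5` and that heading is also dropped, unlike every other control block in the file. The new 5.3.3.1.3 comment describes a `regexp`/`line` replacement mechanism that belongs to the task, not to the value; the variable comment is clearer stating only that `even_deny_root` subjects root to the same lockout as other users.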
@@ -1103,9 +1084,14 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con # When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'. rhel9cis_passwd_dictcheck_value: 1 -# 5.3.3.2.7 - Ensure password quality is enforced for the root user -rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret +# This variable is used in one of the config files to ensure password quality checking is enforced rhel9cis_passwd_quality_enforce_value: 1 + +## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user +# This variable holds the path to the configuration file that will be created (or overwritten if already existing) +# in order to implement the 'Ensure password quality is enforced for the root user' control. +rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret +# The following variable enforces that the root user must adhere to the same password quality policies as other users. rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret ## Control 5.3.3.3.1 - Ensure password history remember is configured 
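Review bot: `rhel9cis_passwd_quality_enforce_value: 1` survives on the new side but its companion path `rhel9cis_passwd_quality_enforce_file` is removed, and the replacement comment ("used in one of the config files") no longer says which file receives it; with `rhel9cis_rule_5_3_3_2_8: true` enabled earlier in this diff, any task that still writes the value needs a destination. Either keep the file variable or make the comment concrete, e.g. `# Written as enforcing=1 into <PWQUALITY_DROP_IN_THE_TASK_TARGETS>`, once the consuming task is confirmed — it is not in this diff.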
@@ -1145,21 +1131,21 @@ rhel9cis_inactivelock: # CIS requires a value of 30 days or less. lock_days: 30 -## Control 5.4.1.x - Ensure all users last password change date is in the past +## Control 5.4.1.6 - Ensure all users last password change date is in the past # Allow ansible to expire password for account with a last changed date in the future. Setting it # to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -# 5.4.2.x - -## 5.4.2.5 Root user used -# Root by default is not used unless setup by user -# The role will only run certain commands if set to true -# This allows the ability to skip tasks that may cause an issue -# With the understanding root has full access -rhel9cis_uses_root: false - -## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive +## Control 5.4.2.6 - Ensure root user umask is configured +# The following variable specifies the "umask" to configure for the root user. +# The user file-creation mode mask ( umask ) is used to determine the file +# permission for newly created directories and files. In Linux, the default +# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for +# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default +# Linux permissions by restricting (masking) these permissions. The umask is not +# simply subtracted, but is processed bitwise. Bits set in the umask are cleared +# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more +# restrictive. rhel9cis_root_umask: '0027' # 0027 or more restrictive ## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin 
@@ -1176,7 +1162,7 @@ rhel9cis_shell_session_timeout: 900 # This variable specifies the path of the timeout setting file. # (TMOUT setting can be set in multiple files, but only one is required for the # rule to pass. Options are: -# - a file in `/etc/profile.d/` ending in `.sh`, +# - a file in `/etc/profile.d/` ending in `.s`, # - `/etc/profile`, or # - `/etc/bash.bashrc`. rhel9cis_shell_session_file: /etc/profile.d/tmout.sh @@ -1204,8 +1190,9 @@ rhel9cis_aide_db_file_age: 1w # If AIDE is already setup this variable forces a new database # file to be created. rhel9cis_aide_db_recreate: false - -# allows changing the db file; note the config needs to be adjusted too +# This variable is used to check if there is already an existing database file +# created by AIDE on the target system. If it is not present, the role will generate +# a database file with the same name as the value of this variable. rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz ## Control 6.1.2 - Ensure filesystem integrity is regularly checked @@ -1235,12 +1222,12 @@ rhel9cis_aide_cron: # This variable governs the day of the month when the AIDE cronjob is run. # `*` signifies that the job is run on all days; furthermore, specific days # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) must be in the range `1-31`. + # The specified day(s) can must be in the range `1-31`. aide_day: '*' # This variable governs months when the AIDE cronjob is run. # `*` signifies that the job is run in every month; furthermore, specific months # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) must be in the range `1-12`. + # The specified month(s) can must be in the range `1-12`. aide_month: '*' # This variable governs the weekdays, when the AIDE cronjob is run. # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays 
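Review bot: The comment now reads `# - a file in \`/etc/profile.d/\` ending in \`.s\`,` while the variable two lines below defaults to `/etc/profile.d/tmout.sh`; `/etc/profile` sources only `*.sh` from that directory, so the comment contradicts both the default and the mechanism and should say `.sh`. The AIDE comment in the second hunk ("check if there is already an existing database file … generate a database file with the same name") asserts task behaviour that is not visible here; hedge it or keep the shorter wording that was removed. The two `can must be in the range` lines in the third hunk should read `must be in the range`.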
@@ -1280,7 +1267,7 @@ rhel9cis_journald_runtimekeepfree: 100G # Current variable governs the settings for log retention(how long the log files will be kept). # Thus, it specifies the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. -# The given value is interpreted as seconds, unless suffixed with the units +# The given values is interpreted as seconds, unless suffixed with the units # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks # ATTENTION: Uncomment the keyword below when values are set! diff --git a/filter_plugins/grub_hash.py b/filter_plugins/grub_hash.py deleted file mode 100644 index 245756b..0000000 --- a/filter_plugins/grub_hash.py +++ /dev/null 
@@ -1,73 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-# Copyright (c) 2025, Jeffrey van Pelt
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-from __future__ import annotations
-
-DOCUMENTATION = r"""
-name: grub_hash
-short_description: Generate a GRUB2 password hash
-version_added: 1.0.0
-author: Jeffrey van Pelt (@Thulium-Drake)
-description:
- - Generate a GRUB2 password hash from the input
-options:
- _input:
- description: The desired password for the GRUB bootloader
- type: string
- required: true
- salt:
- description: The salt used to generate the hash
- type: string
- required: false
- rounds:
- description: The amount of rounds to run the PBKDF2 function
- type: int
- required: false
-"""
-
-EXAMPLES = r"""
-- name: 'Generate hash with defaults'
- ansible.builtin.debug:
- msg: "{{ 'mango123!' | grub_hash }}"
-
-- name: 'Generate hash with custom rounds and salt'
- ansible.builtin.debug:
- msg: "{{ 'mango123!'
| grub_hash(rounds=10001, salt='andpepper') }}" - # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C -""" - -RETURN = r""" -_value: - description: A GRUB2 password hash - type: string -""" - -from ansible.errors import AnsibleFilterError -import os -import base64 -from passlib.hash import grub_pbkdf2_sha512 - -def grub_hash(password, rounds=10000, salt=None): - if salt is None: - # Generate 64-byte salt if not provided - salt = os.urandom(64) - - # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed - if not isinstance(salt, bytes): - try: - salt = salt.encode("utf-8") - except AttributeError: - raise TypeError("Salt must be a string, not int.") - - # Configure hash generator - pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt) - return pbkdf2_generator.hash(password) - -class FilterModule(object): - def filters(self): - return { - 'grub_hash': grub_hash - } diff --git a/handlers/main.yml b/handlers/main.yml index 9c4f3c1..1ef6ccf 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -11,7 +11,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /tmp" - name: "Remounting /tmp" @@ -20,7 +19,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /tmp" - name: "Remounting /tmp systemd" @@ -30,7 +28,6 @@ name: tmp.mount state: restarted daemon_reload: true - become: true listen: "Remount /tmp" - name: "Adding options for /dev/shm" 
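Review bot: Removing `become: true` from "Adding options for /tmp", "Remounting /tmp" and "Remounting /tmp systemd" means the `ansible.posix.mount` and `ansible.builtin.systemd` calls run as the connecting user unless privilege escalation is set at play or role level; if it is not, the remount and `daemon_reload` fail with a permission error. The same removal is repeated for every mount handler in the hunks on L22 and L23 and for the `systemctl kill auditd` / "Start auditd process" handlers at the end of L23, so either the play-level `become` contract should be stated in a comment at the top of handlers/main.yml or the lines should stay. L23 also renames the handler `Set reboot required` to `Change_requires_reboot`; the three `notify:` references inside this file follow, but any task elsewhere in the role that still notifies the old name would presumably fail with an unknown-handler error, and the snake_case name departs from the sentence-case naming of every other handler here.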
@@ -42,7 +39,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /dev/shm" - name: "Remounting /dev/shm" @@ -51,7 +47,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /dev/shm" - name: "Adding options for /home" @@ -63,7 +58,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /home" - name: "Remounting /home" @@ -72,7 +66,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /home" - name: "Adding options for /var" @@ -84,7 +77,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /var" - name: "Remounting /var" @@ -93,7 +85,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /var" - name: "Adding options for /var/tmp" @@ -105,7 +96,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /var/tmp" - name: "Remounting /var/tmp" @@ -114,7 +104,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /var/tmp" - name: "Adding options for /var/log" @@ -126,7 +115,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /var/log" - name: "Remounting /var/log" 
@@ -135,7 +123,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /var/log" - name: "Adding options for /var/log/audit" @@ -147,7 +134,6 @@ state: present fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" - become: true listen: "Remount /var/log/audit" - name: "Remounting /var/log/audit" @@ -156,7 +142,6 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - become: true listen: "Remount /var/log/audit" - name: "Remounting /boot/efi" @@ -165,8 +150,7 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - notify: Set reboot required - become: true + notify: Change_requires_reboot listen: "Remount /boot/efi" - name: Reload sysctl @@ -210,7 +194,7 @@ ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" changed_when: true notify: - - Set reboot required + - Change_requires_reboot - Restart sshd - name: Restart firewalld @@ -271,21 +255,19 @@ when: discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: Set reboot required + notify: Change_requires_reboot - name: Stop auditd process ansible.builtin.command: systemctl kill auditd changed_when: true - become: true listen: Restart auditd - name: Start auditd process ansible.builtin.systemd: name: auditd state: started - become: true listen: Restart auditd -- name: Set reboot required +- name: Change_requires_reboot ansible.builtin.set_fact: change_requires_reboot: true diff --git a/meta/main.yml b/meta/main.yml index 9418c84..8f8b65f 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,11 +1,11 @@ --- galaxy_info: - author: "Ansible-Lockdown" + author: "MindPoint Group" description: "Apply the RHEL 9 CIS" - company: "MindPoint Group - A Tyto Athene Company" + company: "MindPoint Group" license: MIT role_name: rhel9_cis - namespace: ansible-lockdown + namespace: mindpointgroup min_ansible_version: 2.10.1 platforms: - name: EL diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 348d0ab..27172b2 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -10,6 +10,7 @@ system_is_container: true rhel9cis_selinux_disable: true rhel9cis_rule_5_2_4: false + rhel9cis_rule_1_1_10: false rhel9cis_firewall: "none" rhel9cis_rule_4_1_1_1: false rhel9cis_rule_4_1_1_2: false diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml index daa9d18..5128600 100644 --- a/molecule/wsl/converge.yml +++ b/molecule/wsl/converge.yml @@ -8,15 +8,16 @@ vars: ansible_user: "{{ lookup('env', 'USER') }}" system_is_container: true - rhel9cis_selinux_disable: true + rhel8cis_selinux_disable: true role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" - rhel9cis_rule_5_3_4: false - rhel9cis_rsyslog_ansiblemanaged: false - rhel9cis_rule_3_4_1_3: false - rhel9cis_rule_3_4_1_4: false - rhel9cis_rule_4_2_1_2: false - rhel9cis_rule_4_2_1_4: false - rhel9cis_rule_5_1_1: false + rhel8cis_rule_5_3_4: false + rhel8cis_rule_1_1_10: false + rhel8cis_rsyslog_ansiblemanaged: false + rhel8cis_rule_3_4_1_3: false + rhel8cis_rule_3_4_1_4: false + rhel8cis_rule_4_2_1_2: false + rhel8cis_rule_4_2_1_4: false + rhel8cis_rule_5_1_1: false pre_tasks: tasks: diff --git a/site.yml b/site.yml index 4386b04..f3f0fae 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,7 @@ --- - name: Apply ansible-lockdown hardening - hosts: "{{ hosts | default('all') }}" + hosts: all become: true roles: - role: "{{ playbook_dir }}" diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 53293e7..d784dc1 100644 
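Review bot: The overrides in the molecule/wsl/converge.yml hunk are renamed from the `rhel9cis_` prefix to `rhel8cis_` (`rhel8cis_selinux_disable`, `rhel8cis_rule_5_3_4`, `rhel8cis_rule_1_1_10`, `rhel8cis_rsyslog_ansiblemanaged`, …), but this is the RHEL 9 role and every other file in the diff keeps `rhel9cis_`, so these variables are never read and the WSL scenario will run with SELinux handling, rule 5.3.4, the 3.4.1.x/4.2.1.x rules and rsyslog management enabled. Every line in the hunk needs the prefix changed back, e.g. `rhel9cis_selinux_disable: true` and `rhel9cis_rule_1_1_10: false`. An ansible-lint `var-naming` pattern or a molecule assertion on an unexpected-prefix variable would catch this class of drift.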
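Review bot: In the site.yml hunk `hosts: all` replaces `"{{ hosts | default('all') }}"`, so the play can no longer be scoped with `-e hosts=...` and hardens every inventory host unless `--limit` is remembered on each run. For a playbook that remounts filesystems, rewrites PAM and sshd configuration and can trigger a reboot, the overridable form is the safer default; restore `hosts: "{{ hosts | default('all') }}"`, or if the simplification is deliberate add a comment on the play telling operators to use `--limit`.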
--- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,5 +1,4 @@ --- - - name: Pre Audit Setup | Set audit package name block: - name: Pre Audit Setup | Set audit package name | 64bit diff --git a/tasks/main.yml b/tasks/main.yml index 6aed0d0..63bcfad 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -11,16 +11,18 @@ that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" - + - name: "Check ansible version" tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - + - name: "Setup rules if container" - when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + when: + - ansible_connection == 'docker' or + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always 
@@ -28,34 +30,34 @@ - name: "Discover and set container variable if required" ansible.builtin.set_fact: system_is_container: true - + - name: "Load variable for container" ansible.builtin.include_vars: file: "{{ container_vars_file }}" - + - name: "Output if discovered is a container" when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container - + - name: "Check crypto-policy input" ansible.builtin.assert: that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" - - - name: "Check rhel9cis_bootloader_password variable has been changed" + + - name: "Check rhel9cis_bootloader_password_hash variable has been changed" when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 tags: always ansible.builtin.assert: - that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly" - + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" + - name: "Check crypto-policy module input" when: - - rhel9cis_crypto_policy_ansiblemanaged + - rhel9cis_rule_1_6_1 - rhel9cis_crypto_policy_module | length > 0 tags: - rule_1.6.1 
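Review bot: The rewritten bootloader assertion uses `rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1`, which only confirms the marker appears somewhere in the string and reads awkwardly in Jinja; anchoring it is both stricter and clearer, e.g. `that: rhel9cis_bootloader_password_hash.startswith('grub.pbkdf2.sha512.') and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'`. Dropping the `rhel9cis_bootloader_salt`/`rhel9cis_bootloader_password` alternative is consistent with deleting the grub_hash filter plugin at the top of this diff and with the cis_1.4.x change on L32, but users who supplied a plaintext password and salt now fail this assert with a message that never mentions that path; a changelog entry or an extra clause in `msg` pointing to the hash-only workflow would avoid confusion. The `- `/`+ ` pairs replacing blank lines throughout tasks/main.yml appear to add or remove trailing whitespace rather than content; whichever side carries the spaces should be cleaned so yamllint `trailing-spaces` stays quiet.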
@@ -65,7 +67,7 @@ that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules fail_msg: "Crypto policy module is not a permitted version" success_msg: "Crypto policy module is a permitted version" - + - name: "Check password set for {{ ansible_env.SUDO_USER }}" when: - rhel9cis_rule_5_2_4 @@ -83,12 +85,12 @@ failed_when: false check_mode: false register: prelim_ansible_user_password_set - + - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template] when: prelim_ansible_user_password_set.stdout == "not found" ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." - + - name: "Check local account" when: prelim_ansible_user_password_set.stdout != "not found" block: 
@@ -100,15 +102,15 @@ or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) ) - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" - + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4" - + - name: "Check authselect profile is selected" when: rhel9cis_allow_authselect_updates tags: always @@ -117,13 +119,13 @@ ansible.builtin.assert: that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile' fail_msg: "You still have the default name for your authselect profile" - + - name: "Check authselect profile is selected | Check current profile" ansible.builtin.command: authselect list changed_when: false - failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ] - register: prelim_authselect_profile_list - + failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] + register: prelim_authselect_current_profile + - name: "Ensure root password is set" when: rhel9cis_rule_5_4_2_4 tags: 
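Review bot: The new `fail_msg` in this hunk reads "has no password set or or the user is not included", a doubled "or" that the change introduces; restore `fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"`. The second hunk on this line renames the register of the `authselect list` task to `prelim_authselect_current_profile`, but `authselect list` returns the available profiles, not the current one, so the old name `prelim_authselect_profile_list` described the data more accurately; the consumer in cis_5.3.2.x on L34 is updated consistently, so either name works functionally.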
@@ -135,86 +137,88 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set - + - name: "Ensure root password is set" ansible.builtin.assert: that: prelim_root_passwd_set.rc == 0 fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set" success_msg: "You have a root password set" - + - name: "Gather the package facts" tags: always ansible.builtin.package_facts: manager: auto - + - name: "Include OS specific variables" tags: always ansible.builtin.include_vars: file: "{{ ansible_facts.distribution }}.yml" - + - name: "Include preliminary steps" - tags: prelim_tasks + tags: + - prelim_tasks + - always ansible.builtin.import_tasks: file: prelim.yml - + - name: "Run Section 1 tasks" when: rhel9cis_section1 ansible.builtin.import_tasks: file: section_1/main.yml - + - name: "Run Section 2 tasks" when: rhel9cis_section2 ansible.builtin.import_tasks: file: section_2/main.yml - + - name: "Run Section 3 tasks" when: rhel9cis_section3 ansible.builtin.import_tasks: file: section_3/main.yml - + - name: "Run Section 4 tasks" when: rhel9cis_section4 ansible.builtin.import_tasks: file: section_4/main.yml - + - name: "Run Section 5 tasks" when: rhel9cis_section5 ansible.builtin.import_tasks: file: section_5/main.yml - + - name: "Run Section 6 tasks" when: rhel9cis_section6 ansible.builtin.import_tasks: file: section_6/main.yml - + - name: "Run Section 7 tasks" when: rhel9cis_section7 ansible.builtin.import_tasks: file: section_7/main.yml - + - name: "Run auditd logic" when: update_audit_template tags: always ansible.builtin.import_tasks: file: auditd.yml - + - name: "Run post remediation tasks" tags: - post_tasks - always 
ansible.builtin.import_tasks: file: post.yml - + - name: "Run post_remediation audit" when: run_audit tags: always ansible.builtin.import_tasks: file: post_remediation_audit.yml - + - name: Add ansible file showing Benchmark and levels applied if audit details not present when: - create_benchmark_facts @@ -231,7 +235,7 @@ owner: root group: root mode: 'u=rwx,go=rx' - + - name: Create ansible facts file and levels applied if audit facts not present ansible.builtin.template: src: etc/ansible/compliance_facts.j2 @@ -239,7 +243,7 @@ owner: root group: root mode: 'u-x,go=r' - + - name: Fetch audit files when: - fetch_audit_output @@ -247,13 +251,13 @@ tags: always ansible.builtin.import_tasks: file: fetch_audit_output.yml - + - name: "Show Audit Summary" when: run_audit tags: always ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - + - name: "If Warnings found Output count and control IDs affected" when: warn_count != 0 tags: always diff --git a/tasks/post.yml b/tasks/post.yml index b6efdfe..383cdf6 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -28,7 +28,8 @@ - name: POST | reboot system if changes require it and not skipped when: change_requires_reboot - tags: always + tags: + - always vars: warn_control_id: Reboot_required block: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 09e3620..7c31c25 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,12 +1,10 @@ --- -# Preliminary tasks that should always run -# List users in order to look up files inside each home directory +# Preliminary tasks that should always be run +# List users in order to look files inside each home directory - name: "PRELIM | Include audit specific variables" - when: - - run_audit or audit_only - - setup_audit + when: run_audit or audit_only or setup_audit tags: - setup_audit - run_audit 
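Review bot: The root-password probe in this hunk narrows the grep from `(Alternate authentication|Password set|Password locked)` to `(Password set|Password locked)`, so a root account whose `passwd -S` output reports an alternate authentication scheme now makes the following assert fail with "requires that you have a root password set". If that output was accepted deliberately before, this is a behaviour change that should be called out in the changelog; otherwise keep the previous pattern. Adding `always` to the `Include preliminary steps` tags also changes what a tag-limited run does (prelim.yml now executes under any `--tags` selection), which is consistent with post tasks but deserves a changelog line too.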
@@ -14,8 +12,7 @@ file: audit.yml - name: "PRELIM | Include pre-remediation audit tasks" - when: - - run_audit or audit_only + when: run_audit or audit_only or setup_audit tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml @@ -95,11 +92,6 @@ - rhel9cis_rule_1_2_1_1 - ansible_facts.distribution != 'RedHat' - ansible_facts.distribution != 'OracleLinux' - tags: - - level1-server - - level1-workstation - - rule_1.2.1.1 - - gpg ansible.builtin.package: name: "{{ gpg_key_package }}" state: latest @@ -214,15 +206,14 @@ block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless - register: prelim_wireless_adapters + register: discover_wireless_adapters changed_when: false check_mode: false - failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] + failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" when: - - rhel9cis_install_network_manager - - prelim_wireless_adapters.rc == 0 + - discover_wireless_adapters.rc == 0 - "'NetworkManager' not in ansible_facts.packages" ansible.builtin.package: name: NetworkManager @@ -286,7 +277,8 @@ - name: "PRELIM | PATCH | Create journald config directory" when: - rhel9cis_syslog == 'journald' - - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4 + - rhel9cis_rule_6_2_1_3 or + rhel9cis_rule_6_2_1_4 tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index e67bb39..adc094d 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -27,7 +27,8 @@ mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - when: not system_is_container + when: + - not system_is_container community.general.modprobe: name: cramfs state: absent 
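Review bot: Both `when:` rewrites in prelim.yml (the first hunk, ending on L30, and this one) become `run_audit or audit_only or setup_audit`, so the `pre_remediation_audit.yml` import in this hunk now runs an audit when only `setup_audit` is true — a run meant to install the audit tooling also performs the pre-remediation audit. If `setup_audit` is meant to be setup-only, keep this hunk's condition as `when: run_audit or audit_only`; the first hunk's loosening (including audit variables whenever setup is requested) looks intentional and is fine. The comment edits in the first hunk also introduce typos ("should always be run", "look files"); the previous wording was correct.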
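Review bot: The `Install Network-Manager` task in the `-214` hunk drops the `rhel9cis_install_network_manager` guard, so NetworkManager is now installed on any host where a wireless adapter is found with no operator opt-out; keep the toggle as a second condition alongside `- discover_wireless_adapters.rc == 0`. The register rename to `discover_wireless_adapters` also departs from the `prelim_`/`discovered_` naming the role uses elsewhere (`prelim_root_passwd_set`, `discovered_auditd_immutable_check`); the consumer in cis_3.1.x on L33 is updated, but a `prelim_`-prefixed name would match the file's convention.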
diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index efb1dc3..635648d 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -1,5 +1,4 @@ --- - - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - rhel9cis_rule_1_1_2_3_1 diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 379b92d..2ccb59f 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -13,4 +13,4 @@ ansible.builtin.package: name: "*" state: latest - notify: Set reboot required + notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 4476d30..5969dff 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -13,7 +13,7 @@ - NIST800-53R5_AC-3 ansible.builtin.copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root mode: 'go-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index b6bff9d..a20c0e9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -16,35 +16,19 @@ - rule_3.1.1 - NIST800-53R5_CM-7 block: - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template" - when: "'sysctl' in rhel9cis_ipv6_disable_method" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" ansible.builtin.set_fact: rhel9cis_sysctl_update: true rhel9cis_flush_ipv6_route: true - - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info" - when: "'sysctl' in rhel9cis_ipv6_disable_method" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status" - when: "'kernel' in rhel9cis_ipv6_disable_method" - ansible.builtin.command: grubby --info=ALL - changed_when: false - failed_when: false - register: discovered_rhel9cis_3_1_1_ipv6_status - - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel" - when: - - "'kernel' in rhel9cis_ipv6_disable_method" - - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout" - ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1" - changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0 - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: - rhel9cis_rule_3_1_2 - - prelim_wireless_adapters.rc == 0 + - discover_wireless_adapters.rc == 0 tags: - level1-server - patch diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index a75e444..dc450ea 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -411,8 +411,6 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}' - insertbefore: "^Match" - firstmatch: true validate: sshd -t -f %s notify: Restart sshd 
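Review bot: The renamed sub-tasks in this hunk label an `ansible.builtin.debug` message as `3.1.1 | PATCH | Ensure IPv6 status is identified | disable` and a `set_fact` as `... | refresh`, while the role's convention marks report-only tasks as `AUDIT` and names the action; the previous `3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info` is more accurate for the debug task. With the kernel-parameter path removed, the block unconditionally sets `rhel9cis_sysctl_update` and `rhel9cis_flush_ipv6_route`, which matches dropping `rhel9cis_ipv6_disable_method` from the goss template on L38, but the defaults file and README that document that variable are not in this diff and should be checked for leftover references.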
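Review bot: Removing `insertbefore: "^Match"` and `firstmatch: true` from the `MaxAuthTries` lineinfile in the cis_5.1.x hunk (and from `MaxStartups` in the hunk on L34) means that when the directive is absent it is appended at the end of `{{ rhel9cis_sshd_config_file }}`; if that file ends with a `Match` block, the directive either applies only to the matched users instead of globally or, for keywords not permitted inside `Match`, fails the `sshd -t` validation and the task. Keep both keys so the line is placed before the first `Match`: `insertbefore: "^Match"` and `firstmatch: true`.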
@@ -433,8 +431,6 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: (?i)^(#|)\s*MaxStartups line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' - insertbefore: "^Match" - firstmatch: true validate: sshd -t -f %s notify: Restart sshd diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 51f032e..6e1919c 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -14,7 +14,7 @@ - rule_5.3.2.1 block: - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles" - when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout + when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" changed_when: false args: @@ -93,10 +93,10 @@ loop: - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons - line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" before: "auth\\s+required\\s+pam_deny.so" - line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "account\\s+required\\s+pam_faillock.so" before: "account\\s+required\\s+pam_unix.so" line: "account required pam_faillock.so" # yamllint disable-line rule:colons 
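Review bot: The `pam_faillock.so preauth`/`authfail` lines in the cis_5.3.2.x `-93` hunk (and the identical pair in the `-112` hunk on L35) hard-code `deny=3` next to a templated `unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}`. pam_faillock gives module-line options precedence over `/etc/security/faillock.conf`, so if the role's faillock.conf tasks also set `deny`, that setting is silently overridden and operators lose the ability to tune the lockout threshold. Either drop `deny=3` and rely on faillock.conf, or template it like the unlock time through a role variable (a new default such as `rhel9cis_pam_faillock_deny: 3` — placeholder name) so the two sources cannot disagree.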
@@ -112,10 +112,10 @@ loop: - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons - line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" before: "auth\\s+required\\s+pam_deny.so" - line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "account\\s+required\\s+pam_faillock.so" before: "account\\s+required\\s+pam_unix.so" line: "account required pam_faillock.so" # yamllint disable-line rule:colons diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index aa2e0f8..e8e1530 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -340,7 +340,7 @@ - system notify: Authselect update -- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" +- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server @@ -350,8 +350,8 @@ - NIST800-53R5_IA-5 - pam ansible.builtin.template: - src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2" - dest: "/{{ rhel9cis_passwd_quality_enforce_file }}" + src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2" + dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}" owner: root group: root mode: 'o-rwx' diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index d1ba865..b291cc2 100644 --- a/tasks/section_5/cis_5.4.2.x.yml 
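Review bot: The task renamed in the first cis_5.3.3.2.x hunk on this line is now `5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user` but stays gated on `rhel9cis_rule_5_3_3_2_7` and tagged `rule_5.3.3.2.7`, while the goss template hunk on L38 adds a separate `rhel9cis_rule_5_3_3_2_8`; if root-user enforcement is its own benchmark item, this task should move to the 5.3.3.2.8 variable and tag, and the original password-quality task should remain under 5.3.3.2.7. The second hunk switches to `rhel9cis_passwd_quality_enforce_root_file`, which is not defined anywhere in this diff; unless it exists in defaults outside this change, the template task fails with an undefined variable.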
+++ b/tasks/section_5/cis_5.4.2.x.yml @@ -179,7 +179,7 @@ - item.stat.exists - item.stat.isdir - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - - (item != 'root') and (not rhel9cis_uses_root ) + - (item != 'root') and (not rhel9cis_uses_root) ansible.builtin.file: path: "{{ item.stat.path }}" state: directory diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 3d4db89..09a2fdd 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -10,12 +10,14 @@ file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure privilege escalation" - when: rhel9cis_section5_2 + when: + - rhel9cis_section5_2 ansible.builtin.import_tasks: file: cis_5.2.x.yml - name: "SECTION | 5.3" - when: rhel9cis_section5_3 + when: + - rhel9cis_section5_3 block: - name: "SECTION | 5.3.1.x | Configure PAM software packages" ansible.builtin.import_tasks: @@ -42,7 +44,8 @@ file: cis_5.3.3.4.x.yml - name: "SECTION | 5.4" - when: rhel9cis_section5_4 + when: + - rhel9cis_section5_4 block: - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" ansible.builtin.import_tasks: diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index 82302ed..fe0f8c4 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -25,7 +25,7 @@ - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(\s*ForwardToSyslog\s*=.*) + regexp: ^(\s*ForwardToSyslog) replace: '#\1' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" @@ -50,7 +50,7 @@ - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(\s*Compress\s*=.*) + regexp: (?i)(\s*compress=) replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" 
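Review bot: The `comment out current entries` regexes in the cis_6.2.2.x `-50` hunk and the `Storage` hunk on L37 lose their `^` anchor: `(?i)(\s*compress=)` and `(?i)(\s*storage=)` also match lines that are already commented, so `#Compress=yes` becomes `##Compress=yes` on the next run and the tasks stop being idempotent. Restore the anchor, e.g. `regexp: (?i)^(\s*compress\s*=)` and `regexp: (?i)^(\s*storage\s*=)`. The `ForwardToSyslog` change in the `-25` hunk keeps `^` and so remains idempotent.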
@@ -76,5 +76,5 @@ - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(\s*Storage\s*=.*) + regexp: (?i)(\s*storage=) replace: '#\1' diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 42c7725..eaa3bd1 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -195,7 +195,7 @@ register: discovered_rsyslog_remote_host notify: Restart rsyslog -- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client" +- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" when: rhel9cis_rule_6_2_3_7 tags: - level1-server @@ -208,7 +208,7 @@ - NIST800-53R5_AU-12 - NIST800-53R5_CM-6 block: - - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host" + - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" when: not rhel9cis_system_is_log_server ansible.builtin.replace: path: /etc/rsyslog.conf @@ -221,7 +221,7 @@ - '^(module\(load="imtcp"\))' - '^(input\(type="imtcp")' - - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host" + - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" when: rhel9cis_system_is_log_server ansible.builtin.replace: path: /etc/rsyslog.conf diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index b7655aa..b23fb89 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -58,7 +58,7 @@ - level1-server - level1-workstation - patch - - permissions + - permissionss - rule_7.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 
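Review bot: The three task names changed in the cis_6.2.3.x hunks on this line (`-195`, `-208`, `-221`) replace "receive" with the misspelling "recieve", a regression on the new side that shows up in every play recap and in anything that greps task names. Revert to `Ensure rsyslog is not configured to receive logs from a remote client` in all three.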
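Review bot: The 7.1.4 tag list in the cis_7.1.x `-58` hunk now carries `permissionss` instead of `permissions`, so `--tags permissions` and `--skip-tags permissions` no longer include this control while sibling tasks keep the correct tag; change the line back to `- permissions`. A misspelled tag drops a control from tag-driven runs silently, so a lint check against the role's allowed tag set would catch this class of error.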
@@ -254,7 +254,7 @@ ansible.builtin.file: path: "{{ item }}" owner: "{{ rhel9cis_unowned_owner }}" - group: "{{ rhel9cis_ungrouped_group }}" + group: "{{ rhel9cis_unowned_group }}" with_items: - "{{ discovered_unowned_files_flatten }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index a0343ee..cbaa125 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,7 +1,7 @@ --- -# Enable long running potential resource intensive tests +# Enable logrunning potential resource intensive tests run_heavy_tests: {{ audit_run_heavy_tests }} # Extend default command timeout for longer running tests @@ -206,7 +206,6 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }} rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} - ## Network Kernel Modules rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} @@ -292,6 +291,7 @@ rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }} rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }} rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }} rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }} +rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }} # 5.3.3.3 Configure pam_pwhistory module # This are added as part of 5.3.2.4 using jinja2 template rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }} @@ -530,8 +530,6 @@ rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }} ## 3.1 IPv6 requirement toggle # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} -# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel -rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }} # 3.3 System network parameters (host only OR host and router) # This variable governs whether specific CIS rules 
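Review bot: The `ansible.builtin.file` task in the `@@ -254,7 +254,7 @@` hunk of `cis_7.1.x.yml` now sets `group: "{{ rhel9cis_unowned_group }}"` where the previous code used `rhel9cis_ungrouped_group`; if the new name is not declared in the role's defaults (not visible here), the task fails at runtime with an undefined-variable error for every item in `discovered_unowned_files_flatten`. Please confirm that both `rhel9cis_unowned_owner` and `rhel9cis_unowned_group` are defined, and that any separate ungrouped-files task still refers to a variable that exists. The enclosing task starts before the hunk.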
diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index d3e394a..70ebd03 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index af65935..c3c2b6c 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 index b28aea1..fb12b29 100644 --- a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 +++ b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 index 0da1b18..f8725e1 100644 --- a/templates/etc/ansible/compliance_facts.j2 +++ b/templates/etc/ansible/compliance_facts.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +# CIS Hardening Carried out +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company [lockdown_details] # Benchmark release 
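Review bot: The `98_auditd_exception.rules.j2` hunk replaces the shared `{{ file_managed_by_ansible }}` header with three hard-coded comment lines, and the rest of this diff does the same with differing wording per file (`99_auditd.rules.j2`, `compliance_facts.j2`, `aide.cron.j2`, the `dconf/db/*.j2` files, `modprobe.conf.j2`, the sysctl and journald drop-ins), while `chrony.conf.j2` switches to `{{ ansible_managed | comment }}` and the pmod and pwquality templates get no header at all. With the variable gone the rendered files no longer carry `{{ benchmark }}`, and the company name is now duplicated in roughly ten places where one edit used to cover them all. If the variable is being retired on purpose, using `{{ ansible_managed | comment }}` as `chrony.conf.j2` does would give every template the same header without the duplication.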
diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index 671e2f0..cc5cd84 100644 --- a/templates/etc/chrony.conf.j2 +++ b/templates/etc/chrony.conf.j2 @@ -1,4 +1,4 @@ -{{ file_managed_by_ansible }} +{{ ansible_managed | comment }} # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). @@ -11,19 +11,17 @@ driftfile /var/lib/chrony/drift # Allow the system clock to be stepped in the first three updates # if its offset is larger than 1 second. -makestep {{ rhel9cis_chrony_server_makestep }} +makestep 1.0 3 -{% if rhel9cis_chrony_server_rtcsync %} # Enable kernel synchronization of the real-time clock (RTC). rtcsync -{% endif %} # Enable hardware timestamping on all interfaces that support it. #hwtimestamp * # Increase the minimum number of selectable sources required to adjust # the system clock. -minsources {{ rhel9cis_chrony_server_minsources }} +#minsources 2 # Allow NTP client access from local network. #allow 192.168.0.0/16 diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index df0b1a5..4c1af92 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,5 +1,7 @@ -{{ file_managed_by_ansible }} # Run AIDE integrity check +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 index 7b907ab..fd6eaff 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # This is a subpolicy dropping the SHA1 hash and signature support # Carried out as part of CIS Benchmark rule 1.6.3 
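Review bot: The `@@ -11,19 +11,17 @@` hunk of `chrony.conf.j2` hard-codes `makestep 1.0 3`, removes the `rhel9cis_chrony_server_rtcsync` conditional and turns `minsources` into the commented-out `#minsources 2`, so the three `rhel9cis_chrony_server_*` variables no longer influence the rendered file and a minimum-source requirement is no longer applied at all. If the intent is to shrink the role's surface, the corresponding defaults should be removed in the same change so they do not remain as silently ignored knobs. The disabled line also deserves a why-comment, e.g. `# minsources deliberately left at chrony's default; uncomment to require two agreeing sources`, since a reader will otherwise assume it was commented out by accident.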
diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 index 3619008..9092036 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # This is a subpolicy to disable all CBC mode ciphers # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rule 1.6.5 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 index 570048c..cebc2ad 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # This is a subpolicy to disable Encrypt then MAC # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rule 1.6.7 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 index f03cd05..393cf88 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # This is a subpolicy to disable weak ciphers # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 index 25e2336..f040399 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 
@@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # This is a subpolicy to disable weak macs # Carried out as part of CIS Benchmark control 5.1.6 diff --git a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 index 984106a..0020e6d 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # This is a subpolicy to disable weak macs # Carried out as part of CIS Benchmark rule 1.6.4 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index f3c3b74..0e55b5a 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index a09aca5..cf9ed5d 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index f81aaea..640538c 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 
@@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 6928d80..382469c 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 1445dcc..a747336 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index eafc95e..5988316 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index 54562d2..901e9e0 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 
@@ -1,5 +1,7 @@ -{{ file_managed_by_ansible }} +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/login-screen] banner-message-enable=true -banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}" +banner-message-text="{{ rhel9cis_warning_banner }}" diff --git a/templates/etc/logrotate.d/rsyslog_log.j2 b/templates/etc/logrotate.d/rsyslog_log.j2 index d9aa2a7..8acb53e 100644 --- a/templates/etc/logrotate.d/rsyslog_log.j2 +++ b/templates/etc/logrotate.d/rsyslog_log.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} /var/log/rsyslog/*.log { {{ rhel9cis_rsyslog_logrotate_rotated_when }} rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index 6c3d7d8..77b8cd5 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -1,4 +1,6 @@ -{{ file_managed_by_ansible }} -## YOUR CHANGES WILL BE LOST! +# Disable usage of protocol {{ item }} +# Set by ansible {{ benchmark }} remediation role +# https://github.com/ansible-lockdown +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! install {{ item }} /bin/true diff --git a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 index d8cdb67..c223c84 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.3 Ensure password complexity is configured {% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret diff --git a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 index e7cd0e0..09b6ee3 100644 
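Review bot: The new `banner-message-text="{{ rhel9cis_warning_banner }}"` in the `01-banner-message.j2` hunk drops the `| trim | replace("\n", "\\n")` filtering, so a banner variable that contains line breaks (the common case for a block-scalar banner) now renders a dconf string value spanning several physical lines, which the keyfile parser does not accept and `dconf update` then fails on. The removed filters were what kept the value on one line; I'd restore `banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"`. Neither version escapes an embedded double quote in the banner, which would also break the value; adding `| replace('"', '\\"')` before the newline replacement would close that gap.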
--- a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.6 Ensure password dictionary check is enabled dictcheck = {{ rhel9cis_passwd_dictcheck_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 index d69120a..2e8ae2d 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.1 Ensure password number of changed characters is configured difok = {{ rhel9cis_passwd_difok_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 index 0f893ac..9e874ee 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.2 Ensure minimum password length is configured minlen = {{ rhel9cis_passwd_minlen_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 index d200904..a561fec 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.5 Ensure password maximum sequential characters is configured maxsequence = {{ rhel9cis_passwd_maxsequence_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 index c8fff7e..6fea8db 100644 
--- a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.7 Ensure password quality checking is enforced enforcing = {{ rhel9cis_passwd_quality_enforce_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 index 0b2c592..28b8dde 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.4 Ensure password same consecutive characters is configured maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 index 243d7fb..9effdae 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # CIS Configurations -# 5.3.3.2.7 Ensure password quality is enforced for the root user +# 5.3.3.2.8 Ensure password quality is enforced for the root user {{ rhel9cis_passwd_quality_enforce_root_value }} diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index dfca519..bdded40 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 
@@ -1,11 +1,7 @@ -{{ file_managed_by_ansible }} -## YOUR CHANGES WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 disable {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 -{% for interface in ansible_interfaces %} -net.ipv6.conf.{{ interface }}.disable_ipv6 = 1 -{% endfor %} {% endif %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 index 12901dc..11a93f2 100644 --- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -1,5 +1,4 @@ -{{ file_managed_by_ansible }} -## YOUR CHANGES WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {% if rhel9cis_rule_1_5_1 %} # Adress space randomise diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 8d27e8f..336071c 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,5 +1,4 @@ -{{ file_managed_by_ansible }} -## YOUR CHANGES WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv4 Network sysctl {% if rhel9cis_rule_3_3_1 %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index 3ef53f4..07e045d 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -1,5 +1,4 @@ -{{ file_managed_by_ansible }} -## YOUR CHANGES WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 Network sysctl {% if rhel9cis_ipv6_required %} diff --git a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 index 682cdd5..3b00ce1 100644 --- a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 
+++ b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 @@ -1,4 +1,4 @@ -{{ file_managed_by_ansible }} +# File created for CIS benchmark # CIS rule 6_2_2_2 [Journal] ForwardToSyslog=no diff --git a/templates/etc/systemd/journald.conf.d/rotation.conf.j2 b/templates/etc/systemd/journald.conf.d/rotation.conf.j2 index 4a3174b..07eedba 100644 --- a/templates/etc/systemd/journald.conf.d/rotation.conf.j2 +++ b/templates/etc/systemd/journald.conf.d/rotation.conf.j2 @@ -1,4 +1,4 @@ -{{ file_managed_by_ansible }} +# File created for CIS benchmark # CIS rule 6_2_1_3 [Journal] SystemMaxUse={{ rhel9cis_journald_systemmaxuse }} diff --git a/templates/etc/systemd/journald.conf.d/storage.conf.j2 b/templates/etc/systemd/journald.conf.d/storage.conf.j2 index 5e5726d..214f9db 100644 --- a/templates/etc/systemd/journald.conf.d/storage.conf.j2 +++ b/templates/etc/systemd/journald.conf.d/storage.conf.j2 @@ -1,4 +1,4 @@ -{{ file_managed_by_ansible }} +# File created for CIS benchmark [Journal] {% if rhel9cis_rule_6_2_2_3 %} # Set compress CIS rule 6_2_2_3 diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index 245102f..7f64547 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -1,4 +1,3 @@ -{{ file_managed_by_ansible }} # SPDX-License-Identifier: LGPL-2.1+ # # This file is part of systemd. @@ -8,7 +7,7 @@ # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. -## YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! [Unit] Description=Temporary Directory (/tmp) diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index f407fa5..64927cc 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml @@ -1,5 +1,4 @@ --- - # OS Specific Settings os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " 
diff --git a/vars/is_container.yml b/vars/is_container.yml index bcc4cd4..1a69784 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -2,7 +2,7 @@ # File to skip controls if container # Based on standard image no changes -# it expected all pkgs required for the container are already installed +# it expected all pkgs required for the container are alreday installed ## controls @@ -57,6 +57,7 @@ rhel9cis_rule_1_1_6: false rhel9cis_rule_1_1_7: false rhel9cis_rule_1_1_8: false rhel9cis_rule_1_1_9: false +rhel9cis_rule_1_1_10: false # /var/log rhel9cis_rule_1_1_11: false # /var/log/audit diff --git a/vars/main.yml b/vars/main.yml index 2225042..9337d58 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -24,8 +24,6 @@ rhel9cis_allowed_crypto_policies_modules: - 'NO-SSHWEAKMAC' - 'NO-WEAKMAC' -rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy - # Used to control warning summary warn_control_list: "" warn_count: 0 @@ -41,7 +39,7 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys" ## Controls 6.3.3.x - Audit template # This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude -# specific rules, you must set the variable of form `rhel9cis_rule_6_3_3_x` above +# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above # to `false`. update_audit_template: false 
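Review bot: The reworded comment in the `@@ -41,7 +39,7 @@` hunk of `vars/main.yml` now tells the reader to set `ubtu24cis_rule_6_3_3_x`, which is the Ubuntu 24 role's variable prefix; in this RHEL 9 role the variables are `rhel9cis_rule_6_3_3_x`, as the previous text said, so someone following the comment would set a variable nothing reads. Put `rhel9cis_rule_6_3_3_x` back in place of `ubtu24cis_rule_6_3_3_x` on that line. Separately, the `@@ -24,8 +24,6 @@` hunk deletes `rhel9_compiled_bootloader_password`; if the section 1 bootloader tasks still reference it (not visible here), they will fail with an undefined variable, so the consumer should be confirmed removed or updated in the same change.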
@@ -52,7 +50,7 @@ update_audit_template: false # system_is_container the true. Otherwise, the default value # 'false' is left unchanged. system_is_container: false -# The filename of the existing yml file in role's 'vars/' sub-directory +# The filename of the existing yml file in role's 'vars/' sub-directory # to be used for managing the role-behavior when a container was detected: # (de)activating rules or for other tasks(e.g. disabling Selinux or a specific # firewall-type). @@ -76,10 +74,3 @@ audit_bins: - /sbin/autrace - /sbin/auditd - /sbin/augenrules - -company_title: 'MindPoint Group - A Tyto Athene Company' - -file_managed_by_ansible: |- - # File managed by ansible as part of {{ benchmark }} benchmark - # As part of Ansible-lockdown - # Provided by {{ company_title }}
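Review bot: The `@@ -76,10 +74,3 @@` hunk deletes `file_managed_by_ansible` and `company_title` from `vars/main.yml`, so any template that still renders `{{ file_managed_by_ansible }}` will fail with an undefined variable at task time rather than at lint time. This diff removes the reference from every template it touches, but a grep for `file_managed_by_ansible` across `templates/` and `tasks/` should be part of the change to be sure none remain, and `{{ benchmark }}`, which the deleted text used, should be checked for remaining consumers. The `@@ -52,7 +50,7 @@` hunk also appears to add trailing whitespace to the `# The filename of the existing yml file ...` comment line, which yamllint's `trailing-spaces` rule flags; worth dropping if so.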