--- - name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" ansible.builtin.file: path: /etc/passwd owner: root group: root mode: '0644' when: - rhel9cis_rule_6_1_1 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.1 - name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" ansible.builtin.file: path: /etc/passwd- owner: root group: root mode: '0644' when: - rhel9cis_rule_6_1_2 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.2 - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: path: /etc/group owner: root group: root mode: '0644' when: - rhel9cis_rule_6_1_3 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.3 - name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" ansible.builtin.file: path: /etc/group- owner: root group: root mode: '0644' when: - rhel9cis_rule_6_1_4 tags: - level1-server - level1-workstation - patch - permissionss - rule_6.1.4 - name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" ansible.builtin.file: path: /etc/shadow owner: root group: root mode: '0000' when: - rhel9cis_rule_6_1_5 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.5 - name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" ansible.builtin.file: path: /etc/shadow- owner: root group: root mode: '0000' when: - rhel9cis_rule_6_1_6 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.6 - name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" ansible.builtin.file: path: /etc/gshadow owner: root group: root mode: '0000' when: - rhel9cis_rule_6_1_7 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.7 - name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" ansible.builtin.file: path: /etc/gshadow- owner: root group: root mode: '0000' when: - rhel9cis_rule_6_1_8 tags: - level1-server - level1-workstation - patch - permissions - rule_6.1.8 - name: "6.1.9 | PATCH | Ensure no world writable files exist" block: - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false register: rhel_09_6_1_9_perms_results - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" when: - rhel_09_6_1_9_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust when: - rhel9cis_rule_6_1_9 tags: - level1-server - level1-workstation - patch - files - permissions - rule_6.1.9 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist" block: - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser -not -fstype nfs changed_when: false failed_when: false check_mode: false register: rhel_09_6_1_10_audit loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: - item['device'].startswith('/dev') - not 'bind' in item['options'] - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: msg: "Warning!! Missing owner on items in {{ discovered_unowned_files_flatten }}" when: discovered_unowned_files_flatten | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.10' when: discovered_unowned_files_flatten | length > 0 when: - rhel9cis_rule_6_1_10 tags: - level1-server - level1-workstation - audit - files - permissions - rule_6.1.10 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist" block: - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false register: rhel_09_6_1_11_audit loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: - item['device'].startswith('/dev') - not 'bind' in item['options'] - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: msg: "Warning!! Missing group on items in {{ discovered_ungrouped_files_flatten }}" when: discovered_ungrouped_files_flatten | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.11' when: discovered_ungrouped_files_flatten | length > 0 when: - rhel9cis_rule_6_1_11 tags: - level1-server - level1-workstation - audit - files - permissions - rule_6.1.11 - name: "6.1.12 | PATCH | Ensure sticky bit is set on all world-writable directories" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t changed_when: false failed_when: false when: - rhel9cis_rule_6_1_12 tags: - level1-server - level1-workstation - patch - stickybits - permissons - rule_6.1.12 - name: "6.1.13 | AUDIT | Audit SUID executables" block: - name: "6.1.13 | AUDIT | Audit SUID executables | Find all SUID executables" ansible.builtin.shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000" failed_when: false changed_when: false register: rhel_09_6_1_13_suid_perms - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms.stdout_lines }}" when: - rhel_09_6_1_13_suid_perms.stdout is defined - rhel_09_6_1_13_suid_perms.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.13' when: - rhel_09_6_1_13_suid_perms.stdout is defined - rhel_09_6_1_13_suid_perms.stdout | length > 0 vars: rhel9_6_1_13_suid_found: false when: - rhel9cis_rule_6_1_13 tags: - level1-server - level1-workstation - manual - audit - files - rule_6.1.13 - name: "6.1.14 | AUDIT | Audit SGID executables" block: - name: "6.1.14 | AUDIT | Audit SGID executables | Find all SGID executables" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 failed_when: false changed_when: false register: rhel_09_6_1_14_sgid_perms - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms.stdout_lines }}" when: - rhel_09_6_1_14_sgid_perms.stdout is defined - rhel_09_6_1_14_sgid_perms.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables| warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.14' when: - rhel_09_6_1_14_sgid_perms.stdout is defined - rhel_09_6_1_14_sgid_perms.stdout | length > 0 vars: rhel9_6_1_14_sgid_found: false when: - rhel9cis_rule_6_1_14 tags: - level1-server - level1-workstation - manual - audit - files - rule_6.1.14 - name: "6.1.15 | AUDIT | Audit system file permissions" block: - name: "6.1.15 | AUDIT | Audit system file permissions | Audit the packages" ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto changed_when: false failed_when: false register: rhel9cis_6_1_15_packages_rpm - name: "6.1.15 | AUDIT | Audit system file permissions | Create list and warning" block: - name: "6.1.15 | AUDIT | Audit system file permissions | Add file discrepancy list to system" ansible.builtin.copy: dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" owner: root group: root mode: '0640' - name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" ansible.builtin.debug: msg: | "Warning!! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 when: - rhel9cis_rule_6_1_15 tags: - level2-server - level2-workstation - manual - audit - permissions - rule_6.1.15