sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity
RHEL9-CIS/tasks/main.yml
Mark Bolwell 5a612675e2
improve authselect logic 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-02-26 14:04:01 +00:00

224 lines
8.1 KiB
YAML
Raw Blame History

---
# tasks file for RHEL9-CIS
- name: "Check OS version and family"
when: os_check
tags: always
ansible.builtin.assert:
that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
- name: "Check ansible version"
tags: always
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container"
when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- container_discovery
- always
block:
- name: "Discover and set container variable if required"
ansible.builtin.set_fact:
system_is_container: true
- name: "Load variable for container"
ansible.builtin.include_vars:
file: "{{ container_vars_file }}"
- name: "Output if discovered is a container"
when: system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
- name: "Check crypto-policy input"
ansible.builtin.assert:
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
- name: "Check crypto-policy module input"
when:
- rhel9cis_rule_1_6_1
- rhel9cis_crypto_policy_module | length > 0
tags:
- rule_1.6.1
- crypto
- NIST800-53R5_SC-6
ansible.builtin.assert:
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
fail_msg: "Crypto policy module is not a permitted version"
success_msg: "Crypto policy module is a permitted version"
- name: "Check password set for {{ ansible_env.SUDO_USER }}"
when:
- rhel9cis_rule_5_2_4
- ansible_env.SUDO_USER is defined
- not system_is_ec2
tags:
- user_passwd
- rule_5.2.4
vars:
sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" # noqa name[template]
ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: prelim_ansible_user_password_set
- name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template]
when: prelim_ansible_user_password_set.stdout == "not found"
ansible.builtin.debug:
msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
- name: "Check local account"
when: prelim_ansible_user_password_set.stdout != "not found"
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert:
that:
- prelim_ansible_user_password_set.stdout | length != 0
- prelim_ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert:
that:
- not prelim_ansible_user_password_set.stdout.startswith("!")
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
- name: "Check authselect profile is selected"
when: rhel9cis_allow_authselect_updates
tags: always
block:
- name: "Check authselect profile name has been updated | Ensure name from default is changed"
ansible.builtin.assert:
that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
fail_msg: "You still have the default name for your authselect profile"
- name: "Check authselect profile is selected | Check current profile"
ansible.builtin.shell: authselect list
changed_when: false
failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
register: prelim_authselect_current_profile
- name: "Ensure root password is set"
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
- patch
- accounts
- root
- rule_5.4.2.4
block:
- name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
changed_when: false
register: prelim_root_passwd_set
- name: "Ensure root password is set"
ansible.builtin.assert:
that: prelim_root_passwd_set.rc == 0
fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set"
success_msg: "You have a root password set"
- name: "Gather the package facts"
tags: always
ansible.builtin.package_facts:
manager: auto
- name: "Include OS specific variables"
tags: always
ansible.builtin.include_vars:
file: "{{ ansible_facts.distribution }}.yml"
- name: "Include preliminary steps"
tags:
- prelim_tasks
- always
ansible.builtin.import_tasks:
file: prelim.yml
- name: "Run Section 1 tasks"
when: rhel9cis_section1
ansible.builtin.import_tasks:
file: section_1/main.yml
- name: "Run Section 2 tasks"
when: rhel9cis_section2
ansible.builtin.import_tasks:
file: section_2/main.yml
- name: "Run Section 3 tasks"
when: rhel9cis_section3
ansible.builtin.import_tasks:
file: section_3/main.yml
- name: "Run Section 4 tasks"
when: rhel9cis_section4
ansible.builtin.import_tasks:
file: section_4/main.yml
- name: "Run Section 5 tasks"
when: rhel9cis_section5
ansible.builtin.import_tasks:
file: section_5/main.yml
- name: "Run Section 6 tasks"
when: rhel9cis_section6
ansible.builtin.import_tasks:
file: section_6/main.yml
- name: "Run Section 7 tasks"
when: rhel9cis_section7
ansible.builtin.import_tasks:
file: section_7/main.yml
- name: "Run auditd logic"
when: update_audit_template
tags: always
ansible.builtin.import_tasks:
file: auditd.yml
- name: "Run post remediation tasks"
tags:
- post_tasks
- always
ansible.builtin.import_tasks:
file: post.yml
- name: "Run post_remediation audit"
when: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
- name: "Show Audit Summary"
when: run_audit
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"
- name: "If Warnings found Output count and control IDs affected"
when: warn_count != 0
tags: always
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
View git blame Copy permalink