sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity
RHEL9-CIS/tasks/section_5/cis_5.6.x.yml
Mark Bolwell bd7c4e3da2
improved tests based upon #190 thanks to @ipruteanu-sie 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-06-05 08:01:17 +01:00

149 lines
4.7 KiB
YAML
Raw Blame History

---
- name: "5.6.2 | PATCH | Ensure system accounts are secured"
block:
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin"
ansible.builtin.user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "root"
- item.id != "sync"
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
ansible.builtin.user:
name: "{{ item.id }}"
password_lock: true
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"
when:
- rhel9cis_rule_5_6_2
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.2
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
ansible.builtin.blockinfile:
path: "{{ item.path }}"
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: '0644'
block: |
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT
readonly TMOUT
loop:
- { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
- { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
when:
- rhel9cis_rule_5_6_3
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.3
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
ansible.builtin.user:
name: root
group: 0
when:
- rhel9cis_rule_5_6_4
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.4
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: (?i)(umask\s+\d\d\d)
replace: '{{ item.line }} 027'
with_items:
- { path: '/etc/bashrc', line: 'umask' }
- { path: '/etc/profile', line: 'umask' }
- { path: '/etc/login.defs', line: 'UMASK' }
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^USERGROUPS_ENAB'
line: USERGROUPS_ENAB no
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd"
community.general.pamd:
name: "{{ item }}"
type: session
control: required
module_path: pam_limits.so
new_type: session
new_module_path: pam_umask.so
new_control: optional
state: before
register: rhel9cis_pamd_umask_added
loop:
- system-auth
- password-auth
- name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required"
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}"
regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$
replace: \1optional\3
loop:
- system-auth
- password-auth
when:
- rhel9cis_rule_5_6_5
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.5
- name: "5.6.6 | PATCH | Ensure root password is set"
ansible.builtin.debug:
msg: "The root password has been set as per the assert in early stages"
when:
- rhel9cis_rule_5_6_6
tags:
- level1-server
- level1-workstation
- patch
- accounts
- root
- rule_5.6.6
View git blame Copy permalink