Skip to content

Commit

Permalink
Merge pull request #210 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
Release to main
  • Loading branch information
uk-bolly authored Jun 10, 2024
2 parents 7661bc0 + f652ee4 commit 306eb59
Show file tree
Hide file tree
Showing 13 changed files with 217 additions and 32 deletions.
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,20 +30,20 @@ repos:

# Scan for passwords
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
rev: v1.5.0
hooks:
- id: detect-secrets
args: [ '--baseline', '.config/.secrets.baseline' ]
exclude: .config/.gitleaks-report.json

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.2
rev: v8.18.3
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v24.2.2
rev: v24.5.0
hooks:
- id: ansible-lint
name: Ansible-lint
Expand Down
8 changes: 8 additions & 0 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# Changes to rhel9CIS

## 1.1.6 - Based on CIS v1.0.0

- #190 - thanks to @ipruteanu-sie
- addressed requirements in PR with alternate method
- #191 - thanks to @numericillustration
- Addressed authselect for pam
- #193 thanks to brakkio86

## 1.1.5 - Based on CIS v1.0.0

- added new interactive user discoveries
Expand Down
2 changes: 1 addition & 1 deletion defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -403,7 +403,7 @@ rhel9cis_tmp_svc: false

## Control 1.2.1
# For new systems that have not yet run update the gpg key is not yet imported
# Setting to `true` will allow a test on the package and the foce the import of the key
# Setting to `true` will allow a test on the package and force the import of the key
rhel9cis_force_gpg_key_import: true

## Control 1.2.4
Expand Down
7 changes: 7 additions & 0 deletions handlers/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,13 @@
ansible.builtin.systemd:
daemon-reload: true

- name: Apply_authselect
ansible.builtin.shell: authselect apply-changes
when: not rhel9cis_rule_5_4_2

- name: Apply_authselect
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
when: rhel9cis_rule_5_4_2
## Auditd tasks note order for handlers to run

- name: Auditd immutable check
Expand Down
2 changes: 1 addition & 1 deletion tasks/prelim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }'
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false
register: discovered_interactive_usernames

Expand Down
2 changes: 1 addition & 1 deletion tasks/section_2/cis_2.4.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
register: rhel9cis_2_4_services

- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets"
ansible.builtin.shell: systemctl list-units --type=sockets
ansible.builtin.shell: systemctl list-units --type=socket
changed_when: false
failed_when: false
check_mode: false
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.2.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@
- name: "4.2.1.5 | PATCH | Ensure logging is configured"
block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.shell: cat /etc/rsyslog.conf
ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$"
changed_when: false
failed_when: false
check_mode: false
Expand Down
32 changes: 18 additions & 14 deletions tasks/section_5/cis_5.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,21 +3,25 @@
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
block:
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
ansible.builtin.shell: 'authselect list | grep custom'
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_4_1_profiles

- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
ansible.builtin.debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
register: rhel9cis_5_4_1_current_profile

- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
when: rhel9cis_authselect_custom_profile_create
when:
- rhel9cis_authselect_custom_profile_create
- "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"

- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}"
register: authselect_5_4_1_select
when:
- rhel9cis_authselect_custom_profile_create
- "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"

when:
- rhel9cis_rule_5_4_1
tags:
Expand All @@ -28,7 +32,7 @@
- authselect
- rule_5.4.1

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options"
block:
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
ansible.builtin.shell: "authselect current | grep with-faillock"
Expand All @@ -43,11 +47,11 @@
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force"
when: rhel9cis_authselect_custom_profile_select

- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: "{{ item.regexp }}"
Expand All @@ -61,7 +65,7 @@
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'

- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/system-auth"
regexp: "{{ item.regexp }}"
Expand Down
23 changes: 17 additions & 6 deletions tasks/section_5/cis_5.5.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,14 @@
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
Expand All @@ -42,6 +42,7 @@
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
Expand All @@ -51,6 +52,7 @@
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
Expand All @@ -60,6 +62,7 @@
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
Expand All @@ -78,10 +81,18 @@
- rule_5.5.2

- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'

- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
when:
- rhel9cis_rule_5_5_3
tags:
Expand Down
144 changes: 144 additions & 0 deletions tasks/section_5/cis_5.5.x_authselect.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
---

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
block:
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
loop:
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
line: "account required pam_faillock.so"
insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.2

- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect

- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.3

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
ansible.builtin.replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.4
1 change: 1 addition & 0 deletions tasks/section_5/cis_5.6.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,7 @@
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
when: item in discovered_interactive_usernames.stdout
when:
- rhel9cis_rule_5_6_1_4
tags:
Expand Down
12 changes: 8 additions & 4 deletions tasks/section_5/cis_5.6.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,10 @@
- item.id != "halt"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"

Expand All @@ -31,8 +33,10 @@
- item.id != "root"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"
when:
Expand Down
Loading

0 comments on commit 306eb59

Please sign in to comment.