Merge pull request #18 from ansible-lockdown/updates
logic, idempotency, auditd, sysctl improvements
uk-bolly authored Sep 24, 2022
2 parents ceb6543 + cdf8bab commit 5098bee
Showing 65 changed files with 801 additions and 461 deletions.
3 changes: 3 additions & 0 deletions .ansible-lint
@@ -1,6 +1,9 @@
parseable: true
quiet: true
skip_list:
- 'schema'
- 'no-changed-when'
- 'fqcn-builtins'
- '204'
- '305'
- '303'
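Review bot: the three new skip entries use legacy numeric ids ('204', '305', '303') while the existing entries use rule names; ansible-lint has moved from numeric ids to named rules, so on a current release these entries may be ignored silently and the rules still fire. Use the named equivalents, and since the merge is about idempotency, prefer a per-task `# noqa` over a global skip so that unguarded `shell:`/`command:` tasks are still surfaced elsewhere in the role.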
2 changes: 1 addition & 1 deletion .github/workflows/github_vars.tfvars
@@ -8,7 +8,7 @@ environment = "lockdown_github_repo_workflow"

// Matching pair name found in AWS for keypairs PEM key
ami_key_pair_name = "github_actions"
private_key = "'.ssh/github_actions.pem'"
private_key = ".ssh/github_actions.pem"
main_vpc_cidr = "172.22.0.0/24"
public_subnets = "172.22.0.128/26"
private_subnets = "172.22.0.192/26"
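Review bot: the `private_key` fix is correct: the old value embedded literal single quotes inside the string, so Terraform would have looked for a file literally named `'.ssh/github_actions.pem'`. Now that it points at a real PEM relative to the workflow directory, confirm the key is written at run time from a secret (or is git-ignored) rather than committed next to `github_vars.tfvars`.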
15 changes: 3 additions & 12 deletions .github/workflows/linux_benchmark_testing.yml
@@ -81,18 +81,9 @@ jobs:
working-directory: .github/workflows
run: cat hosts.yml

# Centos 7 images take a while to come up insert sleep or playbook fails
# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Check if test os is rhel7
working-directory: .github/workflows
id: test_os
run: >-
echo "::set-output name=RHEL7::$(
grep -c RHEL7 OS.tfvars
)"
- name: if RHEL7 - Sleep for 60 seconds
#if: steps.test_os.outputs.RHEL7 >= 1
- name: Sleep for 60 seconds
run: sleep 60s
shell: bash

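Review bot: the RHEL7 detection step (and its commented-out `if:`) is removed and the `sleep 60s` now runs unconditionally, as the updated comment about AWS deployments explains. A fixed sleep is fragile in both directions: it wastes a minute when the instance is already up and still fails when it takes longer. Polling for readiness against the inventory in `hosts.yml` (for example `ansible -m wait_for_connection` or an ssh retry loop) is more reliable. Dropping the `::set-output` usage is welcome regardless, since GitHub has deprecated that workflow command.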
@@ -117,4 +108,4 @@ jobs:
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
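Review bot: the removed and added `run: terraform destroy ...` lines are identical in content, so this is an indentation-only change. Worth confirming the step still parses with `run:` at the same level as `env:` rather than nested under it, since a mis-indented `run:` under `env:` would silently become an environment variable named `run` and the destroy step would never execute, leaving test infrastructure running.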
38 changes: 25 additions & 13 deletions .yamllint
@@ -2,22 +2,34 @@
ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml

extends: default

rules:
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
indentation:
indent-sequences: consistent
level: error
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: false
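Review bot: the new `rules:` block defines `indentation:` twice, once with `spaces: 4` and `indent-sequences: consistent`, and again near the end with `indent-sequences: consistent` and `level: error`. Depending on the YAML loader a duplicate mapping key is either an error or silently resolved to the last occurrence, in which case `spaces: 4` is dropped, which is exactly the class of mistake `key-duplicates: enable` further down is meant to catch in the repo's own files. Merge them into one block (`spaces: 4`, `indent-sequences: consistent`, `level: error`).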
28 changes: 28 additions & 0 deletions Changelog.md
@@ -1,5 +1,33 @@
# Changes to rhel9CIS

## 0.4

- Added assertion that ansible_user has password set for rule 5.3.4
- RockyLinux now supported - release since initial branches
- gpg check updates
- audit out dir now /opt
- lint updates and improvements
- workflow updates and improvements moved to rocky image
- selinux regexp improvements
- warning summary now at end of play
- advanced auditd options to exclude users in POST section
- Issues fixed thanks to fgierlinger
- [#21](https://github.com/ansible-lockdown/RHEL9-CIS/issues/21)
- [#22](https://github.com/ansible-lockdown/RHEL9-CIS/issues/22)

## 0.3

- update to auditd template
- uses facts and template new variable
- update_audit_template (default false)
- sysctl template updates and idempotency improvements
- container discovery usage improvements
- 3.4.1.5 discovery improvement
- 5.6.1.4 discovery improvement
- logrotate process logrotate.timer
- tidy up become:
- logic improvements

## 0.2

- not all controls work with rhel8 releases any longer
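Review bot: the 0.4 entries "gpg check updates" and "lint updates and improvements" do not tell a user what changed. The new role variables introduced in this merge (`sysctl_update`, `flush_ipv4_route`, `flush_ipv6_route`, `allow_auditd_uid_user_exclusions`) and the switch of `audit_git_version` to `devel` all change behaviour and belong in the list with their defaults, the way 0.3 already lists `update_audit_template (default false)`, so operators can find them without diffing defaults/main.yml.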
8 changes: 5 additions & 3 deletions README.md
@@ -1,6 +1,6 @@
# Development Only

## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA
## RHEL 9 CIS (predicted) - Beta - CIS baselines or OS not yet GA

## Testing if you have access to the RH developer branches

@@ -17,7 +17,7 @@ Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https:/

## Join us

On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users

## Caution(s)

@@ -49,7 +49,9 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit).

## Requirements

RHEL 9 - Other versions are not supported.
RHEL 9
Almalinux 9
Rocky 9

- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)

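Review bot: adding Almalinux 9 and Rocky 9 drops the "Other versions are not supported" statement; keep it, since it was the only explicit scope line and the controls are version-specific. Also render the three supported distributions as a bulleted list: as bare consecutive lines Markdown joins them into the single paragraph "RHEL 9 Almalinux 9 Rocky 9".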
23 changes: 15 additions & 8 deletions defaults/main.yml
@@ -369,7 +369,6 @@ rhel9cis_rh_sub_password: password
# RedHat Satellite Subscription items
rhel9cis_rhnsd_required: false


# 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random
@@ -460,6 +459,11 @@ rhel9cis_tftp_client: false


## Section3 vars
## Sysctl
sysctl_update: false
flush_ipv4_route: false
flush_ipv6_route: false

### Firewall Service - either firewalld, iptables, or nftables
#### Some control allow for services to be removed or masked
#### The options are under each heading
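Review bot: `sysctl_update`, `flush_ipv4_route` and `flush_ipv6_route` are the only variables in this section without the `rhel9cis_` prefix used everywhere else (`rhel9cis_tftp_client` just above), which risks a clash with other roles in the same play; consider prefixing them. Please also document what each default disables: with both flush variables false the route-flush handlers in handlers/main.yml are gated off, and the CIS remediation steps for the `net.ipv4`/`net.ipv6` controls include a route flush after the settings are changed, so operators should know they may need `sysctl --system` or a reboot for the new values to be fully applied.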
@@ -498,6 +502,12 @@ rhel9cis_audit_back_log_limit: 8192
# The max_log_file parameter should be based on your sites policy
rhel9cis_max_log_file_size: 10

### 4.1.3.x audit template
update_audit_template: false

## Advanced option found in auditd post
allow_auditd_uid_user_exclusions: false

## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
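Review bot: `allow_auditd_uid_user_exclusions` lets an operator exclude users from the generated audit rules, which reduces audit coverage relative to the benchmark; the comment "Advanced option found in auditd post" should say what gets excluded and that enabling it is a deviation to be recorded. Same naming remark as for the sysctl variables: `update_audit_template` and `allow_auditd_uid_user_exclusions` lack the `rhel9cis_` prefix.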
@@ -633,8 +643,8 @@ audit_run_script_environment:

### Goss binary settings ###
goss_version:
release: v0.3.16
checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
release: v0.3.18
checksum: 'sha256:432308ebca0caf8165d45bd27e3262126aad9d15572ac8cb3149b3c91f75aace'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json
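Review bot: bumping goss to v0.3.18 together with a pinned sha256 is the right shape. Please record in the PR where the checksum came from (the upstream release assets publish one) so it can be re-verified, since this binary is fetched at play time and executed as root on every audited host.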
@@ -651,20 +661,17 @@ copy_goss_from_path: /some/accessible/path
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: main
audit_git_version: devel

# copy:
audit_local_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

# Where the goss audit configuration will be stored
audit_files: "/var/tmp/{{ benchmark }}-Audit/"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/var/tmp'
audit_out_dir: '/opt'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
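Review bot: `audit_git_version: devel` makes every run clone whatever is currently on the audit repo's development branch, so audit results are not reproducible and an unreviewed change on that branch flows straight into production runs. Pin a tag or commit, or keep `main` as the default and override to `devel` from inventory for development. Moving `audit_out_dir` from `/var/tmp` to `/opt` is an improvement (scan outputs no longer sit in a world-writable directory), but `audit_conf_dir` and both outfile paths derive from it, so the directory needs to exist with root ownership before the first run.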
89 changes: 35 additions & 54 deletions handlers/main.yml
@@ -1,14 +1,23 @@
---
# handlers file for RHEL9-CIS

- name: reload sysctl
shell: sysctl --system
args:
warn: false
when:
- sysctl_updated.changed

- name: sysctl flush ipv4 route table
become: true
sysctl:
name: net.ipv4.route.flush
value: '1'
sysctl_set: true
ignore_errors: true
when: ansible_virtualization_type != "docker"
ignore_errors: true # noqa ignore-errors
when:
- flush_ipv4_route
- not system_is_container
tags:
- skip_ansible_lint

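Review bot: the new `when:` list on `sysctl flush ipv4 route table` relies on `system_is_container` being defined before handlers run; if the task path that sets it is skipped, the handler errors on an undefined variable instead of skipping, so `not (system_is_container | default(false))` is safer. The retained `ignore_errors: true` (now with `# noqa ignore-errors`) means a failing route flush is reported but not fatal, which hides genuine sysctl errors; with the handler now opt-in through `flush_ipv4_route`, dropping `ignore_errors` and letting a real failure surface would be clearer.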
@@ -18,35 +27,9 @@
name: net.ipv6.route.flush
value: '1'
sysctl_set: true
when: ansible_virtualization_type != "docker"

- name: update sysctl
template:
src: "etc/sysctl.d/{{ item }}.j2"
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: 0600
notify: reload sysctl
with_items:
- 60-kernel_sysctl.conf
- 60-disable_ipv6.conf
- 60-netipv4_sysctl.conf
- 60-netipv6_sysctl.conf
when:
- ansible_virtualization_type != "docker"
- "'procps-ng' in ansible_facts.packages"

- name: reload sysctl
sysctl:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
- ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages"
- flush_ipv6_route
- not system_is_container

- name: systemd restart tmp.mount
become: true
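Review bot: this hunk removes the `update sysctl` template handler and the second `reload sysctl` handler, and the first hunk already removed the `shell: sysctl --system` one, so no handler named `reload sysctl` or `update sysctl` remains in this file. Any task still carrying `notify: reload sysctl` or `notify: update sysctl` will fail at run time with a handler-not-found error, so grep the tasks directory before merging. The removed template handler also wrote the `/etc/sysctl.d/60-*.conf` files with `owner: root`, `group: root`, `mode: 0600`; whichever task now renders them should keep ownership and mode explicit.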
@@ -72,53 +55,30 @@
warn: false

- name: restart firewalld
become: true
service:
name: firewalld
state: restarted

- name: restart sshd
become: true
service:
name: sshd
state: restarted

- name: restart postfix
become: true
service:
name: postfix
state: restarted

- name: reload dconf
become: true
shell: dconf update
args:
warn: false

- name: update auditd
template:
src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 0600
notify: restart auditd

- name: restart auditd
shell: /sbin/service auditd restart
changed_when: false
check_mode: false
failed_when: false
args:
warn: false
tags:
- skip_ansible_lint

- name: grub2cfg
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
args:
warn: false
ignore_errors: True
ignore_errors: true # noqa ignore-errors
tags:
- skip_ansible_lint

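Review bot: removing `become: true` from restart firewalld/sshd/postfix and reload dconf is only safe if escalation is supplied at play or role level; site.yml in this same merge drops `become: true` from the play, so confirm where it now comes from, because all of these restarts need root. The removed `restart auditd` handler carried `changed_when: false`, `check_mode: false` and `failed_when: false`; the replacement defined later in this file has none of them, which means a failed `service auditd restart` now fails the play (good, the failure is visible) and the shell handler is skipped under `--check` instead of being forced to run, which is the safer default.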
@@ -142,6 +102,27 @@
systemd:
daemon-reload: true

## Auditd tasks note order for handlers to run

- name: auditd_immutable_check
shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check

- name: audit_immutable_fact
debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot
when:
- auditd_immutable_check.stdout == '1'

- name: restart auditd
shell: service auditd restart
args:
warn: false
tags:
- skip_ansible_lint

- name: change_requires_reboot
set_fact:
change_requires_reboot: true
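Review bot: two logic problems in the new auditd handler chain. First, `grep -c "^-e 2"` exits 1 when there is no match, and `auditd_immutable_check` has `changed_when: false` but no `failed_when`, so on any host whose 99_auditd.rules does not carry the immutable flag the handler fails and the remaining handlers (including `restart auditd`) never run; add `failed_when: auditd_immutable_check.rc > 1` (grep reserves exit codes above 1 for real errors). Second, `debug` always reports `changed: false` and handlers are only notified by changed results, so `notify: change_requires_reboot` on `audit_immutable_fact` never fires and the reboot fact is never set; add `changed_when: true` to that task or set the fact directly there. Minor: `stdout == '1'` misses a file that carries the line twice, `auditd_immutable_check.stdout | int >= 1` is more robust, and `args: warn: false` on shell is deprecated and removed in ansible-core 2.14.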
1 change: 0 additions & 1 deletion site.yml
@@ -1,7 +1,6 @@
---
- hosts: all
become: true

roles:

- role: "{{ playbook_dir }}"
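Review bot: dropping `become: true` from the play means the role runs as the connecting user unless the inventory, ansible.cfg or the role's own tasks escalate; nearly every control writes under /etc and restarts services, so either restore it or state in the README that the playbook must be run with `-b`. With handlers/main.yml in this same merge also removing per-handler `become`, no escalation remains visible anywhere in the diff.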
2 changes: 1 addition & 1 deletion tasks/LE_audit_setup.yml
@@ -22,7 +22,7 @@
- get_goss_file == 'copy'

- name: install git if not present
package:
package:
name: git
state: present
register: git_installed