From 078c091232b7997444e24e2b83a599e1263073c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Sep 2024 14:39:19 +0100 Subject: [PATCH 01/22] removed unneccesary vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 622af55..0b24c57 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -49,15 +49,10 @@ rhel9cis_selinux_disable: false # UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false -## Python Binary -## This is used for python3 Installations where python2 OS modules are used in ansible -python2_bin: /bin/python2.7 - ## Benchmark name used by audting control role # The audit variable found at the base ## metadata for Audit benchmark benchmark_version: 'v1.0.0' - benchmark: RHEL9-CIS # Whether to skip the system reboot before audit From 9d8cef3c30c1c69aa8efcbd7e9f6b400e5a138a6 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:48:44 +0000 Subject: [PATCH 02/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.4 → v8.19.2](https://github.com/gitleaks/gitleaks/compare/v8.18.4...v8.19.2) - [github.com/ansible-community/ansible-lint: v24.7.0 → v24.9.0](https://github.com/ansible-community/ansible-lint/compare/v24.7.0...v24.9.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 260cffe..f009319 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.19.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.9.0 hooks: - id: ansible-lint name: Ansible-lint From b12b5dcf5004b14af5ebca9bff583f7b5e05e27a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Sep 2024 12:38:49 +0100 Subject: [PATCH 03/22] Added gui discovery and updated comments Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ++++------ tasks/prelim.yml | 7 +++++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0b24c57..5b1b81c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -521,6 +521,10 @@ rhel9cis_selinux_pol: targeted rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment +## Control 1.8.1-10 +# This variable governs whether rules dealing with GUI specific packages(and/or their settings) +# Discovered value can be overridden to true is required +rhel9stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" ## Section 2. Services @@ -562,12 +566,6 @@ rhel9cis_chrony_server_minsources: 2 # Set the respective variable to true to keep the service, # otherwise the service is stopped and disabled -## Control 1.8.10-10, 2.2.1 -# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should -# be executed either to: -# - secure GDM, if GUI is needed('rhel9cis_gui: true') -# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false') -rhel9cis_gui: false ## Control 2.2.2 - Ensure Avahi Server is not installed # This variable, when set to false, will specify that Avahi Server packages should be uninstalled. rhel9cis_avahi_server: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1db6db5..13afd85 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -190,6 +190,13 @@ - rhel9cis_force_gpg_key_import - ansible_facts.distribution == 'RedHat' +- name: "PRELIM | Discover Gnome Desktop Environment" + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + tags: + - always + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit From 810d0e639f6ed100b6f5ebc163f00ddb04a3601d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Sep 2024 09:33:57 +0100 Subject: [PATCH 04/22] updated typo for gui default Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5b1b81c..e3dc9b5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -524,7 +524,7 @@ rhel9cis_selinux_enforce: enforcing ## Control 1.8.1-10 # This variable governs whether rules dealing with GUI specific packages(and/or their settings) # Discovered value can be overridden to true is required -rhel9stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" +rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" ## Section 2. Services From 93f136f5263ad18e61e93acb8b64dcbcc99e9de8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 17:49:02 +0000 Subject: [PATCH 05/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.0 → v24.9.2](https://github.com/ansible-community/ansible-lint/compare/v24.9.0...v24.9.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f009319..51202b8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint From 506433ee46eb23bc4f080152397bdbf84be4521b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 17:52:58 +0000 Subject: [PATCH 06/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.19.2 → v8.19.3](https://github.com/gitleaks/gitleaks/compare/v8.19.2...v8.19.3) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 51202b8..f4fb400 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.2 + rev: v8.19.3 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 0f94ed9637c884acddcdf2aeab18be196899bb0e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 18:26:50 +0000 Subject: [PATCH 07/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.6.0...v5.0.0) - [github.com/gitleaks/gitleaks: v8.19.3 → v8.20.0](https://github.com/gitleaks/gitleaks/compare/v8.19.3...v8.20.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f4fb400..cf8c7b9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.3 + rev: v8.20.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 41bc1e2aa07e6ec3d8c98ea1d497d6aa6668faa5 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 17:59:52 +0000 Subject: [PATCH 08/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.20.0 → v8.20.1](https://github.com/gitleaks/gitleaks/compare/v8.20.0...v8.20.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf8c7b9..bedf1b3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.20.0 + rev: v8.20.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From ef00aa00b30cbdb4df508fa98e197eebcd39be12 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:54:56 +0000 Subject: [PATCH 09/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.20.1 → v8.21.1](https://github.com/gitleaks/gitleaks/compare/v8.20.1...v8.21.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bedf1b3..8f6c2b3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.20.1 + rev: v8.21.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From aee4c2a25ebcb19205c7803236997153efc0c8bd Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 18:01:21 +0000 Subject: [PATCH 10/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.1 → v8.21.2](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f6c2b3..300b2e2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 988c42f8aacd2dcfbb4360bcda78522a9974d333 Mon Sep 17 00:00:00 2001 From: yinggs Date: Wed, 30 Oct 2024 17:48:51 +0800 Subject: [PATCH 11/22] Added selectattr filter to fix #249 Signed-off-by: yinggs --- tasks/section_6/cis_6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index a0e8dd6..a89c16c 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -164,7 +164,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}" + discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: @@ -204,7 +204,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}" + discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: From 272ac4efb42fd773f83cc5cc52916e8c93877065 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 16:57:27 +0000 Subject: [PATCH 12/22] updated to enable greater idempotence on filemounts Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.7.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index d113361..a123426 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_7_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From efd86bf8052d0f8d0c12c344d20170a8e2aac1d8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 17:01:46 +0000 Subject: [PATCH 13/22] updated for first interaction step Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 912b3db..c9328cb 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/first-interaction@main From bb631b10dbe470e3679715640e15de83b3ec62e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:43:44 +0000 Subject: [PATCH 14/22] improved idempotence on mount point options Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 4 +--- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- 6 files changed, 6 insertions(+), 8 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 10d6d2d..861e679 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4) %},nosuid{% endif %}" notify: Remount tmp loop: "{{ ansible_facts.mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 3a64a06..423b15c 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,9 +31,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid" label: "{{ item.device }}" notify: Change_requires_reboot when: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 713dba6..4487e9b 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index ac8b827..8c4732f 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_5_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_5_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_5_4) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 5a7c8f4..709a206 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_6_2) %},noexec{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_6_3) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_6_4) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6a50de8..506c1a6 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -40,7 +40,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}" notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or From 1c1a39c58b5e7b2ea129c15aad4cdda1d4fdc963 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:46:17 +0000 Subject: [PATCH 15/22] improved gpg regex Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index fc0bf27..babf869 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: ^gpgcheck\s*=\s*0 replace: "gpgcheck=1" loop: "{{ yum_repos.files }}" loop_control: @@ -104,7 +104,7 @@ - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^repo_gpgcheck( |)=( |)0' + regexp: ^repo_gpgcheck\s*=\s*0 replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: From fbf16ec54dc9664b9380fe887ca2c37eb859fa96 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:59:07 +0000 Subject: [PATCH 16/22] readded lines removed in error Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.3.x.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 423b15c..e6d0705 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,9 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid" + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid{% endif %}" + loop: "{{ ansible_facts.mounts }}" + loop_control: label: "{{ item.device }}" notify: Change_requires_reboot when: From d6c9e426855bac16047a75ae72238816279c1e2b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 16:00:01 +0000 Subject: [PATCH 17/22] reverted back to original Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 506c1a6..6a50de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -40,7 +40,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}" + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or From 28a35960d7acb7e6c69cdaa9c90fe3663d00ba97 Mon Sep 17 00:00:00 2001 From: Jeffrey van Pelt Date: Mon, 11 Nov 2024 17:38:04 +0100 Subject: [PATCH 18/22] Added a means to allow system users to have a shell Signed-off-by: Jeffrey van Pelt --- defaults/main.yml | 5 +++++ tasks/section_5/cis_5.6.x.yml | 1 + 2 files changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index e3dc9b5..0cc7a2b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1137,6 +1137,11 @@ rhel9cis_force_user_mindays: false # This can break current connecting user access rhel9cis_force_user_warnage: false +## Control 5.6.2 - Ensure system accounts are secured | Set nologin +# The system users on this list are allowed to have a shell (e.g. applications +# that require a shell to function) +rhel9cis_system_users_shell: [] + ## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 5271388..11bed39 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,6 +13,7 @@ - item.id != "shutdown" - item.id != "halt" - item.id != "nfsnobody" + - item.id not in rhel9cis_system_users_shell - item.uid < min_int_uid | int - item.shell != "/bin/false" - item.shell != "/usr/sbin/nologin" From c4b489fe4c0cd109a574ed734c5d63cccc1c536f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Nov 2024 15:45:20 +0000 Subject: [PATCH 19/22] fixed filename thanks to @levaillx Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index ce35a48..36f6052 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -131,7 +131,7 @@ - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock" owner: root group: root mode: '0644' From 1166b8b9c5962b67e15a631e93a2541b18d684c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Nov 2024 17:38:04 +0000 Subject: [PATCH 20/22] updated typos Signed-off-by: Mark Bolwell --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3260cb0..86ebd36 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ Refer to [Contributing Guide](./CONTRIBUTING.rst) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. +Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. @@ -128,11 +128,9 @@ os_check: false **Technical Dependencies:** - Python3 -- Ansible 2.10+ +- Ansible 2.12+ - python-def (should be included in RHEL 9) - libselinux-python -- pip packages - - jmespath - collections found in collections/requirements.yml pre-commit is available if installed on your host for pull request testing. From f591dc2507c2e4e68ecd5e319214bf5324ffa811 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 17:55:23 +0000 Subject: [PATCH 21/22] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.2 → v24.10.0](https://github.com/ansible-community/ansible-lint/compare/v24.9.2...v24.10.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 300b2e2..1c69745 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.2 + rev: v24.10.0 hooks: - id: ansible-lint name: Ansible-lint From 576475d851de7a2ce1dd6ebb3c6b2f0d4af3056f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Nov 2024 14:03:46 +0000 Subject: [PATCH 22/22] removed skip_ansible_lint tag Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ---- tasks/section_1/cis_1.1.3.x.yml | 1 - tasks/section_1/cis_1.1.4.x.yml | 1 - tasks/section_1/cis_1.1.5.x.yml | 2 -- tasks/section_1/cis_1.1.6.x.yml | 1 - tasks/section_1/cis_1.1.7.x.yml | 2 -- tasks/section_1/cis_1.1.8.x.yml | 1 - tasks/section_1/cis_1.2.x.yml | 1 - tasks/section_1/cis_1.9.yml | 2 -- 9 files changed, 15 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index dd97fec..c302106 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -57,8 +57,6 @@ - name: Grub2cfg ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors - tags: - - skip_ansible_lint - name: Restart rsyslog ansible.builtin.systemd: @@ -102,8 +100,6 @@ - name: Restart auditd ansible.builtin.shell: service auditd restart - tags: - - skip_ansible_lint - name: Change_requires_reboot ansible.builtin.set_fact: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index e6d0705..d219b39 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -45,6 +45,5 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 4487e9b..d04ac02 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -48,7 +48,6 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 8c4732f..af4e230 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -22,7 +22,6 @@ - audit - mounts - rule_1.1.5.1 - - skip_ansible_lint - name: | "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" @@ -48,7 +47,6 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.5.2 - rule_1.1.5.3 - rule_1.1.5.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 709a206..d20e83d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -47,7 +47,6 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index a123426..d081811 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -22,7 +22,6 @@ - audit - mounts - rule_1.1.7.1 - - skip_ansible_lint - name: | "1.1.7.2 | PATCH | Ensure nodev option set on /home partition @@ -48,4 +47,3 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6a50de8..5ebf666 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -29,7 +29,6 @@ - audit - mounts - rule_1.1.8.1 - - skip_ansible_lint - name: | "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index babf869..3c57e41 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -85,7 +85,6 @@ - manual - audit - rule_1.2.3 - - skip_ansible_lint - name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated" block: diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index e226948..39f0cd9 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -7,10 +7,8 @@ notify: Change_requires_reboot when: - rhel9cis_rule_1_9 - - not system_is_ec2 tags: - level1-server - level1-workstation - patch - rule_1.9 - - skip_ansible_lint