From 6d78fc1c06f82f10525676172767048d95eb35ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 7 Jan 2022 09:22:40 +0000 Subject: [PATCH 001/454] updated Signed-off-by: Mark Bolwell --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 5b33d4ad..4f5e4fdb 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2020 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From e5887e529379053bc93ff5b576e726e00bb195b7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 7 Jan 2022 09:23:01 +0000 Subject: [PATCH 002/454] Updated Signed-off-by: Mark Bolwell --- Changelog.md | 93 ++-------------------------------------------------- 1 file changed, 3 insertions(+), 90 deletions(-) diff --git a/Changelog.md b/Changelog.md index 09ba0bed..c830cbcf 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -1,93 +1,6 @@ # Changes to rhel9CIS -## 1.3.3 +# Initial -- update to audit script - - variable for audit OS agnostic - - removal of included library module (not required) - -- Issues included - - #135 - running levels - upadted tags - - #138 - auditd immutable - - #139 - 5.2.13 valus updated - - #140 - - #141 - check mode update - - #142 - - #143 - labels added - - #144 - - #146 - undefined variable added - - #147 - removed warn statement - - #149 - shell timeout - -## 1.3.2 - -- issues with crypto policies on ec2 - added skip for rules if system_is_ec2 variable - - cis_1.10 ## Change crypto breaks installing products - - cis_1.11 ## Change crypto breaks installing products - -## 1.3.1 - -- CIS 1.0.1 updates -- Added Issue and PR templates -- Added better reboot logic -- Added options to ensure idempotence -- Enhanced flush handlers -- Typo fixes -- mount check improvements -- Linting fixes -- Added systemd tmp mount -- Added systemd tmpfs block -- #110 tmp.mount support - - thanks to @erpadmin - -## 1.3 - -- extentions to LE audit capability -- more lint and layout changes -- sugroup assertion added 5.7 -- added extra logic variable to authselect/config section 5.3 related -- AlmaLinux and Rocky tested (comments in readme - also rsyslog installed at build or will fail) -- section 1.1 mount work has been rewritten and systemd tmp mount options added - -## 1.2.3 - -- #117 sugroup enhancements - - thanks to @ihotz -- #112 use of dnf module not shell - - thanks to @wolskie - -## 1.2.2 - -- #33 mkgrub missing variable issues - efi and bios path resolution - - thanks to @mrampant & @mickey1928geo -- #102 2.2.2 xorg pkg removal extended - - thanks to @RosarioVinoth -- #104 5.4.1 pwquality logic - - thanks to @RosarioVinoth -- #107 Idempotence improvement for 4.1.1.3 and 4.1.1.4 - - thanks to @andreyzher -- lint changes and updates to sync with ansible-galaxy - -## v1.2.1 - -- bootloader and default variables -- empty strings lint updates -- #87 -- rule 6.1.1 - audit 
only - outputs file discrepancies to {{ rhel9cis_rpm_audit_file }} -- #88 -- checkmode_improvements added to relevant tasks -- PR #96 -- crypto policy idempotency - -## v1.2.0 - -- #86 -- Adding on the goss auditing tool -- remove deprecated warnings -- format and layout -- general improvements -- readme updates -- use ansible package_facts -- #90 -- cis fix - nfs-server not nfs - - Thanks to danderemer +- based on RHEL8 currently as RH or CIS not GA +- Changes to systctl and auditd changes to utilise templates From 115999956fce7b4a8ba553b945b2ecc99e6e18b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 7 Jan 2022 11:09:28 +0000 Subject: [PATCH 003/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index c830cbcf..693e425a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,8 @@ # Changes to rhel9CIS -# Initial +## Initial - based on RHEL8 currently as RH or CIS not GA -- Changes to systctl and auditd changes to utilise templates +- Changes to systctl, auditd, aide cron changes to utilise templates - see issue #1 +- Collection statement added to meta/main.yml using only community-general +- aide crontab moved to template due to module change From 2d83b7f06d83f9baf7ae69e59745f73242c19bed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 7 Jan 2022 11:10:53 +0000 Subject: [PATCH 004/454] 1.4.2 to use template Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 16 ++++++---------- templates/aide.cron.j2 | 5 +++++ 2 files changed, 11 insertions(+), 10 deletions(-) create mode 100644 templates/aide.cron.j2 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 5956ae6e..6bd3bc21 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
@@ -28,16 +28,12 @@ - rule_1.4.1 - name: "1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked" - cron: - name: Run AIDE integrity check - cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" - user: "{{ rhel9cis_aide_cron['cron_user'] }}" - minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel9cis_aide_cron['aide_job'] }}" + template: + src: aide.cron.j2 + dest: /etc/cron.d/aide.cron + owner: root + group: root + mode: 0644 when: - rhel9cis_rule_1_4_2 tags: diff --git a/templates/aide.cron.j2 b/templates/aide.cron.j2 new file mode 100644 index 00000000..848dcca4 --- /dev/null +++ b/templates/aide.cron.j2 @@ -0,0 +1,5 @@ +# Run AIDE integrity check +# added via ansible-lockdown remediation +# CIS 1.4.2 + +{{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} From 59bbf71971b65a1a43563868b1eb1b043959b4b2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 7 Jan 2022 11:11:06 +0000 Subject: [PATCH 005/454] crontab file locations updated Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index e9c7a4b3..7edfc83e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -393,7 +393,7 @@ rhel9cis_config_aide: true # AIDE cron settings rhel9cis_aide_cron: cron_user: root - cron_file: /etc/crontab + cron_file: /etc/cron.d/aide.cron aide_job: '/usr/sbin/aide --check' aide_minute: 0 aide_hour: 5 From fd9747248b1717c90619140d05cbebdb76f30b91 Mon Sep 17 00:00:00 2001 
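Review bot: The new template task hardcodes `dest: /etc/cron.d/aide.cron` and no longer reads `rhel9cis_aide_cron['cron_file']` or `cron_user`, so the defaults this same series adjusts for that purpose have no effect on what gets written. Wiring the destination back to the variable, `dest: "{{ rhel9cis_aide_cron['cron_file'] }}"`, keeps the override point operators already have. The mode should be the string `mode: "0644"`; a bare `0644` relies on YAML octal parsing and is the usual ansible-lint finding. Note also that the old cron task supplied `default()` fallbacks for the schedule fields and the template does not, so any missing key now fails the render instead of falling back.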
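Review bot: The rendered crontab line does not look like a valid `/etc/cron.d` entry: it emits minute, hour, month and weekday followed directly by the job, leaving out the day-of-month field and the user field that cron.d files require between the schedule and the command. On my reading crond would reject the line, so the AIDE check would never run even though the task reports success, which is a silent compliance gap for 1.4.2. Suggested line: `{{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_day'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['cron_user'] }} {{ rhel9cis_aide_cron['aide_job'] }}`. A molecule or goss check that validates the rendered file against crontab syntax would have caught this.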
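Review bot: Changing `cron_file` to `/etc/cron.d/aide.cron` does not remove the `Run AIDE integrity check` entry that earlier runs of the cron-module version wrote into `/etc/crontab`, so already-remediated hosts may end up with two AIDE schedules. A one-off cleanup task using `cron` with `name: Run AIDE integrity check`, `cron_file: /etc/crontab` and `state: absent` would handle the migration. Since nothing visible in this series consumes `cron_file` or `cron_user` any more, either reference them from the template task or drop them so the defaults file does not advertise a knob that does nothing.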
From: Mark Bolwell Date: Fri, 7 Jan 2022 11:15:43 +0000 Subject: [PATCH 006/454] Allow testing on RH8 as dev Signed-off-by: Mark Bolwell --- tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index ef1cef5c..843850ce 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,10 +2,11 @@ # tasks file for RHEL9-CIS - name: Check OS version and family fail: - msg: "This role can only be run against RHEL 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." when: - ansible_os_family == 'RedHat' - - ansible_distribution_major_version is version_compare('9', '!=') + - ansible_distribution_major_version == 8 or + ansible_distribution_major_version == 9 tags: - always From 812efaa015757a975ff95612cbd83b0bbcdc3736 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 7 Jan 2022 11:16:13 +0000 Subject: [PATCH 007/454] Added community.general collection Signed-off-by: Mark Bolwell --- meta/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index cf060a31..186f06ef 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -15,4 +15,7 @@ galaxy_info: - security - cis - hardening + - benchmark +collections: + - community.general dependencies: [] From ac42f8a28fe6263de2135e4a14a4773b165d84c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 11:25:42 +0000 Subject: [PATCH 008/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Changelog.md b/Changelog.md index 693e425a..738bed74 100644 --- a/Changelog.md +++ b/Changelog.md 
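Review bot: The rewritten `when` inverts the guard: both list items are ANDed, so `fail` now fires only when the host is RedHat family with major version 8 or 9, i.e. exactly the supported platforms, and passes everything else. In practice it probably never fires at all, because `ansible_distribution_major_version` is a string fact and `'9' == 9` is false in Jinja2, which means the role silently runs on unsupported releases. The old `version_compare` form handled the string; a correct replacement is the single condition `- ansible_os_family != 'RedHat' or ansible_distribution_major_version not in ['8', '9']`, which also rejects non-RedHat hosts that the `ansible_os_family == 'RedHat'` gate let through. If RHEL 8 support is only a dev convenience as the subject says, a comment to that effect above the task would stop it becoming permanent by accident.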
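Review bot: Listing `community.general` under `collections:` in meta/main.yml only changes how unqualified module names are resolved; it neither installs the collection nor pins its version. Unless a `requirements.yml` exists elsewhere in the repository, add one with a `- name: community.general` entry and a pinned `version:` so consumers get a known release rather than whatever `ansible-galaxy` pulls at install time. A short comment in meta, `# module-name resolution only; install/pin via requirements.yml`, would make the distinction clear to the next reader.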
@@ -1,5 +1,11 @@ # Changes to rhel9CIS +## 0.1 + +- change to include statements +- prelim and package facts discovery +- commands module removed and moved to shell + ## Initial - based on RHEL8 currently as RH or CIS not GA From 3b19db6812813dfe88b9682f782cc2edb52b16b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 11:27:26 +0000 Subject: [PATCH 009/454] replaced command with shell Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++---- tasks/check_prereqs.yml | 4 ++-- tasks/parse_etc_password.yml | 2 +- tasks/post.yml | 4 ++-- tasks/post_remediation_audit.yml | 4 ++-- tasks/pre_remediation_audit.yml | 12 +++++------ tasks/prelim.yml | 28 ++++++++++++++------------ tasks/section_1/cis_1.2.x.yml | 4 ++-- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_3/cis_3.4.3.x.yml | 34 ++++++++++++++++---------------- tasks/section_3/cis_3.5.yml | 12 +++++------ tasks/section_4/cis_4.2.1.x.yml | 2 +- tasks/section_4/cis_4.2.3.yml | 2 +- tasks/section_5/cis_5.5.1.x.yml | 6 +++--- tasks/section_5/cis_5.5.x.yml | 2 +- tasks/section_5/cis_5.6.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 4 ++-- tasks/section_6/cis_6.2.x.yml | 16 +++++++-------- 19 files changed, 75 insertions(+), 75 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index fdd93548..628d4818 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -58,7 +58,7 @@ state: reloaded - name: remount tmp - command: mount -o remount /tmp + shell: mount -o remount /tmp args: warn: false @@ -88,7 +88,7 @@ - name: reload dconf become: yes - command: dconf update + shell: dconf update - name: update auditd template: @@ -100,7 +100,7 @@ notify: restart auditd - name: restart auditd - command: /sbin/service auditd restart + shell: /sbin/service auditd restart changed_when: no check_mode: no failed_when: no 
@@ -112,7 +112,7 @@ - skip_ansible_lint - name: grub2cfg - command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" + shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" ignore_errors: True tags: - skip_ansible_lint diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 5ce4ab44..cdaf9309 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -3,7 +3,7 @@ - name: "PREREQ | Add the required packages | Python 3" block: - name: Check if python36-rpm package installed - command: rpm -q python36-rpm + shell: rpm -q python36-rpm failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) changed_when: false args: @@ -28,7 +28,7 @@ - libselinux-python3 - name: Disable Epel repo if installed earlier - command: yum-config-manager disable epel + shell: yum-config-manager disable epel when: epel_installed.changed when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index de29ff12..29b7d86c 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -3,7 +3,7 @@ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - command: cat /etc/passwd + shell: cat /etc/passwd changed_when: no check_mode: no register: rhel9cis_passwd_file_audit diff --git a/tasks/post.yml b/tasks/post.yml index 35c3b79d..a3eae23f 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -7,7 +7,7 @@ changed_when: no - name: trigger update sysctl - command: /bin/true + shell: /bin/true changed_when: false check_mode: false notify: update sysctl @@ -29,7 +29,7 @@ - sysctl - name: trigger update auditd - command: /bin/true + shell: /bin/true notify: update auditd changed_when: false check_mode: false diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 17ef3f87..9a14c5c0 100644 --- a/tasks/post_remediation_audit.yml 
+++ b/tasks/post_remediation_audit.yml @@ -17,7 +17,7 @@ - name: Post Audit | Capture audit data if json format block: - name: "capture data {{ post_audit_outfile }}" - command: "cat {{ post_audit_outfile }}" + shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false @@ -32,7 +32,7 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }}" - command: "tail -2 {{ post_audit_outfile }}" + shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 4e568dc2..2821cd20 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -59,11 +59,11 @@ path: "{{ audit_bin }}" register: goss_available - - name: Pre Audit | If audit ensure goss is available + - name: Pre Audit | Alert if goss not available assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists + that: goss_available.stat.exists + fail_msg: "Audit binary file {{ audit_bin }} does not exist" + success_msg: "Audit binary file {{ audit_bin }} exists" when: - run_audit @@ -92,7 +92,7 @@ - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" + shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false @@ -107,7 +107,7 @@ - name: Pre Audit | Capture audit data if documentation format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" + shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5451c31d..239c7b62 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
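Review bot: The new assert on `goss_available.stat.exists` only checks that something is present at `{{ audit_bin }}` before the role executes it, presumably as root, so a world-writable or non-root-owned binary at that path would pass. The `stat` result already carries ownership and mode, so the check can be tightened with two extra conditions, `- goss_available.stat.pw_name == 'root'` and `- not goss_available.stat.woth`, and ideally a checksum comparison against a known-good value when the role has one. If `audit_bin` is fetched by a task elsewhere in the role that I cannot see here, the same verification belongs there too.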
@@ -2,7 +2,7 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" - command: "awk -F: '{print $1}' /etc/passwd" + shell: "awk -F: '{print $1}' /etc/passwd" args: warn: no changed_when: no @@ -48,7 +48,11 @@ package: name: audit state: present - when: rhel9cis_level_2 + become: true + when: + - rhel9cis_level_2 or + rhel9cis_rule_4_1_1_1 + - '"auditd" not in ansible_facts.packages' - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done @@ -63,16 +67,23 @@ package: name: cronie state: present + become: true + when: + - rhel9cis_rule_5_1_1 + - '"cronie" not in ansible_facts.packages' - name: "PRELIM | Install authconfig" package: name: authconfig state: present + become: true when: - rhel9cis_use_authconfig - rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or - rhel9cis_rule_5_3_3 + rhel9cis_rule_5_3_3 or + '"authconfig" not in ansible_facts.packages' or + '"auditd-lib" not in ansible_facts.packages' - name: "PRELIM | Set facts based on boot type" block: @@ -92,26 +103,17 @@ grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists -# - name: debug legacy boot var -# debug: -# msg: | -# legacy_boot={{ rhel9cis_legacy_boot }} -# grub2_path={{ grub2_path }} - - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" stat: path: "{{ grub2_path }}" changed_when: false register: grub_cfg -# - name: debug grub stat -# debug: -# var: grub_cfg.stat - - name: "PRELIM | Check for rhnsd service" shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false + become: true register: rhnsd_service_status when: - rhel9cis_rule_1_2_2 
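Review bot: The new guard `'"auditd" not in ansible_facts.packages'` can never be false, because the package installed two lines above is `audit` and `ansible_facts.packages` is keyed by RPM name. The condition is therefore dead and the task runs whenever the rule flags allow, which is harmless only because `package: state: present` is idempotent. Either use `'"audit" not in ansible_facts.packages'` or drop the extra condition, and note that `ansible_facts.packages` is only defined if `package_facts` ran earlier in prelim, which this hunk does not show.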
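Review bot: The authconfig `when` now ORs `'"auditd-lib" not in ansible_facts.packages'` onto the end of the rule-flag chain; the RPM is named `audit-libs`, so that clause is always true and the 5.3.x rule flags no longer have any effect — authconfig is installed whenever `rhel9cis_use_authconfig` is set. The package checks should be separate ANDed items rather than part of the OR chain, for example `- rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3` followed by `- '"authconfig" not in ansible_facts.packages'`. The cronie task just above has the right shape and can serve as the model.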
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 07a8285a..79935efd 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -37,7 +37,7 @@ - rule_1.2.2 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - command: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release + shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release when: - rhel9cis_rule_1_2_3 - ansible_distribution == "RedHat" @@ -76,7 +76,7 @@ - name: "1.2.5 | L1 | Ensure package manager repositories are configured" block: - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" - command: dnf repolist + shell: dnf repolist changed_when: false failed_when: false register: dnf_configured diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 6bd3bc21..56819b41 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -8,7 +8,7 @@ state: present - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" - command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 9f90c674..bcb8f890 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -45,7 +45,7 @@ - rule_3_4_2_3 - name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_4 diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml index 202daa02..4677b6a7 100644 --- a/tasks/section_3/cis_3.4.3.x.yml 
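Review bot: `shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"` now passes a variable through a shell, and double quotes do not stop `$(...)`, backticks or an embedded `"` in the value from being interpreted, so a zone name controlled via inventory or group_vars runs as root. Apply the quote filter, `shell: firewall-cmd --set-default-zone={{ rhel9cis_default_zone | quote }}`, as the 6.2.7 task in this same series already does. The task also reports changed and re-runs on every play; registering `firewall-cmd --get-default-zone` first and gating on `!= rhel9cis_default_zone` would make it idempotent.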
+++ b/tasks/section_3/cis_3.4.3.x.yml @@ -1,7 +1,7 @@ --- - name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables" - command: ip6tables -F + shell: ip6tables -F when: - rhel9cis_rule_3_4_3_1 - rhel9cis_firewall != "iptables" @@ -15,7 +15,7 @@ - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists" block: - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables" - command: nft list tables + shell: nft list tables changed_when: false failed_when: false register: rhel9cis_3_4_3_2_nft_tables @@ -31,13 +31,13 @@ debug: msg: - "Warning! You currently have no nft tables, please review your setup" - - 'Use the command "nft create table inet " to create a new table' + - 'Use the shell "nft create table inet
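Review bot: The task titled "Ensure iptables are flushed with nftables" runs only `ip6tables -F`, so on my reading the IPv4 ruleset is left in place unless a companion `iptables -F` task exists below this hunk. If it does not, cover both with `shell: "{{ item }} -F"` and `loop: [iptables, ip6tables]`. Note too that `-F` only flushes rules and leaves chain policies untouched, so a pre-existing DROP policy on INPUT would persist after this step.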
" to create a new table' when: - rhel9cis_3_4_3_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" - command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: no when: rhel9cis_nft_tables_autonewtable when: @@ -120,15 +120,15 @@ register: rhel9cis_3_4_3_4_ip6saddr - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' when: - rhel9cis_firewall == "nftables" 
@@ -154,27 +154,27 @@ register: rhel9cis_3_4_3_5_outconnectionrule - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept when: '"ip protocol tcp ct state established,related,new accept" not in 
rhel9cis_3_4_3_5_outconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' when: - rhel9cis_firewall == "nftables" 
@@ -212,19 +212,19 @@ register: rhel9cis_3_4_3_6_sshallowcheck - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout' when: - rhel9cis_firewall == "nftables" diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml index 5a60a5e6..1d24b7d6 100644 --- a/tasks/section_3/cis_3.5.yml +++ b/tasks/section_3/cis_3.5.yml 
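Review bot: The SSH allow rule is `tcp dport ssh accept`, i.e. port 22 only, and it is added immediately before the input chain policy is set to drop; if sshd on the target listens on another port the play locks itself and everyone else out. Make the port a role variable, for example `shell: nft add rule inet {{ rhel9cis_nft_tables_tablename | quote }} input tcp dport {{ rhel9cis_nft_ssh_port | default('ssh') }} accept`, or derive it from sshd_config. The policy guards match `priority 0;` but recent nftables prints named priorities (`priority filter;`), so those tasks will likely re-run and report changed on every play even when the policy is already drop — I have not verified this against the nft version shipped with RHEL 9.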
@@ -3,23 +3,21 @@ - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - command: rpm -q NetworkManager - changed_when: false - failed_when: false + shell: rpm -q NetworkManager +# changed_when: false +# failed_when: false check_mode: no - args: - warn: no register: rhel_09_nmcli_available - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - command: nmcli radio wifi + shell: nmcli radio wifi register: rhel_09_wifi_enabled changed_when: rhel_09_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_09_nmcli_available.rc == 0 - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - command: nmcli radio all off + shell: nmcli radio all off changed_when: false failed_when: false when: rhel_09_wifi_enabled is changed diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index b9d525ea..911e23c0 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -43,7 +43,7 @@ - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured" block: - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" - command: cat /etc/rsyslog.conf + shell: cat /etc/rsyslog.conf become: yes changed_when: false failed_when: no diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index d1992696..ece189be 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -1,7 +1,7 @@ --- - name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured" - command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + + shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml index 453f31b7..570e83cb 100644 
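Review bot: Commenting out `changed_when: false` and `failed_when: false` on `rpm -q NetworkManager` makes this audit step abort the play on any host where NetworkManager is not installed (rpm exits 1), even though the next task's `when: rhel_09_nmcli_available.rc == 0` shows a non-zero rc was meant to be handled, and a read-only query now reports changed on every run. Restore `changed_when: false` and `failed_when: false`, or use `failed_when: rhel_09_nmcli_available.rc not in [0, 1]` so genuine rpm errors still surface. Separately, `nmcli radio all off` does change state yet carries `changed_when: false`; it should report the change, since the earlier `rhel_09_wifi_enabled` result already tells you it happened.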
--- a/tasks/section_5/cis_5.5.1.x.yml +++ b/tasks/section_5/cis_5.5.1.x.yml @@ -52,7 +52,7 @@ register: rhel9cis_5_5_1_4_inactive_settings - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0 - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" @@ -62,7 +62,7 @@ changed_when: false - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" with_items: - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}" when: @@ -102,7 +102,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - command: passwd --expire {{ item }} + shell: passwd --expire {{ item }} when: - rhel9cis_5_5_1_5_user_list | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 856e6b44..5b23d838 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -63,7 +63,7 @@ - rule_5.5.3 - name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0" - command: usermod -g 0 root + shell: usermod -g 0 root changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml index 58eb7e54..973b1d6b 100644 --- a/tasks/section_5/cis_5.6.yml +++ b/tasks/section_5/cis_5.6.yml 
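Review bot: `shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"` interpolates user names taken from `rhel_09_5_5_1_4_audit.stdout_lines`, i.e. from the host's own account database, into a shell line; double quotes do not neutralise `$`, backticks or an embedded `"` in a name, so a crafted /etc/passwd or /etc/shadow entry would execute as root where `command` used to pass it as a single argv element. Use the quote filter on both values, `shell: chage --inactive {{ rhel9cis_inactivelock.lock_days | quote }} {{ item | quote }}`, as the 6.2.7 task in this series already does with `item.0 | quote`.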
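Review bot: `shell: passwd --expire {{ item }}` takes unquoted names from `rhel9cis_5_5_1_5_user_list`, a list built from the host's password database, so the same shell-metacharacter concern applies and it should be `{{ item | quote }}`. The loop clause sits below the visible lines, but whatever it is, without `| quote` an empty or whitespace-containing entry also silently becomes zero or several arguments to `passwd`.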
@@ -9,7 +9,7 @@ register: rhel9cis_securetty_check - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles" - command: cat /etc/securetty + shell: cat /etc/securetty changed_when: false register: rhel_09_5_6_audit when: rhel9cis_securetty_check.stat.exists diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index ad162e34..9650e5d6 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -182,7 +182,7 @@ - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist" block: - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - command: find "{{ item.mount }}" -xdev -nouser + shell: find "{{ item.mount }}" -xdev -nouser check_mode: false failed_when: false changed_when: false @@ -208,7 +208,7 @@ - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist" block: - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - command: find "{{ item.mount }}" -xdev -nogroup + shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 1edab263..43c57f21 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -1,7 +1,7 @@ --- - name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty" - command: passwd -l {{ item }} + shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" @@ -15,7 +15,7 @@ - rule_6.2.1 - name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" - command: sed -i '/^+/ d' /etc/passwd + shell: sed -i '/^+/ d' /etc/passwd changed_when: false failed_when: false when: 
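Review bot: `shell: passwd -l {{ item }}` with items from `empty_password_accounts.stdout_lines` interpolates names parsed from the shadow file unquoted into a shell, so a name containing shell metacharacters runs as root instead of being passed as one argument as `command` did; use `{{ item | quote }}`. The task also carries `failed_when: false` and `changed_when: false`, so an empty-password account that `passwd -l` fails to lock is never reported and the play shows no change — for a control whose whole purpose is that lock, let the task fail, or at least report changed when the loop runs.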
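Review bot: `shell: sed -i '/^+/ d' /etc/passwd` rewrites the account database in place without the `lckpwdf` lock that `vipw` and `useradd` take, and with `changed_when: false` it never reports that it removed anything. `lineinfile` does the same job with proper change reporting and a backup option: `path: /etc/passwd`, `regexp: '^\+'`, `state: absent`. The same applies to the /etc/shadow and /etc/group variants further down this file.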
@@ -74,7 +74,7 @@ - rule_6.2.3 - name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" - command: sed -i '/^+/ d' /etc/shadow + shell: sed -i '/^+/ d' /etc/shadow changed_when: false failed_when: false when: @@ -87,7 +87,7 @@ - skip_ansible_lint - name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group" - command: sed -i '/^+/ d' /etc/group + shell: sed -i '/^+/ d' /etc/group changed_when: false failed_when: false when: @@ -100,7 +100,7 @@ - skip_ansible_lint - name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account" - command: passwd -l {{ item }} + shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" @@ -122,7 +122,7 @@ register: rhel_09_6_2_7_audit - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0 register: rhel_09_6_2_7_patch_audit @@ -251,7 +251,7 @@ - rule_6.2.11 - name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible" - command: /bin/true + shell: /bin/true changed_when: false failed_when: false when: @@ -464,7 +464,7 @@ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0 register: rhel_09_6_2_20_patch_audit From 819c942d8f3664b4774c9b223999a4e89f4fe2e6 Mon Sep 17 00:00:00 2001 
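Review bot: The 6.2.20 task is named "Ensure all users' home directories exist" but its command, `find -H {{ item.0 | quote }} -not -type l -perm /027`, is the permission check from 6.2.7 and says nothing about whether the directory exists; with `changed_when` keyed on that output the task reports change for mode problems, not for missing homes. Unless a later task in the block handles existence (the rest of 6.2.20 is outside the hunk), this looks like a copy-paste leftover, and a `stat` on `{{ item.0 }}` followed by `file` with `state: directory` is what the rule actually calls for.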
From: Mark Bolwell Date: Thu, 13 Jan 2022 11:27:38 +0000 Subject: [PATCH 010/454] updated include/import tasks Signed-off-by: Mark Bolwell --- tasks/main.yml | 58 +++++++++++++++++++++++++--------------- tasks/section_1/main.yml | 24 ++++++++--------- tasks/section_2/main.yml | 8 +++--- tasks/section_3/main.yml | 20 +++++++------- tasks/section_4/main.yml | 14 +++++----- tasks/section_5/main.yml | 16 +++++------ tasks/section_6/main.yml | 4 +-- 7 files changed, 80 insertions(+), 64 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 843850ce..123858a8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -49,59 +49,75 @@ tags: - rule_5.7 -- include: prelim.yml - become: yes +- name: Gather the package facts + package_facts: + manager: auto + tags: + - always + +- name: Include preliminary steps + import_tasks: prelim.yml + become: tags: - prelim_tasks - always -- import_tasks: pre_remediation_audit.yml +- name: run pre_remediation audit + import_tasks: pre_remediation_audit.yml when: - run_audit -- name: Gather the package facts +- name: Gather the package facts after prelim package_facts: manager: auto tags: - always -- include: parse_etc_password.yml - become: yes +- name: capture /etc/password variables + include_tasks: parse_etc_password.yml when: rhel9cis_section6 -- include: section_1/main.yml - become: yes +- name: run Section 1 tasks + import_tasks: section_1/main.yml + become: true when: rhel9cis_section1 tags: - rhel9cis_section1 -- include: section_2/main.yml - become: yes +- name: run Section 2 tasks + import_tasks: section_2/main.yml + become: true when: rhel9cis_section2 -- include: section_3/main.yml - become: yes +- name: run Section 3 tasks + import_tasks: section_3/main.yml + become: true when: rhel9cis_section3 -- include: section_4/main.yml - become: yes +- name: run Section 4 tasks + import_tasks: section_4/main.yml + become: true when: rhel9cis_section4 -- include: section_5/main.yml - become: yes +- name: run Section 5 tasks + import_tasks: section_5/main.yml + become: true when: rhel9cis_section5 -- include: section_6/main.yml - become: yes +- name: run Section 6 tasks + import_tasks: section_6/main.yml + become: true when: rhel9cis_section6 -- include: post.yml - become: yes +- name: run post remediation tasks + import_tasks: post.yml + become: true tags: - post_tasks - always -- import_tasks: post_remediation_audit.yml +- name: run post_remediation audit + import_tasks: post_remediation_audit.yml when: - run_audit diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 5c7b083a..b8c8e8e5 100644 
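Review bot: The new "Include preliminary steps" task leaves `become:` empty, which YAML reads as null rather than the `become: yes` the removed `include` carried, so prelim.yml no longer escalates privileges; the line should read `become: true` like the section imports below it. The "capture /etc/password variables" include also dropped its `become: yes` with no replacement, which is fine only if parse_etc_password.yml reads world-readable files — worth confirming. Gathering `package_facts` twice (before and after prelim) is presumably deliberate so packages installed by prelim show up in later `ansible_facts.packages` checks; a one-line comment such as `# re-gather: prelim may install packages` would stop the next reader from deleting one of them.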
--- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -2,41 +2,41 @@ - name: "SECTION | 1.1 | FileSystem Configurations\n SECTION | 1.1.1.x | Disable unused filesystems" - include: cis_1.1.1.x.yml -- include: cis_1.1.x.yml + include_tasks: cis_1.1.1.x.yml +- include_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - include: cis_1.2.x.yml + include_tasks: cis_1.2.x.yml - name: "SECTION | 1.3 | Configure sudo" - include: cis_1.3.x.yml + include_tasks: cis_1.3.x.yml - name: "SECTION | 1.4 | Filesystem Integrity" - include: cis_1.4.x.yml + import_tasks: cis_1.4.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.5 | Secure Boot Settings" - include: cis_1.5.x.yml + include_tasks: cis_1.5.x.yml - name: "SECTION | 1.6 | Additional Process Hardening" - include: cis_1.6.x.yml + include_tasks: cis_1.6.x.yml - name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - include: cis_1.7.1.x.yml + import_tasks: cis_1.7.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.8 | Warning Banners" - include: cis_1.8.1.x.yml + include_tasks: cis_1.8.1.x.yml - name: "SECTION | 1.9 | Updated and Patches" - include: cis_1.9.yml + include_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - include: cis_1.10.yml + import_tasks: cis_1.10.yml when: - not system_is_ec2 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - include: cis_1.11.yml + import_tasks: cis_1.11.yml when: - not system_is_ec2 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 1c99c032..f2ed2325 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml 
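Review bot: Converting the unconditional section includes to `include_tasks:` (here and in the section_2 to section_6 hunks that follow) changes how the role's `rule_*` and `level1-*` tags behave: a dynamic include is itself an untagged task, so a run such as `--tags rule_1.1.1` skips the include and never loads the tagged tasks inside cis_1.1.1.x.yml. The files that received `import_tasks:` (those with a `when:`) are expanded statically and keep working with tag selection, so the role now honours per-rule tags for some sections and silently not for others; whether the deprecated `include` behaved statically here is from memory, so a tag-filtered test run is the quickest confirmation. Using `import_tasks:` throughout, or adding `tags: always` to each `include_tasks:`, keeps per-rule runs working.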
@@ -1,13 +1,13 @@ --- - name: "SECTION | 2.1 | xinetd" - include: cis_2.1.1.yml + include_tasks: cis_2.1.1.yml - name: "SECTION | 2.2.1 | Time Synchronization" - include: cis_2.2.1.x.yml + include_tasks: cis_2.2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - include: cis_2.2.x.yml + include_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - include: cis_2.3.x.yml + include_tasks: cis_2.3.x.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 752ba852..7d6af68a 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,41 +1,41 @@ --- - name: "SECTION | 3.1.x | Packet and IP redirection" - include: cis_3.1.x.yml + include_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - include: cis_3.2.x.yml + include_tasks: cis_3.2.x.yml - name: "SECTION | 3.3.x | Uncommon Network Protocols" - include: cis_3.3.x.yml + include_tasks: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | firewall defined" - include: cis_3.4.1.1.yml + include_tasks: cis_3.4.1.1.yml - name: "SECTION | 3.4.2.x | firewalld firewall" - include: cis_3.4.2.x.yml + import_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "firewalld" - name: "SECTION | 3.4.3.x | Configure nftables firewall" - include: cis_3.4.3.x.yml + import_tasks: cis_3.4.3.x.yml when: - rhel9cis_firewall == "nftables" - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - include: cis_3.4.4.1.x.yml + import_tasks: cis_3.4.4.1.x.yml when: - rhel9cis_firewall == "iptables" - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - include: cis_3.4.4.2.x.yml + import_tasks: cis_3.4.4.2.x.yml when: - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - name: "SECTION | 3.5 | Configure wireless" - include: cis_3.5.yml + include_tasks: cis_3.5.yml - name: "SECTION | 3.5 | disable IPv6" - include: cis_3.5.yml + import_tasks: cis_3.5.yml when: - not rhel9cis_ipv6_required 
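Review bot: The "SECTION | 3.5 | disable IPv6" entry imports `cis_3.5.yml`, the same file the "Configure wireless" include directly above it loads unconditionally, so when `rhel9cis_ipv6_required` is false the wireless tasks run a second time and no IPv6-disabling tasks run at all. The old side had the same pair, but the rewrite kept it; the import should point at the file that actually holds the IPv6 rule (`import_tasks: <ipv6-task-file>.yml`), or the entry should go until that file exists.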
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index aecac9f5..910a9e24 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,23 +1,23 @@ --- - name: "SECTION | 4.1| Configure System Accounting (auditd)" - include: cis_4.1.1.x.yml + include_tasks: cis_4.1.1.x.yml - name: "SECTION | 4.1.2.x| Configure Data Retention" - include: cis_4.1.2.x.yml + include_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.x| Auditd rules" - include: cis_4.1.x.yml + include_tasks: cis_4.1.x.yml - name: "SECTION | 4.2.x| Configure Logging" - include: cis_4.2.1.x.yml + import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2.x| Configure journald" - include: cis_4.2.2.x.yml + include_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" - include: cis_4.2.3.yml + include_tasks: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - include: cis_4.3.yml + include_tasks: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index f290165e..6195af5b 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -1,27 +1,27 @@ --- - name: "SECTION | 5.1 | Configure time-based job schedulers" - include: cis_5.1.x.yml + include_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - include: cis_5.2.x.yml + include_tasks: cis_5.2.x.yml - name: "SECTION | 5.3 | Configure Profiles" - include: cis_5.3.x.yml + import_tasks: cis_5.3.x.yml when: - rhel9cis_use_authconfig - name: "SECTION | 5.4 | Configure PAM " - include: cis_5.4.x.yml + include_tasks: cis_5.4.x.yml - name: "SECTION | 5.5.1.x | Passwords and Accounts" - include: cis_5.5.1.x.yml + include_tasks: cis_5.5.1.x.yml - name: "SECTION | 5.5.x | System Accounts and User Settings" - include: cis_5.5.x.yml + include_tasks: cis_5.5.x.yml - name: "SECTION | 5.6 | Root Login" - include: cis_5.6.yml + include_tasks: cis_5.6.yml - name: Section | 5.7 | su Command Restriction - include: cis_5.7.yml + include_tasks: cis_5.7.yml diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index bf6943af..479b9c86 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,7 @@ --- - name: "SECTION | 6.1 | System File Permissions" - include: cis_6.1.x.yml + include_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - include: cis_6.2.x.yml + include_tasks: cis_6.2.x.yml From e9a390c693feaa0681685272571ad88e6f306213 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 11:40:59 +0000 Subject: [PATCH 011/454] updated checks to assertions Signed-off-by: Mark Bolwell --- tasks/main.yml | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 123858a8..89e9ffc3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,25 +1,29 @@ --- # tasks file for RHEL9-CIS - name: Check OS version and family - fail: - msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - when: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version == 8 or - ansible_distribution_major_version == 9 + assert: + that: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version |int >= 8 + fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + success_msg: "Supported OS release and version" tags: - always - name: Check ansible version - fail: - msg: You must use ansible 2.9 or greater - when: not ansible_version.full is version_compare('2.9', '>=') + assert: + that: + - "ansible_version.full is version_compare ('2.9', '>=')" + fail_msg: "You must use ansible 2.9 or greater" + success_msg: "Supported ansible_version" tags: - always - name: Check crypto-policy input assert: that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies + fail_msg: "Crypto policy is not a permitted version" + success_msg: "Crypto policy is a permitted version" - name: Check rhel9cis_bootloader_password_hash variable has been changed assert: From 66814a6f016b55b7c75436c397c8654b966305a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 11:46:13 +0000 Subject: [PATCH 012/454] added args warn for shell Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 ++ tasks/post.yml | 4 ++++ tasks/post_remediation_audit.yml | 6 +++++- tasks/pre_remediation_audit.yml | 6 +++++- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 89e9ffc3..29e0a198 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
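Review bot: The new OS assertion accepts any major version of 8 or above (`ansible_distribution_major_version |int >= 8`) while `fail_msg` promises the role is limited to RHEL 8 or 9, so an untested future release passes the gate; `- ansible_distribution_major_version | int in [8, 9]` matches the message and the role's tested scope. The crypto-policy assertion remains the only one of the three pre-flight checks without `tags: - always`, so a tag-filtered run bypasses it and an unsupported `rhel9cis_crypto_policy` value reaches the `update-crypto-policies --set` tasks unchecked.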
@@ -37,6 +37,8 @@ block: - name: "Check su group exists if defined" shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + args: + warn: false register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 diff --git a/tasks/post.yml b/tasks/post.yml index a3eae23f..ec5c5c36 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -8,6 +8,8 @@ - name: trigger update sysctl shell: /bin/true + args: + warn: false changed_when: false check_mode: false notify: update sysctl @@ -30,6 +32,8 @@ - name: trigger update auditd shell: /bin/true + args: + warn: false notify: update auditd changed_when: false check_mode: false diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 9a14c5c0..c1c413fb 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - vars: + args: warn: false - name: Post Audit | ensure audit files readable by users @@ -18,6 +18,8 @@ block: - name: "capture data {{ post_audit_outfile }}" shell: "cat {{ post_audit_outfile }}" + args: + warn: false register: post_audit changed_when: false @@ -33,6 +35,8 @@ block: - name: "Post Audit | capture data {{ post_audit_outfile }}" shell: "tail -2 {{ post_audit_outfile }}" + args: + warn: false register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 2821cd20..4fca3c5f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
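Review bot: The `args: warn: false` entries added here and across the rest of this series (post.yml, pre/post_remediation_audit.yml, handlers/main.yml and the section task files in the following hunks) use a command/shell parameter that ansible-core deprecated in 2.11 and has since removed (2.14, as far as I recall), so on a current ansible-core each of these tasks fails with an unsupported-parameter error before it runs. The warning being silenced is the "consider using the X module" hint, and several of these tasks are plain invocations it is right about; for this one, `command: grep -w {{ rhel9cis_sugroup | quote }} /etc/group` removes both the warning and the unquoted variable handed to a shell. Where a pipeline genuinely needs `shell:`, leaving the warning in place is preferable to hard-coding a parameter that pins the role to old ansible-core releases.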
@@ -86,13 +86,15 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - vars: + args: warn: false - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" shell: "cat {{ pre_audit_outfile }}" + args: + warn: false register: pre_audit changed_when: false @@ -108,6 +110,8 @@ block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" shell: "tail -2 {{ pre_audit_outfile }}" + args: + warn: false register: pre_audit changed_when: false From 95d81526031b652042711abfe0d81fcba782739a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 12:08:30 +0000 Subject: [PATCH 013/454] added args warn for shell Signed-off-by: Mark Bolwell --- handlers/main.yml | 6 +++- tasks/check_prereqs.yml | 6 ++-- tasks/section_1/cis_1.1.x.yml | 4 ++- tasks/section_1/cis_1.10.yml | 2 ++ tasks/section_1/cis_1.11.yml | 2 ++ tasks/section_1/cis_1.2.x.yml | 6 ++-- tasks/section_1/cis_1.4.x.yml | 5 +-- tasks/section_1/cis_1.7.1.x.yml | 2 ++ tasks/section_2/cis_2.2.x.yml | 4 +-- tasks/section_3/cis_3.4.2.x.yml | 6 ++++ tasks/section_3/cis_3.4.3.x.yml | 58 ++++++++++++++++++++++++++++++- tasks/section_3/cis_3.4.4.1.x.yml | 4 +++ tasks/section_3/cis_3.5.yml | 12 +++---- tasks/section_4/cis_4.1.1.x.yml | 4 +++ tasks/section_4/cis_4.1.x.yml | 2 ++ tasks/section_4/cis_4.2.1.x.yml | 2 ++ tasks/section_4/cis_4.2.3.yml | 2 ++ tasks/section_5/cis_5.2.x.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 12 ++++--- tasks/section_5/cis_5.5.1.x.yml | 14 ++++++++ tasks/section_5/cis_5.5.x.yml | 2 ++ tasks/section_5/cis_5.6.yml | 2 ++ tasks/section_6/cis_6.1.x.yml | 12 ++++++- tasks/section_6/cis_6.2.x.yml | 40 +++++++++++++++++++++ 24 files changed, 187 insertions(+), 24 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 628d4818..e512f6b2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -89,6 +89,8 @@ - name: reload dconf become: yes shell: dconf update + args: + warn: false - name: update auditd template: @@ -105,7 +107,7 @@ check_mode: no failed_when: no args: - warn: no + warn: false when: - not rhel9cis_skip_for_travis tags: @@ -113,6 +115,8 @@ - name: grub2cfg shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" + args: + warn: false ignore_errors: True tags: - skip_ansible_lint diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index cdaf9309..36f19993 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -4,10 +4,10 @@ block: - name: Check if python36-rpm package installed shell: rpm -q python36-rpm - failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) - changed_when: false args: warn: false + failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) + changed_when: false register: python36_rpm_present - name: Add the EPEL repository required for the python36-rpm pkg @@ -29,6 +29,8 @@ - name: Disable Epel repo if installed earlier shell: yum-config-manager disable epel + args: + warn: false when: epel_installed.changed when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 65e2260d..279084dc 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -252,6 +252,8 @@ 1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence 1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" shell: mount -l | grep -E '\s/dev/shm\s' + args: + warn: false changed_when: false failed_when: false check_mode: no 
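Review bot: The handlers hunks normalise `warn: no` to `warn: false` but leave `become: yes`, `check_mode: no`, `failed_when: no` and `ignore_errors: True` in the very same tasks, so the file now mixes four spellings of the same booleans; yamllint's `truthy` rule and ansible-lint flag the non-`true`/`false` forms. One pass to `become: true`, `check_mode: false`, `failed_when: false`, `ignore_errors: true` would settle it, and the same mix appears in the check_prereqs.yml and cis_1.1.x.yml hunks on this line.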
@@ -306,7 +308,7 @@ - name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t args: - warn: no + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 91b8cade..6b4a1611 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -4,6 +4,8 @@ shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies + args: + warn: false when: - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' diff --git a/tasks/section_1/cis_1.11.yml b/tasks/section_1/cis_1.11.yml index 34245b18..bfd88069 100644 --- a/tasks/section_1/cis_1.11.yml +++ b/tasks/section_1/cis_1.11.yml @@ -4,6 +4,8 @@ shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies + args: + warn: false when: - rhel9cis_rule_1_11 - system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 79935efd..12c4d03d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -38,6 +38,8 @@ - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release + args: + warn: false when: - rhel9cis_rule_1_2_3 - ansible_distribution == "RedHat" @@ -77,12 +79,12 @@ block: - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" shell: dnf repolist + args: + warn: false changed_when: false failed_when: false register: dnf_configured check_mode: no - args: - warn: false - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: 
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 56819b41..a5b1f3b5 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -9,12 +9,13 @@ - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + args: + warn: false + creates: /var/lib/aide/aide.db.gz changed_when: false failed_when: false async: 45 poll: 0 - args: - creates: /var/lib/aide/aide.db.gz when: not ansible_check_mode when: - rhel9cis_config_aide diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml index ea1f8056..378da5cd 100644 --- a/tasks/section_1/cis_1.7.1.x.yml +++ b/tasks/section_1/cis_1.7.1.x.yml @@ -66,6 +66,8 @@ block: - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + args: + warn: false register: rhelcis_1_7_1_5_unconf_daemons failed_when: false changed_when: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f6203dab..08197cca 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -5,7 +5,7 @@ - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" shell: rpm -qa | grep xorg-x11 args: - warn: no + warn: false failed_when: xorg_x11_installed.rc >=2 check_mode: no changed_when: false @@ -14,7 +14,7 @@ - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" shell: "dnf remove {{ item }}" args: - warn: no + warn: false with_items: - xorg_x11_installed.stdout_lines when: xorg_x11_installed.stdout | length > 0 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index bcb8f890..1a13db99 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
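Review bot: The 2.2.2 removal task receiving `warn: false` in the cis_2.2.x.yml hunk still loops over a literal string: `with_items: - xorg_x11_installed.stdout_lines` is not templated, so the single iteration runs `dnf remove xorg_x11_installed.stdout_lines`, which dnf rejects — and with no `-y` it would abort non-interactively even for a real package name, failing the play whenever X packages are found. The package module removes both problems in three lines: `dnf:` / `  name: "{{ xorg_x11_installed.stdout_lines }}"` / `  state: absent`. The preceding audit could likewise consult `ansible_facts.packages` (gathered with `tags: always` in main.yml) instead of `rpm -qa | grep`, which would drop that shell task and its warning entirely.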
@@ -46,6 +46,8 @@ - name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set" shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + args: + warn: false when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_4 @@ -59,6 +61,8 @@ block: - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -82,6 +86,8 @@ block: - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + args: + warn: false changed_when: false failed_when: false check_mode: no diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml index 4677b6a7..46c8f017 100644 --- a/tasks/section_3/cis_3.4.3.x.yml +++ b/tasks/section_3/cis_3.4.3.x.yml @@ -2,6 +2,8 @@ - name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables" shell: ip6tables -F + args: + warn: false when: - rhel9cis_rule_3_4_3_1 - rhel9cis_firewall != "iptables" @@ -16,6 +18,8 @@ block: - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables" shell: nft list tables + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_2_nft_tables @@ -38,6 +42,8 @@ - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + args: + warn: false failed_when: no when: rhel9cis_nft_tables_autonewtable when: 
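Review bot: The 3.4.3.1 task is titled "Ensure iptables are flushed with nftables" but the only command is `ip6tables -F`; if no companion `iptables -F` task exists beyond this hunk (the file continues past the shown lines), IPv4 rules from a previous firewall stay active alongside the nftables ruleset, which is exactly what the rule exists to prevent. The 3.4.3.2 "Create table if needed" task carries `failed_when: no` and no `changed_when`, so it reports a change on every run even when `nft create table` fails because the table already exists; gating it on the `rhel9cis_3_4_3_2_nft_tables` result registered in the previous hunk and adding a `changed_when` keyed on the command's rc would keep it idempotent and stop masking real failures.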
@@ -53,18 +59,24 @@ block: - name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT" shell: nft list ruleset | grep 'hook input' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_3_input_chains - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" shell: nft list ruleset | grep 'hook forward' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_3_forward_chains - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" shell: nft list ruleset | grep 'hook output' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_3_output_chains @@ -83,7 +95,7 @@ - name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed" shell: "{{ item }}" args: - warn: no + warn: false failed_when: no with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } 
@@ -103,32 +115,44 @@ block: - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_4_iiflo - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_4_ipsaddr - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_4_ip6saddr - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + args: + warn: false when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + args: + warn: false when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + args: + warn: false when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' when: - rhel9cis_firewall == "nftables" 
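Review bot: The 3.4.3.4 patch tasks compare the live ruleset against strings that embed counter values — `"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"` and `"ip6 saddr ::1 counter packets 0 bytes 0 drop"` — so once the rule has matched a single packet the check stops matching and `nft add rule` appends a duplicate on every subsequent run. Comparing on the rule text up to the counter keyword, e.g. `when: '"ip saddr 127.0.0.0/8 counter" not in rhel9cis_3_4_3_4_ipsaddr.stdout'`, is stable regardless of traffic. The `ct state` checks in the 3.4.3.5 hunk on the next lines omit the counters and do not have this problem.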
@@ -143,38 +167,54 @@ block: - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_5_inconnectionrule - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_5_outconnectionrule - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + args: + warn: false when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + args: + warn: false when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + args: + warn: false when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept 
policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + args: + warn: false when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + args: + warn: false when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + args: + warn: false when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' when: - rhel9cis_firewall == "nftables" 
@@ -189,42 +229,58 @@ block: - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_inputpolicy - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_forwardpolicy - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_outputpolicy - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_sshallowcheck - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + args: + warn: false when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + args: + warn: false when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { 
policy drop \; } + args: + warn: false when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + args: + warn: false when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout' when: - rhel9cis_firewall == "nftables" diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.4.1.x.yml index edeb4980..e36fa3b9 100644 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ b/tasks/section_3/cis_3.4.4.1.x.yml @@ -85,12 +85,16 @@ block: - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports" shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_4_1_4_otcp - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports" shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_4_1_4_oudp diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml index 1d24b7d6..59b3e649 100644 --- a/tasks/section_3/cis_3.5.yml +++ b/tasks/section_3/cis_3.5.yml 
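Review bot: The 3.4.3.6 "Enable SSH traffic" task checks for the literal `"tcp dport ssh accept"`, but current nft releases print the port numerically (`tcp dport 22 accept`) in `nft list table` output unless service-name output is requested, so the check is likely never satisfied and the accept rule is appended on every run; confirm against real output and, if so, match on `tcp dport 22 accept` or accept either spelling. Because the three policy-drop tasks below it only add `policy drop` when it is absent, that SSH allow is the one thing standing between this rule and locking out remote management, so its idempotence check deserves a real test. The netstat-based port discovery in the cis_3.4.4.1.x.yml hunk on this line greps for `udp.*LISTEN`, which netstat never prints for UDP sockets, so `rhel9cis_3_4_4_1_4_oudp` is presumably always empty — `ss -lun` or `netstat -anu` is what that audit needs.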
@@ -2,15 +2,10 @@ - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - shell: rpm -q NetworkManager -# changed_when: false -# failed_when: false - check_mode: no - register: rhel_09_nmcli_available - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" shell: nmcli radio wifi + args: + warn: false register: rhel_09_wifi_enabled changed_when: rhel_09_wifi_enabled.stdout != "disabled" failed_when: false @@ -18,10 +13,13 @@ - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" shell: nmcli radio all off + args: + warn: false changed_when: false failed_when: false when: rhel_09_wifi_enabled is changed when: + - '"NetworkManager" in ansible_facts.packages' - rhel9cis_rule_3_5 tags: - level1-server diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 69c395d4..43dab23f 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -41,6 +41,8 @@ block: - name: "4.1.1.3 | L2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -74,6 +76,8 @@ block: - name: "4.1.1.4 | L2 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + args: + warn: false changed_when: false failed_when: false check_mode: no diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index fd43b3cb..e54265e7 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml 
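Review bot: The `Disable wifi if enabled` task in the second hunk keeps `failed_when: false` and `changed_when: false`, so a failed `nmcli radio all off` is reported as success and a successful one is never reported as a change, which hides the state of a hardening control. Since the task only runs when `rhel_09_wifi_enabled is changed`, replacing those two lines with `changed_when: true` makes a failure visible and the change report accurate. The first hunk also removes the task that registered `rhel_09_nmcli_available`; any remaining `when` in this file that still references it will error on an undefined variable (a later patch on this page removes that guard). The new `"NetworkManager" in ansible_facts.packages` condition presumes `package_facts` has been gathered earlier in the play.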
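Review bot: Both `args: warn: false` additions in this file (and the same addition throughout this patch) pass a `shell` parameter that, as I recall, was deprecated in ansible-core 2.11 and slated for removal in 2.14; on a controller at or beyond that version the task fails with an unsupported-parameter error instead of silencing a warning. The warning being suppressed here is only the hint to use `lineinfile`/`replace`, and these two tasks are read-only `grep | sed` audits, so the hint is harmless and the `args` block can simply be dropped. If the warning is unwanted, configure it once in `ansible.cfg` rather than on every task.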
@@ -121,6 +121,8 @@ block: - name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + args: + warn: false changed_when: false failed_when: false check_mode: no diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 911e23c0..63b86c58 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -44,6 +44,8 @@ block: - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" shell: cat /etc/rsyslog.conf + args: + warn: false become: yes changed_when: false failed_when: no diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index ece189be..bd13030a 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -2,6 +2,8 @@ - name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured" shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + + args: + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index cce02269..0629cc7f 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -334,7 +334,7 @@ - name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd args: - warn: no + warn: false notify: restart sshd when: - rhel9cis_rule_5_2_20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index c643b0e5..7e2242ea 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -4,6 +4,8 @@ block: - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles" shell: 'authselect current | grep "Profile ID: custom/"' + args: + warn: false failed_when: false changed_when: false check_mode: no 
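Review bot: The task is named 4.1.12 "Ensure successful file system mounts are collected", but the command walks every `/dev`-backed mount for SUID/SGID files (`-perm -4000 -o … -perm -2000`), i.e. it gathers the privileged-command list, and the `prelim.yml` task registered as `priv_procs` elsewhere in this series runs the identical pipeline. Renaming the task to what it does, or reusing the prelim result instead of re-scanning every filesystem, avoids a misleading audit line. `$i` is also unquoted, so a mount point containing whitespace is split into several `find` arguments; `find "$i" …` fixes that.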
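Review bot: The 4.2.3 PATCH runs `find /var/log -type f -exec chmod g-wx,o-rwx "{}" +` with both `failed_when: false` and `changed_when: false`, so a permission fix that fails (read-only or immutable file) is reported as success and a fix that succeeds is never reported as a change. If the shell form is kept, at least drop `failed_when: false` so a non-zero exit from `find`/`chmod` surfaces. The same control with honest change tracking is a `find` module call followed by `file`:

```yaml
- name: "4.2.3 | L1 | AUDIT | Ensure permissions on all logfiles are configured | Find log files"
  find:
    paths: /var/log
    file_type: file
    recurse: true
    hidden: true
  register: rhel9cis_4_2_3_logfiles

- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured"
  file:
    path: "{{ item.path }}"
    mode: g-wx,o-rwx
  loop: "{{ rhel9cis_4_2_3_logfiles.files }}"
  loop_control:
    label: "{{ item.path }}"
  # … unchanged: when / tags …
```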
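Review bot: The 5.2.20 task has no `changed_when`, so the `sed -ri` reports changed on every play and `notify: restart sshd` restarts sshd on every run even when `CRYPTO_POLICY` was already commented out. The `replace` module performs the same edit idempotently and only notifies when a line actually changed:

```yaml
replace:
  path: /etc/sysconfig/sshd
  regexp: '^\s*(CRYPTO_POLICY\s*=.*)$'
  replace: '# \1'
notify: restart sshd
# … unchanged: when / tags …
```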
@@ -18,7 +20,7 @@ - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_3_1 @@ -34,7 +36,7 @@ - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features" shell: "authselect current" args: - warn: no + warn: false failed_when: false changed_when: false check_mode: no @@ -49,7 +51,7 @@ - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_3_2 @@ -64,6 +66,8 @@ block: - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" shell: "authselect current | grep with-faillock" + args: + warn: false failed_when: false changed_when: false check_mode: no @@ -78,7 +82,7 @@ - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_3_3 diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml index 570e83cb..3ad80a6a 100644 --- a/tasks/section_5/cis_5.5.1.x.yml +++ b/tasks/section_5/cis_5.5.1.x.yml @@ -46,6 +46,8 @@ block: - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + args: + warn: false changed_when: false failed_when: false check_mode: no 
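Review bot: In the 5.3.3 `Create custom profiles` task, `authselect select custom/… with-faillock` sets the profile's feature list to exactly `with-faillock`, so any features chosen in 5.3.2 through `rhel9cis_authselect['options']` (such as `with-sudo` or `with-mkhomedir`) are dropped whenever this task runs, which is a PAM regression rather than a hardening. `authselect enable-feature with-faillock` adds the feature to the currently selected profile without touching the others; alternatively include `with-faillock` in `rhel9cis_authselect['options']` and let 5.3.2 do the single `select`. The enclosing block starts before this hunk.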
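Review bot: The 5.5.1.4 `Check current settings` audit greps for `INACTIVE={{ rhel9cis_inactivelock.lock_days }}` as an unanchored substring, so with `lock_days` set to 30 a current `INACTIVE=300` is accepted as compliant and the `Set default inactive setting` task is skipped. Anchoring the match, `useradd -D | grep -x "INACTIVE={{ rhel9cis_inactivelock.lock_days }}" | cut -f2 -d=`, makes the comparison exact while keeping the `stdout | length == 0` condition downstream unchanged. The enclosing block continues past this hunk.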
@@ -53,16 +55,22 @@ - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + args: + warn: false when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0 - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + args: + warn: false check_mode: no register: rhel_09_5_5_1_4_audit changed_when: false - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + args: + warn: false with_items: - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}" when: @@ -77,6 +85,8 @@ block: - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) + args: + warn: false failed_when: false changed_when: false check_mode: no @@ -84,6 +94,8 @@ - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -103,6 +115,8 @@ - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" shell: passwd --expire {{ item }} + args: + warn: false when: - rhel9cis_5_5_1_5_user_list | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 5b23d838..6d1fcf3c 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
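Review bot: In the `Getting user list` task the regex `^[^:]+:[^\!*]` reaches `egrep` unquoted, so the shell treats `[^:]+`, `[^\!*]` and `*` as glob patterns and expands them if anything in the working directory matches, and `\!` inside the bracket excludes backslashes as well as `!`. Quoting it pins the regex: `shell: "egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1"` (outer YAML quotes become double so the inner single quotes are literal; `grep -E` is the current spelling of `egrep`). Lower in the hunk, `passwd --expire {{ item }}` interpolates a name read from `/etc/shadow` straight into a shell line; `passwd --expire {{ item | quote }}` is the cheap guard for the same pattern.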
@@ -64,6 +64,8 @@ - name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0" shell: usermod -g 0 root + args: + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml index 973b1d6b..6262c3c2 100644 --- a/tasks/section_5/cis_5.6.yml +++ b/tasks/section_5/cis_5.6.yml @@ -10,6 +10,8 @@ - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles" shell: cat /etc/securetty + args: + warn: false changed_when: false register: rhel_09_5_6_audit when: rhel9cis_securetty_check.stat.exists diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 9650e5d6..c596ed13 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: no + warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -152,6 +152,8 @@ block: - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + args: + warn: false failed_when: false changed_when: false register: rhel_09_6_1_10_perms_results @@ -183,6 +185,8 @@ block: - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" shell: find "{{ item.mount }}" -xdev -nouser + args: + warn: false check_mode: false failed_when: false changed_when: false @@ -209,6 +213,8 @@ block: - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" shell: find "{{ item.mount }}" -xdev -nogroup + args: + warn: false check_mode: false failed_when: false changed_when: false 
@@ -235,6 +241,8 @@ block: - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + args: + warn: false failed_when: false changed_when: false register: rhel_09_6_1_13_perms_results @@ -266,6 +274,8 @@ block: - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + args: + warn: false failed_when: false changed_when: false register: rhel_09_6_1_14_perms_results diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 43c57f21..8464790b 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -2,6 +2,8 @@ - name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty" shell: passwd -l {{ item }} + args: + warn: false changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" @@ -16,6 +18,8 @@ - name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" shell: sed -i '/^+/ d' /etc/passwd + args: + warn: false changed_when: false failed_when: false when: @@ -31,6 +35,8 @@ block: - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value" shell: 'echo $PATH | grep ::' + args: + warn: false check_mode: no register: path_colon changed_when: False @@ -38,6 +44,8 @@ - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end" shell: 'echo $PATH | grep :$' + args: + warn: false check_mode: no register: path_colon_end changed_when: False @@ -45,6 +53,8 @@ - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + args: + warn: false check_mode: no register: dot_in_path changed_when: False 
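Review bot: 6.2.1 is labelled `AUDIT` but its task runs `passwd -l {{ item }}` over every account in `empty_password_accounts`, i.e. it changes the system, and with `changed_when: false` and `failed_when: false` neither the lock nor a failed lock is ever reported. Relabel it `PATCH` and replace those two lines with `changed_when: true`, since each loop item is an account that genuinely had an empty password and a failure to lock one should stop the play rather than pass silently.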
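Review bot: The first two 6.2.3 audits, `echo $PATH | grep ::` and `echo $PATH | grep :$`, inspect the PATH of the non-login shell Ansible spawns for the task rather than root's login environment, whereas the third task deliberately uses `/bin/bash --login -c 'env | grep ^PATH='`. Using the same login-shell form for all three, e.g. `/bin/bash --login -c 'echo $PATH' | grep ::`, makes the three checks examine the same PATH; as written, the first two can pass while the third reports a finding on the same host.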
@@ -75,6 +85,8 @@ - name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" shell: sed -i '/^+/ d' /etc/shadow + args: + warn: false changed_when: false failed_when: false when: @@ -88,6 +100,8 @@ - name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group" shell: sed -i '/^+/ d' /etc/group + args: + warn: false changed_when: false failed_when: false when: @@ -101,6 +115,8 @@ - name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account" shell: passwd -l {{ item }} + args: + warn: false changed_when: false failed_when: false with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" @@ -123,6 +139,8 @@ - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 + args: + warn: false check_mode: false changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0 register: rhel_09_6_2_7_patch_audit @@ -198,6 +216,8 @@ block: - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" shell: find /home/ -name "\.*" -perm /g+w,o+w + args: + warn: false changed_when: false failed_when: false register: rhel9cis_6_2_9_audit @@ -252,6 +272,8 @@ - name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible" shell: /bin/true + args: + warn: false changed_when: false failed_when: false when: @@ -279,6 +301,8 @@ block: - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + args: + warn: false changed_when: false failed_when: false check_mode: false 
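Review bot: The 6.2.12 PATCH body is `shell: /bin/true` with `changed_when: false`, so "Ensure users' .netrc Files are not group or world accessible" is a no-op that nevertheless runs as an applied control whenever its `when` is true. Either implement it — a `find` over the users' home directories for `.netrc` followed by `file` with `mode: go-rwx` (or removal, if that is the remediation the benchmark prescribes) — or mark the rule as not implemented in the defaults so it is not reported as done. The `args: warn: false` added here suppresses a warning on a command that does nothing and can go with the placeholder.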
@@ -305,6 +329,8 @@ block: - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + args: + warn: false changed_when: false failed_when: false register: user_uid_check @@ -330,6 +356,8 @@ block: - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + args: + warn: false changed_when: false failed_when: false register: user_user_check @@ -355,6 +383,8 @@ block: - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + args: + warn: false changed_when: false failed_when: false register: user_username_check @@ -380,6 +410,8 @@ block: - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -406,6 +438,8 @@ block: - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id" shell: "getent group shadow | cut -d: -f3" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -413,6 +447,8 @@ - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group" shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -420,6 +456,8 @@ - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow" shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'" + args: + warn: false changed_when: false failed_when: false check_mode: no 
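Review bot: The 6.2.18 `Check for duplicate group names` task reads `getent passwd`, so it detects duplicate user names (which 6.2.17 already covers) and never a duplicate group name; the command should be `getent group | cut -d: -f1 | sort | uniq -d` (`sort -n` is meaningless on names, and `uniq -d` only needs a plain sort). In the 6.2.15–6.2.17 tasks above it, `pwck -r` is piped into an `awk` that is given `/etc/passwd` or `/etc/group` as a file argument, so the `pwck` output is discarded and each pipeline reduces to `awk -F: '…' <file>`; dropping `pwck -r |` removes a misleading dependency on its exit status and output format.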
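Review bot: In `Check /etc/group for empty shadow group`, the pattern `^shadow:[^:]*:[^:]*:[^:]+` is given to plain `grep`, where `+` in a basic regular expression is a literal character, so the line matches only a member list containing a literal `+` and the audit reports the shadow group empty regardless of its members; the pattern is also unquoted, leaving `[` and `*` to shell globbing. Use an extended regex and quote it: `grep -E '^shadow:[^:]*:[^:]*:[^:]+' /etc/group`.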
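Review bot: The `Check for users assigned to shadow` task splices `{{ rhel9cis_shadow_gid.stdout }}` into the awk program; when the preceding gid lookup returned nothing (no `shadow` group, or its `failed_when: false` hid an error), the program becomes `$4 ==  {print $1}`, awk exits with a syntax error, and `failed_when: false` turns that into an empty, apparently compliant result. Guard it with `when: rhel9cis_shadow_gid.stdout | length > 0` so the audit is skipped visibly rather than silently passed.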
@@ -465,6 +503,8 @@ - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 + args: + warn: false check_mode: false changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0 register: rhel_09_6_2_20_patch_audit From 40530c594c3ff338fb3c1ec524f5f25db9222a5d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 12:31:18 +0000 Subject: [PATCH 014/454] fixed changed_when for auditd sysctl Signed-off-by: Mark Bolwell --- tasks/post.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index ec5c5c36..89d85846 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -10,7 +10,7 @@ shell: /bin/true args: warn: false - changed_when: false + changed_when: true check_mode: false notify: update sysctl when: @@ -35,7 +35,7 @@ args: warn: false notify: update auditd - changed_when: false + changed_when: true check_mode: false when: - rhel9cis_rule_4_1_3 or From ca7b275c88d00dc69148ce0a83cc072d9a47cdfd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 12:31:41 +0000 Subject: [PATCH 015/454] fixed improved logic Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.5.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml index 59b3e649..abe73d57 100644 --- a/tasks/section_3/cis_3.5.yml +++ b/tasks/section_3/cis_3.5.yml @@ -9,7 +9,6 @@ register: rhel_09_wifi_enabled changed_when: rhel_09_wifi_enabled.stdout != "disabled" failed_when: false - when: rhel_09_nmcli_available.rc == 0 - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" shell: nmcli radio all off From dfedc652cb8b0f5e0fedc8457f9e0e1c5d1012f4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 12:37:47 +0000 Subject: [PATCH 016/454] bool values now true/false 
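Review bot: The 6.2.20 audit "Ensure all users' home directories exist" runs `find -H {{ item.0 | quote }} -not -type l -perm /027`, which is the 6.2.7 permission check copied verbatim and says nothing about existence: a missing directory only produces a `find` error on stderr, so `changed_when: … stdout | length > 0` reports nothing, while a directory that exists with lax modes is reported as a 6.2.20 finding. Replace the shell with the `stat` module on `{{ item.0 }}` and key the audit on `.stat.exists` and `.stat.isdir`; the fix is then a `file` task with `state: directory` and the owner set from the loop's user element (the loop's shape is outside this hunk). The enclosing block starts before this hunk.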
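Review bot: Setting `changed_when: true` on the `/bin/true` trigger tasks makes `update sysctl` and `update auditd` fire on every play and marks every host changed on every run, so the role can no longer converge to "ok" and real drift is indistinguishable from the forced trigger. If the intent is "reload after the section ran", a `meta: flush_handlers` placed after the section, with the real sysctl and audit-rule tasks notifying the handlers, gives the same ordering without the permanent change report. If a forced reload is the intent, keep `changed_when: true` but say so: `# always notify: the handlers must run even when no section task reported a change`.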
Signed-off-by: Mark Bolwell --- handlers/main.yml | 52 +++++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index e512f6b2..d96737d7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,22 +2,22 @@ # handlers file for RHEL9-CIS - name: sysctl flush ipv4 route table - become: yes + become: true sysctl: name: net.ipv4.route.flush value: '1' - sysctl_set: yes - ignore_errors: yes + sysctl_set: true + ignore_errors: true when: ansible_virtualization_type != "docker" tags: - skip_ansible_lint - name: sysctl flush ipv6 route table - become: yes + become: true sysctl: name: net.ipv6.route.flush value: '1' - sysctl_set: yes + sysctl_set: true when: ansible_virtualization_type != "docker" - name: update sysctl @@ -35,26 +35,26 @@ name: net.ipv4.route.flush value: '1' state: present - reload: yes - ignoreerrors: yes + reload: true + ignoreerrors: true when: ansible_virtualization_type != "docker" - name: systemd restart tmp.mount - become: yes + become: true systemd: name: tmp.mount - daemon_reload: yes - enabled: yes - masked: no + daemon_reload: true + enabled: true + masked: false state: reloaded - name: systemd restart var-tmp.mount - become: yes + become: true systemd: name: var-tmp.mount - daemon_reload: yes - enabled: yes - masked: no + daemon_reload: true + enabled: true + masked: false state: reloaded - name: remount tmp @@ -63,31 +63,31 @@ warn: false - name: restart firewalld - become: yes + become: true service: name: firewalld state: restarted - name: restart xinetd - become: yes + become: true service: name: xinetd state: restarted - name: restart sshd - become: yes + become: true service: name: sshd state: restarted - name: restart postfix - become: yes + become: true service: name: postfix state: restarted - name: reload dconf - become: yes + become: true shell: dconf update args: warn: false 
@@ -103,9 +103,9 @@ - name: restart auditd shell: /sbin/service auditd restart - changed_when: no - check_mode: no - failed_when: no + changed_when: false + check_mode: false + failed_when: false args: warn: false when: @@ -122,17 +122,17 @@ - skip_ansible_lint - name: restart rsyslog - become: yes + become: true service: name: rsyslog state: restarted - name: restart syslog-ng - become: yes + become: true service: name: syslog-ng state: restarted - name: systemd_daemon_reload systemd: - daemon-reload: yes + daemon-reload: true From 5469adcf4b187add41be57a85805043436c3af2d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 15:31:02 +0000 Subject: [PATCH 017/454] Set boolean true/false Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 89d85846..c51fc76c 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -3,7 +3,7 @@ - name: Perform DNF package cleanup dnf: - autoremove: yes + autoremove: true changed_when: no - name: trigger update sysctl diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 63b86c58..addf9068 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -16,7 +16,7 @@ - name: "4.2.1.2 | L1 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: yes + enabled: true when: - rhel9cis_rule_4_2_1_2 tags: @@ -46,10 +46,10 @@ shell: cat /etc/rsyslog.conf args: warn: false - become: yes + become: true changed_when: false - failed_when: no - check_mode: no + failed_when: false + check_mode: false register: rhel_09_4_2_1_4_audit - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" 
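Review bot: The `restart auditd` handler keeps `failed_when: false`, so an auditd that does not come back (typically a syntax error in a freshly deployed rules file) is ignored and the host finishes the play with stale or no audit rules, the opposite of what section 4.1 is meant to guarantee. The `service auditd restart` form itself is reasonable (auditd refuses `systemctl restart`, as I recall, because of `RefuseManualStop`), but let it fail: drop `failed_when: false`, keep `changed_when: false`, and optionally follow it with `auditctl -s` so a bad rule set is visible in the play output.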
@@ -157,7 +157,7 @@ with_items: - '^(\$ModLoad imtcp)' - '^(\$InputTCPServerRun)' - when: not rhel9cis_system_is_log_server + when: falset rhel9cis_system_is_log_server - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host" replace: From 727095ca354d79b4dea138dec2cb8292cf08c72a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 16:50:39 +0000 Subject: [PATCH 018/454] add doc dir temp Signed-off-by: Mark Bolwell --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index b1c61c0e..8dd29c69 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,8 @@ packer_cache delete* ignore* test_inv +# temp remove doc while this is built up +doc/ # VSCode .vscode From 54f4e0b4b83a04e9dcdb74c6346e16c3cfa67b42 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 16:51:17 +0000 Subject: [PATCH 019/454] boolean variable true/false 
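Review bot: The replacement `when: falset rhel9cis_system_is_log_server` is a search-and-replace accident (`not` became `falset` in the `no` → `false` sweep) and is not valid Jinja; as written, the 4.2.1.6 "When not log host" task errors, and that is the task that stops non-log hosts from accepting remote rsyslog messages. Restore `when: not rhel9cis_system_is_log_server`. A lint pass (`ansible-lint`, or `yamllint` with the `truthy` rule) over the whole boolean sweep would catch this class of typo before it lands.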
Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- tasks/parse_etc_password.yml | 4 ++-- tasks/post.yml | 2 +- tasks/prelim.yml | 29 ++++++++++++++-------------- tasks/section_1/cis_1.1.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.x.yml | 6 +++--- tasks/section_1/cis_1.2.x.yml | 4 ++-- tasks/section_1/cis_1.7.1.x.yml | 2 +- tasks/section_1/cis_1.8.2.yml | 2 +- tasks/section_2/cis_2.2.1.x.yml | 2 +- tasks/section_2/cis_2.2.x.yml | 32 +++++++++++++++---------------- tasks/section_3/cis_3.3.x.yml | 8 ++++---- tasks/section_3/cis_3.4.2.x.yml | 9 +++++---- tasks/section_3/cis_3.4.3.x.yml | 6 +++--- tasks/section_3/cis_3.4.4.1.x.yml | 2 +- tasks/section_3/cis_3.4.4.2.x.yml | 2 +- tasks/section_3/cis_3.6.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 6 +++--- tasks/section_4/cis_4.1.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 2 +- tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 6 +++--- tasks/section_5/cis_5.4.x.yml | 4 ++-- tasks/section_5/cis_5.5.1.x.yml | 8 ++++---- tasks/section_5/cis_5.5.x.yml | 2 +- tasks/section_6/cis_6.2.x.yml | 26 ++++++++++++------------- 26 files changed, 92 insertions(+), 90 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7edfc83e..1bffc3fd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -405,7 +405,7 @@ rhel9cis_aide_cron: rhel9cis_selinux_pol: targeted # Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: no +rhel9cis_gui: false # Set to 'true' if X Windows is needed in your environment rhel9cis_xwindows_required: false @@ -539,7 +539,7 @@ rhel9cis_vartmp: source: /tmp fstype: none opts: "defaults,nodev,nosuid,noexec,bind" - enabled: no + enabled: false ## PAM rhel9cis_pam_password: minlen: "14" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 29b7d86c..6a9ef7b9 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
@@ -4,8 +4,8 @@ block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" shell: cat /etc/passwd - changed_when: no - check_mode: no + changed_when: false + check_mode: false register: rhel9cis_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" diff --git a/tasks/post.yml b/tasks/post.yml index c51fc76c..c5f225f7 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -4,7 +4,7 @@ - name: Perform DNF package cleanup dnf: autoremove: true - changed_when: no + changed_when: false - name: trigger update sysctl shell: /bin/true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 239c7b62..43206cb9 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -4,33 +4,33 @@ - name: "PRELIM | List users accounts" shell: "awk -F: '{print $1}' /etc/passwd" args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: users - name: "PRELIM | Gather accounts with empty password fields" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: empty_password_accounts - name: "PRELIM | Gather UID 0 accounts other than root" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: uid_zero_accounts_except_root - name: "PRELIM | Gather system-wide crypto-policy" shell: update-crypto-policies --show args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: system_wide_crypto_policy - name: "PRELIM | if systemd coredump" 
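Review bot: The `Gather accounts with empty password fields` and `Gather UID 0 accounts other than root` tasks end their awk programs with `END {exit j}` / `END {exit i}`, so the command exits non-zero exactly when it finds something, and with no `failed_when` the `shell` task fails and aborts the play on precisely the hosts that need 6.2.1 and 6.2.6 applied. Drop the `END {exit …}` clause, since the consumers read `stdout_lines` rather than the return code — `shell: "awk -F: '($2 == \"\") {print $1}' /etc/shadow"` and the matching form for the UID 0 check — or add `failed_when: false` to both tasks. The `cat … |` prefix is unnecessary in either case.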
@@ -50,15 +50,16 @@ state: present become: true when: + - '"auditd" not in ansible_facts.packages' - rhel9cis_level_2 or rhel9cis_rule_4_1_1_1 - - '"auditd" not in ansible_facts.packages' + - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false - check_mode: no + check_mode: false register: priv_procs tags: - always diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index fa381ad4..dc8ae32b 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -7,7 +7,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" @@ -32,7 +32,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install vfat(\\s|$)" line: "install vfat /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" @@ -58,7 +58,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" @@ -83,7 +83,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 279084dc..2becc11c 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
@@ -256,7 +256,7 @@ warn: false changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_1_1_15_dev_shm_status - name: | @@ -325,7 +325,7 @@ - name: "1.1.22 | L1 | PATCH | Disable Automounting" service: name: autofs - enabled: no + enabled: false when: - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" @@ -345,7 +345,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 12c4d03d..9580f53a 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -23,7 +23,7 @@ service: name: rhnsd state: stopped - enabled: no + enabled: false masked: true when: - ansible_distribution == "RedHat" @@ -84,7 +84,7 @@ changed_when: false failed_when: false register: dnf_configured - check_mode: no + check_mode: false - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml index 378da5cd..ded71283 100644 --- a/tasks/section_1/cis_1.7.1.x.yml +++ b/tasks/section_1/cis_1.7.1.x.yml @@ -19,7 +19,7 @@ regexp: '(selinux|enforcing)\s*=\s*0\s*' replace: '' register: selinux_grub_patch - ignore_errors: yes + ignore_errors: true notify: grub2cfg when: - rhel9cis_rule_1_7_1_2 diff --git a/tasks/section_1/cis_1.8.2.yml b/tasks/section_1/cis_1.8.2.yml index 2062c69f..be371dcf 100644 --- a/tasks/section_1/cis_1.8.2.yml +++ b/tasks/section_1/cis_1.8.2.yml @@ -6,7 +6,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present - create: yes + create: true owner: root group: root mode: 0644 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml index fbdf9c1e..78f52aed 100644 --- a/tasks/section_2/cis_2.2.1.x.yml +++ b/tasks/section_2/cis_2.2.1.x.yml 
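Review bot: `ignore_errors: true` on the 1.7.1.2 `replace` that strips `selinux=0`/`enforcing=0` from the bootloader configuration means a failure (missing or unreadable grub file) is printed and then forgotten, leaving a host able to boot with SELinux disabled while the play reports success. If the intent is to tolerate a missing file, gate on it instead — `stat` the path and add `when: …stat.exists` — and otherwise let the task fail so the `grub2cfg` handler is not silently skipped. The `path:` of the `replace` is outside this hunk.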
@@ -29,7 +29,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" state: present - create: yes + create: true mode: 0644 when: - rhel9cis_time_synchronization == "chrony" diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 08197cca..f21bcd05 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -7,7 +7,7 @@ args: warn: false failed_when: xorg_x11_installed.rc >=2 - check_mode: no + check_mode: false changed_when: false register: xorg_x11_installed @@ -32,7 +32,7 @@ service: name: rsyncd state: stopped - enabled: no + enabled: false when: - not rhel9cis_rsyncd_server - "'rsyncd' in ansible_facts.packages" @@ -47,7 +47,7 @@ service: name: avahi-daemon state: stopped - enabled: no + enabled: false when: - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages" @@ -65,7 +65,7 @@ service: name: snmpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" @@ -80,7 +80,7 @@ service: name: squid state: stopped - enabled: no + enabled: false when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" @@ -95,7 +95,7 @@ service: name: smb state: stopped - enabled: no + enabled: false when: - not rhel9cis_smb_server - "'samba' in ansible_facts.packages" @@ -110,7 +110,7 @@ service: name: dovecot state: stopped - enabled: no + enabled: false when: - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" @@ -125,7 +125,7 @@ service: name: httpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" @@ -140,7 +140,7 @@ service: name: vsftpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" @@ -155,7 +155,7 @@ service: name: named state: stopped - enabled: no + enabled: false when: - not rhel9cis_named_server - "'bind' in ansible_facts.packages" 
@@ -170,7 +170,7 @@ service: name: nfs-server state: stopped - enabled: no + enabled: false when: - not rhel9cis_nfs_rpc_server - "'nfs-utils' in ansible_facts.packages" @@ -188,7 +188,7 @@ service: name: rpcbind state: stopped - enabled: no + enabled: false when: - not rhel9cis_nfs_rpc_server - "'rpcbind' in ansible_facts.packages" @@ -206,7 +206,7 @@ service: name: slapd state: stopped - enabled: no + enabled: false when: - not rhel9cis_ldap_server - "'openldap-servers' in ansible_facts.packages" @@ -224,7 +224,7 @@ service: name: dhcpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_dhcp_server - "'dhcp' in ansible_facts.packages" @@ -242,7 +242,7 @@ service: name: cups state: stopped - enabled: no + enabled: false when: - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" @@ -260,7 +260,7 @@ service: name: ypserv state: stopped - enabled: no + enabled: false when: - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 8789558c..0b49ba42 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -5,7 +5,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install dccp(\\s|$)" line: "install dccp /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_1 @@ -20,7 +20,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install sctp(\\s|$)" line: "install sctp /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_2 @@ -35,7 +35,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install rds(\\s|$)" line: "install rds /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_3 @@ -50,7 +50,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install tipc(\\s|$)" line: "install tipc /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_4 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 1a13db99..b199ac94 100644 
--- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -4,7 +4,7 @@ service: name: firewalld state: started - enabled: yes + enabled: true when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_1 @@ -19,9 +19,9 @@ name: iptables enabled: false masked: true - ignore_errors: true when: - rhel9cis_firewall == "firewalld" + - "'iptables' in ansible_facts.packages" - rhel9cis_rule_3_4_2_2 tags: - skip_ansible_lint @@ -37,6 +37,7 @@ masked: true when: - rhel9cis_firewall == "firewalld" + - "'nftables' in ansible_facts.packages" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -65,7 +66,7 @@ warn: false changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_2_5_interfacepolicy - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" @@ -90,7 +91,7 @@ warn: false changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_2_6_servicesport - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml index 46c8f017..42121395 100644 --- a/tasks/section_3/cis_3.4.3.x.yml +++ b/tasks/section_3/cis_3.4.3.x.yml @@ -44,7 +44,7 @@ shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" args: warn: false - failed_when: no + failed_when: false when: rhel9cis_nft_tables_autonewtable when: - rhel9cis_firewall == "nftables" @@ -96,7 +96,7 @@ shell: "{{ item }}" args: warn: false - failed_when: no + failed_when: false with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } 
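Review bot: Tasks 3.4.2.2 and 3.4.2.3 now gate on `ansible_facts.packages`, which only exists after a `package_facts` task has run; if the play is executed with tags that skip that gathering (not visible in this hunk), the `when` raises an undefined-variable error instead of skipping. Giving the package_facts task `tags: - always`, or writing the guard as `ansible_facts.packages is defined and 'iptables' in ansible_facts.packages`, keeps it safe under any tag selection. Replacing `ignore_errors: true` with the package guard is the right direction, since the old setting also masked genuine systemd failures.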
@@ -294,7 +294,7 @@ - name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled" service: name: nftables - enabled: yes + enabled: true when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_3_7 diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.4.1.x.yml index e36fa3b9..a18e7eff 100644 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ b/tasks/section_3/cis_3.4.4.1.x.yml @@ -136,7 +136,7 @@ - name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" service: name: iptables - enabled: yes + enabled: true state: started when: - rhel9cis_firewall == "iptables" diff --git a/tasks/section_3/cis_3.4.4.2.x.yml b/tasks/section_3/cis_3.4.4.2.x.yml index 4e96f49c..be4bf540 100644 --- a/tasks/section_3/cis_3.4.4.2.x.yml +++ b/tasks/section_3/cis_3.4.4.2.x.yml @@ -124,7 +124,7 @@ - name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" service: name: ip6tables - enabled: yes + enabled: true state: started when: - rhel9cis_firewall == "iptables" diff --git a/tasks/section_3/cis_3.6.yml b/tasks/section_3/cis_3.6.yml index 9b393184..4fa1ae50 100644 --- a/tasks/section_3/cis_3.6.yml +++ b/tasks/section_3/cis_3.6.yml @@ -5,7 +5,7 @@ dest: /etc/default/grub regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(? Date: Thu, 13 Jan 2022 16:51:23 +0000 Subject: [PATCH 020/454] update Signed-off-by: Mark Bolwell --- Changelog.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Changelog.md b/Changelog.md index 738bed74..03e48788 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,16 @@ - change to include statements - prelim and package facts discovery - commands module removed and moved to shell + - added + +```yml +args: + warn: false +``` + +- update boolean values to true/false +- 3.4.2 improved checks for p[ackage presence +- changed to assert for OS/release and ansible version ## Initial 
From 02a36f7f8d3acb4fe2f83cbdb0d6df5124c9024b Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 2 Feb 2022 11:25:03 +0000 Subject: [PATCH 021/454] Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell * logic on handlers Signed-off-by: Mark Bolwell * initial container ignore Signed-off-by: Mark Bolwell * tags and containder discovery Signed-off-by: Mark Bolwell * logic on auditd task Signed-off-by: Mark Bolwell * tags and crypto logic Signed-off-by: Mark Bolwell * distro update for rocky Signed-off-by: Mark Bolwell * system_is_container updates Signed-off-by: Mark Bolwell * ssh pkg check Signed-off-by: Mark Bolwell * logrotate pkg check Signed-off-by: Mark Bolwell * logic in container check Signed-off-by: Mark Bolwell * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell * tidy up crypto step Signed-off-by: Mark Bolwell * Added missing tags Signed-off-by: Mark Bolwell * container vars file now a variable Signed-off-by: Mark Bolwell * added uid discovery and usage Signed-off-by: Mark Bolwell * Updated OS checks and conditionals Signed-off-by: Mark Bolwell * fixed empty become Signed-off-by: Mark Bolwell * change audit to include task Signed-off-by: Mark Bolwell * Added OS_specific vars Signed-off-by: Mark Bolwell * updated import/include Signed-off-by: Mark Bolwell * OS Specific vars Signed-off-by: Mark Bolwell * updated tags Signed-off-by: Mark Bolwell * updated changed_when Signed-off-by: Mark Bolwell * fixed UID logic Signed-off-by: Mark Bolwell * changed reboot var Signed-off-by: Mark Bolwell * changed skip_reboot var name Signed-off-by: Mark Bolwell * masked only Signed-off-by: Mark Bolwell * fix logic Signed-off-by: Mark Bolwell * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell * initial Signed-off-by: Mark Bolwell * removed CentOS 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 16 +++- handlers/main.yml | 8 +- local.yml | 5 +- site.yml | 4 - tasks/main.yml | 72 ++++++++++++---- tasks/post.yml | 16 +++- tasks/prelim.yml | 127 +++++++++++++++++++++++++---- tasks/section_1/cis_1.2.x.yml | 5 +- tasks/section_1/main.yml | 24 +++--- tasks/section_2/cis_2.2.1.x.yml | 4 +- tasks/section_2/main.yml | 8 +- tasks/section_3/cis_3.4.1.1.yml | 1 + tasks/section_3/cis_3.4.2.x.yml | 1 - tasks/section_3/main.yml | 20 ++--- tasks/section_4/cis_4.1.1.x.yml | 4 +- tasks/section_4/cis_4.3.yml | 1 + tasks/section_4/main.yml | 12 +-- tasks/section_5/cis_5.5.x.yml | 4 +- tasks/section_5/main.yml | 18 ++-- tasks/section_6/cis_6.2.x.yml | 12 +-- tasks/section_6/main.yml | 4 +- templates/audit/99_auditd.rules.j2 | 30 +++---- vars/AlmaLinux.yml | 4 + vars/RedHat.yml | 4 + vars/Rocky.yml | 4 + vars/is_container.yml | 95 +++++++++++++++++++++ vars/main.yml | 2 + 27 files changed, 392 insertions(+), 113 deletions(-) create mode 100644 vars/AlmaLinux.yml create mode 100644 vars/RedHat.yml create mode 100644 vars/Rocky.yml create mode 100644 vars/is_container.yml diff --git a/defaults/main.yml b/defaults/main.yml index 1bffc3fd..23f8efdb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,11 +2,15 @@ # defaults file for rhel9-cis rhel9cis_skip_for_travis: false -rhel9cis_system_is_container: false +system_is_container: false +container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false +# Run the OS validation check +os_check: true + rhel9cis_notauto: false rhel9cis_section1: true rhel9cis_section2: true 
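Review bot: Renaming `rhel9cis_system_is_container` to `system_is_container` here (and `rhel9cis_skip_reboot` to `skip_reboot`, plus the removal of `rhel9cis_int_gid`, in the next hunks of this file) silently breaks existing inventories: a host that still sets `rhel9cis_skip_reboot: true` will now reboot because the old name is simply ignored. Consider a transitional default such as `skip_reboot: "{{ rhel9cis_skip_reboot | default(true) }}"` and `system_is_container: "{{ rhel9cis_system_is_container | default(false) }}"` for one release, and list the renames in Changelog.md. The existing comment explaining why the `rhel9cis_` prefix is dropped applies only to `system_is_ec2`; extending it to cover the other unprefixed variables would help readers who expect the role prefix.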
@@ -30,7 +34,7 @@ python2_bin: /bin/python2.7 benchmark: RHEL9-CIS # Whether to skip the reboot -rhel9cis_skip_reboot: true +skip_reboot: true #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### @@ -545,8 +549,12 @@ rhel9cis_pam_password: minlen: "14" minclass: "4" -# Starting GID for interactive users -rhel9cis_int_gid: 1000 +# UID settings for interactive users +# These are discovered via logins.def is set true +discover_int_uid: false +min_int_uid: 1000 +max_int_uid: 65533 + # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) diff --git a/handlers/main.yml b/handlers/main.yml index d96737d7..ad56e8b8 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -28,7 +28,9 @@ group: root mode: 0600 notify: reload sysctl - when: ansible_virtualization_type != "docker" + when: + - ansible_virtualization_type != "docker" + - "'procps-ng' in ansible_facts.packages" - name: reload sysctl sysctl: @@ -37,7 +39,9 @@ state: present reload: true ignoreerrors: true - when: ansible_virtualization_type != "docker" + when: + - ansible_virtualization_type != "docker" + - "'systemd' in ansible_facts.packages" - name: systemd restart tmp.mount become: true diff --git a/local.yml b/local.yml index 2c649b2f..3f17560f 100644 --- a/local.yml +++ b/local.yml @@ -3,10 +3,7 @@ - hosts: localhost connection: local become: true - vars: - is_container: false roles: - role: "{{ playbook_dir }}" - rhel9cis_system_is_container: "{{ is_container | default(false) }}" - rhel9cis_skip_for_travis: false + diff --git a/site.yml b/site.yml index 2763e43b..379549f7 100644 --- a/site.yml +++ b/site.yml @@ -1,11 +1,7 @@ --- - hosts: all become: true - vars: - is_container: false roles: - role: "{{ playbook_dir }}" - rhel9cis_system_is_container: "{{ is_container | default(false) }}" - rhel9cis_skip_for_travis: false 
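Review bot: The comment above the new UID settings, "These are discovered via logins.def is set true", is not a sentence and does not say which toggle it refers to; suggest `# Interactive UID range. When discover_int_uid is true the PRELIM tasks read these from /etc/login.defs, otherwise the values below apply.` The prelim discovery block later in this patch also sets `min_int_gid`, but no `min_int_gid` default is added here, so any consumer of it is undefined whenever discovery does not run. In the handlers hunks, both sysctl handlers now depend on `ansible_facts.packages`, which presumes package facts were gathered before the handler fires.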
diff --git a/tasks/main.yml b/tasks/main.yml index 29e0a198..b316f67e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,23 +1,46 @@ --- # tasks file for RHEL9-CIS + - name: Check OS version and family assert: - that: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version |int >= 8 - fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "Supported OS release and version" + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + when: + - os_check + - not system_is_ec2 tags: - - always + - always - name: Check ansible version assert: - that: - - "ansible_version.full is version_compare ('2.9', '>=')" - fail_msg: "You must use ansible 2.9 or greater" - success_msg: "Supported ansible_version" + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - - always + - always + +- name: Setup rules if container + block: + - name: Discover and set container variable if required + set_fact: + system_is_container: true + + - name: Load variable for container + include_vars: + file: "{{ container_vars_file }}" + + - name: output if discovered is a container + debug: + msg: system has been discovered as a container + when: + - system_is_container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - container_discovery + - always - name: Check crypto-policy input assert: 
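Review bot: The OS assert now requires `ansible_distribution_major_version is version_compare('8', '==')`, which for a role named rhel9-cis rejects RHEL 9 hosts outright, whereas the previous check accepted `>= 8`; if pinning to 8 is deliberate while 9 is pre-release, say so in a comment next to the `that:`, otherwise use `'9'` (or `'>='`). The `ansible_os_family == "Rocky"` clause also deserves a check, since depending on the Ansible version Rocky's os_family may be reported as RedHat, in which case the clause is dead and a plain `ansible_distribution in ["RedHat", "Rocky", "AlmaLinux"]` would be clearer and avoid the `and`/`or` precedence question. Skipping the assert with `- not system_is_ec2` means an unsupported distribution on EC2 is never rejected and falls through to the per-distribution `include_vars` later in this file. Inside the container block, the `when: system_is_container` on the debug task is redundant because the block's first task has just set it to true.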
@@ -61,15 +84,19 @@ tags: - always +- name: Include OS specific variables + include_vars: "{{ ansible_distribution }}.yml" + tags: + - always + - name: Include preliminary steps import_tasks: prelim.yml - become: tags: - prelim_tasks - always - name: run pre_remediation audit - import_tasks: pre_remediation_audit.yml + include_tasks: pre_remediation_audit.yml when: - run_audit @@ -81,7 +108,14 @@ - name: capture /etc/password variables include_tasks: parse_etc_password.yml - when: rhel9cis_section6 + when: + - rhel9cis_section6 + tags: + - rule_5.5.2 + - rule_6.2.7 + - rule_6.2.8 + - rule_6.2.20 + - rhel9cis_section6 - name: run Section 1 tasks import_tasks: section_1/main.yml @@ -94,26 +128,36 @@ import_tasks: section_2/main.yml become: true when: rhel9cis_section2 + tags: + - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml become: true when: rhel9cis_section3 + tags: + - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml become: true when: rhel9cis_section4 + tags: + - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml become: true when: rhel9cis_section5 + tags: + - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml become: true when: rhel9cis_section6 + tags: + - rhel9cis_section6 - name: run post remediation tasks import_tasks: post.yml diff --git a/tasks/post.yml b/tasks/post.yml index c5f225f7..5f547374 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -6,6 +6,12 @@ autoremove: true changed_when: false +- name: Gather the package facts after remediation + package_facts: + manager: auto + tags: + - always + - name: trigger update sysctl shell: /bin/true args: 
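Review bot: `include_vars: "{{ ansible_distribution }}.yml"` fails with a missing-file error on any distribution other than the three vars files this commit adds (AlmaLinux, RedHat, Rocky), and the OS assert earlier in main.yml is skipped when `os_check` is false or `system_is_ec2` is true, so such hosts get an opaque include_vars failure rather than the assert's message. Either keep the assert unconditional for EC2 or make the include resilient, e.g. `include_vars: "{{ item }}"` with `with_first_found:` listing `"{{ ansible_distribution }}.yml"` and a fallback file. The switch to `include_tasks: pre_remediation_audit.yml` makes the audit a dynamic include, so unless that task carries `tags: - always` (its tags are outside this hunk) a tag-filtered run will skip the audit entirely.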
@@ -38,7 +44,13 @@ changed_when: true check_mode: false when: - - rhel9cis_rule_4_1_3 or + - rhel9cis_rule_4_1_1_1 or + rhel9cis_rule_4_1_1_2 or + rhel9cis_rule_4_1_1_3 or + rhel9cis_rule_4_1_2_1 or + rhel9cis_rule_4_1_2_2 or + rhel9cis_rule_4_1_2_3 or + rhel9cis_rule_4_1_3 or rhel9cis_rule_4_1_4 or rhel9cis_rule_4_1_5 or rhel9cis_rule_4_1_6 or @@ -57,4 +69,4 @@ - name: Reboot host reboot: when: - - not rhel9cis_skip_reboot + - not skip_reboot diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 43206cb9..5521a8d2 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,4 +1,5 @@ --- + # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" @@ -8,6 +9,10 @@ changed_when: false check_mode: false register: users + tags: + - level1-server + - level1-workstation + - users - name: "PRELIM | Gather accounts with empty password fields" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" @@ -16,6 +21,10 @@ changed_when: false check_mode: false register: empty_password_accounts + tags: + - level1-server + - level1-workstation + - passwords - name: "PRELIM | Gather UID 0 accounts other than root" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" 
@@ -24,14 +33,36 @@ changed_when: false check_mode: false register: uid_zero_accounts_except_root + tags: + - level1-server + - level1-workstation + - users -- name: "PRELIM | Gather system-wide crypto-policy" - shell: update-crypto-policies --show - args: - warn: false - changed_when: false - check_mode: false - register: system_wide_crypto_policy +- name: "PRELIM | Setup crypto-policy" + block: + - name: "PRELIM | Install crypto-policies" + dnf: + name: + - crypto-policies + - crypto-policies-scripts + state: present + + - name: "PRELIM | Gather system-wide crypto-policy" + shell: update-crypto-policies --show + args: + warn: false + changed_when: false + check_mode: false + register: system_wide_crypto_policy + when: + - rhel9cis_rule_1_10 or + rhel9cis_rule_1_11 + tags: + - level1-server + - level1-workstation + - rule_1.10 or + rule_1.11 + - crypto - name: "PRELIM | if systemd coredump" stat: @@ -39,10 +70,18 @@ register: systemd_coredump when: - rhel9cis_rule_1_6_1 + tags: + - level1-server + - level1-workstation + - rule_1.6.1 + - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" + tags: + - level1-server + - level1-workstation - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" package: @@ -51,9 +90,13 @@ become: true when: - '"auditd" not in ansible_facts.packages' - - rhel9cis_level_2 or - rhel9cis_rule_4_1_1_1 - + - rhel9cis_rule_4_1_1_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_4.1.1.1 + - auditd - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done 
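Review bot: In the new crypto-policy block the tag entry `- rule_1.10 or rule_1.11` is one folded plain scalar, so it defines a single tag literally named `rule_1.10 or rule_1.11` and neither `--tags rule_1.10` nor `--tags rule_1.11` selects it; write it as two items, `- rule_1.10` and `- rule_1.11`. The authconfig task in the next hunk of this file has the same problem with `- rule_5.3.1 or rule_5.3.2 or rule_5.3.3`. The block's `when:` (`rhel9cis_rule_1_10 or rhel9cis_rule_1_11`) is unaffected, because a `when` is a Jinja expression and folds correctly.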
@@ -62,16 +105,23 @@ check_mode: false register: priv_procs tags: - - always + - level1-server + - level1-workstation + - always - name: "PRELIM | Section 5.1 | Configure cron" package: name: cronie state: present become: true - when: + when: - rhel9cis_rule_5_1_1 - '"cronie" not in ansible_facts.packages' + tags: + - level1-server + - level1-workstation + - rule_5.1.1 + - cron - name: "PRELIM | Install authconfig" package: @@ -83,8 +133,16 @@ - rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3 or - '"authconfig" not in ansible_facts.packages' or - '"auditd-lib" not in ansible_facts.packages' + '"authconfig" not in ansible_facts.packages or + "auditd-lib" not in ansible_facts.packages' + tags: + - level1-server + - level1-workstation + - rule_5.3.1 or + rule_5.3.2 or + rule_5.3.3 + - authconfig + - auditd - name: "PRELIM | Set facts based on boot type" block: @@ -103,12 +161,22 @@ set_fact: grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists + when: + - not system_is_container + tags: + - bootloader + - grub - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" stat: path: "{{ grub2_path }}" changed_when: false register: grub_cfg + when: + - not system_is_container + tags: + - bootloader + - grub - name: "PRELIM | Check for rhnsd service" shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" 
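Review bot: The authconfig install condition folds into one plain scalar, `rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3 or '"authconfig" not in ansible_facts.packages or "auditd-lib" not in ansible_facts.packages'`, so the quoted part is a non-empty Jinja string literal that is always truthy and the package-presence check never constrains the task (the old wording had the same flaw). If the intent is "a 5.3 rule is enabled and a package is missing", make them separate, AND-ed list items: `- rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3` followed by `- '"authconfig" not in ansible_facts.packages or "auditd-lib" not in ansible_facts.packages'`. The task's `package:` header sits at the end of the previous hunk, outside this one.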
@@ -118,5 +186,36 @@ register: rhnsd_service_status when: - rhel9cis_rule_1_2_2 + - ansible_distribution == "RedHat" tags: + - rule_1.2.2 - skip_ansible_lint + +- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" + block: + - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: uid_min_id + + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: uid_max_id + + - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: gid_min_id + + - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" + set_fact: + min_int_uid: "{{ uid_min_id.stdout }}" + max_int_uid: "{{ uid_max_id.stdout }}" + min_int_gid: "{{ gid_min_id.stdout }}" +- debug: + msg: "{{ min_int_uid }} {{ max_int_uid }}" + + when: + - not discover_int_uid + diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9580f53a..52372a3e 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -37,12 +37,13 @@ - rule_1.2.2 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release + shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" args: warn: false when: - rhel9cis_rule_1_2_3 - - ansible_distribution == "RedHat" + - ansible_distribution == "RedHat" or + ansible_distribution == "Rocky" tags: - level1-server - level1-workstation diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index b8c8e8e5..933804e1 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
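Review bot: The interactive-UID discovery block added at the end of prelim.yml is gated on `- not discover_int_uid`, the inverse of what the defaults comment describes (discovery when the toggle is true), so with the default `discover_int_uid: false` the login.defs values always override `min_int_uid`/`max_int_uid`. Judging from the `+-` marker, the trailing `- debug:` task is at column 0 rather than inside the block, which closes the block early and attaches the `when:` to the debug task, leaving the discovery itself unconditional; indent the debug under `block:` (or drop it) and change the condition to `- discover_int_uid`. The block also sets `min_int_gid`, for which no default exists in defaults/main.yml. The block name's "UID MIN and MIN" should read "UID MIN and MAX".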
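Review bot: The 1.2.3 GPG-key audit's `when` accepts RedHat and Rocky but not AlmaLinux, although this commit adds vars/AlmaLinux.yml; if `rpm_gpg_key` is defined there too, the exclusion looks unintended and `ansible_distribution in ["RedHat", "Rocky", "AlmaLinux"]` would cover all three. The task runs `shell: gpg ...` without `changed_when: false`, so this AUDIT task reports changed on every run; adding `changed_when: false` beside the new shell line fixes that. The task's `tags` continue past the end of the hunk.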
@@ -2,41 +2,41 @@ - name: "SECTION | 1.1 | FileSystem Configurations\n SECTION | 1.1.1.x | Disable unused filesystems" - include_tasks: cis_1.1.1.x.yml -- include_tasks: cis_1.1.x.yml + import_tasks: cis_1.1.1.x.yml +- import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - include_tasks: cis_1.2.x.yml + import_tasks: cis_1.2.x.yml - name: "SECTION | 1.3 | Configure sudo" - include_tasks: cis_1.3.x.yml + import_tasks: cis_1.3.x.yml - name: "SECTION | 1.4 | Filesystem Integrity" - import_tasks: cis_1.4.x.yml + include_tasks: cis_1.4.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.5 | Secure Boot Settings" - include_tasks: cis_1.5.x.yml + import_tasks: cis_1.5.x.yml - name: "SECTION | 1.6 | Additional Process Hardening" - include_tasks: cis_1.6.x.yml + import_tasks: cis_1.6.x.yml - name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - import_tasks: cis_1.7.1.x.yml + include_tasks: cis_1.7.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.8 | Warning Banners" - include_tasks: cis_1.8.1.x.yml + import_tasks: cis_1.8.1.x.yml - name: "SECTION | 1.9 | Updated and Patches" - include_tasks: cis_1.9.yml + import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - import_tasks: cis_1.10.yml + include_tasks: cis_1.10.yml when: - not system_is_ec2 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - import_tasks: cis_1.11.yml + include_tasks: cis_1.11.yml when: - not system_is_ec2 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml index 78f52aed..8b8b39c8 100644 --- a/tasks/section_2/cis_2.2.1.x.yml +++ b/tasks/section_2/cis_2.2.1.x.yml @@ -6,7 +6,7 @@ state: present when: - rhel9cis_rule_2_2_1_1 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation 
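Review bot: The sections that keep a `when:` (1.4, 1.7, 1.10, 1.11) were switched from `import_tasks` to `include_tasks`, and a dynamic include is itself a task carrying only its own tags; under a tag-filtered run such as `--tags level1-server` the include statement is skipped, so none of the tagged tasks inside cis_1.4.x.yml, cis_1.7.1.x.yml, cis_1.10.yml and cis_1.11.yml execute. Either keep `import_tasks` with the same `when:` (a static import applies the condition to every imported task) or add `tags: - always` to each of these `include_tasks` entries. The same pattern appears in tasks/section_3/main.yml, tasks/section_4/main.yml and tasks/section_5/main.yml later in this patch.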
@@ -34,7 +34,7 @@ when: - rhel9cis_time_synchronization == "chrony" - rhel9cis_rule_2_2_1_2 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index f2ed2325..2b705ae8 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- - name: "SECTION | 2.1 | xinetd" - include_tasks: cis_2.1.1.yml + import_tasks: cis_2.1.1.yml - name: "SECTION | 2.2.1 | Time Synchronization" - include_tasks: cis_2.2.1.x.yml + import_tasks: cis_2.2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - include_tasks: cis_2.2.x.yml + import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - include_tasks: cis_2.3.x.yml + import_tasks: cis_2.3.x.yml diff --git a/tasks/section_3/cis_3.4.1.1.yml b/tasks/section_3/cis_3.4.1.1.yml index 3373d97c..fc78b06c 100644 --- a/tasks/section_3/cis_3.4.1.1.yml +++ b/tasks/section_3/cis_3.4.1.1.yml @@ -6,6 +6,7 @@ state: present when: - rhel9cis_rule_3_4_1_1 + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index b199ac94..68b08dca 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -17,7 +17,6 @@ - name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld" systemd: name: iptables - enabled: false masked: true when: - rhel9cis_firewall == "firewalld" diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 7d6af68a..13b42fcf 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -1,41 +1,41 @@ --- - name: "SECTION | 3.1.x | Packet and IP redirection" - include_tasks: cis_3.1.x.yml + import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - include_tasks: cis_3.2.x.yml + import_tasks: cis_3.2.x.yml - name: "SECTION | 3.3.x | Uncommon Network Protocols" - include_tasks: cis_3.3.x.yml + import_tasks: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | firewall defined" - include_tasks: cis_3.4.1.1.yml + import_tasks: cis_3.4.1.1.yml - name: "SECTION | 3.4.2.x | firewalld firewall" - import_tasks: cis_3.4.2.x.yml + include_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "firewalld" - name: "SECTION | 3.4.3.x | Configure nftables firewall" - import_tasks: cis_3.4.3.x.yml + include_tasks: cis_3.4.3.x.yml when: - rhel9cis_firewall == "nftables" - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - import_tasks: cis_3.4.4.1.x.yml + include_tasks: cis_3.4.4.1.x.yml when: - rhel9cis_firewall == "iptables" - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - import_tasks: cis_3.4.4.2.x.yml + include_tasks: cis_3.4.4.2.x.yml when: - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - name: "SECTION | 3.5 | Configure wireless" - include_tasks: cis_3.5.yml + import_tasks: cis_3.5.yml - name: "SECTION | 3.5 | disable IPv6" - import_tasks: cis_3.5.yml + include_tasks: cis_3.5.yml when: - not rhel9cis_ipv6_required diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 13b49d95..0257bf89 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -20,6 +20,7 @@ - level2-workstation - patch - rule_4.1.1.1 + - auditd - name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled" service: @@ -29,7 +30,7 @@ when: - not rhel9cis_skip_for_travis - rhel9cis_rule_4_1_1_2 - - ansible_connection != 'docker' + - not system_is_container tags: - level2-server - level2-workstation 
@@ -104,4 +105,5 @@ - level2-server - level2-workstation - patch + - auditd - rule_4.1.1.4 diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 853a2159..7e7fafbc 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -17,6 +17,7 @@ - { path: "/etc/logrotate.conf" } when: - rhel9cis_rule_4_3 + - "'logrotate' in ansible_facts.packages" tags: - level1-server - level1-workstation diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 910a9e24..8e84241a 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -2,22 +2,24 @@ - name: "SECTION | 4.1| Configure System Accounting (auditd)" include_tasks: cis_4.1.1.x.yml + when: + - not system_is_container - name: "SECTION | 4.1.2.x| Configure Data Retention" - include_tasks: cis_4.1.2.x.yml + import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.x| Auditd rules" - include_tasks: cis_4.1.x.yml + import_tasks: cis_4.1.x.yml - name: "SECTION | 4.2.x| Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2.x| Configure journald" - include_tasks: cis_4.2.2.x.yml + import_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" - include_tasks: cis_4.2.3.yml + import_tasks: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - include_tasks: cis_4.3.yml + import_tasks: cis_4.3.yml diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 0d8cfa02..ebed1bdd 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - item.gid < rhel9cis_int_gid + - item.uid < 1000 - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - item.gid < rhel9cis_int_gid + - min_int_uid | int >= item.uid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: 
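Review bot: In cis_5.5.x.yml the first task now filters system accounts with the literal `- item.uid < 1000` while the second uses `- min_int_uid | int >= item.uid`; besides hard-coding the value that the new `min_int_uid` default is meant to replace, the two boundaries disagree (the second treats uid == min_int_uid as a system account, the first does not). Use `- item.uid < min_int_uid | int` in both places so the configured or discovered range is honoured consistently. Both enclosing tasks start outside their hunks.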
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 6195af5b..08e5c452 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,27 +1,29 @@ --- - name: "SECTION | 5.1 | Configure time-based job schedulers" - include_tasks: cis_5.1.x.yml + import_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" include_tasks: cis_5.2.x.yml + when: + - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure Profiles" - import_tasks: cis_5.3.x.yml + include_tasks: cis_5.3.x.yml when: - - rhel9cis_use_authconfig + - rhel9cis_use_authconfig - name: "SECTION | 5.4 | Configure PAM " - include_tasks: cis_5.4.x.yml + import_tasks: cis_5.4.x.yml - name: "SECTION | 5.5.1.x | Passwords and Accounts" - include_tasks: cis_5.5.1.x.yml + import_tasks: cis_5.5.1.x.yml - name: "SECTION | 5.5.x | System Accounts and User Settings" - include_tasks: cis_5.5.x.yml + import_tasks: cis_5.5.x.yml - name: "SECTION | 5.6 | Root Login" - include_tasks: cis_5.6.yml + import_tasks: cis_5.6.yml - name: Section | 5.7 | su Command Restriction - include_tasks: cis_5.7.yml + import_tasks: cis_5.7.yml diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index b618417a..c8252299 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -134,7 +134,7 @@ - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" register: rhel_09_6_2_7_audit - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" 
@@ -177,7 +177,8 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -203,7 +204,7 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - item.uid >= rhel9cis_int_gid + - min_int_uid | int >= item.uid - rhel9cis_rule_6_2_8 tags: - skip_ansible_lint # settings found on 6_2_7 @@ -499,7 +500,7 @@ stat: path: "{{ item }}" register: rhel_09_6_2_20_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -541,7 +542,8 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 479b9c86..b6acabf8 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,7 @@ --- - name: "SECTION | 6.1 | System File Permissions" - include_tasks: cis_6.1.x.yml + import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - include_tasks: cis_6.2.x.yml + import_tasks: cis_6.2.x.yml 
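Review bot: The `@@ -203` hunk in cis_6.2.x.yml inverts the 6.2.8 selector: the removed condition `item.uid >= rhel9cis_int_gid` selected interactive users, but the replacement `min_int_uid | int >= item.uid` selects uids at or below the threshold, i.e. system accounts, so the rule now checks the wrong set and skips exactly the home directories that 6.2.7 enumerates with `selectattr('uid', '>=', min_int_uid | int)`. It should read `- item.uid >= min_int_uid | int`, and for consistency with the 6.2.7/6.2.20 filters presumably also `- item.uid < max_int_uid | int`. The task body starts outside the hunk.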
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index da5664ba..43897d74 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -32,18 +32,18 @@
 -w /etc/sysconfig/network -p wa -k system-locale
 {% endif %}
 {% if rhel9cis_rule_4_1_9 %}
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_10 %}
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
 {% endif %}
 {% if rhel9cis_rule_4_1_11 %}
 -w /etc/group -p wa -k identity
@@ -53,17 +53,17 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_12 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_13 %}
 {% for proc in priv_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_14 %}
--a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_15 %}
 -w /usr/sbin/insmod -p x -k modules
diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml
new file mode 100644
index 00000000..8f9f4b77
--- /dev/null
+++ b/vars/AlmaLinux.yml
@@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: RPM-GPG-KEY-AlmaLinux
\ No newline at end of file
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 00000000..d67cedc4
--- /dev/null
+++ b/vars/RedHat.yml
@@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
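Review bot: `rpm_gpg_key` in vars/AlmaLinux.yml is a bare file name (`RPM-GPG-KEY-AlmaLinux`), while vars/RedHat.yml in this hunk and vars/Rocky.yml give an absolute `/etc/pki/rpm-gpg/...` path; whatever task consumes the variable (not visible here) cannot take both shapes without extra logic, so AlmaLinux should presumably be `rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux`. AlmaLinux.yml also lacks a trailing newline. Because this value identifies the key used to trust package signatures, each file would benefit from a comment stating the contract, e.g. `# Absolute path to the distribution's RPM signing key`.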
diff --git a/vars/Rocky.yml b/vars/Rocky.yml
new file mode 100644
index 00000000..7c8ae0ba
--- /dev/null
+++ b/vars/Rocky.yml
@@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
diff --git a/vars/is_container.yml b/vars/is_container.yml
new file mode 100644
index 00000000..a8ac4fb0
--- /dev/null
+++ b/vars/is_container.yml
@@ -0,0 +1,95 @@
+---
+
+# File to skip controls if container
+# Based on standard image no changes
+# it expected all pkgs required for the container are alreday installed
+
+## controls
+
+# Authconfig
+rhel9cis_use_authconfig: false
+
+# Firewall
+rhel9cis_firewall: None
+
+# SElinux
+rhel9cis_selinux_disable: true
+
+
+## Related individual rules
+# Aide
+rhel9cis_rule_1_4_1: false
+rhel9cis_rule_1_4_2: false
+
+# auditd
+rhel9cis_rule_4_1_1_1: false
+rhel9cis_rule_4_1_2_1: false
+rhel9cis_rule_4_1_2_2: false
+rhel9cis_rule_4_1_2_3: false
+
+# time sync
+rhel9cis_rule_2_2_1_1: false
+rhel9cis_rule_2_2_1_2: false
+
+# cron
+rhel9cis_rule_5_1_1: false
+rhel9cis_rule_5_1_2: false
+rhel9cis_rule_5_1_3: false
+rhel9cis_rule_5_1_4: false
+rhel9cis_rule_5_1_5: false
+rhel9cis_rule_5_1_6: false
+rhel9cis_rule_5_1_7: false
+rhel9cis_rule_5_1_8: false
+
+# crypto
+rhel9cis_rule_1_10: false
+rhel9cis_rule_1_11: false
+
+# grub
+rhel9cis_rule_1_5_1: false
+rhel9cis_rule_1_5_2: false
+rhel9cis_rule_1_5_3: false
+
+## mounts
+# /tmp
+rhel9cis_rule_1_1_2: false
+rhel9cis_rule_1_1_3: false
+rhel9cis_rule_1_1_4: false
+rhel9cis_rule_1_1_5: false
+#/var
+rhel9cis_rule_1_1_6: false
+# /var/tmp
+rhel9cis_rule_1_1_7: false
+rhel9cis_rule_1_1_8: false
+rhel9cis_rule_1_1_9: false
+rhel9cis_rule_1_1_10: false
+# /var/log
+rhel9cis_rule_1_1_11: false
+# /var/log/audit
+rhel9cis_rule_1_1_12: false
+# /home
+rhel9cis_rule_1_1_13: false
+rhel9cis_rule_1_1_14: false
+# /dev/shm
+rhel9cis_rule_1_1_15: false
+rhel9cis_rule_1_1_16: false
+rhel9cis_rule_1_1_17: false
+# usb-storage
+rhel9cis_rule_1_1_23: false
+
+# logging
+rhel9cis_rule_4_2_1_1: false
+rhel9cis_rule_4_2_1_2: false
+rhel9cis_rule_4_2_1_3: false
+rhel9cis_rule_4_2_1_4: false
+rhel9cis_rule_4_2_1_5: false
+rhel9cis_rule_4_2_1_6: false
+rhel9cis_rule_4_2_2_1: false
+rhel9cis_rule_4_2_2_2: false
+rhel9cis_rule_4_2_2_3: false
+
+# systemd
+rhel9cis_rule_1_6_1: false
+
+# Users/passwords/accounts
+rhel9cis_rule_5_5_2: false
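Review bot: `rhel9cis_firewall: None` is the plain string "None", not a YAML null, so whichever task consumes it (not visible here) has to compare against that literal; if the intent is "no firewall managed", an explicit quoted sentinel such as `rhel9cis_firewall: "none"` or a documented `null` would be less surprising and consistent with the lowercase booleans used throughout the file. The header comment has a typo (`alreday`) and could state the file's contract, which the commit message suggests is that it is loaded when system_is_container is true, e.g. `# Overrides applied to container hosts: these controls are skipped because the base image is expected to ship with all required packages already installed`. Since this file also sets `rhel9cis_selinux_disable: true`, a one-line comment on why SELinux is not enforced inside a container would help reviewers of the hardening baseline.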
diff --git a/vars/main.yml b/vars/main.yml index 83b0489f..b18097bf 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,7 @@ --- # vars file for RHEL9-CIS + +min_ansible_version: 2.9 rhel9cis_allowed_crypto_policies: - 'FUTURE' - 'FIPS' From 9db4b7fd810be4113711296deb6d285e138923cd Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 2 Feb 2022 11:34:50 +0000 Subject: [PATCH 022/454] Improvements (#5) * container standards Signed-off-by: Mark Bolwell * logic on handlers Signed-off-by: Mark Bolwell * initial container ignore Signed-off-by: Mark Bolwell * tags and containder discovery Signed-off-by: Mark Bolwell * logic on auditd task Signed-off-by: Mark Bolwell * tags and crypto logic Signed-off-by: Mark Bolwell * distro update for rocky Signed-off-by: Mark Bolwell * system_is_container updates Signed-off-by: Mark Bolwell * ssh pkg check Signed-off-by: Mark Bolwell * logrotate pkg check Signed-off-by: Mark Bolwell * logic in container check Signed-off-by: Mark Bolwell * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell * tidy up crypto step Signed-off-by: Mark Bolwell * Added missing tags Signed-off-by: Mark Bolwell * container vars file now a variable Signed-off-by: Mark Bolwell * added uid discovery and usage Signed-off-by: Mark Bolwell * Updated OS checks and conditionals Signed-off-by: Mark Bolwell * fixed empty become Signed-off-by: Mark Bolwell * change audit to include task Signed-off-by: Mark Bolwell * Added OS_specific vars Signed-off-by: Mark Bolwell * updated import/include Signed-off-by: Mark Bolwell * OS Specific vars Signed-off-by: Mark Bolwell * updated tags Signed-off-by: Mark Bolwell * updated changed_when Signed-off-by: Mark Bolwell * fixed UID logic Signed-off-by: Mark Bolwell * added github templates Signed-off-by: Mark Bolwell * updated layout Signed-off-by: Mark Bolwell * Added .github ignore again 
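Review bot: `min_ansible_version: 2.9` in vars/main.yml is parsed as a float, which is fine for 2.9 but silently becomes 2.1 the moment the floor is raised to 2.10; write it as a string, `min_ansible_version: "2.9"`, and compare it with the `version` test where it is consumed. A short comment such as `# Lowest Ansible release this role is tested against` would also record why the value exists, since the check itself is not in this hunk.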
Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 34 ++++++++++++++++ .../feature-request-or-enhancement.md | 22 ++++++++++ .github/ISSUE_TEMPLATE/question.md | 18 +++++++++ .github/pull_request_template.md | 12 ++++++ .github/workflows/communitytodevel.yml | 39 ++++++++++++++++++ .github/workflows/develtomain.yml | 40 +++++++++++++++++++ tasks/section_6/cis_6.2.x.yml | 3 ++ 7 files changed, 168 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md create mode 100644 .github/ISSUE_TEMPLATE/question.md create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/communitytodevel.yml create mode 100644 .github/workflows/develtomain.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..d3828eaf --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,34 @@ +--- +name: Report Issue +about: Create a bug issue ticket to help us improve +title: '' +labels: bug +assignees: '' + +--- + +**Describe the Issue** +A clear and concise description of what the bug is. + +**Expected Behavior** +A clear and concise description of what you expected to happen. + +**Actual Behavior** +A clear and concise description of what's happening. + +**Control(s) Affected** +What controls are being affected by the issue + +**Environment (please complete the following information):** + +- branch being used: [e.g. devel] +- Ansible Version: [e.g. 2.10] +- Host Python Version: [e.g. Python 3.7.6] +- Ansible Server Python Version: [e.g. Python 3.7.6] +- Additional Details: + +**Additional Notes** +Anything additional goes here + +**Possible Solution** +Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md new file mode 100644 index 00000000..3908075d --- /dev/null 
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md @@ -0,0 +1,22 @@ +--- +name: Feature Request or Enhancement +about: Suggest an idea for this project +title: '' +labels: enhancement +assignees: '' + +--- + +## Feature Request or Enhancement + +- Feature [] +- Enhancement [] + +**Summary of Request** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Suggested Code** +Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md new file mode 100644 index 00000000..ad0629e3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/question.md @@ -0,0 +1,18 @@ +--- +name: Question +about: Ask away....... +title: '' +labels: question +assignees: '' + +--- + +**Question** +Pose question here. + +**Environment (please complete the following information):** + +- Ansible Version: [e.g. 2.10] +- Host Python Version: [e.g. Python 3.7.6] +- Ansible Server Python Version: [e.g. Python 3.7.6] +- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..05dadb6b --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,12 @@ +**Overall Review of Changes:** +A general description of the changes made that are being requested for merge + +**Issue Fixes:** +Please list (using linking) any open issues this PR addresses + +**Enhancements:** +Please list any enhancements/features that are not open issue tickets + +**How has this been tested?:** +Please give an overview of how these changes were tested. If they were not please use N/A + diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml new file mode 100644 index 00000000..9ad4d787 --- /dev/null +++ b/.github/workflows/communitytodevel.yml 
@@ -0,0 +1,39 @@
+---
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+ pull_request:
+ branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Refactr pipeline for devel pull request/merge
+ - name: Refactr - Run Pipeline (to devel)
+ # You may pin to the exact commit or the version.
+ # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+ uses: refactr/action-run-pipeline@v0.1.2
+ with:
+ # API token
+ api_token: '${{ secrets.REFACTR_KEY }}'
+ # Project ID
+ project_id: 5f47f0c4a13c7b18373e5556
+ # Job ID
+ job_id: 5f933cbcf9c74e86b1609c00
+ # Variables
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+ # Refactr API base URL
+ api_url: # optional
diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml
new file mode 100644
index 00000000..11781c6c
--- /dev/null
+++ b/.github/workflows/develtomain.yml
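Review bot: The action that receives `secrets.REFACTR_KEY` is referenced by a mutable tag, `uses: refactr/action-run-pipeline@v0.1.2`, even though the commented-out line directly above already records the commit SHA; pinning to `uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53` (and likewise a SHA for `actions/checkout@v2`) is the standard control against a tag being re-pointed at different code that would then run with the token. The same applies to develtomain.yml in the next hunk. `api_url: # optional` is a bare key that YAML reads as null; either omit it or write `api_url: ""` so the intent is explicit. Since the trigger is `pull_request`, secrets are not normally supplied to runs from forks, so community PRs will presumably fail at this step rather than run the pipeline — worth a comment given the workflow's name.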
@@ -0,0 +1,40 @@ +--- +# This is a basic workflow to help you get started with Actions + +name: DevelToMain + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the devel branch +on: + pull_request: + branches: [ main ] + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel + +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + # Refactr pipeline for devel pull request/merge + - name: Refactr - Run Pipeline (to main) + # You may pin to the exact commit or the version. + # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53 + uses: refactr/action-run-pipeline@v0.1.2 + with: + # API token + api_token: '${{ secrets.REFACTR_KEY }}' + # Project ID + project_id: 5f47f0c4a13c7b18373e5556 + # Job ID + job_id: 5f90ad90f9c74e6d1e606e33 + # Variables + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "username": "centos" }' + # Refactr API base URL + api_url: # optional diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index c8252299..7b9523bb 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -137,6 +137,9 @@ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" register: rhel_09_6_2_7_audit + - debug: + var: rhel_09_6_2_7_audit + - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 args: 
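Review bot: The unnamed `- debug: var: rhel_09_6_2_7_audit` task added to cis_6.2.x.yml looks like a troubleshooting leftover: it prints the full stat result for every interactive user's home directory on every run, and it has no `name:` and no `tags:`, so it cannot be filtered with the role's level/rule tag scheme that every neighbouring task uses. Either drop it or gate it, e.g. `- name: "6.2.7 | L1 | AUDIT | Show home directory stat results"` with `verbosity: 2` under `debug:` and the same tags as the surrounding 6.2.7 tasks. The enclosing task block starts and ends outside the hunk.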
From 59e22e860035a9abf60858f677a47c09638489f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Feb 2022 16:44:41 +0000 Subject: [PATCH 023/454] fixed thanks to cf-sewe Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 681db737..05ccefba 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -24,7 +24,7 @@ dest: /etc/pam.d/system-auth state: present regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertbefore: '^#?password ?' when: - rhel9cis_rule_5_4_1 or @@ -35,7 +35,7 @@ dest: /etc/pam.d/password-auth state: present regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3" + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' when: rhel9cis_rule_5_4_1 From e6d129914e2e02e22052b7c8a36029bbaed264bd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Feb 2022 16:49:28 +0000 Subject: [PATCH 024/454] updated to use rocky image Signed-off-by: Mark Bolwell --- .github/workflows/communitytodevel.yml | 2 +- .github/workflows/develtomain.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml index 9ad4d787..abd55946 100644 --- a/.github/workflows/communitytodevel.yml +++ b/.github/workflows/communitytodevel.yml 
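Review bot: With `enforce-for-root` corrected to `enforce_for_root`, the remaining oddity on the system-auth line (first hunk) is `remember={{ rhel9cis_pam_faillock.remember }}` on a pam_pwquality entry; `remember=` is an option of pam_pwhistory/pam_unix rather than pam_pwquality, so it is most likely ignored here and password reuse would not actually be restricted by this line. The password-auth line in the second hunk does not carry the option at all, so the two PAM stacks also differ. Confirm against pam_pwquality(8) and, if so, move `remember=` to the pam_pwhistory or pam_unix password line and keep both files identical. The enclosing tasks start outside the hunks.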
@@ -34,6 +34,6 @@ jobs: # Job ID job_id: 5f933cbcf9c74e86b1609c00 # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "githubBranch": "${{ github.head_ref }}", "username": "centos" }' + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }' # Refactr API base URL api_url: # optional diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml index 11781c6c..b5534ed4 100644 --- a/.github/workflows/develtomain.yml +++ b/.github/workflows/develtomain.yml @@ -35,6 +35,6 @@ jobs: # Job ID job_id: 5f90ad90f9c74e6d1e606e33 # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "username": "centos" }' + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }' # Refactr API base URL api_url: # optional From c333a085b5ac376a250a19321f44561204fbff99 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 7 Feb 2022 13:43:56 -0500 Subject: [PATCH 025/454] updated gitrepo path in workflows Signed-off-by: George Nalen --- .github/workflows/communitytodevel.yml | 2 +- .github/workflows/develtomain.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml index abd55946..ed9f0c75 100644 --- a/.github/workflows/communitytodevel.yml +++ b/.github/workflows/communitytodevel.yml 
@@ -34,6 +34,6 @@ jobs: # Job ID job_id: 5f933cbcf9c74e86b1609c00 # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }' + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }' # Refactr API base URL api_url: # optional diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml index b5534ed4..467bc3e2 100644 --- a/.github/workflows/develtomain.yml +++ b/.github/workflows/develtomain.yml @@ -35,6 +35,6 @@ jobs: # Job ID job_id: 5f90ad90f9c74e6d1e606e33 # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }' + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }' # Refactr API base URL api_url: # optional From ac744cb5ae56a987f196f734ad52b57ac1fecc65 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 2 Mar 2022 13:19:54 +0000 Subject: [PATCH 026/454] Collections (#7) * added collections requiremenst for tower integration Signed-off-by: Mark Bolwell * added crypto & posix Signed-off-by: Mark Bolwell * removed older files Signed-off-by: Mark Bolwell * updated workflow uses rocky8 Signed-off-by: Mark Bolwell * updated tags Signed-off-by: Mark Bolwell * updated ansible ver Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * updated discord info 
Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 9 ++ .github/workflows/communitytodevel.yml | 39 ------ .github/workflows/develtomain.yml | 40 ------ .github/workflows/github_networks.tf | 11 ++ .github/workflows/github_vars.tfvars | 12 ++ .github/workflows/linux_benchmark_testing.yml | 120 ++++++++++++++++++ .github/workflows/main.tf | 83 ++++++++++++ .github/workflows/terraform.tfvars | 5 + .github/workflows/test.sh | 6 + .github/workflows/variables.tf | 65 ++++++++++ README.md | 4 + collections/requirements.yml | 8 ++ meta/main.yml | 11 +- vars/main.yml | 2 +- 14 files changed, 333 insertions(+), 82 deletions(-) create mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/communitytodevel.yml delete mode 100644 .github/workflows/develtomain.yml create mode 100644 .github/workflows/github_networks.tf create mode 100644 .github/workflows/github_vars.tfvars create mode 100644 .github/workflows/linux_benchmark_testing.yml create mode 100644 .github/workflows/main.tf create mode 100644 .github/workflows/terraform.tfvars create mode 100644 .github/workflows/test.sh create mode 100644 .github/workflows/variables.tf create mode 100644 collections/requirements.yml diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars new file mode 100644 index 00000000..99064fbd --- /dev/null +++ b/.github/workflows/OS.tfvars @@ -0,0 +1,9 @@ +#Ami Rocky 85 +ami_id = "ami-043ceee68871e0bb5" +ami_os = "rocky8" +ami_username = "rocky" +ami_user_home = "/home/rocky" +instance_tags = { + Name = "RHEL9-CIS" + Environment = "lockdown_github_repo_workflow" +} diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml deleted file mode 100644 index ed9f0c75..00000000 --- a/.github/workflows/communitytodevel.yml +++ /dev/null 
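Review bot: The CI image declared in OS.tfvars is Rocky Linux 8 (`#Ami Rocky 85`, `ami_os = "rocky8"`, `ami_username = "rocky"`) while the instance tag `Name = "RHEL9-CIS"` and the repository target RHEL 9, so the benchmark run validates the role against a different major version and any control whose behaviour differs between 8 and 9 is not exercised. This is presumably a stop-gap; record it in the file, e.g. `# Rocky 8 image used as a stand-in - results are indicative only for the RHEL 9 benchmark`, and track switching the AMI.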
@@ -1,39 +0,0 @@
----
-# This is a basic workflow to help you get started with Actions
-
-name: CommunityToDevel
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the devel branch
-on:
- pull_request:
- branches: [ devel ]
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
- # This workflow contains a single job called "build"
- build:
- # The type of runner that the job will run on
- runs-on: ubuntu-latest
-
- # Steps represent a sequence of tasks that will be executed as part of the job
- steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
-
- # Refactr pipeline for devel pull request/merge
- - name: Refactr - Run Pipeline (to devel)
- # You may pin to the exact commit or the version.
- # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
- uses: refactr/action-run-pipeline@v0.1.2
- with:
- # API token
- api_token: '${{ secrets.REFACTR_KEY }}'
- # Project ID
- project_id: 5f47f0c4a13c7b18373e5556
- # Job ID
- job_id: 5f933cbcf9c74e86b1609c00
- # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }'
- # Refactr API base URL
- api_url: # optional
diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml
deleted file mode 100644
index 467bc3e2..00000000
--- a/.github/workflows/develtomain.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-# This is a basic workflow to help you get started with Actions
-
-name: DevelToMain
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the devel branch
-on:
- pull_request:
- branches: [ main ]
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-
-jobs:
- # This workflow contains a single job called "build"
- build:
- # The type of runner that the job will run on
- runs-on: ubuntu-latest
-
- # Steps represent a sequence of tasks that will be executed as part of the job
- steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
-
- # Refactr pipeline for devel pull request/merge
- - name: Refactr - Run Pipeline (to main)
- # You may pin to the exact commit or the version.
- # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
- uses: refactr/action-run-pipeline@v0.1.2
- with:
- # API token
- api_token: '${{ secrets.REFACTR_KEY }}'
- # Project ID
- project_id: 5f47f0c4a13c7b18373e5556
- # Job ID
- job_id: 5f90ad90f9c74e6d1e606e33
- # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }'
- # Refactr API base URL
- api_url: # optional
diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
new file mode 100644
index 00000000..d5a0db02
--- /dev/null
+++ b/.github/workflows/github_networks.tf
@@ -0,0 +1,11 @@
+resource "aws_vpc" "Main" {
+ cidr_block = var.main_vpc_cidr
+ tags = var.instance_tags
+}
+
+resource "aws_internet_gateway" "IGW" {
+ vpc_id = aws_vpc.Main.id
+ tags = {
+ Name = "${var.namespace}-IGW"
+ }
+}
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
new file mode 100644
index 00000000..38be3edc
--- /dev/null
+++ b/.github/workflows/github_vars.tfvars
@@ -0,0 +1,12 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+//
+
+namespace = "github_actions"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+main_vpc_cidr = "172.22.0.0/24"
+public_subnets = "172.22.0.128/26"
+private_subnets = "172.22.0.192/26"
\ No newline at end of file
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
new file mode 100644
index 00000000..3c4cf3f5
--- /dev/null
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -0,0 +1,120 @@
+# This is a basic workflow to help you get started with Actions
+
+name: linux_benchmark_pipeline
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ - main
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+# A workflow run is made up of one or more jobs
+# that can run sequentially or in parallel
+jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/first-interaction@v1.1.0
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ env:
+ ENABLE_DEBUG: false
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE,
+ # so your job can access it
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+### Build out the server
+ - name: Terraform_Init
+ working-directory: .github/workflows
+ run: terraform init
+
+ - name: Terraform_Validate
+ working-directory: .github/workflows
+ run: terraform validate
+
+ - name: Terraform_Apply
+ working-directory: .github/workflows
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+
+## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ working-directory: .github/workflows
+ run: cat hosts.yml
+
+# Centos 7 images take a while to come up insert sleep or playbook fails
+
+ - name: Check if test os is rhel7
+ working-directory: .github/workflows
+ id: test_os
+ run: >-
+ echo "::set-output name=RHEL7::$(
+ grep -c RHEL7 OS.tfvars
+ )"
+
+ - name: if RHEL7 - Sleep for 60 seconds
+ if: steps.test_os.outputs.RHEL7 >= 1
+ run: sleep 60s
+ shell: bash
+
+# Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+# verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+# Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ working-directory: .github/workflows
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
new file mode 100644
index 00000000..9ad9240b
--- /dev/null
+++ b/.github/workflows/main.tf
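Review bot: `pull_request_target` runs the `build` job with repository secrets (`SSH_PRV_KEY`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) while `actions/checkout` fetches `github.event.pull_request.head.sha`, so the `.github/workflows/*.tf` files that `terraform apply` reads and the `site.yml` that `Run_Ansible_Playbook` executes come from the unreviewed PR head; gate the job behind an `environment` with required reviewers or a maintainer-applied label, or switch the trigger to `pull_request` and drop the head-sha checkout. In `Add_ssh_key`, `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, so if the secret is a multi-line PEM, word splitting turns its newlines into spaces and writes a malformed key file; use `echo "$PRIVATE_KEY" > .ssh/github_actions.pem`. `arillso/action.playbook@master` is a floating ref that picks up whatever lands on that branch; pin it to a tag or commit SHA as the other two actions are.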
@@ -0,0 +1,83 @@ +provider "aws" { + profile = "" + region = var.aws_region +} + +// Create a security group with access to port 22 and port 80 open to serve HTTP traffic + +data "aws_vpc" "default" { + default = true +} + +resource "random_id" "server" { + keepers = { + # Generate a new id each time we switch to a new AMI id + ami_id = "${var.ami_id}" + } + + byte_length = 8 +} + +resource "aws_security_group" "github_actions" { + name = "${var.namespace}-${random_id.server.hex}" + vpc_id = data.aws_vpc.default.id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = "${var.namespace}-SG" + } +} + +// instance setup + +resource "aws_instance" "testing_vm" { + ami = var.ami_id + associate_public_ip_address = true + key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs + instance_type = var.instance_type + tags = var.instance_tags + vpc_security_group_ids = [aws_security_group.github_actions.id] + root_block_device { + delete_on_termination = true + } +} + +// generate inventory file +resource "local_file" "inventory" { + filename = "./hosts.yml" + directory_permission = "0755" + file_permission = "0644" + content = < Date: Wed, 30 Mar 2022 09:42:12 +0100 Subject: [PATCH 027/454] update section1_2 Signed-off-by: Mark Bolwell --- defaults/main.yml | 101 ++++++++++++++++++++++++++-------------------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 23f8efdb..2a6bd1b8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -54,7 +54,7 @@ audit_content: git run_audit: false # Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 30000 +audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### 
@@ -67,59 +67,73 @@ audit_cmd_timeout: 30000
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
 rhel9cis_rule_1_1_1_3: true
-rhel9cis_rule_1_1_1_4: true
-rhel9cis_rule_1_1_1_5: true
-rhel9cis_rule_1_1_2: true
-rhel9cis_rule_1_1_3: true
-rhel9cis_rule_1_1_4: true
-rhel9cis_rule_1_1_5: true
-rhel9cis_rule_1_1_6: true
-rhel9cis_rule_1_1_7: true
-rhel9cis_rule_1_1_8: true
-rhel9cis_rule_1_1_9: true
-rhel9cis_rule_1_1_10: true
-rhel9cis_rule_1_1_11: true
-rhel9cis_rule_1_1_12: true
-rhel9cis_rule_1_1_13: true
-rhel9cis_rule_1_1_14: true
-rhel9cis_rule_1_1_15: true
-rhel9cis_rule_1_1_16: true
-rhel9cis_rule_1_1_17: true
+rhel9cis_rule_1_1_2_1: true
+rhel9cis_rule_1_1_2_2: true
+rhel9cis_rule_1_1_2_3: true
+rhel9cis_rule_1_1_2_4: true
+rhel9cis_rule_1_1_3_1: true
+rhel9cis_rule_1_1_3_2: true
+rhel9cis_rule_1_1_3_3: true
+rhel9cis_rule_1_1_3_4: true
+rhel9cis_rule_1_1_4_1: true
+rhel9cis_rule_1_1_4_2: true
+rhel9cis_rule_1_1_4_3: true
+rhel9cis_rule_1_1_4_4: true
+rhel9cis_rule_1_1_5_1: true
+rhel9cis_rule_1_1_5_2: true
+rhel9cis_rule_1_1_5_3: true
+rhel9cis_rule_1_1_5_4: true
+rhel9cis_rule_1_1_6_1: true
+rhel9cis_rule_1_1_6_2: true
+rhel9cis_rule_1_1_6_3: true
+rhel9cis_rule_1_1_6_4: true
+rhel9cis_rule_1_1_7_1: true
+rhel9cis_rule_1_1_7_2: true
+rhel9cis_rule_1_1_7_3: true
+rhel9cis_rule_1_1_7_4: true
+rhel9cis_rule_1_1_7_5: true
+rhel9cis_rule_1_1_8_1: true
+rhel9cis_rule_1_1_8_2: true
+rhel9cis_rule_1_1_8_3: true
 rhel9cis_rule_1_1_18: true
 rhel9cis_rule_1_1_19: true
 rhel9cis_rule_1_1_20: true
 rhel9cis_rule_1_1_21: true
-rhel9cis_rule_1_1_22: true
-rhel9cis_rule_1_1_23: true
+rhel9cis_rule_1_1_9: true
+rhel9cis_rule_1_1_10: true
 rhel9cis_rule_1_2_1: true
 rhel9cis_rule_1_2_2: true
 rhel9cis_rule_1_2_3: true
 rhel9cis_rule_1_2_4: true
-rhel9cis_rule_1_2_5: true
 rhel9cis_rule_1_3_1: true
 rhel9cis_rule_1_3_2: true
-rhel9cis_rule_1_3_3: true
 rhel9cis_rule_1_4_1: true
 rhel9cis_rule_1_4_2: true
+rhel9cis_rule_1_4_3: true
 rhel9cis_rule_1_5_1: true
 rhel9cis_rule_1_5_2: true
 rhel9cis_rule_1_5_3: true
 rhel9cis_rule_1_6_1: true
 rhel9cis_rule_1_6_2: true
-rhel9cis_rule_1_7_1_1: true
-rhel9cis_rule_1_7_1_2: true
-rhel9cis_rule_1_7_1_3: true
-rhel9cis_rule_1_7_1_4: true
-rhel9cis_rule_1_7_1_5: true
-rhel9cis_rule_1_7_1_6: true
-rhel9cis_rule_1_7_1_7: true
-rhel9cis_rule_1_8_1_1: true
-rhel9cis_rule_1_8_1_2: true
-rhel9cis_rule_1_8_1_3: true
-rhel9cis_rule_1_8_1_4: true
-rhel9cis_rule_1_8_1_5: true
-rhel9cis_rule_1_8_1_6: true
+rhel9cis_rule_1_6_1_1: true
+rhel9cis_rule_1_6_1_2: true
+rhel9cis_rule_1_6_1_3: true
+rhel9cis_rule_1_6_1_4: true
+rhel9cis_rule_1_6_1_5: true
+rhel9cis_rule_1_6_1_6: true
+rhel9cis_rule_1_6_1_7: true
+rhel9cis_rule_1_6_1_8: true
+rhel9cis_rule_1_7_1: true
+rhel9cis_rule_1_7_2: true
+rhel9cis_rule_1_7_3: true
+rhel9cis_rule_1_7_4: true
+rhel9cis_rule_1_7_5: true
+rhel9cis_rule_1_7_6: true
+rhel9cis_rule_1_8_1: true
 rhel9cis_rule_1_8_2: true
+rhel9cis_rule_1_8_3: true
+rhel9cis_rule_1_8_4: true
+rhel9cis_rule_1_8_5: true
 rhel9cis_rule_1_9: true
 rhel9cis_rule_1_10: true
 rhel9cis_rule_1_11: true
@@ -127,14 +141,7 @@ rhel9cis_rule_1_11: true
 # Section 2 rules
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
-rhel9cis_rule_2_1_3: true
-rhel9cis_rule_2_1_4: true
-rhel9cis_rule_2_1_5: true
-rhel9cis_rule_2_1_6: true
-rhel9cis_rule_2_1_7: true
-rhel9cis_rule_2_2_1_1: true
-rhel9cis_rule_2_2_1_2: true
-rhel9cis_rule_2_2_1_3: true
+rhel9cis_rule_2_2_1: true
 rhel9cis_rule_2_2_2: true
 rhel9cis_rule_2_2_3: true
 rhel9cis_rule_2_2_4: true
@@ -152,9 +159,15 @@ rhel9cis_rule_2_2_15: true
 rhel9cis_rule_2_2_16: true
 rhel9cis_rule_2_2_17: true
 rhel9cis_rule_2_2_18: true
+rhel9cis_rule_2_2_19: true
+rhel9cis_rule_2_2_20: true
 rhel9cis_rule_2_3_1: true
 rhel9cis_rule_2_3_2: true
 rhel9cis_rule_2_3_3: true
+rhel9cis_rule_2_3_4: true
+rhel9cis_rule_2_3_5: true
+rhel9cis_rule_2_3_6: true
+rhel9cis_rule_2_4: true
 
 # Section 3 rules
 rhel9cis_rule_3_1_1: true
From efdcb0b6f5fc316e87d8fab950833fcda946d20b Mon Sep 17 00:00:00 2001
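Review bot: The context lines `rhel9cis_rule_1_1_18` through `rhel9cis_rule_1_1_21` are kept between the new `rhel9cis_rule_1_1_8_3` and the re-added `rhel9cis_rule_1_1_9`, while every other 1.1 flag in this hunk moves to the nested 1.1.x.y numbering; they look like leftovers of the old scheme, and a flag that no task reads is a switch an operator will set expecting a control to run. Confirm against tasks/section_1 and either drop them or place them beside the task that reads them. Re-adding `rhel9cis_rule_1_1_9` and `rhel9cis_rule_1_1_10` after `_1_1_21` also breaks the ascending order the rest of the file keeps, which makes the list harder to audit against the benchmark.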
From: Mark Bolwell Date: Wed, 30 Mar 2022 11:02:30 +0100 Subject: [PATCH 028/454] section_1 updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 77 ++++++++++++++++++ tasks/section_1/cis_1.1.3.x.yml | 63 +++++++++++++++ tasks/section_1/cis_1.1.4.x.yml | 64 +++++++++++++++ tasks/section_1/cis_1.1.5.x.yml | 62 +++++++++++++++ tasks/section_1/cis_1.1.6.x.yml | 61 +++++++++++++++ tasks/section_1/cis_1.1.7.x.yml | 64 +++++++++++++++ tasks/section_1/cis_1.1.8.x.yml | 43 ++++++++++ tasks/section_1/cis_1.6.1.x.yml | 135 ++++++++++++++++++++++++++++++++ tasks/section_1/cis_1.7.x.yml | 102 ++++++++++++++++++++++++ tasks/section_1/cis_1.8.x.yml | 111 ++++++++++++++++++++++++++ 10 files changed, 782 insertions(+) create mode 100644 tasks/section_1/cis_1.1.2.x.yml create mode 100644 tasks/section_1/cis_1.1.3.x.yml create mode 100644 tasks/section_1/cis_1.1.4.x.yml create mode 100644 tasks/section_1/cis_1.1.5.x.yml create mode 100644 tasks/section_1/cis_1.1.6.x.yml create mode 100644 tasks/section_1/cis_1.1.7.x.yml create mode 100644 tasks/section_1/cis_1.1.8.x.yml create mode 100644 tasks/section_1/cis_1.6.1.x.yml create mode 100644 tasks/section_1/cis_1.7.x.yml create mode 100644 tasks/section_1/cis_1.8.x.yml diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml new file mode 100644 index 00000000..bb189930 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.x.yml 
@@ -0,0 +1,77 @@
+---
+
+- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition"
+ debug:
+ msg: "WARNING!! /tmp is not mounted on a separate partition"
+ when:
+ - rhel9cis_rule_1_1_2_1
+ - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - mounts
+ - rule_1.1.2.1
+
+# via fstab
+- name: |
+ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
+ "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
+ "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
+ mount:
+ name: /tmp
+ src: "{{ item.device }}"
+ fstype: "{{ item.fstype }}"
+ state: present
+ opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
+ notify: remount tmp
+ with_items:
+ - "{{ ansible_mounts }}"
+ loop_control:
+ label: "{{ item.device }}"
+ when:
+ - item.mount == "/tmp"
+ - not rhel9cis_tmp_svc
+ - rhel9cis_rule_1_1_2_2 or
+ rhel9cis_rule_1_1_2_3 or
+ rhel9cis_rule_1_1_2_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - rule_1.1.2.2
+ - rule_1.1.2.3
+ - rule_1.1.2.4
+
+# via systemd
+- name: |
+ "1.1.2.1 | PATCH | Ensure /tmp is configured"
+ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
+ "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
+ "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
+ template:
+ src: etc/systemd/system/tmp.mount.j2
+ dest: /etc/systemd/system/tmp.mount
+ owner: root
+ group: root
+ mode: 0644
+ notify: systemd restart tmp.mount
+ when:
+ - rhel9cis_tmp_svc
+ - rhel9cis_rule_1_1_2_1 or
+ rhel9cis_rule_1_1_2_2 or
+ rhel9cis_rule_1_1_2_3 or
+ rhel9cis_rule_1_1_2_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - scored
+ - patch
+ - mounts
+ - rule_1.1.2.1
+ - rule_1.1.2.2
+ - rule_1.1.2.3
+ - rule_1.1.2.4
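Review bot: In the fstab task the `opts` template emits a trailing comma whenever `rhel9cis_rule_1_1_2_4` is false but `rhel9cis_rule_1_1_2_2` or `_2_3` is true (`defaults,nodev,noexec,`), and the mount module writes that string verbatim into fstab; build a list and join it instead, e.g. `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_2_2 else []) + (['noexec'] if rhel9cis_rule_1_1_2_3 else []) + (['nosuid'] if rhel9cis_rule_1_1_2_4 else [])) | join(',') }}"`. The same inline-if chain with a comma before the last option is repeated in cis_1.1.3.x, cis_1.1.4.x, cis_1.1.5.x, cis_1.1.6.x, cis_1.1.7.x and cis_1.1.8.x in this series. The first task is named `1.1.2.1 | PATCH` but only emits a debug warning and is tagged `audit`, so it should read `AUDIT` like the other 1.1.x.1 tasks, and the systemd task tags `scored` where the rest of the file uses `automated`.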
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
new file mode 100644
index 00000000..c7fb9867
--- /dev/null
+++ b/tasks/section_1/cis_1.1.3.x.yml
@@ -0,0 +1,63 @@
+---
+
+- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var"
+ block:
+ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
+ debug:
+ msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ register: var_mount_absent
+ changed_when: var_mount_absent.skipped is undefined
+ when:
+ - required_mount not in mount_names
+
+ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
+ debug:
+ msg: "Congratulations: {{ required_mount }} exists."
+ register: var_mount_present
+ when:
+ - required_mount in mount_names
+ vars:
+ required_mount: '/var'
+ when:
+ - rhel9cis_rule_1_1_3_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - mounts
+ - rule_1.1.3.1
+
+# skips if mount is absent
+- name: |
+ "1.1.3.2 | PATCH | Ensure nodev option set on /var partition"
+ "1.1.3.3 | PATCH | Ensure noexec option set on /var partition"
+ "1.1.3.4 | PATCH | Ensure nosuid option set on /var partition"
+ mount:
+ name: /var
+ src: "{{ item.device }}"
+ fstype: "{{ item.fstype }}"
+ state: present
+ opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
+ with_items:
+ - "{{ ansible_mounts }}"
+ loop_control:
+ label: "{{ item.device }}"
+ notify: change_requires_reboot
+ when:
+ - var_mount_present is defined
+ - item.mount == "/var"
+ - rhel9cis_rule_1_1_3_1 # This is required so the check takes place
+ - rhel9cis_rule_1_1_3_2 or
+ rhel9cis_rule_1_1_3_3 or
+ rhel9cis_rule_1_1_3_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - skip_ansible_lint
+ - rule_1.1.3.2
+ - rule_1.1.3.3
+ - rule_1.1.3.4
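Review bot: `var_mount_present is defined` does not implement the `# skips if mount is absent` comment: a task skipped by its `when` still stores a result in the registered variable (with `skipped: true`), so the variable is defined either way and the only thing actually preventing a write is the `item.mount == "/var"` match on `ansible_mounts`; if the intent is to gate on the audit outcome, use `- var_mount_present is not skipped`. The 1.1.3.1 audit block is tagged `patch` while the same block in cis_1.1.4.x through cis_1.1.7.x is tagged `audit`; change it to `- audit`. The same `is defined` guard recurs in cis_1.1.4.x, cis_1.1.5.x, cis_1.1.6.x and cis_1.1.7.x. `mount_names` is not set anywhere in this hunk; presumably a prerequisite task defines it, which is worth a comment on the first use.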
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml new file mode 100644 index 00000000..dbeab96e --- /dev/null +++ b/tasks/section_1/cis_1.1.4.x.yml 
@@ -0,0 +1,64 @@
+---
+
+# Skips if mount is absent
+- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp"
+ block:
+ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
+ debug:
+ msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ register: var_tmp_mount_absent
+ changed_when: var_tmp_mount_absent.skipped is undefined
+ when:
+ - required_mount not in mount_names
+
+ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
+ debug:
+ msg: "Congratulations: {{ required_mount }} exists."
+ register: var_tmp_mount_present
+ when:
+ - required_mount in mount_names
+ vars:
+ required_mount: '/var/tmp'
+ when:
+ - rhel9cis_rule_1_1_4_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - audit
+ - mounts
+ - rule_1.1.4.1
+
+# skips if mount is absent
+- name: |
+ "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition"
+ "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
+ "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition"
+ mount:
+ name: /var/tmp
+ src: "{{ item.device }}"
+ fstype: "{{ item.fstype }}"
+ state: present
+ opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %}
+ with_items:
+ - "{{ ansible_mounts }}"
+ loop_control:
+ label: "{{ item.device }}"
+ notify: change_requires_reboot
+ when:
+ - var_tmp_mount_present is defined
+ - item.mount == "/var/tmp"
+ - rhel9cis_rule_1_1_4_1 # This is required so the check takes place
+ - rhel9cis_rule_1_1_4_2 or
+ rhel9cis_rule_1_1_4_3 or
+ rhel9cis_rule_1_1_4_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - skip_ansible_lint
+ - rule_1.1.4.2
+ - rule_1.1.4.3
+ - rule_1.1.4.4
\ No newline at end of file
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
new file mode 100644
index 00000000..f286fcc8
--- /dev/null
+++ b/tasks/section_1/cis_1.1.5.x.yml
@@ -0,0 +1,62 @@
+---
+
+- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log"
+ block:
+ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
+ debug:
+ msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ register: var_log_mount_absent
+ changed_when: var_log_mount_absent.skipped is undefined
+ when:
+ - required_mount not in mount_names
+ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
+ debug:
+ msg: "Congratulations: {{ required_mount }} exists."
+ register: var_log_mount_present
+ when:
+ - required_mount in mount_names
+ vars:
+ required_mount: '/var/log'
+ when:
+ - rhel9cis_rule_1_1_5_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - audit
+ - mounts
+ - rule_1.1.5.1
+ - skip_ansible_lint
+
+- name: |
+ "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
+ "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition"
+ "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition"
+ mount:
+ name: /var/log
+ src: "{{ item.device }}"
+ fstype: "{{ item.fstype }}"
+ state: present
+ opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
+ with_items:
+ - "{{ ansible_mounts }}"
+ loop_control:
+ label: "{{ item.device }}"
+ notify: change_requires_reboot
+ when:
+ - var_log_mount_present is defined
+ - item.mount == "/var/log"
+ - rhel9cis_rule_1_1_5_1 # This is required so the check takes place
+ - rhel9cis_rule_1_1_5_2 or
+ rhel9cis_rule_1_1_5_3 or
+ rhel9cis_rule_1_1_5_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - skip_ansible_lint
+ - rule_1.1.5.2
+ - rule_1.1.5.3
+ - rule_1.1.5.4
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml new file mode 100644 index 00000000..94e85d2b --- /dev/null +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -0,0 +1,61 @@
+---
+
+- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit"
+ block:
+ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
+ debug:
+ msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ register: var_log_audit_mount_absent
+ changed_when: var_log_audit_mount_absent.skipped is undefined
+ when:
+ - required_mount not in mount_names
+ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
+ debug:
+ msg: "Congratulations: {{ required_mount }} exists."
+ register: var_log_audit_mount_present
+ when:
+ - required_mount in mount_names
+ vars:
+ required_mount: '/var/log/audit'
+ when:
+ - rhel9cis_rule_1_1_6_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - audit
+ - mounts
+ - rule_1.1.6.1
+
+- name: |
+ "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
+ "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition"
+ "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition"
+ mount:
+ name: /var/log/audit
+ src: "{{ item.device }}"
+ fstype: "{{ item.fstype }}"
+ state: present
+ opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
+ with_items:
+ - "{{ ansible_mounts }}"
+ loop_control:
+ label: "{{ item.device }}"
+ notify: change_requires_reboot
+ when:
+ - var_log_audit_mount_present is defined
+ - item.mount == "/var/log/audit"
+ - rhel9cis_rule_1_1_6_1 # This is required so the check takes place
+ - rhel9cis_rule_1_1_6_2 or
+ rhel9cis_rule_1_1_6_3 or
+ rhel9cis_rule_1_1_6_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - skip_ansible_lint
+ - rule_1.1.6.2
+ - rule_1.1.6.3
+ - rule_1.1.6.4
\ No newline at end of file
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml new file mode 100644 index 00000000..453fef53 --- /dev/null +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -0,0 +1,64 @@
+---
+
+- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home"
+ block:
+ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
+ debug:
+ msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ register: home_mount_absent
+ changed_when: home_mount_absent.skipped is undefined
+ when:
+ - required_mount not in mount_names
+ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
+ debug:
+ msg: "Congratulations: {{ required_mount }} exists."
+ register: home_mount_present
+ when:
+ - required_mount in mount_names
+ vars:
+ required_mount: '/home'
+ when:
+ - rhel9cis_rule_1_1_7_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - audit
+ - mounts
+ - rule_1.1.7.1
+ - skip_ansible_lint
+
+- name: |
+ "1.1.7.2 | PATCH | Ensure nodev option set on /home partition
+ 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition
+ 1.1.7.4 | PATCH | Ensure usrquota option set on /home partition
+ 1.1.7.5 | PATCH | Ensure grpquota option set on /home partition"
+ mount:
+ name: /home
+ src: "{{ item.device }}"
+ fstype: "{{ item.fstype }}"
+ state: present
+ opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %}
+ with_items:
+ - "{{ ansible_mounts }}"
+ loop_control:
+ label: "{{ item.device }}"
+ notify: change_requires_reboot
+ when:
+ - home_mount_present is defined
+ - item.mount == "/home"
+ - rhel9cis_rule_1_1_7_1
+ - rhel9cis_rule_1_1_7_2 or
+ rhel9cis_rule_1_1_7_3 or
+ rhel9cis_rule_1_1_7_4 or
+ rhel9cis_rule_1_1_7_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - rule_1.1.7.2
+ - rule_1.1.7.3
+ - rule_1.1.7.4
+ - skip_ansible_lint
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
new file mode 100644
index 00000000..a61a6aff
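Review bot: The second task implements 1.1.7.5 (`grpquota`, gated by `rhel9cis_rule_1_1_7_5`) but its `tags` list stops at `rule_1.1.7.4`, so a run selected with `--tags rule_1.1.7.5` executes nothing for that control; add `- rule_1.1.7.5` after `- rule_1.1.7.4`. The `rhel9cis_rule_1_1_7_1` condition on this task also lacks the `# This is required so the check takes place` comment its siblings carry, and the dependency on the audit task is not obvious without it.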
--- /dev/null
+++ b/tasks/section_1/cis_1.1.8.x.yml
@@ -0,0 +1,43 @@
+---
+
+# Skips if mount is absent
+- name: |
+ "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition
+ 1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition
+ 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition"
+ block:
+ - name: |
+ "1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence
+ 1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence
+ 1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence"
+ shell: mount -l | grep -E '\s/dev/shm\s'
+ changed_when: false
+ failed_when: false
+ check_mode: no
+ register: rhel9cis_1_1_8_x_dev_shm_status
+
+ - name: |
+ "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
+ 1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option
+ 1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option"
+ mount:
+ name: /dev/shm
+ src: tmpfs
+ fstype: tmpfs
+ state: mounted
+ opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
+ when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout"
+ notify: change_requires_reboot
+ when:
+ - rhel9cis_rule_1_1_8_1 or
+ rhel9cis_rule_1_1_8_2 or
+ rhel9cis_rule_1_1_8_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - mounts
+ - rule_1.1.8.1
+ - rule_1.1.8.2
+ - rule_1.1.8.3
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
new file mode 100644
index 00000000..b31600a7
--- /dev/null
+++ b/tasks/section_1/cis_1.6.1.x.yml
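Review bot: The flag-to-option mapping in the `opts` template is crossed relative to the block header: the header says 1.1.8.2 is nosuid and 1.1.8.3 is noexec, but the template emits `noexec` for `rhel9cis_rule_1_1_8_2` and `nosuid` for `rhel9cis_rule_1_1_8_3`, and the second sub-task's name repeats the confusion (`1.1.8.2 ... noexec ... Set nosuid option`, `1.1.8.3 ... nosuid ... Set noexec option`). An operator who disables `rhel9cis_rule_1_1_8_2` expecting to keep noexec therefore loses it. Swap the two flag references so the template reads `{% if rhel9cis_rule_1_1_8_2 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec{% endif %}` and fix the two sub-task name lines to match the header.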
@@ -0,0 +1,135 @@
+---
+
+- name: "1.6.1.1 | PATCH | Ensure SELinux is installed"
+ package:
+ name: libselinux
+ state: present
+ when:
+ - rhel9cis_rule_1_6_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_1.6.1.1
+
+- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
+ replace:
+ dest: /etc/default/grub
+ regexp: '(selinux|enforcing)\s*=\s*0\s*'
+ replace: ''
+ register: selinux_grub_patch
+ ignore_errors: yes
+ notify: grub2cfg
+ when:
+ - rhel9cis_rule_1_6_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - scored
+ - patch
+ - rule_1.6.1.2
+
+# State set to enforcing because control 1.6.1.5 requires enforcing to be set
+- name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured"
+ selinux:
+ conf: /etc/selinux/config
+ policy: "{{ rhel9cis_selinux_pol }}"
+ state: enforcing
+ when:
+ - not rhel9cis_selinux_disable
+ - rhel9cis_rule_1_6_1_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - selinux
+ - patch
+ - rule_1.6.1.3
+
+# State set to enforcing because control 1.6.1.5 requires enforcing to be set
+- name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled"
+ selinux:
+ conf: /etc/selinux/config
+ policy: "{{ rhel9cis_selinux_pol }}"
+ state: enforcing
+ when:
+ - not rhel9cis_selinux_disable
+ - rhel9cis_rule_1_6_1_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - auotmated
+ - selinux
+ - patch
+ - rule_1.6.1.4
+
+- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing"
+ selinux:
+ conf: /etc/selinux/config
+ policy: "{{ rhel9cis_selinux_pol }}"
+ state: enforcing
+ when:
+ - not rhel9cis_selinux_disable
+ - rhel9cis_rule_1_6_1_5
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - selinux
+ - patch
+ - rule_1.6.1.5
+
+- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist"
+ block:
+ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
+ shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
+ register: rhelcis_1_6_1_6_unconf_services
+ failed_when: false
+ changed_when: false
+
+ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services"
+ debug:
+ msg: "Good News! There are no services found on your system"
+ when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0
+
+ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
+ debug:
+ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"
+ when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
+ when:
+ - rhel9cis_rule_1_6_1_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - services
+ - rule_1.6.1.6
+
+- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed"
+ package:
+ name: setroubleshoot
+ state: absent
+ when:
+ - rhel9cis_rule_1_6_1_7
+ - "'setroubleshoot' in ansible_facts.packages"
+ tags:
+ - level1-server
+ - automated
+ - selinux
+ - patch
+ - rule_1.6.1.7
+
+- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
+ package:
+ name: mcstrans
+ state: absent
+ when:
+ - rhel9cis_rule_1_6_1_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_1.6.1.8
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
new file mode 100644
index 00000000..1ee55791
--- /dev/null
+++ b/tasks/section_1/cis_1.7.x.yml
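Review bot: The 1.6.1.4 task's tags contain `auotmated`, a misspelling of `automated`, so runs selected with `--tags automated` skip this SELinux control silently; fix it to `- automated`. In 1.6.1.2, `ignore_errors: yes` hides a failed edit of `/etc/default/grub` (and is a non-canonical boolean); a hardening task that cannot apply should fail visibly, so drop it or replace it with a `failed_when` naming the one condition that is tolerated. Tasks 1.6.1.3, 1.6.1.4 and 1.6.1.5 are identical `selinux` calls differing only in their flag and tags; a single task with `when: rhel9cis_rule_1_6_1_3 or rhel9cis_rule_1_6_1_4 or rhel9cis_rule_1_6_1_5` and the union of tags would state the intent once and keep the three flags from drifting apart.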
@@ -0,0 +1,102 @@
+---
+
+- name: "1.7.1 | PATCH | Ensure message of the day is configured properly"
+ template:
+ src: etc/motd.j2
+ dest: /etc/motd
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel9cis_rule_1_7_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - banner
+ - patch
+ - rule_1.7.1
+
+- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
+ template:
+ src: etc/issue.j2
+ dest: /etc/issue
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel9cis_rule_1_7_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_1.7.2
+
+- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
+ template:
+ src: etc/issue.net.j2
+ dest: /etc/issue.net
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel9cis_rule_1_7_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - banner
+ - patch
+ - rule_1.7.3
+
+- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
+ file:
+ dest: /etc/motd
+ state: file
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel9cis_rule_1_7_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - perms
+ - patch
+ - rule_1.7.4
+
+- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
+ file:
+ dest: /etc/issue
+ state: file
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel9cis_rule_1_7_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - perms
+ - patch
+ - rule_1.7.5
+
+- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
+ file:
+ dest: /etc/issue.net
+ state: file
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel9cis_rule_1_7_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - perms
+ - patch
+ - rule_1.7.6
diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml
new file mode 100644
index 00000000..1edc7048
--- /dev/null
+++ b/tasks/section_1/cis_1.8.x.yml
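Review bot: The 1.7.2 task omits the `banner` tag that 1.7.1 and 1.7.3 carry, so `--tags banner` would rewrite /etc/motd and /etc/issue.net but leave /etc/issue untouched; add `- banner` to its tags. Since 1.7.1 to 1.7.3 already set `owner`, `group` and `mode` on the files they template, the 1.7.4 to 1.7.6 `file` tasks only change anything when the template tasks are disabled; a comment above 1.7.4 such as `# 1.7.4-1.7.6 re-assert ownership and mode when the template tasks above are skipped` would make that intent explicit.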
@@ -0,0 +1,111 @@ +--- + +- name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" + package: + name: gdm + state: absent + when: + - rhel9cis_rule_1_8_1 + - "'gdm' in ansible_facts.packages" + tags: + - level2-server + - automated + - patch + - gui + - gdm + - rule_1.8.1 + +- name: "1.8.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + dest: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: yes + owner: root + group: root + mode: 0644 + notify: reload dconf + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } + when: + - rhel9cis_rule_1_8_2 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - gdm + - rule_1.8.2 + +- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled" + lineinfile: + path: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: yes + owner: root + group: root + mode: 0644 + notify: reload dconf + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'} + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 
'\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } + when: + - rhel9cis_rule_1_8_3 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.3 + +- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled" + lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent + when: + - rhel9cis_rule_1_8_4 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.4 + +- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" + lineinfile: + path: /etc/dconf/db/local.d/00-media-automount + regex: "{{ item.regex }}" + line: "{{ item.line }}" + create: yes + notify: reload dconf + with_items: + - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } + - { regex: 'automount=', line: 'automount=false' } + - { regex: 'automount-open=', line: 'automount-open=false'} + when: + - rhel9cis_rule_1_8_5 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - automated + - patch + - gui + - rule_1.8.5 From f808f30173c58456028d4c5d7a9fe0581f7198be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:08:18 +0100 Subject: [PATCH 029/454] updated 
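Review bot: In task 1.8.4 the `lineinfile` with `regexp: 'Enable=true'` and `state: absent` is unanchored, and lineinfile matches with a search rather than a full-line match, so any line containing that substring in /etc/gdm/custom.conf is deleted, including a `WaylandEnable=true` entry that has nothing to do with XDMCP; anchoring it, `regexp: '^\s*Enable\s*=\s*true'`, avoids the collateral removal, and using `ini_file` with `section: xdmcp` would scope it to the intended section. The last item of task 1.8.2 writes `banner-message-text='{{ rhel9cis_warning_banner }}' ` with a trailing space inside the value and no escaping of the variable, so a banner containing a single quote presumably produces an invalid dconf keyfile; confirm the variable is constrained or escaped. As in cis_1.7.x.yml, `mode: 0644` should be quoted and `create: yes` written as `create: true`, and task 1.8.5 creates /etc/dconf/db/local.d/00-media-automount without the owner/group/mode the sibling tasks set.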
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 74 ++---- tasks/section_1/cis_1.1.2.x.yml | 22 +- tasks/section_1/cis_1.1.3.x.yml | 12 +- tasks/section_1/cis_1.1.4.x.yml | 12 +- tasks/section_1/cis_1.1.5.x.yml | 12 +- tasks/section_1/cis_1.1.6.x.yml | 12 +- tasks/section_1/cis_1.1.7.x.yml | 14 +- tasks/section_1/cis_1.1.8.x.yml | 12 +- tasks/section_1/cis_1.1.x.yml | 346 +-------------------------- tasks/section_1/cis_1.10.yml | 10 +- tasks/section_1/cis_1.2.x.yml | 77 +++--- tasks/section_1/cis_1.3.x.yml | 65 ++--- tasks/section_1/cis_1.4.x.yml | 93 +++++--- tasks/section_1/cis_1.5.x.yml | 82 +++---- tasks/section_1/cis_1.6.1.x.yml | 28 +-- tasks/section_1/cis_1.7.x.yml | 12 +- tasks/section_1/cis_1.8.x.yml | 20 +- tasks/section_1/cis_1.9.yml | 6 +- tasks/section_1/main.yml | 59 +++-- tasks/section_2/cis_2.1.x.yml | 43 ++++ tasks/section_2/cis_2.2.x.yml | 411 ++++++++++++++++++-------------- tasks/section_2/cis_2.3.x.yml | 76 +++++- tasks/section_2/cis_2.4.yml | 26 ++ tasks/section_2/main.yml | 10 +- 24 files changed, 690 insertions(+), 844 deletions(-) create mode 100644 tasks/section_2/cis_2.1.x.yml create mode 100644 tasks/section_2/cis_2.4.yml diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index dc8ae32b..b9fb6749 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
@@ -1,102 +1,76 @@ --- -- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" block: - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" modprobe: name: cramfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_1 + - rhel8cis_rule_1_1_1_1 tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_1.1.1.1 - cramfs -- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited" +- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install vfat(\\s|$)" - line: "install vfat /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" - modprobe: - name: vfat - state: absent - when: ansible_connection != 'docker' - when: - - rhel9cis_rule_1_1_1_2 - - rhel9cis_legacy_boot - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.1.1.2 - - vfat - -- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.2 | PATCH | Ensure mounting of 
squashfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_3 + - rhel8cis_rule_1_1_1_2 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.3 + - rule_1.1.1.2 - squashfs -- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_4 + - rhel8cis_rule_1_1_1_3 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.4 + - rule_1.1.1.3 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index bb189930..06c4eefa 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
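Review bot: The new `when:` conditions reference `rhel8cis_rule_1_1_1_1`, `rhel8cis_rule_1_1_1_2` and `rhel8cis_rule_1_1_1_3`, but this is the rhel9CIS role and the commit's diffstat touches only files under `tasks/`, so unless a defaults file already defines the `rhel8cis_` prefix every one of these conditionals fails at runtime with an undefined-variable error rather than silently skipping. The same prefix change is made in every other hunk of this commit (cis_1.1.2.x.yml through cis_1.1.8.x.yml, cis_1.1.x.yml, cis_1.10.yml, cis_1.2.x.yml and cis_1.3.x.yml), so either the rename belongs in defaults as well or the task files should keep `rhel9cis_`. Separately, `create: true` is replaced by `create: yes` in all three modprobe tasks, which reintroduces the YAML 1.1 truthy form that yamllint rejects; keep `create: true`.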
@@ -4,7 +4,7 @@ debug: msg: "WARNING!! /tmp is not mounted on a separate partition" when: - - rhel9cis_rule_1_1_2_1 + - rhel8cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server @@ -24,7 +24,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid{% endif %} notify: remount tmp with_items: - "{{ ansible_mounts }}" @@ -32,10 +32,10 @@ label: "{{ item.device }}" when: - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_2 or - rhel9cis_rule_1_1_2_3 or - rhel9cis_rule_1_1_2_4 + - not rhel8cis_tmp_svc + - rhel8cis_rule_1_1_2_2 or + rhel8cis_rule_1_1_2_3 or + rhel8cis_rule_1_1_2_4 tags: - level1-server - level1-workstation @@ -60,11 +60,11 @@ mode: 0644 notify: systemd restart tmp.mount when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_1 or - rhel9cis_rule_1_1_2_2 or - rhel9cis_rule_1_1_2_3 or - rhel9cis_rule_1_1_2_4 + - rhel8cis_tmp_svc + - rhel8cis_rule_1_1_2_1 or + rhel8cis_rule_1_1_2_2 or + rhel8cis_rule_1_1_2_3 or + rhel8cis_rule_1_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index c7fb9867..31696f89 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -19,7 +19,7 @@ vars: required_mount: '/var' when: - - rhel9cis_rule_1_1_3_1 + - rhel8cis_rule_1_1_3_1 tags: - level2-server - level2-workstation 
@@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,10 +47,10 @@ when: - var_mount_present is defined - item.mount == "/var" - - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 or - rhel9cis_rule_1_1_3_4 + - rhel8cis_rule_1_1_3_1 # This is required so the check takes place + - rhel8cis_rule_1_1_3_2 or + rhel8cis_rule_1_1_3_3 or + rhel8cis_rule_1_1_3_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index dbeab96e..b2ddbf02 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -20,7 +20,7 @@ vars: required_mount: '/var/tmp' when: - - rhel9cis_rule_1_1_4_1 + - rhel8cis_rule_1_1_4_1 tags: - level2-server - level2-workstation @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -48,10 +48,10 @@ when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_4_1 # This is required so the check takes place - - rhel9cis_rule_1_1_4_2 or - rhel9cis_rule_1_1_4_3 or - rhel9cis_rule_1_1_4_4 + - rhel8cis_rule_1_1_4_1 # This is required so the check takes place + - rhel8cis_rule_1_1_4_2 or + rhel8cis_rule_1_1_4_3 or + rhel8cis_rule_1_1_4_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index f286fcc8..662c8da5 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log' when: - - rhel9cis_rule_1_1_5_1 + - rhel8cis_rule_1_1_5_1 tags: - level2-server - level2-workstation @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -46,10 +46,10 @@ when: - var_log_mount_present is defined - item.mount == "/var/log" - - rhel9cis_rule_1_1_5_1 # This is required so the check takes place - - rhel9cis_rule_1_1_5_2 or - rhel9cis_rule_1_1_5_3 or - rhel9cis_rule_1_1_5_4 + - rhel8cis_rule_1_1_5_1 # This is required so the check takes place + - rhel8cis_rule_1_1_5_2 or + rhel8cis_rule_1_1_5_3 or + rhel8cis_rule_1_1_5_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 94e85d2b..89434f8d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -18,7 +18,7 @@ vars: required_mount: '/var/log/audit' when: - - rhel9cis_rule_1_1_6_1 + - rhel8cis_rule_1_1_6_1 tags: - level2-server - level2-workstation @@ -36,7 +36,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -45,10 +45,10 @@ when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel9cis_rule_1_1_6_1 # This is required so the check takes place - - rhel9cis_rule_1_1_6_2 or - rhel9cis_rule_1_1_6_3 or - rhel9cis_rule_1_1_6_4 + - rhel8cis_rule_1_1_6_1 # This is required so the check takes place + - rhel8cis_rule_1_1_6_2 or + rhel8cis_rule_1_1_6_3 or + rhel8cis_rule_1_1_6_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 453fef53..a4aa38d1 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/home' when: - - rhel9cis_rule_1_1_7_1 + - rhel8cis_rule_1_1_7_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -47,11 +47,11 @@ when: - home_mount_present is defined - item.mount == "/home" - - rhel9cis_rule_1_1_7_1 - - rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_3 or - rhel9cis_rule_1_1_7_4 or - rhel9cis_rule_1_1_7_5 + - rhel8cis_rule_1_1_7_1 + - rhel8cis_rule_1_1_7_2 or + rhel8cis_rule_1_1_7_3 or + rhel8cis_rule_1_1_7_4 or + rhel8cis_rule_1_1_7_5 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6aff..b2ec06c7 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -14,7 +14,7 @@ changed_when: false failed_when: false check_mode: no - register: rhel9cis_1_1_8_x_dev_shm_status + register: rhel8cis_1_1_8_x_dev_shm_status - name: | "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -25,13 +25,13 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" + opts: defaults,{% if rhel8cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel8cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: - - rhel9cis_rule_1_1_8_1 or - rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_3 + - rhel8cis_rule_1_1_8_1 or + rhel8cis_rule_1_1_8_2 or + rhel8cis_rule_1_1_8_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 2becc11c..4498978a 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
@@ -1,365 +1,45 @@ --- -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via fstab" - mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5 %}nosuid{% endif %} - notify: remount tmp - loop: "{{ ansible_mounts }}" - when: - - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via systemd" - template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 0644 - notify: systemd restart tmp.mount - when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var" - block: - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. 
This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var' - when: - - rhel9cis_rule_1_1_6 - tags: - - level2-server - - level2-workstation - - scored - - patch - - mounts - - rule_1.1.6 - -- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | skips if mount absent" - block: - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." 
- register: var_tmp_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/var/tmp' - when: - - rhel9cis_rule_1_1_7 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.7 - -- name: | - "1.1.8 | L1 | PATCH | Ensure nodev option set on /var/tmp partition | skips if mount absent" - "1.1.9 | L1 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent" - "1.1.10 | L1 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent" - mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_10 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_9 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" - when: - - var_tmp_mount_present is defined - - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_7 # This is required so the check takes place - - rhel9cis_rule_1_1_8 or - rhel9cis_rule_1_1_9 or - rhel9cis_rule_1_1_10 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - skip_ansible_lint - -- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log" - block: - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." 
- when: - - required_mount in mount_names - vars: - required_mount: '/var/log' - when: - - rhel9cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.11 - - skip_ansible_lint - -- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit" - block: - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log/audit' - when: - - rhel9cis_rule_1_1_12 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.12 - - -- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." 
- register: home_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/home' - when: - - rhel9cis_rule_1_1_13 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: "1.1.14 | L1 | PATCH | Ensure nodev option set on /home partition | skips if mount absent" - mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_14 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" - when: - - home_mount_present is defined - - item.mount == "/home" - - rhel9cis_rule_1_1_14 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - block: - - name: | - "1.1.15 | L1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_15_dev_shm_status - - - name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_17 %}noexec,{% endif 
%}{% if rhel9cis_rule_1_1_15 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_16 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_15_dev_shm_status.stdout" - when: - - rhel9cis_rule_1_1_15 or - rhel9cis_rule_1_1_16 or - rhel9cis_rule_1_1_17 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.15 - - rule_1.1.16 - - rule_1.1.17 - -- name: | - "1.1.18 | L1 | PATCH | Ensure nodev option set on removable media partitions" - "1.1.19 | L1 | PATCH | Ensure nosuid option set on removable media partitions" - "1.1.20 | L1 | PATCH | Ensure noexec option set on removable media partitions" - debug: - msg: "--> Not relevant" - changed_when: false - when: - - rhel9cis_rule_1_1_18 or - rhel9cis_rule_1_1_19 or - rhel9cis_rule_1_1_20 - tags: - - level1-server - - level1-workstation - - notscored - - audit - - mounts - - rule_1.1.18 - - rule_1.1.19 - - rule_1.1.20 - -- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false - changed_when: false - failed_when: false - when: - - rhel9cis_rule_1_1_21 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - patch - - stickybits - - permissons - - rule_1.1.21 - -- name: "1.1.22 | L1 | PATCH | Disable Automounting" +- name: "1.1.9 | PATCH | Disable Automounting" service: name: autofs - enabled: false + enabled: no when: - - not rhel9cis_allow_autofs + - not rhel8cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_22 + - rhel8cis_rule_1_1_9 tags: - level1-server - level2-workstation + - automated - patch - mounts - automounting - - rule_1.1.22 + - rule_1.1.9 -- name: "1.1.23 | L1 | PATCH | Disable USB Storage" +- name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | 
Disable USB Storage | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: true + create: yes owner: root group: root mode: 0600 - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_23 + - rhel8cis_rule_1_1_10 tags: - level1-server - level2-workstation + - automated - patch - mounts - removable_storage - - rule_1.1.23 + - rule_1.1.10 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 6b4a1611..82ec26ff 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,17 +1,17 @@ --- -- name: "1.10 | L1 | PATCH | Ensure system-wide crypto policy is not legacy" +- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" + update-crypto-policies --set "{{ rhel8cis_crypto_policy }}" update-crypto-policies - args: - warn: false + notify: change_requires_reboot when: - - rhel9cis_rule_1_10 + - rhel8cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server - level1-workstation + - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 52372a3e..a095c966 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
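Review bot: Both sub-tasks of 1.1.10 now carry the name `"1.1.10 | PATCH | Disable USB Storage | Edit modprobe config"`, so the `modprobe` step that actually unloads usb-storage is indistinguishable from the config edit in play output; rename the second to `"1.1.10 | PATCH | Disable USB Storage | Disable usb-storage"`. That `modprobe` step also lacks the `when: ansible_connection != 'docker'` guard that the equivalent modprobe steps in cis_1.1.1.x.yml in this same commit keep, so it will error in container-based test runs where the siblings skip. The sticky-bit remediation for world-writable directories (old 1.1.21) is removed here and no replacement appears in the diffstat; presumably it moved or is deferred, but confirm it is not simply dropped.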
@@ -1,103 +1,86 @@ --- -- name: "1.2.1 | L1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" +- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present - username: "{{ rhel9cis_rh_sub_user }}" - password: "{{ rhel9cis_rh_sub_password }}" + username: "{{ rhel8cis_rh_sub_user }}" + password: "{{ rhel8cis_rh_sub_password }}" auto_attach: true no_log: true when: - ansible_distribution == "RedHat" - - rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_1 + - rhel8cis_rhnsd_required + - rhel8cis_rule_1_2_1 tags: - level1-server - level1-workstation - - notscored + - manual - patch - rule_1.2.1 - skip_ansible_lint # Added as no_log still errors on ansuible-lint -- name: "1.2.2 | L1 | PATCH | Disable the rhnsd Daemon" - service: - name: rhnsd - state: stopped - enabled: false - masked: true +- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" + command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" when: - - ansible_distribution == "RedHat" - - rhnsd_service_status.stdout == "loaded" and not rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - notscored - - patch - - rule_1.2.2 - -- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" - args: - warn: false - when: - - rhel9cis_rule_1_2_3 + - rhel8cis_rule_1_2_2 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: - level1-server - level1-workstation - - notscored + - manual - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.4 | L1 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false 
- - name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_4 + - rhel8cis_rule_1_2_3 tags: - level1-server - level1-workstation - - scored + - automated - patch - - rule_1.2.4 + - rule_1.2.3 -- name: "1.2.5 | L1 | Ensure package manager repositories are configured" +- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" - shell: dnf repolist - args: - warn: false + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" + command: dnf repolist changed_when: false failed_when: false register: dnf_configured - check_mode: false + check_mode: no + args: + warn: false - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel9cis_rule_1_2_5 + - rhel8cis_rule_1_2_4 tags: - level1-server - level1-workstation - - notscored - - patch - - rule_1.2.5 + - manual + - audit + - rule_1.2.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 8456bc13..d89aa673 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
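Review bot: The 1.2.4 "Get repo list" task adds `args: warn: false` on its new `command: dnf repolist` while the same commit removes that option from 1.2.2 and from cis_1.10.yml; the `warn` parameter was dropped from the command module in ansible-core 2.14, so the task fails there and the file is inconsistent with itself, and the lines should simply be deleted. Task 1.2.2 is labelled AUDIT but runs `command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"` with no `register` and no `changed_when: false`, so the fingerprint is never displayed to the operator and the task reports changed on every run; add `register: gpg_fingerprint`, `changed_when: false` and a debug step that prints it, as 1.2.4 does for the repo list. The 1.2.3 task name `"1.2.3| PATCH | Ensure gpgcheck is globally activated"` is missing the space before the first pipe.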
@@ -1,44 +1,51 @@ --- -- name: "1.3.1 | L1 | PATCH | Ensure sudo is installed" - package: - name: sudo - state: present +- name: "1.3.1 | PATCH | Ensure AIDE is installed" + block: + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" + package: + name: aide + state: present + + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + changed_when: false + failed_when: false + async: 45 + poll: 0 + args: + creates: /var/lib/aide/aide.db.gz + when: not ansible_check_mode when: - - rhel9cis_rule_1_3_1 + - rhel8cis_config_aide + - rhel8cis_rule_1_3_1 tags: - level1-server - level1-workstation - - scored - - sudo + - automated + - aide - patch - rule_1.3.1 -- name: "1.3.2 | L1 | PATCH | Ensure sudo commands use pty" - lineinfile: - dest: /etc/sudoers - line: "Defaults use_pty" - state: present +- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check + cron_file: "{{ rhel8cis_aide_cron['cron_file'] }}" + user: "{{ rhel8cis_aide_cron['cron_user'] }}" + minute: "{{ rhel8cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel8cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel8cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel8cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel8cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel8cis_aide_cron['aide_job'] }}" when: - - rhel9cis_rule_1_3_2 + - rhel8cis_rule_1_3_2 + - not system_is_ec2 tags: - level1-server - level1-workstation - - scored + - automated + - aide + - file_integrity - patch - rule_1.3.2 - -- name: "1.3.3 | L1 | PATCH | Ensure sudo log file exists" - lineinfile: - dest: /etc/sudoers - regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' - state: present - when: - - rhel9cis_rule_1_3_3 - tags: - - level1-server - - level1-workstation - - scored - - patch - 
- rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index a5b1f3b5..96936024 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
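Review bot: The AIDE initialisation in 1.3.1 combines `failed_when: false` with `async: 45` / `poll: 0`, so a failed `aide --init` (missing config, unwritable `/var/lib/aide`) is never reported and the 1.3.2 cron job is then scheduled against a database that does not exist; drop `failed_when: false` and, since the task is fire-and-forget, register the job and check it with `async_status` before 1.3.2 runs. `changed_when: false` is also misleading here, because the task does create `/var/lib/aide/aide.db.gz` on first run and `creates:` already keeps it idempotent. The sudo controls removed from this file (`Defaults use_pty`, `Defaults logfile=`) do not reappear in any hunk on this page — fine if they moved with the benchmark renumbering, otherwise they are silently dropped.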
@@ -1,47 +1,76 @@ --- -- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: - name: aide - state: present - - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" - shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' - args: - warn: false - creates: /var/lib/aide/aide.db.gz - changed_when: false - failed_when: false - async: 45 - poll: 0 - when: not ansible_check_mode +- name: "1.4.1 | PATCH | Ensure bootloader password is set" + copy: + dest: /boot/grub2/user.cfg + content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}" + owner: root + group: root + mode: 0600 + notify: grub2cfg when: - - rhel9cis_config_aide - - rhel9cis_rule_1_4_1 + - rhel8cis_set_boot_pass + - grub_pass is defined and grub_pass.passhash is defined + - grub_pass.passhash | length > 0 + - rhel8cis_rule_1_4_1 tags: - level1-server - level1-workstation - - scored - - aide + - automated + - grub - patch - rule_1.4.1 -- name: "1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked" - template: - src: aide.cron.j2 - dest: /etc/cron.d/aide.cron - owner: root - group: root - mode: 0644 +- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + file: + path: "{{ grub_cfg.stat.lnk_source }}" + owner: root + group: root + mode: 0600 + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" + mount: + name: /boot/efi + src: "UUID={{ item.uuid }}" + fstype: vfat + state: present + opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 + passno: '0' + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: + - not rhel8cis_legacy_boot + - item.mount == "/boot/efi" when: - - rhel9cis_rule_1_4_2 + - rhel8cis_rule_1_4_2 + - grub_cfg.stat.exists + - grub_cfg.stat.islnk 
tags: - level1-server - level1-workstation - - scored - - aide - - file_integrity + - automated + - grub - patch - rule_1.4.2 + +- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" + lineinfile: + path: /etc/systemd/system/rescue.service.d/00-require-auth.conf + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel8cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 5b169468..a791860d 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
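Review bot: The 1.4.3 drop-in written by `lineinfile` is not a valid systemd unit fragment: the file holds a bare `ExecStart=` line with no `[Service]` section header (systemd logs "Assignment outside of section" and ignores it), the unit's existing `ExecStart=` is not reset first, which systemd rejects for units that are not `Type=oneshot`, and `create: yes` does not create the missing `/etc/systemd/system/rescue.service.d/` directory, so the task fails on a host that lacks it. Write the fragment with `copy` after a `file: state: directory` task and notify `systemd_daemon_reload`, which 1.5.1 in this series already uses; the fence below sketches it. Separately, 1.4.1 guards on `grub_pass.passhash` but writes `rhel8cis_bootloader_password_hash` — presumably the latter is derived from the former in a prelim task, but if not, the guard protects the wrong value.
```yaml
- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode"
  block:
    - name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode | Drop-in directory"
      file:
        path: /etc/systemd/system/rescue.service.d
        state: directory
        owner: root
        group: root
        mode: 0755

    - name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode | Require sulogin"
      copy:
        dest: /etc/systemd/system/rescue.service.d/00-require-auth.conf
        content: |
          [Service]
          ExecStart=
          ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
        owner: root
        group: root
        mode: 0644
      notify: systemd_daemon_reload
  # … unchanged: when / tags …
```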
@@ -1,76 +1,50 @@ --- -- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - file: - path: "{{ grub_cfg.stat.lnk_source }}" - owner: root - group: root - mode: 0600 - - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - loop: "{{ ansible_mounts }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" +- name: "1.5.1 | PATCH | Ensure core dump storage is disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: 'Storage=' + line: 'Storage=none' + notify: systemd_daemon_reload when: - - rhel9cis_rule_1_5_1 - - grub_cfg.stat.exists - - grub_cfg.stat.islnk + - rhel8cis_rule_1_5_1 + - systemd_coredump.stat.exists tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch - rule_1.5.1 -- name: "1.5.2 | L1 | PATCH | Ensure bootloader password is set" - copy: - dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" - owner: root - group: root - mode: 0600 - notify: grub2cfg +- name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: 'ProcessSizeMax=' + line: 'ProcessSizeMax=0' when: - - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - - rhel9cis_rule_1_5_2 + - rhel8cis_rule_1_5_2 tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch + - sysctl - rule_1.5.2 -- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode" - block: - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Emergency service" - lineinfile: - dest: 
/usr/lib/systemd/system/emergency.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency' - - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Rescue service" - lineinfile: - dest: /usr/lib/systemd/system/rescue.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' +- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes when: - - rhel9cis_rule_1_5_3 + - rhel8cis_rule_1_5_3 tags: - level1-server - level1-workstation + - automated - patch + - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index b31600a7..84dc5204 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -5,7 +5,7 @@ name: libselinux state: present when: - - rhel9cis_rule_1_6_1_1 + - rhel8cis_rule_1_6_1_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ ignore_errors: yes notify: grub2cfg when: - - rhel9cis_rule_1_6_1_2 + - rhel8cis_rule_1_6_1_2 tags: - level1-server - level1-workstation @@ -34,11 +34,11 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_3 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_3 tags: - level1-server - level1-workstation 
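Review bot: 1.5.2 edits the same `/etc/systemd/coredump.conf` as 1.5.1 but is not guarded by `systemd_coredump.stat.exists`, so on a host without that file `lineinfile` (no `create:`) fails where 1.5.1 is skipped; add `- systemd_coredump.stat.exists` to its `when` list, and either give it the same `notify: systemd_daemon_reload` as 1.5.1 or drop that notify from 1.5.1 so the two tasks agree. The `sysctl` tag on 1.5.2 is misleading because the task touches no sysctl. In 1.5.3 `ignoreerrors: yes` silences a failed write of `kernel.randomize_va_space` (for instance in a container without a writable `/proc/sys`) — if that is intended, say so in a comment above the task, and write `true`/`false` rather than `yes`. The `* hard core 0` limits.conf entry and the `update sysctl` handler that the removed 1.6.1 block set are not reinstated in any hunk on this page.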
@@ -51,11 +51,11 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_4 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_4 tags: - level1-server - level1-workstation @@ -67,11 +67,11 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_5 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_5 tags: - level2-server - level2-workstation @@ -98,7 +98,7 @@ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_6 + - rhel8cis_rule_1_6_1_6 tags: - level1-server - level1-workstation @@ -112,7 +112,7 @@ name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel8cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server @@ -126,7 +126,7 @@ name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_8 + - rhel8cis_rule_1_6_1_8 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1ee55791..586a8812 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -8,7 +8,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_1 + - rhel8cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -25,7 +25,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_2 + - rhel8cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_3 + - rhel8cis_rule_1_7_3 tags: - level1-server - level1-workstation 
@@ -58,7 +58,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_4 + - rhel8cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -75,7 +75,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_5 + - rhel8cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -92,7 +92,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_6 + - rhel8cis_rule_1_7_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 1edc7048..a512e01d 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -5,7 +5,7 @@ name: gdm state: absent when: - - rhel9cis_rule_1_8_1 + - rhel8cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" tags: - level2-server @@ -32,10 +32,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel8cis_warning_banner }}' " } when: - - rhel9cis_rule_1_8_2 - - rhel9cis_gui + - rhel8cis_rule_1_8_2 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -62,8 +62,8 @@ - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } when: - - rhel9cis_rule_1_8_3 - - rhel9cis_gui + - rhel8cis_rule_1_8_3 + - rhel8cis_gui tags: - level1-server - level1-workstation 
@@ -78,8 +78,8 @@ regexp: 'Enable=true' state: absent when: - - rhel9cis_rule_1_8_4 - - rhel9cis_gui + - rhel8cis_rule_1_8_4 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -100,8 +100,8 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel9cis_rule_1_8_5 - - rhel9cis_gui + - rhel8cis_rule_1_8_5 + - rhel8cis_gui tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index a67d5dbd..f6239e37 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,15 +1,17 @@ --- -- name: "1.9 | L1 | PATCH | Ensure updates, patches, and additional security software are installed" +- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" package: name: "*" state: latest + notify: change_requires_reboot when: - - rhel9cis_rule_1_9 + - rhel8cis_rule_1_9 - not system_is_ec2 tags: - level1-server - level1-workstation + - automated - patch - rule_1.9 - skip_ansible_lint diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 933804e1..c5c8e09d 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,42 +1,59 @@ --- -- name: "SECTION | 1.1 | FileSystem Configurations\n - SECTION | 1.1.1.x | Disable unused filesystems" +- name: "SECTION | 1.1.1.x | Disable unused filesystems" import_tasks: cis_1.1.1.x.yml -- import_tasks: cis_1.1.x.yml + +- name: "SECTION | 1.1.2.x | Configure /tmp" + import_tasks: cis_1.1.2.x.yml + +- name: "SECTION | 1.1.3.x | Configure /var" + import_tasks: cis_1.1.3.x.yml + +- name: "SECTION | 1.1.4.x | Configure /var/tmp" + import_tasks: cis_1.1.4.x.yml + +- name: "SECTION | 1.1.5.x | Configure /var/log" + import_tasks: cis_1.1.5.x.yml + +- name: "SECTION | 1.1.6.x | Configure /var/log/audit" + import_tasks: cis_1.1.6.x.yml + +- name: "SECTION | 1.1.7.x | Configure /home" + import_tasks: cis_1.1.7.x.yml + +- name: "SECTION | 1.1.8.x | Configure /dev/shm" + import_tasks: cis_1.1.8.x.yml + +- name: "SECTION | 1.1.x | Disable various mounting" + import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" import_tasks: cis_1.2.x.yml -- name: "SECTION | 1.3 | Configure sudo" +- name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml + when: rhel8cis_config_aide -- name: "SECTION | 1.4 | Filesystem Integrity" - include_tasks: cis_1.4.x.yml - when: rhel9cis_config_aide +- name: "SECTION | 1.4 | Secure Boot Settings" + import_tasks: cis_1.4.x.yml -- name: "SECTION | 1.5 | Secure Boot Settings" +- name: "SECTION | 1.5 | Additional Process Hardening" import_tasks: cis_1.5.x.yml -- name: "SECTION | 1.6 | Additional Process Hardening" - import_tasks: cis_1.6.x.yml +- name: "SECTION | 1.6 | Mandatory Access Control" + include_tasks: cis_1.6.1.x.yml + when: not rhel8cis_selinux_disable -- name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - include_tasks: cis_1.7.1.x.yml - when: not rhel9cis_selinux_disable +- name: "SECTION | 1.7 | Command Line Warning Banners" + import_tasks: cis_1.7.x.yml -- name: "SECTION | 1.8 | Warning Banners" - import_tasks: cis_1.8.1.x.yml +- name: "SECTION | 1.8 
| Gnome Display Manager" + import_tasks: cis_1.8.x.yml -- name: "SECTION | 1.9 | Updated and Patches" +- name: "SECTION | 1.9 | Updates and Patches" import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" include_tasks: cis_1.10.yml when: - not system_is_ec2 - -- name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - include_tasks: cis_1.11.yml - when: - - not system_is_ec2 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml new file mode 100644 index 00000000..c627db0e --- /dev/null +++ b/tasks/section_2/cis_2.1.x.yml @@ -0,0 +1,43 @@ +--- + +- name: "2.1.1 | PATCH | Ensure time synchronization is in use" + package: + name: "{{ rhel8cis_time_synchronization }}" + state: present + when: + - rhel8cis_rule_2_1_1 + - not rhel8cis_system_is_container + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1 + +- name: "2.1.2 | PATCH | Ensure chrony is configured" + block: + - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" + template: + src: chrony.conf.j2 + dest: /etc/chrony.conf + owner: root + group: root + mode: 0644 + + - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" + lineinfile: + dest: /etc/sysconfig/chronyd + regexp: "^(#)?OPTIONS" + line: "OPTIONS=\"-u chrony\"" + state: present + create: yes + mode: 0644 + when: + - rhel8cis_time_synchronization == "chrony" + - rhel8cis_rule_2_1_2 + - not rhel8cis_system_is_container + tags: + - level1-server + - level1-workstation + - patch + - rule_2.1.2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f21bcd05..f8b492b6 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
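Review bot: Neither 2.1.1 nor 2.1.2 enables or starts the time-synchronisation service, and the `chrony.conf` template and `/etc/sysconfig/chronyd` edits carry no `notify`, so a changed configuration is not applied until chronyd is next restarted; add a `service` step with `name: chronyd`, `enabled: true`, `state: started` (or a restart handler) gated on `rhel8cis_time_synchronization == "chrony"`. The 2.1.2 tag list is also missing the `automated`/`manual` marker that every other task in this series carries.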
@@ -1,288 +1,345 @@ --- -- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed" - block: - - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" - shell: rpm -qa | grep xorg-x11 - args: - warn: false - failed_when: xorg_x11_installed.rc >=2 - check_mode: false - changed_when: false - register: xorg_x11_installed +- name: "2.2.1 | PATCH | Ensure xinetd is not installed" + package: + name: xinetd + state: absent + when: + - rhel8cis_rule_2_2_1 + - not rhel8cis_xinetd_server + - "'xinetd' in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.1 - - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" - shell: "dnf remove {{ item }}" - args: - warn: false - with_items: - - xorg_x11_installed.stdout_lines - when: xorg_x11_installed.stdout | length > 0 +- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed" + package: + name: xorg-x11-server-common + state: absent when: - - not rhel9cis_xwindows_required - - rhel9cis_rule_2_2_2 + - rhel8cis_rule_2_2_2 + - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server - - scored - - xwindows + - automated - patch + - x11 - rule_2.2.2 -- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled " - service: - name: rsyncd - state: stopped - enabled: false +- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" + package: + name: + - avahi-autoipd + - avahi + state: absent when: - - not rhel9cis_rsyncd_server - - "'rsyncd' in ansible_facts.packages" - - rhel9cis_rule_2_2_3 + - rhel8cis_rule_2_2_3 + - not rhel8cis_avahi_server + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - - level1-workstation + - level2-workstation + - automated - patch + - avahi - rule_2.2.3 -- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled" - service: - name: avahi-daemon - 
state: stopped - enabled: false +- name: "2.2.4 | PATCH | Ensure CUPS is not installed" + package: + name: cups + state: absent when: - - not rhel9cis_avahi_server - - "'avahi' in ansible_facts.packages" - - rhel9cis_rule_2_2_4 + - not rhel8cis_cups_server + - "'cups' in ansible_facts.packages" + - rhel8cis_rule_2_2_3 tags: - level1-server - - level1-workstation - - scored - - avahi - - services + - automated - patch - - rule_2.2.4 + - cups + - rule_2.2.3 -- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled" - service: - name: snmpd - state: stopped - enabled: false +- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" + package: + name: dhcp-server + state: absent when: - - not rhel9cis_snmp_server - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_2_5 + - not rhel8cis_dhcp_server + - "'dhcp-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_5 tags: - level1-server - level1-workstation + - audtomated - patch + - dhcp - rule_2.2.5 -- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled" - service: - name: squid - state: stopped - enabled: false +- name: "2.2.6 | PATCH | Ensure DNS Server is not installed" + package: + name: bind + state: absent when: - - not rhel9cis_squid_server - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 + - not rhel8cis_dns_server + - "'bind' in ansible_facts.packages" + - rhel8cis_rule_2_2_6 tags: - level1-server - level1-workstation + - automated - patch + - dns - rule_2.2.6 -- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled" - service: - name: smb - state: stopped - enabled: false +- name: "2.2.7 | PATCH | Ensure FTP Server is not installed" + package: + name: ftp + state: absent when: - - not rhel9cis_smb_server - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 + - not rhel8cis_ftp_server + - "'ftp' in ansible_facts.packages" + - rhel8cis_rule_2_2_7 tags: - level1-server - level1-workstation + - automation - patch + - ftp - rule_2.2.7 -- name: 
"2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled" - service: - name: dovecot - state: stopped - enabled: false +- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" + package: + name: vsftpd + state: absent when: - - not rhel9cis_dovecot_server - - "'dovecot' in ansible_facts.packages" - - rhel9cis_rule_2_2_8 + - not rhel8cis_vsftpd_server + - "'vsftpd' in ansible_facts.packages" + - rhel8cis_rule_2_2_8 tags: - level1-server - level1-workstation + - automated - patch + - vsftpd - rule_2.2.8 -- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled" - service: - name: httpd - state: stopped - enabled: false +- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" + package: + name: tftp-server + state: absent when: - - not rhel9cis_httpd_server - - "'httpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_9 + - not rhel8cis_tftp_server + - "'tftp-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_9 tags: - level1-server - level1-workstation + - automated - patch + - tftp - rule_2.2.9 -- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled" - service: - name: vsftpd - state: stopped - enabled: false +- name: "2.2.10 | PATCH | Ensure a web server is not installed" + block: + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server" + package: + name: httpd + state: absent + when: + - not rhel8cis_httpd_server + - "'httpd' in ansible_facts.packages" + + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" + package: + name: nginx + state: absent + when: + - not rhel8cis_nginx_server + - "'nginx' in ansible_facts.packages" when: - - not rhel9cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_10 + - rhel8cis_rule_2_2_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.10 + - httpd + - nginx + - webserver + - rule_2.2.9 -- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled" - service: - name: 
named - state: stopped - enabled: false +- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - dovecot + - cyrus-imapd + state: absent when: - - not rhel9cis_named_server - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_11 + - not rhel8cis_dovecot_cyrus_server + - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" + - rhel8cis_rule_2_2_11 tags: - level1-server - level1-workstation + - automated - patch + - dovecot + - imap + - pop3 - rule_2.2.11 -- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled" - service: - name: nfs-server - state: stopped - enabled: false +- name: "2.2.12 | PATCH | Ensure Samba is not enabled" + package: + name: samba + state: absent when: - - not rhel9cis_nfs_rpc_server - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 + - not rhel8cis_samba_server + - "'samba' in ansible_facts.packages" + - rhel8cis_rule_2_2_12 tags: - level1-server - level1-workstation - - scored - - nfs - - services + - automated - patch + - samba - rule_2.2.12 -- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled" - service: - name: rpcbind - state: stopped - enabled: false +- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" + package: + name: squid + state: absent when: - - not rhel9cis_nfs_rpc_server - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_13 + - not rhel8cis_squid_server + - "'squid' in ansible_facts.packages" + - rhel8cis_rule_2_2_6 tags: - level1-server - level1-workstation - - scored - - rpc - - services + - automation - patch - - rule_2.2.7 + - squid + - rule_2.2.13 -- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled" - service: - name: slapd - state: stopped - enabled: false +- name: "2.2.14 | PATCH | Ensure net-snmp is not installed" + package: + name: net-snmp + state: absent when: - - not rhel9cis_ldap_server - - "'openldap-servers' in ansible_facts.packages" - - rhel9cis_rule_2_2_14 + - not 
rhel8cis_snmp_server + - "'net-snmp' in ansible_facts.packages" + - rhel8cis_rule_2_2_14 tags: - level1-server - level1-workstation - - scored - - ldap - - services + - automation - patch - - rule_2.2.6 + - snmp + - rule_2.2.14 -- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled" - service: - name: dhcpd - state: stopped - enabled: false +- name: "2.2.15 | PATCH | Ensure NIS Server is not installed" + package: + name: ypserv + state: absent when: - - not rhel9cis_dhcp_server - - "'dhcp' in ansible_facts.packages" - - rhel9cis_rule_2_2_15 + - not rhel8cis_nis_server + - "'ypserv' in ansible_facts.packages" + - rhel8cis_rule_2_2_17 tags: - level1-server - level1-workstation - - scored - - dhcp - - services + - automated - patch - - rule_2.2.15 + - nis + - rule_2.2.17 -- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled" - service: - name: cups - state: stopped - enabled: false +- name: "2.2.16 | PATCH | Ensure telnet-server is not installed" + package: + name: telnet-server + state: absent when: - - not rhel9cis_cups_server - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 + - not rhel8cis_telnet_server + - "'telnet-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_16 tags: - level1-server - - level2-workstation - - scored - - cups - - services + - level1-workstation + - automated - patch + - telnet - rule_2.2.16 -- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled" - service: - name: ypserv - state: stopped - enabled: false +- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" + lineinfile: + dest: /etc/postfix/main.cf + regexp: "^(#)?inet_interfaces" + line: "inet_interfaces = loopback-only" + notify: restart postfix when: - - not rhel9cis_nis_server - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 + - not rhel8cis_is_mail_server + - "'postfix' in ansible_facts.packages" + - rhel8cis_rule_2_2_17 tags: - level1-server - level1-workstation + - automated - patch + 
- postfix - rule_2.2.17 -- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode" - lineinfile: - dest: /etc/postfix/main.cf - regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = loopback-only" - notify: restart postfix +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" + package: + name: nfs-utils + state: absent when: - - not rhel9cis_is_mail_server - - "'postfix' in ansible_facts.packages" - - rhel9cis_rule_2_2_18 + - not rhel8cis_nfs_server + - "'nfs-utils' in ansible_facts.packages" + - rhel8cis_rule_2_2_18 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1 + - nfs + - services + - rule_2.2.18 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" + package: + name: rpcbind + state: absent + when: + - not rhel8cis_rpc_server + - "'rpcbind' in ansible_facts.packages" + - rhel8cis_rule_2_2_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rpc + - rule_2.2.19 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " + package: + name: rsync + state: absent + when: + - not rhel8cis_rsync_server + - "'rsync' in ansible_facts.packages" + - rhel8cis_rule_2_2_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rsync + - rule_2.2.20 
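Review bot: Several tasks in this hunk gate on and tag the wrong rule: 2.2.4 (CUPS) uses `rhel8cis_rule_2_2_3` / `rule_2.2.3`, 2.2.10 (web server) uses `rhel8cis_rule_2_2_9` / `rule_2.2.9`, 2.2.13 (squid) uses `rhel8cis_rule_2_2_6`, and 2.2.15 (NIS) uses `rhel8cis_rule_2_2_17` / `rule_2.2.17`, so disabling one control toggles another and `--tags rule_2.2.4` selects nothing. The 2.2.3 condition checks for a package spelled `avahi-autopd` while the removal list names `avahi-autoipd`, so that branch never matches. The tag typos `audtomated` (2.2.5) and `automation` (2.2.7, 2.2.13, 2.2.14) and `PACH` in the 2.2.9 name break tag-based selection and should read `automated` / `PATCH`. 2.2.20 removes the whole `rsync` package rather than masking `rsyncd`, which also removes the client that tooling such as Ansible's `synchronize` relies on — the comment above it explains the policy, but the task name still says "service is not enabled" and carries a trailing space.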
diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 875eff8d..ee52a752 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml 
@@ -1,43 +1,97 @@ --- -- name: "2.3.1 | L1 | PATCH | Ensure NIS Client is not installed" +- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" package: name: ypbind state: absent when: - - not rhel9cis_ypbind_required + - not rhel8cis_ypbind_required - "'ypbind' in ansible_facts.packages" - - rhel9cis_rule_2_3_1 + - rhel8cis_rule_2_3_1 tags: - level1-server - level1-workstation + - automated - patch + - nis - rule_2.3.1 -- name: "2.3.2 | L1 | PATCH | Ensure telnet client is not installed" +- name: "2.3.2 | PATCH | Ensure rsh client is not installed" + package: + name: rsh + state: absent + when: + - not rhel8cis_rsh_required + - "'rsh' in ansible_facts.packages" + - rhel8cis_rule_2_3_2 + tags: + - level1-server + - level2-server + - automated + - patch + - rsh + - rule_2.3.2 + +- name: "2.3.3 | PATCH | Ensure talk client is not installed" + package: + name: talk + state: absent + when: + - not rhel8cis_talk_required + - "'talk' in ansible_facts.packages" + - rhel8cis_rule_2_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - talk + - rule_2.3.3 + +- name: "2.3.4 | PATCH | Ensure telnet client is not installed" package: name: telnet state: absent when: - - not rhel9cis_telnet_required + - not rhel8cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel9cis_rule_2_3_2 + - rhel8cis_rule_2_3_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.2 + - telnet + - rule_2.3.4 -- name: "2.3.3 | L1 | PATCH | Ensure LDAP client is not installed" +- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" package: name: openldap-clients state: absent when: - - not rhel9cis_openldap_clients_required + - not rhel8cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_3 + - rhel8cis_rule_2_3_5 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.3 + - ldap + - rule_2.3.5 + +- name: "2.3.6 | PATCH | Ensure TFTP client is not 
installed" + package: + name: tftp + state: absent + when: + - not rhel8cis_tftp_client + - "'tftp' in ansible_facts.packages" + - rhel8cis_rule_2_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - rule_2.3.6 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml new file mode 100644 index 00000000..84608741 --- /dev/null +++ b/tasks/section_2/cis_2.4.yml @@ -0,0 +1,26 @@ +--- + +- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" + block: + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services" + shell: systemctl list-units --type=service + changed_when: false + failed_when: false + check_mode: no + register: rhel8cis_2_4_services + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" + debug: + msg: + - "Alert! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ rhel8cis_2_4_services.stdout_lines }}" + when: + - rhel8cis_rule_2_4 + tags: + - level1-server + - level1-workstation + - manual + - audit + - services + - rule_2.4 \ No newline at end of file diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 2b705ae8..731f10c1 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- -- name: "SECTION | 2.1 | xinetd" - import_tasks: cis_2.1.1.yml - -- name: "SECTION | 2.2.1 | Time Synchronization" - import_tasks: cis_2.2.1.x.yml +- name: "SECTION | 2.1 | Time Synchronization" + import_tasks: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" import_tasks: cis_2.3.x.yml + +- name: "SECTION | 2.4 | Nonessential services removed" + import_tasks: cis_2.4.yml \ No newline at end of file From dc5f71d461dc514a4c1629f33e76d2d1b03f60bd Mon Sep 17 00:00:00 2001 
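Review bot: The 2.3.2 rsh task tags `level1-server` and `level2-server`, where every sibling task tags `level1-server` and `level1-workstation`; the second entry looks like a copy error and means `--tags level1-workstation` skips the rsh removal. Change `- level2-server` to `- level1-workstation` unless the benchmark level for this control really differs.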
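Review bot: The 2.4 audit runs `systemctl list-units --type=service` without `--all`, which shows only units that are active, failed or have a pending job, so the `debug` message claiming to list services "both active and inactive" is wrong; use `command: systemctl list-units --type=service --all`. `command` also suffices here since no shell features are used, matching how 1.2.2 and 1.2.4 in this series were converted. `check_mode: no` should be `check_mode: false`, and the file lacks a trailing newline.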
From: Mark Bolwell Date: Wed, 30 Mar 2022 11:09:55 +0100 Subject: [PATCH 030/454] removed not required files Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.11.yml | 17 ----- tasks/section_1/cis_1.6.x.yml | 54 --------------- tasks/section_1/cis_1.7.1.x.yml | 117 -------------------------------- tasks/section_1/cis_1.8.1.x.yml | 96 -------------------------- tasks/section_1/cis_1.8.2.yml | 27 -------- tasks/section_2/cis_2.1.1.yml | 14 ---- tasks/section_2/cis_2.2.1.x.yml | 42 ------------ 7 files changed, 367 deletions(-) delete mode 100644 tasks/section_1/cis_1.11.yml delete mode 100644 tasks/section_1/cis_1.6.x.yml delete mode 100644 tasks/section_1/cis_1.7.1.x.yml delete mode 100644 tasks/section_1/cis_1.8.1.x.yml delete mode 100644 tasks/section_1/cis_1.8.2.yml delete mode 100644 tasks/section_2/cis_2.1.1.yml delete mode 100644 tasks/section_2/cis_2.2.1.x.yml diff --git a/tasks/section_1/cis_1.11.yml b/tasks/section_1/cis_1.11.yml deleted file mode 100644 index bfd88069..00000000 --- a/tasks/section_1/cis_1.11.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "1.11 | L2 | PATCH | Ensure system-wide crypto policy is FUTURE or FIPS" - shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - update-crypto-policies - args: - warn: false - when: - - rhel9cis_rule_1_11 - - system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies - tags: - - level2-server - - level2-workstation - - not system_is_ec2 - - patch - - rule_1.11 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml deleted file mode 100644 index 1b37c0de..00000000 --- a/tasks/section_1/cis_1.6.x.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- - -- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted" - block: - - name: "1.6.1 | L1 | Ensure core dumps are restricted | Update limits.conf file" - lineinfile: - state: present - dest: /etc/security/limits.conf - regexp: '^#?\\*.*core' - line: '* hard core 0' - insertbefore: '^# End of file' - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | Set active kernel parameter" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | if systemd coredump" - lineinfile: - path: /etc/systemd/coredump.conf - regexp: "{{ item.regexp }}" - line: "{{ item.regexp }}{{ item.line }}" - state: present - with_items: - - {'regexp': 'Storage=', 'line': 'none'} - - {'regexp': 'ProcessSizeMax=', 'line': '0'} - notify: - - systemd_daemon_reload - when: - - systemd_coredump.stat.exists - when: - - rhel9cis_rule_1_6_1 - tags: - - level1-server - - level1-workstation - - scored - - sysctl - - patch - - rule_1.6.1 - -- name: "1.6.2 | L1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - when: - - rhel9cis_rule_1_6_2 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.6.2 diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml deleted file mode 100644 index ded71283..00000000 --- a/tasks/section_1/cis_1.7.1.x.yml +++ /dev/null 
@@ -1,117 +0,0 @@ ---- - -- name: "1.7.1.1 | L2 | PATCH | Ensure SELinux is installed" - package: - name: libselinux - state: present - when: - - rhel9cis_rule_1_7_1_1 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.1 - -- name: "1.7.1.2 | L2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: - dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' - replace: '' - register: selinux_grub_patch - ignore_errors: true - notify: grub2cfg - when: - - rhel9cis_rule_1_7_1_2 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.2 - -- name: "1.7.1.3 | L2 | PATCH | Ensure SELinux policy is configured" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_3 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.3 - -- name: "1.7.1.4 | L2 | PATCH | Ensure the SELinux state is enforcing" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_4 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.4 - -- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist" - block: - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - args: - warn: false - register: rhelcis_1_7_1_5_unconf_daemons - failed_when: false - changed_when: false - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones" - debug: - msg: "Good News! 
There are no unconfined daemons found on your system" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length == 0 - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones" - debug: - msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length > 0 - when: - - rhel9cis_rule_1_7_1_5 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.7.1.5 - -- name: "1.7.1.6 | L2 | PATCH | Ensure SETroubleshoot is not installed" - package: - name: setroubleshoot - state: absent - when: - - rhel9cis_rule_1_7_1_6 - - "'setroubleshoot' in ansible_facts.packages" - tags: - - level2-server - - scored - - selinux - - patch - - rule_1.7.1.6 - -- name: "1.7.1.7 | L2 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: - name: mcstrans - state: absent - when: - - rhel9cis_rule_1_7_1_7 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.7 diff --git a/tasks/section_1/cis_1.8.1.x.yml b/tasks/section_1/cis_1.8.1.x.yml deleted file mode 100644 index d8cbec37..00000000 --- a/tasks/section_1/cis_1.8.1.x.yml +++ /dev/null 
@@ -1,96 +0,0 @@ ---- - -- name: "1.8.1.1 | L1 | PATCH | Ensure message of the day is configured properly" - template: - src: etc/motd.j2 - dest: /etc/motd - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_1 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.8.1.1 - -- name: "1.8.1.2 | L1 | PATCH | Ensure local login warning banner is configured properly" - template: - src: etc/issue.j2 - dest: /etc/issue - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.2 - -- name: "1.8.1.3 | L1 | PATCH | Ensure remote login warning banner is configured properly" - template: - src: etc/issue.net.j2 - dest: /etc/issue.net - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_3 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.8.1.3 - -- name: "1.8.1.4 | L1 | PATCH | Ensure permissions on /etc/motd are configured" - file: - dest: /etc/motd - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_4 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.4 - -- name: "1.8.1.5 | L1 | PATCH | Ensure permissions on /etc/issue are configured" - file: - dest: /etc/issue - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_5 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.5 - -- name: "1.8.1.6 | L1 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: - dest: /etc/issue.net - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_6 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.6 diff --git a/tasks/section_1/cis_1.8.2.yml b/tasks/section_1/cis_1.8.2.yml deleted file mode 100644 index be371dcf..00000000 --- a/tasks/section_1/cis_1.8.2.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- - -- name: "1.8.2 | L1 | PATCH | Ensure GDM login banner is configured" - lineinfile: - dest: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - owner: root - group: root - mode: 0644 - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } - when: - - rhel9cis_gui - - rhel9cis_rule_1_8_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.2 diff --git a/tasks/section_2/cis_2.1.1.yml b/tasks/section_2/cis_2.1.1.yml deleted file mode 100644 index 5b563645..00000000 --- a/tasks/section_2/cis_2.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "2.1.1 | L1 | PATCH | Ensure xinetd is not installed" - package: - name: xinetd - state: absent - when: - - rhel9cis_rule_2_1_1 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_2.1.1 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml deleted file mode 100644 index 8b8b39c8..00000000 --- a/tasks/section_2/cis_2.2.1.x.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- - -- name: "2.2.1.1 | L1 | PATCH | Ensure time synchronization is in use - service install" - package: - name: "{{ rhel9cis_time_synchronization }}" - state: present - when: - - rhel9cis_rule_2_2_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.1 - -- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured" - block: - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | Set configuration" - template: - src: chrony.conf.j2 - dest: /etc/chrony.conf - owner: root - group: root - mode: 0644 - - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - lineinfile: - dest: /etc/sysconfig/chronyd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u chrony\"" - state: present - create: true - mode: 0644 - when: - - rhel9cis_time_synchronization == "chrony" - - rhel9cis_rule_2_2_1_2 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.2 From 8c79bfe7fb7b12cee8dd3307d0b590827faedf98 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:22:30 +0100 Subject: [PATCH 031/454] updated 
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +- tasks/section_1/cis_1.1.2.x.yml | 22 +++---- tasks/section_1/cis_1.1.3.x.yml | 12 ++-- tasks/section_1/cis_1.1.4.x.yml | 12 ++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++-- tasks/section_1/cis_1.1.6.x.yml | 12 ++-- tasks/section_1/cis_1.1.7.x.yml | 14 ++--- tasks/section_1/cis_1.1.8.x.yml | 12 ++-- tasks/section_1/cis_1.1.x.yml | 6 +- tasks/section_1/cis_1.10.yml | 4 +- tasks/section_1/cis_1.2.x.yml | 14 ++--- tasks/section_1/cis_1.3.x.yml | 22 +++---- tasks/section_1/cis_1.4.x.yml | 12 ++-- tasks/section_1/cis_1.5.x.yml | 6 +- tasks/section_1/cis_1.6.1.x.yml | 28 ++++----- tasks/section_1/cis_1.7.x.yml | 12 ++-- tasks/section_1/cis_1.8.x.yml | 20 +++--- tasks/section_1/cis_1.9.yml | 2 +- tasks/section_1/main.yml | 4 +- tasks/section_2/cis_2.1.x.yml | 12 ++-- tasks/section_2/cis_2.2.x.yml | 80 ++++++++++++------------ tasks/section_2/cis_2.3.x.yml | 24 ++++---- tasks/section_2/cis_2.4.yml | 6 +- tasks/section_3/cis_3.1.x.yml | 104 +++++++++++++++++++++++--------- tasks/section_3/cis_3.3.x.yml | 61 ------------------- 25 files changed, 253 insertions(+), 266 deletions(-) delete mode 100644 tasks/section_3/cis_3.3.x.yml diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index b9fb6749..8cf70dc1 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -16,7 +16,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_1 + - rhel9cis_rule_1_1_1_1 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_2 + - rhel9cis_rule_1_1_1_2 tags: - level2-server - level2-workstation @@ -66,7 +66,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_3 + - rhel9cis_rule_1_1_1_3 tags: - level2-server - level2-workstation 
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 06c4eefa..bb189930 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,7 +4,7 @@ debug: msg: "WARNING!! /tmp is not mounted on a separate partition" when: - - rhel8cis_rule_1_1_2_1 + - rhel9cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server @@ -24,7 +24,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: remount tmp with_items: - "{{ ansible_mounts }}" @@ -32,10 +32,10 @@ label: "{{ item.device }}" when: - item.mount == "/tmp" - - not rhel8cis_tmp_svc - - rhel8cis_rule_1_1_2_2 or - rhel8cis_rule_1_1_2_3 or - rhel8cis_rule_1_1_2_4 + - not rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 tags: - level1-server - level1-workstation @@ -60,11 +60,11 @@ mode: 0644 notify: systemd restart tmp.mount when: - - rhel8cis_tmp_svc - - rhel8cis_rule_1_1_2_1 or - rhel8cis_rule_1_1_2_2 or - rhel8cis_rule_1_1_2_3 or - rhel8cis_rule_1_1_2_4 + - rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_1 or + rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 31696f89..c7fb9867 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -19,7 +19,7 @@ vars: required_mount: '/var' when: - - rhel8cis_rule_1_1_3_1 + - rhel9cis_rule_1_1_3_1 tags: - level2-server - level2-workstation 
@@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,10 +47,10 @@ when: - var_mount_present is defined - item.mount == "/var" - - rhel8cis_rule_1_1_3_1 # This is required so the check takes place - - rhel8cis_rule_1_1_3_2 or - rhel8cis_rule_1_1_3_3 or - rhel8cis_rule_1_1_3_4 + - rhel9cis_rule_1_1_3_1 # This is required so the check takes place + - rhel9cis_rule_1_1_3_2 or + rhel9cis_rule_1_1_3_3 or + rhel9cis_rule_1_1_3_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b2ddbf02..dbeab96e 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -20,7 +20,7 @@ vars: required_mount: '/var/tmp' when: - - rhel8cis_rule_1_1_4_1 + - rhel9cis_rule_1_1_4_1 tags: - level2-server - level2-workstation @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -48,10 +48,10 @@ when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel8cis_rule_1_1_4_1 # This is required so the check takes place - - rhel8cis_rule_1_1_4_2 or - rhel8cis_rule_1_1_4_3 or - rhel8cis_rule_1_1_4_4 + - rhel9cis_rule_1_1_4_1 # This is required so the check takes place + - rhel9cis_rule_1_1_4_2 or + rhel9cis_rule_1_1_4_3 or + rhel9cis_rule_1_1_4_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 662c8da5..f286fcc8 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log' when: - - rhel8cis_rule_1_1_5_1 + - rhel9cis_rule_1_1_5_1 tags: - level2-server - level2-workstation @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -46,10 +46,10 @@ when: - var_log_mount_present is defined - item.mount == "/var/log" - - rhel8cis_rule_1_1_5_1 # This is required so the check takes place - - rhel8cis_rule_1_1_5_2 or - rhel8cis_rule_1_1_5_3 or - rhel8cis_rule_1_1_5_4 + - rhel9cis_rule_1_1_5_1 # This is required so the check takes place + - rhel9cis_rule_1_1_5_2 or + rhel9cis_rule_1_1_5_3 or + rhel9cis_rule_1_1_5_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 89434f8d..94e85d2b 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -18,7 +18,7 @@ vars: required_mount: '/var/log/audit' when: - - rhel8cis_rule_1_1_6_1 + - rhel9cis_rule_1_1_6_1 tags: - level2-server - level2-workstation @@ -36,7 +36,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -45,10 +45,10 @@ when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel8cis_rule_1_1_6_1 # This is required so the check takes place - - rhel8cis_rule_1_1_6_2 or - rhel8cis_rule_1_1_6_3 or - rhel8cis_rule_1_1_6_4 + - rhel9cis_rule_1_1_6_1 # This is required so the check takes place + - rhel9cis_rule_1_1_6_2 or + rhel9cis_rule_1_1_6_3 or + rhel9cis_rule_1_1_6_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index a4aa38d1..453fef53 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/home' when: - - rhel8cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -47,11 +47,11 @@ when: - home_mount_present is defined - item.mount == "/home" - - rhel8cis_rule_1_1_7_1 - - rhel8cis_rule_1_1_7_2 or - rhel8cis_rule_1_1_7_3 or - rhel8cis_rule_1_1_7_4 or - rhel8cis_rule_1_1_7_5 + - rhel9cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_2 or + rhel9cis_rule_1_1_7_3 or + rhel9cis_rule_1_1_7_4 or + rhel9cis_rule_1_1_7_5 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index b2ec06c7..a61a6aff 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -14,7 +14,7 @@ changed_when: false failed_when: false check_mode: no - register: rhel8cis_1_1_8_x_dev_shm_status + register: rhel9cis_1_1_8_x_dev_shm_status - name: | "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -25,13 +25,13 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel8cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel8cis_1_1_8_x_dev_shm_status.stdout" + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: - - rhel8cis_rule_1_1_8_1 or - rhel8cis_rule_1_1_8_2 or - rhel8cis_rule_1_1_8_3 + - rhel9cis_rule_1_1_8_1 or + rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 4498978a..ed2872e9 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -5,9 +5,9 @@ name: autofs enabled: no when: - - not rhel8cis_allow_autofs + - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel8cis_rule_1_1_9 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation 
@@ -34,7 +34,7 @@ name: usb-storage state: absent when: - - rhel8cis_rule_1_1_10 + - rhel9cis_rule_1_1_10 tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 82ec26ff..19ddc3f3 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -2,11 +2,11 @@ - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | - update-crypto-policies --set "{{ rhel8cis_crypto_policy }}" + update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies notify: change_requires_reboot when: - - rhel8cis_rule_1_10 + - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index a095c966..19ef3d0d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -3,14 +3,14 @@ - name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present - username: "{{ rhel8cis_rh_sub_user }}" - password: "{{ rhel8cis_rh_sub_password }}" + username: "{{ rhel9cis_rh_sub_user }}" + password: "{{ rhel9cis_rh_sub_password }}" auto_attach: true no_log: true when: - ansible_distribution == "RedHat" - - rhel8cis_rhnsd_required - - rhel8cis_rule_1_2_1 + - rhel9cis_rhnsd_required + - rhel9cis_rule_1_2_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" when: - - rhel8cis_rule_1_2_2 + - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: @@ -51,7 +51,7 @@ loop_control: label: "{{ item.path }}" when: - - rhel8cis_rule_1_2_3 + - rhel9cis_rule_1_2_3 tags: - level1-server - level1-workstation 
@@ -76,7 +76,7 @@ - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel8cis_rule_1_2_4 + - rhel9cis_rule_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index d89aa673..4dd7bcdb 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -17,8 +17,8 @@ creates: /var/lib/aide/aide.db.gz when: not ansible_check_mode when: - - rhel8cis_config_aide - - rhel8cis_rule_1_3_1 + - rhel9cis_config_aide + - rhel9cis_rule_1_3_1 tags: - level1-server - level1-workstation @@ -30,16 +30,16 @@ - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" cron: name: Run AIDE integrity check - cron_file: "{{ rhel8cis_aide_cron['cron_file'] }}" - user: "{{ rhel8cis_aide_cron['cron_user'] }}" - minute: "{{ rhel8cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel8cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel8cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel8cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel8cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel8cis_aide_cron['aide_job'] }}" + cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" + user: "{{ rhel9cis_aide_cron['cron_user'] }}" + minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel9cis_aide_cron['aide_job'] }}" when: - - rhel8cis_rule_1_3_2 + - rhel9cis_rule_1_3_2 - not system_is_ec2 tags: - level1-server diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 96936024..9eac4eb8 100644 --- a/tasks/section_1/cis_1.4.x.yml 
+++ b/tasks/section_1/cis_1.4.x.yml @@ -3,16 +3,16 @@ - name: "1.4.1 | PATCH | Ensure bootloader password is set" copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}" + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" owner: root group: root mode: 0600 notify: grub2cfg when: - - rhel8cis_set_boot_pass + - rhel9cis_set_boot_pass - grub_pass is defined and grub_pass.passhash is defined - grub_pass.passhash | length > 0 - - rhel8cis_rule_1_4_1 + - rhel9cis_rule_1_4_1 tags: - level1-server - level1-workstation @@ -43,10 +43,10 @@ loop_control: label: "{{ item.mount }}" when: - - not rhel8cis_legacy_boot + - not rhel9cis_legacy_boot - item.mount == "/boot/efi" when: - - rhel8cis_rule_1_4_2 + - rhel9cis_rule_1_4_2 - grub_cfg.stat.exists - grub_cfg.stat.islnk tags: @@ -67,7 +67,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_4_3 + - rhel9cis_rule_1_4_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index a791860d..d3602b21 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -7,7 +7,7 @@ line: 'Storage=none' notify: systemd_daemon_reload when: - - rhel8cis_rule_1_5_1 + - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists tags: - level1-server @@ -22,7 +22,7 @@ regexp: 'ProcessSizeMax=' line: 'ProcessSizeMax=0' when: - - rhel8cis_rule_1_5_2 + - rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -40,7 +40,7 @@ sysctl_set: yes ignoreerrors: yes when: - - rhel8cis_rule_1_5_3 + - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 84dc5204..b31600a7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -5,7 +5,7 @@ name: libselinux state: present when: - - rhel8cis_rule_1_6_1_1 + - rhel9cis_rule_1_6_1_1 tags: - level1-server - level1-workstation 
@@ -22,7 +22,7 @@ ignore_errors: yes notify: grub2cfg when: - - rhel8cis_rule_1_6_1_2 + - rhel9cis_rule_1_6_1_2 tags: - level1-server - level1-workstation @@ -34,11 +34,11 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_3 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_3 tags: - level1-server - level1-workstation @@ -51,11 +51,11 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_4 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 tags: - level1-server - level1-workstation @@ -67,11 +67,11 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_5 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation @@ -98,7 +98,7 @@ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel8cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation @@ -112,7 +112,7 @@ name: setroubleshoot state: absent when: - - rhel8cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server @@ -126,7 +126,7 @@ name: mcstrans state: absent when: - - rhel8cis_rule_1_6_1_8 + - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation 
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 586a8812..1ee55791 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -8,7 +8,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_1 + - rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -25,7 +25,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_2 + - rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_3 + - rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -58,7 +58,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_4 + - rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -75,7 +75,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_5 + - rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -92,7 +92,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_6 + - rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a512e01d..1edc7048 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -5,7 +5,7 @@ name: gdm state: absent when: - - rhel8cis_rule_1_8_1 + - rhel9cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" tags: - level2-server 
@@ -32,10 +32,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel8cis_warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } when: - - rhel8cis_rule_1_8_2 - - rhel8cis_gui + - rhel9cis_rule_1_8_2 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -62,8 +62,8 @@ - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } when: - - rhel8cis_rule_1_8_3 - - rhel8cis_gui + - rhel9cis_rule_1_8_3 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -78,8 +78,8 @@ regexp: 'Enable=true' state: absent when: - - rhel8cis_rule_1_8_4 - - rhel8cis_gui + - rhel9cis_rule_1_8_4 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -100,8 +100,8 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel8cis_rule_1_8_5 - - rhel8cis_gui + - rhel9cis_rule_1_8_5 + - rhel9cis_gui tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index f6239e37..42c27b1e 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -6,7 +6,7 @@ state: latest notify: change_requires_reboot when: - - rhel8cis_rule_1_9 + - rhel9cis_rule_1_9 - not system_is_ec2 tags: - level1-server 
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index c5c8e09d..1d6ab556 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -32,7 +32,7 @@ - name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml - when: rhel8cis_config_aide + when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" import_tasks: cis_1.4.x.yml @@ -42,7 +42,7 @@ - name: "SECTION | 1.6 | Mandatory Access Control" include_tasks: cis_1.6.1.x.yml - when: not rhel8cis_selinux_disable + when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" import_tasks: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index c627db0e..5b5cf130 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -2,11 +2,11 @@ - name: "2.1.1 | PATCH | Ensure time synchronization is in use" package: - name: "{{ rhel8cis_time_synchronization }}" + name: "{{ rhel9cis_time_synchronization }}" state: present when: - - rhel8cis_rule_2_1_1 - - not rhel8cis_system_is_container + - rhel9cis_rule_2_1_1 + - not rhel9cis_system_is_container tags: - level1-server - level1-workstation @@ -33,9 +33,9 @@ create: yes mode: 0644 when: - - rhel8cis_time_synchronization == "chrony" - - rhel8cis_rule_2_1_2 - - not rhel8cis_system_is_container + - rhel9cis_time_synchronization == "chrony" + - rhel9cis_rule_2_1_2 + - not rhel9cis_system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f8b492b6..bd93fbdf 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -5,8 +5,8 @@ name: xinetd state: absent when: - - rhel8cis_rule_2_2_1 - - not rhel8cis_xinetd_server + - rhel9cis_rule_2_2_1 + - not rhel9cis_xinetd_server - "'xinetd' in ansible_facts.packages" tags: - level1-server 
@@ -20,7 +20,7 @@ name: xorg-x11-server-common state: absent when: - - rhel8cis_rule_2_2_2 + - rhel9cis_rule_2_2_2 - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server @@ -36,8 +36,8 @@ - avahi state: absent when: - - rhel8cis_rule_2_2_3 - - not rhel8cis_avahi_server + - rhel9cis_rule_2_2_3 + - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server @@ -52,9 +52,9 @@ name: cups state: absent when: - - not rhel8cis_cups_server + - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" - - rhel8cis_rule_2_2_3 + - rhel9cis_rule_2_2_3 tags: - level1-server - automated @@ -67,9 +67,9 @@ name: dhcp-server state: absent when: - - not rhel8cis_dhcp_server + - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_5 + - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation @@ -83,9 +83,9 @@ name: bind state: absent when: - - not rhel8cis_dns_server + - not rhel9cis_dns_server - "'bind' in ansible_facts.packages" - - rhel8cis_rule_2_2_6 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation @@ -99,9 +99,9 @@ name: ftp state: absent when: - - not rhel8cis_ftp_server + - not rhel9cis_ftp_server - "'ftp' in ansible_facts.packages" - - rhel8cis_rule_2_2_7 + - rhel9cis_rule_2_2_7 tags: - level1-server - level1-workstation @@ -115,9 +115,9 @@ name: vsftpd state: absent when: - - not rhel8cis_vsftpd_server + - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - - rhel8cis_rule_2_2_8 + - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation @@ -131,9 +131,9 @@ name: tftp-server state: absent when: - - not rhel8cis_tftp_server + - not rhel9cis_tftp_server - "'tftp-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_9 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation 
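Review bot: The cups task in the `@@ -52,9 +52,9 @@` hunk is gated on `rhel9cis_rule_2_2_3`, the same switch the avahi task directly above it uses, so the rename carries an apparent copy-paste mismatch into the new variable set instead of fixing it. The pattern recurs in the later hunks of this file: the httpd/nginx block named `2.2.10` is gated on `rhel9cis_rule_2_2_9` (shared with tftp-server), squid on `rhel9cis_rule_2_2_6` (shared with bind), and postfix on `rhel9cis_rule_2_2_17` (shared with ypserv). Because these switches are how an operator opts a single control out, one switch silently covering two unrelated packages means disabling, say, the bind rule also stops squid being removed. Suggest aligning each `when` to the control number in the task name (presumably `- rhel9cis_rule_2_2_4` for cups) and checking the defaults file declares each one; the cups and squid task headers sit outside these hunks, so the intended numbers are inferred.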
@@ -149,7 +149,7 @@ name: httpd state: absent when: - - not rhel8cis_httpd_server + - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" @@ -157,10 +157,10 @@ name: nginx state: absent when: - - not rhel8cis_nginx_server + - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel8cis_rule_2_2_9 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation @@ -178,9 +178,9 @@ - cyrus-imapd state: absent when: - - not rhel8cis_dovecot_cyrus_server + - not rhel9cis_dovecot_cyrus_server - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - - rhel8cis_rule_2_2_11 + - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation @@ -196,9 +196,9 @@ name: samba state: absent when: - - not rhel8cis_samba_server + - not rhel9cis_samba_server - "'samba' in ansible_facts.packages" - - rhel8cis_rule_2_2_12 + - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation @@ -212,9 +212,9 @@ name: squid state: absent when: - - not rhel8cis_squid_server + - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - - rhel8cis_rule_2_2_6 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation @@ -228,9 +228,9 @@ name: net-snmp state: absent when: - - not rhel8cis_snmp_server + - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - - rhel8cis_rule_2_2_14 + - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation @@ -244,9 +244,9 @@ name: ypserv state: absent when: - - not rhel8cis_nis_server + - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" - - rhel8cis_rule_2_2_17 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation 
@@ -260,9 +260,9 @@ name: telnet-server state: absent when: - - not rhel8cis_telnet_server + - not rhel9cis_telnet_server - "'telnet-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_16 + - rhel9cis_rule_2_2_16 tags: - level1-server - level1-workstation @@ -278,9 +278,9 @@ line: "inet_interfaces = loopback-only" notify: restart postfix when: - - not rhel8cis_is_mail_server + - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - - rhel8cis_rule_2_2_17 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation @@ -296,9 +296,9 @@ name: nfs-utils state: absent when: - - not rhel8cis_nfs_server + - not rhel9cis_nfs_server - "'nfs-utils' in ansible_facts.packages" - - rhel8cis_rule_2_2_18 + - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation @@ -315,9 +315,9 @@ name: rpcbind state: absent when: - - not rhel8cis_rpc_server + - not rhel9cis_rpc_server - "'rpcbind' in ansible_facts.packages" - - rhel8cis_rule_2_2_19 + - rhel9cis_rule_2_2_19 tags: - level1-server - level1-workstation @@ -333,9 +333,9 @@ name: rsync state: absent when: - - not rhel8cis_rsync_server + - not rhel9cis_rsync_server - "'rsync' in ansible_facts.packages" - - rhel8cis_rule_2_2_20 + - rhel9cis_rule_2_2_20 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index ee52a752..52159bcb 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -5,9 +5,9 @@ name: ypbind state: absent when: - - not rhel8cis_ypbind_required + - not rhel9cis_ypbind_required - "'ypbind' in ansible_facts.packages" - - rhel8cis_rule_2_3_1 + - rhel9cis_rule_2_3_1 tags: - level1-server - level1-workstation @@ -21,9 +21,9 @@ name: rsh state: absent when: - - not rhel8cis_rsh_required + - not rhel9cis_rsh_required - "'rsh' in ansible_facts.packages" - - rhel8cis_rule_2_3_2 + - rhel9cis_rule_2_3_2 tags: - level1-server - level2-server 
@@ -37,9 +37,9 @@ name: talk state: absent when: - - not rhel8cis_talk_required + - not rhel9cis_talk_required - "'talk' in ansible_facts.packages" - - rhel8cis_rule_2_3_3 + - rhel9cis_rule_2_3_3 tags: - level1-server - level1-workstation @@ -53,9 +53,9 @@ name: telnet state: absent when: - - not rhel8cis_telnet_required + - not rhel9cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel8cis_rule_2_3_4 + - rhel9cis_rule_2_3_4 tags: - level1-server - level1-workstation @@ -69,9 +69,9 @@ name: openldap-clients state: absent when: - - not rhel8cis_openldap_clients_required + - not rhel9cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel8cis_rule_2_3_5 + - rhel9cis_rule_2_3_5 tags: - level1-server - level1-workstation @@ -85,9 +85,9 @@ name: tftp state: absent when: - - not rhel8cis_tftp_client + - not rhel9cis_tftp_client - "'tftp' in ansible_facts.packages" - - rhel8cis_rule_2_3_6 + - rhel9cis_rule_2_3_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 84608741..a80d340f 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -7,16 +7,16 @@ changed_when: false failed_when: false check_mode: no - register: rhel8cis_2_4_services + register: rhel9cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - "Alert! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - - "{{ rhel8cis_2_4_services.stdout_lines }}" + - "{{ rhel9cis_2_4_services.stdout_lines }}" when: - - rhel8cis_rule_2_4 + - rhel9cis_rule_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ad692faf..dbc35075 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -1,43 +1,91 @@ --- -- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +# The CIS Control wants IPv6 disabled if not in use. +# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use +- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + sysctl: + name: "{{ item }}" + value: '1' + state: present + reload: yes + with_items: + - net.ipv6.conf.all.disable_ipv6 + - net.ipv6.conf.default.disable_ipv6 + - net.ipv6.conf.lo.disable_ipv6 when: - - not rhel9cis_is_router + - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 tags: - level1-server - level1-workstation - - sysctl + - manual - patch + - ipv6 + - networking - rule_3.1.1 -- name: "3.1.2 | L1 | PATCH | Ensure packet redirect sending is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table +- name: "3.1.2 | PATCH | Ensure SCTP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install sctp(\\s|$)" + line: "install sctp /bin/true" + create: yes + mode: 0600 when: - - not rhel9cis_is_router - rhel9cis_rule_3_1_2 tags: - - level1-server - - level1-workstation - - sysctl + - level2-server + - level2-workstation + - automated - patch + - sctp - rule_3.1.2 + +- name: "3.1.3 | PATCH | Ensure DCCP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install dccp(\\s|$)" + line: "install dccp 
/bin/true" + create: yes + mode: 0600 + when: + - rhel9cis_rule_3_1_3 + tags: + - level2-server + - level2-workstation + - automated + - dccp + - patch + - rule_3.1.3 + +- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" + block: + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + command: rpm -q NetworkManager + changed_when: false + failed_when: false + check_mode: no + args: + warn: no + register: rhel_08_nmcli_available + + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + command: nmcli radio wifi + register: rhel_08_wifi_enabled + changed_when: rhel_08_wifi_enabled.stdout != "disabled" + failed_when: false + when: rhel_08_nmcli_available.rc == 0 + + - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" + command: nmcli radio all off + changed_when: false + failed_when: false + when: rhel_08_wifi_enabled is changed + when: + - rhel9cis_rule_3_1_4 + tags: + - level1-server + - automated + - patch + - wireless + - rule_3.1.4 \ No newline at end of file diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml deleted file mode 100644 index 0b49ba42..00000000 --- a/tasks/section_3/cis_3.3.x.yml +++ /dev/null 
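Review bot: In the 3.1.4 block, `nmcli radio all off` switches off every radio (WWAN included), which is broader than the wireless-interface control the task name describes, and its `changed_when: false` reports no change even though the host was just altered; `nmcli radio wifi off` with normal change reporting would match the audit step, which only inspects `nmcli radio wifi`. The `args: warn: no` on the `rpm -q` command is the command module's warning suppressor, which was removed in ansible-core 2.14, so the task will fail to load on a current controller. The registered names `rhel_08_nmcli_available` / `rhel_08_wifi_enabled` are RHEL 8 leftovers in a RHEL 9 role. The new 3.1.1 task is titled `Verify if IPv6 is enabled on the system` and tagged `manual`, yet it writes `disable_ipv6 = 1` through the sysctl module, so the name and tag describe an audit while the body is a patch.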
@@ -1,61 +0,0 @@ ---- - -- name: "3.3.1 | L2 | PATCH | Ensure DCCP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.1 - -- name: "3.3.2 | L2 | PATCH | Ensure SCTP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.2 - -- name: "3.3.3 | L2 | PATCH | Ensure RDS is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install rds(\\s|$)" - line: "install rds /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.3 - -- name: "3.3.4 | L2 | PATCH | Ensure TIPC is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install tipc(\\s|$)" - line: "install tipc /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_4 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.4 From c85e9ba43f3069dd2868c103c78fc8fae15328b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:36:36 +0100 Subject: [PATCH 032/454] updated ipv6 rules Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index dbc35075..241ec207 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -3,15 +3,11 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - sysctl: - name: "{{ item }}" - value: '1' - state: present - reload: yes - with_items: - - net.ipv6.conf.all.disable_ipv6 - - net.ipv6.conf.default.disable_ipv6 - - net.ipv6.conf.lo.disable_ipv6 + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv6 route table when: - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 From 42410b4cd0a99833ff03a3b5eecfd1a24845bb40 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:37:10 +0100 Subject: [PATCH 033/454] added ipv6 rules template Signed-off-by: Mark Bolwell --- templates/etc/60-disable_ipv6.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 templates/etc/60-disable_ipv6.conf.j2 diff --git a/templates/etc/60-disable_ipv6.conf.j2 b/templates/etc/60-disable_ipv6.conf.j2 new file mode 100644 index 00000000..855d03d6 --- /dev/null +++ b/templates/etc/60-disable_ipv6.conf.j2 @@ -0,0 +1,4 @@ +{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +{% endif %} From e043274c34f83b40b47498ac411d4e5a1fddf2fb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:48:50 +0100 Subject: [PATCH 034/454] updated netwokr sysctl rules Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 155 ++++++++++++++++++++++++++++++++ templates/etc/99-sysctl.conf.j2 | 50 +++++------ 2 files changed, 180 insertions(+), 25 deletions(-) create mode 100644 tasks/section_3/cis_3.3.x.yml diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml new file mode 100644 index 00000000..ce855070 --- /dev/null +++ b/tasks/section_3/cis_3.3.x.yml 
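Review bot: The replacement 3.1.1 task is a `debug` call with `notify:`, but `debug` never reports changed and handlers only run for tasks that do, so neither `update sysctl` nor `sysctl flush ipv6 route table` will be triggered from here; add `changed_when: true` to the task. The same debug-plus-notify-without-`changed_when` shape is used for every task in the new `tasks/section_3/cis_3.3.x.yml` of the next commit and in `tasks/section_3/cis_3.2.yml` of PATCH 036. If the handler is in fact driven by some other task that this series does not show, the `notify:` lists are dead weight and the message text is misleading; either way the control is not applied by this task as written.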
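Review bot: The guard `{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}` is inverted relative to the task it pairs with: the 3.1.1 task in the previous commit runs `when: not rhel9cis_ipv6_required`, so this template emits `disable_ipv6 = 1` only on hosts where IPv6 is declared required and leaves it on where the control wants it off. It should read `{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}`. Nothing in this series shows a task that renders `templates/etc/60-disable_ipv6.conf.j2`, and the handler message still points at `/etc/sysctl.d/99-sysctl.conf`, so confirm the file is actually deployed. `net.ipv6.conf.lo.disable_ipv6`, which the first version of the task set, is not covered here.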
@@ -0,0 +1,155 @@ +--- + +- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + block: + - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3_2_1 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.1 + +- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + block: + - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3_2_2 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.2 + +- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_3 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.3 + +- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: 
update sysctl + when: + - rhel9cis_rule_3_2_4 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.4 + +- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_5 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.5 + +- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_6 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.6 + +- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_7 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.7 + +- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_8 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.8 + +- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + block: + - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush 
ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_ipv6_required + - rhel9cis_rule_3_2_9 + tags: + - level2-server + - level2-workstation + - sysctl + - patch + - rule_3.2.9 diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/99-sysctl.conf.j2 index 61f4dfa4..8feb96d6 100644 --- a/templates/etc/99-sysctl.conf.j2 +++ b/templates/etc/99-sysctl.conf.j2 
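Review bot: The 3.2.9 router-advertisement block notifies `sysctl flush ipv4 route table` from its first sub-task even though the control only touches `net.ipv6.conf.*.accept_ra`, and the second sub-task's inner `when: rhel9cis_ipv6_required` repeats the outer block's condition, so the whole block reduces to one task notifying `update sysctl` and `sysctl flush ipv6 route table`. The task names and `rule_3.2.x` tags throughout this new file say 3.2.x while the file is `cis_3.3.x.yml`; the renumbering only lands two commits later, so at this commit the file and its contents disagree.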
@@ -12,64 +12,64 @@ kernel.randomize_va_space = 2 {% endif %} # Network sysctl -{% if rhel9cis_rule_3_1_1 %} -# CIS 3.1.1 +{% if rhel9cis_rule_3_2_1 %} +# CIS 3.2.1 net.ipv4.ip_forward = 0 -{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} net.ipv6.conf.all.forwarding = 0 {% endif %} {% endif %} -{% if rhel9cis_rule_3_1_2 %} -# CIS 3.1.2 +{% if rhel9cis_rule_3_2_2 %} +# CIS 3.2.2 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 {% endif %} -{% if rhel9cis_rule_3_2_1 %} -# CIS 3.2.1 +{% if rhel9cis_rule_3_3_1 %} +# CIS 3.3.1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 -{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %} net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 {% endif %} {% endif %} -{% if rhel9cis_rule_3_2_2 %} -# CIS 3.2.2 +{% if rhel9cis_rule_3_3_2 %} +# CIS 3.3.2 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 -{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %} net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 {% endif %} {% endif %} -{% if rhel9cis_rule_3_2_3 %} -# CIS 3.2.3 +{% if rhel9cis_rule_3_3_3 %} +# CIS 3.3.3 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 {% endif %} -{% if rhel9cis_rule_3_2_4 %} -# CIS 3.2.4 +{% if rhel9cis_rule_3_3_4 %} +# CIS 3.3.4 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 {% endif %} -{% if rhel9cis_rule_3_2_5 %} -# CIS 3.2.5 +{% if rhel9cis_rule_3_3_5 %} +# CIS 3.3.5 net.ipv4.icmp_echo_ignore_broadcasts = 1 {% endif %} -{% if rhel9cis_rule_3_2_6 %} -# CIS 3.2.6 +{% if rhel9cis_rule_3_3_6 %} +# CIS 3.3.6 net.ipv4.icmp_ignore_bogus_error_responses = 1 {% endif %} -{% if rhel9cis_rule_3_2_7 %} -# CIS 
3.2.7 +{% if rhel9cis_rule_3_3_7 %} +# CIS 3.3.7 net.ipv4.conf.default.rp_filter = 1 {% endif %} -{% if rhel9cis_rule_3_2_8 %} -# CIS 3.2.8 +{% if rhel9cis_rule_3_3_8 %} +# CIS 3.3.8 net.ipv4.tcp_syncookies = 1 {% endif %} -{% if rhel9cis_rule_3_2_9 %} -# CIS 3.2.9 +{% if rhel9cis_rule_3_3_9 %} +# CIS 3.3.9 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 {% endif %} \ No newline at end of file From 555e443dec8d00234ce426d35c39e7850c7acf05 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:49:23 +0100 Subject: [PATCH 035/454] renamd updated Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.2.x.yml | 155 ---------------------------------- 1 file changed, 155 deletions(-) delete mode 100644 tasks/section_3/cis_3.2.x.yml diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml deleted file mode 100644 index ce855070..00000000 --- a/tasks/section_3/cis_3.2.x.yml +++ /dev/null 
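Review bot: After this renumbering the `# CIS 3.2.1` (`net.ipv4.ip_forward`) and `# CIS 3.2.2` (`send_redirects`) stanzas are gated on `rhel9cis_rule_3_2_1` / `rhel9cis_rule_3_2_2`, but the tasks that now carry those numbers (source-routed packets and ICMP redirects in `cis_3.2.yml`, added two commits later) are the controls this template files under 3.3.1 / 3.3.2, and no task in the rewritten `cis_3.1.x.yml` covers IP forwarding or redirect sending any more. One switch therefore toggles two different controls, and the forwarding/redirect settings have no task or tag of their own. On a context line, the Reverse Path Filtering stanza only sets `net.ipv4.conf.default.rp_filter = 1`; the CIS remediation for that control also sets `net.ipv4.conf.all.rp_filter = 1`, which is what governs interfaces that already exist, so the template likely under-applies the control.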
@@ -1,155 +0,0 @@ ---- - -- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_2_1 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.1 - -- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_2_2 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.2 - -- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_3 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.3 - -- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: 
update sysctl - when: - - rhel9cis_rule_3_2_4 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.4 - -- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_5 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.5 - -- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_6 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.6 - -- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_7 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.7 - -- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_8 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.8 - -- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - block: - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush 
ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_ipv6_required - - rhel9cis_rule_3_2_9 - tags: - - level2-server - - level2-workstation - - sysctl - - patch - - rule_3.2.9 From 35db8136b5bc5d31b8eea4edd80aedd407b4bfb4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:55:03 +0100 Subject: [PATCH 036/454] updated Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.2.yml | 51 +++++++++++++++++++++++++++ tasks/section_3/cis_3.3.x.yml | 66 +++++++++++++++++------------------ 2 files changed, 84 insertions(+), 33 deletions(-) create mode 100644 tasks/section_3/cis_3.2.yml diff --git a/tasks/section_3/cis_3.2.yml b/tasks/section_3/cis_3.2.yml new file mode 100644 index 00000000..ec397d37 --- /dev/null +++ b/tasks/section_3/cis_3.2.yml 
@@ -0,0 +1,51 @@ +--- + +- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" + block: + - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3.2.1 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.1 + +- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + block: + - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3.2.2 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.2 \ No newline at end of file diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index ce855070..ecd00a4d 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
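Review bot: The conditionals `- rhel9cis_rule_3.2.1` and `- rhel9cis_rule_3.2.2` use dots instead of underscores, so they are not the `rhel9cis_rule_3_2_1` / `rhel9cis_rule_3_2_2` variables the 99-sysctl.conf.j2 template and the rest of the role use; Jinja will not resolve the dotted form as that variable and the conditional will error out instead of skipping cleanly. The same dotted form is introduced for `rhel9cis_rule_3.3.1` through `rhel9cis_rule_3.3.9` in every hunk of the `cis_3.3.x.yml` renumbering in this commit. Replace each with the underscore form, e.g. `- rhel9cis_rule_3_2_1`. The new file is also committed without a trailing newline.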
@@ -1,15 +1,15 @@ --- -- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -17,24 +17,24 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3_2_1 + - rhel9cis_rule_3.3.1 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.1 + - rule_3.3.1 -- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" +- name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: 
@@ -42,102 +42,102 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3_2_2 + - rhel9cis_rule_3.3.2 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.2 + - rule_3.3.2 -- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" +- name: "3.3.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_3 + - rhel9cis_rule_3.3.3 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.3 + - rule_3.3.3 -- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" +- name: "3.3.4 | L1 | PATCH | Ensure suspicious packets are logged" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_4 + - rhel9cis_rule_3.3.4 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.4 + - rule_3.3.4 -- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" +- name: "3.3.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_5 + - rhel9cis_rule_3.3.5 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.5 + - rule_3.3.5 -- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" +- name: "3.3.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_6 + - rhel9cis_rule_3.3.6 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.6 + - rule_3.3.6 -- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" +- name: "3.3.7 | L1 | PATCH | Ensure 
Reverse Path Filtering is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_7 + - rhel9cis_rule_3.3.7 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.7 + - rule_3.3.7 -- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "3.3.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_8 + - rhel9cis_rule_3.3.8 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.8 + - rule_3.3.8 -- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" +- name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -146,10 +146,10 @@ when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - - rhel9cis_rule_3_2_9 + - rhel9cis_rule_3.3.9 tags: - level2-server - level2-workstation - sysctl - patch - - rule_3.2.9 + - rule_3.3.9 From d65bb7f2571614e35122e235835e9edde2fd6da7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 13:54:29 +0100 Subject: [PATCH 037/454] renamed and updated 
Signed-off-by: Mark Bolwell --- tasks/section_3/{cis_3.2.yml => cis_3.2.x.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tasks/section_3/{cis_3.2.yml => cis_3.2.x.yml} (100%) diff --git a/tasks/section_3/cis_3.2.yml b/tasks/section_3/cis_3.2.x.yml similarity index 100% rename from tasks/section_3/cis_3.2.yml rename to tasks/section_3/cis_3.2.x.yml From 398bc5bd0cb8549a9cdb02a02f586b7d5368115f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 13:55:04 +0100 Subject: [PATCH 038/454] renamed and updated Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index ecd00a4d..28697f1e 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -1,15 +1,15 @@ --- -- name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: 
@@ -25,16 +25,16 @@ - patch - rule_3.3.1 -- name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" +- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -50,7 +50,7 @@ - patch - rule_3.3.2 -- name: "3.3.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" +- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -63,7 +63,7 @@ - patch - rule_3.3.3 -- name: "3.3.4 | L1 | PATCH | Ensure suspicious packets are logged" +- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -76,7 +76,7 @@ - patch - rule_3.3.4 -- name: "3.3.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" +- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -89,7 +89,7 @@ - patch - rule_3.3.5 -- name: "3.3.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" +- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl 
@@ -102,7 +102,7 @@ - patch - rule_3.3.6 -- name: "3.3.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" +- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -115,7 +115,7 @@ - patch - rule_3.3.7 -- name: "3.3.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl From c6caa90059ee6637872d07d6c23ab1b70fb093e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 16:18:11 +0100 Subject: [PATCH 039/454] updated 
Signed-off-by: Mark Bolwell --- README.md | 1 + defaults/main.yml | 137 ++-- tasks/section_3/cis_3.3.x.yml | 6 +- tasks/section_3/cis_3.4.1.1.yml | 14 - tasks/section_3/cis_3.4.1.x.yml | 138 ++++ tasks/section_3/cis_3.4.2.x.yml | 340 +++++++-- tasks/section_3/cis_3.4.3.1.x.yml | 50 ++ .../{cis_3.4.4.1.x.yml => cis_3.4.3.2.x.yml} | 133 ++-- .../{cis_3.4.4.2.x.yml => cis_3.4.3.3.x.yml} | 127 ++-- tasks/section_3/cis_3.4.3.x.yml | 320 -------- tasks/section_3/cis_3.5.yml | 27 - tasks/section_3/cis_3.6.yml | 17 - tasks/section_4/cis_4.1.1.x.yml | 48 +- tasks/section_4/cis_4.1.2.x.yml | 15 +- tasks/section_4/cis_4.1.3.x.yml | 322 ++++++++ tasks/section_4/cis_4.1.x.yml | 207 ----- tasks/section_4/cis_4.2.1.x.yml | 112 ++- tasks/section_4/cis_4.2.2.x.yml | 189 ++++- tasks/section_4/cis_4.2.3.yml | 8 +- tasks/section_4/cis_4.3.yml | 11 +- tasks/section_4/main.yml | 10 +- tasks/section_5/cis_5.1.x.yml | 78 +- tasks/section_5/cis_5.2.x.yml | 296 +++++--- tasks/section_5/cis_5.3.x.yml | 178 +++-- tasks/section_5/cis_5.4.x.yml | 172 ++--- tasks/section_5/cis_5.5.1.x.yml | 131 ---- tasks/section_5/cis_5.5.x.yml | 28 +- tasks/section_5/cis_5.6.1.x.yml | 125 +++ tasks/section_5/cis_5.6.x.yml | 108 +++ tasks/section_5/cis_5.6.yml | 37 - tasks/section_5/cis_5.7.yml | 22 - tasks/section_5/main.yml | 21 +- tasks/section_6/cis_6.1.x.yml | 227 +++--- tasks/section_6/cis_6.2.x.yml | 718 ++++++++---------- tasks/section_6/main.yml | 2 +- templates/audit/99_auditd.rules.j2 | 123 +-- 36 files changed, 2502 insertions(+), 1996 deletions(-) delete mode 100644 tasks/section_3/cis_3.4.1.1.yml create mode 100644 tasks/section_3/cis_3.4.1.x.yml create mode 100644 tasks/section_3/cis_3.4.3.1.x.yml rename tasks/section_3/{cis_3.4.4.1.x.yml => cis_3.4.3.2.x.yml} (51%) rename tasks/section_3/{cis_3.4.4.2.x.yml => cis_3.4.3.3.x.yml} (54%) delete mode 100644 tasks/section_3/cis_3.4.3.x.yml delete mode 100644 tasks/section_3/cis_3.5.yml delete mode 100644 tasks/section_3/cis_3.6.yml create mode 100644 
tasks/section_4/cis_4.1.3.x.yml delete mode 100644 tasks/section_4/cis_4.1.x.yml delete mode 100644 tasks/section_5/cis_5.5.1.x.yml create mode 100644 tasks/section_5/cis_5.6.1.x.yml create mode 100644 tasks/section_5/cis_5.6.x.yml delete mode 100644 tasks/section_5/cis_5.6.yml delete mode 100644 tasks/section_5/cis_5.7.yml diff --git a/README.md b/README.md index d629e1fd..ea3ead56 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) +Based on v2.0.0 RHEL8 Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/) diff --git a/defaults/main.yml b/defaults/main.yml index 2a6bd1b8..d2a2372c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -169,49 +169,55 @@ rhel9cis_rule_2_3_5: true rhel9cis_rule_2_3_6: true rhel9cis_rule_2_4: true -# Section 3 rules + Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true +rhel9cis_rule_3_1_3: true +rhel9cis_rule_3_1_4: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true -rhel9cis_rule_3_2_3: true -rhel9cis_rule_3_2_4: true -rhel9cis_rule_3_2_5: true -rhel9cis_rule_3_2_6: true -rhel9cis_rule_3_2_7: true -rhel9cis_rule_3_2_8: true -rhel9cis_rule_3_2_9: true rhel9cis_rule_3_3_1: true rhel9cis_rule_3_3_2: true rhel9cis_rule_3_3_3: true rhel9cis_rule_3_3_4: true +rhel9cis_rule_3_3_5: true +rhel9cis_rule_3_3_6: true +rhel9cis_rule_3_3_7: true +rhel9cis_rule_3_3_8: true +rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true +rhel9cis_rule_3_4_1_2: true +rhel9cis_rule_3_4_1_3: true +rhel9cis_rule_3_4_1_4: true +rhel9cis_rule_3_4_1_5: true +rhel9cis_rule_3_4_1_6: true +rhel9cis_rule_3_4_1_7: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true -rhel9cis_rule_3_4_3_1: true -rhel9cis_rule_3_4_3_2: true -rhel9cis_rule_3_4_3_3: true -rhel9cis_rule_3_4_3_4: true -rhel9cis_rule_3_4_3_5: true -rhel9cis_rule_3_4_3_6: true -rhel9cis_rule_3_4_3_7: true -rhel9cis_rule_3_4_3_8: true -rhel9cis_rule_3_4_4_1_1: true -rhel9cis_rule_3_4_4_1_2: true -rhel9cis_rule_3_4_4_1_3: true -rhel9cis_rule_3_4_4_1_4: true -rhel9cis_rule_3_4_4_1_5: true -rhel9cis_rule_3_4_4_2_1: true -rhel9cis_rule_3_4_4_2_2: true -rhel9cis_rule_3_4_4_2_3: true -rhel9cis_rule_3_4_4_2_4: true -rhel9cis_rule_3_4_4_2_5: true -rhel9cis_rule_3_5: true -rhel9cis_rule_3_6: true +rhel9cis_rule_3_4_2_7: true +rhel9cis_rule_3_4_2_8: true +rhel9cis_rule_3_4_2_9: true +rhel9cis_rule_3_4_2_10: true +rhel9cis_rule_3_4_2_11: true +rhel9cis_rule_3_4_3_1_1: true +rhel9cis_rule_3_4_3_1_2: true +rhel9cis_rule_3_4_3_1_3: true +rhel9cis_rule_3_4_3_2_1: true +rhel9cis_rule_3_4_3_2_2: true 
+rhel9cis_rule_3_4_3_2_3: true +rhel9cis_rule_3_4_3_2_4: true +rhel9cis_rule_3_4_3_2_5: true +rhel9cis_rule_3_4_3_2_6: true +rhel9cis_rule_3_4_3_3_1: true +rhel9cis_rule_3_4_3_3_2: true +rhel9cis_rule_3_4_3_3_3: true +rhel9cis_rule_3_4_3_3_4: true +rhel9cis_rule_3_4_3_3_5: true +rhel9cis_rule_3_4_3_3_6: true # Section 4 rules rhel9cis_rule_4_1_1_1: true 
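Review bot: The replacement for the `# Section 3 rules` comment appears in this hunk as ` Section 3 rules` with no leading `#`; if that is what the commit writes, it is a bare scalar between two top-level mapping entries and defaults/main.yml will no longer parse, so the line should remain `# Section 3 rules`. If the `#` was only lost in rendering, disregard this. The remaining hunks in this file only add and remove `rhel9cis_rule_*` flags; the 3.4.1.x, 3.4.2.x and 3.4.3.1.x flags added here match the task files introduced in this commit.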
@@ -221,30 +227,44 @@ rhel9cis_rule_4_1_1_4: true rhel9cis_rule_4_1_2_1: true rhel9cis_rule_4_1_2_2: true rhel9cis_rule_4_1_2_3: true -rhel9cis_rule_4_1_3: true -rhel9cis_rule_4_1_4: true -rhel9cis_rule_4_1_5: true -rhel9cis_rule_4_1_6: true -rhel9cis_rule_4_1_7: true -rhel9cis_rule_4_1_8: true -rhel9cis_rule_4_1_9: true -rhel9cis_rule_4_1_10: true -rhel9cis_rule_4_1_11: true -rhel9cis_rule_4_1_12: true -rhel9cis_rule_4_1_13: true -rhel9cis_rule_4_1_14: true -rhel9cis_rule_4_1_15: true -rhel9cis_rule_4_1_16: true -rhel9cis_rule_4_1_17: true +rhel9cis_rule_4_1_3_1: true +rhel9cis_rule_4_1_3_2: true +rhel9cis_rule_4_1_3_3: true +rhel9cis_rule_4_1_3_4: true +rhel9cis_rule_4_1_3_5: true +rhel9cis_rule_4_1_3_6: true +rhel9cis_rule_4_1_3_7: true +rhel9cis_rule_4_1_3_8: true +rhel9cis_rule_4_1_3_9: true +rhel9cis_rule_4_1_3_10: true +rhel9cis_rule_4_1_3_11: true +rhel9cis_rule_4_1_3_12: true +rhel9cis_rule_4_1_3_13: true +rhel9cis_rule_4_1_3_14: true +rhel9cis_rule_4_1_3_15: true +rhel9cis_rule_4_1_3_16: true +rhel9cis_rule_4_1_3_17: true +rhel9cis_rule_4_1_3_18: true +rhel9cis_rule_4_1_3_19: true +rhel9cis_rule_4_1_3_20: true +rhel9cis_rule_4_1_3_21: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true rhel9cis_rule_4_2_1_4: true rhel9cis_rule_4_2_1_5: true rhel9cis_rule_4_2_1_6: true -rhel9cis_rule_4_2_2_1: true +rhel9cis_rule_4_2_1_7: true +rhel9cis_rule_4_2_2_1_1: true +rhel9cis_rule_4_2_2_1_2: true +rhel9cis_rule_4_2_2_1_3: true +rhel9cis_rule_4_2_2_1_4: true rhel9cis_rule_4_2_2_2: true rhel9cis_rule_4_2_2_3: true +rhel9cis_rule_4_2_2_4: true +rhel9cis_rule_4_2_2_5: true +rhel9cis_rule_4_2_2_6: true +rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true @@ -257,6 +277,7 @@ rhel9cis_rule_5_1_5: true rhel9cis_rule_5_1_6: true rhel9cis_rule_5_1_7: true rhel9cis_rule_5_1_8: true +rhel9cis_rule_5_1_9: true rhel9cis_rule_5_2_1: true rhel9cis_rule_5_2_2: true rhel9cis_rule_5_2_3: true 
@@ -280,21 +301,26 @@ rhel9cis_rule_5_2_20: true rhel9cis_rule_5_3_1: true rhel9cis_rule_5_3_2: true rhel9cis_rule_5_3_3: true +rhel9cis_rule_5_3_4: true +rhel9cis_rule_5_3_5: true +rhel9cis_rule_5_3_6: true +rhel9cis_rule_5_3_7: true rhel9cis_rule_5_4_1: true rhel9cis_rule_5_4_2: true -rhel9cis_rule_5_4_3: true -rhel9cis_rule_5_4_4: true -rhel9cis_rule_5_5_1_1: true -rhel9cis_rule_5_5_1_2: true -rhel9cis_rule_5_5_1_3: true -rhel9cis_rule_5_5_1_4: true -rhel9cis_rule_5_5_1_5: true +rhel9cis_rule_5_5_1: true rhel9cis_rule_5_5_2: true rhel9cis_rule_5_5_3: true rhel9cis_rule_5_5_4: true rhel9cis_rule_5_5_5: true -rhel9cis_rule_5_6: true -rhel9cis_rule_5_7: true +rhel9cis_rule_5_6_1_1: true +rhel9cis_rule_5_6_1_2: true +rhel9cis_rule_5_6_1_3: true +rhel9cis_rule_5_6_1_4: true +rhel9cis_rule_5_6_1_5: true +rhel9cis_rule_5_6_2: true +rhel9cis_rule_5_6_3: true +rhel9cis_rule_5_6_4: true +rhel9cis_rule_5_6_5: true # Section 6 rules rhel9cis_rule_6_1_1: true @@ -311,6 +337,7 @@ rhel9cis_rule_6_1_11: true rhel9cis_rule_6_1_12: true rhel9cis_rule_6_1_13: true rhel9cis_rule_6_1_14: true +rhel9cis_rule_6_1_15: true rhel9cis_rule_6_2_1: true rhel9cis_rule_6_2_2: true rhel9cis_rule_6_2_3: true @@ -327,10 +354,6 @@ rhel9cis_rule_6_2_13: true rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true -rhel9cis_rule_6_2_17: true -rhel9cis_rule_6_2_18: true -rhel9cis_rule_6_2_19: true -rhel9cis_rule_6_2_20: true # Service configuration booleans set true to keep service rhel9cis_avahi_server: false diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 28697f1e..7187816a 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
@@ -128,16 +128,16 @@ - patch - rule_3.3.8 -- name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" +- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: diff --git a/tasks/section_3/cis_3.4.1.1.yml b/tasks/section_3/cis_3.4.1.1.yml deleted file mode 100644 index fc78b06c..00000000 --- a/tasks/section_3/cis_3.4.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "3.4.1.1 | L1 | PATCH | Ensure a Firewall package is installed" - package: - name: "{{ rhel9cis_firewall }}" - state: present - when: - - rhel9cis_rule_3_4_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.1.1 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml new file mode 100644 index 00000000..753a4e57 --- /dev/null +++ b/tasks/section_3/cis_3.4.1.x.yml 
@@ -0,0 +1,138 @@ +--- + +- name: "3.4.1.1 | PATCH | Ensure firewalld is installed" + package: + name: + - firewalld + - iptables + state: present + when: + - rhel9cis_rule_3_4_1_1 + - rhel9cis_firewall == "firewalld" + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.1 + +- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld" + block: + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" + systemd: + name: "{{ item }}" + enabled: false + masked: true + with_items: + - iptables + - ip6tables + when: item in ansible_facts.packages + + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Remove IPTables" + package: + name: iptables-services + state: absent + when: + - rhel9cis_rule_3_4_1_2 + - rhel9cis_firewall == "firewalld" + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.2 + +- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" + systemd: + name: nftables + state: stopped + masked: yes + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3_4_1_3 + +- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running" + systemd: + name: firewalld + state: started + enabled: yes + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3_4_1_4 + +- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.5 + +- name: "3.4.1.6 | AUDIT | Ensure 
network interfaces are assigned to appropriate zone" + block: + - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" + shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_3_4_1_6_interfacepolicy + + - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" + debug: + msg: + - "The items below are the policies tied to the interfaces, please correct as needed" + - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_6 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.1.6 + +- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports" + block: + - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" + shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_3_4_1_7_servicesport + + - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + debug: + msg: + - "The items below are the services and ports that are accepted, please correct as needed" + - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_7 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.1.7 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 68b08dca..e5b0c9a7 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
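Review bot: The tags on 3.4.1.3 and 3.4.1.4 are `rule_3_4_1_3` and `rule_3_4_1_4`, while every other task in this file tags `rule_3.4.1.N`, so a `--tags rule_3.4.1.3` run silently skips those two; change them to `- rule_3.4.1.3` and `- rule_3.4.1.4`. Those same two tasks also write `masked: yes` / `enabled: yes` where the rest of the file uses `true` / `false`. In 3.4.1.2 the stop-and-mask loop is gated on `item in ansible_facts.packages`, which tests package names: `iptables` is the library package that 3.4.1.1 has just installed (the `iptables`/`ip6tables` units come from `iptables-services`) and `ip6tables` is not a package name, so the guard will presumably try to mask a unit that may not exist and never run for ip6tables — testing `'iptables-services' in ansible_facts.packages` looks closer to the intent, and it also presumes package facts were gathered earlier. 3.4.1.5 runs `firewall-cmd --set-default-zone` unconditionally and therefore reports changed on every run; comparing against `firewall-cmd --get-default-zone` first, or adding a `changed_when`, would make it idempotent.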
@@ -1,108 +1,344 @@ --- -- name: "3.4.2.1 | L1 | PATCH | Ensure firewalld service is enabled and running" - service: - name: firewalld - state: started - enabled: true +- name: "3.4.2.1 | PATCH | Ensure nftables is installed" + package: + name: nftables + state: present when: - - rhel9cis_firewall == "firewalld" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_1 + - nftables + - rule_3.4.2.1 -- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld" - systemd: - name: iptables - masked: true +# The control allows the service it be masked or not installed +# We have chosen not installed +- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" + package: + name: firewalld + state: absent when: - - rhel9cis_firewall == "firewalld" - - "'iptables' in ansible_facts.packages" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - - skip_ansible_lint - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_2 + - nftables + - rule_3.4.2.2 -- name: "3.4.2.3 | L1 | PATCH | Ensure nftables is not enabled with firewalld" - systemd: - name: nftables - enabled: false - masked: true +- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables" + block: + - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Stop services" + systemd: + name: "{{ item }}" + enabled: false + masked: true + ignore_errors: true + with_items: + - iptables + - ip6tables + + - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Remove IPTables" + package: + name: iptables-service + state: absent when: - - rhel9cis_firewall == "firewalld" - - "'nftables' in ansible_facts.packages" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_3 + - nftables + - rule_3.4.2.3 -- 
name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set" - shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - args: - warn: false +- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables" + block: + - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4" + command: iptables -F + + - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6" + command: ip6tables -F + when: rhel9cis_ipv6_required when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_4 + - rhel9cis_firewall != "firewalld" tags: - level1-server - level1-workstation + - manual - patch + - nftables - rule_3.4.2.4 -- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone" +- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists" block: - - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" - shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" - args: - warn: false + - name: "3.4.2.5 | AUDIT | Ensure a table exists | Check for tables" + command: nft list tables changed_when: false failed_when: false - check_mode: false - register: rhel9cis_3_4_2_5_interfacepolicy + register: rhel9cis_3_4_2_5_nft_tables + + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables" + debug: + msg: + - "Below are the current nft tables, please review" + - "{{ rhel9cis_3_4_2_5_nft_tables.stdout_lines }}" + when: rhel9cis_3_4_2_5_nft_tables.stdout | length > 0 - - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" debug: msg: - - "The items below are the policies tied to the interfaces, please correct as needed" - - "{{ 
rhel9cis_3_4_2_5_interfacepolicy.stdout_lines }}" + - "Warning! You currently have no nft tables, please review your setup" + - 'Use the command "nft create table inet
" to create a new table' + when: + - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" + command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + failed_when: no + when: rhel9cis_nft_tables_autonewtable when: - - rhel9cis_firewall == "firewalld" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - nftables - rule_3.4.2.5 -- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports" +- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist" block: - - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" - args: - warn: false + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + shell: nft list ruleset | grep 'hook input' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_input_chains + + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + shell: nft list ruleset | grep 'hook forward' changed_when: false failed_when: false - check_mode: false - register: rhel9cis_3_4_2_6_servicesport + register: rhel9cis_3_4_2_6_forward_chains - - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_output_chains + + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review" debug: msg: - - "The items below are the services and ports that are 
accepted, please correct as needed" - - "{{ rhel9cis_3_4_2_6_servicesport.stdout_lines }}" + - "Below are the current INPUT chains" + - "{{ rhel9cis_3_4_2_6_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel9cis_3_4_2_6_forward_chains.stdout_lines }}" + - "Below are teh current OUTPUT chains" + - "{{ rhel9cis_3_4_2_6_output_chains.stdout_lines }}" + when: not rhel9cis_nft_tables_autochaincreate + + - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" + shell: "{{ item }}" + args: + warn: no + failed_when: no + with_items: + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + when: rhel9cis_nft_tables_autochaincreate when: - - rhel9cis_firewall == "firewalld" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server - level1-workstation - - audit + - automate + - patch + - nftables - rule_3.4.2.6 + +- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured" + block: + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_iiflo + + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_ipsaddr + + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + 
failed_when: false + register: rhel9cis_3_4_2_7_ip6saddr + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_7_iiflo.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ipsaddr.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.7 + +- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured" + block: + - name: "3.4.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" + shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_8_inconnectionrule + + - name: "3.4.2.8| AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" + shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_8_outconnectionrule + + - name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" + command: 
nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct 
state new,related,established accept + when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.3.5 + +- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy" + block: + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_inputpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_forwardpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_outputpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_sshallowcheck + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_9_sshallowcheck.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } 
+ when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_9_inputpolicy.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_9_forwardpolicy.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.9 + +- name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" + service: + name: nftables + enabled: yes + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.3.7 + +- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" + lineinfile: + path: /etc/sysconfig/nftables.conf + state: present + insertafter: EOF + line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.11 diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml new file mode 100644 index 00000000..926c6854 --- /dev/null +++ b/tasks/section_3/cis_3.4.3.1.x.yml 
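Review bot: In 3.4.2.3 the package to remove is spelled `iptables-service`, whereas 3.4.1.2 and the new cis_3.4.3.1.x.yml use `iptables-services`; with the singular name the real package is never removed, so the line should read `name: iptables-services`. Three tags are also off: 3.4.2.8 is tagged `rule_3.4.3.5`, 3.4.2.10 is tagged `rule_3.4.3.7`, and 3.4.2.6 carries `automate` instead of `automated`, so tag-selected runs of those controls will miss them. The idempotency checks in 3.4.2.7 match on `counter packets 0 bytes 0 drop`, which only holds until the rule has seen traffic; once `nft list ruleset` shows non-zero counters the substring test fails and the drop rule is appended again on every run, so matching on `ip saddr 127.0.0.0/8 counter` (and `ip6 saddr ::1 counter`) together with `drop` would be stable. 3.4.2.11 makes `/etc/sysconfig/nftables.conf` include `/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}`, but nothing in this hunk writes that file, so unless another task dumps the table there the rules added by 3.4.2.5–3.4.2.9 are lost at reboot and the `nftables` service enabled in 3.4.2.10 will fail on the missing include.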
@@ -0,0 +1,50 @@ +--- + +- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed" + package: + name: + - iptables + - iptables-services + state: present + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.1.1 + +- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" + package: + name: nftables + state: absent + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.1.2 + +# The control allows the service it be masked or not installed +# We have chosen not installed +- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" + package: + name: firewalld + state: absent + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.1.3 diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml similarity index 51% rename from tasks/section_3/cis_3.4.4.1.x.yml rename to tasks/section_3/cis_3.4.3.2.x.yml index a18e7eff..3348fb5c 100644 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ b/tasks/section_3/cis_3.4.3.2.x.yml 
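Review bot: Removing firewalld in 3.4.3.1.3 drops whatever ruleset it was enforcing before any iptables policy exists, so a host on the iptables path runs with no filtering until the 3.4.3.2.x tasks have been applied and 3.4.3.2.6 has started the iptables service; if the task files are included in numeric order (main.yml is not in this diff) that window deserves a sentence in the header comment, or the removal could be moved after the iptables rules are saved. The comment above that task also has a typo: `# The control allows the service to be masked or not installed`. Since the control accepts "masked" as well, it would help to say why the role picks removal over `systemd: masked: true`, because removal is the less reversible of the two for an operator who still needs firewalld elsewhere.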
@@ -1,48 +1,22 @@ --- -- name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy" +- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" block: - - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - - - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_4_1_1 - - rhel9cis_firewall == "iptables" - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.1 - -- name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.4.4.1.2 | L1 | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT - - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT 
@@ -50,14 +24,16 @@ jump: DROP when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_2 + - rhel9cis_rule_3_4_3_2_1 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.1.2 + - iptables + - rule_3.4.3.2.1 -- name: "3.4.4.1.3 | L1 | PATCH | Ensure iptables outbound and established connections are configured" +- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' 
@@ -74,32 +50,30 @@ - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_3 + - rhel9cis_rule_3_4_3_2_2 tags: - level1-server - level1-workstation + - manual - patch - - rule_3.4.4.1.3 + - iptables + - rule_3.4.3.2.2 -- name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports" +- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports" block: - - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports" + - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports" shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - args: - warn: false changed_when: false failed_when: false - register: rhel9cis_3_4_4_1_4_otcp + register: rhel9cis_3_4_3_2_3_otcp - - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports" + - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get the list of udp open ports" shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - args: - warn: false changed_when: false failed_when: false - register: rhel9cis_3_4_4_1_4_oudp + register: rhel9cis_3_4_3_2_3_oudp - - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open tcp ports" + - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports" iptables: action: append chain: INPUT 
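Review bot: The UDP audit task in 3.4.3.2.3 can never return a port: `netstat -ant` lists TCP sockets only (`-t`), and UDP sockets have no LISTEN state, so `rhel9cis_3_4_3_2_3_oudp.stdout_lines` is always empty and no UDP accept rule is ever written before 3.4.3.2.4 sets the DROP policy later in this file. Something like `netstat -anu | awk '/^udp/ { print $4 }' | sed 's/.*://'` (or `ss -Hlun`) gives the intended list. Separately, net-tools is not guaranteed to be present on RHEL 9 and `failed_when: false` on both audit tasks hides a missing netstat, so the control silently becomes a no-op rather than failing; consider using `ss` or asserting the command exists. The same netstat caveat applies to the tcp6 task in cis_3.4.3.3.x.yml in this commit.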
@@ -109,10 +83,10 @@ ctstate: NEW jump: ACCEPT with_items: - - "{{ rhel9cis_3_4_4_1_4_otcp.stdout_lines }}" - when: rhel9cis_3_4_4_1_4_otcp.stdout is defined + - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}" + when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open udp ports" + - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports" iptables: action: append chain: INPUT 
@@ -122,27 +96,74 @@ ctstate: NEW jump: ACCEPT with_items: - - "{{ rhel9cis_3_4_4_1_4_oudp.stdout_lines }}" - when: rhel9cis_3_4_4_1_4_otcp.stdout is defined + - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" + when: rhel9cis_3_4_3_2_3_otcp.stdout is defined + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.2.3 + +- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy" + block: + - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" + iptables: + chain: INPUT + protocol: tcp + destination_port: "22" + jump: ACCEPT + + - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - rhel9cis_rule_3_4_3_2_4 + - rhel9cis_firewall == "iptables" + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.2.4 + +- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved" + iptables_state: + state: saved + path: /etc/sysconfig/iptables when: + - rhel9cis_rule_3_4_3_2_5 - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.1.4 + - iptables + - rule_3.4.3.2.5 -- name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" +- name: "3.4.3.2.6 | PATCH | Ensure iptables service is enabled and active" service: name: iptables - enabled: true + enabled: yes state: started when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_5 + - rhel9cis_rule_3_4_3_2_6 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.1.5 + - iptables + - rule_3.4.3.2.6 
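Review bot: The "Adjust open udp ports" task still gates on the TCP result; the rename carried the old typo across, and `when: rhel9cis_3_4_3_2_3_oudp.stdout is defined` is what was meant. Two smaller points in the same hunk: 3.4.3.2.6 changes `enabled: true` to `enabled: yes`, which is a YAML 1.1 boolean that yamllint's truthy rule flags, so `enabled: true` should stay; and `iptables_state` is not an ansible.builtin module (it ships in community.general), so that collection needs to be declared in the role's requirements or 3.4.3.2.5 will fail to resolve. The SSH allow in 3.4.3.2.4 hard-codes `destination_port: "22"` immediately before the DROP policy, so a host whose sshd listens on another port loses remote access; sourcing the port from a role variable would be safer. The `yes`, `iptables_state` and port-22 points apply equally to 3.4.3.3.4 to 3.4.3.3.6 in cis_3.4.3.3.x.yml.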
diff --git a/tasks/section_3/cis_3.4.4.2.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml similarity index 54% rename from tasks/section_3/cis_3.4.4.2.x.yml rename to tasks/section_3/cis_3.4.3.3.x.yml index be4bf540..f3bcfa12 100644 --- a/tasks/section_3/cis_3.4.4.2.x.yml +++ b/tasks/section_3/cis_3.4.3.3.x.yml @@ -1,37 +1,8 @@ --- -- name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy" +- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - - name: "3.4.4.2.1 | L1 | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_1 - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.1 - -- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" + - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" iptables: action: append chain: INPUT @@ -39,7 +10,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" + - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" iptables: action: append chain: OUTPUT 
@@ -47,7 +18,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" + - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT @@ -56,15 +27,17 @@ ip_version: ipv6 when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_2 + - rhel9cis_rule_3_4_3_3_1 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.2.2 + - ip6tables + - rule_3.4.3.3.1 -- name: "3.4.4.2.3 | L1 | PATCH | Ensure ip6tables outbound and established connections are configured" +- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' 
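Review bot: The renamed task `3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8` is an `ip_version: ipv6` rule, so the name should reference the IPv6 loopback (`::1`) rather than the IPv4 range; the `source` field itself is outside this hunk, so whether the address is also wrong cannot be confirmed from here and is worth checking. The commit only renumbers this task, so the mismatch is carried over from the old file rather than introduced.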
@@ -82,23 +55,25 @@ - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_3 + - rhel9cis_rule_3_4_3_3_2 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation + - manual - patch - - rule_3.4.4.2.3 + - ip6tables + - rule_3.4.3.3.2 -- name: "3.4.4.2.4 | L1 | PATCH | Ensure ip6tables firewall rules exist for all open ports" +- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports" block: - - name: "3.4.4.2.4 | L1 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" + - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' changed_when: false failed_when: false - register: rhel9cis_3_4_4_2_4_otcp + register: rhel9cis_3_4_3_3_3_otcp - - name: "3.4.4.2.4 | L1 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" + - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" iptables: action: append chain: INPUT 
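Review bot: 3.4.3.3.3 collects tcp6 listeners only, whereas its IPv4 counterpart 3.4.3.2.3 in this commit also has a UDP audit task and a matching rule task; with 3.4.3.3.4 setting a DROP policy, UDP services reachable over IPv6 get no accept rule at all. Adding a udp6 audit task and a second `iptables` task with `ip_version: ipv6` and `protocol: udp` would bring the two files in line (subject to the netstat caveat raised on the IPv4 file, since `netstat -ant` does not list UDP). The block's `when`/`tags` continue in the next hunk.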
@@ -109,28 +84,80 @@ jump: ACCEPT ip_version: ipv6 with_items: - - "{{ rhel9cis_3_4_4_2_4_otcp.stdout_lines }}" - when: rhel9cis_3_4_4_2_4_otcp.stdout is defined + - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" + when: rhel9cis_3_4_3_3_3_otcp.stdout is defined + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_3_3 + - rhel9cis_ipv6_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - ip6tables + - rule_3.4.3.3.3 + +- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy" + block: + - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" + iptables: + chain: INPUT + protocol: tcp + destination_port: "22" + jump: ACCEPT + ip_version: ipv6 + + - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_3_4 + - rhel9cis_ipv6_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - ip6tables + - rule_3.4.3.3.4 + +- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved" + iptables_state: + state: saved + path: /etc/sysconfig/ip6tables + ip_version: ipv6 when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_4 - rhel9cis_ipv6_required + - rhel9cis_rule_3_4_3_3_5 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.2.4 + - ip6tables + - rule_3.4.3.3.5 -- name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" +- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active" service: name: ip6tables - enabled: true + enabled: yes state: started when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_5 + - rhel9cis_rule_3_4_3_3_6 tags: - level1-server - level1-workstation + - automated - patch - - 
rule_3.4.4.2.5 + - ip6tables + - rule_3.4.3.3.6 diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml deleted file mode 100644 index 42121395..00000000 --- a/tasks/section_3/cis_3.4.3.x.yml +++ /dev/null @@ -1,320 +0,0 @@ ---- - -- name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables" - shell: ip6tables -F - args: - warn: false - when: - - rhel9cis_rule_3_4_3_1 - - rhel9cis_firewall != "iptables" - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.1 - -- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists" - block: - - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables" - shell: nft list tables - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_nft_tables - - - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: - msg: - - "Below are the current nft tables, please review" - - "{{ rhel9cis_3_4_3_2_nft_tables.stdout_lines }}" - when: rhel9cis_3_4_3_2_nft_tables.stdout | length > 0 - - - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: - msg: - - "Warning! You currently have no nft tables, please review your setup" - - 'Use the shell "nft create table inet
" to create a new table' - when: - - rhel9cis_3_4_3_2_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" - shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - args: - warn: false - failed_when: false - when: rhel9cis_nft_tables_autonewtable - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.2 - -- name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist" - block: - - name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_input_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_forward_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_output_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: - msg: - - "Below are the current INPUT chains" - - "{{ rhel9cis_3_4_3_3_input_chains.stdout_lines }}" - - "Below are the current FORWARD chains" - - "{{ rhel9cis_3_4_3_3_forward_chains.stdout_lines }}" - - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_3_4_3_3_output_chains.stdout_lines }}" - when: not rhel9cis_nft_tables_autochaincreate - - - name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" - args: - warn: false - failed_when: false - with_items: - - nft 
create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - when: rhel9cis_nft_tables_autochaincreate - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.3 - -- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured" - block: - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_iiflo - - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_ipsaddr - - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_ip6saddr - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - args: - warn: false - when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - args: - warn: false - when: '"ip 
saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop - args: - warn: false - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.4 - -- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured" - block: - - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_5_inconnectionrule - - - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_5_outconnectionrule - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - args: - warn: false - when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct 
state established accept - args: - warn: false - when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept - args: - warn: false - when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - args: - warn: false - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - args: - warn: false - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - args: - warn: false - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.5 - -- name: "3.4.3.6 | 
L1 | PATCH | Ensure nftables default deny firewall policy" - block: - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_inputpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_forwardpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_outputpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_sshallowcheck - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - args: - warn: false - when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - args: - warn: false - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | 
Create hook forward deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - args: - warn: false - when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - args: - warn: false - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.6 - -- name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled" - service: - name: nftables - enabled: true - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.7 - -- name: "3.4.3.8 | L1 | PATCH | Ensure nftables rules are permanent" - lineinfile: - path: /etc/sysconfig/nftables.conf - state: present - insertafter: EOF - line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.8 diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml deleted file mode 100644 index abe73d57..00000000 --- a/tasks/section_3/cis_3.5.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- - -- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled" - block: - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - shell: nmcli radio wifi - args: - warn: false - register: rhel_09_wifi_enabled - changed_when: rhel_09_wifi_enabled.stdout != "disabled" - failed_when: false - - - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - shell: nmcli radio all off - args: - warn: false - changed_when: false - failed_when: false - when: rhel_09_wifi_enabled is changed - when: - - '"NetworkManager" in ansible_facts.packages' - - rhel9cis_rule_3_5 - tags: - - level1-server - - level2-workstation - - patch - - rule_3.5 diff --git a/tasks/section_3/cis_3.6.yml b/tasks/section_3/cis_3.6.yml deleted file mode 100644 index 4fa1ae50..00000000 --- a/tasks/section_3/cis_3.6.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- - -- name: "3.6 | L2 | PATCH | Disable IPv6" - replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?/dev/null; done + changed_when: false + failed_when: false + check_mode: no + register: priv_procs + + - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_6 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.6 + +- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_7 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3_7 + +- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_8 + tags: + - level2-server + - level2-workstation + - autoamted + - patch + - auditd + - rule_4.1.3.8 + +- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_9 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.9 + +- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + 
changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_10 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.10 + +- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_11 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.11 + +- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_12 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.12 + +- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_13 + tags: + - level2-server + - level2-workstation + - auditd + - patch + - rule_4.1.3.13 + +- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_14 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.14 + +- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_15 + tags: + - 
level2-server + - level2- workstation + - automated + - patch + - auditd + - rule_4.1.3.15 + +- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_16 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.16 + +- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_17 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.17 + +- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_18 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.18 + +- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_19 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.19 + +- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_20 + tags: + - level2-server + - 
level2-workstation + - automated + - patch + - auditd + - rule_4.1.20 + +- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" + debug: + msg: + - "Please run augenrules --load if you suspect there is a configuration that is not active" + when: + - rhel9cis_rule_4_1_3_21 + tags: + - level2-server + - level2-workstation + - manual + - patch + - auditd + - rule_4.1.3.21 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml deleted file mode 100644 index ba14ec06..00000000 --- a/tasks/section_4/cis_4.1.x.yml +++ /dev/null 
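Review bot: Several tags in this hunk will not match the selectors the rest of the role uses: `- level2- workstation` on 4.1.3.15 is a different tag from `level2-workstation`, `- autoamted` on 4.1.3.8 is not `automated`, `- rule_4.1.3_7` on 4.1.3.7 and `- rule_4.1.20` on 4.1.3.20 break the `rule_4.1.3.N` pattern, and 4.1.3.13 carries no `automated` tag at all. Because `--tags level2-workstation` is how a run is scoped, the typo on 4.1.3.15 silently drops the chcon audit rule from such a run, which is exactly the kind of gap the benchmark is meant to close. `check_mode: no` on the audit shell task should be `check_mode: false`. The diff header for this hunk was lost in rendering, so which section_4 file these tasks belong to cannot be confirmed from here.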
@@ -1,207 +0,0 @@ ---- - -- name: "4.1.3 | L2 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_3 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.3 - -- name: "4.1.4 | L2 | PATCH | Ensure login and logout events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_4 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.4 - -- name: "4.1.5 | L2 | PATCH | Ensure session initiation information is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_5 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.5 - -- name: "4.1.6 | L2 | PATCH | Ensure events that modify date and time information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_6 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.6 - -- name: "4.1.7 | L2 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_7 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.7 - -- name: "4.1.8 | L2 | PATCH | Ensure events that modify the system's network environment are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - 
when: - - rhel9cis_rule_4_1_8 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.8 - -- name: "4.1.9 | L2 | PATCH | Ensure discretionary access control permission modification events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_9 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.9 - -- name: "4.1.10 | L2 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_10 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.10 - -- name: "4.1.11 | L2 | PATCH | Ensure events that modify user/group information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_11 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.11 - -- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - block: - - name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: priv_procs - - - name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_12 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.12 - -- name: "4.1.13 | L2 | PATCH | Ensure use of 
privileged commands is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.13 - -- name: "4.1.14 | L2 | PATCH | Ensure file deletion events by users are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_14 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.14 - -- name: "4.1.15 | L2 | PATCH | Ensure kernel module loading and unloading is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_15 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.15 - -- name: "4.1.16 | L2 | PATCH | Ensure system administrator actions (sudolog) are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_16 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.16 - -- name: "4.1.17 | L2 | PATCH | Ensure the audit configuration is immutable" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_17 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.17 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index dd9cdceb..0d9d0ee6 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml 
@@ -1,6 +1,6 @@ --- -- name: "4.2.1.1 | L1 | PATCH | Ensure rsyslog installed" +- name: "4.2.1.1 | PATCH | Ensure rsyslog installed" package: name: rsyslog state: present 
@@ -10,55 +10,74 @@ tags: - level1-server - level1-workstation + - automated - patch + - rsyslog - rule_4.2.1.1 -- name: "4.2.1.2 | L1 | PATCH | Ensure rsyslog Service is enabled" +- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: true + enabled: yes when: - rhel9cis_rule_4_2_1_2 tags: - level1-server - level1-workstation + - autoamted - patch - rsyslog - rule_4.2.1.2 -- name: "4.2.1.3 | L1 | PATCH | Ensure rsyslog default file permissions configured" +# This is counter to control 4.2.1.5?? +- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" + line: ForwardToSyslog=yes + state: present + when: + - rhel9cis_rule_4_2_1_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.2.1.3 + +- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: dest: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_3 + - rhel9cis_rule_4_2_1_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.1.3 + - rsyslog + - rule_4.2.1.4 -- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured" +- name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" - shell: cat /etc/rsyslog.conf - args: - warn: false - become: true + - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + command: cat /etc/rsyslog.conf + become: yes changed_when: false - failed_when: false - check_mode: false - register: rhel_09_4_2_1_4_audit + failed_when: no + check_mode: no + register: rhel_08_4_2_1_5_audit - - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" + - name: "4.2.1.5 | AUDIT | Ensure 
logging is configured | rsyslog current config message out" debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_09_4_2_1_4_audit.stdout_lines }}" + - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | mail.* log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -73,7 +92,7 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | news.crit log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -86,7 +105,7 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Misc. log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -100,13 +119,13 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Local log settings" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" block: | - # local log settings + # local log settings to meet CIS standards local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages 
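Review bot: The `autoamted` tag on 4.2.1.2 is misspelled, so `--tags automated` (or `--skip-tags automated`) silently passes over this task; the same misspelling appears in cis_5.2.x.yml on 5.2.7, 5.2.11 and 5.2.12, and 5.2.5 there is tagged `sshs` instead of `ssh`. Change it to `- automated`. The same hunk turns `enabled: true` into `enabled: yes` (likewise 5.1.1 in cis_5.1.x.yml) and writes `failed_when: no` / `check_mode: no` for 4.2.1.5, which goes against the `true`/`false` form the rest of the file keeps in `changed_when: false`; keep the canonical booleans. The audit output of 4.2.1.5 is registered as `rhel_08_4_2_1_5_audit`, a RHEL 8 leftover in a RHEL 9 role, where `rhel9cis_4_2_1_5_audit` would match the `rhel9cis_4_2_2_2_status` style used elsewhere in this commit. The comment `# This is counter to control 4.2.1.5??` appears to mean 4.2.2.5, the journald rule that comments ForwardToSyslog back out, since 4.2.1.5 is the rsyslog logging rule.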
@@ -114,16 +133,39 @@ *.emrg :omusrmsg:* insertafter: '#### RULES ####' notify: restart rsyslog + + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" + blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + block: | + # Private settings to meet CIS standards + auth,authpriv.* -/var/log/secure + insertafter: '#### RULES ####' + notify: restart rsyslog + + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" + blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + block: | + # Cron settings to meet CIS standards + cron.* /var/log/cron + insertafter: '#### RULES ####' + notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_4 + - rhel9cis_rule_4_2_1_5 tags: - level1-server - level1-workstation + - manual - patch - rsyslog - - rule_4.2.1.4 + - rule_4.2.1.5 -- name: "4.2.1.5 | L1 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" +- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" blockinfile: path: /etc/rsyslog.conf state: present @@ -137,18 +179,19 @@ - result.rc != 257 notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_5 + - rhel9cis_rule_4_2_1_6 - rhel9cis_remote_log_server is defined tags: - level1-server - level1-workstation + - manual - patch - - rule_4.2.1.5 - rsyslog + - rule_4.2.1.6 -- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." +- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: - - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When not log host" + - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" replace: path: /etc/rsyslog.conf regexp: '({{ item }})' 
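Review bot: The new `Cron Settings` task reuses the marker `#{mark} Auth SETTINGS (ANSIBLE MANAGED)` of the `Auth Settings` task directly above it, and blockinfile identifies a managed block by its marker, so the second task replaces the auth block with `cron.* /var/log/cron` and the `auth,authpriv.* -/var/log/secure` rule never survives a run. Give the cron task its own marker, `marker: "#{mark} CRON SETTINGS (ANSIBLE MANAGED)"`. Both tasks belong to the 4.2.1.5 block, whose start lies outside this hunk.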
@@ -157,9 +200,11 @@ with_items: - '^(\$ModLoad imtcp)' - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' when: not rhel9cis_system_is_log_server - - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host" + - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" replace: path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' @@ -168,12 +213,15 @@ with_items: - 'ModLoad imtcp' - 'InputTCPServerRun' + - 'module\(load="imtcp"\)' + - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - - rhel9cis_rule_4_2_1_6 + - rhel9cis_rule_4_2_1_7 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.1.6 - rsyslog + - rule_4.2.1.7 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 1c87ed47..e83d97c2 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml 
@@ -1,43 +1,206 @@ --- -- name: "4.2.2.1 | L1 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: - dest: /etc/systemd/journald.conf - regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" - line: ForwardToSyslog=yes +- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" + package: + name: systemd-journal-remote state: present when: - - rhel9cis_rule_4_2_2_1 + - rhel9cis_rule_4_2_2_1_1 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.1.1 + +- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" + lineinfile: + path: /etc/systemd/journal-upload.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart systemd_journal_upload + with_items: + - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} + - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} + - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} + - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} + when: + - rhel9cis_rule_4_2_2_1_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.1.2 + +- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" + systemd: + name: systemd-journal-upload + state: started + enabled: yes + when: + - rhel9cis_rule_4_2_2_1_3 tags: - level1-server - level1-workstation + - manual - patch - - rule_4.2.2.1 + - journald + - rule_4.2.2.1.3 + +- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" + systemd: + name: systemd-journal-remote + state: stopped + enabled: no + masked: yes + when: + - rhel9cis_rule_4_2_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_4.2.2.1.4 + +- name: "4.2.2.2 | PATCH | Ensure journald service is 
enabled" + block: + - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" + systemd: + name: systemd-journald + state: started + enabled: yes + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" + shell: systemctl is-enabled systemd-journald.service + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_2_status + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" + debug: + msg: + - "ALERT! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + when: + - rhel9cis_rule_4_2_2_2 + tags: + - level1-server + - level1-workstation + - automated + - audit + - journald + - rule_4.2.2.2 -- name: "4.2.2.2 | L1 | PATCH | Ensure journald is configured to compress large log files" +- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" lineinfile: dest: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes state: present when: - - rhel9cis_rule_4_2_2_2 + - rhel9cis_rule_4_2_2_3 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.2.2 + - journald + - rule_4.2.2.3 -- name: "4.2.2.3 | L1 | PATCH | Ensure journald is configured to write logfiles to persistent disk" +- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" lineinfile: dest: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent state: present when: - - rhel9cis_rule_4_2_2_3 + - rhel9cis_rule_4_2_2_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.2.3 + - journald + - rule_4.2.2.4 + +# This is counter to control 4.2.1.3?? 
+- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^ForwardToSyslog=" + line: "#ForwardToSyslog=yes" + state: present + notify: restart systemd_journal_upload + when: + - rhel9cis_rule_4_2_2_5 + tags: + - level1-server + - level2-workstation + - manual + - patch + - journald + - rule_4.2.2.5 + +- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" + lineinfile: + path: /etc/systemd/journald.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart journald + with_items: + - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} + - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } + - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} + - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'} + - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'} + when: + - rhel9cis_rule_4_2_2_6 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.6 + +- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" + block: + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" + find: + paths: /etc/tmpfiles.d + patterns: systemd.conf + register: rhel9cis_4_2_2_7_override_status + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" + shell: cat /etc/tmpfiles.d/systemd.conf + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_7_override_settings + when: rhel9cis_4_2_2_7_override_status.matched >= 1 + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | 
Get non-override file settings" + shell: cat /usr/lib/tmpfiles.d/systemd.conf + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_7_notoverride_settings + when: rhel9cis_4_2_2_7_override_status.matched == 0 + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" + debug: + msg: + - "Alert! Below are the current default settings for journald, please confirm they align with your site policies" + # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" + - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + when: + - rhel9cis_rule_4_2_2_7 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index bd13030a..a1b3bb76 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -1,9 +1,7 @@ --- -- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured" - shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - args: - warn: false +- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" + command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + changed_when: false failed_when: false when: @@ -11,5 +9,7 @@ tags: - level1-server - level1-workstation + - automated - patch + - logfiles - rule_4.2.3 diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 7e7fafbc..e8a47808 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
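Review bot: Task 4.2.2.5 edits /etc/systemd/journald.conf but notifies `restart systemd_journal_upload`, so journald itself is never restarted and the commented-out ForwardToSyslog line does not take effect; 4.2.2.6 edits the same file and notifies `restart journald`, which is the handler this task should use too. Its tags also pair `level1-server` with `level2-workstation`, unlike every other task in the file, which looks like a typo for `level1-workstation`. Since 4.2.1.3 writes `ForwardToSyslog=yes` and 4.2.2.5 rewrites that same line to `#ForwardToSyslog=yes`, enabling both rules on an rsyslog host makes each run undo the other; the `??` comments acknowledge this, but a guard on `rhel9cis_syslog` (the variable main.yml already uses to select cis_4.2.1.x.yml) or a documented default that leaves one of the two rules disabled would settle it. The variable names in 4.2.2.1.2 mix `rhel9cis_journal_upload_serverkeyfile` with `rhel9cis_journal_servercertificatefile` and `rhel9cis_journal_trustedcertificatefile`; if the defaults file follows a single prefix, two of these will be undefined, which is worth confirming.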
@@ -1,13 +1,13 @@ --- -- name: "4.3 | L1 | PATCH | Ensure logrotate is configured" +- name: "4.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3 | L1 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3 | L1 | PATCH | Ensure logrotate is configured" + - name: "4.3 | PATCH | Ensure logrotate is configured" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' @@ -15,11 +15,14 @@ with_items: - "{{ log_rotates.files }}" - { path: "/etc/logrotate.conf" } + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_3 - - "'logrotate' in ansible_facts.packages" tags: - level1-server - level1-workstation + - manual - patch + - logrotate - rule_4.3 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 8e84241a..3b3ab95c 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,21 +1,21 @@ --- -- name: "SECTION | 4.1| Configure System Accounting (auditd)" +- name: "SECTION | 4.1 | Configure System Accounting (auditd)" include_tasks: cis_4.1.1.x.yml when: - not system_is_container -- name: "SECTION | 4.1.2.x| Configure Data Retention" +- name: "SECTION | 4.1.2 | Configure Data Retention" import_tasks: cis_4.1.2.x.yml -- name: "SECTION | 4.1.x| Auditd rules" +- name: "SECTION | 4.1.3 | Configure Auditd rules" import_tasks: cis_4.1.x.yml -- name: "SECTION | 4.2.x| Configure Logging" +- name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' -- name: "SECTION | 4.2.2.x| Configure journald" +- name: "SECTION | 4.2.2 Configure journald" import_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dffbeaf9..9e8657ee 100644 --- a/tasks/section_5/cis_5.1.x.yml 
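Review bot: Dropping `- "'logrotate' in ansible_facts.packages"` from the `when` of 4.3 means the `replace` task now runs on hosts without logrotate, where `/etc/logrotate.conf` is absent and `replace` fails on a missing path, while the `find` over /etc/logrotate.d/ yields nothing useful. If the intent is that logrotate is always present, a `package` task should guarantee that before this block; otherwise keep the condition (it depends on `package_facts` having run earlier, which this hunk does not show).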
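Review bot: main.yml still does `import_tasks: cis_4.1.x.yml` under the renamed `"SECTION | 4.1.3 | Configure Auditd rules"`, but this same commit deletes tasks/section_4/cis_4.1.x.yml, so the import will fail at parse time unless it is pointed at the new 4.1.3.x task file (whose name this chunk does not show). The journald section name `"SECTION | 4.2.2 Configure journald"` also lacks the `|` separator the other section names use, and the context line `Configure logile perms` carries a typo for `logfile`.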
+++ b/tasks/section_5/cis_5.1.x.yml @@ -1,18 +1,20 @@ --- -- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled" +- name: "5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond - enabled: true + enabled: yes when: - rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.1 -- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured" +- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" file: dest: /etc/crontab owner: root @@ -23,10 +25,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.2 -- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured" +- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" file: dest: /etc/cron.hourly state: directory @@ -38,10 +42,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.3 -- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured" +- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" file: dest: /etc/cron.daily state: directory @@ -53,10 +59,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.4 -- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured" +- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" file: dest: /etc/cron.weekly state: directory @@ -71,7 +79,7 @@ - patch - rule_5.1.5 -- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured" +- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" file: dest: /etc/cron.monthly state: directory 
@@ -83,10 +91,11 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.6 -- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured" +- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" file: dest: /etc/cron.d state: directory 
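Review bot: 5.1.6 gets the `automated` tag here but not the `cron` tag that 5.1.1–5.1.4 and 5.1.7–5.1.9 receive in this commit, so `--tags cron` would skip the /etc/cron.monthly permissions task; the preceding hunk for 5.1.5 (`@@ -71,7 +79,7 @@`) adds neither tag, as far as its context lines show. Add `- cron` after `- patch` here, and check 5.1.5's tag list in the full file.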
@@ -98,50 +107,65 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.7 -- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users" +- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" file: - dest: /etc/at.deny + dest: /etc/cron.deny state: absent - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" stat: - path: "/etc/at.allow" - register: p + path: "/etc/cron.allow" + register: rhel9cis_5_1_8_cron_allow_state - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" file: - dest: /etc/at.allow - state: '{{ "file" if p.stat.exists else "touch" }}' + dest: /etc/cron.allow + state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 0600 + when: + - rhel9cis_rule_5_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - cron + - rule_5.1.8 - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" +- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" + block: + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" file: - dest: /etc/cron.deny + dest: /etc/at.deny state: absent - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists" + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if 
at.allow exists" stat: - path: "/etc/cron.allow" - register: p + path: "/etc/at.allow" + register: rhel9cis_5_1_9_at_allow_state - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" file: - dest: /etc/cron.allow - state: '{{ "file" if p.stat.exists else "touch" }}' + dest: /etc/at.allow + state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 0600 when: - - rhel9cis_rule_5_1_8 + - rhel9cis_rule_5_1_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_5.1.8 + - cron + - rule_5.1.9 \ No newline at end of file diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 0629cc7f..4b28f5be 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" file: dest: /etc/ssh/sshd_config state: file 
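Review bot: The new 5.1.9 task restricts `at`, yet it is tagged `cron` together with 5.1.8; an `at` tag (or a shared tag name, if the role prefers one) would let the two be selected separately. The file also now ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which produces a noisy diff on the next edit. The `mode: 0600` values are pre-existing context, but quoting them as `"0600"` would avoid relying on YAML 1.1 octal parsing.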
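Review bot: The renamed task `"5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"` drops the `PATCH` segment that every other task name in this commit keeps (`"5.2.2 | PATCH | …"`), so any reporting that keys on the `| PATCH |` / `| AUDIT |` convention will miss it. Restore it as `- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"`.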
@@ -12,107 +12,121 @@ tags: - level1-server - level1-workstation + - automated - patch + - ssh + - permissions - rule_5.2.1 -- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited" +- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} - notify: restart sshd - when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowGroups" - line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} - notify: restart sshd - when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyUsers" - line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} - notify: restart sshd - when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyGroups" - line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} - notify: restart sshd - when: "rhel9cis_sshd['denygroups']|default('') | length > 0" - when: - - rhel9cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.2 - -- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured" - block: - - name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" + - name: "5.2.2 | AUDIT | Ensure permissions on SSH private 
host key files are configured | Find the SSH private host keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key' recurse: true file_type: any - register: rhel9cis_5_2_3_ssh_private_host_key + register: rhel9cis_5_2_2_ssh_private_host_key - - name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" + - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" file: path: "{{ item.path }}" owner: root group: root mode: 0600 with_items: - - "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}" + - "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_5_2_3 + - rhel9cis_rule_5_2_2 tags: - level1-server - level1-workstation + - automated - patch - - rule_5.2.3 + - ssh + - permissions + - rule_5.2.2 -- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured" +- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - - name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" + - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' recurse: true file_type: any - register: rhel9cis_5_2_4_ssh_public_host_key + register: rhel9cis_5_2_3_ssh_public_host_key - - name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" + - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" file: path: "{{ item.path }}" owner: root group: root mode: 0644 with_items: - - "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}" + - "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" + 
loop_control: + label: "{{ item.path }}" + when: + - rhel9cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - ssh + - rule_5.2.3 + +- name: "5.2.4 | PATCH | Ensure SSH access is limited" + block: + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers" + line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + notify: restart sshd + when: "rhel9cis_sshd['allowusers']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowGroups" + line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + notify: restart sshd + when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyUsers" + line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + notify: restart sshd + when: "rhel9cis_sshd['denyusers']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyGroups" + line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + notify: restart sshd + when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: - rhel9cis_rule_5_2_4 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.4 -- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate" +- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: state: present dest: /etc/ssh/sshd_config 
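Review bot: 5.2.3 (public host keys) is tagged `ssh` but not `permissions`, while 5.2.1 and 5.2.2, the sibling permission tasks in this hunk, get both; add `- permissions` before `- rule_5.2.3` so tag-based runs stay consistent. The 5.2.4 AllowUsers/AllowGroups/DenyUsers/DenyGroups subtasks are moved unchanged and keep `notify: restart sshd`, whereas the 5.2.6–5.2.12 lineinfile tasks in the following hunk carry no `notify`; if sshd is restarted elsewhere for those, a comment on 5.2.4's block saying so would save the next reader the search.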
@@ -123,145 +137,155 @@ tags: - level1-server - level1-workstation + - automated - patch + - sshs - rule_5.2.5 -- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled" +- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#X11Forwarding|^X11Forwarding" - line: 'X11Forwarding no' + regexp: "^#UsePAM|^UsePAM" + line: 'UsePAM yes' when: - rhel9cis_rule_5_2_6 tags: - - level2-server + - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.6 -- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" +- name: "5.2.7 | PATCH | Ensure SSH root login is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: '^(#)?MaxAuthTries \d' - line: 'MaxAuthTries 4' + regexp: "^#PermitRootLogin|^PermitRootLogin" + line: 'PermitRootLogin no' when: - rhel9cis_rule_5_2_7 tags: - level1-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.7 -- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled" +- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#IgnoreRhosts|^IgnoreRhosts" - line: 'IgnoreRhosts yes' + regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" + line: 'HostbasedAuthentication no' when: - rhel9cis_rule_5_2_8 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.8 -- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled" +- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" - line: 'HostbasedAuthentication no' + regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" + line: 'PermitEmptyPasswords no' when: - rhel9cis_rule_5_2_9 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.9 -- name: "5.2.10 | L1 | PATCH | 
Ensure SSH root login is disabled" +- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#PermitRootLogin|^PermitRootLogin" - line: 'PermitRootLogin no' + regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" + line: 'PermitUserEnvironment no' when: - rhel9cis_rule_5_2_10 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.10 -- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" +- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" - line: 'PermitEmptyPasswords no' + regexp: "^#IgnoreRhosts|^IgnoreRhosts" + line: 'IgnoreRhosts yes' when: - rhel9cis_rule_5_2_11 tags: - level1-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.11 -- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled" +- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" - line: 'PermitUserEnvironment no' + regexp: "^#X11Forwarding|^X11Forwarding" + line: 'X11Forwarding no' when: - rhel9cis_rule_5_2_12 tags: - - level1-server + - level2-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.12 -- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured" - block: - - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^ClientAliveInterval' - line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" - - - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: 
'^ClientAliveCountMax' - line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" +- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" + line: 'AllowTcpForwarding no' when: - rhel9cis_rule_5_2_13 tags: - - level1-server - - level1-workstation + - level2-server + - level2-workstation + - autoamted - patch + - ssh - rule_5.2.13 -- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#LoginGraceTime|^LoginGraceTime" - line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" +- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" + shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + args: + warn: no + notify: restart sshd when: - rhel9cis_rule_5_2_14 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.14 -- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured" +- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: state: present dest: /etc/ssh/sshd_config 
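Review bot: The 5.2.8 regexp is still missing its opening quote, `regexp: ^#HostbasedAuthentication|^HostbasedAuthentication"`, so YAML keeps the closing `"` as part of the pattern; the second alternative then only matches `HostbasedAuthentication"` literally, an active `HostbasedAuthentication yes` line is never replaced, lineinfile appends `HostbasedAuthentication no` below it, and sshd honours the first occurrence, so the control is not enforced. It should read `regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"` like the neighbouring tasks. The `automated` tag is misspelled `autoamted` on 5.2.7, 5.2.11, 5.2.12 and 5.2.13 here and on 5.2.16 and 5.2.17 in the next hunk, and 5.2.5 has `sshs` instead of `ssh`, so tag-filtered runs silently skip those tasks. Only 5.2.14 notifies `restart sshd`; the lineinfile tasks in this hunk rewrite sshd_config without a handler, so the hardened values are not live until something else restarts the daemon.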
@@ -272,74 +296,96 @@ tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.15 -- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled" +- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#UsePAM|^UsePAM" - line: 'UsePAM yes' + regexp: '^(#)?MaxAuthTries \d' + line: 'MaxAuthTries 4' when: - rhel9cis_rule_5_2_16 tags: - level1-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.16 -- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled" +- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" - line: 'AllowTcpForwarding no' + regexp: "^#MaxStartups|^MaxStartups" + line: 'MaxStartups 10:30:60' when: - rhel9cis_rule_5_2_17 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - autoamted - patch + - ssh - rule_5.2.17 -- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured" +- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#MaxStartups|^MaxStartups" - line: 'MaxStartups 10:30:60' + regexp: "^#MaxSessions|^MaxSessions" + line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' when: - rhel9cis_rule_5_2_18 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.18 -- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less" +- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#MaxSessions|^MaxSessions" - line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' + regexp: "^#LoginGraceTime|^LoginGraceTime" + line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" when: - rhel9cis_rule_5_2_19 tags: - level1-server - level1-workstation + - 
automated - patch + - ssh - rule_5.2.19 -- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: false - notify: restart sshd +- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" + block: + - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^ClientAliveInterval' + line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" + + - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^ClientAliveCountMax' + line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" when: - rhel9cis_rule_5_2_20 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 27623024..b6dc07a9 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml 
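Review bot: None of the sshd_config edits in this hunk (5.2.16 through 5.2.20) notifies the `restart sshd` handler or validates the result, unlike 5.2.14 in the previous hunk, so a changed MaxAuthTries, MaxStartups, MaxSessions, LoginGraceTime or ClientAlive* value is not active until an unrelated restart, and a bad variable value (an empty `rhel9cis_ssh_maxsessions`, say) is written unchecked into the file that gates remote access. Adding `notify: restart sshd` and `validate: '/usr/sbin/sshd -t -f %s'` to each lineinfile addresses both. The 5.2.20 sub-task name promises "ClientAliveCountMax set to <= 3" but the task writes `rhel9cis_sshd['clientalivecountmax']` as given; the name or a range check on the variable should agree with what is actually enforced.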
@@ -1,94 +1,138 @@ --- -- name: "5.3.1 | L1 | PATCH | Create custom authselect profile" - block: - - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles" - shell: 'authselect current | grep "Profile ID: custom/"' - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_1_profiles - - - name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_1_profiles.stdout_lines }}" - - - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles" - shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - args: - warn: false - when: rhel9cis_authselect_custom_profile_create +- name: "5.3.1 | PATCH | Ensure sudo is installed" + package: + name: sudo + state: present when: - rhel9cis_rule_5_3_1 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.1 -- name: "5.3.2 | L1 | PATCH | Select authselect profile" - block: - - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features" - shell: "authselect current" - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_2_profiles - - - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_2_profiles.stdout_lines }}" - - - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" - args: - warn: false - when: rhel9cis_authselect_custom_profile_select +- name: "5.3.2 | PATCH | Ensure sudo commands use pty" + lineinfile: + dest: /etc/sudoers + line: "Defaults use_pty" + state: present 
when: - rhel9cis_rule_5_3_2 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.2 -- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock" +- name: "5.3.3 | PATCH | Ensure sudo log file exists" + lineinfile: + dest: /etc/sudoers + regexp: '^Defaults logfile=' + line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' + state: present + when: + - rhel9cis_rule_5_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.3 + +- name: "5.3.4 | PATCH | Ensure users must provide password for escalation" + replace: + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + with_items: + - "{{ rhel9cis_sudoers_files.stdout_lines }}" + when: + - rhel9cis_rule_5_3_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - sudo + - rule_5.3.4 + +- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" + replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + with_items: + - "{{ rhel9cis_sudoers_files.stdout_lines }}" + when: + - rhel9cis_rule_5_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.5 + +- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" block: - - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - shell: "authselect current | grep with-faillock" - args: - warn: false - failed_when: false + - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false - check_mode: false - register: rhel9cis_5_3_3_profiles_faillock + failed_when: false + register: rhel9cis_5_3_6_timeout_files - - 
name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_3_profiles_faillock.stdout_lines }}" + - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + lineinfile: + path: /etc/sudoers + regexp: 'Defaults timestamp_timeout=' + line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + when: rhel9cis_5_3_6_timeout_files.stdout | length == 0 - - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" - args: - warn: false - when: rhel9cis_authselect_custom_profile_select + - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" + when: rhel9cis_5_3_6_timeout_files.stdout | length > 0 when: - - rhel9cis_rule_5_3_3 + - rhel9cis_rule_5_3_6 tags: - level1-server - level1-workstation + - automated - patch - - authselect - - rule_5.3.3 + - sudo + - rule_5.3.6 + +- name: "5.3.7 | PATCH | Ensure access to the su command is restricted" + block: + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + lineinfile: + state: present + dest: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' + + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" + user: + name: "{{ rhel9cis_sugroup_users }}" + groups: "{{ 
rhel9cis_sugroup | default('wheel') }}" + when: + - rhel9cis_rule_5_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 05ccefba..501af418 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
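Review bot: The 5.3.4 regexp `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` places the Jinja output inside a character class, so on EC2 it renders as `[^#|ec2-user]` and skips every line whose first character is one of `e c 2 - u s r |` — a `root ALL=(ALL) NOPASSWD: ALL` entry is left untouched even though only the ec2-user line was meant to be spared; a negative lookahead such as `'^(?!ec2-user)([^#].*)NOPASSWD(.*)'`, gated on `system_is_ec2` in `when:`, expresses the intent. The 5.3.2 and 5.3.3 lineinfile edits and the 5.3.4/5.3.5 replace edits write to /etc/sudoers and /etc/sudoers.d without the `validate: '/usr/sbin/visudo -cf %s'` that 5.3.6 already uses, so one malformed line breaks sudo for every user. In 5.3.7 the `user:` task sets `groups:` without `append: true`, which removes `rhel9cis_sugroup_users` from all of its other supplementary groups.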
@@ -1,131 +1,61 @@ --- -- name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - lineinfile: - state: present - dest: /etc/security/pwquality.conf - regexp: ^{{ item.name }} - line: "{{ item.name }} = {{ item.value }}" - with_items: - - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - when: rhel9cis_rule_5_4_1 - - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings - 5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings" - lineinfile: - dest: /etc/pam.d/system-auth - state: present - regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertbefore: '^#?password ?' - when: - - rhel9cis_rule_5_4_1 or - rhel9cis_rule_5_4_3 - - - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: - dest: /etc/pam.d/password-auth - state: present - regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" - insertbefore: '^#?password ?' 
- when: rhel9cis_rule_5_4_1 - - - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth" - lineinfile: - dest: /etc/pam.d/{{ item }} - state: present - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: rhel9cis_rule_5_4_2 - - - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail" - lineinfile: - dest: /etc/pam.d/{{ item }} - state: present - regexp: '^auth required pam_faillock.so authfail' - line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: rhel9cis_rule_5_4_2 - - - name: | - "5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings" - lineinfile: - dest: /etc/pam.d/system-auth - state: present - regexp: '^password sufficient pam_unix.so' - line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^#?password ?' 
- when: - - rhel9cis_rule_5_4_3 or - rhel9cis_rule_5_4_4 - - - name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings" - lineinfile: - dest: /etc/pam.d/password-auth - state: present - regexp: '^password sufficient pam_unix.so' - line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok" - insertafter: '^#?password ?' - when: rhel9cis_rule_5_4_4 - - # The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services - # With the steps below you will score five (5) points lower due to false positive results - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" - copy: - src: /etc/pam.d/{{ item }} - dest: /etc/pam.d/{{ item }}-local - remote_src: true - owner: root - group: root - mode: '0644' - with_items: - - "system-auth" - - "password-auth" - - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" - file: - src: /etc/pam.d/{{ item }}-local - dest: /etc/pam.d/{{ item }} - state: link - force: true - with_items: - - "system-auth" - - "password-auth" + - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" + shell: 'authselect current | grep "Profile ID: custom/"' + failed_when: false + changed_when: false + check_mode: no + register: rhel9cis_5_4_1_profiles + + - name: 
"5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" + debug: + msg: + - "Below are the current custom profiles" + - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" + + - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" + shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} + args: + warn: no + when: rhel9cis_authselect_custom_profile_create when: - - rhel9cis_rule_5_4_1 or - rhel9cis_rule_5_4_2 or - rhel9cis_rule_5_4_3 or - rhel9cis_rule_5_4_4 + - rhel9cis_rule_5_4_1 tags: - level1-server - level1-workstation + - manual - patch + - authselect - rule_5.4.1 + +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" + block: + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" + shell: "authselect current | grep with-faillock" + failed_when: false + changed_when: false + check_mode: no + register: rhel9cis_5_4_2_profiles_faillock + + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" + debug: + msg: + - "Below are the current custom profiles" + - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" + + - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" + shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + args: + warn: no + when: rhel9cis_authselect_custom_profile_select + when: + - rhel9cis_rule_5_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - authselect - rule_5.4.2 - - rule_5.4.3 - - rule_5.4.4 diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml deleted file mode 100644 index c7486e16..00000000 --- a/tasks/section_5/cis_5.5.1.x.yml +++ /dev/null 
@@ -1,131 +0,0 @@ ---- - -- name: "5.5.1.1 | L1 | PATCH | Ensure password expiration is 365 days or less" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" - when: - - rhel9cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.1 - -- name: "5.5.1.2 | L1 | PATCH | Ensure minimum days between password changes is 7 or more" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" - when: - - rhel9cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.2 - -- name: "5.5.1.3 | L1 | PATCH | Ensure password expiration warning days is 7 or more" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" - when: - - rhel9cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.3 - -- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" - shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_5_5_1_4_inactive_settings - - - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} - args: - warn: false - when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0 - - - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' - args: - warn: false - check_mode: false - register: rhel_09_5_5_1_4_audit - changed_when: false - - - name: 
"5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" - args: - warn: false - with_items: - - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}" - when: - - rhel9cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.4 - -- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_5_1_5_currentut - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_5_5_1_5_user_list - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel9cis_5_5_1_5_user_list.stdout | length == 0 - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - debug: - msg: "Warning! 
The following accounts have the last PW change date in the future: {{ rhel9cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel9cis_5_5_1_5_user_list.stdout | length > 0 - - not rhel9cis_futurepwchgdate_autofix - - - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - shell: passwd --expire {{ item }} - args: - warn: false - when: - - rhel9cis_5_5_1_5_user_list | length > 0 - - rhel9cis_futurepwchgdate_autofix - with_items: - - "{{ rhel9cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel9cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index ebed1bdd..8c5d301f 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,8 +1,8 @@ --- -- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured" +- name: "5.5.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin" + - name: "5.5.2 | Ensure system accounts are secured | Set nologin" user: name: "{{ item.id }}" shell: /usr/sbin/nologin @@ -13,11 +13,11 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - item.uid < 1000 + - rhel9cis_int_gid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" - - name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts" + - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" user: name: "{{ item.id }}" password_lock: true @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - min_int_uid | int >= item.uid + - rhel9cis_int_gid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: 
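Review bot: The new system-account test `rhel9cis_int_gid | int > item.gid` in both 5.5.2 sub-tasks swaps a UID check for a primary-GID check, and those are not the same population: an account with a low UID but a user-private group above the threshold is now skipped, while a high-UID user whose primary group happens to be low-numbered gets `nologin` and a locked password. The benchmark's notion of a system account is UID-based, so comparing `item.uid` against the UID_MIN threshold (the hunk does not show which variable holds it) is the safer test. The same condition appears in the new cis_5.6.x.yml below with the comparison reversed, `rhel9cis_int_gid | int < item.gid`, so one of the two files locks regular users rather than system accounts; the two should agree.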
@@ -39,15 +39,15 @@ - patch - rule_5.5.2 -- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less" +- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: - create: true + create: yes mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" marker: "# {mark} ANSIBLE MANAGED" block: | - # Set session timeout - CIS ID RHEL-09-5.4.5 + # Set session timeout - CIS ID RHEL-08-5.4.5 TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT @@ -62,10 +62,8 @@ - patch - rule_5.5.3 -- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0" - shell: usermod -g 0 root - args: - warn: false +- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0" + command: usermod -g 0 root changed_when: false failed_when: false when: @@ -76,15 +74,15 @@ - patch - rule_5.5.4 -- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive" +- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc regexp: '(^\s+umask) 0[012][0-6]' replace: '\1 027' - - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" + - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile regexp: '(^\s+umask) 0[012][0-6]' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml new file mode 100644 index 00000000..744c6d68 --- /dev/null +++ b/tasks/section_5/cis_5.6.1.x.yml 
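Review bot: In 5.5.3 `create: yes` replaces `create: true` and the block comment changes from `RHEL-09-5.4.5` to `RHEL-08-5.4.5`; both read as regressions copied from the RHEL 8 role, and the comment is written verbatim into `{{ rhel9cis_shell_session_timeout.file }}` and /etc/profile on every host. Keeping `create: true` and `# Set session timeout - CIS ID RHEL-09-5.4.5` leaves the file consistent with the rest of the role. In the next hunk 5.5.4 now runs `command: usermod -g 0 root` with both `changed_when: false` and `failed_when: false`, so a failure to set root's primary group is silently swallowed; dropping `failed_when: false`, or registering the result and failing on a non-zero `rc`, would surface it.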
@@ -0,0 +1,125 @@ +--- + +- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + when: + - rhel9cis_rule_5_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.5.1.1 + +- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + when: + - rhel9cis_rule_5_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.6.1.2 + +- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + when: + - rhel9cis_rule_5_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.5.1.3 + +- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + block: + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" + shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_4_inactive_settings + + - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" + command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 + + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" + shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + changed_when: false + check_mode: no + register: rhel_8_5_6_1_4_user_list + + - name: "5.6.1.4 | PATCH | Ensure 
inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" + command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + with_items: + - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" + when: + - rhel9cis_rule_5_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.6.1.4 + +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" + block: + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + shell: echo $(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_5_currentut + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" + shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_5_user_list + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" + debug: + msg: "Good News! All accounts have PW change dates that are in the past" + when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" + debug: + msg: "Warning! 
The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix + + - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" + command: passwd --expire {{ item }} + when: + - rhel9cis_5_6_1_5_user_list | length > 0 + - rhel9cis_futurepwchgdate_autofix + with_items: + - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_rule_5_6_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml new file mode 100644 index 00000000..3d9cf327 --- /dev/null +++ b/tasks/section_5/cis_5.6.x.yml 
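Review bot: The rule tags in the new cis_5.6.1.x.yml do not match the task numbers: 5.6.1.1 carries `rule_5.5.1.1`, 5.6.1.3 carries `rule_5.5.1.3` and 5.6.1.5 carries `rule_5.5.1.5`, so `--tags rule_5.6.1.1` (and the other two) never selects them; 5.6.1.5 also lacks the `automated` and `password` tags its siblings have. In the 5.6.1.5 autofix task the guard `rhel9cis_5_6_1_5_user_list | length > 0` tests the registered result dict, which is never empty, rather than `rhel9cis_5_6_1_5_user_list.stdout | length > 0` as the two debug tasks do. The register name `rhel_8_5_6_1_4_user_list` is another RHEL 8 carry-over worth renaming under the `rhel9cis_` prefix used everywhere else.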
@@ -0,0 +1,108 @@
+---
+
+- name: "5.6.2 | PATCH | Ensure system accounts are secured"
+ block:
+ - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
+ user:
+ name: "{{ item.id }}"
+ shell: /usr/sbin/nologin
+ with_items:
+ - "{{ rhel9cis_passwd }}"
+ when:
+ - item.id != "root"
+ - item.id != "sync"
+ - item.id != "shutdown"
+ - item.id != "halt"
+ - rhel9cis_int_gid | int < item.gid
+ - item.shell != " /bin/false"
+ - item.shell != " /usr/sbin/nologin"
+ loop_control:
+ label: "{{ item.id }}"
+
+ - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
+ user:
+ name: "{{ item.id }}"
+ password_lock: true
+ with_items:
+ - "{{ rhel9cis_passwd }}"
+ when:
+ - item.id != "halt"
+ - item.id != "shutdown"
+ - item.id != "sync"
+ - item.id != "root"
+ - rhel9cis_int_gid | int < item.gid
+ - item.shell != " /bin/false"
+ - item.shell != " /usr/sbin/nologin"
+ loop_control:
+ label: "{{ item.id }}"
+ when:
+ - rhel9cis_rule_5_6_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - accounts
+ - rule_5.6.2
+
+- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
+ blockinfile:
+ create: yes
+ mode: 0644
+ dest: "{{ item.dest }}"
+ state: "{{ item.state }}"
+ marker: "# {mark} ANSIBLE MANAGED"
+ block: |
+ # Set session timeout - CIS ID RHEL-08-5.4.5
+ TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
+ export TMOUT
+ readonly TMOUT
+ with_items:
+ - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
+ - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
+ when:
+ - rhel9cis_rule_5_6_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - accounts
+ - rule_5.6.3
+
+- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
+ command: usermod -g 0 root
+ changed_when: false
+ failed_when: false
+ when:
+ - rhel9cis_rule_5_6_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - accounts
+ - rule_5.6.4
+
+- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
+ block:
+ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+ replace:
+ path: /etc/bashrc
+ regexp: '(^\s+umask) 0[012][0-6]'
+ replace: '\1 027'
+
+ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
+ replace:
+ path: /etc/profile
+ regexp: '(^\s+umask) 0[012][0-6]'
+ replace: '\1 027'
+ when:
+ - rhel9cis_rule_5_6_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - accounts
+ - rule_5.6.5
diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml
deleted file mode 100644
index 6262c3c2..00000000
--- a/tasks/section_5/cis_5.6.yml
+++ /dev/null
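Review bot: In 5.6.2 both the nologin task and the lock task are gated on `rhel9cis_int_gid | int < item.gid`, which (filter binds tighter than `<`) selects accounts whose primary GID is *above* the threshold; if `rhel9cis_int_gid` is the UID_MIN/GID_MIN boundary, as its use in 6.2.9 of this same commit suggests, this sets `/usr/sbin/nologin` on and locks every interactive user instead of the system accounts CIS 5.6.2 targets. The comparison should read `- item.gid < rhel9cis_int_gid | int` (or better compare `item.uid`, since the benchmark defines system accounts by UID). The `item.shell != " /bin/false"` and `" /usr/sbin/nologin"` guards carry a leading space inside the quotes; unless the `rhel9cis_passwd` parser really emits a padded shell field they never match, which is only harmless because the `user` module is idempotent, so worth confirming. `mode: 0644` in 5.6.3 is an unquoted octal scalar; `mode: "0644"` avoids the YAML 1.1 integer conversion.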
@@ -1,37 +0,0 @@ ---- - -# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed. -- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console" - block: - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists" - stat: - path: /etc/securetty - register: rhel9cis_securetty_check - - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles" - shell: cat /etc/securetty - args: - warn: false - changed_when: false - register: rhel_09_5_6_audit - when: rhel9cis_securetty_check.stat.exists - - - name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console" - debug: - msg: - - "These are the consoles with root login access, please review:" - - "{{ rhel_09_5_6_audit.stdout_lines }}" - when: rhel9cis_securetty_check.stat.exists - - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists" - debug: - msg: - - "There is no /etc/securetty file, this has been removed by default in RHEL9" - when: not rhel9cis_securetty_check.stat.exists - when: - - rhel9cis_rule_5_6 - tags: - - level1-server - - level1-workstation - - audit - - rule_5.6 diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml deleted file mode 100644 index 9e7bbec8..00000000 --- a/tasks/section_5/cis_5.7.yml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- - -- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - lineinfile: - state: present - dest: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - - - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - user: - name: "{{ rhel9cis_sugroup_users }}" - groups: "{{ rhel9cis_sugroup | default('wheel') }}" - when: - - rhel9cis_rule_5_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.7 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 08e5c452..b7db8599 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,5 +1,7 @@ --- +# Access, Authentication, and Authorization + - name: "SECTION | 5.1 | Configure time-based job schedulers" import_tasks: cis_5.1.x.yml @@ -8,22 +10,17 @@ when: - "'openssh-server' in ansible_facts.packages" -- name: "SECTION | 5.3 | Configure Profiles" +- name: "SECTION | 5.3 | Configure privilege escalation" include_tasks: cis_5.3.x.yml - when: - - rhel9cis_use_authconfig -- name: "SECTION | 5.4 | Configure PAM " +- name: "SECTION | 5.4 | Configure authselect" import_tasks: cis_5.4.x.yml -- name: "SECTION | 5.5.1.x | Passwords and Accounts" - import_tasks: cis_5.5.1.x.yml - -- name: "SECTION | 5.5.x | System Accounts and User Settings" +- name: "SECTION | 5.5 | Configure PAM " import_tasks: cis_5.5.x.yml -- name: "SECTION | 5.6 | Root Login" - import_tasks: cis_5.6.yml +- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" + import_tasks: cis_5.6.1.x.yml -- name: Section | 5.7 | su Command Restriction - import_tasks: cis_5.7.yml +- name: "SECTION | 5.6.x | Misc. User Account Settings" + import_tasks: cis_5.6.x.yml 
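Review bot: The main.yml hunk drops the imports of `cis_5.7.yml` (the `pam_wheel.so use_uid`/`group=` restriction on `su`) and `cis_5.6.yml`, and nothing in this commit shows where the su restriction now lives; if it moved into the renamed "SECTION | 5.3 | Configure privilege escalation" file, a comment such as `# su restriction (formerly 5.7) now in cis_5.3.x.yml` on that include would make it traceable, otherwise the control is silently lost. The `rhel9cis_use_authconfig` guard is removed from the 5.3 include with no replacement condition, so confirm `cis_5.3.x.yml` no longer depends on it. 5.3 is also the only `include_tasks` among `import_tasks`; because tags on a dynamic include are not applied to the included tasks, `--tags rule_5.3.x` runs will skip the untagged include line and never load that file.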
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c596ed13..be85af00 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -1,30 +1,30 @@ --- -- name: "6.1.1 | L2 | AUDIT | Audit system file permissions" +- name: "6.1.1 | AUDIT | Audit system file permissions" block: - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages" + - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: false + warn: no changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Create list and warning" + - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | L2 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" + - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: msg: | "Warning! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out no package descrepancies" + - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" debug: msg: "Good News! There are no package descrepancies" when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0 
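Review bot: The `copy` that writes the `rpm -Va` discrepancy list to `rhel9cis_rpm_audit_file` sets no owner or mode, so the file takes the default umask and is likely world-readable; its contents are a ready-made list of system files with wrong ownership or permissions, which is exactly what an attacker wants. Add `owner: root`, `group: root` and `mode: "0600"` to that task. Separately, `failed_when: false` on the rpm call means an rpm invocation that errors out with empty stdout is reported as "Good News! There are no package descrepancies"; the good-news message should presumably also require `rhel9cis_6_1_1_packages_rpm.rc == 0`, to be confirmed against rpm's exit codes since `rpm -Va` is non-zero when it finds discrepancies.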
@@ -33,26 +33,32 @@ tags: - level2-server - level2-workstation + - manual - audit + - permissions - rule_6.1.1 -- name: "6.1.2 | L1 | PATCH | Ensure permissions on /etc/passwd are configured" - file: - dest: /etc/passwd - owner: root - group: root - mode: 0644 +- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" + shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + args: + warn: no + changed_when: false + failed_when: false when: - rhel9cis_rule_6_1_2 tags: + - skip_ansible_lint - level1-server - level1-workstation + - automated - patch - - rule_6.1.2 + - stickybits + - permissons + - rule_1.1.21 -- name: "6.1.3 | L1 | PATCH | Ensure permissions on /etc/passwd- are configured" +- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured" file: - dest: /etc/passwd- + dest: /etc/passwd owner: root group: root mode: 0644 @@ -61,10 +67,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.3 -- name: "6.1.4 | L1 | PATCH | Ensure permissions on /etc/shadow are configured" +- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" file: dest: /etc/shadow owner: root @@ -75,24 +83,28 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.4 -- name: "6.1.5 | L1 | PATCH | Ensure permissions on /etc/shadow- are configured" +- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" file: - dest: /etc/shadow- + dest: /etc/group- owner: root group: root - mode: 0000 + mode: 0644 when: - rhel9cis_rule_6_1_5 tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.5 -- name: "6.1.6 | L1 | PATCH | Ensure permissions on /etc/gshadow are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured" file: dest: /etc/gshadow owner: root 
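Review bot: The renumbered 6.1.5 task is titled "Ensure permissions on /etc/group are configured" but its `dest` is `/etc/group-`, so `/etc/group` itself is never enforced by this file (6.1.9 already covers `/etc/group-`); change it to `dest: /etc/group`. The new 6.1.2 sticky-bit task is tagged `rule_1.1.21` and `permissons`, so `--tags rule_6.1.2` does not select it and `--tags permissions` misses it; they should be `rule_6.1.2` and `permissions`. That task's `find ... -perm -0002 2>/dev/null | xargs chmod a+t` also splits on whitespace, so a world-writable directory with a space in its name is skipped or the wrong path is chmod'ed; `find ... -print0 | xargs -0 chmod a+t` is the safe form, and `changed_when: false` hides that anything was changed.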
@@ -103,38 +115,44 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.6 -- name: "6.1.7 | L1 | PATCH | Ensure permissions on /etc/gshadow- are configured" +- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured" file: - dest: /etc/gshadow- + dest: /etc/passwd- owner: root group: root - mode: 0000 + mode: 0644 when: - rhel9cis_rule_6_1_7 tags: - level1-server - level1-workstation + - autoamted - patch + - permissions - rule_6.1.7 -- name: "6.1.8 | L1 | PATCH | Ensure permissions on /etc/group are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" file: - dest: /etc/group- + dest: /etc/shadow- owner: root group: root - mode: 0644 + mode: 0000 when: - - rhel9cis_rule_6_1_8 + - rhel9cis_rule_6_1_6 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.1.8 + - permissions + - rule_6.1.6 -- name: "6.1.9 | L1 | PATCH | Ensure permissions on /etc/group- are configured" +- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured" file: dest: /etc/group- owner: root 
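Review bot: The `/etc/shadow-` task in this hunk is renamed to "6.1.6", gated on `rhel9cis_rule_6_1_6` and tagged `rule_6.1.6`, the same ID the `/etc/gshadow` task already uses in the previous hunk; `rhel9cis_rule_6_1_8` is dropped, so the shadow-backup task can no longer be toggled on its own and `--tags rule_6.1.8` selects nothing. Following the numbering this commit otherwise adopts (6.1.7 passwd-, 6.1.9 group-, 6.1.10 gshadow-) it should be `6.1.8`, with `- rhel9cis_rule_6_1_8` and `- rule_6.1.8`. The 6.1.7 task is tagged `autoamted`, so it is skipped by `--tags automated`; correct it to `automated`.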
@@ -145,160 +163,189 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissionss - rule_6.1.9 -- name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist" +- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured" + file: + dest: /etc/gshadow- + owner: root + group: root + mode: 0000 + when: + - rhel9cis_rule_6_1_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - permissions + - rule_6.1.10 + +- name: "6.1.11 | PATCH | Ensure no world writable files exist" block: - - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - args: - warn: false failed_when: false changed_when: false - register: rhel_09_6_1_10_perms_results + register: rhel_08_6_1_11_perms_results - - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" + - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" debug: msg: "Good news! 
We have not found any world-writable files on your system" when: - - rhel_09_6_1_10_perms_results.stdout is not defined + - rhel_08_6_1_11_perms_results.stdout is not defined - - name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" + - name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" file: path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_09_6_1_10_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}" when: - - rhel_09_6_1_10_perms_results.stdout_lines is defined + - rhel_08_6_1_11_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust when: - - rhel9cis_rule_6_1_10 + - rhel9cis_rule_6_1_11 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.1.10 + - files + - permissions + - rule_6.1.11 -- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist" +- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist" block: - - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - shell: find "{{ item.mount }}" -xdev -nouser - args: - warn: false - check_mode: false - failed_when: false + - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" + command: find "{{ item.mount }}" -xdev -nouser changed_when: false + failed_when: false + check_mode: false + register: rhel_08_6_1_12_audit with_items: "{{ ansible_mounts }}" - register: rhel_09_6_1_11_audit + loop_control: + label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" + - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned 
files or directories" debug: msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_11_audit.results }}" + with_items: "{{ rhel_08_6_1_12_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 when: - - rhel9cis_rule_6_1_11 + - rhel9cis_rule_6_1_12 tags: - level1-server - level1-workstation + - automated - audit - - rule_6.1.11 + - files + - permissions + - rule_6.1.12 -- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist" +- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist" block: - - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - shell: find "{{ item.mount }}" -xdev -nogroup - args: - warn: false + - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" + command: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false - register: rhel_09_6_1_12_audit + register: rhel_08_6_1_13_audit with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" + - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" debug: msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_12_audit.results }}" + with_items: "{{ rhel_08_6_1_13_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 when: - - rhel9cis_rule_6_1_12 + - rhel9cis_rule_6_1_13 tags: - level1-server - level1-workstation - - patch - - rule_6.1.12 + 
- automated + - audit + - files + - permissions + - rule_6.1.13 -- name: "6.1.13 | L1 | AUDIT | Audit SUID executables" +- name: "6.1.14 | AUDIT | Audit SUID executables" block: - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables" + - name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 - args: - warn: false failed_when: false changed_when: false - register: rhel_09_6_1_13_perms_results + register: rhel_08_6_1_14_perms_results with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" debug: msg: "Good news! We have not found any SUID executable files on your system" failed_when: false changed_when: false when: - - rhel_09_6_1_13_perms_results.stdout is not defined + - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert SUID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" debug: msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - - rhel_09_6_1_13_perms_results.stdout is defined + - rhel_08_6_1_14_perms_results.stdout is defined when: - - rhel9cis_rule_6_1_13 + - rhel9cis_rule_6_1_14 tags: - level1-server - level1-workstation + - manual - audit - - rule_6.1.13 + - files + - rule_6.1.14 -- name: "6.1.14 | L1 | AUDIT | Audit SGID executables" +- name: "6.1.15 | AUDIT | Audit SGID executables" block: - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables" + - name: 
"6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 - args: - warn: false failed_when: false changed_when: false - register: rhel_09_6_1_14_perms_results + register: rhel_08_6_1_15_perms_results with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" debug: msg: "Good news! We have not found any SGID executable files on your system" failed_when: false changed_when: false when: - - rhel_09_6_1_14_perms_results.stdout is not defined + - rhel_08_6_1_15_perms_results.stdout is not defined - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert SGID executables exist" + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" when: - - rhel_09_6_1_14_perms_results.stdout is defined + - rhel_08_6_1_15_perms_results.stdout is defined when: - - rhel9cis_rule_6_1_14 + - rhel9cis_rule_6_1_15 tags: - level1-server - level1-workstation - - patch - - rule_6.1.14 + - manual + - audit + - files + - rule_6.1.15 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 7b9523bb..ff2b0c3a 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
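Review bot: The 6.1.14/6.1.15 alert tasks cannot report a SUID or SGID binary: the find is registered inside a `with_items` loop, so `rhel_08_6_1_14_perms_results` holds a `results` list and no top-level `stdout`, which makes the "Good news" condition `stdout is not defined` always true, while the alert task's `with_items: "{{ ...stdout_lines }}"` references an attribute that does not exist on that dict (and its message reads `item.stout_lines`); since the loop is expanded before `when`, that task should error rather than silently skip. Loop over `.results` and test per item as 6.1.12 in this same hunk does: `with_items: "{{ rhel_08_6_1_14_perms_results.results }}"`, `when: item.stdout_lines | length > 0`, message `{{ item.stdout_lines | join(', ') }}`. 6.1.11 applies the same `stdout is not defined` check to a non-loop register, where `stdout` is always defined, so its good-news message never fires. In the 6.1.11 patch task `state: touch` rewrites every matched file's timestamps on each run; `state: file` applies `mode: o-w` without that side effect. The `rhel_08_` register prefix in a rhel9 role is presumably a copy-over; `rhel9cis_` would match the rest of the file.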
@@ -1,9 +1,7 @@ --- -- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty" - shell: passwd -l {{ item }} - args: - warn: false +- name: "6.2.1 | PATCH | Ensure password fields are not empty" + command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" 
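Review bot: 6.2.1 still locks the empty-password accounts with `command: passwd -l {{ item }}` under `changed_when: false` and `failed_when: false`, so a run that actually locks an account reports no change and a failed lock is silently ignored, which matters for a control whose purpose is closing passwordless logins. The `user` module does this idempotently and reports accurately: `user:` with `name: "{{ item }}"` and `password_lock: true` in place of the `command`, dropping the two `*_when: false` lines. `empty_password_accounts` is registered outside this file, so its shape cannot be checked here.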
@@ -13,177 +11,268 @@ tags: - level1-server - level1-workstation + - automated - patch + - accounts - rule_6.2.1 -- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" - shell: sed -i '/^+/ d' /etc/passwd - args: - warn: false - changed_when: false - failed_when: false + +- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_2_2_passwd_gid_check + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + debug: + msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined when: - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - groups - rule_6.2.2 - - skip_ansible_lint -- name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity" +- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist" block: - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value" - shell: 'echo $PATH | grep ::' - args: - warn: false - check_mode: false - register: path_colon - changed_when: False - failed_when: path_colon.rc == 0 - - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end" - shell: 'echo $PATH | grep :$' - args: - warn: 
false - check_mode: false - register: path_colon_end - changed_when: False - failed_when: path_colon_end.rc == 0 - - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - args: - warn: false - check_mode: false - register: dot_in_path - changed_when: False - failed_when: '"." in dot_in_path.stdout_lines' + - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel9cis_6_2_3_user_uid_check - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: - msg: - - "The following paths have an empty value: {{ path_colon.stdout_lines }}" - - "The following paths have colon end: {{ path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ dot_in_path.stdout_lines }}" + msg: "Good News! 
There are no duplicate UID's in the system" + when: rhel9cis_6_2_3_user_uid_check.stdout is not defined - - name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" - file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - with_items: "{{ dot_in_path.stdout_lines }}" + - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + debug: + msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined when: - rhel9cis_rule_6_2_3 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - users - rule_6.2.3 -- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" - shell: sed -i '/^+/ d' /etc/shadow - args: - warn: false - changed_when: false - failed_when: false +- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist" + block: + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: false + failed_when: false + register: rhel9cis_6_2_4_user_user_check + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + debug: + msg: "Good News! 
There are no duplicate GIDs in the system" + when: rhel9cis_6_2_4_user_user_check.stdout is not defined + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + debug: + msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined when: - rhel9cis_rule_6_2_4 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - groups - rule_6.2.4 - - skip_ansible_lint -- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group" - shell: sed -i '/^+/ d' /etc/group - args: - warn: false - changed_when: false - failed_when: false +- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist" + block: + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel9cis_6_2_5_user_username_check + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + debug: + msg: "Good News! 
There are no duplicate user names in the system" + when: rhel9cis_6_2_5_user_username_check.stdout is not defined + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + debug: + msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined when: - rhel9cis_rule_6_2_5 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - users - rule_6.2.5 - - skip_ansible_lint -- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account" - shell: passwd -l {{ item }} - args: - warn: false +- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist" + block: + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_6_2_6_group_group_check + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + debug: + msg: "Good News! 
There are no duplicate group names in the system" + when: rhel9cis_6_2_6_group_group_check.stdout is defined + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + debug: + msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined + when: + - rhel9cis_rule_6_2_6 + tags: + - level1-server + - level1-workstation + - automated + - audit + - accounts + - groups + - rule_6.2.6 + +- name: "6.2.7 | PATCH | Ensure root PATH Integrity" + block: + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" + shell: 'echo $PATH | grep ::' + changed_when: False + failed_when: rhel9cis_6_2_7_path_colon.rc == 0 + check_mode: no + register: rhel9cis_6_2_7_path_colon + + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" + shell: 'echo $PATH | grep :$' + changed_when: False + failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 + check_mode: no + register: rhel9cis_6_2_7_path_colon_end + + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" + shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + changed_when: False + failed_when: '"." 
in rhel9cis_6_2_7_dot_in_path.stdout_lines' + check_mode: no + register: rhel9cis_6_2_7_dot_in_path + + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + debug: + msg: + - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}" + - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" + - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + + - name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" + file: > + path='{{ item }}' + follow=yes + state=directory + owner=root + mode='o-w,g-w' + with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + when: + - rhel9cis_rule_6_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - paths + - rule_6.2.7 + +- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account" + command: passwd -l {{ item }} changed_when: false failed_when: false - with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" + with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - - uid_zero_accounts_except_root.rc - - rhel9cis_rule_6_2_6 + - rhel9cis_uid_zero_accounts_except_root.rc + - rhel9cis_rule_6_2_8 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.6 + - accounts + - users + - rule_6.2.8 -- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.9 | PATCH | Ensure all users' home directories exist" block: - - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - register: 
rhel_09_6_2_7_audit - - - debug: - var: rhel_09_6_2_7_audit + register: rhel_08_6_2_9_audit + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - args: - warn: false + - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0 - register: rhel_09_6_2_7_patch_audit + changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0 + register: rhel_08_6_2_9_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | PATCH | Ensure all users' home directories exist" file: path: "{{ item.0 }}" - recurse: true + recurse: yes mode: a-st,g-w,o-rwx - register: rhel_09_6_2_7_patch + register: rhel_08_6_2_9_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 
or more restrictive" + - name: "6.2.9 | PATCH | Ensure all users' home directories exist" acl: path: "{{ item.0 }}" - default: true + default: yes state: present - recursive: true + recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container + when: not rhel9cis_system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -191,14 +280,17 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_7 + - rhel9cis_rule_6_2_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.7 + - users + - rule_6.2.9 + -- name: "6.2.8 | L1 | PATCH | Ensure users own their home directories" +- name: "6.2.10 | PATCH | Ensure users own their home directories" file: path: "{{ item.dir }}" owner: "{{ item.id }}" 
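Review bot: 6.2.6 "Ensure no duplicate group names exist" can never report a duplicate: it queries `getent passwd` instead of `getent group`, and its two debug conditions are inverted (the warning runs only when `stdout is not defined`, which is never the case for a registered command, while the good-news message runs whenever it is defined). It should be `shell: 'getent group | cut -d: -f1 | sort | uniq -d'`, with the good-news message on `stdout | length == 0` and the warning on `stdout | length > 0`. The `stdout is not defined` test in 6.2.2–6.2.5 is likewise always false for a registered shell result, so those tasks always print the warning with an empty list; in 6.2.3–6.2.5 the `pwck -r |` prefix is also dead, because awk is given `/etc/passwd`/`/etc/group` as a file argument and ignores stdin. 6.2.9 is titled "Ensure all users' home directories exist" but its body is the 750-permission fix duplicated verbatim in 6.2.11, and no task in this hunk creates a missing home directory, so that control is not implemented. 6.2.7's `failed_when: ...rc == 0` on the `::` and `:$` checks fails the play inside a block with no `rescue`, so a malformed root PATH aborts the run before the alert task below it can report.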
@@ -207,358 +299,178 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - min_int_uid | int >= item.uid - - rhel9cis_rule_6_2_8 + - item.uid >= rhel9cis_int_gid + - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation + - autoamted - patch - - rule_6.2.8 + - users + - rule_6.2.10 -- name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable" +- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" block: - - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -name "\.*" -perm /g+w,o+w - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_6_2_9_audit + - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + stat: + path: "{{ item }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + register: rhel_08_6_2_11_audit - - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! 
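Review bot: `default: yes` and `recursive: yes` in the ACL task replace the previous `true` with YAML 1.1 truthy forms; the rest of the file uses `true`/`false` (e.g. `check_mode: false`), and yamllint/ansible-lint flag the change, so keep `default: true` and `recursive: true` (the same applies to `recurse: yes` in the file task of this block, which starts before the hunk). The block is now titled "6.2.9 | Ensure all users' home directories exist", but every task in it is guarded by `item.1.exists` and only tightens mode/ACLs on directories that already exist, and the same find/file/acl trio reappears verbatim under 6.2.11 later in this file, so 6.2.9 looks like a copy of the permissions control rather than an implementation of "directories exist". The registered names `rhel_08_6_2_9_patch_audit` / `rhel_08_6_2_9_patch` carry an rhel_08 prefix inside a rhel9cis role; renaming them to the `rhel9cis_` convention used elsewhere in the file would make them greppable.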
We have not found any group or world-writable dot files on your sytem" + - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 + check_mode: false + changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0 + register: rhel_08_6_2_11_patch_audit when: - - rhel9cis_6_2_9_audit.stdout is not defined + - ansible_check_mode + - item.1.exists + with_together: + - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + loop_control: + label: "{{ item.0 }}" - - name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" file: - path: '{{ item }}' - mode: go-w - with_items: "{{ rhel9cis_6_2_9_audit.stdout_lines }}" + path: "{{ item.0 }}" + recurse: yes + mode: a-st,g-w,o-rwx + register: rhel_08_6_2_11_patch when: - - rhel9cis_6_2_9_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged - when: - - rhel9cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.9 - -- name: "6.2.10 | L1 | PATCH | Ensure no users have .forward files" - file: - state: absent - dest: "~{{ item }}/.forward" - with_items: "{{ users.stdout_lines }}" - when: - - rhel9cis_rule_6_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.10 + - not ansible_check_mode + - item.1.exists + with_together: + - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + loop_control: + label: "{{ item.0 }}" -- name: "6.2.11 | L1 | PATCH | Ensure no users have .netrc files" - file: - state: absent - dest: "~{{ item }}/.netrc" - with_items: "{{ users.stdout_lines }}" + # set default ACLs so the homedir has an effective umask of 
0027 + - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + acl: + path: "{{ item.0 }}" + default: yes + state: present + recursive: yes + etype: "{{ item.1.etype }}" + permissions: "{{ item.1.mode }}" + when: not rhel9cis_system_is_container + with_nested: + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | + rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" + - + - etype: group + mode: rx + - etype: other + mode: '0' when: - rhel9cis_rule_6_2_11 tags: - level1-server - level1-workstation + - automated - patch + - users + - permissions - rule_6.2.11 -- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible" - shell: /bin/true - args: - warn: false - changed_when: false - failed_when: false +- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable" + block: + - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: false + register: rhel9cis_6_2_12_audit + + - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + debug: + msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" + when: + - rhel9cis_6_2_12_audit.stdout is not defined + + - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + file: + path: '{{ item }}' + mode: go-w + with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}" + when: + - rhel9cis_6_2_12_audit.stdout is defined + - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_12 tags: - level1-server - level1-workstation + - automated - patch + - users + - permissions - rule_6.2.12 -- name: "6.2.13 | L1 | PATCH | Ensure no users have .rhosts files" - file: - state: absent - dest: "~{{ item }}/.rhosts" - with_items: "{{ users.stdout_lines }}" +- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" + command: /bin/true + changed_when: false + failed_when: false when: - rhel9cis_rule_6_2_13 tags: - level1-server - level1-workstation + - automated - patch + - users + - permissions + - notimplemented - rule_6.2.13 -- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: passwd_gid_check - - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! 
There are no users that have non-existent GUIDs (Groups)" - when: passwd_gid_check.stdout is not defined - - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "WARNING: The following users have non-existent GIDs (Groups): {{ passwd_gid_check.stdout_lines | join (', ') }}" - when: passwd_gid_check.stdout is defined +- name: "6.2.14 | PATCH | Ensure no users have .forward files" + file: + state: absent + dest: "~{{ item }}/.forward" + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - users + - files - rule_6.2.14 -- name: "6.2.15 | L1 | AUDIT Ensure no duplicate UIDs exist" - block: - - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - args: - warn: false - changed_when: false - failed_when: false - register: user_uid_check - - - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: - msg: "Good News! 
There are no duplicate UID's in the system" - when: user_uid_check.stdout is not defined - - - name: "6.2.15 | L1 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning: The following users have UIDs that are duplicates: {{ user_uid_check.stdout_lines }}" - when: user_uid_check.stdout is defined +- name: "6.2.15 | PATCH | Ensure no users have .netrc files" + file: + state: absent + dest: "~{{ item }}/.netrc" + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: - level1-server - level1-workstation + - automated - patch + - users + - files - rule_6.2.15 -- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - args: - warn: false - changed_when: false - failed_when: false - register: user_user_check - - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! 
There are no duplicate GIDs in the system" - when: user_user_check.stdout is not defined - - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning: The following groups have duplicate GIDs: {{ user_user_check.stdout_lines }}" - when: user_user_check.stdout is defined +- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" + file: + state: absent + dest: "~{{ item }}/.rhosts" + with_items: "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_16 tags: - level1-server - level1-workstation - - audit - - rule_6.2.16 - -- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - args: - warn: false - changed_when: false - failed_when: false - register: user_username_check - - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! 
There are no duplicate user names in the system" - when: user_username_check.stdout is not defined - - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning: The following user names are duplicates: {{ user_username_check.stdout_lines }}" - when: user_username_check.stdout is defined - when: - - rhel9cis_rule_6_2_17 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.17 - -- name: "6.2.18 | L1 | AUDIT |Ensure no duplicate group names exist" - block: - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: group_group_check - - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! There are no duplicate group names in the system" - when: group_group_check.stdout is defined - - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning: The following group names are duplicates: {{ group_group_check.stdout_lines }}" - when: group_group_check.stdout is not defined - when: - - rhel9cis_rule_6_2_18 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.18 - -- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty" - block: - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id" - shell: "getent group shadow | cut -d: -f3" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_shadow_gid - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group" - shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group - args: - warn: 
false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_empty_shadow - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow" - shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_shadow_passwd - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned" - debug: - msg: - - " Good News! The shadow group is empty and there are no users assigned to shadow" - when: - - rhel9cis_empty_shadow.stdout | length == 0 - - rhel9cis_shadow_passwd.stdout | length == 0 - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is not empty" - debug: - msg: - - "Alert! The shadow group is not empty" - when: - - rhel9cis_empty_shadow.stdout | length > 0 - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert users are using shadow group" - debug: - msg: - - "Alert! 
The following users are assigned to the shadow group, please assing them to the appropriate group" - - "{{ rhel9cis_shadow_passwd.stdout_lines }}" - when: - - rhel9cis_shadow_passwd.stdout | length > 0 - when: - - rhel9cis_rule_6_2_19 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.19 - -- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - block: - - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" - stat: - path: "{{ item }}" - register: rhel_09_6_2_20_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - - - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" - shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - args: - warn: false - check_mode: false - changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0 - register: rhel_09_6_2_20_patch_audit - when: - - ansible_check_mode - - item.1.exists - with_together: - - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - - - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - register: rhel_09_6_2_20_patch - when: - - not ansible_check_mode - - item.1.exists - with_together: - - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - acl: - path: "{{ item.0 }}" - default: true - state: present - recursive: true - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - when: - - not 
system_is_container
- with_nested:
- - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results |
- rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
- -
- - etype: group
- mode: rx
- - etype: other
- mode: '0'
- when:
- - rhel9cis_rule_6_2_20
- tags:
- - level1-server
- - level1-workstation
+ - automated
- patch
- - rule_6.2.20
+ - users
+ - files
+ - rule_6.2.16
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
index b6acabf8..61612730 100644
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
@@ -4,4 +4,4 @@
import_tasks: cis_6.1.x.yml
- name: "SECTION | 6.2 | User and Group Settings"
- import_tasks: cis_6.2.x.yml
+ import_tasks: cis_6.2.x.yml
\ No newline at end of file
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 43897d74..4716376b 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
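Review bot: The tag `autoamted` on the 6.2.10 task is misspelled, so a run limited with `--tags automated` silently skips that task; change it to `- automated` as on the neighbouring tasks. In 6.2.12 the conditions `rhel9cis_6_2_12_audit.stdout is not defined` and `... is defined` never discriminate anything, because a registered `shell` result always carries `stdout` (possibly empty): the "Good news" debug can never print and the file task is gated only by `rhel9cis_dotperm_ansiblemanaged`; use `rhel9cis_6_2_12_audit.stdout | length == 0` and `| length > 0` instead. That same audit hardcodes `find /home/ -maxdepth 2`, whereas 6.2.11 derives home directories from `rhel9cis_passwd`, so dot files in non-standard home directories are not checked, and `failed_when: false` masks any find error. The block for 6.2.11 starts inside this hunk, but 6.2.9/6.2.10 begin in the previous one.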
@@ -1,79 +1,92 @@ -# File created initially via RHEL9 CIS ansible-lockdown remdiation role -{% if rhel9cis_rule_4_1_3 %} +# This template will set all of the auditd configurations via a handler in the role in one task instead of individually +{% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope {% endif %} -{% if rhel9cis_rule_4_1_4 %} --w /var/log/faillog -p wa -k logins --w /var/log/lastlog -p wa -k logins +{% if rhel9cis_rule_4_1_3_2 %} +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} -{% if rhel9cis_rule_4_1_5 %} --w /var/run/utmp -p wa -k session --w /var/log/wtmp -p wa -k logins --w /var/log/btmp -p wa -k logins -{% endif %} -{% if rhel9cis_rule_4_1_6 %} --a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change --a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change --a always,exit -F arch=b64 -S clock_settime -k time-change --a always,exit -F arch=b32 -S clock_settime -k time-change --w /etc/localtime -p wa -k time-change +{% if rhel9cis_rule_4_1_3_3 %} +-w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file {% endif %} -{% if rhel9cis_rule_4_1_7 %} --w /etc/selinux/ -p wa -k MAC-policy --w /usr/share/selinux/ -p wa -k MAC-policy +{% if rhel9cis_rule_4_1_3_4 %} +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change +-w /etc/localtime -p wa -k time-change {% endif %} -{% if rhel9cis_rule_4_1_8 %} --a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale --a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +{% if rhel9cis_rule_4_1_3_5 %} +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale -w 
/etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale +-w /etc/sysconfig/network-scripts -p wa -k system-locale {% endif %} -{% if rhel9cis_rule_4_1_9 %} --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod -{% endif %} -{% if rhel9cis_rule_4_1_10 %} --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access -{% endif %} -{% if rhel9cis_rule_4_1_11 %} +{% if rhel9cis_rule_4_1_3_6 %} +{% for proc in priv_procs.stdout_lines -%} +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F 
auid!=4294967295 -k privileged +{% endfor %} +{% endif %} +{% if rhel9cis_rule_4_1_3_7 %} +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +{% endif %} +{% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity {% endif %} -{% if rhel9cis_rule_4_1_12 %} --a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts +{% if rhel9cis_rule_4_1_3_9 %} +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F 
key=perm_mod {% endif %} -{% if rhel9cis_rule_4_1_13 %} -{% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged -{% endfor %} +{% if rhel9cis_rule_4_1_3_10 %} +-a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +{% endif %} +{% if rhel9cis_rule_4_1_3_11 %} +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session +{% endif %} +{% if rhel9cis_rule_4_1_3_12 %} +-w /var/log/lastlog -p wa -k logins +-w /var/run/faillock -p wa -k logins +{% endif %} +{% if rhel9cis_rule_4_1_3_13 %} +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete +-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete +{% endif %} +{% if rhel9cis_rule_4_1_3_14 %} +-w /etc/selinux/ -p wa -k MAC-policy +-w /usr/share/selinux/ -p wa -k MAC-policy +{% endif %} +{% if rhel9cis_rule_4_1_3_15 %} +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng +{% endif %} +{% if rhel9cis_rule_4_1_3_16 %} +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng {% endif %} -{% if rhel9cis_rule_4_1_14 %} --a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete +{% if rhel9cis_rule_4_1_3_17 %} +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd {% endif %} -{% if rhel9cis_rule_4_1_15 %} --w /usr/sbin/insmod -p 
x -k modules --w /usr/sbin/rmmod -p x -k modules --w /usr/sbin/modprobe -p x -k modules --a always,exit -F arch=b64 -S init_module -S delete_module -k modules +{% if rhel9cis_rule_4_1_3_18 %} +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod {% endif %} -{% if rhel9cis_rule_4_1_16 %} --w /var/log/sudo.log -p wa -k actions +{% if rhel9cis_rule_4_1_3_19 %} +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules {% endif %} -{% if rhel9cis_rule_4_1_17 %} +{% if rhel9cis_rule_4_1_3_20 %} -e 2 {% endif %} From 19a218390d7f29ba2f5ad02ea8db3aa959934661 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 16:34:33 +0100 Subject: [PATCH 040/454] updates Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++++-- tasks/section_1/cis_1.5.x.yml | 11 ++++------- templates/{ => etc/cron.d}/aide.cron.j2 | 2 +- templates/etc/{ => sysctl.d}/60-disable_ipv6.conf.j2 | 3 +++ templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 8 ++++++++ templates/etc/{ => sysctl.d}/99-sysctl.conf.j2 | 11 ----------- 6 files changed, 22 insertions(+), 21 deletions(-) rename templates/{ => etc/cron.d}/aide.cron.j2 (95%) rename templates/etc/{ => sysctl.d}/60-disable_ipv6.conf.j2 (67%) create mode 100644 templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 rename templates/etc/{ => sysctl.d}/99-sysctl.conf.j2 (89%) diff --git a/handlers/main.yml b/handlers/main.yml index ad56e8b8..d2cf453d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
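Review bot: The b32 `-F exit=-EACCES` rule under `rhel9cis_rule_4_1_3_7` reads `-F auid!=-4294967295` (stray minus); the other three rules in that group use `auid!=4294967295`, so this one is either rejected when the rules are loaded or matches a different auid set, and 32-bit EACCES file-access events go unaudited — change it to `-F auid!=4294967295`. Every `auid>=` threshold is now taken from `rhel9cis_int_gid`, whose name suggests a group id; if it is meant to be UID_MIN from /etc/login.defs the name is misleading and worth confirming against defaults/main.yml. The 4.1.3.3 line `-w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file` depends on that variable having a default; a later patch in this series removes `rhel9cis_varlog_location` from defaults/main.yml, so check that it is still defined when this template is rendered.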
@@ -22,12 +22,16 @@ - name: update sysctl template: - src: etc/99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 notify: reload sysctl + with_items: + - 60-kernel_sysctl.conf + - 60-disable_ipv6.conf + - 99-sysctl.conf when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index d3602b21..a969def9 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -32,13 +32,10 @@ - rule_1.5.2 - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: yes - sysctl_set: yes - ignoreerrors: yes + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl when: - rhel9cis_rule_1_5_3 tags: diff --git a/templates/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 similarity index 95% rename from templates/aide.cron.j2 rename to templates/etc/cron.d/aide.cron.j2 index 848dcca4..f9014fad 100644 --- a/templates/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,5 +1,5 @@ # Run AIDE integrity check # added via ansible-lockdown remediation -# CIS 1.4.2 +# CIS 1.3.2 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} diff --git a/templates/etc/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 similarity index 67% rename from templates/etc/60-disable_ipv6.conf.j2 rename to templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 855d03d6..34ee10ca 100644 --- a/templates/etc/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 
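Review bot: The replacement 1.5.3 task is a `debug` with `notify: - update sysctl`, but handlers are only notified by a task that reports changed and `debug` never does, so this task will not trigger the handler or the subsequent sysctl reload; add `changed_when: true` to the debug task or notify from a task that actually makes a change. The removed `sysctl` module call also applied `kernel.randomize_va_space=2` to the running kernel immediately (`sysctl_set: yes`), whereas now the value is only rendered into a file and applied if the `reload sysctl` handler runs. The debug message names `/etc/sysctl.d/99-sysctl.conf`, while this same commit moves the setting into `60-kernel_sysctl.conf`; update the message so it matches.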
@@ -1,3 +1,6 @@
+# Setting added via ansible CIS remediation playbook
+
+# IPv6 disable
{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
new file mode 100644
index 00000000..cbfffeda
--- /dev/null
+++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
@@ -0,0 +1,8 @@
+# Setting added via ansible CIS remediation playbook
+
+
+{% if rhel9cis_rule_1_5_3 %}
+# Kernel sysctl
+# CIS 1.5.3
+kernel.randomize_va_space = 2
+{% endif %}
\ No newline at end of file
diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/sysctl.d/99-sysctl.conf.j2
similarity index 89%
rename from templates/etc/99-sysctl.conf.j2
rename to templates/etc/sysctl.d/99-sysctl.conf.j2
index 8feb96d6..177db219 100644
--- a/templates/etc/99-sysctl.conf.j2
+++ b/templates/etc/sysctl.d/99-sysctl.conf.j2
@@ -1,16 +1,5 @@
# Setting added via ansible CIS remediation playbook
-{% if rhel9cis_rule_1_6_1 %}
-# Filesystem sysctl
-# CIS 1.6.1
-fs.suid_dumpable = 0
-{% endif %}
-{% if rhel9cis_rule_1_6_2 %}
-# Kernel sysctl
-# CIS 1.6.2
-kernel.randomize_va_space = 2
-{% endif %}
-
# Network sysctl
{% if rhel9cis_rule_3_2_1 %}
# CIS 3.2.1
From f0c4701dbd45c49b19648adc3e30929d4ba2bb1a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 1 Apr 2022 15:26:13 +0100
Subject: [PATCH 041/454] updated controls
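Review bot: `fs.suid_dumpable = 0` (the old 1.6.1 block) is deleted from 99-sysctl.conf.j2 but, unlike `kernel.randomize_va_space`, it is not carried over into the new 60-kernel_sysctl.conf.j2 in this commit, so the core-dump restriction stops being rendered unless another task sets it; if it now lives elsewhere, a comment in 60-kernel_sysctl.conf.j2 pointing to it would prevent the next reader from re-adding it. The new 60-kernel_sysctl.conf.j2 also lacks a trailing newline, which the diff flags with `\ No newline at end of file`.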
Signed-off-by: Mark Bolwell --- defaults/main.yml | 160 ++++++++++++++++------------- group_vars/docker | 28 ----- group_vars/vagrant | 28 ----- handlers/main.yml | 20 ++-- tasks/main.yml | 8 +- tasks/post.yml | 31 +++++- tasks/prelim.yml | 16 ++- tasks/section_2/cis_2.1.x.yml | 9 +- tasks/section_3/cis_3.2.x.yml | 4 +- tasks/section_3/cis_3.3.x.yml | 18 ++-- tasks/section_3/cis_3.4.1.x.yml | 1 - tasks/section_3/main.yml | 34 +++--- tasks/section_4/main.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 2 +- tasks/section_5/cis_5.5.x.yml | 4 +- tasks/section_5/cis_5.6.x.yml | 4 +- tasks/section_6/cis_6.2.x.yml | 12 +-- templates/ansible_vars_goss.yml.j2 | 96 +++++------------ templates/audit/99_auditd.rules.j2 | 51 ++++----- templates/{ => etc}/chrony.conf.j2 | 0 templates/hosts.allow.j2 | 11 -- templates/ntp.conf.j2 | 59 ----------- vars/is_container.yml | 2 - 23 files changed, 237 insertions(+), 363 deletions(-) delete mode 100644 group_vars/docker delete mode 100644 group_vars/vagrant rename templates/{ => etc}/chrony.conf.j2 (100%) delete mode 100644 templates/hosts.allow.j2 delete mode 100644 templates/ntp.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index d2a2372c..78a2c0dc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -36,6 +36,9 @@ benchmark: RHEL9-CIS # Whether to skip the reboot skip_reboot: true +# default value will change to true but wont reboot if not enabled but will error +change_requires_reboot: false + #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### @@ -345,7 +348,7 @@ rhel9cis_rule_6_2_4: true rhel9cis_rule_6_2_5: true rhel9cis_rule_6_2_6: true rhel9cis_rule_6_2_7: true -rhel9cis_rule_6_2_8: false +rhel9cis_rule_6_2_8: true rhel9cis_rule_6_2_9: true rhel9cis_rule_6_2_10: true rhel9cis_rule_6_2_11: true 
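Review bot: The comment introduced above `change_requires_reboot: false` — `default value will change to true but wont reboot if not enabled but will error` — does not say what the flag controls or how it interacts with `skip_reboot` just above it. If the intent is what the wording hints at, something like `# Set by tasks when a change needs a reboot; with skip_reboot: true the role reports an error instead of rebooting` would be clearer — confirm against the tasks that read it, which are not in this hunk.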
@@ -355,46 +358,19 @@ rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: false -rhel9cis_cups_server: false -rhel9cis_dhcp_server: false -rhel9cis_ldap_server: false -rhel9cis_telnet_server: false -rhel9cis_nfs_server: false -rhel9cis_rpc_server: false -rhel9cis_ntalk_server: false -rhel9cis_rsyncd_server: false -rhel9cis_tftp_server: false -rhel9cis_rsh_server: false -rhel9cis_nis_server: false -rhel9cis_snmp_server: false -rhel9cis_squid_server: false -rhel9cis_smb_server: false -rhel9cis_dovecot_server: false -rhel9cis_httpd_server: false -rhel9cis_vsftpd_server: false -rhel9cis_named_server: false -rhel9cis_nfs_rpc_server: false -rhel9cis_is_mail_server: false -rhel9cis_bind: false -rhel9cis_vsftpd: false -rhel9cis_httpd: false -rhel9cis_dovecot: false -rhel9cis_samba: false -rhel9cis_squid: false -rhel9cis_net_snmp: false -rhel9cis_allow_autofs: false ## Section 1 vars -# 1.1.2 +#### 1.1.2 # These settings go into the /etc/fstab file for the /tmp mount settings # The value must contain nosuid,nodev,noexec to conform to CIS standards # rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" # If set true uses the tmp.mount service else using fstab configuration rhel9cis_tmp_svc: false +#### 1.1.9 +rhel9cis_allow_autofs: false + # 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! 
@@ -407,17 +383,15 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.3.3 var log location variable -rhel9cis_varlog_location: "/var/log/sudo.log" -# xinetd required -rhel9cis_xinetd_required: false + # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false + # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) # Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. rhel9cis_crypto_policy: "FUTURE" @@ -433,7 +407,7 @@ rhel9cis_config_aide: true # AIDE cron settings rhel9cis_aide_cron: cron_user: root - cron_file: /etc/cron.d/aide.cron + cron_file: /etc/cron.d/aide_cron aide_job: '/usr/sbin/aide --check' aide_minute: 0 aide_hour: 5 
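Review bot: Renaming the AIDE job file to `/etc/cron.d/aide_cron` leaves any `/etc/cron.d/aide.cron` written by an earlier run of the role in place, so upgraded hosts can end up with two scheduled integrity checks, or with the stale file still present if the new one is later removed. The rename itself looks right — cron implementations that apply run-parts naming rules skip files whose name contains a dot, which would mean the old job never ran on those hosts (verify against cronie on RHEL 9) — but the role should add a one-off cleanup next to the cron task, e.g. `- name: remove legacy AIDE cron file` / `file: path: /etc/cron.d/aide.cron` / `state: absent`. The task that writes the cron file is outside this hunk, so I cannot tell whether such cleanup already exists.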
@@ -445,92 +419,124 @@ rhel9cis_aide_cron: rhel9cis_selinux_pol: targeted # Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: false -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: false - -rhel9cis_openldap_clients_required: false -rhel9cis_telnet_required: false -rhel9cis_talk_required: false -rhel9cis_rsh_required: false -rhel9cis_ypbind_required: false +## 2. Services -# 2.2.1.1 Time Synchronization - Either chrony or ntp -rhel9cis_time_synchronization: chrony -# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +### 2.1 Time Synchronization +#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org - rhel9cis_chrony_server_options: "minpoll 8" -rhel9cis_ntp_server_options: "iburst" -## Section3 vars -# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured -rhel9cis_host_allow: - - "10.0.0.0/255.0.0.0" - - "172.16.0.0/255.240.0.0" - - "192.168.0.0/255.255.0.0" +### 2.2 Special Purposes +##### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: false +rhel9cis_gui: false +rhel9cis_avahi_server: false +rhel9cis_cups_server: false +rhel9cis_dhcp_server: false +rhel9cis_dns_server: false +rhel9cis_ftp_server: false +rhel9cis_vsftpd_server: false +rhel9cis_tftp_server: false +rhel9cis_httpd_server: false +rhel9cis_nginx_server: false +rhel9cis_dovecot_cyrus_server: false +rhel9cis_samba_server: false +rhel9cis_squid_server: false +rhel9cis_snmp_server: false +rhel9cis_nis_server: false +rhel9cis_telnet_server: false +rhel9cis_is_mail_server: false +rhel9cis_nfs_server: false +rhel9cis_rpc_server: false +rhel9cis_rsync_server: false + +#### 2.3 Service clients +rhel9cis_ypbind_required: false +rhel9cis_rsh_required: false +rhel9cis_talk_required: false +rhel9cis_telnet_required: false 
+rhel9cis_openldap_clients_required: false +rhel9cis_tftp_client: false -# Firewall Service - either firewalld, iptables, or nftables + +## Section3 vars +### Firewall Service - either firewalld, iptables, or nftables rhel9cis_firewall: firewalld -# 3.4.2.4 Default zone setting +##### firewalld rhel9cis_default_zone: public - -# 3.4.2.5 Zone and Interface setting -rhel9cis_int_zone: customezone +rhel9cis_int_zone: customzone rhel9cis_interface: eth0 - rhel9cis_firewall_services: - ssh - dhcpv6-client -# 3.4.3.2 Set nftables new table create +#### nftables rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter - -# 3.4.3.3 Set nftables new chain create rhel9cis_nft_tables_autochaincreate: true +#### iptables + # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars - +### 4.1 Configure System Accounting +#### 4.1.2 Configure Data Retention rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt max_log_file_action: keep_logs -rhel9cis_logrotate: "daily" - # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 -# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name +#### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com -# RHEL-09-4.2.1.5 +#### 4.2.1.7 rhel9cis_system_is_log_server: false +# 4.2.2.1.2 +# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +rhel9cis_journal_upload_url: 192.168.50.42 +# The paths below have the default paths/files, but allow user to create custom paths/filenames +rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" 
+rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + +# 4.2.2.1 +# The variables below related to journald, please set these to your site specific values +# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +rhel9cis_journald_systemmaxuse: 10M +# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +rhel9cis_journald_systemkeepfree: 100G +rhel9cis_journald_runtimemaxuse: 10M +rhel9cis_journald_runtimekeepfree: 100G +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +rhel9cis_journald_maxfilesec: 1month + +#### 4.3 +rhel9cis_logrotate: "daily" + ## Section5 vars rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: @@ -553,9 +559,10 @@ rhel9cis_ssh_maxsessions: 4 rhel9cis_inactivelock: lock_days: 30 + +rhel9cis_use_authconfig: false # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk -rhel9cis_use_authconfig: false rhel9cis_authselect: custom_profile_name: custom-profile default_file_to_copy: "sssd --symlink-meta" @@ -591,6 +598,11 @@ discover_int_uid: false min_int_uid: 1000 max_int_uid: 65533 +# 5.3.3 var log location variable +rhel9cis_sudolog_location: "/var/log/sudo.log" + +#### 5.3.6 +rhel9cis_sudo_timestamp_timeout: 15 # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) 
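Review bot: `rhel9cis_journal_upload_url: 192.168.50.42` ships a concrete private address as the role default, so anyone who enables 4.2.2.1.2 without overriding it will forward the host's journal — which may contain credentials, hostnames and other sensitive data — to whatever happens to answer at that IP. Use an obviously-placeholder value consistent with `rhel9cis_remote_log_server: logagg.example.com` a few lines above, e.g. `rhel9cis_journal_upload_url: journal-upload.example.com`, and note in the comment that systemd-journal-upload assumes https:// and port 19532 when no scheme or port is given (confirm against systemd-journal-upload(8) for the RHEL 9 systemd). Several operator-facing switches also appear to be renamed without aliases across this patch (`rhel9cis_smb_server`→`rhel9cis_samba_server`, `rhel9cis_rsyncd_server`→`rhel9cis_rsync_server`, `rhel9cis_named_server`→`rhel9cis_dns_server`, `rhel9cis_xinetd_required`→`rhel9cis_xinetd_server`), so an inventory that kept a service under the old name will silently fall back to the new `false` default and have that service removed; the Changelog for this version should list the renames. The journald defaults `rhel9cis_journald_systemmaxuse: 10M` against `rhel9cis_journald_systemkeepfree: 100G` are also very small for persistent retention and read like test values — confirm they are intended as site-tunable placeholders and say so in the comment.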
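Review bot: The comment `# 5.3.3 var log location variable` above the new `rhel9cis_sudolog_location` carries over the old vague wording; in this patch the value is both the `Defaults logfile=` path written into /etc/sudoers (tasks/section_5/cis_5.3.x.yml) and the file watched by the 4.1.3.3 auditd rule in templates/audit/99_auditd.rules.j2, so changing it affects both controls. Suggest `# 5.3.3 / 4.1.3.3 - path of the sudo log file; written to /etc/sudoers as Defaults logfile= and watched by the auditd sudo_log_file rule`. For `rhel9cis_sudo_timestamp_timeout: 15`, as far as I recall the benchmark treats 15 minutes as the ceiling for 5.3.6, so a comment saying "15 or lower to remain compliant" would stop operators raising it.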
diff --git a/group_vars/docker b/group_vars/docker deleted file mode 100644 index 5b6e3b29..00000000 --- a/group_vars/docker +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: root -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Workarounds for Docker -rhel9cis_skip_for_travis: true -rhel9cis_selinux_disable: true diff --git a/group_vars/vagrant b/group_vars/vagrant deleted file mode 100644 index 1c0fb37f..00000000 --- a/group_vars/vagrant +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: vagrant -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: 'aes256-ctr,aes192-ctr,aes128-ctr' - macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Vagrant can touch code that Docker cannot -rhel9cis_skip_for_travis: false -rhel9cis_selinux_disable: false diff --git a/handlers/main.yml b/handlers/main.yml index d2cf453d..9a99c242 100644 --- a/handlers/main.yml 
+++ b/handlers/main.yml @@ -76,12 +76,6 @@ name: firewalld state: restarted -- name: restart xinetd - become: true - service: - name: xinetd - state: restarted - - name: restart sshd become: true service: @@ -135,12 +129,20 @@ name: rsyslog state: restarted -- name: restart syslog-ng - become: true +- name: restart journald service: - name: syslog-ng + name: systemd-journald + state: restarted + +- name: restart systemd_journal_upload + service: + name: systemd-journal-upload state: restarted - name: systemd_daemon_reload systemd: daemon-reload: true + +- name: change_requires_reboot + set_fact: + change_requires_reboot: true diff --git a/tasks/main.yml b/tasks/main.yml index b316f67e..f44197ca 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -112,9 +112,11 @@ - rhel9cis_section6 tags: - rule_5.5.2 - - rule_6.2.7 - - rule_6.2.8 - - rule_6.2.20 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 - rhel9cis_section6 - name: run Section 1 tasks diff --git a/tasks/post.yml b/tasks/post.yml index 5f547374..28a2e9ef 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -66,7 +66,30 @@ - name: flush handlers meta: flush_handlers -- name: Reboot host - reboot: - when: - - not skip_reboot +- name: POST | reboot system if changes require it and not skipped + block: + - name: POST | Reboot system if changes require it and not skipped + reboot: + when: + - change_requires_reboot + - not skip_reboot + + - name: POST | Warning a reboot required but skip option set + debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - skip_reboot + tags: + - grub + - level1-server + - level1-workstation + - level2-server + - level2-workstation + - rhel9cis_section1 + - rhel9cis_section2 + - rhel9cis_section3 + - rhel9cis_section4 + - rhel9cis_section5 + - rhel9cis_section6 
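Review bot: The new `restart journald` and `restart systemd_journal_upload` handlers have no `become: true`, unlike the `restart sshd` handler visible in the same file and the `restart xinetd`/`restart syslog-ng` handlers they replace, so in a play that is not already running as root the restart fails with a permission error after journald.conf has already been changed, leaving the host with a modified but unapplied logging configuration. Add `become: true` to both handlers to match the surrounding ones. The `change_requires_reboot` handler is fine as a `set_fact`, since post.yml reads it per host.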
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5521a8d2..1cb873c1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -32,8 +32,9 @@ warn: false changed_when: false check_mode: false - register: uid_zero_accounts_except_root + register: rhel9cis_uid_zero_accounts_except_root tags: + - rule_6.2.8 - level1-server - level1-workstation - users @@ -144,6 +145,19 @@ - authconfig - auditd +- name: "PRELIM | 5.3.4 | Find all sudoers files." + command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_sudoers_files + when: + - rhel9cis_rule_5_3_4 or + rhel9cis_rule_5_3_5 + tags: + - rule_5.3.4 + - rule_5.3.5 + - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 5b5cf130..ba927e9c 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -2,11 +2,11 @@ - name: "2.1.1 | PATCH | Ensure time synchronization is in use" package: - name: "{{ rhel9cis_time_synchronization }}" + name: chrony state: present when: - rhel9cis_rule_2_1_1 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation @@ -18,7 +18,7 @@ block: - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" template: - src: chrony.conf.j2 + src: etc/chrony.conf.j2 dest: /etc/chrony.conf owner: root group: root @@ -33,9 +33,8 @@ create: yes mode: 0644 when: - - rhel9cis_time_synchronization == "chrony" - rhel9cis_rule_2_1_2 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index ec397d37..38c94334 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
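Review bot: The new `PRELIM | 5.3.4 | Find all sudoers files.` task sets `failed_when: false`, so if `find` errors (for example because /etc/sudoers.d is missing or unreadable) `rhel9cis_sudoers_files.stdout_lines` is simply empty and whatever 5.3.4/5.3.5 do with it — presumably a loop — silently enforces nothing while the play still reports success. Since /etc/sudoers always exists when sudo is installed, it is safer to drop `failed_when: false`, or keep it and add `failed_when: rhel9cis_sudoers_files.stdout_lines | length == 0` so a misconfigured host fails loudly. The `! -name '*.*'` and `! -name '*~'` filters mirror the names sudo's `@includedir` itself ignores, which is worth stating so nobody "fixes" them: `# skip names containing a dot or ending in ~, which sudo's @includedir ignores (sudoers(5))`.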
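Review bot: The 2.1.1 and 2.1.2 tasks now gate on `not system_is_container` instead of `not rhel9cis_system_is_container`, and cis_6.2.x in this patch makes the same switch; if the bare name is not set by prelim.yml or vars/is_container.yml (which the diffstat shows shrinking by two lines) before section 2 runs, every one of these tasks fails with an undefined-variable error rather than being skipped. Confirm where `system_is_container` is defined, or fall back safely with `not (system_is_container | default(false))`. Hard-coding `name: chrony` is reasonable for RHEL 9, where ntp is no longer shipped, but the template task still uses `mode: 0644` unquoted — writing `mode: "0644"` avoids YAML octal surprises.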
@@ -17,7 +17,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.2.1 + - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation @@ -42,7 +42,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.2.2 + - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 7187816a..8c15cde3 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -17,7 +17,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.3.1 + - rhel9cis_rule_3_3_1 tags: - level1-server - level1-workstation @@ -42,7 +42,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.3.2 + - rhel9cis_rule_3_3_2 tags: - level1-server - level1-workstation @@ -55,7 +55,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.3 + - rhel9cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -68,7 +68,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.4 + - rhel9cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -81,7 +81,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.5 + - rhel9cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -94,7 +94,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.6 + - rhel9cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -107,7 +107,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.7 + - rhel9cis_rule_3_3_7 tags: - level1-server - level1-workstation 
@@ -120,7 +120,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.8 + - rhel9cis_rule_3_3_8 tags: - level1-server - level1-workstation @@ -146,7 +146,7 @@ when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - - rhel9cis_rule_3.3.9 + - rhel9cis_rule_3_3_9 tags: - level2-server - level2-workstation diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 753a4e57..5bd6a3c0 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -22,7 +22,6 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - enabled: false masked: true with_items: - iptables diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 13b42fcf..7c6dc9b9 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
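Review bot: After this change the `3.4.1.2 … Stop running services` task only sets `masked: true`; masking prevents future starts but does not stop a unit that is already active, and with `enabled: false` gone the task no longer disables it either, so a host where iptables.service is running keeps it running alongside firewalld until the next reboot, with two services managing the ruleset. If the intent is what the task name says, keep `enabled: false` and add `state: stopped` next to `masked: true`. The `with_items` list continues past the hunk, so I cannot see whether ip6tables is included.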
@@ -1,41 +1,35 @@ --- -- name: "SECTION | 3.1.x | Packet and IP redirection" +- name: "SECTION | 3.1.x | Disable unused network protocols and devices" import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" import_tasks: cis_3.2.x.yml -- name: "SECTION | 3.3.x | Uncommon Network Protocols" +- name: "SECTION | 3.3.x | Network Parameters (host and Router)" import_tasks: cis_3.3.x.yml -- name: "SECTION | 3.4.1.x | firewall defined" - import_tasks: cis_3.4.1.1.yml - -- name: "SECTION | 3.4.2.x | firewalld firewall" - include_tasks: cis_3.4.2.x.yml +- name: "SECTION | 3.4.1.x | Configure firewalld" + import_tasks: cis_3.4.1.x.yml when: - rhel9cis_firewall == "firewalld" -- name: "SECTION | 3.4.3.x | Configure nftables firewall" - include_tasks: cis_3.4.3.x.yml +- name: "SECTION | 3.4.2.x | Configure nftables" + include_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "nftables" -- name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - include_tasks: cis_3.4.4.1.x.yml +- name: "SECTION | 3.4.3.1.x | Configure iptables" + include_tasks: cis_3.4.3.1.x.yml when: - rhel9cis_firewall == "iptables" -- name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - include_tasks: cis_3.4.4.2.x.yml +- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4" + include_tasks: cis_3.4.3.2.x.yml when: - - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - -- name: "SECTION | 3.5 | Configure wireless" - import_tasks: cis_3.5.yml + - rhel9cis_firewall == "iptables" -- name: "SECTION | 3.5 | disable IPv6" - include_tasks: cis_3.5.yml +- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6" + include_tasks: cis_3.4.3.3.x.yml when: - - not rhel9cis_ipv6_required + - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 3b3ab95c..d28e3cef 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
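Review bot: The firewall sub-sections are still pulled in with `include_tasks` while every other section in this file uses `import_tasks`; a dynamic include carries none of the `level1-server`/`rule_3.4.x` tags of the tasks inside it, so a run filtered with `--tags` skips the include itself and therefore the whole firewall configuration, unless the include task is tagged. Either switch these four to `import_tasks` with the same `when:` (the condition is then applied to each imported task) or add `tags: always` to each include. This hunk also drops the `SECTION | 3.5 | disable IPv6` include that was gated on `not rhel9cis_ipv6_required`; if that control moved into cis_3.1.x.yml that is fine, but nothing here shows where it went, and the 3.3.x tasks still branch on `rhel9cis_ipv6_required`.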
@@ -9,7 +9,7 @@ import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - import_tasks: cis_4.1.x.yml + import_tasks: cis_4.1.3.x.yml - name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index b6dc07a9..bd97cc3c 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -33,7 +33,7 @@ lineinfile: dest: /etc/sudoers regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' + line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' state: present when: - rhel9cis_rule_5_3_3 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 8c5d301f..71a37e54 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel9cis_int_gid | int > item.gid + - min_int_uid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - rhel9cis_int_gid | int > item.gid + - min_int_uid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 3d9cf327..6106e6e5 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel9cis_int_gid | int < item.gid + - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: @@ -30,7 +30,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - rhel9cis_int_gid | int < item.gid + - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: 
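Review bot: The 5.3.3 task edits /etc/sudoers in place with `lineinfile` and no `validate:`, so a bad value in `rhel9cis_sudolog_location` (an unbalanced quote, for instance) produces a sudoers file that sudo refuses to parse and locks every administrator out of sudo on that host. Add `validate: '/usr/sbin/visudo -cf %s'` to the lineinfile so the change is syntax-checked before the file is replaced. The rest of the task's parameters are outside the hunk.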
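Review bot: `min_int_uid | int > item.gid` in cis_5.5.x (and the mirrored `<` in cis_5.6.x) compares a UID floor against the account's primary GID; for users whose primary group has a low GID — a shared `staff` or `wheel`-style group, say — interactive accounts are classified as system accounts and vice versa, so the shell/ageing fixes these tasks apply are silently skipped for exactly the accounts they should cover. If the intent is "system account" versus "interactive user", the filter should be `min_int_uid | int > item.uid` here and `min_int_uid | int < item.uid` in cis_5.6.x, which is what the benchmark keys on. `item` is built outside these hunks, so confirm it exposes `uid` the way the passwd list used in cis_6.2.x does.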
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ff2b0c3a..096a3106 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -230,7 +230,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +270,7 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -299,13 +299,13 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - item.uid >= rhel9cis_int_gid + - min_int_uid | int <= item.uid - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation - - autoamted + - automated - patch - users - rule_6.2.10 @@ -315,7 +315,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" 
@@ -356,7 +356,7 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ec9dac64..babc8d6e 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -281,39 +281,36 @@ rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} -rhel9cis_ldap_server: {{ rhel9cis_ldap_server }} -rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }} -rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} -rhel9cis_rsh_server: {{ rhel9cis_rsh_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} -rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_squid_server: {{ rhel9cis_squid_server }} -rhel9cis_smb_server: {{ rhel9cis_smb_server }} -rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} -rhel9cis_named_server: {{ rhel9cis_named_server }} -rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} +rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_bind: {{ rhel9cis_bind }} -rhel9cis_vsftpd: {{ rhel9cis_vsftpd }} -rhel9cis_httpd: {{ rhel9cis_httpd }} -rhel9cis_dovecot: {{ rhel9cis_dovecot }} -rhel9cis_samba: {{ rhel9cis_samba }} -rhel9cis_squid: {{ rhel9cis_squid }} -rhel9cis_net_snmp: {{ rhel9cis_net_snmp}} +rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} 
+rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} +rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} + + rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} # client services -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} -rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} + + + # AIDE rhel9cis_config_aide: {{ rhel9cis_config_aide }} @@ -343,14 +340,12 @@ rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # End Banner -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }} # Whether or not to run tasks related to auditing/patching the desktop environment rhel9cis_gui: {{ rhel9cis_gui }} # xinetd required -rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }} +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} # IPv6 required rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} @@ -358,10 +353,6 @@ rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} # System network parameters (host only OR host and router) rhel9cis_is_router: {{ rhel9cis_is_router }} -# Time Synchronization -rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }} - -rhel9cis_varlog_location: {{ rhel9cis_varlog_location }} rhel9cis_firewall: {{ rhel9cis_firewall }} #rhel9cis_firewall: iptables @@ -373,7 +364,6 @@ rhel9cis_firewall_interface: rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - ### Section 4 ## auditd settings rhel9cis_auditd: 
@@ -395,45 +385,11 @@ rhel9cis_sshd_access: DenyUser: DenyGroup: -rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -rhel9cis_ssh_weak_ciphers: - 3des-cbc - aes128-cbc - aes192-cbc - aes256-cbc - arcfour - arcfour128 - arcfour256 - blowfish-cbc - cast128-cbc - rijndael-cbc@lysator.liu.se - -rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256 -rhel9cis_ssh_weak_macs: - hmac-md5 - hmac-md5-96 - hmac-ripemd160 - hmac-sha1 - hmac-sha1-96 - umac-64@openssh.com - umac-128@openssh.com - hmac-md5-etm@openssh.com - hmac-md5-96-etm@openssh.com - hmac-ripemd160-etm@openssh.com - hmac-sha1-etm@openssh.com - hmac-sha1-96-etm@openssh.com - umac-64-etm@openssh.com - umac-128-etm@openssh.com - -rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -rhel9cis_ssh_weak_kex: - diffie-hellman-group1-sha1 - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 - rhel9cis_ssh_aliveinterval: "300" rhel9cis_ssh_countmax: "3" +rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} + ## PAM rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password.minlen }} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 4716376b..90bddb43 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
@@ -1,14 +1,14 @@ # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope +-w /etc/sudoers.d -p wa -k scope {% endif %} {% if rhel9cis_rule_4_1_3_2 %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} {% if rhel9cis_rule_4_1_3_3 %} --w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file +-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file {% endif %} {% if rhel9cis_rule_4_1_3_4 %} -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change 
@@ -26,14 +26,14 @@ {% endif %} {% if rhel9cis_rule_4_1_3_6 %} {% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged {% endfor %} {% endif %} {% if rhel9cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access {% endif %} {% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity 
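Review bot: The third 4.1.3.7 rule now reads `-F auid!=-unset`, which is not valid auditctl syntax (it inherits the old line's `auid!=-4294967295` typo); auditctl rejects that line, and depending on how the rules are loaded the error can abort loading of every rule after it, so the 32-bit `access` rules and much of the rest of this template may never be installed. Change it to `-F auid!=unset` like the other three lines. It would be worth running `augenrules --check` (or `auditctl -R` on the rendered file) in CI so a malformed rule fails the play instead of silently degrading auditing.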
@@ -43,16 +43,16 @@ -w /etc/security/opasswd -p wa -k identity {% endif %} {% if rhel9cis_rule_4_1_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod {% endif %} {% if rhel9cis_rule_4_1_3_10 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>={{ 
min_int_uid }} -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts {% endif %} {% if rhel9cis_rule_4_1_3_11 %} -w /var/run/utmp -p wa -k session 
@@ -64,29 +64,30 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel9cis_rule_4_1_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_3_14 %}
--w /etc/selinux/ -p wa -k MAC-policy
--w /usr/share/selinux/ -p wa -k MAC-policy
+-w /etc/selinux -p wa -k MAC-policy
+-w /usr/share/selinux -p wa -k MAC-policy
 {% endif %}
 {% if rhel9cis_rule_4_1_3_15 %}
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_4_1_3_16 %}
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_4_1_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd
 {% endif %}
 {% if rhel9cis_rule_4_1_3_18 %}
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel9cis_rule_4_1_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_4_1_3_20 %}
 -e 2
+
 {% endif %}
diff --git a/templates/chrony.conf.j2 b/templates/etc/chrony.conf.j2
similarity index 100%
rename from templates/chrony.conf.j2
rename to templates/etc/chrony.conf.j2
diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
deleted file mode 100644
index 4bab3d1f..00000000
--- a/templates/hosts.allow.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# hosts.allow This file contains access rules which are used to
-# allow or deny connections to network services that
-# either use the tcp_wrappers library or that have been
-# started through a tcp_wrappers-enabled xinetd.
-#
-# See 'man 5 hosts_options' and 'man 5 hosts_access'
-# for information on rule syntax.
-# See 'man tcpd' for information on tcp_wrappers
-#
-ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
deleted file mode 100644
index c745ab14..00000000
--- a/templates/ntp.conf.j2
+++ /dev/null
@@ -1,59 +0,0 @@
-# For more information about this file, see the man pages
-# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
-
-driftfile /var/lib/ntp/drift
-
-# Permit time synchronization with our time source, but do not
-# permit the source to query or modify the service on this system.
-#restrict default nomodify notrap nopeer noquery
-restrict -4 default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
-# Permit all access over the loopback interface. This could
-# be tightened as well, but to do so would effect some of
-# the administrative functions.
-restrict 127.0.0.1
-restrict ::1
-
-# Hosts on local network are less restricted.
-#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
-
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-{% for server in rhel9cis_time_synchronization_servers -%}
-server {{ server }} {{ rhel9cis_ntp_server_options }}
-{% endfor %}
-
-#broadcast 192.168.1.255 autokey # broadcast server
-#broadcastclient # broadcast client
-#broadcast 224.0.1.1 autokey # multicast server
-#multicastclient 224.0.1.1 # multicast client
-#manycastserver 239.255.254.254 # manycast server
-#manycastclient 239.255.254.254 autokey # manycast client
-
-# Enable public key cryptography.
-#crypto
-
-includefile /etc/ntp/crypto/pw
-
-# Key file containing the keys and key identifiers used when operating
-# with symmetric key cryptography.
-keys /etc/ntp/keys
-
-# Specify the key identifiers which are trusted.
-#trustedkey 4 8 42
-
-# Specify the key identifier to use with the ntpdc utility.
-#requestkey 8
-
-# Specify the key identifier to use with the ntpq utility.
-#controlkey 8
-
-# Enable writing of statistics records.
-#statistics clockstats cryptostats loopstats peerstats - -# Disable the monitoring facility to prevent amplification attacks using ntpdc -# monlist command when default restrict does not include the noquery flag. See -# CVE-2013-5211 for more details. -# Note: Monitoring will not be disabled with the limited restriction flag. -disable monitor diff --git a/vars/is_container.yml b/vars/is_container.yml index a8ac4fb0..33a23e80 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -6,8 +6,6 @@ ## controls -# Authconfig -rhel9cis_use_authconfig: false # Firewall rhel9cis_firewall: None From a7403f860f32afedcd218ed5b9df6bce7b5edb43 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 16:37:24 +0100 Subject: [PATCH 042/454] removed travis variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - handlers/main.yml | 2 -- tasks/section_4/cis_4.1.1.x.yml | 1 - 3 files changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 78a2c0dc..d60f34a7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,6 @@ --- # defaults file for rhel9-cis -rhel9cis_skip_for_travis: false system_is_container: false container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline diff --git a/handlers/main.yml b/handlers/main.yml index 9a99c242..88616083 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -110,8 +110,6 @@ failed_when: false args: warn: false - when: - - not rhel9cis_skip_for_travis tags: - skip_ansible_lint diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 8b9eeff5..c78be9b7 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -29,7 +29,6 @@ state: started enabled: yes when: - - not rhel9cis_skip_for_travis - rhel9cis_rule_4_1_1_2 - ansible_connection != 'docker' tags: From 2565df604754aef20df4ba6bbb0773e936f86b46 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 1 Apr 2022 16:41:05 +0100 Subject: [PATCH 043/454] removed notauto var as not used Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - templates/ansible_vars_goss.yml.j2 | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d60f34a7..9777816c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,7 +10,6 @@ system_is_ec2: false # Run the OS validation check os_check: true -rhel9cis_notauto: false rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index babc8d6e..cc0c7bd9 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -9,8 +9,7 @@ rhel9cis_os_distribution: {{ ansible_distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: {{ audit_cmd_timeout }} -# Taken from LE rhel9-cis -rhel9cis_notauto: {{ rhel9cis_notauto }} +# Taken from LE rhel8-cis rhel9cis_section1: {{ rhel9cis_section1 }} rhel9cis_section2: {{ rhel9cis_section2 }} rhel9cis_section3: {{ rhel9cis_section3 }} From 2d21f8a98e2ba33ab9c349ff169832e143503d78 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 17:09:53 +0100 Subject: [PATCH 044/454] tidy up vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 21 +--------- tasks/prelim.yml | 10 ++--- tasks/section_3/cis_3.2.x.yml | 66 ++++++++++++++++-------------- tasks/section_3/cis_3.4.1.x.yml | 7 ---- tasks/section_3/cis_3.4.2.x.yml | 10 ----- tasks/section_3/cis_3.4.3.1.x.yml | 3 -- tasks/section_3/cis_3.4.3.2.x.yml | 6 --- tasks/section_3/cis_3.4.3.3.x.yml | 11 ----- templates/ansible_vars_goss.yml.j2 | 6 +-- vars/is_container.yml | 4 +- 10 files changed, 45 insertions(+), 99 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9777816c..b93995bf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
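Review bot: The replacement comment reads `# Taken from LE rhel8-cis` although the removed line said rhel9-cis and every variable below it is `rhel9cis_`-prefixed, so it looks like a paste from the RHEL 8 role rather than an intended edit. If the intent is to record that these values mirror the role's own defaults, `# Taken from LE rhel9-cis defaults/main.yml` says so; if it is meant to credit the upstream role, `# Derived from LE rhel8-cis` avoids suggesting the wrong role is the source. The template section continues outside the hunk.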
@@ -114,8 +114,6 @@ rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true -rhel9cis_rule_1_6_1: true -rhel9cis_rule_1_6_2: true rhel9cis_rule_1_6_1_1: true rhel9cis_rule_1_6_1_2: true rhel9cis_rule_1_6_1_3: true @@ -137,7 +135,6 @@ rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -rhel9cis_rule_1_11: true # Section 2 rules rhel9cis_rule_2_1_1: true @@ -469,11 +466,6 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_int_zone: customzone -rhel9cis_interface: eth0 -rhel9cis_firewall_services: - - ssh - - dhcpv6-client #### nftables rhel9cis_nft_tables_autonewtable: true @@ -541,13 +533,6 @@ rhel9cis_sshd: # allowgroups: systems dba # denyusers: # denygroups: -rhel9cis_pam_faillock: - attempts: 5 - interval: 900 - unlock_time: 900 - fail_for_root: no - remember: 5 - pwhash: sha512 # 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE rhel9cis_ssh_loglevel: INFO @@ -580,11 +565,7 @@ rhel9cis_pass: rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true -rhel9cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: false + ## PAM rhel9cis_pam_password: minlen: "14" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1cb873c1..47d1434d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -56,13 +56,11 @@ check_mode: false register: system_wide_crypto_policy when: - - rhel9cis_rule_1_10 or - rhel9cis_rule_1_11 + - rhel9cis_rule_1_10 tags: - level1-server - level1-workstation - - rule_1.10 or - rule_1.11 + - rule_1.10 - crypto - name: "PRELIM | if systemd coredump" @@ -70,11 +68,11 @@ path: /etc/systemd/coredump.conf register: systemd_coredump when: - - rhel9cis_rule_1_6_1 + - rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation - - rule_1.6.1 + - rule_1.5.1 - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" 
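Review bot: The `PRELIM | if systemd coredump` task is now gated only on `rhel9cis_rule_1_5_1`, yet the `systemd_coredump` it registers is presumably also what 1.5.2, the other coredump.conf control in this series, consumes; if so, a run with 1.5.1 disabled and 1.5.2 enabled fails on an undefined variable. Gate it on both, `- rhel9cis_rule_1_5_1 or rhel9cis_rule_1_5_2`, and add `- rule_1.5.2` next to `- rule_1.5.1` in the tag list so a tag-limited run of 1.5.2 still collects the fact. The task's first lines are outside the hunk.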
diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
index 38c94334..f9a759c3 100644
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@@ -1,51 +1,55 @@ --- -- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" + sysctl: + name: net.ipv4.ip_forward + value: '0' + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table - - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + sysctl: + name: net.ipv6.conf.all.forwarding + value: '0' + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv6 route table when: rhel9cis_ipv6_required when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation + - automated - sysctl - patch - rule_3.2.1 -- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + sysctl: + name: '{{ item.name }}' + value: '{{ 
item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table + with_items: + - { name: net.ipv4.conf.all.send_redirects, value: 0 } + - { name: net.ipv4.conf.default.send_redirects, value: 0 } when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation - - sysctl + - automated - patch - - rule_3.2.2 \ No newline at end of file + - sysctl + - rule_3.2.2 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 5bd6a3c0..51fb5b03 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -8,7 +8,6 @@ state: present when: - rhel9cis_rule_3_4_1_1 - - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation @@ -34,7 +33,6 @@ state: absent when: - rhel9cis_rule_3_4_1_2 - - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation @@ -49,7 +47,6 @@ state: stopped masked: yes when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_3 tags: - level1-server @@ -65,7 +62,6 @@ state: started enabled: yes when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_4 tags: - level1-server @@ -78,7 +74,6 @@ - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_5 tags: - level1-server @@ -103,7 +98,6 @@ - "The items below are the policies tied to the interfaces, please correct as needed" - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_6 tags: - level1-server @@ -127,7 +121,6 @@ - "The items below are the services and ports that are accepted, please correct as needed" - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_7 tags: - level1-server 
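Review bot: Neither new `sysctl` task sets `sysctl_file`, so the module persists to its default /etc/sysctl.conf while the rest of the role's kernel parameters go through the `update sysctl` handler into a drop-in under /etc/sysctl.d; two files owning the same keys is hard to audit, so add `sysctl_file: <path the handler writes>` to both tasks or keep notifying the handler. `rhel9cis_is_router` is referenced in both `when:` lists but no default for it appears in this commit's defaults/main.yml hunks; if it is not defined elsewhere both tasks fail on an undefined variable. `ignoreerrors: yes` also turns an unknown key (for example the IPv6 key on a host with IPv6 disabled at boot) into an `ok`, so a control that was not applied is invisible in the run output. Separately, the hunks in this commit that drop the `rhel9cis_firewall == "..."` guards from cis_3.4.1.x, cis_3.4.2.x and cis_3.4.3.x leave the firewalld, nftables and iptables install/remove tasks gated only by their rule flags, which with the flags at their defaults could have each section remove the other's packages unless the selection has moved to the include in tasks/main.yml, which is not visible here.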
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index e5b0c9a7..23717c2a 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -5,7 +5,6 @@ name: nftables state: present when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server @@ -22,7 +21,6 @@ name: firewalld state: absent when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - level1-server @@ -49,7 +47,6 @@ name: iptables-service state: absent when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -107,7 +104,6 @@ failed_when: no when: rhel9cis_nft_tables_autonewtable when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server @@ -159,7 +155,6 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } when: rhel9cis_nft_tables_autochaincreate when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server @@ -201,7 +196,6 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_7 tags: - level1-server @@ -249,7 +243,6 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_8 tags: - level1-server @@ -301,7 +294,6 @@ command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_9 tags: - level1-server 
@@ -316,7 +308,6 @@ name: nftables enabled: yes when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 tags: - level1-server @@ -333,7 +324,6 @@ insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_11 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml index 926c6854..5d07856c 100644 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ b/tasks/section_3/cis_3.4.3.1.x.yml @@ -7,7 +7,6 @@ - iptables-services state: present when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_1 tags: - level1-server @@ -22,7 +21,6 @@ name: nftables state: absent when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_2 tags: - level1-server @@ -39,7 +37,6 @@ name: firewalld state: absent when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_3 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml index 3348fb5c..e600ae73 100644 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ b/tasks/section_3/cis_3.4.3.2.x.yml @@ -23,7 +23,6 @@ source: 127.0.0.0/8 jump: DROP when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_1 tags: - level1-server @@ -49,7 +48,6 @@ - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_2 tags: - level1-server @@ -99,7 +97,6 @@ - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" when: rhel9cis_3_4_3_2_3_otcp.stdout is defined when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_3 tags: - level1-server @@ -128,7 +125,6 @@ - OUTPUT when: - rhel9cis_rule_3_4_3_2_4 - - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation 
@@ -143,7 +139,6 @@ path: /etc/sysconfig/iptables when: - rhel9cis_rule_3_4_3_2_5 - - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation @@ -158,7 +153,6 @@ enabled: yes state: started when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_6 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.3.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml index f3bcfa12..83479db9 100644 --- a/tasks/section_3/cis_3.4.3.3.x.yml +++ b/tasks/section_3/cis_3.4.3.3.x.yml @@ -26,9 +26,7 @@ jump: DROP ip_version: ipv6 when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_1 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -54,9 +52,7 @@ - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_2 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -87,9 +83,7 @@ - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" when: rhel9cis_3_4_3_3_3_otcp.stdout is defined when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_3 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -118,9 +112,7 @@ - FORWARD - OUTPUT when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_4 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -135,8 +127,6 @@ path: /etc/sysconfig/ip6tables ip_version: ipv6 when: - - rhel9cis_firewall == "iptables" - - rhel9cis_ipv6_required - rhel9cis_rule_3_4_3_3_5 tags: - level1-server @@ -152,7 +142,6 @@ enabled: yes state: started when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_6 tags: - level1-server diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index cc0c7bd9..f10c74f9 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -73,11 +73,11 @@ rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} -rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} -rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} + rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} @@ -94,7 +94,7 @@ rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} -rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }} + # section 2 rules rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} diff --git a/vars/is_container.yml b/vars/is_container.yml index 33a23e80..1a395919 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -41,7 +41,7 @@ rhel9cis_rule_5_1_8: false # crypto rhel9cis_rule_1_10: false -rhel9cis_rule_1_11: false + # grub rhel9cis_rule_1_5_1: false @@ -87,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false rhel9cis_rule_4_2_2_3: false # systemd -rhel9cis_rule_1_6_1: false + # Users/passwords/accounts rhel9cis_rule_5_5_2: false From bfbcede072217276597c7fe17dfe3e58cf3fbe58 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 17:19:52 +0100 Subject: [PATCH 045/454] fixed tags Signed-off-by: Mark Bolwell --- tasks/post.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 28a2e9ef..a8e1d002 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
@@ -20,19 +20,20 @@ check_mode: false notify: update sysctl when: - - rhel9cis_rule_1_6_1 or - rhel9cis_rule_1_6_2 or - rhel9cis_rule_3_1_2 or + - rhel9cis_rule_3_1_1 or rhel9cis_rule_3_1_2 or + rhel9cis_rule_3_1_3 or rhel9cis_rule_3_2_1 or rhel9cis_rule_3_2_2 or - rhel9cis_rule_3_2_3 or - rhel9cis_rule_3_2_4 or - rhel9cis_rule_3_2_5 or - rhel9cis_rule_3_2_6 or - rhel9cis_rule_3_2_7 or - rhel9cis_rule_3_2_8 or - rhel9cis_rule_3_2_9 + rhel9cis_rule_3_3_1 or + rhel9cis_rule_3_3_2 or + rhel9cis_rule_3_3_3 or + rhel9cis_rule_3_3_4 or + rhel9cis_rule_3_3_5 or + rhel9cis_rule_3_3_6 or + rhel9cis_rule_3_3_7 or + rhel9cis_rule_3_3_8 or + rhel9cis_rule_3_3_9 tags: - sysctl From 39780562c1d2c58eb6f27608de412e2f668a5559 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 12:07:07 +0100 Subject: [PATCH 046/454] section 1 updates Signed-off-by: Mark Bolwell --- README.md | 2 +- defaults/main.yml | 4 ++++ tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 6 +++--- tasks/section_1/cis_1.6.1.x.yml | 2 +- 9 files changed, 14 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index ea3ead56..048c85fd 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) Based on v2.0.0 RHEL8 -Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/) +Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/) ## Join us diff --git a/defaults/main.yml b/defaults/main.yml index b93995bf..68ea1dd0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
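Review bot: The rebuilt `when:` keeps `rhel9cis_rule_3_2_1` and `rhel9cis_rule_3_2_2`, but in this series (patch 044, tasks/section_3/cis_3.2.x.yml) those two controls moved from the `update sysctl` handler to direct `sysctl` module tasks and no longer notify the handler this task feeds, so unless another 3.2.x task still does, the two entries are stale and can be removed from the chain. The task whose condition this is starts outside the hunk.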
@@ -17,6 +17,10 @@ rhel9cis_section4: true rhel9cis_section5: true rhel9cis_section6: true +# This is used for audit purposes to run only specifc level use the tags +# e.g. +# - level1-server +# - level2-workstation rhel9cis_level_1: true rhel9cis_level_2: true diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index c7fb9867..8fa9e4b2 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index dbeab96e..7ea36279 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}noexec{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index f286fcc8..c9343c4a 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
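Review bot: The added comment `# This is used for audit purposes to run only specifc level use the tags` has a typo and merges two thoughts, so it does not say what `rhel9cis_level_1`/`rhel9cis_level_2` control versus what the tags do; suggest `# rhel9cis_level_1/2 are used by the audit only; to run the remediation for a single level, select it by tag` above the existing `# e.g.` lines. The rest of the defaults stanza is outside the hunk.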
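Review bot: The new `opts:` line in cis_1.1.4.x.yml tests `rhel9cis_rule_1_1_4_3` twice and emits `noexec` twice, while `nodev`, keyed to `rhel9cis_rule_1_1_4_4` on the removed line, is no longer emitted at all, so enabling 1.1.4.4 silently stops setting the mount option. If 1.1.4.4 is still the nodev control, the line should read `opts: defaults,{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %}`, matching the nodev/noexec/nosuid order the 1.1.3, 1.1.5 and 1.1.8 hunks now use. The `mount` task starts outside the hunk.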
@@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6aff..75bdabbe 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -25,7 +25,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 19ef3d0d..9ddfc98e 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: "^gpgcheck\s*=\s*0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index a969def9..f9f4c310 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -3,7 +3,7 @@ - name: "1.5.1 | PATCH | Ensure core dump storage is disabled" lineinfile: path: /etc/systemd/coredump.conf - regexp: 'Storage=' + regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' notify: systemd_daemon_reload when: 
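Review bot: `regexp: "^gpgcheck\s*=\s*0"` places `\s` inside a YAML double-quoted scalar, where it is not a recognised escape; PyYAML and libyaml reject the document with an unknown-escape error, so this task file stops loading at all. Single quotes keep the backslash literal, as the other regex edits in this commit already do: `regexp: '^gpgcheck\s*=\s*0'`. The `replace` task begins outside the hunk.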
@@ -19,7 +19,7 @@ - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" lineinfile: path: /etc/systemd/coredump.conf - regexp: 'ProcessSizeMax=' + regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' line: 'ProcessSizeMax=0' when: - rhel9cis_rule_1_5_2 @@ -33,7 +33,7 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" notify: - update sysctl when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index b31600a7..93e2eae7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -16,7 +16,7 @@ - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" replace: dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' + regexp: '(selinux|enforcing)\s*=(\s0|0).*' replace: '' register: selinux_grub_patch ignore_errors: yes From 4dfacd9e3bfb3d1964f16c710efaaa85c66cce09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 12:50:41 +0100 Subject: [PATCH 047/454] updated server/service vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 18 +++++-- tasks/section_2/cis_2.2.x.yml | 99 ++++++++++++++++++++++++++--------- 2 files changed, 89 insertions(+), 28 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 68ea1dd0..cbac9b46 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
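Review bot: The new 1.5.2 regexp `'^ProcessSizeMax\s*=\s*.*[1-9]$'` only matches values that end in a non-zero digit, so an existing `ProcessSizeMax=10`, `=100M` or `=2G` is not rewritten; lineinfile then appends `ProcessSizeMax=0` at EOF and the stale non-zero line stays in the file, which reads as a conflict to anyone auditing it even where systemd's last-wins ordering makes the appended value effective. Mirror the 1.5.1 shape and match any value other than 0: `regexp: '^ProcessSizeMax\s*=(?!\s*0\s*$).*'`. The task's tail is outside the hunk.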
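Review bot: The 1.6.1.2 regexp `'(selinux|enforcing)\s*=(\s0|0).*'` ends in `.*`, and with `replace: ''` that removes everything from the matched token to the end of the line — on a typical `GRUB_CMDLINE_LINUX="... selinux=0 quiet"` the remaining kernel arguments and the closing quote go with it, leaving /etc/default/grub unusable for grub2-mkconfig. The removed pattern only stripped the token itself; if the change was meant to avoid matching longer values, `regexp: '(selinux|enforcing)\s*=\s*0\b\s*'` keeps the exact-zero match without consuming the rest of the line. The `replace` task continues outside the hunk.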
@@ -444,16 +444,26 @@ rhel9cis_vsftpd_server: false rhel9cis_tftp_server: false rhel9cis_httpd_server: false rhel9cis_nginx_server: false -rhel9cis_dovecot_cyrus_server: false +rhel9cis_dovecot_server: false +rhel9cis_imap_server: false rhel9cis_samba_server: false rhel9cis_squid_server: false rhel9cis_snmp_server: false rhel9cis_nis_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false -rhel9cis_nfs_server: false -rhel9cis_rpc_server: false -rhel9cis_rsync_server: false +# Note the options +# Packages are used for client services and Server- only remove if you dont use the client service +# +rhel9cis_use_nfs: + - service: false + - server: false +rhel9_use_rpc: + - service: false + - server: false +rhel9cis_use_rsync: + - service: false + - server: false #### 2.3 Service clients rhel9cis_ypbind_required: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index bd93fbdf..9c0dc862 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -73,7 +73,7 @@ tags: - level1-server - level1-workstation - - audtomated + - automated - patch - dhcp - rule_2.2.5 @@ -160,7 +160,7 @@ - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel9cis_rule_2_2_9 + - rhel9cis_rule_2_2_10 tags: - level1-server - level1-workstation 
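Review bot: `rhel9cis_use_nfs`, `rhel9_use_rpc` and `rhel9cis_use_rsync` are written as lists of one-key mappings (`- service: false`), but the 2.2.18–2.2.20 tasks added in this commit read them as `rhel9cis_use_nfs.server` and `.service`, which on a list is an undefined attribute and fails the task; they need to be plain mappings. `rhel9_use_rpc` is also missing `cis` in its name while the tasks reference `rhel9cis_use_rpc`, so that one is undefined either way. The comment above them is hard to follow; stating the decision table the tasks implement (client package needed vs. server run; both false removes the package, service alone masks the server unit) would make the flags usable without reading the tasks. The defaults stanza continues outside the hunk.
```yaml
# service: this host needs the client package; server: this host runs the server.
# Both false removes the package, service alone masks the server unit.
rhel9cis_use_nfs:
  service: false
  server: false
rhel9cis_use_rpc:
  service: false
  server: false
rhel9cis_use_rsync:
  service: false
  server: false
```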
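Review bot: The `when:` of this task now keys on `rhel9cis_rule_2_2_10`, but the context line `- rule_2.2.9` that opens the next hunk at line 172 is, going by the line counts, the last tag of this same task, so `--tags rule_2.2.10` would still not select it; if that is the case the tag should read `- rule_2.2.10`. The task's own name line is outside the hunk, so this is inferred from the surrounding lines.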
@@ -172,14 +172,26 @@ - rule_2.2.9 - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" - package: - name: - - dovecot - - cyrus-imapd - state: absent + block: + - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - dovecot + state: absent + when: + - not rhel9cis_dovecot_server + - "'dovecot' in ansible_facts.packages" + + - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - cyrus-imapd + state: absent + when: + - not rhel9cis_imap_server + - "'cyrus-imapd' in ansible_facts.packages" + when: - - not rhel9cis_dovecot_cyrus_server - - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - rhel9cis_rule_2_2_11 tags: - level1-server @@ -290,13 +302,26 @@ - rule_2.2.17 # The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed +# Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" - package: - name: nfs-utils - state: absent + block: + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" + package: + name: nfs-utils + state: absent + when: + - not rhel9cis_use_nfs.server + - not rhel9cis_use_nfs.service + + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" + systemd: + name: nfs-server + masked: true + enabled: false + when: + - not rhel9cis_use_nfs.server + - rhel9cis_use_nfs.service when: - - not rhel9cis_nfs_server - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_18 tags: 
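Review bot: Both sub-tasks inside the new 2.2.11 block carry the identical name `2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed`, so the play output cannot tell the dovecot removal from the cyrus-imapd one; the 2.2.18 block in this commit already suffixes its sub-tasks with `| remove package` and `| mask service`, so `| remove dovecot` and `| remove cyrus-imapd` would follow that style. The added empty line before the block's `when:` is also stray.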
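Review bot: The rewritten header comment `# Options available in default/main if to remove the package default is false just mask the server service` is a fragment and does not state the decision table the block below implements (both flags false: remove nfs-utils; service true and server false: mask nfs-server; server true: leave alone); suggest `# Driven by rhel9cis_use_nfs in defaults/main.yml: both flags false removes the package, service alone masks the nfs-server unit, server true changes nothing`. The same sentence is pasted above 2.2.19 and 2.2.20 in the next two hunks and would want the matching variable name there.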
@@ -309,13 +334,26 @@ - rule_2.2.18 # The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed +# Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" - package: - name: rpcbind - state: absent + block: + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" + package: + name: rpcbind + state: absent + when: + - not rhel9cis_use_rpc.server + - not rhel9cis_use_rpc.service + + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" + systemd: + name: rpcbind.socket + masked: true + enabled: false + when: + - rhel9cis_use_rpc.server + - not rhel9cis_use_rpc.service when: - - not rhel9cis_rpc_server - "'rpcbind' in ansible_facts.packages" - rhel9cis_rule_2_2_19 tags: 
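Review bot: The mask branch of 2.2.19 masks and disables only `rpcbind.socket`; `rpcbind.service` is left unmasked and nothing is stopped here, so an already-running rpcbind keeps serving and the service can still be started directly, which does not satisfy "the rpcbind services are masked" in the control's title. Loop the `systemd` task over both units, `name: "{{ item }}"` with `with_items: [rpcbind.socket, rpcbind.service]`. The block's `when:` and tags continue outside the hunk.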
@@ -327,13 +365,26 @@ - rule_2.2.19 # The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed +# Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.20 | PATCH | Ensure rsync service is not enabled " - package: - name: rsync - state: absent + block: + - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package" + package: + name: rsync + state: absent + when: + - not rhel9cis_use_rsync.server + - not rhel9cis_use_rsync.service + + - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" + systemd: + name: rsyncd + masked: true + enabled: false + when: + - rhel9cis_use_rsync.server + - not rhel9cis_use_rsync.service when: - - not rhel9cis_rsync_server - "'rsync' in ansible_facts.packages" - rhel9cis_rule_2_2_20 tags: From 8b8aef291baf0b49bf59640748d470a2f8ee147c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 14:40:58 +0100 Subject: [PATCH 048/454] updated masked options Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 9c0dc862..be264288 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -317,7 +317,6 @@ systemd: name: nfs-server masked: true - enabled: false when: - not rhel9cis_use_nfs.server - rhel9cis_use_nfs.service @@ -349,7 +348,6 @@ systemd: name: rpcbind.socket masked: true - enabled: false when: - rhel9cis_use_rpc.server - not rhel9cis_use_rpc.service @@ -380,7 +378,6 @@ systemd: name: rsyncd masked: true - enabled: false when: - rhel9cis_use_rsync.server - not rhel9cis_use_rsync.service From fef891dc1bd8949270d53c1c7c88f63855e13b1a Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 4 Apr 2022 15:14:13 +0100 Subject: [PATCH 049/454] tidy up sysctl templates Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 30 ++++++++------ tasks/section_3/cis_3.2.x.yml | 40 +++++++------------ tasks/section_3/cis_3.3.x.yml | 24 +++++------ ...sctl.conf.j2 => 60-netipv4_sysctl.conf.j2} | 18 +-------- .../etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 21 ++++++++++ 5 files changed, 66 insertions(+), 67 deletions(-) rename templates/etc/sysctl.d/{99-sysctl.conf.j2 => 60-netipv4_sysctl.conf.j2} (68%) create mode 100644 templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 241ec207..327ec960 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -4,7 +4,7 @@ # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" notify: - update sysctl - sysctl flush ipv6 route table @@ -21,12 +21,14 @@ - rule_3.1.1 - name: "3.1.2 | PATCH | Ensure SCTP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: yes - mode: 0600 + template: + src: "/etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - sctp when: - rhel9cis_rule_3_1_2 tags: 
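Review bot: `src: "/etc/modprobe.d/modprobe.conf.j2"` begins with `/`, and Ansible treats an absolute `src` as a path on the controller rather than a lookup in the role's `templates/` directory, so this resolves to the controller's own /etc/modprobe.d and fails with a file-not-found; the template added later in this series lives at `templates/etc/modprobe.d/modprobe.conf.j2`, so the line should be `src: etc/modprobe.d/modprobe.conf.j2`. The 3.1.3 hunk (`@@ -38,12 +40,14 @@`) repeats the same `src`. The task's tags continue outside the hunk.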
@@ -38,12 +40,14 @@ - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure DCCP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: yes - mode: 0600 + template: + src: "/etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - dccp when: - rhel9cis_rule_3_1_3 tags: diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index f9a759c3..b7f0f6b5 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -3,22 +3,18 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - sysctl: - name: net.ipv4.ip_forward - value: '0' - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - sysctl: - name: net.ipv6.conf.all.forwarding - value: '0' - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv6 route table + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv6 route table when: rhel9cis_ipv6_required when: - not rhel9cis_is_router 
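Review bot: Replacing the `sysctl` calls with a notify means the value now comes from `60-netipv4_sysctl.conf.j2` in this commit, which emits `net.ipv4.ip_forward = 0` whenever `rhel9cis_rule_3_2_1` is true, so the task's `when: not rhel9cis_is_router` no longer protects a router: any other task that notifies `update sysctl` (every 3.3.x task does) renders the file with forwarding disabled. The template conditions should carry the router guard too, `{% if rhel9cis_rule_3_2_1 and not rhel9cis_is_router %}`, and likewise for `rhel9cis_rule_3_2_2` (send_redirects, next hunk) and the `forwarding` block in `60-netipv6_sysctl.conf.j2`. The enclosing block's `when:` list continues outside the hunk.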
@@ -32,17 +28,11 @@ - rule_3.2.1 - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - sysctl: - name: '{{ item.name }}' - value: '{{ item.value }}' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - with_items: - - { name: net.ipv4.conf.all.send_redirects, value: 0 } - - { name: net.ipv4.conf.default.send_redirects, value: 0 } + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table when: - not rhel9cis_is_router - rhel9cis_rule_3_2_2 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 8c15cde3..e6d4952a 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -4,14 +4,14 @@ block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" notify: - sysctl flush ipv6 route table - update sysctl 
@@ -29,14 +29,14 @@ block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" notify: - sysctl flush ipv6 route table - update sysctl @@ -52,7 +52,7 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_3 @@ -65,7 +65,7 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_4 @@ -78,7 +78,7 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_5 
@@ -91,7 +91,7 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_6 @@ -104,7 +104,7 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_7 @@ -117,7 +117,7 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_8 @@ -132,14 +132,14 @@ block: - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" notify: - sysctl flush ipv6 route table - update sysctl 
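Review bot: The first 3.3.9 subtask now says the control is written to `60-netipv4_sysctl.conf` and notifies the IPv4 route flush, but `accept_ra` is an IPv6-only setting and in this commit lives only in `60-netipv6_sysctl.conf.j2`, so the first subtask should be dropped or its message corrected so operators are not pointed at the wrong file. The second subtask's message is also missing the extension: `msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"`. The block's `when:` and tags continue outside the hunk.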
diff --git a/templates/etc/sysctl.d/99-sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 similarity index 68% rename from templates/etc/sysctl.d/99-sysctl.conf.j2 rename to templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 177db219..19a9fd37 100644 --- a/templates/etc/sysctl.d/99-sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,12 +1,9 @@ # Setting added via ansible CIS remediation playbook -# Network sysctl +# IPv4 Network sysctl {% if rhel9cis_rule_3_2_1 %} # CIS 3.2.1 net.ipv4.ip_forward = 0 -{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.forwarding = 0 -{% endif %} {% endif %} {% if rhel9cis_rule_3_2_2 %} # CIS 3.2.2 @@ -17,19 +14,11 @@ net.ipv4.conf.default.send_redirects = 0 # CIS 3.3.1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 -{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.accept_source_route = 0 -net.ipv6.conf.default.accept_source_route = 0 -{% endif %} {% endif %} {% if rhel9cis_rule_3_3_2 %} # CIS 3.3.2 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 -{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.accept_redirects = 0 -net.ipv6.conf.default.accept_redirects = 0 -{% endif %} {% endif %} {% if rhel9cis_rule_3_3_3 %} # CIS 3.3.3 @@ -57,8 +46,3 @@ net.ipv4.conf.default.rp_filter = 1 # CIS 3.3.8 net.ipv4.tcp_syncookies = 1 {% endif %} -{% if rhel9cis_rule_3_3_9 %} -# CIS 3.3.9 -net.ipv6.conf.all.accept_ra = 0 -net.ipv6.conf.default.accept_ra = 0 -{% endif %} \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 new file mode 100644 index 00000000..0b23c559 --- /dev/null +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 
@@ -0,0 +1,21 @@ +# Setting added via ansible CIS remediation playbook + +# IPv6 Network sysctl +{% if rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_2_1 %} +net.ipv6.conf.all.forwarding = 0 +{% endif %} +{% if rhel9cis_rule_3_3_1 %} +net.ipv6.conf.all.accept_source_route = 0 +net.ipv6.conf.default.accept_source_route = 0 +{% endif %} +{% if rhel9cis_rule_3_3_2 %} +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 +{% endif %} +{% if rhel9cis_rule_3_3_9 %} +# CIS 3.3.9 +net.ipv6.conf.all.accept_ra = 0 +net.ipv6.conf.default.accept_ra = 0 +{% endif %} +{% endif %} \ No newline at end of file From b4eefdbdd3b2fd2d0d36d073dccabc66582b78a9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:14:24 +0100 Subject: [PATCH 050/454] 2.2.18 update Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index be264288..31c5db7d 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -317,6 +317,7 @@ systemd: name: nfs-server masked: true + state: stopped when: - not rhel9cis_use_nfs.server - rhel9cis_use_nfs.service @@ -348,6 +349,7 @@ systemd: name: rpcbind.socket masked: true + state: stopped when: - rhel9cis_use_rpc.server - not rhel9cis_use_rpc.service @@ -378,6 +380,7 @@ systemd: name: rsyncd masked: true + state: stopped when: - rhel9cis_use_rsync.server - not rhel9cis_use_rsync.service From adcc647dd4059c870f5d5463830841499723bf22 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:14:59 +0100 Subject: [PATCH 051/454] masked or removal options Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 19 +++++++++++++++---- tasks/section_3/cis_3.4.2.x.yml | 18 +++++++++++++++--- tasks/section_3/cis_3.4.3.1.x.yml | 18 +++++++++++++++--- 3 files changed, 45 insertions(+), 10 deletions(-) 
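Review bot: The new IPv6 template labels only the 3.3.9 block with a `# CIS 3.3.9` comment, while the IPv4 template it was split from labels every block; add `# CIS 3.2.1`, `# CIS 3.3.1` and `# CIS 3.3.2` above the corresponding `{% if %}` bodies so the rendered /etc/sysctl.d file can be audited the same way. The file is also written without a trailing newline (`\ No newline at end of file`); end it with a newline after the final `{% endif %}`.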
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 51fb5b03..bb5cf97a 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -42,10 +42,21 @@ - rule_3.4.1.2 - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" - systemd: - name: nftables - state: stopped - masked: yes + block: + - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service" + systemd: + name: nftables + state: stopped + masked: yes + when: + - rhel9cis_firewalld_nftables_state == "masked" + + - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed" + package: + name: nftables + state: absent + when: + - rhel9cis_firewalld_nftables_state == "absent" when: - rhel9cis_rule_3_4_1_3 tags: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 23717c2a..f3c7e5ef 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -17,9 +17,21 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - package: - name: firewalld - state: absent + block: + - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service" + systemd: + name: firewalld + masked: true + state: stopped + when: + - rhel9cis_nftables_firewalld_state == "masked" + + - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed" + package: + name: firewalld + state: absent + when: + - rhel9cis_nftables_firewalld_state == "absent" when: - rhel9cis_rule_3_4_2_2 tags: diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml index 5d07856c..56ce0766 100644 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ b/tasks/section_3/cis_3.4.3.1.x.yml 
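Review bot: In 3.4.1.3 the two subtasks fire only for `rhel9cis_firewalld_nftables_state == "masked"` or `== "absent"`; any other value (a typo or an empty override) skips both silently and nftables stays installed and unmasked alongside firewalld, so add a guard before the block, e.g. an `assert:` with `that: rhel9cis_firewalld_nftables_state in ['masked', 'absent']` and a `fail_msg`, or fold the membership test into the outer `when`. The same applies to `rhel9cis_nftables_firewalld_state` in the 3.4.2.2 hunk and `rhel9cis_iptables_firewalld_state` in 3.4.3.1.3 (`@@ -33,9 +33,21 @@`). Minor: 3.4.1.3 uses `masked: yes` while 3.4.2.2 uses `masked: true`; use `true` in both. The context comment above 3.4.2.2, `# We have chosen not installed`, no longer describes the code; `# Behaviour selected by rhel9cis_nftables_firewalld_state (absent|masked) in defaults/main.yml` would.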
@@ -33,9 +33,21 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" - package: - name: firewalld - state: absent + block: + - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" + systemd: + name: firewalld + masked: true + state: stopped + when: + - rhel9cis_iptables_firewalld_state == "masked" + + - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" + package: + name: firewalld + state: absent + when: + - rhel9cis_iptables_firewalld_state == "absent" when: - rhel9cis_rule_3_4_3_1_3 tags: From 842b295ecfce764d68976ba29796ce9830fd61a0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:15:40 +0100 Subject: [PATCH 052/454] firewall pkg control - prefer log capture Signed-off-by: Mark Bolwell --- defaults/main.yml | 12 ++++++++++++ tasks/section_4/cis_4.2.1.x.yml | 3 ++- tasks/section_4/cis_4.2.2.x.yml | 1 + 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cbac9b46..79746ba6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
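Review bot: The second subtask of 3.4.3.1.3 removes the firewalld package but is named `| mask service`, the same suffix as the first, so the run log shows "mask service" for both branches; rename it `- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | pkg removed"` to match 3.4.1.3 and 3.4.2.2. The comment above it, `# We have chosen not installed`, no longer describes the code now that `rhel9cis_iptables_firewalld_state` decides. The task's tags continue outside the hunk.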
@@ -476,17 +476,24 @@ rhel9cis_tftp_client: false ## Section3 vars ### Firewall Service - either firewalld, iptables, or nftables +#### Some control allow for services to be removed or masked +#### The options are under each heading +#### absent = remove the package +#### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public +rhel9cis_firewalld_nftables_state: absent #### nftables +rhel9cis_nftables_firewalld_state: absent rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true #### iptables +rhel9cis_iptables_firewalld_state: absent # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | @@ -508,6 +515,11 @@ rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 +## Preferred method of logging +## Whether rsyslog or journald preferred method for local logging +## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 +rhel9cis_preferred_log_capture: rsyslog + #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 0d9d0ee6..27ec2955 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -29,7 +29,7 @@ - rsyslog - rule_4.2.1.2 -# This is counter to control 4.2.1.5?? +# This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" lineinfile: dest: /etc/systemd/journald.conf @@ -38,6 +38,7 @@ state: present when: - rhel9cis_rule_4_2_1_3 + - rhel9cis_preferred_log_capture == "rsyslog" tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index e83d97c2..5b59d630 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml 
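Review bot: `rhel9cis_preferred_log_capture` is only ever compared with the literal strings `"rsyslog"` (4.2.1.3) and `"journald"` (4.2.2.5), so any other value — including a typo — silently skips both controls and leaves journald forwarding unconfigured; document the accepted values on the variable, e.g. `## Valid values: rsyslog | journald (any other value skips both 4.2.1.3 and 4.2.2.5)`, and consider asserting it in the section 4 tasks. The same holds for the three new `*_state` firewall variables, which are only compared with `"absent"` and `"masked"`. In the cis_4.2.1.x.yml hunk the comment `# This is counter to control 4.2.2.5??` can now be a statement: `# Mutually exclusive with 4.2.2.5; selected via rhel9cis_preferred_log_capture`.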
@@ -137,6 +137,7 @@ notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 + - rhel9cis_preferred_log_capture == "journald" tags: - level1-server - level2-workstation From 49760449d0718824fd64faa466d661e6e16c3b8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:15:54 +0100 Subject: [PATCH 053/454] netwokr protocol template Signed-off-by: Mark Bolwell --- templates/etc/modprobe.d/modprobe.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 templates/etc/modprobe.d/modprobe.conf.j2 diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 new file mode 100644 index 00000000..1a1a48d8 --- /dev/null +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -0,0 +1,5 @@ +# Disable usage of protocol {{ item }} +# Set by ansible {{ benchmark }} remediation role +# https://github.com/ansible-lockdown + +install {{ item }} /bin/true \ No newline at end of file From ca24e923c42877003fd9049fbe03f5d1851da3c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:16:17 +0100 Subject: [PATCH 054/454] updated template names Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 88616083..9a8b657a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -31,7 +31,8 @@ with_items: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf - - 99-sysctl.conf + - 60-netipv4_sysctl.conf + - 60-netipv6_sysctl.conf when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" From 790db75501165a5b328c08e0d652826391e382d7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 16:12:47 +0100 Subject: [PATCH 055/454] added validate & typo fixes Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) 
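Review bot: `{{ benchmark }}` in the template header is not defined anywhere the visible hunks show; if it is not a role default or a fact set elsewhere, rendering fails with an undefined-variable error on every 3.1.x task, so confirm it exists or drop it from the comment. The CIS remediation for these protocol controls also pairs the `install <module> /bin/true` line with a `blacklist <module>` line in recent benchmark versions so the module cannot be pulled in as a dependency either — add `blacklist {{ item }}` if the benchmark version this role targets calls for it. The file also ends without a trailing newline (`\ No newline at end of file`).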
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 4b28f5be..f62ddfb5 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -87,6 +87,7 @@ dest: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowusers']|default('') | length > 0" @@ -96,6 +97,7 @@ dest: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" @@ -105,6 +107,7 @@ dest: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denyusers']|default('') | length > 0" @@ -114,6 +117,7 @@ dest: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: @@ -132,6 +136,7 @@ dest: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_5 tags: @@ -148,6 +153,7 @@ dest: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_6 tags: @@ -164,6 +170,7 @@ dest: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_7 tags: @@ -178,8 +185,9 @@ lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" + regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_8 tags: 
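Review bot: `validate: sshd -t -f %s` relies on `sshd` being found on PATH, which in a non-login become session need not include /usr/sbin, and the next commit in this series spells out `/usr/sbin/visudo` for the sudoers validation; use the full path here too, `validate: /usr/sbin/sshd -t -f %s`, in this hunk and in every later hunk of this file that adds the same line (through `@@ -380,6 +398,7 @@`). Since `sshd -t` also reads the host keys and any `Include`d drop-ins, it expects root privileges, which matches how the rest of the role runs but deserves a one-line comment above the first validated task. The enclosing tasks' `tags` continue outside each hunk.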
@@ -196,6 +204,7 @@ dest: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_9 tags: @@ -212,6 +221,7 @@ dest: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_10 tags: @@ -228,12 +238,13 @@ dest: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_11 tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.11 @@ -244,12 +255,13 @@ dest: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_12 tags: - level2-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.12 @@ -260,12 +272,13 @@ dest: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_13 tags: - level2-server - level2-workstation - - autoamted + - automated - patch - ssh - rule_5.2.13 @@ -307,6 +320,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_16 tags: @@ -323,6 +337,7 @@ dest: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_17 tags: @@ -339,6 +354,7 @@ dest: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_18 tags: @@ -355,6 +371,7 @@ dest: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_19 tags: 
@@ -373,6 +390,7 @@ dest: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" + validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" lineinfile: @@ -380,6 +398,7 @@ dest: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_20 tags: From e03f7194ff96ee6bd4fe2d3c28098f44e760c1eb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 16:16:31 +0100 Subject: [PATCH 056/454] added validate Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.x.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index bd97cc3c..9aa864a9 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -19,6 +19,7 @@ dest: /etc/sudoers line: "Defaults use_pty" state: present + validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_2 tags: @@ -35,6 +36,7 @@ regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' state: present + validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_3 tags: @@ -50,6 +52,7 @@ path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' with_items: - "{{ rhel9cis_sudoers_files.stdout_lines }}" when: @@ -67,6 +70,7 @@ path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' with_items: - "{{ rhel9cis_sudoers_files.stdout_lines }}" when: From 9a0ac2233198f773a5b6ef06075272f8a64c43e2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 16:20:27 +0100 Subject: [PATCH 057/454] fix tag typo 
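Review bot: The `regexp` two lines above the new `validate` in the `@@ -50,6 +52,7 @@` hunk, `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'`, is a character class, not an alternation: on EC2 it skips every line whose first character is in the class, and `2-u` inside it is a range covering the digits from 2, all uppercase letters and a–u, so a `root ALL=(ALL) NOPASSWD: ALL` entry would be left alone there. That line is context rather than part of this commit, but since the task is being touched it is worth rewriting as a lookahead, `regexp: '^(?!#{% if system_is_ec2 %}|ec2-user{% endif %})(.*)NOPASSWD(.*)'`, which keeps group 1 intact for `replace: '\1PASSWD\2'`; the `[^#]` in the `!authenticate` task is a single character and is fine. `validate: '/usr/sbin/visudo -cf %s'` checks the temporary copy standalone, which is correct for sudoers drop-ins.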
Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 6 +++--- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 2 +- tasks/section_5/cis_5.2.x.yml | 6 +++--- tasks/section_6/cis_6.1.x.yml | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 31c5db7d..53e01ae3 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -105,7 +105,7 @@ tags: - level1-server - level1-workstation - - automation + - automated - patch - ftp - rule_2.2.7 @@ -230,7 +230,7 @@ tags: - level1-server - level1-workstation - - automation + - automated - patch - squid - rule_2.2.13 @@ -246,7 +246,7 @@ tags: - level1-server - level1-workstation - - automation + - automated - patch - snmp - rule_2.2.14 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index f3c7e5ef..3484bf66 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -171,7 +171,7 @@ tags: - level1-server - level1-workstation - - automate + - automated - patch - nftables - rule_3.4.2.6 diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 6f7635cf..dee0f21d 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -123,7 +123,7 @@ tags: - level2-server - level2-workstation - - autoamted + - automated - patch - auditd - rule_4.1.3.8 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 27ec2955..9670309b 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -24,7 +24,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - rsyslog - rule_4.2.1.2 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index f62ddfb5..d6065071 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -176,7 +176,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.7 @@ -326,7 +326,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.16 @@ -343,7 +343,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.17 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index be85af00..c169d4b7 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -131,7 +131,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - permissions - rule_6.1.7 From 2eeccbdc69d4e455d5ad8c5534f2d48d11c9f676 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:14 +0100 Subject: [PATCH 058/454] fixed regex Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9ddfc98e..23583d5d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: "^gpgcheck\s*=\s*0" + regexp: '^gpgcheck\s+=\s+0' replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" From b3a6f89ae0471b3126aed9ac121e9cf3acd1cb17 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:40 +0100 Subject: [PATCH 059/454] lint Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 53e01ae3..7ba7bb48 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
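Review bot: Changing `\s*` to `\s+` means `gpgcheck=0` — the no-whitespace form typically found in stock repo files — no longer matches, so those repositories keep GPG checking disabled while the task reports no change; the quoting fix was needed (`\s` is not a valid escape in a YAML double-quoted scalar) but the quantifier should stay, `regexp: '^gpgcheck\s*=\s*0'`. With `replace: "gpgcheck=1"` rewriting the whole match, `\s*` is also what yields a clean line regardless of the original spacing.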
@@ -176,8 +176,8 @@ - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" package: name: - - dovecot - state: absent + - dovecot + state: absent when: - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" @@ -185,8 +185,8 @@ - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" package: name: - - cyrus-imapd - state: absent + - cyrus-imapd + state: absent when: - not rhel9cis_imap_server - "'cyrus-imapd' in ansible_facts.packages" From 223254b5c964059d25ff75689af17cc73c1df2ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:52 +0100 Subject: [PATCH 060/454] rewrite Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 168 ++++++++++++++++++++-------------- 1 file changed, 100 insertions(+), 68 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 71a37e54..24288bbe 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
@@ -1,59 +1,91 @@ --- -- name: "5.5.2 | PATCH | Ensure system accounts are secured" +- name: "5.5.1 | PATCH | " block: - - name: "5.5.2 | Ensure system accounts are secured | Set nologin" - user: - name: "{{ item.id }}" - shell: /usr/sbin/nologin - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "root" - - item.id != "sync" - - item.id != "shutdown" - - item.id != "halt" - - min_int_uid | int > item.gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" + blockinfile: + path: /etc/security/pwquality.conf + marker: "" + block: "{{ rhel9cis_pam_password }}" - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: - name: "{{ item.id }}" - password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "halt" - - item.id != "shutdown" - - item.id != "sync" - - item.id != "root" - - min_int_uid | int > item.gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + dest: /etc/pam.d/system-auth + state: present + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + dest: /etc/pam.d/password-auth + state: present + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' 
when: - - rhel9cis_rule_5_5_2 + - rhel9cis_rule_5_5_1 tags: - level1-server - level1-workstation - patch - - rule_5.5.2 + - rule_5.5.1 + +- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" + block: + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" + lineinfile: + dest: /etc/pam.d/{{ item }} + state: present + regexp: '^auth\s*required\s*pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" -- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: - create: yes - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID RHEL-08-5.4.5 - TMOUT={{ rhel9cis_shell_session_timeout.timeout }} - export TMOUT - readonly TMOUT + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" + lineinfile: + dest: /etc/pam.d/{{ item }} + state: present + regexp: '^auth\s*required\s*pam_faillock.so authfail' + line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' 
+ with_items: + - "system-auth" + - "password-auth" + when: + - ansible_distribution_version <= "8.1" + - rhel9cis_rule_5_5_2 + +- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " + lineinfile: + dest: /etc/security/faillock.conf + state: present + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" with_items: - - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } + - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } + when: + - ansible_distribution_version >= "8.2" + - rhel9cis_rule_5_5_2 + +- name: "5.5.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" + lineinfile: + path: /etc/pam.d/system-auth + state: present + line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + #after: '^password\s*requisite\s*pam_pwhistory.so' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: 
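Review bot: The two 5.5.2 tasks gate on string comparisons `ansible_distribution_version <= "8.1"` and `>= "8.2"`, which misorder versions such as 8.10 and, in a RHEL 9 role, leave the pre-8.2 pam_faillock block dead while it still references `rhel9cis_pam_faillock.attempts`, `.fail_for_root` and `.unlock_time`, keys that the defaults hunk later in this series does not define; use `- ansible_distribution_version is version('8.2', '>=')` (and `'<'` for the pre-8.2 block) and either add those keys or drop the dead block. The RHEL8.2+ faillock.conf task hard-codes `deny = 5` and `unlock_time = 900` instead of reading the same variable, and its regexps `^\s*deny\s*=\s*[1-5]\b` and `^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|...)` match only values already inside the benchmark, so a non-compliant `deny = 10` is left in place and a second `deny = 5` line is appended; matching on the key alone, `regexp: '^\s*deny\s*='` and `regexp: '^\s*unlock_time\s*='`, replaces whatever value is there. The block title `"5.5.1 | PATCH | "` is empty after the rule id, and the second 5.5.1 task is named "Set system-auth retry settings" while editing /etc/pam.d/password-auth. The `marker: ""` on the pwquality blockinfile also deserves a second look, since an empty marker gives the module nothing distinctive to locate on reruns; a marker such as `marker: "# {mark} CIS 5.5.1 ANSIBLE MANAGED"` keeps the task idempotent.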
@@ -62,35 +94,35 @@ - patch - rule_5.5.3 -- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0" - command: usermod -g 0 root - changed_when: false - failed_when: false - when: - - rhel9cis_rule_5_5_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.4 - -- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive" +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" + replace: + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" replace: - path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' - - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" + - name: "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory" replace: - path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + path: /etc/pam.d/password-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + + - name: "5.5.4 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - - rhel9cis_rule_5_5_5 + - rhel9cis_rule_5_5_4 tags: - level1-server - level1-workstation - patch - - rule_5.5.5 + - rule_5.5.4 
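Review bot: The new 5.5.4 libuser.conf and login.defs tasks use `replace`, which is a no-op when the key is absent or commented out (`^crypt_style\s*=` and `^ENCRYPT_METHOD.*` match neither a `# ENCRYPT_METHOD` line nor a missing one), so a host without those entries passes the play while keeping whatever hashing default the library applies; `lineinfile` with the same regexp plus `line: 'ENCRYPT_METHOD SHA512'` and `line: 'crypt_style = sha512'` guarantees the setting is present. The system-auth pam_unix replacement added here is byte-for-byte the same edit 5.5.3 makes in the first hunk of this file, so disabling `rhel9cis_rule_5_5_3` no longer stops `remember=` from being written; the `remember=` argument belongs to one rule only. This hunk also deletes the old 5.5.4 `usermod -g 0 root` and 5.5.5 umask tasks; the root-GID task reappears as 5.6.4 in cis_5.6.x.yml later in this series, but I could not see a replacement for the umask task in the hunks visible here, so that is worth confirming.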
From 3d5fd41ed8eea2d3cf9ec93c65ac11cd52214ea4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:31:02 +0100 Subject: [PATCH 061/454] pam vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 79746ba6..d4f5394c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -583,6 +583,7 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false + rhel9cis_pass: max_days: 365 min_days: 7 @@ -591,14 +592,17 @@ rhel9cis_pass: rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true - +# 5.5.1 ## PAM -rhel9cis_pam_password: - minlen: "14" - minclass: "4" +rhel9cis_pam_password: | + minlen = 14 + minclass = 4 + +rhel9cis_pam_faillock: + remember: 5 # UID settings for interactive users -# These are discovered via logins.def is set true +# These are discovered via logins.def if set true discover_int_uid: false min_int_uid: 1000 max_int_uid: 65533 From d9b807c325d6bfb2917c1c2985fcf1903ebbed58 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 08:45:11 +0100 Subject: [PATCH 062/454] change lineinfile to path Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 24288bbe..c5fba6b0 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -10,7 +10,7 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: - dest: /etc/pam.d/system-auth + path: /etc/pam.d/system-auth state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" 
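Review bot: `rhel9cis_pam_faillock` is given only `remember: 5`, but the 5.5.2 tasks added to tasks/section_5/cis_5.5.x.yml earlier in this series read `rhel9cis_pam_faillock.attempts`, `.fail_for_root` and `.unlock_time`, so any host that takes that branch fails with an undefined-attribute error; either add `attempts`, `fail_for_root` and `unlock_time` alongside `remember`, using the values the faillock.conf task currently hard-codes, or remove those references. `remember` is a pam_pwhistory/pam_unix option rather than a faillock one, so a separate password-history variable would keep the names honest. The `# 5.5.1 ## PAM` comment now sits above variables that also feed 5.5.3 and 5.5.4; `# 5.5.x ## PAM` would stay accurate.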
@@ -18,7 +18,7 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: - dest: /etc/pam.d/password-auth + path: /etc/pam.d/password-auth state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" @@ -35,7 +35,7 @@ block: - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" lineinfile: - dest: /etc/pam.d/{{ item }} + path: /etc/pam.d/{{ item }} state: present regexp: '^auth\s*required\s*pam_faillock.so preauth' line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" @@ -46,7 +46,7 @@ - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" lineinfile: - dest: /etc/pam.d/{{ item }} + path: /etc/pam.d/{{ item }} state: present regexp: '^auth\s*required\s*pam_faillock.so authfail' line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" @@ -60,7 +60,7 @@ - name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " lineinfile: - dest: /etc/security/faillock.conf + path: /etc/security/faillock.conf state: present regexp: "{{ item.regexp }}" line: "{{ item.line }}" From 0ef9e990cc51f2dafedd036fa665c833961f31fb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 08:48:53 +0100 Subject: [PATCH 063/454] tidy and fix titles Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index c5fba6b0..bed1b282 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -84,7 +84,6 @@ replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' - #after: '^password\s*requisite\s*pam_pwhistory.so' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 @@ -108,16 +107,16 @@ regexp: '^ENCRYPT_METHOD.*' replace: 'ENCRYPT_METHOD SHA512' - - name: "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory" + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" replace: path: /etc/pam.d/password-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - - name: "5.5.4 | PATCH | Ensure password reuse is limited | pam_unix" + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" replace: path: /etc/pam.d/system-auth - regexp: '^password\s*sufficient\s*pam_unix.so.*' + regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 From 96abe45eb231c28de526a63b90986bb2f10379e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:06 +0100 Subject: [PATCH 064/454] fix template path Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 327ec960..5033e5a5 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -22,7 +22,7 @@ - name: "3.1.2 | PATCH | Ensure SCTP is disabled" template: - src: "/etc/modprobe.d/modprobe.conf.j2" + src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" owner: root @@ -41,7 +41,7 @@ - name: "3.1.3 | PATCH | Ensure DCCP is disabled" template: - src: "/etc/modprobe.d/modprobe.conf.j2" + src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" owner: root From 32c409cb48469951bf42045bc5c8889720d27dcd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:21 +0100 Subject: [PATCH 065/454] reorder 3.4.1.2 Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index bb5cf97a..b7b50331 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -21,16 +21,18 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - masked: true + state: stopped + enabled: false with_items: - iptables - ip6tables when: item in ansible_facts.packages - - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Remove IPTables" + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: name: iptables-services state: absent + when: "'iptables-services' in ansible_facts.packages" when: - rhel9cis_rule_3_4_1_2 tags: From 2bf95bf3dabf6a3eb2debf6e2334d36cab24bcc2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:42 +0100 Subject: [PATCH 066/454] default mask nftable for firewalld Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d4f5394c..3effee26 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
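Review bot: The stop/disable loop in 3.4.1.2 is still gated on `when: item in ansible_facts.packages` with items `iptables` and `ip6tables`, while the new removal task correctly checks `'iptables-services' in ansible_facts.packages`; as far as I can tell the iptables and ip6tables units ship with iptables-services, so `ip6tables` is never a package name and `iptables` matches the library package rather than the one providing the units. Use the same guard on the systemd task, `when: "'iptables-services' in ansible_facts.packages"`, so both steps key off the package that actually owns the services. With `masked: true` replaced by stop+disable, the package removal that follows is what keeps the units from returning, which is fine as long as that task is not skipped. The new task name also carries a trailing space before the closing quote.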
@@ -484,7 +484,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: absent +rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables rhel9cis_nftables_firewalld_state: absent From d5065c1a82d04de47c180acecdf57a036060dd54 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:53 +0100 Subject: [PATCH 067/454] lint Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 744c6d68..66090262 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -81,7 +81,7 @@ - password - rule_5.6.1.4 -- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) From 4e873bc0d6e51596068c26671c79361d2aff6cfa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:09:06 +0100 Subject: [PATCH 068/454] added nfsnobody Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 6106e6e5..8d96b4b9 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,6 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" + - item.id != "nfsnobody" - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" 
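Review bot: The new `item.id != "nfsnobody"` exclusion joins a condition set whose `min_int_uid | int < item.gid` test looks inverted: the 5.5.2 version of this task removed earlier in this series (cis_5.5.x.yml) used `min_int_uid | int > item.gid`, and the control targets system accounts, i.e. those below UID_MIN. If `<` is wrong, the named exclusions protect only root/sync/shutdown/halt/nfsnobody while every interactive account above UID_MIN is switched to nologin and locked, which is worth confirming before this runs on a real host; the same applies to the second hunk of this file (`@@ -30,6 +31,7 @@`). The test also compares `gid` rather than the account's uid, which is what the benchmark keys on. The enclosing task starts outside the hunk.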
@@ -30,6 +31,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" + - item.id != "nfsnobody" - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -51,9 +53,8 @@ mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" + marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" block: | - # Set session timeout - CIS ID RHEL-08-5.4.5 TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT @@ -71,9 +72,9 @@ - rule_5.6.3 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - command: usermod -g 0 root - changed_when: false - failed_when: false + user: + name: root + group: 0 when: - rhel9cis_rule_5_6_4 tags: From 13a6746997cab89006f5c8007c631653ca60c4ef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:24:47 +0100 Subject: [PATCH 069/454] lint Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +-- handlers/main.yml | 14 ++--- local.yml | 1 - meta/main.yml | 6 +-- tasks/main.yml | 96 ++++++++++++++++----------------- tasks/post.yml | 2 +- tasks/prelim.yml | 7 ++- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_2/cis_2.2.x.yml | 6 +-- tasks/section_2/cis_2.3.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_2/main.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 6 +-- tasks/section_3/cis_3.2.x.yml | 2 +- tasks/section_3/cis_3.3.x.yml | 18 +++---- tasks/section_4/cis_4.1.3.x.yml | 1 + tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.5.x.yml | 24 ++++----- tasks/section_5/cis_5.6.x.yml | 4 +- tasks/section_6/main.yml | 2 +- vars/AlmaLinux.yml | 2 +- vars/is_container.yml | 2 +- 24 files changed, 105 insertions(+), 108 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3effee26..a0bf8639 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false - - # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random @@ -454,7 +452,7 @@ rhel9cis_telnet_server: false rhel9cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service -# +# rhel9cis_use_nfs: - service: false - server: false @@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy +rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables rhel9cis_nftables_firewalld_state: absent diff --git a/handlers/main.yml b/handlers/main.yml index 9a8b657a..b0f3e7dd 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -33,18 +33,18 @@ - 60-disable_ipv6.conf - 60-netipv4_sysctl.conf - 60-netipv6_sysctl.conf - when: + when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" - name: reload sysctl sysctl: - name: net.ipv4.route.flush - value: '1' - state: present - reload: true - ignoreerrors: true - when: + name: net.ipv4.route.flush + value: '1' + state: present + reload: true + ignoreerrors: true + when: - ansible_virtualization_type != "docker" - "'systemd' in ansible_facts.packages" diff --git a/local.yml b/local.yml index 3f17560f..18c2f438 100644 --- a/local.yml +++ b/local.yml @@ -6,4 +6,3 @@ roles: - role: "{{ playbook_dir }}" - diff --git a/meta/main.yml b/meta/main.yml index 266a4685..aac8be87 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -22,7 +22,7 @@ galaxy_info: - disa - rhel9 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] 
diff --git a/tasks/main.yml b/tasks/main.yml index f44197ca..8bda2a64 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,9 +6,9 @@ that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - os_check - - not system_is_ec2 + when: + - os_check + - not system_is_ec2 tags: - always @@ -29,7 +29,7 @@ - name: Load variable for container include_vars: file: "{{ container_vars_file }}" - + - name: output if discovered is a container debug: msg: system has been discovered as a container 
@@ -53,128 +53,128 @@ that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" when: - - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_set_boot_pass + - rhel9cis_rule_1_5_2 - name: "check sugroup exists if used" block: - - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - args: - warn: false - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint - - - name: Check sugroup if defined exists before continuing - assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" + - name: "Check su group exists if defined" + shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + args: + warn: false + register: sugroup_exists + changed_when: false + failed_when: sugroup_exists.rc >= 2 + tags: + - skip_ansible_lint + + - name: Check sugroup if defined exists before continuing + assert: + that: sugroup_exists.rc == 0 + msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 + - rhel9cis_sugroup is defined + - rhel9cis_rule_5_7 tags: - - rule_5.7 + - rule_5.7 - name: Gather the package facts package_facts: manager: auto tags: - - always + - always - name: Include OS specific variables include_vars: "{{ ansible_distribution }}.yml" tags: - - always + - always - name: Include preliminary steps import_tasks: prelim.yml tags: - - prelim_tasks - - always + - prelim_tasks + - always - name: run pre_remediation audit include_tasks: pre_remediation_audit.yml when: - - run_audit + - run_audit - name: Gather the package facts after prelim package_facts: manager: auto tags: - - always + - always - name: capture /etc/password variables include_tasks: 
parse_etc_password.yml - when: - - rhel9cis_section6 + when: + - rhel9cis_section6 tags: - - rule_5.5.2 - - rule_5.6.2 - - rule_6.2.9 - - rule_6.2.10 - - rule_6.2.11 - - rhel9cis_section5 - - rhel9cis_section6 + - rule_5.5.2 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 + - rhel9cis_section6 - name: run Section 1 tasks import_tasks: section_1/main.yml become: true when: rhel9cis_section1 tags: - - rhel9cis_section1 + - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml become: true when: rhel9cis_section2 tags: - - rhel9cis_section2 + - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml become: true when: rhel9cis_section3 tags: - - rhel9cis_section3 + - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml become: true when: rhel9cis_section4 tags: - - rhel9cis_section4 + - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml become: true when: rhel9cis_section5 tags: - - rhel9cis_section5 + - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml become: true when: rhel9cis_section6 tags: - - rhel9cis_section6 + - rhel9cis_section6 - name: run post remediation tasks import_tasks: post.yml become: true tags: - - post_tasks - - always + - post_tasks + - always - name: run post_remediation audit import_tasks: post_remediation_audit.yml when: - - run_audit + - run_audit - name: Show Audit Summary debug: msg: "{{ audit_results.split('\n') }}" when: - - run_audit + - run_audit diff --git a/tasks/post.yml b/tasks/post.yml index a8e1d002..69783ab0 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -10,7 +10,7 @@ package_facts: manager: auto tags: - - always + - always - name: trigger update sysctl shell: /bin/true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 47d1434d..eb02040d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -87,7 +87,7 @@ name: audit state: present become: true - when: + when: - '"auditd" not in ansible_facts.packages' - rhel9cis_rule_4_1_1_1 tags: @@ -209,7 +209,7 @@ shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false @@ -226,8 +226,7 @@ max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - debug: - msg: "{{ min_int_uid }} {{ max_int_uid }}" + msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid - diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 7ea36279..5a901c23 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -61,4 +61,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 \ No newline at end of file + - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 94e85d2b..1df3e849 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -58,4 +58,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 \ No newline at end of file + - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index f9f4c310..6573e518 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -34,7 +34,7 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - notify: + notify: - update sysctl when: - rhel9cis_rule_1_5_3 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 7ba7bb48..577ea45a 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
@@ -65,7 +65,7 @@ - name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" package: name: dhcp-server - state: absent + state: absent when: - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" @@ -113,7 +113,7 @@ - name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" package: name: vsftpd - state: absent + state: absent when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" @@ -222,7 +222,7 @@ - name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" package: name: squid - state: absent + state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 52159bcb..a1941da8 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -32,7 +32,7 @@ - rsh - rule_2.3.2 -- name: "2.3.3 | PATCH | Ensure talk client is not installed" +- name: "2.3.3 | PATCH | Ensure talk client is not installed" package: name: talk state: absent diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index a80d340f..5db134ea 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -23,4 +23,4 @@ - manual - audit - services - - rule_2.4 \ No newline at end of file + - rule_2.4 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 731f10c1..8f79854d 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -10,4 +10,4 @@ import_tasks: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - import_tasks: cis_2.4.yml \ No newline at end of file + import_tasks: cis_2.4.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 5033e5a5..db3c0fd6 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -1,11 +1,11 @@ --- -# The CIS Control wants IPv6 disabled if not in use. +# The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - notify: + notify: - update sysctl - sysctl flush ipv6 route table when: @@ -88,4 +88,4 @@ - automated - patch - wireless - - rule_3.1.4 \ No newline at end of file + - rule_3.1.4 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index b7f0f6b5..46295ec4 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -5,7 +5,7 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index e6d4952a..139ca659 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -5,7 +5,7 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table @@ -30,7 +30,7 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table 
@@ -52,7 +52,7 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_3 @@ -65,7 +65,7 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_4 @@ -78,7 +78,7 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_5 @@ -91,7 +91,7 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_6 @@ -104,7 +104,7 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_7 
@@ -117,7 +117,7 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_8 @@ -133,7 +133,7 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index dee0f21d..0c392678 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,3 +1,4 @@ +--- - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" debug: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 9e8657ee..734b434a 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -168,4 +168,4 @@ - automated - patch - cron - - rule_5.1.9 \ No newline at end of file + - rule_5.1.9 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index bed1b282..10b18a70 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -54,7 +54,7 @@ with_items: - "system-auth" - "password-auth" - when: + when: - ansible_distribution_version <= "8.1" - rhel9cis_rule_5_5_2 @@ -67,7 +67,7 @@ with_items: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } - when: + when: - ansible_distribution_version >= "8.2" - rhel9cis_rule_5_5_2 
@@ -79,9 +79,9 @@ state: present line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - replace: + replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' @@ -97,15 +97,15 @@ block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" replace: - path: /etc/libuser.conf - regexp: '^crypt_style\s*=\s*.*$' - replace: 'crypt_style = sha512' - + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" replace: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD.*' - replace: 'ENCRYPT_METHOD SHA512' + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" replace: @@ -114,7 +114,7 @@ replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - replace: + replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 8d96b4b9..420ce12a 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -73,8 +73,8 @@ - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" user: - name: root - group: 0 + name: root + group: 0 when: - rhel9cis_rule_5_6_4 tags: diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 61612730..b6acabf8 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -4,4 +4,4 @@ import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - import_tasks: cis_6.2.x.yml \ No newline at end of file + import_tasks: cis_6.2.x.yml diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 8f9f4b77..69e59941 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,4 +1,4 @@ --- # OS Specific Settings -rpm_gpg_key: RPM-GPG-KEY-AlmaLinux \ No newline at end of file +rpm_gpg_key: RPM-GPG-KEY-AlmaLinux diff --git a/vars/is_container.yml b/vars/is_container.yml index 1a395919..32504ee3 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false rhel9cis_rule_1_1_3: false rhel9cis_rule_1_1_4: false rhel9cis_rule_1_1_5: false -#/var +# /var rhel9cis_rule_1_1_6: false # /var/tmp rhel9cis_rule_1_1_7: false From bb7869adadd4ffbdbc7595fa9ba08bb295c35291 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 13:06:46 +0100 Subject: [PATCH 070/454] fixed 4.2.1.5 cron settings Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 9670309b..d7385dea 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -150,7 +150,7 @@ blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" block: | # Cron settings to meet CIS standards cron.* /var/log/cron From e9d212437a34f6fcd30ace6009a6d956f5613b33 Mon Sep 17 00:00:00 2001 
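Review bot: The corrected `marker:` line has no comment recording why it must differ from the `"#{mark} Auth SETTINGS (ANSIBLE MANAGED)"` marker used by the other blockinfile task at line 142 of this same file, which is exactly the collision this commit repairs; blockinfile keys on the marker text, so two tasks sharing one marker replace each other's block on every run. Suggest adding above `marker:` the comment `# marker must be unique per blockinfile task in this file; a shared marker makes the later task overwrite the earlier block`. The task's `- name:` line and its `when:`/`tags:` keys lie outside the hunk, so I cannot confirm how the task is gated.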
From: Mark Bolwell Date: Tue, 5 Apr 2022 13:07:36 +0100 Subject: [PATCH 071/454] firewall pkgs to masked as default Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a0bf8639..b8e3d8b1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -485,13 +485,13 @@ rhel9cis_default_zone: public rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables -rhel9cis_nftables_firewalld_state: absent +rhel9cis_nftables_firewalld_state: masked rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true #### iptables -rhel9cis_iptables_firewalld_state: absent +rhel9cis_iptables_firewalld_state: masked # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | From 0b684a5d43e0738b3c7c238cc53e8e5f3c640e28 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 16:56:02 +0100 Subject: [PATCH 072/454] fix typo Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index d7385dea..6196c80f 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -142,7 +142,7 @@ marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" block: | # Private settings to meet CIS standards - auth,authpriv.* -/var/log/secure + auth,authpriv.* /var/log/secure insertafter: '#### RULES ####' notify: restart rsyslog From 21bd88bdac11f7f38888e661f8b7b955c2531948 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 16:56:12 +0100 Subject: [PATCH 073/454] fixed control Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
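Review bot: The two defaults switched to `masked` carry no comment stating their accepted values or what each value does, while the sibling `rhel9cis_firewalld_nftables_state` a few lines above at least notes what `absent` does; with three near-identically named `*_state` keys it is easy to confuse which firewall each one governs. Suggest above `rhel9cis_nftables_firewalld_state:` a comment such as `# state of firewalld when nftables is the chosen firewall: masked keeps the package but blocks the unit, absent removes the package`, and the equivalent wording above `rhel9cis_iptables_firewalld_state:`. I am inferring the meaning of these keys from their names and the neighbouring comment; confirm against the section 3.4 tasks that consume them.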
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 90bddb43..3537c48f 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -30,10 +30,10 @@
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access
 {% endif %}
 {% if rhel9cis_rule_4_1_3_8 %}
 -w /etc/group -p wa -k identity
From 783c45d622dd32184a43fba920c4e000e5840a01 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 5 Apr 2022 16:56:27 +0100
Subject: [PATCH 074/454] changed logic

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.6.x.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 420ce12a..a9eaf758 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
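Review bot: The third added rule (the `arch=b32 ... exit=-EACCES` line) still carries `-F auid!=-unset` with a stray `-` before `unset`, copied over unchanged from the removed line; `-unset` is not a value auditctl accepts for auid (it expects a uid, a user name or the literal `unset`), so that one rule is likely rejected when the rule set loads and 32-bit EACCES failures go unaudited while its three siblings load fine. Change it to `-F auid!=unset` to match the neighbouring lines. The switch from `-F key=access` to `-k access` is otherwise equivalent, so the commit's stated fix is not affected.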
@@ -90,14 +90,14 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + replace: 'UMASK 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + replace: 'UMASK 027' when: - rhel9cis_rule_5_6_5 tags: From c451f15546c2ece9aac4bb777278b2913e158adb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 15:42:05 +0100 Subject: [PATCH 075/454] audit vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 475 ++++++++++++++++------------ templates/ansible_vars_goss.yml.old | 429 +++++++++++++++++++++++++ 2 files changed, 708 insertions(+), 196 deletions(-) create mode 100644 templates/ansible_vars_goss.yml.old diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f10c74f9..35d3aa20 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
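Review bot: The new `regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]'` looks for upper-case `UMASK` in `/etc/bashrc` and `/etc/profile`, but those are shell scripts where the builtin is lower-case `umask` and the replace module matches case-sensitively, so the pattern will not hit the existing `umask 022`-style lines and control 5.6.5 is silently never applied; upper-case `UMASK` is the `/etc/login.defs` keyword. The new `replace: 'UMASK 027'` also discards the leading indentation that the removed `\1` back-reference preserved. In both tasks use `regexp: '^(\s*)umask\s+0[0-2][0-6]'` and `replace: '\1umask 027'`. The enclosing task block's `tags:` list continues past the end of the hunk.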
@@ -1,15 +1,17 @@ +## metadata for benchmark + ## metadata for Audit benchmark -benchmark_version: '1.0.1' +benchmark_version: '2.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS -is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} +# If run via script this is discovered and set +host_os_distribution: {{ ansible_distribution | lower }} -rhel9cis_os_distribution: {{ ansible_distribution | lower }} -# timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: {{ audit_cmd_timeout }} +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 60000 -# Taken from LE rhel8-cis +# Taken from LE rhel9-cis rhel9cis_section1: {{ rhel9cis_section1 }} rhel9cis_section2: {{ rhel9cis_section2 }} rhel9cis_section3: {{ rhel9cis_section3 }} 
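Review bot: `timeout_ms: 60000` hard-codes the value while the comment kept directly above it still reads `default = 10seconds/10000ms`, and the removed line took the value from `audit_cmd_timeout`, so the rendered file now contradicts its own comment and the timeout can no longer be tuned from the role's variables. Either restore `timeout_ms: {{ audit_cmd_timeout }}` or change the comment to `# timeout for each command to run where set - default = 60seconds/60000ms`. Whether `audit_cmd_timeout` is still defined elsewhere in the role is not visible from this hunk.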
@@ -22,84 +24,115 @@ rhel9cis_level_2: {{ rhel9cis_level_2 }} rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} - - -# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true + +# True is BIOS based system else set to false {% if rhel9cis_legacy_boot is defined %} rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} {% endif %} - rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} + # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. # Section 1 rules +# 1.1.1 Disable unused filesystems rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} -rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} -rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} -rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} -rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} -rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} -rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} -rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} -rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} +# 1.1.2 Configure /tmp +rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} +rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }} +rhel9cis_rule_1_1_2_3: {{ rhel9cis_rule_1_1_2_3 }} +rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }} +# 1.1.3 Configure /var +rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }} +rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }} +rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }} +rhel9cis_rule_1_1_3_4: {{ rhel9cis_rule_1_1_3_4 }} +# 1.1.4 Configure /var/tmp +rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }} +rhel9cis_rule_1_1_4_2: {{ 
rhel9cis_rule_1_1_4_2 }} +rhel9cis_rule_1_1_4_3: {{ rhel9cis_rule_1_1_4_3 }} +rhel9cis_rule_1_1_4_4: {{ rhel9cis_rule_1_1_4_4 }} +# 1.1.5 Configure /var/log +rhel9cis_rule_1_1_5_1: {{ rhel9cis_rule_1_1_5_1 }} +rhel9cis_rule_1_1_5_2: {{ rhel9cis_rule_1_1_5_2 }} +rhel9cis_rule_1_1_5_3: {{ rhel9cis_rule_1_1_5_3 }} +rhel9cis_rule_1_1_5_4: {{ rhel9cis_rule_1_1_5_4 }} +# 1.1.6 Configure /var/log/audit +rhel9cis_rule_1_1_6_1: {{ rhel9cis_rule_1_1_6_1 }} +rhel9cis_rule_1_1_6_2: {{ rhel9cis_rule_1_1_6_2 }} +rhel9cis_rule_1_1_6_3: {{ rhel9cis_rule_1_1_6_3 }} +rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }} +# 1.1.7 Configure /home +rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} +rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} +rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} +rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }} +rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }} +# 1.1.8 Configure /dev/shm +rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} +rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} +rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} +# 1.9 autofs rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} +# 1.10 usb-storage rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} -rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} -rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} -rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} -rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} -rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} -rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} -rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} -rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} -rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} -rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} -rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} -rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} -rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} +# 1.2 Configure Software Updates rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if 
Redhat and Subscribed rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} -rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} +# 1.3 Filesystem Integrity Checking rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} -rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} +# 1.4 Secure Boot Settings rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} +# 1.5 Additional Process Hardening rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} - -rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} -rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} -rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} -rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} -rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} -rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} -rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} -rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} -rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} -rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} -rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} -rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} -rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +# 1.6 Mandatory Access Control +rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} +rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} +rhel9cis_rule_1_6_3: {{ rhel9cis_rule_1_6_3 }} +rhel9cis_rule_1_6_4: {{ rhel9cis_rule_1_6_4 }} +rhel9cis_rule_1_6_5: {{ rhel9cis_rule_1_6_5 }} +rhel9cis_rule_1_6_6: {{ rhel9cis_rule_1_6_6 }} +rhel9cis_rule_1_6_7: {{ rhel9cis_rule_1_6_7 }} +rhel9cis_rule_1_6_8: {{ rhel9cis_rule_1_6_8 }} +# 1.7 Command Line Warning Banners +rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} +rhel9cis_rule_1_7_2: {{ 
rhel9cis_rule_1_7_2 }} +rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }} +rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }} +rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }} +rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }} +rhel9cis_rule_1_7_7: {{ rhel9cis_rule_1_7_7 }} +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_7_8 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_1 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_3 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_4 }} +# 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} +# Ensure system-wide crypto policy is not legacy rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} -# section 2 rules +# section 2 +# Services +# 2.1 Time Synchronization rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} -rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} -rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} +rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }} +# 2.2 Special Purpose Services +rhel9cis_rule_2_2_1: {{ rhel9cis_rule_2_2_1 }} rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} 
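Review bot: The five `rhel9cis_rule_1_8_N` keys at the end of the section-1 block are each rendered from the preceding variable rather than their own — `rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_7_8 }}`, `rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_1 }}`, and so on through `rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_4 }}` — so every 1.8 audit toggle would take its neighbour's value, and `rhel9cis_rule_1_7_8` appears nowhere else in the hunk (the 1.7 keys stop at `_1_7_7`). Unless the role deliberately defines the 1.8 rules under shifted names, these should read `rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }}` through `rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }}`. The `# 1.9 autofs` and `# 1.10 usb-storage` comments above `rhel9cis_rule_1_1_9` and `rhel9cis_rule_1_1_10` also drop the `1.1.` prefix and read as section 1.9/1.10 headings.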
@@ -117,74 +150,138 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} +rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }} +rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }} +# 2.3 service clients rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} +rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} +rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} +rhel9cis_rule_2_4: true # todo # Section 3 rules +# 3.1 Disable unused network protocols and devices rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} +rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} +rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }} +# 3.2 Network Parameters (Host Only) rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} -rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} -rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} -rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} -rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} -rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} -rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} -rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} +# 3.3 Network Parameters (Host and Router) rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} +rhel9cis_rule_3_3_5: {{ rhel9cis_rule_3_3_5 }} +rhel9cis_rule_3_3_6: {{ rhel9cis_rule_3_3_6 }} +rhel9cis_rule_3_3_7: {{ rhel9cis_rule_3_3_7 }} +rhel9cis_rule_3_3_8: {{ rhel9cis_rule_3_3_8 }} +rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }} +# 3.4.1 Configure firewalld rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} +rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} +rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }} 
+rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }} +rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }} +rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }} +rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }} +# 3.4.1 Configure nftables rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} -rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} -rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} - - -# Section 4 rules +rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} +rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} +rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} +rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} +rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} +# 3.4.3.1 Configure iptables +rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }} +rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }} +rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }} +# 3.4.3.2 iptables ipv4 +rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }} +rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }} +rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }} +rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }} +rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }} +rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }} +# 3.4.3.2 iptables ipv6 +rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }} +rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }} +rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }} +rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }} +rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }} +rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }} + + +# Section 4 rules +# 4.1 Configure System Accounting rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} 
rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} + +# 4.1.2 Configure Data retention rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} -rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} -rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} -rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} -rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} -rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} -rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} -rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} -rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }} -rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} -rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} -rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} -rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} -rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} -rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} -rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} + +# 4.1.3 Configure auditd rules +rhel9cis_rule_4_1_3_1: {{ rhel9cis_rule_4_1_3_1 }} +rhel9cis_rule_4_1_3_2: {{ rhel9cis_rule_4_1_3_2 }} +rhel9cis_rule_4_1_3_3: {{ rhel9cis_rule_4_1_3_3 }} +rhel9cis_rule_4_1_3_4: {{ rhel9cis_rule_4_1_3_4 }} +rhel9cis_rule_4_1_3_5: {{ rhel9cis_rule_4_1_3_5 }} +rhel9cis_rule_4_1_3_6: {{ rhel9cis_rule_4_1_3_6 }} +rhel9cis_rule_4_1_3_7: {{ rhel9cis_rule_4_1_3_7 }} +rhel9cis_rule_4_1_3_8: {{ rhel9cis_rule_4_1_3_8 }} +rhel9cis_rule_4_1_3_9: {{ rhel9cis_rule_4_1_3_9 }} +rhel9cis_rule_4_1_3_10: {{ rhel9cis_rule_4_1_3_10 }} +rhel9cis_rule_4_1_3_11: {{ rhel9cis_rule_4_1_3_11 }} +rhel9cis_rule_4_1_3_12: {{ rhel9cis_rule_4_1_3_12 }} +rhel9cis_rule_4_1_3_13: {{ rhel9cis_rule_4_1_3_13 }} +rhel9cis_rule_4_1_3_14: {{ rhel9cis_rule_4_1_3_14 }} +rhel9cis_rule_4_1_3_15: {{ rhel9cis_rule_4_1_3_15 }} +rhel9cis_rule_4_1_3_16: {{ rhel9cis_rule_4_1_3_16 }} +rhel9cis_rule_4_1_3_17: {{ rhel9cis_rule_4_1_3_17 }} +rhel9cis_rule_4_1_3_18: {{ 
rhel9cis_rule_4_1_3_18 }} +rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }} +rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} +rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} + +# 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} +rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} -rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} +rhel9cis_rule_4_2_1_7: {{ rhel9cis_rule_4_2_1_7 }} + +# 4.2.2 Configure journald +rhel9cis_rule_4_2_2_1_1: {{ rhel9cis_rule_4_2_2_1_1 }} +rhel9cis_rule_4_2_2_1_2: {{ rhel9cis_rule_4_2_2_1_2 }} +rhel9cis_rule_4_2_2_1_3: {{ rhel9cis_rule_4_2_2_1_3 }} +rhel9cis_rule_4_2_2_1_4: {{ rhel9cis_rule_4_2_2_1_4 }} rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} +rhel9cis_rule_4_2_2_4: {{ rhel9cis_rule_4_2_2_4 }} +rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }} +rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }} +rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} # Section 5 +# Authentication and Authorization +# 5.1 Configure time-based job schedulers rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} @@ -194,6 +291,7 @@ rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} +# 5.2 Configure SSH Server rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} 
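Review bot: `rhel9cis_rule_4_2_1_2` is defined twice in the rsyslog block — once as `{{ rhel9cis_rule_4_2_1_2 }}` and again on the added line `rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }}` — and duplicate keys are invalid YAML that most loaders resolve silently last-wins, so the 4.2.1.2 audit toggle would take 4.2.1.3's value. The added line should be dropped, since `rhel9cis_rule_4_2_1_3` already has its own entry directly below. Two section comments in the same hunk are also mislabelled (`# 3.4.1 Configure nftables` sits above the `3_4_2_*` keys and `# 3.4.3.2 iptables ipv6` above the `3_4_3_3_*` keys), and `rhel9cis_rule_2_4: true # todo` hard-codes a toggle that every other rule in the file templates from the role variable.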
@@ -214,31 +312,41 @@ rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} - +# 5.3 Configure privilege escalation rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} +rhel9cis_rule_5_3_4: {{ rhel9cis_rule_5_3_4 }} +rhel9cis_rule_5_3_5: {{ rhel9cis_rule_5_3_5 }} +rhel9cis_rule_5_3_6: {{ rhel9cis_rule_5_3_6 }} +rhel9cis_rule_5_3_7: {{ rhel9cis_rule_5_3_7 }} + +# 5.4 Configure authselect rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} -rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} -rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} - -rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} -rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} -rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} -rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} -rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} +# 5.5 Configure PAM +rhel9cis_rule_5_5_1: {{ rhel9cis_rule_5_5_1 }} rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} -rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} -rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} -rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} +# 5.6 User Accounts and Environment +# 5.6.1 Set Shadow Password Suite Parameters +rhel9cis_rule_5_6_1_1: {{ rhel9cis_rule_5_6_1_1 }} +rhel9cis_rule_5_6_1_2: {{ rhel9cis_rule_5_6_1_2 }} +rhel9cis_rule_5_6_1_3: {{ rhel9cis_rule_5_6_1_3 }} +rhel9cis_rule_5_6_1_4: {{ rhel9cis_rule_5_6_1_4 }} +rhel9cis_rule_5_6_1_5: {{ rhel9cis_rule_5_6_1_5 }} +rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }} +rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }} +rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }} +rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }} # Section 6 +# 6 System Maintenance +# 6.1 
System File Permissions rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} @@ -253,7 +361,9 @@ rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} +rhel9cis_rule_6_1_15: {{ rhel9cis_rule_6_1_15 }} +# 6.2 User and Group Settings rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }} rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} 
@@ -270,160 +380,133 @@ rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} -rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} -rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} -rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} -rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} +############ + +# Section 1 + +# AIDE +rhel9cis_config_aide: {{ rhel9cis_config_aide }} -# Service configuration booleans set true to keep service +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: {{ rhel9cis_gui }} + +# Warning Banner Content (issue, issue.net, motd) +rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} +# End Banner + +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# Section 2 +## 2.2 Special Purposes +# Set to 'true' if X Windows is needed in your environment +rhel9cis_xwindows_required: false +### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftp_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} -rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} +rhel9cis_imap_server: {{ rhel9cis_imap_server }} rhel9cis_samba_server: {{ rhel9cis_samba_server }} rhel9cis_squid_server: {{ rhel9cis_squid_server }} rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} rhel9cis_nis_server: {{ rhel9cis_nis_server }} 
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} - -rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} - -# client services +# Note the options +# Packages are used for client services and Server- only remove if you dont use the client service +# +rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs.server }} +rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs.service }} +rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc.server }} +rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc.service }} +rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync.server }} +rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync.service }} + +#### 2.3 Service clients rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_openldap_clients_required: {{ openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} +# Section 3 - - -# AIDE -rhel9cis_config_aide: {{ rhel9cis_config_aide }} - -# aide setup via - cron, timer -rhel9_aide_scan: cron - -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: {{ rhel9cis_aide_cron.cron_user }} - cron_file: '{{ rhel9cis_aide_cron.cron_file }}' - aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' - aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' - aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' - aide_day: '{{ rhel9cis_aide_cron.aide_day }}' - aide_month: '{{ rhel9cis_aide_cron.aide_month }}' - aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' - -# 1.5.1 Bootloader password -rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} - -# 1.10 
crypto -rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} - -# Warning Banner Content (issue, issue.net, motd) -rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} -# End Banner - - -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: {{ rhel9cis_gui }} - -# xinetd required -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} - -# IPv6 required +## IPv6 required rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} -# System network parameters (host only OR host and router) +## 3.2 System network parameters (host only OR host and router) rhel9cis_is_router: {{ rhel9cis_is_router }} - +## Section 3.4 +### Firewall rhel9cis_firewall: {{ rhel9cis_firewall }} -#rhel9cis_firewall: iptables -rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewall_interface: -- enp0s3 -- enp0s8 - -rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - - -### Section 4 -## auditd settings -rhel9cis_auditd: - space_left_action: {{ rhel9cis_auditd.space_left_action}} - action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} - admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} - max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} +##### firewalld +rhel9cis_default_zone: {{ rhel9cis_default_zone }} +rhel9cis_firewalld_nftables_state: {{ rhel9cis_firewalld_nftables_state }} # Note if absent removes the firewalld pkg dependancy +#### nftables +rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} +rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} +rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} +rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} +#### iptables +rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }} + +# Section 4 ## syslog -rhel9_cis_rsyslog: true +rhel9_cis_rsyslog: {{ rhel9cis_syslog }} -### 
Section 5 +# Section 5 +## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false -#Note the following to understand precedence and layout rhel9cis_sshd_access: - AllowUser: - AllowGroup: - DenyUser: - DenyGroup: + - AllowUser + - AllowGroup + - DenyUser + - DenyGroup + +## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above +rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} + +## 5.3.2 Authselect select false if using AD or RHEL ID mgmt +rhel9cis_authselect: + custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} + default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} -rhel9cis_ssh_aliveinterval: "300" -rhel9cis_ssh_countmax: "3" -rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} +## 5.4.1 Enable automation to create custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} +# 5.5.1 ## PAM rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password.minlen }} minclass: {{ rhel9cis_pam_password.minclass }} rhel9cis_pam_passwd_retry: "3" -# faillock or tally2 -rhel9cis_accountlock: faillock - -## note this is to skip tests -skip_rhel9cis_pam_passwd_auth: true -skip_rhel9cis_pam_system_auth: true -# choose one of below +## 5.5.3 choose one of below rhel9cis_pwhistory_so: "14" -rhel9cis_unix_so: false rhel9cis_passwd_remember: "5" -# logins.def password settings +## 5.6.x login.defs password settings rhel9cis_pass: max_days: {{ rhel9cis_pass.max_days }} min_days: {{ rhel9cis_pass.min_days }} warn_age: {{ rhel9cis_pass.warn_age }} -# 5.3.1/5.3.2 Custon authselect profile settings. 
Settings in place now will fail, they are place holders from the control example -rhel9cis_authselect: - custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} - options: {{ rhel9cis_authselect.options }} - -# 5.3.1 Enable automation to creat custom profile settings, using the setings above -rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} - -# 5.3.2 Enable automation to select custom profile options, using the settings above -rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} +## 5.3.7 set sugroup if differs from wheel +rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} -# 5.7 -rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} +## 5.3.7 sugroup users list +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} \ No newline at end of file diff --git a/templates/ansible_vars_goss.yml.old b/templates/ansible_vars_goss.yml.old new file mode 100644 index 00000000..f10c74f9 --- /dev/null +++ b/templates/ansible_vars_goss.yml.old 
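Review bot: The new `rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs.server }}` lines (and the rpc/rsync pairs beside them) dereference `rhel9cis_use_nfs.server` as a mapping attribute, but the role defaults shown later on this page (commit 076, `defaults/main.yml`) define `rhel9cis_use_nfs` as a list of single-key dicts before that commit and as flat `rhel9cis_use_nfs_server`/`_service` keys after it, so in either state the lookup is undefined and the goss vars template fails to render. Two more references on the new side look like typos: `rhel9cis_vsftpd_server: {{ rhel9cis_vsftp_server }}` drops the `d` of the old name and `rhel9cis_openldap_clients_required: {{ openldap_clients_required }}` drops the `rhel9cis_` prefix; unless those names exist elsewhere they should read `{{ rhel9cis_vsftpd_server }}` and `{{ rhel9cis_openldap_clients_required }}`. `rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}` is an unquoted templated scalar, so a banner containing `: ` or ` #` produces invalid YAML; `rhel9cis_warning_banner: {{ rhel9cis_warning_banner | to_json }}` keeps the rendered value a proper quoted string. The hunk also ends with `\ No newline at end of file`, which the old file did not.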
@@ -0,0 +1,429 @@ +## metadata for Audit benchmark +benchmark_version: '1.0.1' + +# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS +is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} + +rhel9cis_os_distribution: {{ ansible_distribution | lower }} + +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: {{ audit_cmd_timeout }} + +# Taken from LE rhel8-cis +rhel9cis_section1: {{ rhel9cis_section1 }} +rhel9cis_section2: {{ rhel9cis_section2 }} +rhel9cis_section3: {{ rhel9cis_section3 }} +rhel9cis_section4: {{ rhel9cis_section4 }} +rhel9cis_section5: {{ rhel9cis_section5 }} +rhel9cis_section6: {{ rhel9cis_section6 }} + +rhel9cis_level_1: {{ rhel9cis_level_1 }} +rhel9cis_level_2: {{ rhel9cis_level_2 }} + +rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} + + + +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +run_heavy_tests: true +{% if rhel9cis_legacy_boot is defined %} +rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} +{% endif %} + + +rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} +# These variables correspond with the CIS rule IDs or paragraph numbers defined in +# the CIS benchmark documents. +# PLEASE NOTE: These work in coordination with the section # group variables and tags. +# You must enable an entire section in order for the variables below to take effect. 
+# Section 1 rules +rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} +rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} +rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} +rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} +rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} +rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} +rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} +rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} +rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} +rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} +rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} +rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} +rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} +rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} +rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} +rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} +rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} +rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} +rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} +rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} +rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} +rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} +rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} +rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} +rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} +rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} +rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed +rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} +rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} +rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} +rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} +rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} +rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} +rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} +rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} +rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} +rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} +rhel9cis_rule_1_5_2: {{ 
rhel9cis_rule_1_5_2 }} +rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} + +rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} +rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} +rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} +rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} +rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} +rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} +rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} +rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} +rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} +rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} +rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} +rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} +rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} +rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} + + +# section 2 rules +rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} +rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} +rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} +rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} +rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} +rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} +rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }} +rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }} +rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }} +rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }} +rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }} +rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }} +rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }} +rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }} +rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }} +rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }} +rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} +rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} +rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} +rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} +rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} +rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} 
+rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} + + +# Section 3 rules +rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} +rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} +rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} +rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} +rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} +rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} +rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} +rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} +rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} +rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} +rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} +rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} +rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} +rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} +rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} +rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} +rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} +rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} +rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} +rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} +rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} +rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} +rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} +rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} + + +# Section 4 rules +rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} +rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} +rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} +rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} +rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} +rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} +rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} +rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} +rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} +rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} +rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} +rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} +rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} +rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} +rhel9cis_rule_4_1_10: {{ 
rhel9cis_rule_4_1_10 }} +rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} +rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} +rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} +rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} +rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} +rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} +rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} +rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} +rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} +rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} +rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} +rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} +rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} +rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} +rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} +rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} +rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} +rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + +# Section 5 +rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} +rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} +rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} +rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }} +rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} +rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} +rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} +rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} + +rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} +rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} +rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} +rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }} +rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }} +rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }} +rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }} +rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }} +rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }} +rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }} +rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }} +rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }} +rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }} +rhel9cis_rule_5_2_14: {{ 
rhel9cis_rule_5_2_14 }} +rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }} +rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }} +rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} +rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} +rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} +rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} + +rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} +rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} +rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} + +rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} +rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} +rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} +rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} + +rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} +rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} +rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} +rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} +rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} + +rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} +rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} +rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} +rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} + +rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} +rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} + +# Section 6 +rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} +rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} +rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} +rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }} +rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }} +rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }} +rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }} +rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }} +rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }} +rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }} +rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} +rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} +rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} +rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} + +rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} +rhel9cis_rule_6_2_2: {{ 
rhel9cis_rule_6_2_2 }} +rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} +rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }} +rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }} +rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }} +rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }} +rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }} +rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }} +rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }} +rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }} +rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }} +rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} +rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} +rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} +rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} +rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} +rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} +rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} +rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} + + +# Service configuration booleans set true to keep service +rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} +rhel9cis_cups_server: {{ rhel9cis_cups_server }} +rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} +rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} +rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} +rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} +rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} +rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} +rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} + + +rhel9cis_allow_autofs: {{ 
rhel9cis_allow_autofs }} + +# client services +rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} + + + + +# AIDE +rhel9cis_config_aide: {{ rhel9cis_config_aide }} + +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# AIDE cron settings +rhel9cis_aide_cron: + cron_user: {{ rhel9cis_aide_cron.cron_user }} + cron_file: '{{ rhel9cis_aide_cron.cron_file }}' + aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' + aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' + aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' + aide_day: '{{ rhel9cis_aide_cron.aide_day }}' + aide_month: '{{ rhel9cis_aide_cron.aide_month }}' + aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' + +# 1.5.1 Bootloader password +rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} +rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} + +# 1.10 crypto +rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} + +# Warning Banner Content (issue, issue.net, motd) +rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} +# End Banner + + +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: {{ rhel9cis_gui }} + +# xinetd required +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} + +# IPv6 required +rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} + +# System network parameters (host only OR host and router) +rhel9cis_is_router: {{ rhel9cis_is_router }} + + +rhel9cis_firewall: {{ rhel9cis_firewall }} +#rhel9cis_firewall: iptables +rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} +rhel9cis_firewall_interface: +- enp0s3 +- enp0s8 + +rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} + + +### Section 4 +## auditd settings 
+rhel9cis_auditd: + space_left_action: {{ rhel9cis_auditd.space_left_action}} + action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} + admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} + max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} + auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} + +## syslog +rhel9_cis_rsyslog: true + +### Section 5 +rhel9cis_sshd_limited: false +#Note the following to understand precedence and layout +rhel9cis_sshd_access: + AllowUser: + AllowGroup: + DenyUser: + DenyGroup: + +rhel9cis_ssh_aliveinterval: "300" +rhel9cis_ssh_countmax: "3" + +rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} + +## PAM +rhel9cis_pam_password: + minlen: {{ rhel9cis_pam_password.minlen }} + minclass: {{ rhel9cis_pam_password.minclass }} +rhel9cis_pam_passwd_retry: "3" +# faillock or tally2 +rhel9cis_accountlock: faillock + +## note this is to skip tests +skip_rhel9cis_pam_passwd_auth: true +skip_rhel9cis_pam_system_auth: true + +# choose one of below +rhel9cis_pwhistory_so: "14" +rhel9cis_unix_so: false +rhel9cis_passwd_remember: "5" + +# logins.def password settings +rhel9cis_pass: + max_days: {{ rhel9cis_pass.max_days }} + min_days: {{ rhel9cis_pass.min_days }} + warn_age: {{ rhel9cis_pass.warn_age }} + +# 5.3.1/5.3.2 Custon authselect profile settings. 
Settings in place now will fail, they are place holders from the control example +rhel9cis_authselect: + custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} + default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} + options: {{ rhel9cis_authselect.options }} + +# 5.3.1 Enable automation to creat custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} + +# 5.3.2 Enable automation to select custom profile options, using the settings above +rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} + +# 5.7 +rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} From 7374c37510d31301d939384d1335d4d61e462f2e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:31:57 +0100 Subject: [PATCH 076/454] updates var naming Signed-off-by: Mark Bolwell --- defaults/main.yml | 24 ++++++++++++------------ tasks/section_2/cis_2.2.x.yml | 24 ++++++++++++------------ 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b8e3d8b1..21f70b0b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -453,15 +453,15 @@ rhel9cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service # -rhel9cis_use_nfs: - - service: false - - server: false -rhel9_use_rpc: - - service: false - - server: false -rhel9cis_use_rsync: - - service: false - - server: false + +rhel9cis_use_nfs_server: false +rhel9cis_use_nfs_service: false + +rhel9cis_use_rpc_server: false +rhel9cis_use_rpc_service: false + +rhel9cis_use_rsync_server: false +rhel9cis_use_rsync_service: false #### 2.3 Service clients rhel9cis_ypbind_required: false 
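Review bot: `templates/ansible_vars_goss.yml.old` is a 429-line stale copy of the goss vars template added as a new file; a backup next to the live `.j2` is dead weight that nothing in the role can template from, and git history already preserves the old content, so it should not be committed. It also still carries `rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }}`, which if ever rendered writes the GRUB password hash into the audit vars file on the target, a line the live template in the previous hunk has already dropped. Minor: `rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %}` renders capitalised `True`/`False` while every other rule line renders lowercase booleans.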
@@ -592,9 +592,9 @@ rhel9cis_rsyslog_ansiblemanaged: true # 5.5.1 ## PAM -rhel9cis_pam_password: | - minlen = 14 - minclass = 4 +rhel9cis_pam_password: + minlen: 14 + minclass: 4 rhel9cis_pam_faillock: remember: 5 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 577ea45a..00a61efe 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -310,8 +310,8 @@ name: nfs-utils state: absent when: - - not rhel9cis_use_nfs.server - - not rhel9cis_use_nfs.service + - not rhel9cis_use_nfs_server + - not rhel9cis_use_nfs_service - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" systemd: @@ -319,8 +319,8 @@ masked: true state: stopped when: - - not rhel9cis_use_nfs.server - - rhel9cis_use_nfs.service + - not rhel9cis_use_nfs_server + - rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_18 @@ -342,8 +342,8 @@ name: rpcbind state: absent when: - - not rhel9cis_use_rpc.server - - not rhel9cis_use_rpc.service + - not rhel9cis_use_rpc_server + - not rhel9cis_use_rpc_service - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" systemd: @@ -351,8 +351,8 @@ masked: true state: stopped when: - - rhel9cis_use_rpc.server - - not rhel9cis_use_rpc.service + - rhel9cis_use_rpc_server + - not rhel9cis_use_rpc_service when: - "'rpcbind' in ansible_facts.packages" - rhel9cis_rule_2_2_19 @@ -373,8 +373,8 @@ name: rsync state: absent when: - - not rhel9cis_use_rsync.server - - not rhel9cis_use_rsync.service + - not rhel9cis_use_rsync_server + - not rhel9cis_use_rsync_service - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" systemd: 
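Review bot: Flattening to `rhel9cis_use_nfs_server`/`rhel9cis_use_nfs_service` (and the rpc/rsync pairs) fixes the old list-of-dicts shape, which could never satisfy a `.server` attribute lookup, but `templates/ansible_vars_goss.yml.j2` earlier on this page still reads `{{ rhel9cis_use_nfs.server }}`, `{{ rhel9cis_use_rpc.server }}` and `{{ rhel9cis_use_rsync.server }}`; unless a later commit updates that template, the audit vars render fails on undefined variables. The previous `rhel9_use_rpc` name (missing `cis`) is silently corrected here, so any inventory that set the old key now has its value ignored without warning; a line in the changelog or a `# renamed from rhel9_use_rpc` comment would flag that for operators.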
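Review bot: The mask-service conditions are not symmetric across the three services after the rename in `tasks/section_2/cis_2.2.x.yml`: 2.2.18 masks nfs-server when `not rhel9cis_use_nfs_server` and `rhel9cis_use_nfs_service`, whereas 2.2.19 and 2.2.20 mask rpcbind/rsyncd when `rhel9cis_use_rpc_server` / `rhel9cis_use_rsync_server` is true and the matching `_service` flag is false. If `_server` means "keep the daemon", as the nfs branch and the defaults comment suggest, the rpc and rsync branches mask the daemon exactly when the operator asked to keep it; the rpc lines would then read `- not rhel9cis_use_rpc_server` / `- rhel9cis_use_rpc_service`, and likewise for rsync in the 2.2.20 hunk that continues on the next line. This inversion was present in the pre-rename conditions, so it may be pre-existing rather than introduced here, but the rename is the moment to settle it and to state the intended semantics in a comment above the `when:` lists.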
@@ -382,8 +382,8 @@ masked: true state: stopped when: - - rhel9cis_use_rsync.server - - not rhel9cis_use_rsync.service + - rhel9cis_use_rsync_server + - not rhel9cis_use_rsync_service when: - "'rsync' in ansible_facts.packages" - rhel9cis_rule_2_2_20 From 9c771e03e4944663cf290563f8bc565c46e96b19 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:14 +0100 Subject: [PATCH 077/454] use new var name Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 10b18a70..3aaf27b0 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -3,10 +3,14 @@ - name: "5.5.1 | PATCH | " block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - blockinfile: + lineinfile: path: /etc/security/pwquality.conf - marker: "" - block: "{{ rhel9cis_pam_password }}" + state: present + regexp: ^{{ item.name }} + line: "{{ item.name }} = {{ item.value }}" + with_items: + - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } + - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: From e4275b21316c82e3e00f57641056ad6bdb65d931 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:25 +0100 Subject: [PATCH 078/454] updated conditional Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index b7b50331..7c25ff2a 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
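Review bot: `regexp: ^{{ item.name }}` in the new lineinfile task for 5.5.1 matches any line beginning with `minlen`/`minclass`, including longer keys sharing the prefix, and leaves the Jinja expression unquoted inside YAML; `regexp: '^\s*{{ item.name }}\s*='` anchors on the assignment and makes the quoting explicit. Since pwquality.conf typically ships these keys commented out, the regexp will not match the vendor lines and the new settings are appended at end of file, which is correct but worth a one-line comment such as `# appended; commented vendor defaults are left untouched` so the next reader does not suspect a missed match. `with_items` still works, but `loop:` is the current idiom and the role's other tasks may already use it.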
@@ -23,18 +23,15 @@ name: "{{ item }}" state: stopped enabled: false - with_items: - - iptables - - ip6tables - when: item in ansible_facts.packages - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: name: iptables-services state: absent - when: "'iptables-services' in ansible_facts.packages" + when: when: - rhel9cis_rule_3_4_1_2 + - "'iptables-services' in ansible_facts.packages" tags: - level1-server - level1-workstation From ae6b6866e0892ad3aa94bbc7b4c501d67fb0a2f5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:36 +0100 Subject: [PATCH 079/454] fix typo Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 3537c48f..7abe895b 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -32,7 +32,7 @@ {% if rhel9cis_rule_4_1_3_7 %} -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access {% endif %} {% if rhel9cis_rule_4_1_3_8 %} From e27e5276e4d9426a624ce1c01bb43f87d1dcf941 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:53 +0100 Subject: [PATCH 080/454] updated 
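Review bot: After this hunk the service task at the top still has `name: "{{ item }}"`, but its `with_items:` (iptables, ip6tables) and per-item `when:` were removed, so nothing visible supplies `item` and the task would fail with an undefined variable whenever the block runs; the task header is above the hunk, so a loop defined there is not ruled out, but none is visible. The new bare `when:` on the 3.4.1.2 package task, left where the old string conditional was, also looks like a leftover: an empty conditional sitting next to the block-level `when:` that now carries the package check. Either restore `loop: [iptables, ip6tables]` with `when: item in ansible_facts.packages` on the service task or drop that task as well, and delete the stray `when:` line.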
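Review bot: The typo fixed here (`auid!=-unset`) shows the b64/b32 rule pairs are maintained by hand and drift; since each pair differs only in `arch=`, the shared filter tail `-F auid>={{ min_int_uid }} -F auid!=unset -k access` could be set once in a Jinja variable at the top of the template and reused by both lines. A malformed rule like this is only caught when auditd loads the file, never by the YAML or Jinja render, so a header comment in the template reminding that a test host should confirm the rendered set loads (`auditctl -l` after apply) would document the check that would have caught it.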
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 56 +++++++++++++++--------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 35d3aa20..e3ca2243 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -99,14 +99,14 @@ rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} # 1.6 Mandatory Access Control -rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} -rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} -rhel9cis_rule_1_6_3: {{ rhel9cis_rule_1_6_3 }} -rhel9cis_rule_1_6_4: {{ rhel9cis_rule_1_6_4 }} -rhel9cis_rule_1_6_5: {{ rhel9cis_rule_1_6_5 }} -rhel9cis_rule_1_6_6: {{ rhel9cis_rule_1_6_6 }} -rhel9cis_rule_1_6_7: {{ rhel9cis_rule_1_6_7 }} -rhel9cis_rule_1_6_8: {{ rhel9cis_rule_1_6_8 }} +rhel9cis_rule_1_6_1_1: {{ rhel9cis_rule_1_6_1_1 }} +rhel9cis_rule_1_6_1_2: {{ rhel9cis_rule_1_6_1_2 }} +rhel9cis_rule_1_6_1_3: {{ rhel9cis_rule_1_6_1_3 }} +rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} +rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} +rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} +rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} +rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} 
@@ -114,12 +114,12 @@ rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }} rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }} rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }} rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }} -rhel9cis_rule_1_7_7: {{ rhel9cis_rule_1_7_7 }} -rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_7_8 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_1 }} -rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_2 }} -rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_3 }} -rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_4 }} +# 1.8 Gnome Display Manager +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy @@ -409,7 +409,7 @@ rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} 
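Review bot: The corrected 1.8 block still hand-pairs each goss key with the role variable of the same name, which is exactly how the off-by-one this hunk fixes (`rhel9cis_rule_1_8_1` being fed `rhel9cis_rule_1_7_8`, so the audit checked the wrong toggle) crept in. A `{% for rule in [...] %}` over the rule ids emitting `rhel9cis_rule_{{ rule }}: {{ lookup('vars', 'rhel9cis_rule_' ~ rule) }}` makes the two sides identical by construction; until then a comment above the section stating that these keys must mirror defaults/main.yml one-to-one would help. The same applies to the 1.6.1.x renames in the previous hunk.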
@@ -425,19 +425,19 @@ rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} # Note the options # Packages are used for client services and Server- only remove if you dont use the client service # -rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs.server }} -rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs.service }} -rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc.server }} -rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc.service }} -rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync.server }} -rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync.service }} +rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs_server }} +rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs_service }} +rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc_server }} +rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc_service }} +rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }} +rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} #### 2.3 Service clients rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_openldap_clients_required: {{ openldap_clients_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} # Section 3 @@ -482,7 +482,7 @@ rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile ## 5.3.2 Authselect select false if using AD or RHEL ID mgmt rhel9cis_authselect: custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} + default_file_to_copy: {{ rhel9cis_authselect['default_file_to_copy'] }} ## 5.4.1 Enable automation to create custom profile settings, using the setings above 
@@ -491,8 +491,8 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile # 5.5.1 ## PAM rhel9cis_pam_password: - minlen: {{ rhel9cis_pam_password.minlen }} - minclass: {{ rhel9cis_pam_password.minclass }} + minlen: {{ rhel9cis_pam_password['minlen'] }} + minclass: {{ rhel9cis_pam_password['minclass'] }} rhel9cis_pam_passwd_retry: "3" ## 5.5.3 choose one of below @@ -501,9 +501,9 @@ rhel9cis_passwd_remember: "5" ## 5.6.x login.defs password settings rhel9cis_pass: - max_days: {{ rhel9cis_pass.max_days }} - min_days: {{ rhel9cis_pass.min_days }} - warn_age: {{ rhel9cis_pass.warn_age }} + max_days: {{ rhel9cis_pass['max_days'] }} + min_days: {{ rhel9cis_pass['min_days'] }} + warn_age: {{ rhel9cis_pass['warn_age'] }} ## 5.3.7 set sugroup if differs from wheel rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} From 02d686f920352ccac596a5b19bedb50a85045c59 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:38:24 +0100 Subject: [PATCH 081/454] removed default state Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 3aaf27b0..9b4c7d33 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -5,7 +5,6 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" lineinfile: path: /etc/security/pwquality.conf - state: present regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" with_items: @@ -15,7 +14,6 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: path: /etc/pam.d/system-auth - state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' 
@@ -23,7 +21,6 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: path: /etc/pam.d/password-auth - state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' @@ -40,7 +37,6 @@ - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" lineinfile: path: /etc/pam.d/{{ item }} - state: present regexp: '^auth\s*required\s*pam_faillock.so preauth' line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" insertafter: '^#?auth ?' @@ -51,7 +47,6 @@ - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" lineinfile: path: /etc/pam.d/{{ item }} - state: present regexp: '^auth\s*required\s*pam_faillock.so authfail' line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" insertafter: '^#?auth ?' @@ -65,7 +60,6 @@ - name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " lineinfile: path: /etc/security/faillock.conf - state: present regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: @@ -80,7 +74,6 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" lineinfile: path: /etc/pam.d/system-auth - state: present line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' 
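Review bot: The 5.5.3 pwhistory task in the last hunk has no `regexp`, so with only `line` and `insertafter` it is idempotent for the exact line text and nothing else: changing `rhel9cis_pam_faillock.remember` later inserts a second `pam_pwhistory.so` line instead of replacing the first, leaving the stale value in the PAM stack. Adding `regexp: '^password\s+requisite\s+pam_pwhistory\.so'`, in line with the sibling pwquality tasks, makes the edit converge; dropping `state: present` throughout is fine since it is the module default. The enclosing block starts outside the hunk.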
From 82d1d185043e60bff7da7cdb252caaa83353f93b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:58:03 +0100 Subject: [PATCH 082/454] consistent lineinfile usage Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 ++-- tasks/section_1/cis_1.1.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 2 +- tasks/section_2/cis_2.1.x.yml | 3 +- tasks/section_2/cis_2.2.x.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 1 - tasks/section_4/cis_4.1.2.x.yml | 9 ++--- tasks/section_4/cis_4.2.1.x.yml | 5 ++- tasks/section_4/cis_4.2.2.x.yml | 9 ++--- tasks/section_5/cis_5.2.x.yml | 60 +++++++++++---------------------- tasks/section_5/cis_5.3.x.yml | 9 ++--- tasks/section_5/cis_5.6.1.x.yml | 9 ++--- 12 files changed, 41 insertions(+), 76 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 8cf70dc1..f687901e 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -4,7 +4,7 @@ block: - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: yes @@ -29,7 +29,7 @@ block: - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: yes @@ -54,7 +54,7 @@ block: - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: yes diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index ed2872e9..a77e5242 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
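Review bot: The three cis_1.1.1.x.yml `lineinfile` tasks this commit retouches keep `create: yes` beside the renamed `path:`; `yes` is a YAML 1.1 boolean that ansible-lint's truthy rule flags, and a consistency sweep over lineinfile is the natural place to change it to `create: true` (the 1.1.10 hunk on the next line has the same line). A comment on the first task noting that `/etc/modprobe.d/CIS.conf` is created without an explicit `mode:`, so its permissions appear to follow the remote umask, would also be worth adding; the block these tasks belong to starts outside each hunk.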
@@ -21,7 +21,7 @@ block: - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: yes diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 1edc7048..e056ceff 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -17,7 +17,7 @@ - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" lineinfile: - dest: "{{ item.file }}" + path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index ba927e9c..effe8067 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -26,10 +26,9 @@ - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" lineinfile: - dest: /etc/sysconfig/chronyd + path: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" - state: present create: yes mode: 0644 when: diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 00a61efe..6a195ca8 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -285,7 +285,7 @@ - name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" lineinfile: - dest: /etc/postfix/main.cf + path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" notify: restart postfix diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 3484bf66..a9284c51 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -332,7 +332,6 @@ - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" lineinfile: path: /etc/sysconfig/nftables.conf - state: present insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: 
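Review bot: The 2.1.2 chronyd task in the cis_2.1.x.yml hunk now carries `mode: 0644` unquoted: YAML 1.1 reads a leading-zero literal as octal, so Ansible receives the integer 420, and ansible-lint's risky-octal rule rejects the form because a value that loses its leading zero or gains a digit silently changes meaning. Quote it as `mode: "0644"`, and change `create: yes` on the same task to `create: true` as with the other truthy values in this commit. The task's `when:` list continues outside the hunk.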
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index a7e0282a..0eec0b29 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -2,10 +2,9 @@ - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" - state: present notify: restart auditd when: - rhel9cis_rule_4_1_2_1 @@ -19,10 +18,9 @@ - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - state: present notify: restart auditd when: - rhel9cis_rule_4_1_2_2 @@ -36,10 +34,9 @@ - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - state: present notify: restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 6196c80f..7e70a024 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -32,10 +32,9 @@ # This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes - state: present when: - rhel9cis_rule_4_2_1_3 - rhel9cis_preferred_log_capture == "rsyslog" 
@@ -48,7 +47,7 @@ - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: - dest: /etc/rsyslog.conf + path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' notify: restart rsyslog diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 5b59d630..8523066c 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -97,10 +97,9 @@ - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes - state: present when: - rhel9cis_rule_4_2_2_3 tags: @@ -113,10 +112,9 @@ - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent - state: present when: - rhel9cis_rule_4_2_2_4 tags: @@ -130,10 +128,9 @@ # This is counter to control 4.2.1.3?? - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" - state: present notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index d6065071..7234da6e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -83,8 +83,7 @@ block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} validate: sshd -t -f %s 
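Review bot: Every sshd_config edit from the cis_5.2.x.yml `@@ -83` hunk here through the 5.2.20 hunks on the next three lines appends to `/etc/ssh/sshd_config` when its `regexp` does not match, but sshd honours the first value it reads for a keyword, and if the target keeps the stock RHEL 9 `Include /etc/ssh/sshd_config.d/*.conf` at the top of that file, a vendor drop-in that already sets, say, `X11Forwarding` or `UsePAM` wins over the line this role appends and the control is silently not applied. The `dest`→`path` rename does not change that; the role should write its settings into a drop-in that sorts before the vendor files, or at least assert the effective value with `sshd -T` after the change, rather than rely on the main file. A comment on the 5.2.4 block recording this precedence rule would save the next person the same debugging; that block starts outside the hunk.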
@@ -93,8 +92,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} validate: sshd -t -f %s @@ -103,8 +101,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} validate: sshd -t -f %s @@ -113,8 +110,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} validate: sshd -t -f %s @@ -132,8 +128,7 @@ - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -149,8 +144,7 @@ - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s @@ -166,8 +160,7 @@ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -183,8 +176,7 @@ - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s 
@@ -200,8 +192,7 @@ - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -217,8 +208,7 @@ - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s @@ -234,8 +224,7 @@ - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -251,8 +240,7 @@ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s @@ -268,8 +256,7 @@ - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s @@ -300,8 +287,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' when: @@ -316,8 +302,7 @@ - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s 
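Review bot: The 5.2.15 banner task in the `@@ -300` hunk is the only sshd_config edit in this file without `validate: sshd -t -f %s`, so a bad Banner line is written without a syntax check while every neighbouring task protects the daemon from a restart failure. Add `validate: sshd -t -f %s` after `line: 'Banner /etc/issue.net'` so it matches 5.2.16 in the following hunk. The task's `when:` continues outside the hunk.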
@@ -333,8 +318,7 @@ - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s @@ -350,8 +334,7 @@ - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -367,8 +350,7 @@ - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s @@ -386,16 +368,14 @@ block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 9aa864a9..f9dad143 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -16,9 +16,8 @@ - name: "5.3.2 | PATCH | Ensure sudo commands use pty" lineinfile: - dest: /etc/sudoers + path: /etc/sudoers line: "Defaults use_pty" - state: present validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_2 
@@ -32,10 +31,9 @@ - name: "5.3.3 | PATCH | Ensure sudo log file exists" lineinfile: - dest: /etc/sudoers + path: /etc/sudoers regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' - state: present validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_3 @@ -122,8 +120,7 @@ block: - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" lineinfile: - state: present - dest: /etc/pam.d/su + path: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 66090262..c728d90b 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -2,8 +2,7 @@ - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" lineinfile: - state: present - dest: /etc/login.defs + path: /etc/login.defs regexp: '^PASS_MAX_DAYS' line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" when: @@ -18,8 +17,7 @@ - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" lineinfile: - state: present - dest: /etc/login.defs + path: /etc/login.defs regexp: '^PASS_MIN_DAYS' line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" when: @@ -34,8 +32,7 @@ - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" lineinfile: - state: present - dest: /etc/login.defs + path: /etc/login.defs regexp: '^PASS_WARN_AGE' line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" when: From b8bb7912a195c5a48db69e31f63938aa108ea674 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 17:29:57 +0100 Subject: [PATCH 083/454] removed iptables - not valid in rh9 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 18 +--- tasks/section_3/cis_3.4.3.1.x.yml | 59 ----------- tasks/section_3/cis_3.4.3.2.x.yml | 163 ----------------------------- tasks/section_3/cis_3.4.3.3.x.yml | 152 --------------------------- tasks/section_3/main.yml | 14 --- templates/ansible_vars_goss.yml.j2 | 22 +--- 6 files changed, 2 insertions(+), 426 deletions(-) delete mode 100644 tasks/section_3/cis_3.4.3.1.x.yml delete mode 100644 tasks/section_3/cis_3.4.3.2.x.yml delete mode 100644 tasks/section_3/cis_3.4.3.3.x.yml diff --git a/defaults/main.yml b/defaults/main.yml index 21f70b0b..66e8060f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -205,21 +205,7 @@ rhel9cis_rule_3_4_2_8: true rhel9cis_rule_3_4_2_9: true rhel9cis_rule_3_4_2_10: true rhel9cis_rule_3_4_2_11: true -rhel9cis_rule_3_4_3_1_1: true -rhel9cis_rule_3_4_3_1_2: true -rhel9cis_rule_3_4_3_1_3: true -rhel9cis_rule_3_4_3_2_1: true -rhel9cis_rule_3_4_3_2_2: true -rhel9cis_rule_3_4_3_2_3: true -rhel9cis_rule_3_4_3_2_4: true -rhel9cis_rule_3_4_3_2_5: true -rhel9cis_rule_3_4_3_2_6: true -rhel9cis_rule_3_4_3_3_1: true -rhel9cis_rule_3_4_3_3_2: true -rhel9cis_rule_3_4_3_3_3: true -rhel9cis_rule_3_4_3_3_4: true -rhel9cis_rule_3_4_3_3_5: true -rhel9cis_rule_3_4_3_3_6: true + # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -490,8 +476,6 @@ rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true -#### iptables -rhel9cis_iptables_firewalld_state: masked # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml deleted file mode 100644 index 56ce0766..00000000 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- - -- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed" - package: - name: - - iptables - - iptables-services - state: present - when: - - rhel9cis_rule_3_4_3_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.1 - -- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - package: - name: nftables - state: absent - when: - - rhel9cis_rule_3_4_3_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.2 - -# The control allows the service it be masked or not installed -# We have chosen not installed -- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" - block: - - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" - systemd: - name: firewalld - masked: true - state: stopped - when: - - rhel9cis_iptables_firewalld_state == "masked" - - - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" - package: - name: firewalld - state: absent - when: - - rhel9cis_iptables_firewalld_state == "absent" - when: - - rhel9cis_rule_3_4_3_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.3 diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml deleted file mode 100644 index e600ae73..00000000 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- - -- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - when: - - rhel9cis_rule_3_4_3_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.1 - -- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_rule_3_4_3_2_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - iptables - - rule_3.4.3.2.2 - -- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports" - block: - - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports" - shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_3_otcp - - - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules 
exist for all open ports | Get the list of udp open ports" - shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_3_oudp - - - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}" - when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - - - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports" - iptables: - action: append - chain: INPUT - protocol: udp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" - when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - when: - - rhel9cis_rule_3_4_3_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.3 - -- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - - - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_3_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.4 - -- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved" - iptables_state: - state: saved - path: /etc/sysconfig/iptables - when: - - rhel9cis_rule_3_4_3_2_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.5 - -- name: "3.4.3.2.6 | PATCH | Ensure iptables 
service is enabled and active" - service: - name: iptables - enabled: yes - state: started - when: - - rhel9cis_rule_3_4_3_2_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.6 diff --git a/tasks/section_3/cis_3.4.3.3.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml deleted file mode 100644 index 83479db9..00000000 --- a/tasks/section_3/cis_3.4.3.3.x.yml +++ /dev/null 
@@ -1,152 +0,0 @@ ---- - -- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - when: - - rhel9cis_rule_3_4_3_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.1 - -- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_rule_3_4_3_3_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - ip6tables - - rule_3.4.3.3.2 - -- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" - shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: 
false - register: rhel9cis_3_4_3_3_3_otcp - - - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - ip_version: ipv6 - with_items: - - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" - when: rhel9cis_3_4_3_3_3_otcp.stdout is defined - when: - - rhel9cis_rule_3_4_3_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.3 - -- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_3_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.4 - -- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved" - iptables_state: - state: saved - path: /etc/sysconfig/ip6tables - ip_version: ipv6 - when: - - rhel9cis_rule_3_4_3_3_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.5 - -- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active" - service: - name: ip6tables - enabled: yes - state: started - when: - - rhel9cis_rule_3_4_3_3_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.6 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 7c6dc9b9..a263c0b8 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -19,17 +19,3 @@ when: - rhel9cis_firewall == "nftables" -- name: "SECTION | 3.4.3.1.x | Configure iptables" - include_tasks: cis_3.4.3.1.x.yml - when: - - rhel9cis_firewall == "iptables" - -- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4" - include_tasks: cis_3.4.3.2.x.yml - when: - - rhel9cis_firewall == "iptables" - -- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6" - include_tasks: cis_3.4.3.3.x.yml - when: - - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e3ca2243..c779fb20 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -200,25 +200,6 @@ rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} -# 3.4.3.1 Configure iptables -rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }} -rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }} -rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }} -# 3.4.3.2 iptables ipv4 -rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }} -rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }} -rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }} -rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }} -rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }} -rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }} -# 3.4.3.2 iptables ipv6 -rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }} -rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }} -rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }} -rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }} -rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }} -rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }} - # Section 4 rules # 4.1 Configure System Accounting 
@@ -459,8 +440,7 @@ rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} -#### iptables -rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }} + # Section 4 From 9c519482a8955fcabaa560e0b48b317db2bcf253 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Apr 2022 10:04:46 +0100 Subject: [PATCH 084/454] fixed typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 5a901c23..c7800132 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}noexec{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: From 08e48fbe8376c5d1269459f9837d6ab3d330e9c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:38:01 +0100 Subject: [PATCH 085/454] updated grub controls Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- tasks/prelim.yml | 34 ---------------------------------- tasks/section_1/cis_1.4.x.yml | 4 +--- 3 files changed, 2 insertions(+), 38 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index b0f3e7dd..08c80264 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
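Review bot: With the corrected `rhel9cis_rule_1_1_4_4` flag the `opts:` value still ends in a trailing comma whenever the last enabled option is not `nodev` (for example `defaults,noexec,nosuid,` when only 1.1.4.4 is off) and reduces to `defaults,` when all three flags are off, because each conditional carries its own separator. Building the option list and joining it removes the conditional commas: `opts: "{{ (['defaults'] + (['noexec'] if rhel9cis_rule_1_1_4_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_4_3 else []) + (['nodev'] if rhel9cis_rule_1_1_4_4 else [])) | join(',') }}"`. The condition selecting which `ansible_mounts` entry this task rewrites lies outside the hunk.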
@@ -115,7 +115,7 @@ - skip_ansible_lint - name: grub2cfg - shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" + shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false ignore_errors: True diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eb02040d..eb17d008 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -156,40 +156,6 @@ - rule_5.3.4 - rule_5.3.5 -- name: "PRELIM | Set facts based on boot type" - block: - - name: "PRELIM | Check whether machine is UEFI-based" - stat: - path: /sys/firmware/efi - register: rhel_09_efi_boot - - - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - set_fact: - rhel9cis_legacy_boot: true - grub2_path: /etc/grub2.cfg - when: not rhel_09_efi_boot.stat.exists - - - name: "PRELIM | set grub fact | UEFI" - set_fact: - grub2_path: /etc/grub2-efi.cfg - when: rhel_09_efi_boot.stat.exists - when: - - not system_is_container - tags: - - bootloader - - grub - -- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" - stat: - path: "{{ grub2_path }}" - changed_when: false - register: grub_cfg - when: - - not system_is_container - tags: - - bootloader - - grub - - name: "PRELIM | Check for rhnsd service" shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 9eac4eb8..45414cdf 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -25,7 +25,7 @@ block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" file: - path: "{{ grub_cfg.stat.lnk_source }}" + path: /boot/grub2/grub.cfg owner: root group: root mode: 0600 @@ -47,8 +47,6 @@ - item.mount == "/boot/efi" when: - rhel9cis_rule_1_4_2 - - grub_cfg.stat.exists - - grub_cfg.stat.islnk tags: - level1-server - level1-workstation From 4bd971fdcdb98f16323638dc6c042556af013304 Mon Sep 17 00:00:00 2001 
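Review bot: Dropping the `grub_cfg.stat.exists` guard in the `tasks/section_1/cis_1.4.x.yml` hunk at `@@ -47,8 +47,6 @@` leaves the 1.4.2 `file:` task running unconditionally against the hardcoded `/boot/grub2/grub.cfg`, so a host without that file (the deleted prelim block skipped such cases with `not system_is_container`) now fails the play instead of skipping the control. A `stat` of the hardcoded path registered as `grub_cfg` with `when: grub_cfg.stat.exists`, or at least carrying the `not system_is_container` condition over, keeps the control fail-safe. The `grub2cfg` handler in the `handlers/main.yml` hunk keeps `ignore_errors: True`, so a failing `grub2-mkconfig` after a bootloader password or permission change is silently swallowed; registering the result and surfacing a warning would make that visible. The rest of the 1.4.2 task and its `when:` list lie partly outside the hunks.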
From: Mark Bolwell Date: Mon, 11 Apr 2022 17:38:26 +0100 Subject: [PATCH 086/454] selinux updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 53 +++++++++++---------------------- 1 file changed, 18 insertions(+), 35 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 93e2eae7..f917a99a 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -47,8 +47,7 @@ - patch - rule_1.6.1.3 -# State set to enforcing because control 1.6.1.5 requires enforcing to be set -- name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" +- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" 
@@ -56,80 +55,64 @@ when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 - tags: - - level1-server - - level1-workstation - - auotmated - - selinux - - patch - - rule_1.6.1.4 - -- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation - automated - selinux - patch - - rule_1.6.1.5 + - rule_1.6.1.4 -- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" +- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist" block: - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_6_1_6_unconf_services + register: rhelcis_1_6_1_5_unconf_services failed_when: false changed_when: false - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" debug: msg: "Good News! There are no services found on your system" - when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 + when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0 - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" debug: - msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" - when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 + msg: "Warning! 
You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_5 tags: - level1-server - level1-workstation - automated - audit - services - - rule_1.6.1.6 + - rule_1.6.1.5 -- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" +- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed" package: name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_6 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - automated - selinux - patch - - rule_1.6.1.7 + - rule_1.6.1.6 -- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" +- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" package: name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_8 + - rhel9cis_rule_1_6_1_7 tags: - level1-server - level1-workstation - automated - patch - - rule_1.6.1.8 + - rule_1.6.1.7 From 2a421fcea6933f70a2259182f8aba2447d693ad6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:39:13 +0100 Subject: [PATCH 087/454] logrotate changes reflected Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 39 ++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index e8a47808..f82dc9e2 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
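Review bot: The surviving 1.6.1.4 task now carries only the `level2-server`/`level2-workstation` tags inherited from the removed 1.6.1.5 task, so a level-1 run no longer sets any SELinux state in `/etc/selinux/config`, where the old level-1 1.6.1.4 task did; if that is intended a comment above the task should say so, otherwise the level-1 tags belong back. The renumbering also assumes the target benchmark drops the "mode is not disabled" control, which is worth recording in a comment with the benchmark version so the next renumber does not have to guess. The `state:` line of the 1.6.1.4 task sits between the two hunks, outside this one.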
@@ -1,13 +1,42 @@ --- -- name: "4.3 | PATCH | Ensure logrotate is configured" +- name: "4.3.1 | PATCH | Ensure logrotate is installed" + package: + name: rsyslog-logrotate + state: present + when: + - rhel9cis_rule_4_3_1 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_4.3.1 + +- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" + systemd: + name: rsyslog-logrotate + state: started + enabled: true + when: + - rhel9cis_rule_4_3_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_4.3.2 + +- name: "4.3.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + - name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3 | PATCH | Ensure logrotate is configured" + - name: "4.3.3 | PATCH | Ensure logrotate is configured" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' @@ -18,11 +47,11 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_4_3 + - rhel9cis_rule_4_3_3 tags: - level1-server - level1-workstation - manual - patch - logrotate - - rule_4.3 + - rule_4.3.3 From f66d271ceed36d986c2c2b0eb3f82f1f00eba44f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:39:30 +0100 Subject: [PATCH 088/454] controlid updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++-- templates/ansible_vars_goss.yml.j2 | 7 +++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 66e8060f..290bbb61 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -125,7 +125,6 @@ rhel9cis_rule_1_6_1_4: true rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_7: true -rhel9cis_rule_1_6_1_8: true rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_3: true 
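Review bot: The new 4.3.2 task starts and enables `rsyslog-logrotate` through `systemd:`, but that is the package name used in 4.3.1, not a unit; the later hunk in `tasks/section_4/cis_4.3.yml` at `@@ -16,7 +16,7 @@` renames it to `logrotate`, yet on RHEL 9 rotation is driven by `logrotate.timer` while `logrotate.service` is a oneshot, so `state: started` on the service runs a rotation on every play and reports changed each time. Enabling the timer is idempotent and matches the control's intent: `name: logrotate.timer`. The second hunk of this file (`@@ -18,11 +47,11 @@`) only renumbers the rule variable and tags.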
@@ -254,7 +253,9 @@ rhel9cis_rule_4_2_2_5: true rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true -rhel9cis_rule_4_3: true +rhel9cis_rule_4_3_1: true +rhel9cis_rule_4_3_2: true +rhel9cis_rule_4_3_3: true # Section 5 rules rhel9cis_rule_5_1_1: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c779fb20..0947ce3c 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -106,7 +106,6 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} -rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} @@ -258,7 +257,11 @@ rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }} rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }} rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} -rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + +# 4.3 Logrotate +rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} +rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }} +rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }} # Section 5 # Authentication and Authorization From 49ab8c6f9f2e300f1f41ffca922ac82c8848c691 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:40:50 +0100 Subject: [PATCH 089/454] updates for rh9 Signed-off-by: Mark Bolwell --- Changelog.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog.md b/Changelog.md index 03e48788..b120eee4 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -1,5 +1,16 @@ # Changes to rhel9CIS +## 0.2 + +- not all controls work with rhel8 releases any longer + - selinux disabled 1.6.1.4 + - logrotate - 4.3.x +- updated to rhel8cis v2.0 benchamrk requirements +- removed iptables firewall controls (not valid on rhel9) +- added more to logrotate 4.3.x - sure to logrotate now a seperate package +- grub path now standard to /boot/grub2/grub.cfg +- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer + ## 0.1 - change to include statements From a8602689b87523e11a80349c2be79ba77dc8cb93 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 16:58:11 +0100 Subject: [PATCH 090/454] updated issues and added improvements Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- tasks/main.yml | 8 +++++--- tasks/section_1/cis_1.4.x.yml | 2 -- tasks/section_1/cis_1.8.x.yml | 2 +- tasks/section_3/cis_3.4.1.x.yml | 7 +++++-- vars/RedHat.yml | 4 +++- vars/main.yml | 1 + 7 files changed, 18 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 290bbb61..02b04225 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -376,9 +376,9 @@ rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. -rhel9cis_crypto_policy: "FUTURE" +# 1.10 Set crypto policy DEFAULT +# Control 1.10 states not to use LEGACY +rhel9cis_crypto_policy: "DEFAULT" # System network parameters (host only OR host and router) rhel9cis_is_router: false diff --git a/tasks/main.yml b/tasks/main.yml index 8bda2a64..94ab74c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
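Review bot: The replacement comment above `rhel9cis_crypto_policy` only says LEGACY is not permitted, while the `vars/main.yml` hunk in this commit accepts DEFAULT, FUTURE and FIPS, so a reader of the defaults file has no way to learn the accepted values. Suggest `# 1.10 Set crypto policy (DEFAULT, FUTURE or FIPS) - LEGACY is not permitted by control 1.10; validated against rhel9cis_allowed_crypto_policies`. Since this relaxes the shipped default from FUTURE to DEFAULT, the comment should also make clear that the stricter values remain available.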
@@ -50,11 +50,13 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed assert: - that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_rule_1_4_1 + tags: + - always - name: "check sugroup exists if used" block: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 45414cdf..6ac49792 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -10,8 +10,6 @@ notify: grub2cfg when: - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - rhel9cis_rule_1_4_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index e056ceff..a126a0ab 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -91,7 +91,7 @@ - name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" lineinfile: path: /etc/dconf/db/local.d/00-media-automount - regex: "{{ item.regex }}" + regexp: "{{ item.regex }}" line: "{{ item.line }}" create: yes notify: reload dconf diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 7c25ff2a..3518b42c 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
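Review bot: The tightened assertion still only tests for the substring `grub.pbkdf2.sha512` via `.find()`, so a truncated or malformed value such as `grub.pbkdf2.sha512.` passes and is later written into the GRUB configuration, likely producing an entry GRUB cannot verify. A shape check pins the real format (iterations, salt, hash): `that: rhel9cis_bootloader_password_hash is match('^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$')`. This matters more now that the `tasks/section_1/cis_1.4.x.yml` hunk at `@@ -10,8 +10,6 @@` removes the `grub_pass.passhash` guard and relies solely on this assertion; the added `tags: always` is right, since the assertion must also run on tag-filtered plays.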
@@ -21,8 +21,11 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - state: stopped - enabled: false + masked: true + with_items: + - iptables + - ip6tables + when: item in ansible_facts.packages - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d67cedc4..0b1c2cc9 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,4 +1,6 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release +rpm_packager: "Red Hat, Inc" +rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/ diff --git a/vars/main.yml b/vars/main.yml index e68cec00..dbbc71f6 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,5 +3,6 @@ min_ansible_version: 2.10 rhel9cis_allowed_crypto_policies: + - 'DEFAULT' - 'FUTURE' - 'FIPS' From 9a1ab79199dbf53155815ccb5a364528a8586409 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 18:29:53 +0100 Subject: [PATCH 091/454] updated test Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 23583d5d..0023f2dd 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
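Review bot: `when: item in ansible_facts.packages` tests unit names against the package list: `iptables` is also the name of the userspace tools package present on most RHEL hosts, so that unit is masked whether or not `iptables-services` is installed, while `ip6tables` is not a package name and is never masked even when its unit exists. The sibling removal task in this file (visible in the later yamllint hunk of `tasks/section_3/cis_3.4.1.x.yml`) gates on `'iptables-services' in ansible_facts.packages`; using the same condition here, `when: "'iptables-services' in ansible_facts.packages"`, masks both units exactly when the package that ships them is present. Whether the `systemd` module accepts `masked: true` for a unit absent from the host is worth confirming, since the old `state: stopped` form would have failed there. The enclosing block's own `when:` list lies outside the hunk.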
@@ -20,7 +20,8 @@ - skip_ansible_lint # Added as no_log still errors on ansuible-lint - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" + shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" + changed_when: false when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or From 2c9587e666df77f87939538a32550ad1b388b31f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 18:30:43 +0100 Subject: [PATCH 092/454] updated for rh9 only Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 94ab74c7..264120ae 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,7 +3,7 @@ - name: Check OS version and family assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" when: From e807498ed8e2e5d87f234dd441b78c9361a071cf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 18:32:33 +0100 Subject: [PATCH 093/454] updated for correct service name Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index f82dc9e2..2ba5f1f5 100644 --- a/tasks/section_4/cis_4.3.yml 
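Review bot: The new 1.2.2 check only proves that the package owning `{{ rpm_gpg_key }}` was signed by key `{{ rpm_key }}`; it does not confirm that the key is imported into the RPM database, which is what makes `gpgcheck` effective, so a host with the key file present but never imported still passes. A second command such as `rpm -q gpg-pubkey --qf '%{VERSION}\n' | grep -i "{{ rpm_key[-8:] }}"` (the gpg-pubkey version is the low 32 bits of the key id) closes that gap. The `grep` with no `failed_when` makes a mismatch fail the play, which is the right default for an audit of repository trust; the remaining `when:` conditions lie outside the hunk.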
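Review bot: The OS assertion mixes `and`/`or` without parentheses, so it reads as `(distribution != CentOS and os_family == RedHat) or os_family == Rocky`, and Rocky reports `ansible_os_family` as RedHat in my experience, which leaves the `or` branch dead and the intent unclear to the next reader. Writing the grouping explicitly keeps behaviour and documents it: `that: ((ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat') or ansible_os_family == 'Rocky') and ansible_distribution_major_version is version_compare('9', '==')`. The task's `when:` list lies outside the hunk.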
+++ b/tasks/section_4/cis_4.3.yml @@ -16,7 +16,7 @@ - name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" systemd: - name: rsyslog-logrotate + name: logrotate state: started enabled: true when: From 83f0fb30ecaaa0af68a1eda9b0d07b497cb1238f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Apr 2022 12:01:06 +0100 Subject: [PATCH 094/454] updated regex Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a9eaf758..91540ea2 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -90,13 +90,13 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc - regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: 'UMASK 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile - regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: 'UMASK 027' when: - rhel9cis_rule_5_6_5 From 32f5817007691d6c93b7fe210d4a49f8221c1eb2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Apr 2022 12:01:20 +0100 Subject: [PATCH 095/454] added missing test to 3.3.7 Signed-off-by: Mark Bolwell --- templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 19a9fd37..308b914b 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -40,6 +40,7 @@ net.ipv4.icmp_ignore_bogus_error_responses = 1 {% endif %} {% if rhel9cis_rule_3_3_7 %} # CIS 3.3.7 +net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 {% endif %} {% if rhel9cis_rule_3_3_8 %} 
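Review bot: With `(?i)` the regex now also matches the lowercase `umask 022` lines RHEL ships in `/etc/bashrc` and `/etc/profile`, and the unchanged `replace: 'UMASK 027'` then rewrites them as `UMASK 027`, which bash treats as an unknown command, so every login prints an error and no umask is set at all — a regression in the very hardening the control applies. Use a backreference so the original spelling and indentation survive in both tasks: `replace: '\1 027'`. Placing the flag after `^` is also rejected as a global flag not at the start of the expression on Python 3.11+ controllers; move it to the front: `regexp: '(?i)^(\s+UMASK|UMASK)\s0[0-2][0-6]'`.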
From 91600af8894f40690a4f1a9a19f8f8a4766e3642 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Apr 2022 16:01:56 +0100 Subject: [PATCH 096/454] yamllint Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- tasks/section_3/cis_3.4.1.x.yml | 2 +- tasks/section_3/main.yml | 1 - tasks/section_4/cis_4.3.yml | 10 +++++----- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 264120ae..1b240f7d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -55,7 +55,7 @@ when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 - tags: + tags: - always - name: "check sugroup exists if used" diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 3518b42c..caabdb52 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -31,7 +31,7 @@ package: name: iptables-services state: absent - when: + when: when: - rhel9cis_rule_3_4_1_2 - "'iptables-services' in ansible_facts.packages" diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index a263c0b8..6795a67d 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -18,4 +18,3 @@ include_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "nftables" - diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 2ba5f1f5..959fd62c 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -2,8 +2,8 @@ - name: "4.3.1 | PATCH | Ensure logrotate is installed" package: - name: rsyslog-logrotate - state: present + name: rsyslog-logrotate + state: present when: - rhel9cis_rule_4_3_1 tags: @@ -16,9 +16,9 @@ - name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" systemd: - name: logrotate - state: started - enabled: true + name: logrotate + state: started + enabled: true when: - rhel9cis_rule_4_3_2 tags: From 627f6e291d6f4880883d87c6f03d5cbf66029012 Mon Sep 17 00:00:00 2001 
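Review bot: In the `tasks/section_3/cis_3.4.1.x.yml` hunk the trailing-space fix keeps a bare `when:` on the package task immediately before the block-level `when:` list; if that reading of the collapsed hunk is right, the null conditional does nothing and should be removed rather than linted, since a later edit could mistake it for the task's real condition. The other three hunks are whitespace only.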
From: Mark Bolwell Date: Tue, 3 May 2022 10:22:00 +0100 Subject: [PATCH 097/454] updated environment options Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 ++++++ tasks/post_remediation_audit.yml | 3 +++ tasks/pre_remediation_audit.yml | 3 +++ 3 files changed, 12 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 02b04225..b5315a99 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -622,6 +622,12 @@ rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | de # 6.2.9 rhel9cis_dotperm_ansiblemanaged: true #### Goss Configuration Settings #### +# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_run_script_environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_FILE: 'goss.yml' + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + ### Goss binary settings ### goss_version: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index c1c413fb..c36cc3b7 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,6 +2,9 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + Environment: "{{ audit_run_script_environment|default({}) }}" + changed_when: audit_run_post_remediation.rc == 0 + register: audit_run_post_remediation args: warn: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 4fca3c5f..d4d98402 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
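Review bot: The new comment above `audit_run_script_environment` ends in a stray `"` and places an unrendered `{{ benchmark }}` inside a comment; suggest `# Environment passed to run_audit.sh from https://github.com/ansible-lockdown/<benchmark>-Audit (AUDIT_BIN, AUDIT_FILE, AUDIT_CONTENT_LOCATION)`. The dictionary is consumed only by the two audit tasks in this commit, so a pointer to them keeps the key names and the script's expectations in sync.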
@@ -86,6 +86,9 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + Environment: "{{ audit_run_script_environment|default({}) }}" + changed_when: audit_run_pre_remediation.rc == 0 + register: audit_run_pre_remediation args: warn: false From 3fc813361fb66cdf651a73e3c562cb49e44a8465 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 May 2022 16:34:31 +0100 Subject: [PATCH 098/454] fixed typo Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index c36cc3b7..0ab61b2e 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - Environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment|default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation args: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index d4d98402..0111a397 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -86,7 +86,7 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - Environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment|default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation args: From 85afda6413165220eb719b9128ad663ab00a34c2 Mon Sep 17 00:00:00 2001 
From: Adam Lewandowski Date: Thu, 5 May 2022 10:28:41 -0400 Subject: [PATCH 099/454] Add missing variable defaults for 'rhel9cis_pam_faillock' Signed-off-by: Adam Lewandowski --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index b5315a99..248b492a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -582,6 +582,9 @@ rhel9cis_pam_password: minclass: 4 rhel9cis_pam_faillock: + attempts: 5 + unlock_time: 900 + fail_for_root: no remember: 5 # UID settings for interactive users From 62649cb6c50fb19d1f22068cb8a64322122c1d1f Mon Sep 17 00:00:00 2001 From: Adam Lewandowski Date: Fri, 6 May 2022 08:36:15 -0400 Subject: [PATCH 100/454] Updated rhel9cis_pam_faillock defaults to only those needed for RHEL9 Signed-off-by: Adam Lewandowski --- defaults/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 248b492a..608b3c7d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -582,10 +582,8 @@ rhel9cis_pam_password: minclass: 4 rhel9cis_pam_faillock: - attempts: 5 unlock_time: 900 - fail_for_root: no - remember: 5 + deny: 5 # UID settings for interactive users # These are discovered via logins.def if set true From 581eb70b485e7b4cdca7cc36fedd0518d2e8810b Mon Sep 17 00:00:00 2001 From: Adam Lewandowski Date: Fri, 6 May 2022 10:59:53 -0400 Subject: [PATCH 101/454] Restore rhel9cis_pam_faillock.remember, as it is used by rules 5.5.3 and 5.5.4 Signed-off-by: Adam Lewandowski --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 608b3c7d..6dfa4046 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -584,6 +584,7 @@ rhel9cis_pam_password: rhel9cis_pam_faillock: unlock_time: 900 deny: 5 + remember: 5 # UID settings for interactive users # These are discovered via logins.def if set true From b9a3e3d2c6c7ed102d08bd8069ddd8c85224444d Mon Sep 17 00:00:00 2001 
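Review bot: After this hunk `rhel9cis_pam_faillock` defines only `unlock_time` and `deny`, but the 5.5.2 tasks in tasks/section_5/cis_5.5.x.yml (visible on this page in the later patch that deletes them) still interpolate `rhel9cis_pam_faillock.attempts` and `rhel9cis_pam_faillock.fail_for_root`, and the following patch's own message says 5.5.3 and 5.5.4 use `.remember`; at this commit those references resolve to undefined variables. Removing a default together with its consumers, or keeping the old keys until the tasks are updated, avoids the broken intermediate state. A comment tying each key to the rule that consumes it, `# deny / unlock_time -> 5.5.2 faillock.conf; remember -> 5.5.3 / 5.5.4`, would make the coupling visible to the next person editing these defaults.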
From: Adam Lewandowski Date: Mon, 9 May 2022 13:47:12 -0400 Subject: [PATCH 102/454] Fix UMASK hardening Signed-off-by: Adam Lewandowski --- tasks/section_5/cis_5.6.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 91540ea2..0541f9b6 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -91,13 +91,13 @@ replace: path: /etc/bashrc regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' - replace: 'UMASK 027' + replace: '\1 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' - replace: 'UMASK 027' + replace: '\1 027' when: - rhel9cis_rule_5_6_5 tags: From 63c82f8305cf65eb95a26bb4696c8d8b71e0444c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 09:42:31 +0100 Subject: [PATCH 103/454] Removed python 2/3 checks for rh7/8 Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 0111a397..bb9344af 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
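Review bot: The regexp the new `'\1 027'` backreference relies on, `'^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'`, places the global `(?i)` flag after `^`; Python has deprecated inline global flags anywhere but the start of the pattern since 3.6 and rejects them from 3.11 on, so the `replace` module will raise a regex error once the managed host's interpreter is that new. Moving the flag first, `regexp: '(?i)^(\s+UMASK|UMASK)\s0[0-2][0-6]'`, is the same pattern and applies to both the /etc/bashrc and /etc/profile tasks. A why-comment above each `replace:` line, `# \1 keeps the original case/indent of umask so the line stays a valid shell builtin call`, would stop the next maintainer from reverting to the literal `UMASK 027`, which is not a command bash recognises. The pattern only matches three-digit values 000-026, so a `umask 0022` or `umask 22` form is left untouched; whether those forms occur in the shipped files is not shown here. The /etc/bashrc task starts before the hunk.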
@@ -13,27 +13,11 @@ state: directory mode: '0755' -- name: Pre Audit | If using git for content set up - block: - - name: Pre Audit | Install git (rh8 python3) - package: - name: git - state: present - when: ansible_distribution_major_version == 8 - - - name: Pre Audit | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == 7 - - - name: Pre Audit | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit | retrieve audit content files from git + git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - audit_content == 'git' From 5ce4b873d7232570b630cbdf77b45aa5cfbc9e21 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 09:57:33 +0100 Subject: [PATCH 104/454] removed rh8 checks Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 28 +--------------------------- 1 file changed, 1 insertion(+), 27 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 9b4c7d33..d16d91f6 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
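Review bot: The remaining `git:` task clones `audit_file_git` at `audit_git_version` into `audit_conf_dir`, and the pre/post audit tasks elsewhere on this page execute `run_audit.sh` from that directory, so whatever that ref resolves to runs with the play's privileges on every host; `audit_git_version` should therefore be a release tag or commit rather than a moving branch, and its default is not visible here. A comment above the task would make the dependency explicit: `# Content cloned here is executed by run_audit.sh - pin audit_git_version to a release tag or commit`. With the install steps removed, nothing in this file ensures the git package is present before the module runs; a later patch on this page adds an install to tasks/LE_audit_setup.yml, but the ordering between the two files is not visible.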
@@ -32,32 +32,7 @@ - patch - rule_5.5.1 -- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" - block: - - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" - lineinfile: - path: /etc/pam.d/{{ item }} - regexp: '^auth\s*required\s*pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - - - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" - lineinfile: - path: /etc/pam.d/{{ item }} - regexp: '^auth\s*required\s*pam_faillock.so authfail' - line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: - - ansible_distribution_version <= "8.1" - - rhel9cis_rule_5_5_2 - -- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " +- name: "5.5.2 | PATCH | Ensure system accounts are secured" lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" @@ -66,7 +41,6 @@ - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } when: - - ansible_distribution_version >= "8.2" - rhel9cis_rule_5_5_2 - name: "5.5.3 | PATCH | Ensure password reuse is limited" From 9368c1e17e89920044610059e3b9596ac0f21c72 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 09:57:44 +0100 Subject: [PATCH 105/454] updated for rh9 
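Review bot: With the RHEL8 version guard gone, the lineinfile task writing /etc/security/faillock.conf is the only 5.5.2 path, and its regexps match only values that are already compliant: `^\s*deny\s*=\s*[1-5]\b` matches deny 1-5 and rewrites them to 5 (loosening a site that chose 3), while a non-compliant `deny = 10` is left in place and a second `deny = 5` line is appended; the `unlock_time` pattern matches 0 and values of 900 or more and rewrites them to 900, leaving e.g. `unlock_time = 300` untouched. Matching on the key alone and taking the value from the defaults this series adds, `- { regexp: '^\s*deny\s*=', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }` and the same for `unlock_time`, makes the task enforce the policy instead of echoing it. Which of two duplicate entries pam_faillock honours is not settled by this hunk, so the role can report success while the effective lockout differs from the intended one. The task begins inside the first hunk and its remaining parameters sit between the two hunks.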
Signed-off-by: Mark Bolwell --- tasks/check_prereqs.yml | 40 +++++----------------------------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 36f19993..abe6248e 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,38 +1,8 @@ --- -- name: "PREREQ | Add the required packages | Python 3" - block: - - name: Check if python36-rpm package installed - shell: rpm -q python36-rpm - args: - warn: false - failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) - changed_when: false - register: python36_rpm_present - - - name: Add the EPEL repository required for the python36-rpm pkg - package: - name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - state: present - register: epel_installed - when: - - python36_rpm_present.rc != '0' - - - name: "PREREQ | Check required packages installed | Python3 " - package: - name: "{{ item }}" - state: present - register: python3reqs_installed - loop: - - python36-rpm - - libselinux-python3 - - - name: Disable Epel repo if installed earlier - shell: yum-config-manager disable epel - args: - warn: false - when: epel_installed.changed +- name: "PREREQ | If required install libselinux package to manage file changes." + package: + name: libselinux-python3 + state: present when: - - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) - vars: - ansible_python_interpreter: "{{ python2_bin }}" + - '"libselinux-python3" not in ansible_facts.packages' From cbb5ff7cc26078308012d0749105f73403a97c65 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 11:19:33 +0100 Subject: [PATCH 106/454] Added git install to step Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 61a4cdf1..e4cac492 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
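Review bot: The new condition `'"libselinux-python3" not in ansible_facts.packages'` depends on `ansible_facts.packages`, which only exists once the `package_facts` module has run; if check_prereqs.yml executes before that collection, the task fails on an undefined attribute instead of installing the package. The git install added to tasks/LE_audit_setup.yml in a later patch on this page uses the same pattern. If package facts are gathered earlier in the role, a comment naming that dependency is enough, `# requires package_facts to have run (ansible_facts.packages)`; otherwise `ansible_facts.packages | default({})` or simply dropping the condition (the `package` module is idempotent for `state: present`) avoids the hard failure.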
@@ -20,3 +20,11 @@ group: root when: - get_goss_file == 'copy' + +- name: install git if not present + package: + name: git + state: present + register: git_installed + when: + - '"git" not in ansible_facts.packages' From 2ecc61649e6bc457dc874d57aa1d3fb215f304b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 11:19:50 +0100 Subject: [PATCH 107/454] Std Warning msg Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 69783ab0..c0f6be87 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -77,7 +77,7 @@ - name: POST | Warning a reboot required but skip option set debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + msg: "Warning! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - change_requires_reboot diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index bb189930..a50797d7 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -2,7 +2,7 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" debug: - msg: "WARNING!! /tmp is not mounted on a separate partition" + msg: "Warning! /tmp is not mounted on a separate partition" when: - rhel9cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 0023f2dd..960815f4 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -74,7 +74,7 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - - "Alert! Below are the configured repos. Please review and make sure all align with site policy" + - "Warning! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - rhel9cis_rule_1_2_4 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 5db134ea..e17ab764 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -12,7 +12,7 @@ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - - "Alert! Below are the list of services, both active and inactive" + - "Warning! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" when: diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 8523066c..96606706 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -83,7 +83,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" debug: msg: - - "ALERT! The status of systemd-journald should be static and it is not. Please investigate" + - "Warning! The status of systemd-journald should be static and it is not. Please investigate" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 
@@ -190,7 +190,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" debug: msg: - - "Alert! Below are the current default settings for journald, please confirm they align with your site policies" + - "Warning! Below are the current default settings for journald, please confirm they align with your site policies" # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" when: From 93e3f7bf463e02f3b4ba23b209e44c2a2ece7444 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 11:20:12 +0100 Subject: [PATCH 108/454] conditional and warning msg std Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 096a3106..a1558db9 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -29,12 +29,12 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: - msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0 when: - rhel9cis_rule_6_2_2 tags: @@ -57,12 +57,12 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout is not defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: - msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout is defined + msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0 when: - rhel9cis_rule_6_2_3 tags: 
@@ -85,12 +85,12 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout is not defined + when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: - msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout is defined + msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout | length > 0 when: - rhel9cis_rule_6_2_4 tags: @@ -113,12 +113,12 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout is not defined + when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: - msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout is defined + msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout | length > 0 when: - rhel9cis_rule_6_2_5 tags: 
@@ -142,12 +142,12 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout is defined + when: rhel9cis_6_2_6_group_group_check.stdout | length == 0 - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: - msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined + msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout | length > 0 when: - rhel9cis_rule_6_2_6 tags: From 2c4718fb75729889da8ac3f310194f685895ed4a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Jun 2022 10:07:19 +0100 Subject: [PATCH 109/454] fix title Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index a1558db9..31dafa81 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -189,7 +189,7 @@ - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" - - name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" + - name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner" file: > path='{{ item }}' follow=yes 
@@ -230,7 +230,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -315,7 +315,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" From 2090cc4a45d84488225e7a29ebfc1a7f621909f1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Jun 2022 10:07:26 +0100 Subject: [PATCH 110/454] not required file Signed-off-by: Mark Bolwell --- tasks/audit_homedirperms.yml | 46 ------------------------------------ 1 file changed, 46 deletions(-) delete mode 100644 tasks/audit_homedirperms.yml diff --git a/tasks/audit_homedirperms.yml b/tasks/audit_homedirperms.yml deleted file mode 100644 index 596fed5a..00000000 --- a/tasks/audit_homedirperms.yml +++ /dev/null 
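Review bot: Replacing `selectattr('uid', '!=', 65534)` with `selectattr('uid', '<', max_int_uid | int)` changes which home directories 6.2.9 and 6.2.11 inspect: the `nobody` account (UID 65534, whose home on RHEL is typically `/`) is now excluded only when `max_int_uid` resolves below 65534, and that value is read from login.defs or set by the user, which this hunk does not show. Because 6.2.9 runs `find -H <dir> -not -type l -perm /027` over each listed directory, a `max_int_uid` above 65534 would turn that into a walk of the whole filesystem; keeping the explicit `!= 65534` filter next to the upper bound, or recording the assumption `# max_int_uid is expected to stay below 65534 so nobody's home is never scanned`, guards against it. `max_int_uid` also needs to be defined wherever `min_int_uid` is. The commit title "fix title" does not mention this filter change.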
@@ -1,46 +0,0 @@ ---- -- name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - find: - paths: - - "{{ homedir }}" - recurse: true - file_type: any - register: rhel_09_6_2_8_results - when: - - rhel9cis_rule_6_2_8|bool - tags: - - level1 - - patch - - rule_6.2.8 - -- name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - file: - path: "{{ line_item.path }}" - mode: 0640 - loop: "{{ rhel_09_6_2_8_results.files }}" - loop_control: - label: "{{ line_item.path }}" - loop_var: line_item - when: - - rhel_09_6_2_8_results.files.isreg is defined - - rhel9cis_rule_6_2_8|bool - tags: - - level1 - - patch - - rule_6.2.8 - -- name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - file: - path: "{{ line_item.path }}" - mode: 0750 - loop: "{{ rhel_09_6_2_8_results.files }}" - loop_control: - label: "{{ line_item.path }}" - loop_var: line_item - when: - - rhel_09_6_2_8_results.files.isdir is defined - - rhel9cis_rule_6_2_8|bool - tags: - - level1 - - patch - - rule_6.2.8 From a8446b989b53156d9e62820f1bbb105f4d915944 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Jun 2022 10:23:18 +0100 Subject: [PATCH 111/454] added latest rhel9 image Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 99064fbd..5baddfc5 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -1,8 +1,8 @@ #Ami Rocky 85 -ami_id = "ami-043ceee68871e0bb5" -ami_os = "rocky8" -ami_username = "rocky" -ami_user_home = "/home/rocky" +ami_id = "ami-0c41531b8d18cc72b" +ami_os = "rhel9" +ami_username = "ec2-user" +ami_user_home = "/home/ec2-user" instance_tags = { Name = "RHEL9-CIS" Environment = "lockdown_github_repo_workflow" From fdb3eb62862f3aba5fccbdf753d8049bf52d3a31 Mon Sep 17 00:00:00 2001 
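Review bot: The leading comment `#Ami Rocky 85` is now wrong for the values under it, which select a RHEL 9 image and the `ec2-user` login; `# AMI: RHEL 9 - <image name / owner the ID was taken from>` (placeholder) would let a reviewer verify the image source, since an `ami-...` ID is opaque and region-specific. Recording the source also matters because this image is what the role is hardened and audited against in CI. The `instance_tags` block continues past the hunk.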
From: Mark Bolwell Date: Tue, 7 Jun 2022 12:01:30 +0100 Subject: [PATCH 112/454] terraform format Signed-off-by: Mark Bolwell --- .github/workflows/github_networks.tf | 4 +- .github/workflows/github_vars.tfvars | 2 +- .github/workflows/main.tf | 10 +- .github/workflows/terraform.tfstate | 8 + .github/workflows/terraform.tfstate.backup | 370 +++++++++++++++++++++ .github/workflows/variables.tf | 2 +- 6 files changed, 387 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/terraform.tfstate create mode 100644 .github/workflows/terraform.tfstate.backup diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index d5a0db02..4db9025a 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf @@ -1,11 +1,11 @@ resource "aws_vpc" "Main" { cidr_block = var.main_vpc_cidr - tags = var.instance_tags + tags = var.instance_tags } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { - Name = "${var.namespace}-IGW" + Name = "${var.namespace}-IGW" } } diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 38be3edc..4d40f72a 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -3,7 +3,7 @@ // Declared in variables.tf // -namespace = "github_actions" +namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 9ad9240b..29fd6f30 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -28,7 +28,7 @@ resource "aws_security_group" "github_actions" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } - + ingress { from_port = 80 to_port = 80 @@ -44,7 +44,7 @@ resource "aws_security_group" "github_actions" { } tags = { Name = "${var.namespace}-SG" - } + } } // instance setup 
@@ -57,16 +57,16 @@ resource "aws_instance" "testing_vm" { tags = var.instance_tags vpc_security_group_ids = [aws_security_group.github_actions.id] root_block_device { - delete_on_termination = true + delete_on_termination = true } } // generate inventory file resource "local_file" "inventory" { - filename = "./hosts.yml" + filename = "./hosts.yml" directory_permission = "0755" file_permission = "0644" - content = < Date: Wed, 8 Jun 2022 12:31:29 +0100 Subject: [PATCH 113/454] updted syslog logic for audit Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 0947ce3c..6654addf 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -448,7 +448,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 ## syslog -rhel9_cis_rsyslog: {{ rhel9cis_syslog }} +rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }} # Section 5 ## 5.2.4 Note the following to understand precedence and layout From 193fded908b508939532cee83f238ed4da0b4960 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Jun 2022 17:04:43 +0100 Subject: [PATCH 114/454] removed tfstate files Signed-off-by: Mark Bolwell --- .github/workflows/terraform.tfstate | 8 - .github/workflows/terraform.tfstate.backup | 370 --------------------- 2 files changed, 378 deletions(-) delete mode 100644 .github/workflows/terraform.tfstate delete mode 100644 .github/workflows/terraform.tfstate.backup diff --git a/.github/workflows/terraform.tfstate b/.github/workflows/terraform.tfstate deleted file mode 100644 index 6a8982d1..00000000 --- a/.github/workflows/terraform.tfstate +++ /dev/null @@ -1,8 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 15, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [] -} 
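Review bot: `rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }}` expands the variable unquoted in the rendered goss vars file, so an empty or boolean-looking value becomes null or a boolean rather than the string the audit presumably compares; `rhel9cis_syslog: "{{ rhel9cis_preferred_log_capture }}"` is the safer form for a templated scalar. The key is renamed from `rhel9_cis_rsyslog` at the same time as its source variable changes, so the goss content that reads it must have been updated in step; that consumer lives in the audit repository cloned by pre_remediation_audit.yml and is not visible here.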
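Review bot: Deleting terraform.tfstate and its backup from the tree does not remove them from history: the backup state further down this page records the AWS account ID, instance and security-group IDs and a public IP, all still retrievable from the earlier patch that added them. Alongside this removal the repository's `.gitignore` should list `*.tfstate` and `*.tfstate.backup`, and a remote backend with locking would keep state out of the checkout entirely. The same recorded state shows the test instance launched with `"http_tokens": "optional"` and `"encrypted": false` on the root volume, which points at `metadata_options { http_tokens = "required" }` and `root_block_device { encrypted = true }` being absent from the `aws_instance` in main.tf.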
diff --git a/.github/workflows/terraform.tfstate.backup b/.github/workflows/terraform.tfstate.backup deleted file mode 100644 index ffbb4b0a..00000000 --- a/.github/workflows/terraform.tfstate.backup +++ /dev/null 
@@ -1,370 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 7, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [ - { - "mode": "data", - "type": "aws_vpc", - "name": "default", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-05ef27c517862c3b1", - "cidr_block": "172.31.0.0/16", - "cidr_block_associations": [ - { - "association_id": "vpc-cidr-assoc-0a0f361027d9f91f3", - "cidr_block": "172.31.0.0/16", - "state": "associated" - } - ], - "default": true, - "dhcp_options_id": "dopt-c5dfccbe", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "filter": null, - "id": "vpc-05ef27c517862c3b1", - "instance_tenancy": "default", - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "main_route_table_id": "rtb-0a40eb856c7d79f1d", - "owner_id": "817651307868", - "state": null, - "tags": { - "Name": "Default VPC" - } - }, - "sensitive_attributes": [] - } - ] - }, - { - "mode": "managed", - "type": "aws_instance", - "name": "testing_vm", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "ami": "ami-0c41531b8d18cc72b", - "arn": "arn:aws:ec2:us-east-1:817651307868:instance/i-0d997714170ce8898", - "associate_public_ip_address": true, - "availability_zone": "us-east-1a", - "capacity_reservation_specification": [ - { - "capacity_reservation_preference": "open", - "capacity_reservation_target": [] - } - ], - "cpu_core_count": 1, - "cpu_threads_per_core": 2, - "credit_specification": [ - { - "cpu_credits": "unlimited" - } - ], - "disable_api_termination": false, - "ebs_block_device": [], - "ebs_optimized": false, - "enclave_options": [ - { - "enabled": false - } - ], - "ephemeral_block_device": [], - "get_password_data": false, - "hibernation": false, - "host_id": null, - "iam_instance_profile": "", - 
"id": "i-0d997714170ce8898", - "instance_initiated_shutdown_behavior": "stop", - "instance_state": "running", - "instance_type": "t3.micro", - "ipv6_address_count": 0, - "ipv6_addresses": [], - "key_name": "github_actions", - "launch_template": [], - "maintenance_options": [ - { - "auto_recovery": "default" - } - ], - "metadata_options": [ - { - "http_endpoint": "enabled", - "http_put_response_hop_limit": 1, - "http_tokens": "optional", - "instance_metadata_tags": "disabled" - } - ], - "monitoring": false, - "network_interface": [], - "outpost_arn": "", - "password_data": "", - "placement_group": "", - "placement_partition_number": null, - "primary_network_interface_id": "eni-0417127dc77918518", - "private_dns": "ip-172-31-8-170.ec2.internal", - "private_ip": "172.31.8.170", - "public_dns": "ec2-3-238-53-150.compute-1.amazonaws.com", - "public_ip": "3.238.53.150", - "root_block_device": [ - { - "delete_on_termination": true, - "device_name": "/dev/sda1", - "encrypted": false, - "iops": 100, - "kms_key_id": "", - "tags": null, - "throughput": 0, - "volume_id": "vol-0392840b878024a68", - "volume_size": 10, - "volume_type": "gp2" - } - ], - "secondary_private_ips": [], - "security_groups": [ - "github_actions-5eb7d7f8d9c46a1c" - ], - "source_dest_check": true, - "subnet_id": "subnet-0ad8888b9fd53204f", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tenancy": "default", - "timeouts": null, - "user_data": null, - "user_data_base64": null, - "user_data_replace_on_change": false, - "volume_tags": null, - "vpc_security_group_ids": [ - "sg-054e3f94c98fc64f2" - ] - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMCwidXBkYXRlIjo2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==", - "dependencies": [ - 
"aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_internet_gateway", - "name": "IGW", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:internet-gateway/igw-0ef39abda6f14481d", - "id": "igw-0ef39abda6f14481d", - "owner_id": "817651307868", - "tags": { - "Name": "github_actions-IGW" - }, - "tags_all": { - "Name": "github_actions-IGW" - }, - "vpc_id": "vpc-068452c798d98b17f" - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_vpc.Main" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_security_group", - "name": "github_actions", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:security-group/sg-054e3f94c98fc64f2", - "description": "Managed by Terraform", - "egress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 0, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "-1", - "security_groups": [], - "self": false, - "to_port": 0 - } - ], - "id": "sg-054e3f94c98fc64f2", - "ingress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 22, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 22 - }, - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 80, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 80 - } - ], - "name": "github_actions-5eb7d7f8d9c46a1c", - "name_prefix": "", - "owner_id": "817651307868", - "revoke_rules_on_delete": false, - "tags": { - "Name": "github_actions-SG" - }, - "tags_all": { - "Name": "github_actions-SG" - }, - 
"timeouts": null, - "vpc_id": "vpc-05ef27c517862c3b1" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=", - "dependencies": [ - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_vpc", - "name": "Main", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-068452c798d98b17f", - "assign_generated_ipv6_cidr_block": false, - "cidr_block": "172.22.0.0/24", - "default_network_acl_id": "acl-08a831aefd0ff6f65", - "default_route_table_id": "rtb-09ae50e860e80fb1f", - "default_security_group_id": "sg-01ff3ec71f0cd3115", - "dhcp_options_id": "dopt-c5dfccbe", - "enable_classiclink": false, - "enable_classiclink_dns_support": false, - "enable_dns_hostnames": false, - "enable_dns_support": true, - "id": "vpc-068452c798d98b17f", - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "ipv6_cidr_block_network_border_group": "", - "ipv6_ipam_pool_id": "", - "ipv6_netmask_length": 0, - "main_route_table_id": "rtb-09ae50e860e80fb1f", - "owner_id": "817651307868", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - } - }, - "sensitive_attributes": [], - "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" - } - ] - }, - { - "mode": "managed", - "type": "local_file", - "name": "inventory", - "provider": "provider[\"registry.terraform.io/hashicorp/local\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "content": " # benchmark host\n all:\n hosts:\n rhel9:\n ansible_host: 3.238.53.150\n ansible_user: ec2-user\n vars:\n setup_audit: true\n 
run_audit: true\n system_is_ec2: true\n audit_git_version: devel\n", - "content_base64": null, - "directory_permission": "0755", - "file_permission": "0644", - "filename": "./hosts.yml", - "id": "697bfe9ff397a4b5e3f46caf3c48481a3d485375", - "sensitive_content": null, - "source": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_instance.testing_vm", - "aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "random_id", - "name": "server", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "b64_std": "XrfX+NnEahw=", - "b64_url": "XrfX-NnEahw", - "byte_length": 8, - "dec": "6825161224108665372", - "hex": "5eb7d7f8d9c46a1c", - "id": "XrfX-NnEahw", - "keepers": { - "ami_id": "ami-0c41531b8d18cc72b" - }, - "prefix": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==" - } - ] - } - ] -} From 70942f45ea7cd97f73c5231e75b8492a245b06a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Jun 2022 17:05:20 +0100 Subject: [PATCH 115/454] updated to use almalinux image Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 5baddfc5..f9dc5280 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -1,5 +1,5 @@ #Ami Rocky 85 -ami_id = "ami-0c41531b8d18cc72b" +ami_id = "ami-0d824d9c499f27c8a" ami_os = "rhel9" ami_username = "ec2-user" ami_user_home = "/home/ec2-user" From c0c24ec8efc17cea0ab9aba16c88c000307ea0db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 17 Jun 2022 11:23:44 +0100 Subject: [PATCH 116/454] improved test with idempotency Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
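Review bot: The `#Ami Rocky 85` comment on the context line above the changed `ami_id` is now stale, since the commit message says the new image is AlmaLinux; update it to name the image actually referenced, e.g. `# AMI: AlmaLinux image used for the CI instance (see ami_os below)`. Recording the image name or publisher next to a bare AMI ID is also the only way a later reviewer can re-verify which published image the workflow boots, since the ID alone carries no such information.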
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index caabdb52..cef70de8 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -83,10 +83,20 @@ - patch - firewalld - rule_3_4_1_4 - - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + block: + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" + shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" + changed_when: false + failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) + register: firewalld_zone_set + + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - firewalld_zone_set.rc != 0 when: + - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_5 tags: - level1-server From 91da6ffaa245d0be1f5c78d6924c86769c9d4f0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 17 Jun 2022 11:23:57 +0100 Subject: [PATCH 117/454] updated testing Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index c728d90b..d8ea2143 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -59,7 +59,7 @@ when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: no register: rhel_8_5_6_1_4_user_list From fb1c6e923268e7a9306c6cce313d635c6ed405e1 Mon Sep 17 00:00:00 2001 
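Review bot: The new audit step in 3.4.1.5 tests the default zone with `grep {{ rhel9cis_default_zone }}` on a shell pipeline, which is a substring match (a configured zone name that is a prefix of the current zone still reports as set) and interpolates the variable into the shell line unquoted. Comparing the command output directly avoids both: use `command: firewall-cmd --get-default-zone` with `changed_when: false` and `register: firewalld_zone_set`, drop the `failed_when`, and gate the patch step with `when: firewalld_zone_set.stdout != rhel9cis_default_zone`. The second task actually applies the change but is still named `AUDIT`; it should read `PATCH` so the naming matches the rest of the role.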
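Review bot: The replacement awk pattern in 5.6.1.4 hard-codes the 30-day threshold inside the alternation `(\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+)` for the seventh shadow field, so if the role exposes the inactive-lock period as a variable this audit will silently drift from it. A comment above the line would make the expression maintainable, e.g. `# select unlocked accounts (password field not starting with ! or *) whose inactive field is empty, -1, or greater than 30 days`. The old `egrep` line only matched unlocked accounts, so the new pattern also changes what the later tasks receive; that is presumably intended but worth stating in the comment.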
From: Mark Bolwell Date: Fri, 17 Jun 2022 11:24:14 +0100 Subject: [PATCH 118/454] added libselinux requirement Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eb17d008..53b1350a 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -82,6 +82,14 @@ - level1-server - level1-workstation +- name: "PRELIM | Ensure python3-libselinux is installed" + package: + name: python3-libselinux + state: present + become: true + when: + - '"python3-libselinux" not in ansible_facts.packages' + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" package: name: audit From 33ebfea653915a12acf75eb8a564d17fe592ca30 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:03:18 +0100 Subject: [PATCH 119/454] sysctl control improvements Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 11 +-- tasks/section_3/cis_3.1.x.yml | 14 ++-- tasks/section_3/cis_3.2.x.yml | 34 +++++---- tasks/section_3/cis_3.3.x.yml | 131 +++++++++++++++++++++------------- 4 files changed, 118 insertions(+), 72 deletions(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 6573e518..031ba5c8 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -32,10 +32,13 @@ - rule_1.5.2 - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - notify: - - update sysctl + block: + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + set_fact: + sysctl_update: true + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" when: - rhel9cis_rule_1_5_3 tags: 
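Review bot: The new prelim task's guard `'"python3-libselinux" not in ansible_facts.packages'` depends on `ansible_facts.packages` already being populated by a `package_facts` task; if that runs later in prelim.yml or is skipped by tags, this task fails on an undefined variable rather than simply installing the package. Since `package: state: present` is already idempotent, the guard can be dropped, or made safe with `- ansible_facts.packages is not defined or "python3-libselinux" not in ansible_facts.packages`. Only this task carries `become: true`; if the play already escalates, the line is redundant, and if it does not, the sibling `package` task below also needs it.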
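Review bot: The 1.5.3 debug message still says `Control being set via Handler 'update sysctl'`, but this commit removes the `notify` and the `update sysctl` handler itself is deleted in handlers/main.yml later on this page (PATCH 123), so the message names a mechanism that no longer exists; presumably a task keyed on `sysctl_update` now writes the file, and the message should say that, e.g. `msg: "Control is written by the sysctl template task when sysctl_update is true (/etc/sysctl.d/60-kernel_sysctl.conf)"`. The same stale wording appears in every hunk of cis_3.1.x.yml, cis_3.2.x.yml and cis_3.3.x.yml below. Note also that `set_fact` always reports `ok`, so these controls will no longer show as changed in the play recap as the old `notify` path did.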
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index db3c0fd6..bb6d09c1 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -3,11 +3,15 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - notify: - - update sysctl - - sysctl flush ipv6 route table + block: + - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + set_fact: + sysctl_update: true + flush_ipv6_route: true + + - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 46295ec4..36a46282 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
@@ -2,19 +2,22 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - block: + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" + set_fact: + flush_ipv6_route: true - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv6 route table + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + when: rhel9cis_ipv6_required when: - not rhel9cis_is_router @@ -28,11 +31,14 @@ - rule_3.2.1 - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + block: + - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - not rhel9cis_is_router - rhel9cis_rule_3_2_2 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 139ca659..42cd4fb1 100644 --- a/tasks/section_3/cis_3.3.x.yml 
+++ b/tasks/section_3/cis_3.3.x.yml @@ -2,19 +2,23 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - block: + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 
@@ -27,19 +31,23 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - block: + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_2 @@ -51,9 +59,14 @@ - rule_3.3.2 - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_3 tags: 
@@ -64,9 +77,14 @@ - rule_3.3.3 - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_4 tags: @@ -77,9 +95,14 @@ - rule_3.3.4 - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_5 tags: @@ -90,9 +113,15 @@ - rule_3.3.5 - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + + - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_6 tags: 
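Review bot: The added 3.3.5 debug task is missing its opening quote: `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"` parses as a plain scalar with a stray trailing `"` in the task name, and any tooling that matches on the quoted name form will miss it. It should read `- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"` like its siblings in the 3.3.4 and 3.3.6 hunks.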
@@ -103,9 +132,14 @@ - rule_3.3.6 - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_7 tags: @@ -116,9 +150,14 @@ - rule_3.3.7 - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_8 tags: 
@@ -130,20 +169,14 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" + set_fact: + sysctl_update: true + flush_ipv6_route: true - - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - rhel9cis_rule_3_3_9 From b0e038bd453b5a6d5a5c3b0f4b03a01dbf2ce394 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:03:45 +0100 Subject: [PATCH 120/454] container var usage improvement Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index f687901e..d0a9eaa5 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -14,7 +14,7 @@ modprobe: name: cramfs state: absent - when: ansible_connection != 'docker' + when: not system_is_container when: - rhel9cis_rule_1_1_1_1 tags: @@ -39,7 +39,7 @@ modprobe: name: squashfs state: absent - when: ansible_connection != 'docker' + when: not system_is_container when: - rhel9cis_rule_1_1_1_2 tags: @@ -64,7 +64,7 @@ modprobe: name: udf state: absent - when: ansible_connection != 'docker' + when: not system_is_container when: - rhel9cis_rule_1_1_1_3 tags: From c3c668bb8eca2df8ef52f9dcca00be943a9960fb Mon Sep 17 00:00:00 2001 
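Review bot: In the 3.3.9 hunk the surviving debug message points at `/etc/sysctl.d/60-netipv6_sysctl` without the `.conf` suffix, while every other task on this page names `60-netipv6_sysctl.conf`; the commit touches the surrounding lines but leaves this inconsistency in place, so `msg: "... /etc/sysctl.d/60-netipv6_sysctl.conf"` should be corrected here. The set_fact in this hunk sets `flush_ipv6_route` only, which is consistent with the outer `when: rhel9cis_ipv6_required`.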
From: Mark Bolwell Date: Mon, 20 Jun 2022 17:04:44 +0100 Subject: [PATCH 121/454] crypto idempotency Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 7234da6e..73b804f3 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -271,10 +271,21 @@ - rule_5.2.13 - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: no - notify: restart sshd + block: + - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" + shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + args: + warn: no + changed_when: false + failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) + register: ssh_crypto_discovery + + - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" + shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + args: + warn: no + notify: restart sshd + when: ssh_crypto_discovery.stdout | length > 0 when: - rhel9cis_rule_5_2_14 tags: From d2684c1e9d060229d0ce01d352edea41291396dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:05:23 +0100 Subject: [PATCH 122/454] auditd, sysctl vars goss version update Signed-off-by: Mark Bolwell --- defaults/main.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6dfa4046..2a5a4908 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -460,6 +460,11 @@ rhel9cis_tftp_client: false ## Section3 vars +## Sysctl +sysctl_update: false +flush_ipv4_route: false +flush_ipv6_route: false + ### Firewall Service - either firewalld, iptables, or nftables #### Some control allow for services to be removed or masked #### The options are under each heading 
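Review bot: The new 5.2.14 audit step and the patch step disagree on what they match: `grep -i '^\s*CRYPTO_POLICY='` is case-insensitive and requires no space before `=`, while the sed pattern `^\s*(CRYPTO_POLICY\s*=.*)$` is case-sensitive and tolerates whitespace. A lowercase `crypto_policy=` line therefore makes the audit report a hit that sed never rewrites, so the task reports changed on every run, and `CRYPTO_POLICY = x` is missed entirely. Aligning the audit line, `shell: grep -E '^\s*CRYPTO_POLICY\s*=' /etc/sysconfig/sshd`, fixes both; `args: warn: no` has been removed from the shell module in newer ansible-core, so it is worth confirming the supported version before keeping it.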
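Review bot: The new defaults `sysctl_update`, `flush_ipv4_route` and `flush_ipv6_route` (and `update_audit_template` in the next hunk) are the only role variables here without the `rhel9cis_` prefix, and they are later raised at play scope via `set_fact`, so an unrelated role in the same play using the same generic names would collide. Either prefix them or add a comment above the block, e.g. `## Internal flags set via set_fact by the sysctl controls; not intended for user override`, so readers know they are not configuration inputs.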
@@ -498,6 +503,9 @@ rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 +### 4.1.3.x audit template +update_audit_template: false + ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 @@ -633,8 +641,8 @@ audit_run_script_environment: ### Goss binary settings ### goss_version: - release: v0.3.16 - checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb' + release: v0.3.18 + checksum: 'sha256:432308ebca0caf8165d45bd27e3262126aad9d15572ac8cb3149b3c91f75aace' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 02c843f11067e516476bbab77c40eddeedfc3385 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:05:59 +0100 Subject: [PATCH 123/454] sysctl improvements, become usage Signed-off-by: Mark Bolwell --- handlers/main.yml | 56 +++++++++++++++-------------------------------- 1 file changed, 18 insertions(+), 38 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 08c80264..7ff5ea25 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,11 @@ --- # handlers file for RHEL9-CIS +- name: reload sysctl + shell: sysctl --system + args: + warn: false + - name: sysctl flush ipv4 route table become: true sysctl: @@ -8,7 +13,9 @@ value: '1' sysctl_set: true ignore_errors: true - when: ansible_virtualization_type != "docker" + when: + - flush_ipv4_route + - not system_is_container tags: - skip_ansible_lint 
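Review bot: The new `reload sysctl` handler runs `shell: sysctl --system` with no `changed_when` and, unlike the flush handlers changed in the following hunk, no `not system_is_container` guard, so it reports changed on every run and will likely fail in a container where /proc/sys is read-only. Since it needs no shell features, `command: sysctl --system` with `changed_when: false` and `when: not system_is_container` is the safer form. The handler that notifies it is outside this hunk, so whether `reload sysctl` is still reachable after the `update sysctl` handler is dropped below cannot be confirmed here.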
@@ -18,35 +25,9 @@ name: net.ipv6.route.flush value: '1' sysctl_set: true - when: ansible_virtualization_type != "docker" - -- name: update sysctl - template: - src: "etc/sysctl.d/{{ item }}.j2" - dest: "/etc/sysctl.d/{{ item }}" - owner: root - group: root - mode: 0600 - notify: reload sysctl - with_items: - - 60-kernel_sysctl.conf - - 60-disable_ipv6.conf - - 60-netipv4_sysctl.conf - - 60-netipv6_sysctl.conf - when: - - ansible_virtualization_type != "docker" - - "'procps-ng' in ansible_facts.packages" - -- name: reload sysctl - sysctl: - name: net.ipv4.route.flush - value: '1' - state: present - reload: true - ignoreerrors: true - when: - - ansible_virtualization_type != "docker" - - "'systemd' in ansible_facts.packages" + when: + - flush_ipv6_route + - not system_is_container - name: systemd restart tmp.mount become: true @@ -72,25 +53,21 @@ warn: false - name: restart firewalld - become: true service: name: firewalld state: restarted - name: restart sshd - become: true service: name: sshd state: restarted - name: restart postfix - become: true service: name: postfix state: restarted - name: reload dconf - become: true shell: dconf update args: warn: false @@ -102,15 +79,18 @@ owner: root group: root mode: 0600 + register: auditd_template_update notify: restart auditd - name: restart auditd - shell: /sbin/service auditd restart - changed_when: false - check_mode: false - failed_when: false + shell: service auditd restart args: warn: false + when: + - audit_rules_updated.changed or + rule_4_1_2_1.changed or + rule_4_1_2_2.changed or + rule_4_1_2_3.changed tags: - skip_ansible_lint From 97a6a6199722e2404aef0b41dbd5ef216135ecf4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:06:16 +0100 Subject: [PATCH 124/454] container var usage Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index c78be9b7..ffe72052 100644 
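Review bot: The rewritten `restart auditd` handler gates on `audit_rules_updated.changed`, but the template task just above it registers `auditd_template_update`, so unless `audit_rules_updated` is registered somewhere outside this diff the flag from the template change is never consulted. The `when` list also dereferences `rule_4_1_2_1`, `rule_4_1_2_2` and `rule_4_1_2_3` unconditionally; when cis_4.1.2.x.yml is excluded by tags those variables are undefined and the handler errors instead of restarting. A safer guard is `- (auditd_template_update | default({})).changed | default(false)` for each registered result, and since a handler only runs when notified, the condition may be redundant altogether.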
--- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -30,7 +30,6 @@ enabled: yes when: - rhel9cis_rule_4_1_1_2 - - ansible_connection != 'docker' tags: - level2-server - level2-workstation From 1dd2b46be604f77d85c8a744369feeed0ca4e4ca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:06:41 +0100 Subject: [PATCH 125/454] logrotate process update Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 959fd62c..2283d6a5 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -16,7 +16,7 @@ - name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" systemd: - name: logrotate + name: logrotate.timer state: started enabled: true when: From b934cbef3f259500f920b9729274e6cfbadd4775 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:06:56 +0100 Subject: [PATCH 126/454] suditd improvements Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.2.x.yml | 3 + tasks/section_4/cis_4.1.3.x.yml | 126 ++++++++++++-------------------- 2 files changed, 50 insertions(+), 79 deletions(-) diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 0eec0b29..afad08bc 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -5,6 +5,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" + register: rule_4_1_2_1 notify: restart auditd when: - rhel9cis_rule_4_1_2_1 @@ -21,6 +22,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" + register: rule_4_1_2_2 notify: restart auditd when: - rhel9cis_rule_4_1_2_2 
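Review bot: The 4.1.1.2 hunk drops the `ansible_connection != 'docker'` condition without replacing it, whereas the sibling commit on this page substitutes `not system_is_container` for the same check in cis_1.1.1.x.yml; the task above (which sets `enabled: yes`, presumably a service enable) will now also run inside containers, where there is usually no service manager to act on. Add `- not system_is_container` to the `when` list unless that is intended. The task body starts outside the hunk.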
@@ -37,6 +39,7 @@ path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" + register: rule_4_1_2_3 notify: restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 0c392678..c05b93cf 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,10 +1,8 @@ --- - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_1 tags: @@ -16,10 +14,8 @@ - rule_4.1.3.1 - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_2 tags: @@ -31,10 +27,8 @@ - rule_4.1.3.2 - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_3 tags: @@ -46,10 +40,8 @@ - rule_4.1.3.3 - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_4 tags: 
@@ -61,10 +53,8 @@ - rule_4.1.3.4 - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_5 tags: @@ -85,9 +75,8 @@ register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true + set_fact: + update_audit_template: true notify: update auditd when: - rhel9cis_rule_4_1_3_6 @@ -100,10 +89,8 @@ - rule_4.1.3.6 - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_7 tags: @@ -115,10 +102,8 @@ - rule_4.1.3_7 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_8 tags: @@ -130,10 +115,8 @@ - rule_4.1.3.8 - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_9 tags: 
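Review bot: The 4.1.3.6 hunk (`@@ -85,9 +75,8 @@`) keeps `notify: update auditd` while every sibling control in this file drops it along with the debug task. Since `set_fact` never reports a change, the notify is dead code, and if the `update auditd` handler has been removed in favour of tasks/auditd.yml (as the new end-of-file message states) it would error with "handler not found" were it ever triggered. Remove the `notify: update auditd` line so 4.1.3.6 matches 4.1.3.1–4.1.3.20.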
@@ -145,10 +128,8 @@ - rule_4.1.3.9 - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_10 tags: @@ -160,10 +141,8 @@ - rule_4.1.3.10 - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_11 tags: @@ -175,10 +154,8 @@ - rule_4.1.3.11 - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_12 tags: @@ -190,10 +167,8 @@ - rule_4.1.3.12 - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_13 tags: @@ -204,10 +179,8 @@ - rule_4.1.3.13 - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_14 tags: 
@@ -219,10 +192,8 @@ - rule_4.1.3.14 - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_15 tags: @@ -234,10 +205,8 @@ - rule_4.1.3.15 - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_16 tags: @@ -249,10 +218,8 @@ - rule_4.1.3.16 - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_17 tags: @@ -264,10 +231,8 @@ - rule_4.1.3.17 - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_18 tags: @@ -279,10 +244,8 @@ - rule_4.1.3.18 - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_19 tags: 
@@ -294,10 +257,8 @@ - rule_4.1.3.19 - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_20 tags: @@ -321,3 +282,10 @@ - patch - auditd - rule_4.1.3.21 + +- name: Auditd | 4.1.3 | Auditd controls updated + debug: + msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" + changed_when: false + when: + - update_audit_template From 4336bbf6b627302b7a9880b1e14d54000e5d6326 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:07:39 +0100 Subject: [PATCH 127/454] auditd, sysctl, become tidy up Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 25 ++++++++++++++++++ tasks/main.yml | 14 +++++----- tasks/post.yml | 67 ++++++++++++------------------------------------ 3 files changed, 49 insertions(+), 57 deletions(-) create mode 100644 tasks/auditd.yml diff --git a/tasks/auditd.yml b/tasks/auditd.yml new file mode 100644 index 00000000..f3fc1fdf --- /dev/null +++ b/tasks/auditd.yml 
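Review bot: The new debug message in the last hunk names `/etc/auditd/rules.d/99_auditd.rules`, but the template task that actually writes the rules (tasks/auditd.yml in the next commit) uses `dest: /etc/audit/rules.d/99_auditd.rules`; an operator reading the play output will look in the wrong directory. Change the line to `msg: "Auditd Controls handled in POST using template - updating /etc/audit/rules.d/99_auditd.rules"`. The task name `Auditd | 4.1.3 | Auditd controls updated` also departs from the `"4.1.3.x | PATCH | ..."` naming used by the rest of the file.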
@@ -0,0 +1,25 @@ +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added + template: + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: 0600 + register: audit_rules_updated + notify: restart auditd + +- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable + block: + - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied + shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + changed_when: false + register: auditd_immutable_check + + - name: POST | AUDITD | Set reboot required if auditd immutable + debug: + msg: "Reboot required for auditd to apply new rules as immutable set" + notify: change_requires_reboot + when: + - auditd_immutable_check.stdout == '1' + when: + - audit_rules_updated.changed \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 1b240f7d..9a6ee311 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
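Review bot: `shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules` exits 1 when there is no match, so with `changed_when: false` alone the task fails on every host where immutability is not configured; add `failed_when: auditd_immutable_check.rc > 1` so only a real grep error fails the play. The following `debug` task carries `notify: change_requires_reboot` but `debug` never reports changed, so the reboot handler is never queued even when the immutable flag is present; add `changed_when: true` to that task. The new file also lacks the `---` document start used by the other task files and has no trailing newline.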
@@ -123,49 +123,49 @@ - name: run Section 1 tasks import_tasks: section_1/main.yml - become: true when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml - become: true when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml - become: true when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml - become: true when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml - become: true when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml - become: true when: rhel9cis_section6 tags: - rhel9cis_section6 +- name: run auditd logic + import_tasks: auditd.yml + when: + - update_audit_template + tags: + - always + - name: run post remediation tasks import_tasks: post.yml - become: true tags: - post_tasks - always diff --git a/tasks/post.yml b/tasks/post.yml index c0f6be87..bca18aed 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
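Review bot: The new `run auditd logic` import is gated on `when: - update_audit_template` and tagged `always`, so the variable is evaluated even when section 4 is skipped or no 4.1.3 control set it; it needs a declared default (the changelog later in this series says `default false` — confirm it is in defaults/main.yml) or the import fails with an undefined variable. Removing `become: true` from every section import means the role now depends on the caller enabling privilege escalation at play level; that requirement should be stated in the README alongside this change.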
@@ -12,57 +12,24 @@ tags: - always -- name: trigger update sysctl - shell: /bin/true - args: - warn: false - changed_when: true - check_mode: false - notify: update sysctl +- name: update sysctl + template: + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" + owner: root + group: root + mode: 0600 + register: sysctl_updated + notify: reload sysctl + with_items: + - 60-kernel_sysctl.conf + - 60-disable_ipv6.conf + - 60-netipv4_sysctl.conf + - 60-netipv6_sysctl.conf when: - - rhel9cis_rule_3_1_1 or - rhel9cis_rule_3_1_2 or - rhel9cis_rule_3_1_3 or - rhel9cis_rule_3_2_1 or - rhel9cis_rule_3_2_2 or - rhel9cis_rule_3_3_1 or - rhel9cis_rule_3_3_2 or - rhel9cis_rule_3_3_3 or - rhel9cis_rule_3_3_4 or - rhel9cis_rule_3_3_5 or - rhel9cis_rule_3_3_6 or - rhel9cis_rule_3_3_7 or - rhel9cis_rule_3_3_8 or - rhel9cis_rule_3_3_9 - tags: - - sysctl - -- name: trigger update auditd - shell: /bin/true - args: - warn: false - notify: update auditd - changed_when: true - check_mode: false - when: - - rhel9cis_rule_4_1_1_1 or - rhel9cis_rule_4_1_1_2 or - rhel9cis_rule_4_1_1_3 or - rhel9cis_rule_4_1_2_1 or - rhel9cis_rule_4_1_2_2 or - rhel9cis_rule_4_1_2_3 or - rhel9cis_rule_4_1_3 or - rhel9cis_rule_4_1_4 or - rhel9cis_rule_4_1_5 or - rhel9cis_rule_4_1_6 or - rhel9cis_rule_4_1_7 or - rhel9cis_rule_4_1_8 or - rhel9cis_rule_4_1_9 or - rhel9cis_rule_4_1_10 or - rhel9cis_rule_4_1_11 or - rhel9cis_rule_4_1_12 - tags: - - auditd + - sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" - name: flush handlers meta: flush_handlers From 6165191c085bac0300340857ae8a952d84b968bf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:08:14 +0100 Subject: [PATCH 128/454] updates Signed-off-by: Mark Bolwell --- Changelog.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog.md b/Changelog.md index b120eee4..90329ca4 100644 --- a/Changelog.md +++ b/Changelog.md 
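Review bot: The rewritten `update sysctl` task gates on `sysctl_update` and registers `sysctl_updated`; two names differing by one letter, one a control flag (presumably set by section 3 tasks — not visible here) and the other a task result, invite the wrong one being referenced in handlers. Consider a result name that cannot be confused with the flag, e.g. `register: sysctl_template_result`, and update the handler that consumes it. Otherwise the move from an always-changed `/bin/true` trigger to a templated file that notifies only on change is a real idempotency gain.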
@@ -1,5 +1,18 @@ # Changes to rhel9CIS +## 0.3 + +- update to auditd template + - uses facts and template new variable + - update_audit_template (default false) +- sysctl template updates and idempotency improvements +- container discovery usage improvements +- 3.4.1.5 discovery improvement +- 5.6.1.4 discovery improvement +- logrotate process logrotate.timer +- tidy up become: +- logic improvements + ## 0.2 - not all controls work with rhel8 releases any longer From 1ab63c73d6e24f7d0a6bb836fbc5f03e835090a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:33:06 +0100 Subject: [PATCH 129/454] added pause for rhel9 aswell Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 3c4cf3f5..229becd5 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -83,16 +83,16 @@ jobs: # Centos 7 images take a while to come up insert sleep or playbook fails - - name: Check if test os is rhel7 + - name: Check if test os is rhel7 or rhel9 working-directory: .github/workflows id: test_os run: >- - echo "::set-output name=RHEL7::$( - grep -c RHEL7 OS.tfvars + echo "::set-output name=Pause::$( + grep -c "RHEL\(7\|9\)" OS.tfvars )" - - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 + - name: if RHEL(7|9) - Sleep for 60 seconds + if: steps.test_os.outputs.Pause >= 1 run: sleep 60s shell: bash From c02024ef6947f025838e900f047c85894bdd1513 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 09:01:14 +0100 Subject: [PATCH 130/454] changed to check ssh for all hosts Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 229becd5..c375c7e8 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -81,20 +81,14 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Centos 7 images take a while to come up insert sleep or playbook fails +# Ensure system is up for connections before continuing - - name: Check if test os is rhel7 or rhel9 + - name: Check system is up and runnimn working-directory: .github/workflows id: test_os run: >- - echo "::set-output name=Pause::$( - grep -c "RHEL\(7\|9\)" OS.tfvars - )" - - - name: if RHEL(7|9) - Sleep for 60 seconds - if: steps.test_os.outputs.Pause >= 1 - run: sleep 60s - shell: bash + ansible all -i hosts.yml -m wait_for -a "host='{{ (ansible_ssh_host|default(ansible_host) }}' port=22 delay=10" + # Run the ansible playbook - name: Run_Ansible_Playbook From 1836ae14d79666db4190dc51aa2a7a0be53363b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 09:15:26 +0100 Subject: [PATCH 131/454] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index c375c7e8..b4c7df4c 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -83,13 +83,12 @@ jobs: # Ensure system is up for connections before continuing - - name: Check system is up and runnimn + - name: Check system is up and running working-directory: .github/workflows id: test_os run: >- ansible all -i hosts.yml -m wait_for -a "host='{{ (ansible_ssh_host|default(ansible_host) }}' port=22 delay=10" - # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master 
From a8ec3e343ac31f56c4f37fff13c144ff3dd124ad Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 13:23:34 +0100 Subject: [PATCH 132/454] updated timeout test Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index b4c7df4c..8a9805c8 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "host='{{ (ansible_ssh_host|default(ansible_host) }}' port=22 delay=10" + ansible all -i hosts.yml -m ping -e retries=20 -e delay=20 # Run the ansible playbook - name: Run_Ansible_Playbook From cf6e08c3903e881c1a555ef8505659fe424913c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 14:16:58 +0100 Subject: [PATCH 133/454] added legacy mount check again Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 53b1350a..2646e985 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -90,6 +90,24 @@ when: - '"python3-libselinux" not in ansible_facts.packages' +- name: "PRELIM | Set facts based on boot type" + block: + - name: "PRELIM | Check whether machine is UEFI-based" + stat: + path: /sys/firmware/efi + register: rhel_09_efi_boot + + - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" + set_fact: + rhel9cis_legacy_boot: true + grub2_path: /etc/grub2.cfg + when: not rhel_09_efi_boot.stat.exists + + - name: "PRELIM | set grub fact | UEFI" + set_fact: + grub2_path: /etc/grub2-efi.cfg + when: rhel_09_efi_boot.stat.exists + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" package: name: audit 
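Review bot: `ansible all -i hosts.yml -m ping -e retries=20 -e delay=20` does not retry: `-e` defines extra variables, and `retries`/`delay` are task keywords that an ad-hoc `ping` never reads, so the step runs once and fails immediately on a host that is still booting. Use the module built for this purpose, `ansible all -i hosts.yml -m wait_for_connection -a "delay=10 timeout=600"`, which polls until the connection succeeds. The step `id: test_os` is no longer referenced by a later `if:` and can be dropped.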
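Review bot: In the prelim.yml hunk `rhel9cis_legacy_boot: true` is set only in the BIOS branch, so on UEFI hosts the fact stays undefined and any later `when: rhel9cis_legacy_boot` would error rather than evaluate false; set `rhel9cis_legacy_boot: false` in the `PRELIM | set grub fact | UEFI` task (or declare a default). The two sub-task names also mix `PRELIM | AUDIT | ...` and `PRELIM | ...` for what are both fact-setting tasks.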
From b68e8a3cddaa14a0cf20d3ec5d862714ce8108b3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Jun 2022 09:53:27 +0100 Subject: [PATCH 134/454] Added Managed by Ansible Changes will be lost Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 ++ templates/audit/99_auditd.rules.j2 | 2 ++ templates/etc/chrony.conf.j2 | 2 ++ templates/etc/modprobe.d/modprobe.conf.j2 | 1 + templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- templates/etc/systemd/system/tmp.mount.j2 | 2 ++ 9 files changed, 13 insertions(+), 4 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 6654addf..f5a7921e 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,3 +1,5 @@ + +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! ## metadata for benchmark ## metadata for Audit benchmark diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 7abe895b..2d270cce 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,3 +1,5 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index 6513faac..54c1b6c7 100644 --- a/templates/etc/chrony.conf.j2 +++ b/templates/etc/chrony.conf.j2 @@ -1,3 +1,5 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + # This the default chrony.conf file for the Debian chrony package. After # editing this file use the command 'invoke-rc.d chrony restart' to make # your changes take effect. John Hasler 1998-2008 
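Review bot: The banner added to all nine templates reads `## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!`; it should be `## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!` (same fix in the 99_auditd.rules, chrony.conf, modprobe.conf, the four sysctl.d templates and tmp.mount hunks). The 99_auditd.rules.j2 hunk also keeps the comment "set all of the auditd configurations via a handler", which is stale now that the template is applied from tasks/auditd.yml. In ansible_vars_goss.yml.j2 the banner is inserted after an empty first line; drop the blank line so the banner is the first line as in the other templates.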
diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index 1a1a48d8..a4d9d3d8 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -1,5 +1,6 @@ # Disable usage of protocol {{ item }} # Set by ansible {{ benchmark }} remediation role # https://github.com/ansible-lockdown +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! install {{ item }} /bin/true \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 34ee10ca..b172b97c 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 index cbfffeda..bf8e8582 100644 --- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! {% if rhel9cis_rule_1_5_3 %} diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 308b914b..4b2dabca 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # IPv4 Network sysctl {% if rhel9cis_rule_3_2_1 %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index 0b23c559..895f23ee 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # IPv6 Network sysctl {% if rhel9cis_ipv6_required %} diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index 2a97a56b..f2c4fe28 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -7,6 +7,8 @@ # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + [Unit] Description=Temporary Directory (/tmp) Documentation=man:hier(7) From c4945598829b95215e8b63a333f6a5e3c3058b9d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:12:41 +0100 Subject: [PATCH 135/454] updated handler conditional Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index 7ff5ea25..d9838403 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -5,6 +5,8 @@ shell: sysctl --system args: warn: false + when: + - sysctl_updated.changed - name: sysctl flush ipv4 route table become: true From 6b6a4a32c876f78c4e8de9dbccdd09113b91868f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:13:33 +0100 Subject: [PATCH 136/454] added warning count 
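Review bot: The added `when: - sysctl_updated.changed` on the `reload sysctl` handler errors with an undefined variable if the handler is notified by any task other than the post.yml template, or if post.yml was skipped; handlers already run only when a changed task notified them, so the condition adds nothing in the normal path and a failure mode in the others. Either drop it or guard it: `- sysctl_updated is defined and sysctl_updated.changed`. The handler definition starts above the hunk.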
Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 +++ tasks/section_1/cis_1.1.2.x.yml | 26 +++++++++-- tasks/section_1/cis_1.1.3.x.yml | 11 ++++- tasks/section_1/cis_1.1.4.x.yml | 13 ++++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++++- tasks/section_1/cis_1.1.6.x.yml | 12 ++++- tasks/section_1/cis_1.1.7.x.yml | 10 ++++- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 12 +++-- tasks/section_1/cis_1.6.1.x.yml | 8 +++- tasks/section_2/cis_2.4.yml | 9 +++- tasks/section_3/cis_3.4.2.x.yml | 41 ++++++++++------- tasks/section_4/cis_4.2.2.x.yml | 21 ++++++--- tasks/section_5/cis_5.6.1.x.yml | 12 ++++- tasks/section_6/cis_6.1.x.yml | 9 +++- tasks/section_6/cis_6.2.x.yml | 80 +++++++++++++++++++++++---------- vars/main.yml | 6 ++- 17 files changed, 219 insertions(+), 71 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 9a6ee311..a55063a8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -180,3 +180,9 @@ msg: "{{ audit_results.split('\n') }}" when: - run_audit + +- name: Output Warning count and control IDs affected + debug: + msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + tags: + - always diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index a50797d7..d43d7684 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
@@ -1,11 +1,30 @@ --- - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" - debug: - msg: "Warning! /tmp is not mounted on a separate partition" + block: + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" + debug: + msg: "Warning!! /tmp is not mounted on a separate partition" + when: + - required_mount not in mount_names + + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/tmp' when: - rhel9cis_rule_1_1_2_1 - - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server - level1-workstation @@ -68,7 +87,6 @@ tags: - level1-server - level1-workstation - - scored - patch - mounts - rule_1.1.2.1 diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 8fa9e4b2..6dbc1d2a 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
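Review bot: `control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]"` templates only the `{{ }}` part, so the fact becomes the string `"[] + [ 'rule_1.1.2.1' ]"` rather than a list, and each further control nests another layer of text; the final summary will print an expression, not the IDs. Move the concatenation inside the expression: `control_number: "{{ control_number + [ 'rule_1.1.2.1' ] }}"`. The same pattern recurs in the cis_1.1.3.x, cis_1.1.4.x, cis_1.1.5.x, cis_1.1.6.x, cis_1.1.7.x and cis_1.2.x hunks of this commit. The third sub-task in the 1.1.2.1 block is still named `1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present` and registers `var_mount_present`; it should read `1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present` with its own register name.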
@@ -4,12 +4,19 @@ block: - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_mount_absent changed_when: var_mount_absent.skipped is undefined when: - required_mount not in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -38,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index c7800132..62c43068 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml 
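Review bot: The reordered `opts:` line in the second hunk still ends with a comma whenever `rhel9cis_rule_1_1_3_4` is false and an earlier option is on (`defaults,noexec,nodev,`), which mount may reject or silently ignore depending on the filesystem. Build the list and join it instead, e.g. `opts: "{{ (['defaults'] + (['noexec'] if rhel9cis_rule_1_1_3_3 else []) + (['nodev'] if rhel9cis_rule_1_1_3_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_3_4 else [])) | join(',') }}"`. The same trailing-comma risk is in the cis_1.1.4.x, cis_1.1.5.x and cis_1.1.8.x hunks of this commit. The mount task this line belongs to starts above the hunk.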
@@ -5,12 +5,19 @@ block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined when: - required_mount not in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -39,7 +46,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -61,4 +68,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 + - rule_1.1.4.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index c9343c4a..985b3d8d 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
@@ -4,11 +4,19 @@ block: - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_mount_absent changed_when: var_log_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -37,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 1df3e849..47bcba77 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -4,11 +4,19 @@ block: - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_audit_mount_absent changed_when: var_log_audit_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -58,4 +66,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 + - rule_1.1.6.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 453fef53..6ba442db 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -4,11 +4,19 @@ block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent changed_when: home_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" debug: msg: "Congratulations: {{ required_mount }} exists." 
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 75bdabbe..a61a6aff 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -25,7 +25,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 960815f4..4ad09dfa 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -25,7 +25,8 @@ when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or - ansible_distribution == "Rocky" + ansible_distribution == "Rocky" or + ansible_distribution == "AlmaLinux" tags: - level1-server - level1-workstation @@ -45,7 +46,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: '^gpgcheck\s+=\s+0' + regexp: "^gpgcheck=0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" @@ -74,8 +75,13 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - - "Warning! Below are the configured repos. Please review and make sure all align with site policy" + - "Warning!! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" + + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" + set_fact: + control_number: "{{ control_number }} + ['rule_1.2.4']" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_1_2_4 tags: 
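Review bot: The 1.2.3 `Update yum.repos` task now uses `regexp: "^gpgcheck=0"`, which only matches the no-whitespace spelling, while the removed `'^gpgcheck\s+=\s+0'` only matched the spaced form; neither covers the other, so a repo file written as `gpgcheck = 0` keeps signature verification disabled after remediation and the host goes on installing unsigned packages. Use `regexp: '^gpgcheck\s*=\s*0\s*$'` so both spellings are rewritten, keeping single quotes so the backslashes are not reprocessed. Since this is the control that makes 1.2.2's key check meaningful, it is worth a molecule case with a `gpgcheck = 0` fixture.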
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f917a99a..f0ea11af 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -80,6 +80,12 @@ debug: msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - rhel9cis_rule_1_6_1_5 tags: @@ -115,4 +121,4 @@ - level1-workstation - automated - patch - - rule_1.6.1.7 + - rule_1.6.1.7 \ No newline at end of file diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index e17ab764..14b86eda 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -12,9 +12,14 @@ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - - "Warning! Below are the list of services, both active and inactive" + - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" + set_fact: + control_number: "{{ control_number }} + ['rule_2.4']" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_2_4 tags: @@ -23,4 +28,4 @@ - manual - audit - services - - rule_2.4 + - rule_2.4 \ No newline at end of file diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index a9284c51..b74eda17 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -5,6 +5,7 @@ name: nftables state: present when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server 
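Review bot: The added 1.6.1.5 `warning count` task has an unterminated quote in `control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]"` — the closing `'` after the rule id is missing — so the summary message carries an unbalanced quote for this control; every sibling task on this page writes `[ 'rule_x.y.z' ]`. Change it to `control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]"`. The `Warning!` text of the debug task in this hunk also was not updated to the `Warning!!` form adopted everywhere else in this commit, which matters if anything downstream filters on that marker. The 1.6.1.5 block's outer `when` continues outside this hunk.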
@@ -17,22 +18,11 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - block: - - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service" - systemd: - name: firewalld - masked: true - state: stopped - when: - - rhel9cis_nftables_firewalld_state == "masked" - - - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed" - package: - name: firewalld - state: absent - when: - - rhel9cis_nftables_firewalld_state == "absent" + package: + name: firewalld + state: absent when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - level1-server @@ -59,6 +49,7 @@ name: iptables-service state: absent when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -105,17 +96,26 @@ - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" debug: msg: - - "Warning! You currently have no nft tables, please review your setup" + - "Warning!! You currently have no nft tables, please review your setup" - 'Use the command "nft create table inet
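Review bot: 3.4.2.2 now unconditionally removes the firewalld package when nftables is selected and drops the `rhel9cis_nftables_firewalld_state == "masked"` branch; if that variable is still declared in defaults or documented in the README (not visible here) it becomes dead configuration that operators will set with no effect, so it should be removed there or the masked branch kept. Note the ordering this leaves in place: firewalld is removed in 3.4.2.2, but the nftables table, chains and drop policies are only created in 3.4.2.5–3.4.2.9 later in the same file, so a host is presumably unfiltered between those steps during a first run; if that window matters, a comment above the task warning about it, or moving the removal after 3.4.2.10, would help. The firewalld rpm scriptlets' behaviour on removal is not shown here, so whether the old ruleset is flushed immediately should be confirmed.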
" to create a new table' when: - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: no when: rhel9cis_nft_tables_autonewtable when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server @@ -167,11 +167,12 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } when: rhel9cis_nft_tables_autochaincreate when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server - level1-workstation - - automated + - automate - patch - nftables - rule_3.4.2.6 @@ -208,6 +209,7 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_7 tags: - level1-server @@ -255,6 +257,7 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_8 tags: - level1-server 
@@ -306,6 +309,7 @@ command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_9 tags: - level1-server @@ -320,6 +324,7 @@ name: nftables enabled: yes when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 tags: - level1-server @@ -332,9 +337,11 @@ - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" lineinfile: path: /etc/sysconfig/nftables.conf + state: present insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_11 tags: - level1-server diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 96606706..7a35d8ff 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -41,6 +41,7 @@ state: started enabled: yes when: + - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 tags: - level1-server @@ -52,11 +53,12 @@ - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" systemd: - name: systemd-journal-remote + name: systemd-journal-remote.socket state: stopped enabled: no masked: yes when: + - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 tags: - level1-server 
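Review bot: 3.4.2.11 appends `include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"` to /etc/sysconfig/nftables.conf, but nothing in this diff writes that file — the table, chains and rules in 3.4.2.5–3.4.2.9 are created with live `nft` commands only. Unless a task outside this diff exports the ruleset there, `nft -f /etc/sysconfig/nftables.conf` fails on the missing include when nftables.service starts and the host boots with no firewall rules at all, the opposite of what the control intends. Consider a preceding task that dumps the table, e.g. `shell: nft list table inet {{ rhel9cis_nft_tables_tablename }} > /etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}`, plus a `file` task ensuring /etc/nftables exists, and a comment on the lineinfile stating that the included file is expected to be maintained by the role.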
@@ -83,7 +85,13 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" debug: msg: - - "Warning! The status of systemd-journald should be static and it is not. Please investigate" + - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" + warn_count: "{{ warn_count|int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 @@ -134,7 +142,6 @@ notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 - - rhel9cis_preferred_log_capture == "journald" tags: - level1-server - level2-workstation @@ -190,9 +197,13 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" debug: msg: - - "Warning! Below are the current default settings for journald, please confirm they align with your site policies" - # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" + - "Warning!! Below are the current default settings for journald, please confirm they align with your site policies" - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index d8ea2143..790e876d 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml 
@@ -78,7 +78,7 @@ - password - rule_5.6.1.4 -- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) @@ -101,7 +101,15 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" debug: - msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c169d4b7..c61b51e7 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -12,7 +12,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" 
@@ -20,8 +20,13 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: msg: | - "Warning! You have some package descrepancies issues. + "Warning!! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" + + - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" + warn_count: "{{ warn_count|int + 1 }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 31dafa81..66754888 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
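Review bot: In the 6.1.1 alert task the message is a `|` block scalar, so the double quotes on `"Warning!! You have some package descrepancies issues.` and the closing `"` after `{{ rhel9cis_rpm_audit_file }}` are literal characters in the output rather than YAML quoting; drop them, and `descrepancies` should read `discrepancies`. Whether the existing `when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0` that now follows the inserted `warning count` task belongs to the block or was the debug task's own condition cannot be told from the collapsed hunk; if it was the latter, the debug now runs unconditionally, and the 4.2.2.2 hunk on this page shows the explicit per-task `when` that avoids that. The enclosing block begins outside this hunk.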
@@ -29,12 +29,18 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 + when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: - msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0 + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined when: - rhel9cis_rule_6_2_2 tags: 
@@ -57,12 +63,18 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 + when: rhel9cis_6_2_3_user_uid_check.stdout is not defined - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: - msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0 + msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined + + - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined when: - rhel9cis_rule_6_2_3 tags: 
@@ -85,12 +97,19 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 + when: rhel9cis_6_2_4_user_user_check.stdout is not defined - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: - msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length > 0 + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: - rhel9cis_rule_6_2_4 tags: 
@@ -113,12 +132,18 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 + when: rhel9cis_6_2_5_user_username_check.stdout is not defined - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: - msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length > 0 + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined when: - rhel9cis_rule_6_2_5 tags: 
@@ -142,12 +167,18 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout | length == 0 + when: rhel9cis_6_2_6_group_group_check.stdout is defined - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: - msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout | length > 0 + msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_6 tags: @@ -230,7 +261,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +301,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" 
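Review bot: The 6.2.6 conditions are inverted relative to every sibling in this commit: `Good News` now fires on `stdout is defined` while the warning and `warning count` fire on `stdout is not defined`, and since a registered `shell`/`command` result always carries `stdout` (an empty string when there are no duplicates), duplicate group names are never reported and the success message always prints. The follow-up commit on this page (PATCH 144) restores the `| length == 0` / `| length >= 1` tests for 6.2.2–6.2.5 only, so 6.2.6 stays broken. Change the three conditions to `when: rhel9cis_6_2_6_group_group_check.stdout | length == 0` for the good-news task and `when: rhel9cis_6_2_6_group_group_check.stdout | length >= 1` for the warning and count tasks.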
@@ -299,7 +331,8 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - min_int_uid | int <= item.uid + - item.uid >= min_int_uid | int + - item.id != 'nobody' - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 @@ -315,7 +348,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -356,7 +389,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -427,8 +461,8 @@ - name: "6.2.14 | PATCH | Ensure no users have .forward files" file: + path: "~{{ item }}/.forward" state: absent - dest: "~{{ item }}/.forward" with_items: - "{{ users.stdout_lines }}" when: @@ -444,8 +478,8 @@ - name: "6.2.15 | PATCH | Ensure no users have .netrc files" file: + path: "~{{ item }}/.netrc" state: absent - dest: "~{{ item }}/.netrc" with_items: - "{{ users.stdout_lines }}" when: @@ -461,8 +495,8 @@ - name: "6.2.16 | PATCH | Ensure no users have .rhosts files" file: + path: "~{{ item }}/.rhosts" state: absent - dest: "~{{ item }}/.rhosts" with_items: "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_16 diff --git a/vars/main.yml b/vars/main.yml index dbbc71f6..9b13f43c 100644 --- a/vars/main.yml +++ b/vars/main.yml 
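Review bot: 6.2.10 now excludes the `nobody` account by name (`item.id != 'nobody'`) while 6.2.9 and 6.2.11 in the same commit bound the same user set with `selectattr('uid', '<=', max_int_uid | int)`; a name test is fragile, since any other system account with a UID above the interactive range is still checked and a real user literally named `nobody` is skipped. The consistent guard is `- item.uid <= max_int_uid | int` in place of the name check. The 6.2.14–6.2.16 tasks switch to `path: "~{{ item }}/.forward"`, which relies on tilde expansion happening on the managed host; that is the module's documented behaviour for path-typed arguments, but a brief comment saying so would save the next reader a check.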
@@ -1,8 +1,12 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.10 +min_ansible_version: 2.9.4 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' - 'FIPS' + +# Used to control warning summary +control_number: "" +warn_count: 0 \ No newline at end of file From ba791f549496816889cb60646a7940fa210e8f1b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:13:47 +0100 Subject: [PATCH 137/454] added jounald to syslog type Signed-off-by: Mark Bolwell --- tasks/section_4/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index d28e3cef..6128f169 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -17,6 +17,7 @@ - name: "SECTION | 4.2.2 Configure journald" import_tasks: cis_4.2.2.x.yml + when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" import_tasks: cis_4.2.3.yml From df1477199393371960129da4cda33fe909787830 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:13:57 +0100 Subject: [PATCH 138/454] updated with alma vars Signed-off-by: Mark Bolwell --- vars/AlmaLinux.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 69e59941..61bf39b1 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,4 +1,6 @@ --- # OS Specific Settings -rpm_gpg_key: RPM-GPG-KEY-AlmaLinux +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 +rpm_packager: "AlmaLinux Packaging Team " +rpm_key: "d36cb86cb86b3716" From de4a7c5bf2efa027a79415ef6781cdcffc153694 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:24:07 +0100 Subject: [PATCH 139/454] removed empty row Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2a5a4908..870f0701 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
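Review bot: `min_ansible_version: 2.9.4` happens to be a string only because it has two dots, whereas the removed `2.10` was parsed by YAML as the float `2.1`; quote it, `min_ansible_version: "2.9.4"`, so a future bump back to `2.10` does not silently regress the check. The new `control_number: ""` seed is what forces the Warn Count tasks into string concatenation; seeding `control_number: []` and appending inside the Jinja expression (`"{{ control_number + ['rule_x'] }}"`) would make the summary a real list. A comment noting that `warn_count` becomes a string after the first `set_fact` and must be cast with `| int` would also help.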
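Review bot: Gating the whole `SECTION | 4.2.2 Configure journald` import on `rhel9cis_syslog == 'journald'` also skips 4.2.2.1.4 (journald must not accept remote logs), 4.2.2.2 (journald service enabled) and 4.2.2.7 (journald file permissions), which still apply when rsyslog is the chosen syslog because on RHEL 9 rsyslog reads from the journal and systemd-journald keeps running. Consider keeping the import unconditional and applying the `rhel9cis_syslog` condition only to the tasks that make journald the log destination, or at minimum documenting in defaults that selecting rsyslog disables every 4.2.2 control. The 4.2.2.1.3/4.2.2.1.4 hunks earlier on this page already use `rhel9cis_system_is_log_server` for the remote-log case, so a per-task condition fits the existing style.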
@@ -369,7 +369,6 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false - # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random From 22326c5de66280f9d4526b1c93d68b9592cec9e7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:24:50 +0100 Subject: [PATCH 140/454] Add blank row Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 9b13f43c..2ba64a18 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -9,4 +9,4 @@ rhel9cis_allowed_crypto_policies: # Used to control warning summary control_number: "" -warn_count: 0 \ No newline at end of file +warn_count: 0 From 28bbc2ff5f832d150452e9dc4cb6667b876ed09a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:26:27 +0100 Subject: [PATCH 141/454] 1.2.2 rpm gpg key check Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 32 ++++++++++++++++++++++++++++++-- vars/AlmaLinux.yml | 5 ++--- vars/RedHat.yml | 5 ++--- vars/Rocky.yml | 3 ++- 4 files changed, 36 insertions(+), 9 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 4ad09dfa..4d8cd68a 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -20,8 +20,36 @@ - skip_ansible_lint # Added as no_log still errors on ansuible-lint - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" - changed_when: false + block: + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + changed_when: false + failed_when: false + register: os_installed_pub_keys + + #- debug: + # msg: "{{ os_installed_pub_keys }}" + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" + shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + register: os_gpg_key_check + changed_when: false + failed_when: false + when: os_installed_pub_keys.rc == 0 + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" + debug: + msg: "Congratulations !! - The installed gpg keys match expected values" + when: + - os_installed_pub_keys.rc == 0 + - os_gpg_key_check.rc == 0 + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail" + fail: + msg: Installed GPG Keys do not meet expected values or keys installed that are not expected + when: + - os_installed_pub_keys.rc == 1 or + os_gpg_key_check.rc == 1 when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 61bf39b1..c460fb0a 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,6 +1,5 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 -rpm_packager: "AlmaLinux Packaging Team " -rpm_key: "d36cb86cb86b3716" +os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 +os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 0b1c2cc9..d33b0bcf 100644 
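Review bot: The 1.2.2 failure message claims to catch `keys installed that are not expected`, but the block only greps `rpm -qa` for the single expected `gpg-pubkey` name and substring-matches its packager line; an additional imported `gpg-pubkey-*` never causes a failure, both shell tasks set `failed_when: false` so a grep error (rc 2) also passes, and when `os_installed_pub_keys.rc` is non-zero but not 1 the final `when` dereferences `os_gpg_key_check.rc` on a skipped task. Tighten it with `rpm -q {{ os_gpg_key_pubkey_name }}` for presence (no pipe), `grep -F` for the fixed-string content match, and `os_installed_pub_keys.rc != 0 or (os_gpg_key_check.rc | default(1)) != 0` as the fail condition. To honour the message, list every installed key with `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and fail on any entry not in an allow-list. Matching on the 8-hex short key id in `os_gpg_key_pubkey_content` is also weaker than a full fingerprint, which is worth a comment in the vars files; the block's outer distribution `when` continues outside this hunk.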
--- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,6 +1,5 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release -rpm_packager: "Red Hat, Inc" -rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/ +os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b +os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 7c8ae0ba..77af29c8 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -1,4 +1,5 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial +os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b +os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 350d275d" From 77a73ddcae8ab4cc6e7440c650d5d7d868bd6064 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:28:50 +0100 Subject: [PATCH 142/454] tidy up warning message Signed-off-by: Mark Bolwell --- tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index a55063a8..62875c2d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -181,8 +181,9 @@ when: - run_audit -- name: Output Warning count and control IDs affected +- name: If Warnings found Output count and control IDs affected debug: msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + when: warn_count > 0 tags: - always From e6191de7edf4a8566c3dc283fa62faec1c284d8d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 13:26:29 +0100 Subject: [PATCH 143/454] fix logic in warning Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 62875c2d..b42abf2c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -184,6 +184,6 @@ - name: If Warnings found Output count and control IDs affected debug: msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" - when: warn_count > 0 + when: warn_count != 0 tags: - always From 6777a887194096f07a4aed1c3aee7e8e5bccc617 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 14:52:26 +0100 Subject: [PATCH 144/454] fix logic in warning Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 66754888..32258957 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -29,18 +29,18 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_2 tags: 
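Review bot: `when: warn_count != 0` works only by accident: after the first `set_fact` `warn_count` is the string `"1"`, which is why the previous `> 0` failed with a type error, and `"0" != 0` would also be true if a counter were ever reset via set_fact. Cast explicitly, `when: warn_count | int > 0`, so the summary logic does not depend on whether the value came from vars/main.yml or set_fact. The `control_number` it prints is assembled by string concatenation in the Warn Count tasks (`"{{ control_number }} + [ 'rule_x' ]"` with the `+` outside the braces), so the message shows raw ` + [ ... ]` text; seeding `control_number: []` and appending inside the expression would let this task print `{{ control_number | join(', ') }}`.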
@@ -63,18 +63,18 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout is not defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout is defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_3_user_uid_check.stdout is defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_3 tags: @@ -97,18 +97,18 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout is not defined + when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_4 
@@ -132,18 +132,18 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout is not defined + when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout is defined + when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_5_user_username_check.stdout is defined + when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 tags: From 595b952089172ae8d0fc25edbdd40cd129811e88 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 14:52:48 +0100 Subject: [PATCH 145/454] tidy up ttle Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index b42abf2c..e2c92618 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -183,7 +183,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" when: warn_count != 0 tags: - always From d3f2677fd56f12298ca0f8d7492b0771a1c6d330 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 25 Jul 2022 14:53:05 +0100 Subject: [PATCH 146/454] new control option due to space on auditing Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 11 +++++++++++ templates/audit/98_auditd_exception.rules.j2 | 8 ++++++++ 2 files changed, 19 insertions(+) create mode 100644 templates/audit/98_auditd_exception.rules.j2 diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f3fc1fdf..7d9e937f 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -8,6 +8,17 @@ register: audit_rules_updated notify: restart auditd + +- name: POST | Set up auditd user logging exceptions + template: + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: allow_auditd_uid_user_exclusions + - name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable block: - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 new file mode 100644 index 00000000..b3bace1e --- /dev/null +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -0,0 +1,8 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + +# This file contains users whose actions are not logged by auditd +{% if allow_auditd_uid_user_exclusions %} +{% for user in rhel8cis_auditd_uid_exclude %} +-F uid!={{ user }} +{% endfor %} +{% endif %} \ No newline at end of file From 3c66b3f83c6ba757d25b7d509d0449afa714404c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 15:25:39 +0100 Subject: [PATCH 147/454] updated rule Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 5 +++-- templates/audit/98_auditd_exception.rules.j2 | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 7d9e937f..837c7e12 100644 --- a/tasks/auditd.yml 
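Review bot: The new template task only writes `/etc/audit/rules.d/98_auditd_exceptions.rules` when `allow_auditd_uid_user_exclusions` is true; nothing removes it when the flag is later set back to false, so the exclusions keep suppressing audit records after the option is disabled. Add a companion task (below) that deletes the file when the flag is off. Two smaller points: `mode: 0600` is a bare octal that ansible-lint flags (`risky-octal`) — write `mode: "0600"`; and `src: audit/98_auditd_exception.rules.j2` vs `dest: .../98_auditd_exceptions.rules` differ in spelling, which is easy to trip over later.
```yaml
# … unchanged: "POST | Set up auditd user logging exceptions" template task …

- name: POST | Remove auditd user logging exceptions when not enabled
  file:
    path: /etc/audit/rules.d/98_auditd_exceptions.rules
    state: absent
  notify: restart auditd
  when: not allow_auditd_uid_user_exclusions
```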
+++ b/tasks/auditd.yml @@ -8,7 +8,6 @@ register: audit_rules_updated notify: restart auditd - - name: POST | Set up auditd user logging exceptions template: src: audit/98_auditd_exception.rules.j2 @@ -17,7 +16,9 @@ group: root mode: 0600 notify: restart auditd - when: allow_auditd_uid_user_exclusions + when: + - allow_auditd_uid_user_exclusions + - rhel9cis_auditd_uid_exclude | length > 0 - name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable block: diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index b3bace1e..4bc8909f 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,8 +1,8 @@ ## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if allow_auditd_uid_user_exclusions %} -{% for user in rhel8cis_auditd_uid_exclude %} +{% if allow_auditd_uid_user_exclusions %} +{% for user in rhel9cis_auditd_uid_exclude %} -F uid!={{ user }} {% endfor %} {% endif %} \ No newline at end of file From 9c2fead5fc21931a0e49debeab2b33f568cac2a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 16:41:57 +0100 Subject: [PATCH 148/454] updated rule Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 4bc8909f..a453f3b1 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -3,6 +3,6 @@ # This file contains users whose actions are not logged by auditd {% if allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} --F uid!={{ user }} +-a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} {% endif %} \ No newline at end of file 
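Review bot: `-a never,user -F uid!={{ user }} -F auid!={{ user }}` reads as inverted relative to the header comment "users whose actions are not logged": the two `-F` conditions are ANDed, so the rule matches user-space messages from everyone whose uid and auid are both *not* the listed user and drops those, while the listed user keeps being audited — with two or more entries almost all USER_* records (logins, sudo, PAM) would be suppressed. If exclusion is the intent, the filter should be equality, e.g. `-a never,user -F auid={{ user }}` (with a second rule on `uid` if that is also wanted). Note also that the `user` list only affects user-space messages, not syscall (`exit`) records, so the comment overstates what is excluded; and because audit rules are first-match per list, a `never` rule must sort before the `always` rules it is meant to override, which a `98_` prefix in rules.d does not guarantee if the rule set is ever extended to the `exit` list.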
From 69f453902fd465a2c0a92611fad8d931d07f2cea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 10:03:44 +0100 Subject: [PATCH 149/454] updated 1.6.1.2 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f0ea11af..672316c5 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -16,7 +16,7 @@ - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" replace: dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=(\s0|0).*' + regexp: 'selinux=0' replace: '' register: selinux_grub_patch ignore_errors: yes From 357e06cbb4a25fc8bf9b6432e4fd596db5955402 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 11:03:17 +0100 Subject: [PATCH 150/454] Update linux_benchmark_testing.yml updated system status check --- .github/workflows/linux_benchmark_testing.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 3c4cf3f5..8a9805c8 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
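Review bot: `regexp: 'selinux=0'` narrows 1.6.1.2 so that `enforcing=0` on the kernel command line is no longer removed, although the old pattern (and the CIS remediation for this control) covered both; the `.*` in the old pattern, which also ate the rest of the `GRUB_CMDLINE_LINUX` line, is presumably the bug being fixed. Keep both tokens without the greedy tail: `regexp: '(selinux|enforcing)=0\s?'`. Also `ignore_errors: yes` should be `ignore_errors: true` per the role's YAML booleans, and editing /etc/default/grub only takes effect after the grub config is regenerated, which this hunk does not show.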
@@ -81,20 +81,13 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Centos 7 images take a while to come up insert sleep or playbook fails +# Ensure system is up for connections before continuing - - name: Check if test os is rhel7 + - name: Check system is up and running working-directory: .github/workflows id: test_os run: >- - echo "::set-output name=RHEL7::$( - grep -c RHEL7 OS.tfvars - )" - - - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 - run: sleep 60s - shell: bash + ansible all -i hosts.yml -m ping -e retries=20 -e delay=20 # Run the ansible playbook - name: Run_Ansible_Playbook From 5ba2c41851b06cddc18944343707c56bcdb798ad Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 11:13:29 +0100 Subject: [PATCH 151/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 ++++++++ defaults/main.yml | 3 +++ 2 files changed, 11 insertions(+) diff --git a/Changelog.md b/Changelog.md index 90329ca4..0ac90177 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 0.4 + +- RockyLinux now supported +- workflow updates +- selinux regexp improvements +- warning summary now at end of play +- advanced auditd options to exclude users in POST section + ## 0.3 - update to auditd template diff --git a/defaults/main.yml b/defaults/main.yml index 870f0701..c605f920 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -505,6 +505,9 @@ rhel9cis_max_log_file_size: 10 ### 4.1.3.x audit template update_audit_template: false +## Advanced option found in auditd post +allow_auditd_uid_user_exclusions: false + ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 From ab698c07771668c729a84e27cbe4ade76ee41031 Mon Sep 17 00:00:00 2001 
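Review bot: `allow_auditd_uid_user_exclusions: false` is added, but the list it gates, `rhel9cis_auditd_uid_exclude`, gets no default here although tasks/auditd.yml now tests `rhel9cis_auditd_uid_exclude | length > 0` — unless it is defined elsewhere, enabling the option fails on an undefined variable. Add `rhel9cis_auditd_uid_exclude: []` beneath the flag and document the trade-off, e.g. `## UIDs whose user-space audit messages are suppressed; this weakens the 4.1.x audit trail, leave empty unless required`. A comment naming the consumer (`tasks/auditd.yml`) would also help, since defaults/main.yml is where most users will look.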
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 11:34:13 +0100 Subject: [PATCH 152/454] fixed ansible test connect delay --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 8a9805c8..f30c2634 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m ping -e retries=20 -e delay=20 + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=120 delay=10 timeout=10 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 11132b7a4a532a8c66a02697c68aa7eb18d77561 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 11:34:35 +0100 Subject: [PATCH 153/454] updated ansible test connect Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 8a9805c8..f30c2634 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m ping -e retries=20 -e delay=20 + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=120 delay=10 timeout=10 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 3746686927370e50addf807400b00fdc81e9ac85 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 11:50:10 +0100 Subject: [PATCH 154/454] updated timeout test connection --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f30c2634..74b38cf8 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=120 delay=10 timeout=10 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=300 delay=10 timeout=10 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 9f00bee0bea76278f17db62977b4165e4ddafebe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 11:50:37 +0100 Subject: [PATCH 155/454] updated to 5min timeout Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f30c2634..74b38cf8 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=120 delay=10 timeout=10 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=300 delay=10 timeout=10 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 35e3a27776442456715bfddd869c4e428ebd3f81 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:04:07 +0100 Subject: [PATCH 156/454] fixed correct value Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 74b38cf8..91ee722b 100644 --- a/.github/workflows/linux_benchmark_testing.yml 
+++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=300 delay=10 timeout=10 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=300 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From f5e9fb96afca76b7eb5ebd790aa97afd80a28e6c Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 12:04:54 +0100 Subject: [PATCH 157/454] fix correct timeout --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 74b38cf8..91ee722b 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=300 delay=10 timeout=10 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=300 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From faf48726f433c281bd3747748845807dd93cd52d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:08:52 +0100 Subject: [PATCH 158/454] extended timeout Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 91ee722b..551630d2 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=300 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=600 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 5985d8948848587b16d77a075acde34201fcbd91 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:31:53 +0100 Subject: [PATCH 159/454] updated ami version Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index f9dc5280..96c19c48 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -1,5 +1,5 @@ #Ami Rocky 85 -ami_id = "ami-0d824d9c499f27c8a" +ami_id = "ami-02881bd671eb4ac61" ami_os = "rhel9" ami_username = "ec2-user" ami_user_home = "/home/ec2-user" From 1c0714b3fb32b3aef232a0297882986a3a1b2332 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:43:32 +0100 Subject: [PATCH 160/454] changed to wait_for module Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 551630d2..631f8ded 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=600 sleep=5" + ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 15a6cf4c3d78b62592d4ac598eafaeaecf4e3075 Mon Sep 17 00:00:00 2001 
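Review bot: `-m wait_for -a "port=22 ..."` does not do what the step name intends: `wait_for` executes on the managed host and, with no `host=`, polls 127.0.0.1:22 there, so Ansible must already have an SSH connection for the wait to run and the step fails exactly when the instance is not yet up (unless hosts.yml sets a local connection, which is not visible here). `wait_for_connection`, which the previous commits used, is the module that waits from the controller: `ansible all -i hosts.yml -m wait_for_connection -a "delay=10 timeout=600"`. If `wait_for` is preferred it needs `host={{ inventory_hostname }}` together with `-c local`.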
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 12:44:25 +0100 Subject: [PATCH 161/454] change to wait_for module --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 91ee722b..03f9d4e7 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=300 sleep=5" + ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=300 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 14b5001f8e22add1cb6bd82640cee20cc8de070d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:49:23 +0100 Subject: [PATCH 162/454] added private key Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 631f8ded..1a5cce16 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" + ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" --private-key=.ssh/github_actions.pem # Run the ansible playbook - name: Run_Ansible_Playbook From 4c287c7db002e9a1182442129867807bd127ab44 Mon Sep 17 00:00:00 2001 
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 12:50:43 +0100 Subject: [PATCH 163/454] added private key options --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 03f9d4e7..45c6777b 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=300 sleep=5" + ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=300 sleep=5" --private-key=.ssh/github_actions.pem # Run the ansible playbook - name: Run_Ansible_Playbook From 363fe9b0c600792d6d68b53d6fa8bc2559f7ea0e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 13:25:40 +0100 Subject: [PATCH 164/454] added user Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 343c887d..0fdfabf6 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" --private-key=.ssh/github_actions.pem + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600 " --private-key=.ssh/github_actions.pem -u ec2-user # Run the ansible playbook From c24f0a3a714a0496bde25c82d9907c65c5f6b7b5 Mon Sep 17 00:00:00 2001 
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 13:27:11 +0100 Subject: [PATCH 165/454] added user --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 45c6777b..0cbc360f 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=300 sleep=5" --private-key=.ssh/github_actions.pem + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user # Run the ansible playbook - name: Run_Ansible_Playbook From 32ce7b569f6a5d8b562fa772cc0bd1effa2ccd7a Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 13:59:10 +0100 Subject: [PATCH 166/454] add debug --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 0cbc360f..6e846f30 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv # Run the ansible playbook - name: Run_Ansible_Playbook From 125566fcf2f1aba9adf43c27176373703f593653 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 15:12:02 +0100 Subject: [PATCH 167/454] added debug 
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 0fdfabf6..6964d190 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600 " --private-key=.ssh/github_actions.pem -u ec2-user + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv # Run the ansible playbook From 15a46f25a82679d3ec900e36bd63f0dbc72918a0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:28:57 +0100 Subject: [PATCH 168/454] added new connection and provate key vars Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 1 + .github/workflows/main.tf | 14 ++++++++++++++ 2 files changed, 15 insertions(+) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 4d40f72a..1bf4f3eb 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -7,6 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" \ No newline at end of file diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 29fd6f30..3019f1b8 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
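Review bot: `-vvv` left in the committed workflow writes the full SSH invocation (`-i .ssh/github_actions.pem`, `-o User=ec2-user`, target IPs, ControlPath) and every module argument into the Actions log on every run, which is more than a CI log should carry once the connection problem is understood. Gate it on the job's existing debug switch rather than hardcoding it, e.g. `${{ env.ENABLE_DEBUG == 'true' && '-vvv' || '' }}`, or drop it before merge. The duplicate commit that adds it on the sibling branch has the same issue.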
@@ -59,6 +59,20 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } + # SSH into instance - will ensure server is up before next step in workflows + connection { + # Host name + host = self.public_ip + # The default username for our AMI + user = var.ami_username + # Private key for connection + private_key = "${file(var.private_key)}" + # Type of connection + type = "ssh" + } + provisioner "remote-exec" { + inline = [ "echo hello_world"] + } } // generate inventory file From 78116ee73840fa9ad42258430a3e0fd88b9aab5a Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 16:30:45 +0100 Subject: [PATCH 169/454] added new ssh connection --- .github/workflows/main.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 29fd6f30..4123d046 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -59,6 +59,20 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } + # SSH into instance - will ensure server is up before next step in workflows + connection { + # Host name + host = self.public_ip + # The default username for our AMI + user = var.ami_username + # Private key for connection + private_key = "${file(var.private_key)}" + # Type of connection + type = "ssh" + } + provisioner "remote-exec" { + inline = [ "echo hello_world"] + } } // generate inventory file From d99ab69928c60987f6f0961632dcb3ac55f40fae Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 16:31:16 +0100 Subject: [PATCH 170/454] Added private key var --- .github/workflows/github_vars.tfvars | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 4d40f72a..59d5d141 100644 --- a/.github/workflows/github_vars.tfvars 
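Review bot: The `connection` block sets no `host_key`, so Terraform's SSH provisioner accepts whatever host key the instance at `self.public_ip` presents; for a throwaway test VM that is usually an accepted risk, but it should be stated rather than left implicit, e.g. `# host key is not verified (no host_key set); acceptable only for this ephemeral test instance`. `private_key = "${file(var.private_key)}"` uses legacy interpolation that `terraform validate` warns about — write `private_key = file(var.private_key)`. The `remote-exec` with a single `echo` is fine as a readiness gate; a comment saying it exists only to block until SSH answers would save the next reader wondering what `hello_world` is for.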
+++ b/.github/workflows/github_vars.tfvars @@ -7,6 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" \ No newline at end of file +private_subnets = "172.22.0.192/26" From 8178261ea7ec84ff6d5ad3a21275965801aab548 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 16:32:11 +0100 Subject: [PATCH 171/454] added private key var --- .github/workflows/variables.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 58544fc9..752ee881 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -22,6 +22,11 @@ variable "ami_key_pair_name" { type = string } +variable "private_key" { + description = "path to private key for ssh" + type = string +} + variable "ami_os" { description = "AMI OS Type" type = string @@ -62,4 +67,4 @@ variable "public_subnets" { variable "private_subnets" { description = "private subnet cidr block" type = string -} \ No newline at end of file +} From f93f584f40f40c4087716dcae1a724b72a53dafd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:32:34 +0100 Subject: [PATCH 172/454] added private_key Signed-off-by: Mark Bolwell --- .github/workflows/variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 58544fc9..d3ddbf8d 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -22,6 +22,11 @@ variable "ami_key_pair_name" { type = string } +variable "private_key" { + description = "path to private key for ssh" + type = string +} + variable "ami_os" { description = "AMI OS Type" type = string 
From dbd3ab706de5bbe55d186665a28b18066e7db2cd Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 16:39:06 +0100 Subject: [PATCH 173/454] updated remote-exec --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 4123d046..ea3af845 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { type = "ssh" } provisioner "remote-exec" { - inline = [ "echo hello_world"] + command = "echo 'hello world'" } } From 80d0deb80dd2f2ba6b475cae3a801c2a867e0061 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:40:12 +0100 Subject: [PATCH 174/454] updated local-exec Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 3019f1b8..50394807 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { type = "ssh" } provisioner "remote-exec" { - inline = [ "echo hello_world"] + command = "echo 'hello_world'" } } From b1daec8c244f36ddff60abd4b223699d1ef46585 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 16:47:53 +0100 Subject: [PATCH 175/454] updated remote-exec --- .github/workflows/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index ea3af845..59fcc52d 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,9 @@ resource "aws_instance" "testing_vm" { type = "ssh" } provisioner "remote-exec" { - command = "echo 'hello world'" + inline = [ + "echo 'hello_world'", + ] } } From 0c9a88ea1a7cc8edfe012a054b40fac82d821fd7 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 26 Jul 2022 16:51:36 +0100 Subject: [PATCH 176/454] updated remote-exec Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 50394807..5a7751a7 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,9 @@ resource "aws_instance" "testing_vm" { type = "ssh" } provisioner "remote-exec" { - command = "echo 'hello_world'" + inline = [ + "echo 'hello_world'", + ] } } From 5a2da89394327ba55d84e2a8b2c03108e6a62c16 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 17:17:36 +0100 Subject: [PATCH 177/454] quoted private_key --- .github/workflows/github_vars.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 59d5d141..c3ac76bf 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -7,7 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" -private_key = ".ssh/github_actions.pem" +private_key = "'.ssh/github_actions.pem'" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" From 78c5e4661f1f9ed7ca44f0440e64ef21268cde1f Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 17:20:20 +0100 Subject: [PATCH 178/454] hardcode private_key path --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 59fcc52d..adfaea0a 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
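Review bot: `private_key = "'.ssh/github_actions.pem'"` makes the single quotes part of the value in HCL, so `file(var.private_key)` looks for a path beginning with `'` and fails; the following commits work around it by hardcoding the path in main.tf, which leaves this variable dead rather than fixing it. Restore `private_key = ".ssh/github_actions.pem"` and keep `file(var.private_key)` in the connection block. Separately, a PEM under `.github/workflows/.ssh/` should be materialised from a repository secret at run time and never committed — the step that creates it is not visible here, so please confirm it is also excluded by .gitignore.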
@@ -66,7 +66,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = "${file(var.private_key)}" + private_key = "${file(.ssh/github_actions.pem)}" # Type of connection type = "ssh" } From 08bb6b553fce203db7e616b6ae09ec176516fa99 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 17:27:57 +0100 Subject: [PATCH 179/454] try private_key path again --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index adfaea0a..b284d24e 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -66,7 +66,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = "${file(.ssh/github_actions.pem)}" + private_key = file(".ssh/github_actions.pem") # Type of connection type = "ssh" } From df2d812e6a15a5330198cd77a57fbc2019ea040e Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 26 Jul 2022 17:31:02 +0100 Subject: [PATCH 180/454] added debug --- .github/workflows/linux_benchmark_testing.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 6e846f30..08b0217a 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest env: - ENABLE_DEBUG: false + ENABLE_DEBUG: true # Steps represent a sequence of tasks that will be executed as part of the job steps: 
@@ -67,7 +67,12 @@ jobs: - name: Terraform_Validate working-directory: .github/workflows run: terraform validate - + + - name: validate path contents + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: pwd && ls -laR + - name: Terraform_Apply working-directory: .github/workflows env: From 02c0c64cf8225be09ab2e29e7ec6563bcd499426 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:32:58 +0100 Subject: [PATCH 181/454] added debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 6964d190..70fabc63 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest env: - ENABLE_DEBUG: false + ENABLE_DEBUG: true # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -68,6 +68,11 @@ jobs: working-directory: .github/workflows run: terraform validate + - name: Validate path contents + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: pwd && ls -laR + - name: Terraform_Apply working-directory: .github/workflows env: From 1a8861e4fdbb11bf4875e4da4853abbdc5fad4aa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:37:17 +0100 Subject: [PATCH 182/454] updated path Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 59d5d141..c3ac76bf 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars 
@@ -7,7 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" -private_key = ".ssh/github_actions.pem" +private_key = "'.ssh/github_actions.pem'" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" From 5c0bc4137a37ada4e0eb518253f3eb10fdd2f0ac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:38:39 +0100 Subject: [PATCH 183/454] fix merge error Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 9496bd29..a4a83ac7 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,10 +93,6 @@ jobs: id: test_os run: >- ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv -<<<<<<< HEAD - -======= ->>>>>>> df2d812e6a15a5330198cd77a57fbc2019ea040e # Run the ansible playbook - name: Run_Ansible_Playbook From 0c6feb1b67dc88825c6dddb8b97bc0321f3a518b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:54:28 +0100 Subject: [PATCH 184/454] added local file option Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 5a7751a7..985aa8a4 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -3,6 +3,11 @@ provider "aws" { region = var.aws_region } +// Read local file not created via terraform +data "local_file" "github_actions" { + filename = "${path.module}/${var.private_key}" +} + // Create a security group with access to port 22 and port 80 open to serve HTTP traffic data "aws_vpc" "default" { 
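Review bot: `data "local_file" "github_actions"` reads the SSH private key into a data source, and Terraform persists data source results in the state file, so the key content ends up in state and in any plan or state output derived from it. That is tolerable only while the state never leaves the short-lived runner; with a remote backend or an uploaded artefact it becomes a stored copy of the key. Reading the file at the point of use, `private_key = file("${path.module}/${var.private_key}")` inside the `connection` block, avoids creating a state object whose attribute is the key material. Patch 187 introduces the identical data source.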
@@ -66,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = "${file(var.private_key)}" + private_key = data.local_file.github_actions # Type of connection type = "ssh" } From 5e93716ecb0230f44a4690573ee4d1e66b49b0db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:54:56 +0100 Subject: [PATCH 185/454] revert Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index c3ac76bf..59d5d141 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -7,7 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" -private_key = "'.ssh/github_actions.pem'" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" From 5a81497a263b6fc495fc8b4bc05760d2df22f135 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 10:08:27 +0100 Subject: [PATCH 186/454] added content to object Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 985aa8a4..81e1e983 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = data.local_file.github_actions + private_key = data.local_file.github_actions.content # Type of connection type = "ssh" } From b3cf41af6ff76dffdf797ade06eee838b56b6492 Mon Sep 17 00:00:00 2001 
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:30:09 +0100 Subject: [PATCH 187/454] changed to local file lookup --- .github/workflows/main.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index b284d24e..555f23d1 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -3,6 +3,11 @@ provider "aws" { region = var.aws_region } +// Read local file not created via terraform +data "local_file" "github_actions" { + filename = "${path.module}/${var.private_key}" +} + // Create a security group with access to port 22 and port 80 open to serve HTTP traffic data "aws_vpc" "default" { @@ -66,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = file(".ssh/github_actions.pem") + private_key = data.local_file.github_actions.content # Type of connection type = "ssh" } From a8488de4d9af007af43c51505042328c959611fc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 11:40:20 +0100 Subject: [PATCH 188/454] updated lint Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 81e1e983..d322cda6 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -101,4 +101,3 @@ resource "local_file" "inventory" { audit_git_version: devel EOF } - From d050db7fa9916c73a27b1bc006e62c489a6a053d Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:45:08 +0100 Subject: [PATCH 189/454] sync main.tf --- .github/workflows/main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 555f23d1..d322cda6 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
@@ -64,7 +64,7 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } - # SSH into instance - will ensure server is up before next step in workflows + # SSH into instance - will ensure server is up before next step in workflows connection { # Host name host = self.public_ip @@ -101,4 +101,3 @@ resource "local_file" "inventory" { audit_git_version: devel EOF } - From a83d96f4d4002af2eaa2cde9dedd64f337ffaff1 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:58:36 +0100 Subject: [PATCH 190/454] changed private key path --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index d322cda6..77966d9f 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = data.local_file.github_actions.content + private_key = file("${path.module}/.ssh/github_actions.pem") # Type of connection type = "ssh" } From f15f8c921c74960a49ee1c843b6c3a860abb0152 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 15:43:26 +0100 Subject: [PATCH 191/454] removed audit template handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index d9838403..8c3c79c0 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -74,16 +74,6 @@ args: warn: false -- name: update auditd - template: - src: audit/99_auditd.rules.j2 - dest: /etc/audit/rules.d/99_auditd.rules - owner: root - group: root - mode: 0600 - register: auditd_template_update - notify: restart auditd - - name: restart auditd shell: service auditd restart args: From a5d62ea30ab8fcdd044fc2cdab1f779b379f3a8a Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 27 Jul 2022 15:47:26 +0100 Subject: [PATCH 192/454] added a test key output Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index a4a83ac7..41497680 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -58,6 +58,7 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem + file .ssh/github_actions.pem && cat .ssh/github_actions.pem ### Build out the server - name: Terraform_Init From d0023ce6611fa1836b6d5ea458474e79a3656158 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 16:32:55 +0100 Subject: [PATCH 193/454] turned off debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 41497680..b35264f7 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest env: - ENABLE_DEBUG: true + ENABLE_DEBUG: false # Steps represent a sequence of tasks that will be executed as part of the job steps: From bffb3d2dc6bb439987d77a26c910649cb24fc4ac Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 27 Jul 2022 16:49:06 +0100 Subject: [PATCH 194/454] aligned with new process removed debug --- .github/workflows/linux_benchmark_testing.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 08b0217a..b35264f7 100644 --- a/.github/workflows/linux_benchmark_testing.yml 
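Review bot: The added `file .ssh/github_actions.pem && cat .ssh/github_actions.pem` writes the SSH private key into the job log, which is retained and readable by anyone who can view the workflow run; the runner's secret masking should not be relied on to redact it, because the file no longer holds the secret verbatim. The context line `echo $PRIVATE_KEY > .ssh/github_actions.pem` expands the secret unquoted, so word splitting flattens the PEM's line breaks into spaces, which is probably why later steps cannot use the key. Quote the expansion, `echo "$PRIVATE_KEY" > .ssh/github_actions.pem`, and replace the `cat` with a check that prints no key material, e.g. `ssh-keygen -l -f .ssh/github_actions.pem`. Any run that has already executed this step should be treated as having exposed the key; patch 194 re-adds the same line, and the enclosing `run: |` block begins outside the hunk.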
+++ b/.github/workflows/linux_benchmark_testing.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest env: - ENABLE_DEBUG: true + ENABLE_DEBUG: false # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -58,6 +58,7 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem + file .ssh/github_actions.pem && cat .ssh/github_actions.pem ### Build out the server - name: Terraform_Init @@ -67,12 +68,12 @@ jobs: - name: Terraform_Validate working-directory: .github/workflows run: terraform validate - - - name: validate path contents + + - name: Validate path contents if: env.ENABLE_DEBUG == 'true' working-directory: .github/workflows run: pwd && ls -laR - + - name: Terraform_Apply working-directory: .github/workflows env: From 9d91c2cba2b0c211a048aa8ef8bc9b377a56db60 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 27 Jul 2022 16:50:17 +0100 Subject: [PATCH 195/454] alignment --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 77966d9f..d322cda6 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = file("${path.module}/.ssh/github_actions.pem") + private_key = data.local_file.github_actions.content # Type of connection type = "ssh" } From 340da3ef226e07e8c18efbdbf73258d674a557bb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 16:57:13 +0100 Subject: [PATCH 196/454] removed excess line Signed-off-by: Mark Bolwell --- site.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/site.yml b/site.yml index 379549f7..4446d3ed 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,6 @@ --- - hosts: all become: true - roles: - role: "{{ playbook_dir }}" 
From dbf5484f73bd7f38e9a24e8cea7c1e3a39a850e6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 28 Jul 2022 17:18:56 +0100 Subject: [PATCH 197/454] reverted settings Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 1 - .github/workflows/main.tf | 21 ------------------- 2 files changed, 22 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index b35264f7..fcaa943d 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -58,7 +58,6 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem - file .ssh/github_actions.pem && cat .ssh/github_actions.pem ### Build out the server - name: Terraform_Init diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index d322cda6..b231d2ae 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -3,11 +3,6 @@ provider "aws" { region = var.aws_region } -// Read local file not created via terraform -data "local_file" "github_actions" { - filename = "${path.module}/${var.private_key}" -} - // Create a security group with access to port 22 and port 80 open to serve HTTP traffic data "aws_vpc" "default" { @@ -64,22 +59,6 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } - # SSH into instance - will ensure server is up before next step in workflows - connection { - # Host name - host = self.public_ip - # The default username for our AMI - user = var.ami_username - # Private key for connection - private_key = data.local_file.github_actions.content - # Type of connection - type = "ssh" - } - provisioner "remote-exec" { - inline = [ - "echo 'hello_world'", - ] - } } // generate inventory file From 0c3c26e11b4fd169362d0738c2d07e42ace7da3b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 28 Jul 2022 17:19:46 +0100 Subject: [PATCH 198/454] removed system check 
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index fcaa943d..f116ee84 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -86,14 +86,6 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Ensure system is up for connections before continuing - - - name: Check system is up and running - working-directory: .github/workflows - id: test_os - run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv - # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From 0747cc978ab7259283d91bc29712f7b8989d1b27 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Thu, 28 Jul 2022 21:14:07 +0100 Subject: [PATCH 199/454] Update linux_benchmark_testing.yml turned off ready check --- .github/workflows/linux_benchmark_testing.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index b35264f7..5f9f17f9 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -89,11 +89,11 @@ jobs: # Ensure system is up for connections before continuing - - name: Check system is up and running - working-directory: .github/workflows - id: test_os - run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv + # - name: Check system is up and running + # working-directory: .github/workflows + # id: test_os + # run: >- + # ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv # Run the ansible playbook - name: Run_Ansible_Playbook From 4e2fd296b68ada8da4de7182e8040522d45ca135 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 09:50:06 +0100 Subject: [PATCH 200/454] Changed way key is loaded --- .github/workflows/linux_benchmark_testing.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 5f9f17f9..175b3e61 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -89,11 +89,12 @@ jobs: # Ensure system is up for connections before continuing - # - name: Check system is up and running - # working-directory: .github/workflows - # id: test_os - # run: >- - # ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv + - name: Check system is up and running + working-directory: .github/workflows + env: + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + id: test_os + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") # Run the ansible playbook - name: Run_Ansible_Playbook From a2945a6d3ad9fccfb3e2dcfa9193279f685f5d43 Mon Sep 17 00:00:00 2001 
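Review bot: `-e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}'` feeds the key body into a variable Ansible uses as a file path, so the connection would try to open a file named after the PEM text instead of using the key. It also puts the key material on the `ansible` command line, where it is visible to other processes on the runner and in verbose output. The key file written earlier in the job is already given with `--private-key=.ssh/github_actions.pem`, so the extra var and the step-level `PRIVATE_KEY` env can both be dropped. Patches 204 and 205 remove `--private-key` and leave the lookup as the only key source, which makes the same defect fatal for the step.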
From: Mark Bolwell Date: Fri, 29 Jul 2022 09:50:39 +0100 Subject: [PATCH 201/454] changed way key is loaded Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f116ee84..6adb2c14 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -86,6 +86,16 @@ jobs: working-directory: .github/workflows run: cat hosts.yml +# Ensure system is up for connections before continuing + + - name: Check system is up and running + working-directory: .github/workflows + env: + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + id: test_os + run: >- + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From 4f325c435d9fab2a2dd13c586ecade372d1bba03 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 09:57:08 +0100 Subject: [PATCH 202/454] fix darn typo --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 175b3e61..594783d7 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -94,7 +94,7 @@ jobs: env: PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From a74f8ee3be95a5bfab87bf8e84af017cbae8831d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 09:57:39 +0100 Subject: [PATCH 203/454] changed spacing Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 6adb2c14..e6154f73 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,8 +93,7 @@ jobs: env: PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" id: test_os - run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From 07710c09b7f51f4f4c5dae9918c16d9722bb244c Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 10:01:54 +0100 Subject: [PATCH 204/454] testing --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 594783d7..6d9e11a2 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -94,7 +94,7 @@ jobs: env: PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From d87812bab459a03c64db24e0cc9018fbef06da8f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:02:17 +0100 Subject: [PATCH 205/454] testing Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index e6154f73..d133652e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,7 +93,7 @@ jobs: env: PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From d6f60ffba406b1d597ab9aad9e8a05c951ec96db Mon Sep 17 00:00:00 2001 
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 10:04:49 +0100 Subject: [PATCH 206/454] testing --- .github/workflows/linux_benchmark_testing.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 6d9e11a2..f745e77a 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -89,12 +89,12 @@ jobs: # Ensure system is up for connections before continuing - - name: Check system is up and running - working-directory: .github/workflows - env: - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' +# - name: Check system is up and running +# working-directory: .github/workflows +# env: +# PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" +# id: test_os +# run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From 54aa47c9313c8210cba0f1d988f3ccbc699edc91 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:05:27 +0100 Subject: [PATCH 207/454] testing Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index d133652e..4a6a742f 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -88,12 +88,12 @@ jobs: # Ensure system is up for connections before continuing - - name: Check system is up and running - working-directory: .github/workflows - env: - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + # - name: Check system is up and running + # working-directory: .github/workflows + # env: + # PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + # id: test_os + # run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From 6171400d1705eca8fd3bf314ca0d11b3727dcda3 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 10:21:16 +0100 Subject: [PATCH 208/454] revert --- .github/workflows/main.tf | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index d322cda6..b231d2ae 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -3,11 +3,6 @@ provider "aws" { region = var.aws_region } -// Read local file not created via terraform -data "local_file" "github_actions" { - filename = "${path.module}/${var.private_key}" -} - // Create a security group with access to port 22 and port 80 open to serve HTTP traffic data "aws_vpc" "default" { 
@@ -64,22 +59,6 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } - # SSH into instance - will ensure server is up before next step in workflows - connection { - # Host name - host = self.public_ip - # The default username for our AMI - user = var.ami_username - # Private key for connection - private_key = data.local_file.github_actions.content - # Type of connection - type = "ssh" - } - provisioner "remote-exec" { - inline = [ - "echo 'hello_world'", - ] - } } // generate inventory file From 7fed2bcbc9bdad1fd6cc265fa161bab7bd316d53 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 10:22:08 +0100 Subject: [PATCH 209/454] revert --- .github/workflows/linux_benchmark_testing.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f745e77a..3c4cf3f5 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -58,7 +58,6 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem - file .ssh/github_actions.pem && cat .ssh/github_actions.pem ### Build out the server - name: Terraform_Init @@ -69,11 +68,6 @@ jobs: working-directory: .github/workflows run: terraform validate - - name: Validate path contents - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: pwd && ls -laR - - name: Terraform_Apply working-directory: .github/workflows env: 
@@ -87,14 +81,20 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Ensure system is up for connections before continuing +# Centos 7 images take a while to come up insert sleep or playbook fails -# - name: Check system is up and running -# working-directory: .github/workflows -# env: -# PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" -# id: test_os -# run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + - name: Check if test os is rhel7 + working-directory: .github/workflows + id: test_os + run: >- + echo "::set-output name=RHEL7::$( + grep -c RHEL7 OS.tfvars + )" + + - name: if RHEL7 - Sleep for 60 seconds + if: steps.test_os.outputs.RHEL7 >= 1 + run: sleep 60s + shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook From 6bce83d2a14c3f4386d1bfc0b48386ddcc946300 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:23:01 +0100 Subject: [PATCH 210/454] revert Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 27 ++++++++++--------- .github/workflows/main.tf | 2 +- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 4a6a742f..5c8da2bd 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -68,11 +68,6 @@ jobs: working-directory: .github/workflows run: terraform validate - - name: Validate path contents - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: pwd && ls -laR - - name: Terraform_Apply working-directory: .github/workflows env: 
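Review bot: `echo "::set-output name=RHEL7::$( grep -c RHEL7 OS.tfvars )"` uses the `set-output` workflow command, which GitHub has since deprecated in favour of writing to the `$GITHUB_OUTPUT` file; `echo "RHEL7=$(grep -c RHEL7 OS.tfvars)" >> "$GITHUB_OUTPUT"` populates the same `steps.test_os.outputs.RHEL7`. The fixed `sleep 60s` also replaces the removed `wait_for` readiness check with a guess, so an instance that boots slowly is still handed to the playbook before sshd answers. A bounded readiness probe such as `ansible all -i hosts.yml -m wait_for_connection -a "delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user` fails fast with a clear error instead. Patch 210 adds the same two steps to this file.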
@@ -86,14 +81,20 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Ensure system is up for connections before continuing +# Centos 7 images take a while to come up insert sleep or playbook fails + + - name: Check if test os is rhel7 + working-directory: .github/workflows + id: test_os + run: >- + echo "::set-output name=RHEL7::$( + grep -c RHEL7 OS.tfvars + )" - # - name: Check system is up and running - # working-directory: .github/workflows - # env: - # PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - # id: test_os - # run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + - name: if RHEL7 - Sleep for 60 seconds + if: steps.test_os.outputs.RHEL7 >= 1 + run: sleep 60s + shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook @@ -116,4 +117,4 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false \ No newline at end of file diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index b231d2ae..3c3954f2 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,4 +79,4 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel EOF -} +} \ No newline at end of file From 3ae56ddd232fa83527b8d893db73492b41077680 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 10:45:52 +0100 Subject: [PATCH 211/454] updated image name --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 5baddfc5..96c19c48 100644 --- a/.github/workflows/OS.tfvars 
+++ b/.github/workflows/OS.tfvars
@@ -1,5 +1,5 @@
 #Ami Rocky 85
-ami_id = "ami-0c41531b8d18cc72b"
+ami_id = "ami-02881bd671eb4ac61"
 ami_os = "rhel9"
 ami_username = "ec2-user"
 ami_user_home = "/home/ec2-user"
From 5f4b38a8b3af425925e6c6e1776a6bf9106f814f Mon Sep 17 00:00:00 2001
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com>
Date: Fri, 29 Jul 2022 10:47:05 +0100
Subject: [PATCH 212/454] updated comment
---
 .github/workflows/OS.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
index 96c19c48..a5e2fda3 100644
--- a/.github/workflows/OS.tfvars
+++ b/.github/workflows/OS.tfvars
@@ -1,4 +1,4 @@
-#Ami Rocky 85
+#Ami Alma 9
 ami_id = "ami-02881bd671eb4ac61"
 ami_os = "rhel9"
 ami_username = "ec2-user"
From bb1c167922ec4d4cee10de7e4f13f47984720b9c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 29 Jul 2022 10:47:25 +0100
Subject: [PATCH 213/454] updated comment
Signed-off-by: Mark Bolwell
---
 .github/workflows/OS.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
index 96c19c48..a5e2fda3 100644
--- a/.github/workflows/OS.tfvars
+++ b/.github/workflows/OS.tfvars
@@ -1,4 +1,4 @@
-#Ami Rocky 85
+#Ami Alma 9
 ami_id = "ami-02881bd671eb4ac61"
 ami_os = "rhel9"
 ami_username = "ec2-user"
From 4f68cf1f92f0d1dc41b2fc3e3c5ac580430eb118 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 29 Jul 2022 11:16:00 +0100
Subject: [PATCH 214/454] sleep 60 anyway
Signed-off-by: Mark Bolwell
---
 .github/workflows/linux_benchmark_testing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
index 5c8da2bd..9f96e843 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -92,7 +92,7 @@ jobs: )" - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 + #if: steps.test_os.outputs.RHEL7 >= 1 run: sleep 60s shell: bash From f76919734eb155cbfc2b6e5b68c5a84dd71f631a Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Fri, 29 Jul 2022 11:16:31 +0100 Subject: [PATCH 215/454] sleep anyway --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 3c4cf3f5..f802b4cf 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -92,7 +92,7 @@ jobs: )" - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 + #if: steps.test_os.outputs.RHEL7 >= 1 run: sleep 60s shell: bash From 084e6c67601a96aede12d15032e07d4880762854 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 17:08:38 +0100 Subject: [PATCH 216/454] moved some controls to handlers Signed-off-by: Mark Bolwell --- handlers/main.yml | 40 +++++++++++++++++++++++++++------------- tasks/auditd.yml | 21 ++++----------------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 8c3c79c0..9264a429 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -74,18 +74,6 @@ args: warn: false -- name: restart auditd - shell: service auditd restart - args: - warn: false - when: - - audit_rules_updated.changed or - rule_4_1_2_1.changed or - rule_4_1_2_2.changed or - rule_4_1_2_3.changed - tags: - - skip_ansible_lint - - name: grub2cfg shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: 
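Review bot: Commenting out the `if:` leaves the `Check if test os is rhel7` step and its `test_os` output with no consumer, and the step name `if RHEL7 - Sleep for 60 seconds` now describes a condition that no longer applies; the same edit is repeated in the PATCH 215 hunk. Either drop the check step and rename this one (for example `- name: Wait for instance to finish booting`) or keep the condition and widen it deliberately. A commented-out key inside a step is easy to misread as active; deleting the line is clearer than leaving `#if:` in place.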
@@ -114,6 +102,32 @@ systemd: daemon-reload: true +## Auditd tasks note order for handlers to run + +- name: auditd_immutable_check + shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + changed_when: false + register: auditd_immutable_check + +- name: audit_immutable_fact + debug: + msg: "Reboot required for auditd to apply new rules as immutable set" + notify: change_requires_reboot + when: + - auditd_immutable_check.stdout == '1' + +- name: restart auditd + shell: service auditd restart + args: + warn: false + when: + - audit_rules_updated.changed or + rule_4_1_2_1.changed or + rule_4_1_2_2.changed or + rule_4_1_2_3.changed + tags: + - skip_ansible_lint + - name: change_requires_reboot set_fact: - change_requires_reboot: true + change_requires_reboot: true \ No newline at end of file diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 837c7e12..9c5a14e5 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -6,7 +6,10 @@ group: root mode: 0600 register: audit_rules_updated - notify: restart auditd + notify: + - auditd_immutable_check + - audit_immutable_fact + - restart auditd - name: POST | Set up auditd user logging exceptions template: @@ -19,19 +22,3 @@ when: - allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 - -- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable - block: - - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied - shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules - changed_when: false - register: auditd_immutable_check - - - name: POST | AUDITD | Set reboot required if auditd immutable - debug: - msg: "Reboot required for auditd to apply new rules as immutable set" - notify: change_requires_reboot - when: - - auditd_immutable_check.stdout == '1' - when: - - audit_rules_updated.changed \ No newline at end of file From c0ece7f57f31f45bb2085ba4b17145ffce458c81 Mon Sep 17 00:00:00 2001 
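Review bot: The new `auditd_immutable_check` handler runs `grep -c "^-e 2" ...` through `shell` with no `failed_when`, and grep exits 1 when the count is 0, so on any host where the immutable flag is not set the handler fails the play instead of reporting `0` (the block removed from tasks/auditd.yml ran the same command, but only under `audit_rules_updated.changed`). Add `failed_when: auditd_immutable_check.rc > 1` to that handler so only a real grep error is fatal. The `restart auditd` handler's `when:` reads `rule_4_1_2_1.changed` through `rule_4_1_2_3.changed`, which are presumably registered only when those rules run, so a run with any of them skipped may stop on an undefined variable; `(rule_4_1_2_1 | default({})).changed` or an `is defined` guard would be safer. The order comment is worth keeping, since `audit_immutable_fact` notifies `change_requires_reboot`, which must be defined later in this file for the notification to take effect in the same flush.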
From: Mark Bolwell Date: Fri, 29 Jul 2022 18:27:24 +0100 Subject: [PATCH 217/454] fix warn consistent missing ' Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 672316c5..494176d2 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -78,12 +78,12 @@ - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" debug: - msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" set_fact: - control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]" + control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" warn_count: "{{ warn_count|int + 1 }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: From b842c47cd28d1a7a8a7eccf43e0e6dd4f6b641e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 18:27:55 +0100 Subject: [PATCH 218/454] line spacing fixed Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 42cd4fb1..25599254 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -18,7 +18,6 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 
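Review bot: The added quote fixes the YAML, but `control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]"` still renders a string that merely looks like a list expression, and relies on Ansible re-evaluating that string into a list afterwards; `control_number: "{{ control_number + ['rule_1.6.1.5'] }}"` keeps the value a real list and removes the unbalanced-quote class of bug entirely. The same pattern is added for `Reboot_required` in the tasks/post.yml hunk of PATCH 219, where the new `set_fact` also repeats the `when:` of the preceding `debug` task and could share a block with it.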
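Review bot: The `@@ -18,7 +18,6 @@` hunk in tasks/section_3/cis_3.3.x.yml removes `when: rhel9cis_ipv6_required` from the 3.3.1 IPv6 message task under a commit titled "line spacing fixed", which is a behavioural change rather than whitespace. If this was a duplicate `when` key being cleaned up, the condition should be folded into the surviving list as `- rhel9cis_ipv6_required` rather than dropped, otherwise the IPv6 message is printed regardless of whether IPv6 is in use; the indentation is not recoverable here, so this is inferred from the hunk text. The later hunks in the same file are blank-line changes, though the context line `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"` is missing its opening quote and would be worth fixing while in the file.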
@@ -82,6 +81,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -100,6 +100,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -155,6 +156,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" From 866eafc5932afcb6851db3275aa1c3f786e21853 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 18:28:17 +0100 Subject: [PATCH 219/454] Added warning to reboot required Signed-off-by: Mark Bolwell --- tasks/post.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tasks/post.yml b/tasks/post.yml index bca18aed..3a8a0ed9 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -44,11 +44,20 @@ - name: POST | Warning a reboot required but skip option set debug: - msg: "Warning! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - change_requires_reboot - skip_reboot + + - name: "POST | Warning a reboot required but skip option set | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'Reboot_required' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - change_requires_reboot + - skip_reboot + tags: - grub - level1-server From 6d350170590db182adc44c817a65d24937897670 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 29 Jul 2022 18:33:00 +0100 Subject: [PATCH 220/454] fix typo Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/modprobe.d/modprobe.conf.j2 | 2 +- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index a453f3b1..3dcc3559 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd {% if allow_auditd_uid_user_exclusions %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 2d270cce..050de20a 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index f9014fad..781fdd40 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 
@@ -1,5 +1,5 @@ # Run AIDE integrity check -# added via ansible-lockdown remediation +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # CIS 1.3.2 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index a4d9d3d8..081bbae6 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -1,6 +1,6 @@ # Disable usage of protocol {{ item }} # Set by ansible {{ benchmark }} remediation role # https://github.com/ansible-lockdown -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! install {{ item }} /bin/true \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index b172b97c..732cbcc0 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 index bf8e8582..8bd01572 100644 --- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {% if rhel9cis_rule_1_5_3 %} diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 4b2dabca..8bafbf9b 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 
+++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv4 Network sysctl {% if rhel9cis_rule_3_2_1 %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index 895f23ee..e85fae98 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 Network sysctl {% if rhel9cis_ipv6_required %} From c697431c0075c6ea1fb2dd7423e9fa1b4047892c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 18:35:54 +0100 Subject: [PATCH 221/454] Aded comments to each control for auditd Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.3.x.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index c05b93cf..40a75176 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,5 +1,6 @@ --- +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" set_fact: update_audit_template: true @@ -13,6 +14,7 @@ - auditd - rule_4.1.3.1 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" set_fact: update_audit_template: true @@ -26,6 +28,7 @@ - auditd - rule_4.1.3.2 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" set_fact: update_audit_template: true 
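Review bot: The same one-line comment is inserted above every 4.1.3.x task (this hunk and the nineteen that follow through 4.1.3.20), which is a lot of repetition for a single fact and twenty places to keep accurate. One comment after the `---` header, for example `# The 4.1.3.x controls only set update_audit_template; the POST audit tasks and handlers write and apply the rules`, says it once. While in this file, the context tag `rule_4.1.3_7` on the 4.1.3.7 task breaks the `rule_4.1.3.N` naming every other task uses, so selecting that control by tag would silently miss it.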
@@ -39,6 +42,7 @@ - auditd - rule_4.1.3.3 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" set_fact: update_audit_template: true @@ -52,6 +56,7 @@ - auditd - rule_4.1.3.4 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" set_fact: update_audit_template: true @@ -65,6 +70,7 @@ - auditd - rule_4.1.3.5 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" @@ -88,6 +94,7 @@ - auditd - rule_4.1.3.6 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" set_fact: update_audit_template: true @@ -101,6 +108,7 @@ - auditd - rule_4.1.3_7 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" set_fact: update_audit_template: true @@ -114,6 +122,7 @@ - auditd - rule_4.1.3.8 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" set_fact: update_audit_template: true @@ -127,6 +136,7 @@ - auditd - rule_4.1.3.9 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" set_fact: update_audit_template: true 
@@ -140,6 +150,7 @@ - auditd - rule_4.1.3.10 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" set_fact: update_audit_template: true @@ -153,6 +164,7 @@ - auditd - rule_4.1.3.11 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" set_fact: update_audit_template: true @@ -166,6 +178,7 @@ - auditd - rule_4.1.3.12 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" set_fact: update_audit_template: true @@ -178,6 +191,7 @@ - patch - rule_4.1.3.13 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" set_fact: update_audit_template: true @@ -191,6 +205,7 @@ - auditd - rule_4.1.3.14 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" set_fact: update_audit_template: true @@ -204,6 +219,7 @@ - auditd - rule_4.1.3.15 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" set_fact: update_audit_template: true @@ -217,6 +233,7 @@ - auditd - rule_4.1.3.16 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" set_fact: update_audit_template: true 
@@ -230,6 +247,7 @@ - auditd - rule_4.1.3.17 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" set_fact: update_audit_template: true @@ -243,6 +261,7 @@ - auditd - rule_4.1.3.18 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" set_fact: update_audit_template: true @@ -256,6 +275,7 @@ - auditd - rule_4.1.3.19 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" set_fact: update_audit_template: true From 9e9cc7c0791a7eebfe3c08aaf94f2300f88a92e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:41:55 +0100 Subject: [PATCH 222/454] updated workflows Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- .github/workflows/github_networks.tf | 46 ++- .github/workflows/github_vars.tfvars | 3 +- .github/workflows/main.tf | 12 +- .github/workflows/terraform.tfstate | 8 - .github/workflows/terraform.tfstate.backup | 370 --------------------- .github/workflows/variables.tf | 5 + 7 files changed, 57 insertions(+), 389 deletions(-) delete mode 100644 .github/workflows/terraform.tfstate delete mode 100644 .github/workflows/terraform.tfstate.backup diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index a5e2fda3..0bfba595 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -5,5 +5,5 @@ ami_username = "ec2-user" ami_user_home = "/home/ec2-user" instance_tags = { Name = "RHEL9-CIS" - Environment = "lockdown_github_repo_workflow" + Environment = "github_test_pipeline" } diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index 4db9025a..e20fb051 100644 --- a/.github/workflows/github_networks.tf 
+++ b/.github/workflows/github_networks.tf @@ -1,11 +1,51 @@ resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - tags = var.instance_tags + cidr_block = var.main_vpc_cidr + instance_tenancy = "default" + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-VPC" + } } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { - Name = "${var.namespace}-IGW" + Environment = "${var.environment}" + Name = "${var.namespace}-IGW" + } +} + +resource "aws_subnet" "publicsubnets" { + vpc_id = aws_vpc.Main.id + cidr_block = var.public_subnets + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-pubsub" + } +} + +resource "aws_subnet" "Main" { + vpc_id = aws_vpc.Main.id + cidr_block = var.private_subnets + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-prvsub" + } +} + +resource "aws_route_table" "PublicRT" { + vpc_id = aws_vpc.Main.id + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.IGW.id + } + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-publicRT" } } + +resource "aws_route_table_association" "rt_associate_public" { + subnet_id = aws_subnet.Main.id + route_table_id = aws_route_table.PublicRT.id +} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index c3ac76bf..2a7e263c 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -3,7 +3,8 @@ // Declared in variables.tf // -namespace = "github_actions" +namespace = "github_actions" +environment = "github_test_pipeline" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index b231d2ae..5bf002ed 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
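Review bot: `aws_route_table_association.rt_associate_public` attaches `PublicRT`, whose only route sends `0.0.0.0/0` to the IGW, to `aws_subnet.Main`, the subnet built from `var.private_subnets` and tagged `-prvsub`, while `aws_subnet.publicsubnets` is left with no route table at all; the names say one thing and the routing does the opposite, and main.tf places the test VM in `aws_subnet.Main`. Either point the association at `subnet_id = aws_subnet.publicsubnets.id` (and the instance with it) or rename `Main` so that anyone reading the security group, which keeps SSH open to `0.0.0.0/0`, can see it is an Internet-facing subnet. `"${var.environment}"` is an interpolation-only string that `terraform fmt` rewrites to `var.environment`, and `instance_tenancy = "default"` restates the provider default.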
@@ -5,9 +5,6 @@ provider "aws" { // Create a security group with access to port 22 and port 80 open to serve HTTP traffic -data "aws_vpc" "default" { - default = true -} resource "random_id" "server" { keepers = { @@ -19,8 +16,8 @@ resource "random_id" "server" { } resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}" - vpc_id = data.aws_vpc.default.id + name = "${var.namespace}-${random_id.server.hex}-SG" + vpc_id = aws_vpc.Main.id ingress { from_port = 22 @@ -43,7 +40,8 @@ resource "aws_security_group" "github_actions" { cidr_blocks = ["0.0.0.0/0"] } tags = { - Name = "${var.namespace}-SG" + Environment = "${var.environment}" + Name = "${var.namespace}-SG" } } @@ -56,6 +54,7 @@ resource "aws_instance" "testing_vm" { instance_type = var.instance_type tags = var.instance_tags vpc_security_group_ids = [aws_security_group.github_actions.id] + subnet_id = aws_subnet.Main.id root_block_device { delete_on_termination = true } @@ -80,3 +79,4 @@ resource "local_file" "inventory" { audit_git_version: devel EOF } + diff --git a/.github/workflows/terraform.tfstate b/.github/workflows/terraform.tfstate deleted file mode 100644 index 6a8982d1..00000000 --- a/.github/workflows/terraform.tfstate +++ /dev/null @@ -1,8 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 15, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [] -} diff --git a/.github/workflows/terraform.tfstate.backup b/.github/workflows/terraform.tfstate.backup deleted file mode 100644 index ffbb4b0a..00000000 --- a/.github/workflows/terraform.tfstate.backup +++ /dev/null 
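Review bot: Moving the instance from the default VPC into `aws_subnet.Main` changes whether it receives a public address: a subnet in a newly created VPC does not map public IPs at launch unless `map_public_ip_on_launch = true` is set on the subnet or `associate_public_ip_address = true` on the instance, and neither appears in this commit, while the inventory written by `local_file.inventory` appears to take `ansible_host` from the instance's public IP (the resource body is outside this hunk). Add `associate_public_ip_address = true` beside the new `subnet_id` line, or set `map_public_ip_on_launch` on the subnet in github_networks.tf, so hosts.yml does not end up with an empty address. The security group hunk keeps port 22 open to `0.0.0.0/0`; that is pre-existing, but narrowing it to the runner's egress address would limit exposure during the sleep before the playbook runs. The deleted terraform.tfstate and .backup held an account id and instance addresses; a `*.tfstate*` entry in .gitignore would keep them from being recommitted, and the history still contains them.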
@@ -1,370 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 7, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [ - { - "mode": "data", - "type": "aws_vpc", - "name": "default", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-05ef27c517862c3b1", - "cidr_block": "172.31.0.0/16", - "cidr_block_associations": [ - { - "association_id": "vpc-cidr-assoc-0a0f361027d9f91f3", - "cidr_block": "172.31.0.0/16", - "state": "associated" - } - ], - "default": true, - "dhcp_options_id": "dopt-c5dfccbe", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "filter": null, - "id": "vpc-05ef27c517862c3b1", - "instance_tenancy": "default", - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "main_route_table_id": "rtb-0a40eb856c7d79f1d", - "owner_id": "817651307868", - "state": null, - "tags": { - "Name": "Default VPC" - } - }, - "sensitive_attributes": [] - } - ] - }, - { - "mode": "managed", - "type": "aws_instance", - "name": "testing_vm", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "ami": "ami-0c41531b8d18cc72b", - "arn": "arn:aws:ec2:us-east-1:817651307868:instance/i-0d997714170ce8898", - "associate_public_ip_address": true, - "availability_zone": "us-east-1a", - "capacity_reservation_specification": [ - { - "capacity_reservation_preference": "open", - "capacity_reservation_target": [] - } - ], - "cpu_core_count": 1, - "cpu_threads_per_core": 2, - "credit_specification": [ - { - "cpu_credits": "unlimited" - } - ], - "disable_api_termination": false, - "ebs_block_device": [], - "ebs_optimized": false, - "enclave_options": [ - { - "enabled": false - } - ], - "ephemeral_block_device": [], - "get_password_data": false, - "hibernation": false, - "host_id": null, - "iam_instance_profile": "", - 
"id": "i-0d997714170ce8898", - "instance_initiated_shutdown_behavior": "stop", - "instance_state": "running", - "instance_type": "t3.micro", - "ipv6_address_count": 0, - "ipv6_addresses": [], - "key_name": "github_actions", - "launch_template": [], - "maintenance_options": [ - { - "auto_recovery": "default" - } - ], - "metadata_options": [ - { - "http_endpoint": "enabled", - "http_put_response_hop_limit": 1, - "http_tokens": "optional", - "instance_metadata_tags": "disabled" - } - ], - "monitoring": false, - "network_interface": [], - "outpost_arn": "", - "password_data": "", - "placement_group": "", - "placement_partition_number": null, - "primary_network_interface_id": "eni-0417127dc77918518", - "private_dns": "ip-172-31-8-170.ec2.internal", - "private_ip": "172.31.8.170", - "public_dns": "ec2-3-238-53-150.compute-1.amazonaws.com", - "public_ip": "3.238.53.150", - "root_block_device": [ - { - "delete_on_termination": true, - "device_name": "/dev/sda1", - "encrypted": false, - "iops": 100, - "kms_key_id": "", - "tags": null, - "throughput": 0, - "volume_id": "vol-0392840b878024a68", - "volume_size": 10, - "volume_type": "gp2" - } - ], - "secondary_private_ips": [], - "security_groups": [ - "github_actions-5eb7d7f8d9c46a1c" - ], - "source_dest_check": true, - "subnet_id": "subnet-0ad8888b9fd53204f", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tenancy": "default", - "timeouts": null, - "user_data": null, - "user_data_base64": null, - "user_data_replace_on_change": false, - "volume_tags": null, - "vpc_security_group_ids": [ - "sg-054e3f94c98fc64f2" - ] - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMCwidXBkYXRlIjo2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==", - "dependencies": [ - 
"aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_internet_gateway", - "name": "IGW", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:internet-gateway/igw-0ef39abda6f14481d", - "id": "igw-0ef39abda6f14481d", - "owner_id": "817651307868", - "tags": { - "Name": "github_actions-IGW" - }, - "tags_all": { - "Name": "github_actions-IGW" - }, - "vpc_id": "vpc-068452c798d98b17f" - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_vpc.Main" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_security_group", - "name": "github_actions", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:security-group/sg-054e3f94c98fc64f2", - "description": "Managed by Terraform", - "egress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 0, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "-1", - "security_groups": [], - "self": false, - "to_port": 0 - } - ], - "id": "sg-054e3f94c98fc64f2", - "ingress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 22, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 22 - }, - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 80, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 80 - } - ], - "name": "github_actions-5eb7d7f8d9c46a1c", - "name_prefix": "", - "owner_id": "817651307868", - "revoke_rules_on_delete": false, - "tags": { - "Name": "github_actions-SG" - }, - "tags_all": { - "Name": "github_actions-SG" - }, - 
"timeouts": null, - "vpc_id": "vpc-05ef27c517862c3b1" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=", - "dependencies": [ - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_vpc", - "name": "Main", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-068452c798d98b17f", - "assign_generated_ipv6_cidr_block": false, - "cidr_block": "172.22.0.0/24", - "default_network_acl_id": "acl-08a831aefd0ff6f65", - "default_route_table_id": "rtb-09ae50e860e80fb1f", - "default_security_group_id": "sg-01ff3ec71f0cd3115", - "dhcp_options_id": "dopt-c5dfccbe", - "enable_classiclink": false, - "enable_classiclink_dns_support": false, - "enable_dns_hostnames": false, - "enable_dns_support": true, - "id": "vpc-068452c798d98b17f", - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "ipv6_cidr_block_network_border_group": "", - "ipv6_ipam_pool_id": "", - "ipv6_netmask_length": 0, - "main_route_table_id": "rtb-09ae50e860e80fb1f", - "owner_id": "817651307868", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - } - }, - "sensitive_attributes": [], - "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" - } - ] - }, - { - "mode": "managed", - "type": "local_file", - "name": "inventory", - "provider": "provider[\"registry.terraform.io/hashicorp/local\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "content": " # benchmark host\n all:\n hosts:\n rhel9:\n ansible_host: 3.238.53.150\n ansible_user: ec2-user\n vars:\n setup_audit: true\n 
run_audit: true\n system_is_ec2: true\n audit_git_version: devel\n", - "content_base64": null, - "directory_permission": "0755", - "file_permission": "0644", - "filename": "./hosts.yml", - "id": "697bfe9ff397a4b5e3f46caf3c48481a3d485375", - "sensitive_content": null, - "source": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_instance.testing_vm", - "aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "random_id", - "name": "server", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "b64_std": "XrfX+NnEahw=", - "b64_url": "XrfX-NnEahw", - "byte_length": 8, - "dec": "6825161224108665372", - "hex": "5eb7d7f8d9c46a1c", - "id": "XrfX-NnEahw", - "keepers": { - "ami_id": "ami-0c41531b8d18cc72b" - }, - "prefix": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==" - } - ] - } - ] -} diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 752ee881..90a1dd4a 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -52,6 +52,11 @@ variable "namespace" { type = string } +variable "environment" { + description = "Env Name used across all tags" + type = string +} + // taken from github_vars.tfvars & variable "main_vpc_cidr" { From 419d00551a31e35c51d009c1dd8e0cb82b3d285a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:48:11 +0100 Subject: [PATCH 223/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index b120eee4..ee9aff41 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -10,6 +10,8 @@ - added more to logrotate 4.3.x - sure to logrotate now a seperate package - grub path now standard to /boot/grub2/grub.cfg - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer +- workflow update +- removed doc update ## 0.1 From 420d432531a6f75d0468e16aa035ce1765971f7d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:50:38 +0100 Subject: [PATCH 224/454] removed old file Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.old | 429 ---------------------------- 1 file changed, 429 deletions(-) delete mode 100644 templates/ansible_vars_goss.yml.old diff --git a/templates/ansible_vars_goss.yml.old b/templates/ansible_vars_goss.yml.old deleted file mode 100644 index f10c74f9..00000000 --- a/templates/ansible_vars_goss.yml.old +++ /dev/null 
@@ -1,429 +0,0 @@ -## metadata for Audit benchmark -benchmark_version: '1.0.1' - -# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS -is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} - -rhel9cis_os_distribution: {{ ansible_distribution | lower }} - -# timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: {{ audit_cmd_timeout }} - -# Taken from LE rhel8-cis -rhel9cis_section1: {{ rhel9cis_section1 }} -rhel9cis_section2: {{ rhel9cis_section2 }} -rhel9cis_section3: {{ rhel9cis_section3 }} -rhel9cis_section4: {{ rhel9cis_section4 }} -rhel9cis_section5: {{ rhel9cis_section5 }} -rhel9cis_section6: {{ rhel9cis_section6 }} - -rhel9cis_level_1: {{ rhel9cis_level_1 }} -rhel9cis_level_2: {{ rhel9cis_level_2 }} - -rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} - - - -# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy -run_heavy_tests: true -{% if rhel9cis_legacy_boot is defined %} -rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} -{% endif %} - - -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} -# These variables correspond with the CIS rule IDs or paragraph numbers defined in -# the CIS benchmark documents. -# PLEASE NOTE: These work in coordination with the section # group variables and tags. -# You must enable an entire section in order for the variables below to take effect. 
-# Section 1 rules -rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} -rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} -rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} -rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} -rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} -rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} -rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} -rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} -rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} -rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} -rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} -rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} -rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} -rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} -rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} -rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} -rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} -rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} -rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} -rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} -rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} -rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} -rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} -rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} -rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} -rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} -rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed -rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} -rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} -rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} -rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} -rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} -rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} -rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} -rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} -rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} -rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} -rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} -rhel9cis_rule_1_5_2: {{ 
rhel9cis_rule_1_5_2 }} -rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} - -rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} -rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} -rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} -rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} -rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} -rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} -rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} -rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} -rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} -rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} -rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} -rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} -rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} -rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} -rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} - - -# section 2 rules -rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} -rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} -rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} -rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} -rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} -rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} -rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }} -rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }} -rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }} -rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }} -rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }} -rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }} -rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }} -rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }} -rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }} -rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }} -rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} -rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} -rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} -rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} -rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} -rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} 
-rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} - - -# Section 3 rules -rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} -rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} -rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} -rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} -rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} -rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} -rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} -rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} -rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} -rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} -rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} -rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} -rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} -rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} -rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} -rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} -rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} -rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} -rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} -rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} -rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} -rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} -rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} -rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} - - -# Section 4 rules -rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} -rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} -rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} -rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} -rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} -rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} -rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} -rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} -rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} -rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} -rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} -rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} -rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} -rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} -rhel9cis_rule_4_1_10: {{ 
rhel9cis_rule_4_1_10 }} -rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} -rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} -rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} -rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} -rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} -rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} -rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} -rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} -rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} -rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} -rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} -rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} -rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} -rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} -rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} -rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} -rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} -rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} - -# Section 5 -rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} -rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} -rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} -rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }} -rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} -rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} -rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} -rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} - -rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} -rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} -rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} -rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }} -rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }} -rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }} -rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }} -rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }} -rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }} -rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }} -rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }} -rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }} -rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }} -rhel9cis_rule_5_2_14: {{ 
rhel9cis_rule_5_2_14 }} -rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }} -rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }} -rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} -rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} -rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} -rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} - -rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} -rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} -rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} - -rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} -rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} -rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} -rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} - -rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} -rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} -rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} -rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} -rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} - -rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} -rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} -rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} -rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} - -rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} -rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} - -# Section 6 -rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} -rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} -rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} -rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }} -rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }} -rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }} -rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }} -rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }} -rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }} -rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }} -rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} -rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} -rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} -rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} - -rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} -rhel9cis_rule_6_2_2: {{ 
rhel9cis_rule_6_2_2 }} -rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} -rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }} -rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }} -rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }} -rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }} -rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }} -rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }} -rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }} -rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }} -rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }} -rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} -rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} -rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} -rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} -rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} -rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} -rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} -rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} - - -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} -rhel9cis_cups_server: {{ rhel9cis_cups_server }} -rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} -rhel9cis_dns_server: {{ rhel9cis_dns_server }} -rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} -rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} -rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} -rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} -rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} -rhel9cis_samba_server: {{ rhel9cis_samba_server }} -rhel9cis_squid_server: {{ rhel9cis_squid_server }} -rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} -rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} -rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} - - -rhel9cis_allow_autofs: {{ 
rhel9cis_allow_autofs }} - -# client services -rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} -rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} -rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} - - - - -# AIDE -rhel9cis_config_aide: {{ rhel9cis_config_aide }} - -# aide setup via - cron, timer -rhel9_aide_scan: cron - -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: {{ rhel9cis_aide_cron.cron_user }} - cron_file: '{{ rhel9cis_aide_cron.cron_file }}' - aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' - aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' - aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' - aide_day: '{{ rhel9cis_aide_cron.aide_day }}' - aide_month: '{{ rhel9cis_aide_cron.aide_month }}' - aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' - -# 1.5.1 Bootloader password -rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} - -# 1.10 crypto -rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} - -# Warning Banner Content (issue, issue.net, motd) -rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} -# End Banner - - -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: {{ rhel9cis_gui }} - -# xinetd required -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} - -# IPv6 required -rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} - -# System network parameters (host only OR host and router) -rhel9cis_is_router: {{ rhel9cis_is_router }} - - -rhel9cis_firewall: {{ rhel9cis_firewall }} -#rhel9cis_firewall: iptables -rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewall_interface: -- enp0s3 -- enp0s8 - -rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - - -### Section 4 -## auditd settings 
-rhel9cis_auditd: - space_left_action: {{ rhel9cis_auditd.space_left_action}} - action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} - admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} - max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} - -## syslog -rhel9_cis_rsyslog: true - -### Section 5 -rhel9cis_sshd_limited: false -#Note the following to understand precedence and layout -rhel9cis_sshd_access: - AllowUser: - AllowGroup: - DenyUser: - DenyGroup: - -rhel9cis_ssh_aliveinterval: "300" -rhel9cis_ssh_countmax: "3" - -rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} - -## PAM -rhel9cis_pam_password: - minlen: {{ rhel9cis_pam_password.minlen }} - minclass: {{ rhel9cis_pam_password.minclass }} -rhel9cis_pam_passwd_retry: "3" -# faillock or tally2 -rhel9cis_accountlock: faillock - -## note this is to skip tests -skip_rhel9cis_pam_passwd_auth: true -skip_rhel9cis_pam_system_auth: true - -# choose one of below -rhel9cis_pwhistory_so: "14" -rhel9cis_unix_so: false -rhel9cis_passwd_remember: "5" - -# logins.def password settings -rhel9cis_pass: - max_days: {{ rhel9cis_pass.max_days }} - min_days: {{ rhel9cis_pass.min_days }} - warn_age: {{ rhel9cis_pass.warn_age }} - -# 5.3.1/5.3.2 Custon authselect profile settings. 
Settings in place now will fail, they are place holders from the control example -rhel9cis_authselect: - custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} - options: {{ rhel9cis_authselect.options }} - -# 5.3.1 Enable automation to creat custom profile settings, using the setings above -rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} - -# 5.3.2 Enable automation to select custom profile options, using the settings above -rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} - -# 5.7 -rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} From f863e97a9201c9f26e6755c390c12e37f7d70cc9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:53:12 +0100 Subject: [PATCH 225/454] change var file order Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f802b4cf..5b2a708a 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -73,7 +73,7 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile 
@@ -117,4 +117,4 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false From d83ee52a986921c2dca2316e4a0c4d9cb6555656 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 12:23:32 +0100 Subject: [PATCH 226/454] added availibility zone Signed-off-by: Mark Bolwell --- .github/workflows/github_networks.tf | 5 +++-- .github/workflows/terraform.tfvars | 9 +++++---- .github/workflows/variables.tf | 6 ++++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index e20fb051..d0dd081e 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf @@ -16,8 +16,9 @@ resource "aws_internet_gateway" "IGW" { } resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets + vpc_id = aws_vpc.Main.id + cidr_block = var.public_subnets + availability_zone = var.availability_zone tags = { Environment = "${var.environment}" Name = "${var.namespace}-pubsub" diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars index 6d98b8bb..d894ec44 100644 --- a/.github/workflows/terraform.tfvars +++ b/.github/workflows/terraform.tfvars @@ -1,5 +1,6 @@ // vars should be loaded by OSname.tfvars -aws_region = "us-east-1" -ami_os = var.ami_os -ami_username = var.ami_username -instance_tags = var.instance_tags +availability_zone = "us-east-1b" +aws_region = "us-east-1" +ami_os = var.ami_os +ami_username = var.ami_username +instance_tags = var.instance_tags diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 90a1dd4a..7e05228b 100644 --- a/.github/workflows/variables.tf 
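Review bot: The new side of terraform.tfvars still carries `ami_os = var.ami_os`, `ami_username = var.ami_username` and `instance_tags = var.instance_tags`, and a .tfvars file may only contain literal values; Terraform rejects `var.` references there with "Variables not allowed". Since a file named terraform.tfvars is auto-loaded from the working directory, this would break the `terraform apply` step unless the job runs from a directory where it is never picked up, which is worth confirming. If the intent (per the `// vars should be loaded by OSname.tfvars` comment) is to defer to OS.tfvars, which the workflow now passes last on the command line, these three lines can simply be dropped, leaving only `availability_zone` and `aws_region`.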
+++ b/.github/workflows/variables.tf @@ -6,6 +6,12 @@ variable "aws_region" { type = string } +variable "availability_zone" { + description = "List of availability zone in the region" + default = "us-east-1b" + type = string +} + variable "instance_type" { description = "EC2 Instance Type" default = "t3.micro" From f247239844390b6dc4ff581b91195ec17146e93c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 12:42:48 +0100 Subject: [PATCH 227/454] added availibility zone to instance Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 5bf002ed..61da17c4 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -49,6 +49,7 @@ resource "aws_security_group" "github_actions" { resource "aws_instance" "testing_vm" { ami = var.ami_id + availability_zone = var.availability_zone associate_public_ip_address = true key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs instance_type = var.instance_type From 2e53bdfef785b76b2c04fb40f827354251195553 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 12:56:45 +0100 Subject: [PATCH 228/454] add avail zone to subnet Signed-off-by: Mark Bolwell --- .github/workflows/github_networks.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index d0dd081e..ba777642 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf @@ -28,6 +28,7 @@ resource "aws_subnet" "publicsubnets" { resource "aws_subnet" "Main" { vpc_id = aws_vpc.Main.id cidr_block = var.private_subnets + availability_zone = var.availability_zone tags = { Environment = "${var.environment}" Name = "${var.namespace}-prvsub" From f45bbd6ee82f15ab32c2804d695618b40ceadaff Mon Sep 17 00:00:00 2001 
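Review bot: The description of the new `availability_zone` variable says "List of availability zone in the region" while its `type` is `string` with a single-AZ default, so the documentation contradicts the schema. Suggest `description = "Single availability zone used for both subnets and the test instance; must belong to aws_region"`. The hard-coded `us-east-1b` default also couples this variable to `aws_region` with nothing checking that the two agree; a `validation` block or deriving the zone from a `data "aws_availability_zones"` lookup would remove that footgun.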
From: Mark Bolwell Date: Tue, 23 Aug 2022 12:21:11 +0100 Subject: [PATCH 229/454] #21 user accts locked during user exec Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 0541f9b6..14b4a509 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -32,7 +32,7 @@ - item.id != "sync" - item.id != "root" - item.id != "nfsnobody" - - min_int_uid | int < item.gid + - item.gid < min_int_uid | int - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: From 4705e361bff2340f390a10685a85df78739a78f0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:21:39 +0100 Subject: [PATCH 230/454] All passwords are expired during hardening #22 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 790e876d..4addbc52 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -117,7 +117,7 @@ - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" command: passwd --expire {{ item }} when: - - rhel9cis_5_6_1_5_user_list | length > 0 + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix with_items: - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" From 2f8f58d4bb0d939329b08e9732a6af6c7a860c11 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:22:46 +0100 Subject: [PATCH 231/454] update Signed-off-by: Mark Bolwell --- Changelog.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog.md b/Changelog.md index 0ac90177..7221083c 100644 --- a/Changelog.md +++ b/Changelog.md 
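Review bot: The corrected condition `item.gid < min_int_uid | int` still compares a group id against the minimum interactive UID; the CIS definition of a system account is by UID, so unless the loop item deliberately stores the uid under `gid`, the field should be `item.uid`. If `item` comes from parsed `/etc/passwd` text the value is a string, and Jinja2 on Python 3 raises on `str < int`, so cast both sides: `- item.uid | int < min_int_uid | int`. The task header and the loop that produces `item` start outside the hunk, so the field name is inferred from context; the leading space in `" /bin/false"` and `" /usr/sbin/nologin"` also looks like a parsing artefact that should be confirmed against the loop source.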
@@ -7,6 +7,9 @@ - selinux regexp improvements - warning summary now at end of play - advanced auditd options to exclude users in POST section +- Issues fixed thanks to fgierlinger + - [#21](https://github.com/ansible-lockdown/RHEL9-CIS/issues/21) + - [#22](https://github.com/ansible-lockdown/RHEL9-CIS/issues/22) ## 0.3 From 90500ceccfb2f8c1055ada31ad9e934fcf2501af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:25:28 +0100 Subject: [PATCH 232/454] updates Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 7221083c..07d5effd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,8 @@ ## 0.4 -- RockyLinux now supported +- RockyLinux now supported - release since initial branches +- gpg check updates - workflow updates - selinux regexp improvements - warning summary now at end of play From 045bbc30cb4dc2670edc6a3150028fba2af9987a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 23 Aug 2022 11:23:10 -0400 Subject: [PATCH 233/454] updated environment tags and sleep timeout to 120s Signed-off-by: George Nalen --- .github/workflows/OS.tfvars | 2 +- .github/workflows/github_vars.tfvars | 2 +- .github/workflows/linux_benchmark_testing.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 0bfba595..a5e2fda3 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -5,5 +5,5 @@ ami_username = "ec2-user" ami_user_home = "/home/ec2-user" instance_tags = { Name = "RHEL9-CIS" - Environment = "github_test_pipeline" + Environment = "lockdown_github_repo_workflow" } diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 2a7e263c..e50753db 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars 
@@ -4,7 +4,7 @@ // namespace = "github_actions" -environment = "github_test_pipeline" +environment = "lockdown_github_repo_workflow" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 5b2a708a..5ad17027 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,7 +93,7 @@ jobs: - name: if RHEL7 - Sleep for 60 seconds #if: steps.test_os.outputs.RHEL7 >= 1 - run: sleep 60s + run: sleep 120s shell: bash # Run the ansible playbook From 4853d45ca7c5ae4aef24050ddc4c49068b1d16e3 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 23 Aug 2022 11:24:42 -0400 Subject: [PATCH 234/454] updated sleep timeout from 120s to 60s Signed-off-by: George Nalen --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 5ad17027..5b2a708a 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,7 +93,7 @@ jobs: - name: if RHEL7 - Sleep for 60 seconds #if: steps.test_os.outputs.RHEL7 >= 1 - run: sleep 120s + run: sleep 60s shell: bash # Run the ansible playbook From 410074f7263580963c3ab4d453a9e7481ce21384 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 16:45:01 +0100 Subject: [PATCH 235/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 1e2297af..cb118995 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -4,7 +4,7 @@ - RockyLinux now supported - release since initial branches - gpg check updates -- workflow updates +- workflow updates and improvements moved to rocky image - selinux regexp improvements - warning summary now at end of play - advanced auditd options to exclude users in POST section From 571f2f70e37c98332a164d544867732a24322eea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 16:47:21 +0100 Subject: [PATCH 236/454] updated for rocky an dnow beta Signed-off-by: Mark Bolwell --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 048c85fd..4c7324b7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Development Only -## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA +## RHEL 9 CIS (predicted) - Beta - CIS baselines or OS not yet GA ## Testing if you have access to the RH developer branches @@ -17,7 +17,7 @@ Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https:/ ## Join us -On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users ## Caution(s) @@ -49,7 +49,9 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). ## Requirements -RHEL 9 - Other versions are not supported. +RHEL 9 +Almalinux 9 +Rocky 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) From e4bf188383ad8d06566da1713c47fa0fb0755584 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Sep 2022 13:35:36 +0100 Subject: [PATCH 237/454] Added Assertion for passwd set on ansible user Signed-off-by: Mark Bolwell --- tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
diff --git a/tasks/main.yml b/tasks/main.yml index e2c92618..ecddbaa0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,6 +20,28 @@ tags: - always +- name: "Check password set for {{ ansible_user }}" + block: + - name: Capture current password state of "{{ ansible_user }}" + shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_user }} and account not locked" + assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 + when: + - rhel9cis_rule_5_3_4 + - not system_is_ec2 + tags: + - user_passwd + - name: Setup rules if container block: - name: Discover and set container variable if required From 32907dc7c6e9ab85d006aa52199ca9cd1c7a887f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Sep 2022 13:36:11 +0100 Subject: [PATCH 238/454] Added Assertion update Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index cb118995..740fa1cd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## 0.4 +- Added assertion that ansible_user has password set for rule 5.3.4 - RockyLinux now supported - release since initial branches - gpg check updates - workflow updates and improvements moved to rocky image From 2974fa5385e3a29a30eacdea3b9a7c17ad6bee51 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:04:12 +0100 Subject: [PATCH 239/454] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +++ .yamllint | 38 +++++++++++++++++++++++++------------- 2 files changed, 28 insertions(+), 13 deletions(-) 
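Review bot: `grep {{ ansible_user }} /etc/shadow` is unanchored and matches any line containing the name in any field, so an `ansible_user` of `ec2` matches `ec2-user`, a name that is a prefix of another account returns several lines, and the assertion can then pass on the wrong account's hash. The locked-account test only recognises `!!`; accounts locked with `passwd -l`/`usermod -L` carry a single `!` in front of the hash and `*` means no usable password, and both currently satisfy the assert even though sudo with 5.3.4 enabled would still fail. Suggest `shell: "getent shadow '{{ ansible_user }}' | cut -d: -f2"` and `that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout is not match('^[!*]')`. `ansible_user` is undefined when the inventory relies on the connection default, so the block should also be guarded with `ansible_user is defined`, and the success_msg reads "You a password set".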
diff --git a/.ansible-lint b/.ansible-lint index f2a7e7cc..f21e1f44 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,6 +1,9 @@ parseable: true quiet: true skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' - '204' - '305' - '303' diff --git a/.yamllint b/.yamllint index fdea6296..693eec6c 100644 --- a/.yamllint +++ b/.yamllint @@ -2,22 +2,34 @@ ignore: | tests/ molecule/ + .github/ .gitlab-ci.yml *molecule.yml extends: default rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - truthy: disable - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - line-length: disable + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + truthy: disable + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + indentation: + indent-sequences: consistent + level: error + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false From 1e22c1379400ab4d3da111c4929fdc0b48747b0c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:04:19 +0100 Subject: [PATCH 240/454] linting Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++---- tasks/LE_audit_setup.yml | 2 +- tasks/auditd.yml | 14 ++++++++------ tasks/main.yml | 30 +++++++++++++++--------------- tasks/post.yml | 2 +- tasks/post_remediation_audit.yml | 4 ++-- tasks/pre_remediation_audit.yml | 7 +++++-- tasks/prelim.yml | 4 +++- 8 files changed, 39 insertions(+), 32 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 9264a429..533660d9 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
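Review bot: Adding `no-changed-when` and `schema` to `skip_list` silences them for the whole repository rather than for the tasks that need it; for a hardening role built around `shell`/`command` tasks, `no-changed-when` is the rule that catches tasks reporting changed on every run and misbehaving in check mode, and `schema` catches malformed task files. Prefer `warn_list` for these two, or a `# noqa no-changed-when` on the specific tasks, so new offenders still surface in CI.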
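Review bot: The new `rules:` mapping defines `indentation:` twice and `truthy:` twice; PyYAML-style loaders, which yamllint uses for its config, keep the last occurrence, so the `spaces: 4` requirement from the first `indentation:` block and the earlier `truthy: disable` are silently discarded, while the `key-duplicates: enable` added a few lines below would flag exactly this if the config were linted. Merge each pair into one block, e.g. a single `indentation:` with `spaces: 4`, `indent-sequences: consistent`, `level: error`, and a single `truthy:` with the `allowed-values`/`check-keys` settings. Note also that adding `.github/` to `ignore` means the workflow YAML edited throughout this series is never linted.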
@@ -15,7 +15,7 @@ value: '1' sysctl_set: true ignore_errors: true - when: + when: - flush_ipv4_route - not system_is_container tags: @@ -27,7 +27,7 @@ name: net.ipv6.route.flush value: '1' sysctl_set: true - when: + when: - flush_ipv6_route - not system_is_container @@ -78,7 +78,7 @@ shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false - ignore_errors: True + ignore_errors: true tags: - skip_ansible_lint @@ -130,4 +130,4 @@ - name: change_requires_reboot set_fact: - change_requires_reboot: true \ No newline at end of file + change_requires_reboot: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index e4cac492..98f38552 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -22,7 +22,7 @@ - get_goss_file == 'copy' - name: install git if not present - package: + package: name: git state: present register: git_installed diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 9c5a14e5..74830ca5 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,3 +1,5 @@ +--- + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added template: src: audit/99_auditd.rules.j2 @@ -6,18 +8,18 @@ group: root mode: 0600 register: audit_rules_updated - notify: + notify: - auditd_immutable_check - audit_immutable_fact - restart auditd - name: POST | Set up auditd user logging exceptions template: - src: audit/98_auditd_exception.rules.j2 - dest: /etc/audit/rules.d/98_auditd_exceptions.rules - owner: root - group: root - mode: 0600 + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: 0600 notify: restart auditd when: - allow_auditd_uid_user_exclusions diff --git a/tasks/main.yml b/tasks/main.yml index ecddbaa0..0d272b15 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -22,20 +22,20 @@ - name: "Check password set for {{ ansible_user }}" block: - - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" - changed_when: false - failed_when: false - check_mode: false - register: ansible_user_password_set - - - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" - vars: - sudo_password_rule: rhel9cis_rule_5_3_4 + - name: Capture current password state of "{{ ansible_user }}" + shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_user }} and account not locked" + assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 when: - rhel9cis_rule_5_3_4 - not system_is_ec2 @@ -205,7 +205,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" when: warn_count != 0 tags: - always diff --git a/tasks/post.yml b/tasks/post.yml index 3a8a0ed9..3b5c3f2b 100644 --- a/tasks/post.yml 
+++ b/tasks/post.yml @@ -53,7 +53,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" set_fact: control_number: "{{ control_number }} + [ 'Reboot_required' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - change_requires_reboot - skip_reboot diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0ab61b2e..4429b7ef 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation args: @@ -28,7 +28,7 @@ - name: Capture post-audit result set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index bb9344af..93c4985f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -33,6 +33,9 @@ get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" + owner: root + group: root + mode: 0755 when: - audit_content == 'get_url' @@ -70,7 +73,7 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation args: 
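Review bot: The `get_url` of `audit_files_url` into `audit_conf_dir` now sets owner/group/mode but still has no `checksum:`, and the next hunk in this file runs `{{ audit_conf_dir }}/run_audit.sh` from that directory, so whatever the URL serves is executed by the role without any integrity check. Pinning the download, `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder; use the published digest, or a variable kept alongside `audit_files_url`), makes a tampered or truncated download fail here instead of at execution time. `mode: 0755` is only needed if the fetched object is the script itself; if it is an archive unpacked later, `0644` is sufficient — the hunk does not show which it is.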
@@ -87,7 +90,7 @@ - name: Pre Audit | Capture pre-audit result set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2646e985..55546d1f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -217,7 +217,9 @@ min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- debug: + +- name: Output of uid findings + debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: From 33340c7487e181787e2fff9a09789936797432f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:10:31 +0100 Subject: [PATCH 241/454] lint updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +++--- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 4 ++-- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 4 ++-- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.1.x.yml | 4 ++-- tasks/section_1/cis_1.2.x.yml | 8 ++++---- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 4 ++-- tasks/section_1/cis_1.8.x.yml | 9 ++++++--- 13 files changed, 27 insertions(+), 24 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index d0a9eaa5..1c99b62a 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -7,7 +7,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" 
@@ -32,7 +32,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" @@ -57,7 +57,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d43d7684..d7db5a69 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -11,7 +11,7 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 6dbc1d2a..9e4feb86 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -13,7 +13,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 62c43068..d05db6a2 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -14,7 +14,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names 
@@ -68,4 +68,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 \ No newline at end of file + - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 985b3d8d..dd4ab9f3 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -13,7 +13,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 47bcba77..afbe41a4 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -13,7 +13,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names @@ -66,4 +66,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 \ No newline at end of file + - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 6ba442db..59f28ba3 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -13,7 +13,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6aff..26ae8774 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -13,7 +13,7 @@ shell: mount -l | grep -E '\s/dev/shm\s' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_1_1_8_x_dev_shm_status - name: | diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index a77e5242..ea5c8622 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -3,7 +3,7 @@ - name: "1.1.9 | PATCH | Disable Automounting" service: name: autofs - enabled: no + enabled: false when: - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" @@ -24,7 +24,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 4d8cd68a..81e996db 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -27,7 +27,7 @@ failed_when: false register: os_installed_pub_keys - #- debug: + # - debug: # msg: "{{ os_installed_pub_keys }}" - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" @@ -40,7 +40,7 @@ - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" debug: msg: "Congratulations !! - The installed gpg keys match expected values" - when: + when: - os_installed_pub_keys.rc == 0 - os_gpg_key_check.rc == 0 @@ -96,7 +96,7 @@ changed_when: false failed_when: false register: dnf_configured - check_mode: no + check_mode: false args: warn: false @@ -109,7 +109,7 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" set_fact: control_number: "{{ control_number }} + ['rule_1.2.4']" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_1_2_4 tags: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 6ac49792..8ba419e5 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
@@ -58,7 +58,7 @@ path: /etc/systemd/system/rescue.service.d/00-require-auth.conf regexp: '^ExecStart=' line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: yes + create: true owner: root group: root mode: 0644 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 494176d2..f2b231ef 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -84,7 +84,7 @@ - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - rhel9cis_rule_1_6_1_5 @@ -121,4 +121,4 @@ - level1-workstation - automated - patch - - rule_1.6.1.7 \ No newline at end of file + - rule_1.6.1.7 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a126a0ab..f47d2a1e 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -21,7 +21,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present - create: yes + create: true owner: root group: root mode: 0644 @@ -50,7 +50,7 @@ path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + create: true owner: root group: root mode: 0644 @@ -93,7 +93,10 @@ path: /etc/dconf/db/local.d/00-media-automount regexp: "{{ item.regex }}" line: "{{ item.line }}" - create: yes + create: true + owner: root + group: root + mode: 0644 notify: reload dconf with_items: - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } From 1992eea6dab1d56cc58a3265df61c9d0cb4b2358 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:19:01 +0100 Subject: [PATCH 242/454] lint updates 
Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 8 ++++---- tasks/section_3/cis_3.1.x.yml | 6 +++--- tasks/section_3/cis_3.2.x.yml | 19 +++++++++++-------- tasks/section_3/cis_3.3.x.yml | 32 +++++++++++++++++--------------- tasks/section_3/cis_3.4.1.x.yml | 10 +++++----- tasks/section_3/cis_3.4.2.x.yml | 10 +++++----- 7 files changed, 46 insertions(+), 41 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index effe8067..1db81794 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -29,7 +29,7 @@ path: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" - create: yes + create: true mode: 0644 when: - rhel9cis_rule_2_1_2 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 14b86eda..3373e543 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -6,7 +6,7 @@ shell: systemctl list-units --type=service changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" @@ -16,10 +16,10 @@ - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" set_fact: control_number: "{{ control_number }} + ['rule_2.4']" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_2_4 tags: @@ -28,4 +28,4 @@ - manual - audit - services - - rule_2.4 \ No newline at end of file + - rule_2.4 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index bb6d09c1..6eaf58f9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -10,7 +10,7 @@ flush_ipv6_route: true - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - debug: + debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required @@ -68,9 +68,9 @@ command: rpm -q NetworkManager changed_when: false failed_when: false - check_mode: no + check_mode: false args: - warn: no + warn: false register: rhel_08_nmcli_available - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 36a46282..6e07c551 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -6,18 +6,21 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - block: - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - set_fact: - flush_ipv6_route: true - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6" + block: + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + when: rhel9cis_ipv6_required when: - not rhel9cis_is_router diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 25599254..5a1454ee 100644 --- a/tasks/section_3/cis_3.3.x.yml 
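Review bot: The `args: warn: false` under `command: rpm -q NetworkManager` targets the command/shell `warn` parameter, which ansible-core deprecated in 2.11 and has since removed (2.14), so on current ansible-core the task fails with an unsupported-parameter error rather than merely losing the lint suppression. Delete the two `args:`/`warn:` lines here; the same pair is touched in the cis_3.4.2.x, cis_5.2.x, cis_5.4.x and cis_6.1.x hunks below and appears as context in the handlers hunks, and should go everywhere. Where the only purpose was silencing the linter's prefer-a-module advice, `# noqa command-instead-of-module` on the task line does that without a runtime dependency.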
+++ b/tasks/section_3/cis_3.3.x.yml @@ -10,14 +10,15 @@ debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" - set_fact: - flush_ipv6_route: true - - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" + block: + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 @@ -39,14 +40,15 @@ debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - set_fact: - flush_ipv6_route: true + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" + block: + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_2 
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index cef70de8..d43dfe61 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -49,7 +49,7 @@ systemd: name: nftables state: stopped - masked: yes + masked: true when: - rhel9cis_firewalld_nftables_state == "masked" @@ -73,7 +73,7 @@ systemd: name: firewalld state: started - enabled: yes + enabled: true when: - rhel9cis_rule_3_4_1_4 tags: @@ -90,7 +90,7 @@ changed_when: false failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) register: firewalld_zone_set - + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: @@ -112,7 +112,7 @@ shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_1_6_interfacepolicy - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" @@ -135,7 +135,7 @@ shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_1_7_servicesport - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index b74eda17..7169fb3a 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
@@ -105,14 +105,14 @@ - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - failed_when: no + failed_when: false when: rhel9cis_nft_tables_autonewtable when: - rhel9cis_firewall == "nftables" @@ -159,8 +159,8 @@ - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" shell: "{{ item }}" args: - warn: no - failed_when: no + warn: false + failed_when: false with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } @@ -322,7 +322,7 @@ - name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" service: name: nftables - enabled: yes + enabled: true when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 From 3df35e03a08e49d0f01f7903ed7122de2b88863d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:34:42 +0100 Subject: [PATCH 243/454] lint updates 
Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 6 ++--- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 8 +++---- tasks/section_4/cis_4.2.2.x.yml | 12 +++++----- tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.2.x.yml | 6 ++--- tasks/section_5/cis_5.4.x.yml | 8 +++---- tasks/section_5/cis_5.6.1.x.yml | 10 ++++----- tasks/section_5/cis_5.6.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 9 +++++--- tasks/section_6/cis_6.2.x.yml | 40 ++++++++++++++++----------------- 14 files changed, 58 insertions(+), 55 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 533660d9..f96d9fb2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -14,7 +14,7 @@ name: net.ipv4.route.flush value: '1' sysctl_set: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors when: - flush_ipv4_route - not system_is_container @@ -78,7 +78,7 @@ shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false - ignore_errors: true + ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f2b231ef..9a8d1347 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -19,7 +19,7 @@ regexp: 'selinux=0' replace: '' register: selinux_grub_patch - ignore_errors: yes + ignore_errors: true # noqa ignore-errors notify: grub2cfg when: - rhel9cis_rule_1_6_1_2 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 7169fb3a..81fe7332 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -39,7 +39,7 @@ name: "{{ item }}" enabled: false masked: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors with_items: - iptables - ip6tables 
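Review bot: The `# noqa ignore-errors` on the `grub2cfg` handler (`shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"`) silences the linter but keeps the behaviour it warns about: when grub2-mkconfig fails, the play carries on and the bootloader change that notified the handler — for example the `selinux=0` removal in the cis_1.6.1.x hunk of this same commit — never reaches grub.cfg, with nothing in the role's warn_count summary. Registering the result and feeding it into the existing `control_number`/`warn_count` mechanism, or simply letting the handler fail, is safer for a control whose whole point is that the next boot enforces the setting; an explicit `failed_when` condition is what the rule is asking for. The sysctl route-flush handlers in the first hunk are a lower-risk case, but the same reasoning applies.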
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index ffe72052..258b64f3 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -27,7 +27,7 @@ service: name: auditd state: started - enabled: yes + enabled: true when: - rhel9cis_rule_4_1_1_2 tags: @@ -44,7 +44,7 @@ shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" @@ -79,7 +79,7 @@ shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_4_1_1_4_grub_cmdline_linux - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 40a75176..8272b7e2 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -77,7 +77,7 @@ shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false - check_mode: no + check_mode: false register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 7e70a024..99e253ab 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -18,7 +18,7 @@ - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: yes + enabled: true when: - rhel9cis_rule_4_2_1_2 tags: 
@@ -65,10 +65,10 @@ block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" command: cat /etc/rsyslog.conf - become: yes + become: true changed_when: false - failed_when: no - check_mode: no + failed_when: false + check_mode: false register: rhel_08_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 7a35d8ff..f172f961 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -39,7 +39,7 @@ systemd: name: systemd-journal-upload state: started - enabled: yes + enabled: true when: - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 @@ -55,8 +55,8 @@ systemd: name: systemd-journal-remote.socket state: stopped - enabled: no - masked: yes + enabled: false + masked: true when: - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 @@ -74,7 +74,7 @@ systemd: name: systemd-journald state: started - enabled: yes + enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" shell: systemctl is-enabled systemd-journald.service @@ -91,7 +91,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 @@ -203,7 +203,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 734b434a..ef82f98b 100644 --- a/tasks/section_5/cis_5.1.x.yml 
+++ b/tasks/section_5/cis_5.1.x.yml @@ -3,7 +3,7 @@ - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond - enabled: yes + enabled: true when: - rhel9cis_rule_5_1_1 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 73b804f3..202ee8ce 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -275,15 +275,15 @@ - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd args: - warn: no + warn: false changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - + - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd args: - warn: no + warn: false notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 501af418..11ddbbd8 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -6,7 +6,7 @@ shell: 'authselect current | grep "Profile ID: custom/"' failed_when: false changed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_4_1_profiles - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" @@ -18,7 +18,7 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 @@ -36,7 +36,7 @@ shell: "authselect current | grep with-faillock" failed_when: false changed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_4_2_profiles_faillock - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" 
@@ -48,7 +48,7 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 4addbc52..1163abb3 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -51,7 +51,7 @@ shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" @@ -61,7 +61,7 @@ - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false - check_mode: no + check_mode: false register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" @@ -84,14 +84,14 @@ shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_5_currentut - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_5_user_list - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" 
@@ -109,7 +109,7 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 14b4a509..474a3783 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -49,7 +49,7 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: - create: yes + create: true mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c61b51e7..2cef0f7b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: no + warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -16,6 +16,9 @@ copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" + owner: root + group: root + mode: 0640 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: @@ -26,7 +29,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" 
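Review bot: The new `mode: 0640` on the `copy` task in the cis_6.1.x.yml hunk is an unquoted octal literal, which YAML 1.1 loaders turn into the integer 416 before Ansible sees it; it only works because 416 happens to equal 0o640, and the same value written without the leading zero would be silently mis-applied. Quote it as `mode: '0640'` so the module receives a string and does the octal parsing itself (ansible-lint reports the unquoted form as risky-octal). The `mode: 0644` in the cis_5.6.x.yml `blockinfile` hunk on this line has the same issue.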
@@ -46,7 +49,7 @@ - name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t args: - warn: no + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 32258957..eb4bcdea 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -39,7 +39,7 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_2 @@ -73,7 +73,7 @@ - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_3 @@ -107,7 +107,7 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 when: @@ -142,7 +142,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 
@@ -161,7 +161,7 @@ shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_6_2_6_group_group_check - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" @@ -177,7 +177,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_6_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_6 @@ -194,23 +194,23 @@ block: - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" shell: 'echo $PATH | grep ::' - changed_when: False + changed_when: false failed_when: rhel9cis_6_2_7_path_colon.rc == 0 - check_mode: no + check_mode: false register: rhel9cis_6_2_7_path_colon - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" shell: 'echo $PATH | grep :$' - changed_when: False + changed_when: false failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 - check_mode: no + check_mode: false register: rhel9cis_6_2_7_path_colon_end - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - changed_when: False + changed_when: false failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' - check_mode: no + check_mode: false register: rhel9cis_6_2_7_dot_in_path - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" @@ -280,7 +280,7 @@ - name: "6.2.9 | PATCH | Ensure all users' home directories exist" file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_08_6_2_9_patch when: 
@@ -296,12 +296,12 @@ - name: "6.2.9 | PATCH | Ensure all users' home directories exist" acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: + when: - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | @@ -368,7 +368,7 @@ - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_08_6_2_11_patch when: @@ -384,12 +384,12 @@ - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: + when: - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | From 962319fcce00af508f5d443f6320f8d42d3b3203 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:52:55 +0100 Subject: [PATCH 244/454] changed audit dir to opt Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c605f920..89424552 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -669,12 +669,9 @@ audit_local_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" -# Where the goss audit configuration will be stored -audit_files: "/var/tmp/{{ benchmark }}-Audit/" - ## Goss configuration information # Where the goss configs and outputs are stored -audit_out_dir: '/var/tmp' +audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" From a1d0130909d2613a9a7c0c4f2bfa40fcde04f177 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:53:52 +0100 Subject: [PATCH 245/454] updates Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 740fa1cd..2fa85d44 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,8 @@ - Added assertion that ansible_user has password set for rule 5.3.4 - RockyLinux now supported - release since initial branches - gpg check updates +- audit out dir now /opt +- lint updates and improvements - workflow updates and improvements moved to rocky image - selinux regexp improvements - warning summary now at end of play From 0d155c418258e09c9256b409b1b7577886c149c1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:08:16 +0100 Subject: [PATCH 246/454] lint updates Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 2 ++ tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 1 - templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/etc/modprobe.d/modprobe.conf.j2 | 2 +- 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 5a1454ee..b78593e8 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
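Review bot: Moving `audit_out_dir` to `/opt` takes the pre/post scan reports out of a directory that is typically subject to age-based tmpfiles cleanup and puts them, with an epoch in the filename, directly under `/opt` where nothing in this hunk prunes them, so reports accumulate across runs. Since each report records which controls a host fails, it is worth stating the retention expectation in the comment above the variable, e.g. `# Where the goss configs and outputs are stored (persistent; reports are not removed by the role)`. The removed `audit_files` variable should have no remaining references elsewhere in the role; that cannot be confirmed from this hunk.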
@@ -65,6 +65,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -140,6 +141,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 81fe7332..ebb3631b 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -172,7 +172,7 @@ tags: - level1-server - level1-workstation - - automate + - automated - patch - nftables - rule_3.4.2.6 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 99e253ab..12afac1f 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -65,7 +65,6 @@ block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" command: cat /etc/rsyslog.conf - become: true changed_when: false failed_when: false check_mode: false diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 3dcc3559..d8a0b8da 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -5,4 +5,4 @@ {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index 081bbae6..77b8cd59 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 
@@ -3,4 +3,4 @@ # https://github.com/ansible-lockdown ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! -install {{ item }} /bin/true \ No newline at end of file +install {{ item }} /bin/true From 5c2211f99b29fb1dd3845325ec82cdf99c9babff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:23:33 +0100 Subject: [PATCH 247/454] aligned with audit Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f5a7921e..1431ed47 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -159,6 +159,7 @@ rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} +rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }} rhel9cis_rule_2_4: true # todo @@ -276,6 +277,7 @@ rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} +rhel9cis_rule_5_1_9: {{ rhel9cis_rule_5_1_9 }} # 5.2 Configure SSH Server rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} @@ -494,4 +496,4 @@ rhel9cis_pass: rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} ## 5.3.7 sugroup users list -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} \ No newline at end of file +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} From d3d819b0a03972bcafa9106ff36f2dbe62119f82 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:24:31 +0100 Subject: [PATCH 248/454] changed default git_branch to devel Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 89424552..510784b0 100644 
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -661,7 +661,7 @@ copy_goss_from_path: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: main +audit_git_version: devel # copy: audit_local_copy: "some path to copy from" From 19a8103be4fb7164b6416c358c352adb7ba70039 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:47:01 +0100 Subject: [PATCH 249/454] removed unnecessary when statement Signed-off-by: Mark Bolwell --- handlers/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index f96d9fb2..0fae419c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -120,11 +120,6 @@ shell: service auditd restart args: warn: false - when: - - audit_rules_updated.changed or - rule_4_1_2_1.changed or - rule_4_1_2_2.changed or - rule_4_1_2_3.changed tags: - skip_ansible_lint From 226f2bc9b9f3aec00e8d6e94db4987d1dbf0e45e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 15:47:38 +0100 Subject: [PATCH 250/454] removed unnecessary become Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 55546d1f..80a273b5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -86,7 +86,6 @@ package: name: python3-libselinux state: present - become: true when: - '"python3-libselinux" not in ansible_facts.packages' From cc2f734d5705e5b3028d3f31ae1aa463361a56b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 15:47:55 +0100 Subject: [PATCH 251/454] line tidy up Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 81e996db..9445d151 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
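Review bot: Defaulting `audit_git_version` to `devel` makes every run clone the moving tip of the audit repository's development branch rather than a released revision, so the checks a host is scored against can change between runs without any change to this role, and an unreviewed push to that branch reaches every managed host. Prefer a release branch or tag as the default, or at least say so next to the variable, e.g. `audit_git_version: devel  # branch or tag of the audit repo; devel is the unreleased working branch`. The handlers/main.yml hunk on this line that drops the `when:` from the auditd restart handler looks consistent with the registers being removed in the next commit of the series.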
@@ -27,14 +27,11 @@ failed_when: false register: os_installed_pub_keys - # - debug: - # msg: "{{ os_installed_pub_keys }}" - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" - register: os_gpg_key_check changed_when: false failed_when: false + register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" From cdf8bab1ed2f52b90021031461509e2a705ee037 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 15:48:13 +0100 Subject: [PATCH 252/454] removed unnecessary register Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.2.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index afad08bc..0eec0b29 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -5,7 +5,6 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" - register: rule_4_1_2_1 notify: restart auditd when: - rhel9cis_rule_4_1_2_1 @@ -22,7 +21,6 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - register: rule_4_1_2_2 notify: restart auditd when: - rhel9cis_rule_4_1_2_2 @@ -39,7 +37,6 @@ path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - register: rule_4_1_2_3 notify: restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } From fc407f832976666f72e3d057afb706fb3ca67715 Mon Sep 17 00:00:00 2001 From: Kristian Date: Tue, 27 Sep 2022 17:15:49 +0200 Subject: [PATCH 253/454] tss user and spacing 
Signed-off-by: Kristian --- collections/requirements.yml | 3 --- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_4/main.yml | 2 +- tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.2.x.yml | 4 ++-- tasks/section_5/cis_5.6.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 10 +++++----- tasks/section_6/cis_6.2.x.yml | 1 + 8 files changed, 12 insertions(+), 14 deletions(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a418efa..d35b7e97 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,8 +1,5 @@ --- - collections: - name: community.general - - name: community.crypto - - name: ansible.posix diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6eaf58f9..ebe43257 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -64,7 +64,7 @@ - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" command: rpm -q NetworkManager changed_when: false failed_when: false diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 6128f169..a4f05d2d 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -15,7 +15,7 @@ import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' -- name: "SECTION | 4.2.2 Configure journald" +- name: "SECTION | 4.2.2 | Configure journald" import_tasks: cis_4.2.2.x.yml when: rhel9cis_syslog == 'journald' diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index ef82f98b..6af5981b 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml 
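Review bot: The collections/requirements.yml hunk drops `ansible.posix` (and `community.crypto`) from the required collections, yet tasks in this role still use the short module name `acl` (cis_6.2.x.yml, earlier in this series), which is provided by `ansible.posix`; on a controller that does not already have that collection installed the task will fail to resolve. Unless those modules have been replaced elsewhere, keep `- name: ansible.posix` in the list. Whether `community.crypto` is still needed cannot be told from this hunk.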
@@ -148,7 +148,7 @@ dest: /etc/at.deny state: absent - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 202ee8ce..14484b64 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -296,7 +296,7 @@ - ssh - rule_5.2.14 -- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" +- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: path: /etc/ssh/sshd_config regexp: '^Banner' @@ -343,7 +343,7 @@ - ssh - rule_5.2.17 -- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" +- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 1163abb3..358d0758 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -78,7 +78,7 @@ - password - rule_5.6.1.4 -- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 2cef0f7b..099eb0ee 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -96,7 +96,7 @@ - permissions - rule_6.1.4 -- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" +- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" file: dest: /etc/group- owner: root 
@@ -299,7 +299,7 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" debug: msg: "Good news! We have not found any SUID executable files on your system" failed_when: false @@ -307,7 +307,7 @@ when: - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" debug: msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" @@ -334,7 +334,7 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" debug: msg: "Good news! We have not found any SGID executable files on your system" failed_when: false @@ -342,7 +342,7 @@ when: - rhel_08_6_1_15_perms_results.stdout is not defined - - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index eb4bcdea..235146e1 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -333,6 +333,7 @@ when: - item.uid >= min_int_uid | int - item.id != 'nobody' + - (item.id != 'tss' and item.dir != '/dev/null') - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 From 4fe4346f35fe2b6d38140c8992d66b8e4a982a48 Mon Sep 17 00:00:00 2001 
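Review bot: The new condition `(item.id != 'tss' and item.dir != '/dev/null')` in the cis_6.2.x.yml hunk skips every account whose home is `/dev/null` and also skips `tss` whatever its home directory, because both tests must hold for the entry to be processed. If the intent (per the commit title) is only to exclude the `tss` account with a `/dev/null` home, the line should read `not (item.id == 'tss' and item.dir == '/dev/null')`; if excluding any `/dev/null` home is wanted, the `tss` test is redundant and `item.dir != '/dev/null'` alone is clearer. A short comment stating which case is meant would save the next reader from re-deriving it. The enclosing task starts outside the hunk.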
From: Mark Bolwell Date: Fri, 14 Oct 2022 12:09:14 +0100 Subject: [PATCH 254/454] updated audit filename Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 510784b0..24ca2e74 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -673,8 +673,8 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing goss_file: "{{ audit_conf_dir }}goss.yml" From 249135713612bdfd95465488ad4fd235704b2896 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:09:30 +0100 Subject: [PATCH 255/454] Added login.defs 5.6.5 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 474a3783..4064d748 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -87,6 +87,15 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" + replace: + path: /etc/login.defs + regexp: "{{ item.regexp }}" + replace: "{{ item.replace }}" + loop: + - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } + - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc From e764ef55d50d595e9a515d811de0031e2f167944 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:14:03 +0100 Subject: [PATCH 256/454] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 4 ++++ meta/main.yml | 1 + tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_5/cis_5.6.x.yml | 4 ++-- tasks/section_6/cis_6.1.x.yml | 2 +- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index f21e1f44..c3dfee39 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -4,6 +4,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'fqcn-builtins' + - 'experimental' + - 'name[casing]' + - 'name[template]' + - 'jinja[spacing]' - '204' - '305' - '303' diff --git a/meta/main.yml b/meta/main.yml index aac8be87..b4a804e6 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,6 +5,7 @@ galaxy_info: company: "MindPoint Group" license: MIT role_name: rhel9_cis + namespace: mindpointgroup min_ansible_version: 2.10.0 platforms: - name: EL diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 8ba419e5..cdad67fe 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
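Review bot: The `UMASK` pattern `0[012][0-6]` only matches values 000–026, so several settings weaker than 027 (for example `UMASK 007` or `UMASK 017`, which leave group write) pass through untouched and the control silently accepts them. 027-or-stricter requires the group digit to clear the write bit and the other digit to be 7, so a pattern such as `'(UMASK\s+)0(?:[0145][0-7]|[0-7][0-6])'` would cover all non-compliant three-digit values while still leaving 027, 037 and 077 alone. The replacement `'\1 027'` also inserts an extra space after the captured whitespace on every rewrite. The enclosing block starts outside the hunk.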
@@ -3,7 +3,7 @@ - name: "1.4.1 | PATCH | Ensure bootloader password is set" copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root mode: 0600 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 4064d748..f1052c37 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -93,8 +93,8 @@ regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" loop: - - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } - - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } + - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 099eb0ee..29d98b37 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -14,7 +14,7 @@ block: - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" copy: - dest: "{{ rhel9cis_rpm_audit_file }}" + dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" owner: root group: root From acdb56a2770b3d464759b4bfc195db0f444a69c1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:20:05 +0100 Subject: [PATCH 257/454] updated for readthedocs Signed-off-by: Mark Bolwell --- README.md | 57 ++++++------------------------------------------------- 1 file changed, 6 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 4c7324b7..00d5a39c 100644 --- a/README.md +++ b/README.md 
@@ -21,7 +21,7 @@ On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, d ## Caution(s) -This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role **will make changes to the system** which may have unintended concequences. This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. 
@@ -29,23 +29,11 @@ To use release version please point to main branch ## Documentation +- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) - [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) - [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) - [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) - [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) -- [Wiki](https://github.com/ansible-lockdown/RHEL9-CIS/wiki) -- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL9-CIS/) - -## Auditing (new) - -This can be turned on or off within the defaults/main.yml file with the variable rhel9cis_run_audit. The value is false by default, please refer to the wiki for more details. - -This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. - -A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. - -Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). ## Requirements 
@@ -62,8 +50,10 @@ Rocky 9 - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) + - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL9-CIS/wiki/Main-Variables). +- Please read through the tasks in this role to gain an understanding of what each control is doing. + - Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file ## Dependencies @@ -71,6 +61,7 @@ Rocky 9 - Ansible 2.9+ - python-def (should be included in RHEL 9) - libselinux-python +- jmespath ## Role Variables 
@@ -92,39 +83,3 @@ Below is an example of the tag section from a control within this role. Using th - patch - rule_2.2.4 ``` - -## Example Audit Summary - -This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. -Note: More tests are run during audit as we check config and running state. - -```txt - -ok: [default] => { - "msg": [ - "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].", - "The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].", - "Full breakdown can be found in /var/tmp", - "" - ] -} - -PLAY RECAP ******************************************************************************************************************************************* -default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 -``` - -## Branches - -- devel - This is the default branch and the working development branch. Community pull requests will pull into this branch -- main - This is the release branch -- reports - This is a protected branch for our scoring reports, no code should ever go here -- all other branches** - Individual community member branches - -## Community Contribution - -We encourage you (the community) to contribute to this role. Please read the rules below. - -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. -- All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved -- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release From 1d96539637f3a395985c4fc5ee4d2177b8b7650d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:29:06 +0100 Subject: [PATCH 258/454] Exentsion to auditd 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 7 +++++++ tasks/section_4/cis_4.1.2.x.yml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 24ca2e74..2cbbbc8f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -508,6 +508,13 @@ update_audit_template: false ## Advanced option found in auditd post allow_auditd_uid_user_exclusions: false + +# This can be used to configure other keys in auditd.conf +rhel9cis_auditd_extra_conf: {} +# Example: +# rhel9cis_auditd_extra_conf: +# admin_space_left: '10%' + ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 0eec0b29..a3ab9901 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -51,3 +51,19 @@ - patch - auditd - rule_4.1.2.3 + +- name: PATCH | Configure other keys for auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + regexp: "^{{ item }}( |=)" + line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" + loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" + notify: restart auditd + when: + - rhel9cis_auditd_extra_conf.keys() | length > 0 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd From ec04552390268e740fe92606c87cbeee7132c20d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:30:47 +0100 Subject: [PATCH 259/454] updated changes Signed-off-by: Mark Bolwell --- Changelog.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Changelog.md b/Changelog.md index 2fa85d44..07283db0 100644 --- a/Changelog.md +++ b/Changelog.md 
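Review bot: The key names from `rhel9cis_auditd_extra_conf` are interpolated into `regexp: "^{{ item }}( |=)"` without escaping, so a key that happens to contain regex metacharacters would not match its existing line and lineinfile would append a second entry to /etc/audit/auditd.conf instead of replacing the first; `regexp: "^{{ item | regex_escape }}( |=)"` keeps the match literal. Because the new task sits after the rule_4.1.2.3 task in the same file, any key a user lists here overwrites whatever the earlier tasks in cis_4.1.2.x.yml wrote for that key, and the defaults comment should say so, e.g. `# Keys set here are written last and override values set by the CIS 4.1.2.x tasks`. Looping with `loop: "{{ rhel9cis_auditd_extra_conf | dict2items }}"` and `line: "{{ item.key }} = {{ item.value }}"` would also remove the `.keys()` call from both `loop` and `when`.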
@@ -1,5 +1,19 @@ # Changes to rhel9CIS +## 0.5 + +### Taken from RHEL8-CIS issues and PRs + +- #209 5.6.5 rewrite umask settings +- #220 tidy up and align variables +- #226 Thanks to Thulium-Drake + -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases) + +- #227 thanks to OscarElits + - chrony files now RH expected locations +- #228 Thanks to benbulll + - audit binary copy var missing + ## 0.4 - Added assertion that ansible_user has password set for rule 5.3.4 From fe8275429d1778ca1d81c3f17509a1887003f390 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:33:32 +0100 Subject: [PATCH 260/454] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 07283db0..506b67a1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,8 @@ ## 0.5 +- audit path updated and output file name + ### Taken from RHEL8-CIS issues and PRs - #209 5.6.5 rewrite umask settings From a1b042f11047ae35c05fb02cd86a09b885f17ffd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:49:10 +0100 Subject: [PATCH 261/454] updated to fix error Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 908ea06f..2396cc53 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v1.1.0 + - uses: actions/first-interaction@v1.1.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- From 4455f2453f47303d8eb1d1a984b7bc6d12f02ab1 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 14 Oct 2022 12:57:51 +0100 Subject: [PATCH 262/454] updated link to discord Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 2396cc53..2c972d5c 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -31,7 +31,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + Please join in the conversation happening on the [Discord Server](https://discord.io/iansible-lockdown) as well. # This workflow contains a single job called "build" build: # The type of runner that the job will run on From 2634fabd41e801ca8d62ebbe5decb326e747e9a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Jan 2023 16:29:47 +0000 Subject: [PATCH 263/454] v1.0.0 updates 
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 51 ++++------------ tasks/section_1/cis_1.1.2.x.yml | 10 ++- tasks/section_1/cis_1.1.3.x.yml | 20 +++--- tasks/section_1/cis_1.1.4.x.yml | 12 ++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++-- tasks/section_1/cis_1.1.6.x.yml | 10 ++- tasks/section_1/cis_1.1.7.x.yml | 20 +++--- tasks/section_1/cis_1.1.8.x.yml | 78 +++++++++++++++--------- tasks/section_1/cis_1.1.x.yml | 31 +++------- tasks/section_1/cis_1.10.yml | 3 +- tasks/section_1/cis_1.2.x.yml | 104 +++++++++++++++++--------------- tasks/section_1/cis_1.3.x.yml | 25 ++++++-- tasks/section_1/cis_1.4.x.yml | 43 ++----------- tasks/section_1/cis_1.5.x.yml | 12 ++-- tasks/section_1/cis_1.6.1.x.yml | 84 ++++++++++++++++---------- tasks/section_1/cis_1.7.x.yml | 18 ++---- tasks/section_1/cis_1.8.x.yml | 49 +++++++-------- tasks/section_1/cis_1.9.yml | 3 +- 18 files changed, 272 insertions(+), 313 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 1c99b62a..cc2156c3 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
@@ -1,76 +1,49 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - lineinfile: - path: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install cramfs(\\s|$)" - line: "install cramfs /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - modprobe: - name: cramfs - state: absent - when: not system_is_container - when: - - rhel9cis_rule_1_1_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.1 - - cramfs - -- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - lineinfile: + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true mode: 0600 - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: not system_is_container when: - - rhel9cis_rule_1_1_1_2 + - rhel9cis_rule_1_1_1_1 tags: - level2-server - level2-workstation - - automated - patch - - rule_1.1.1.2 + - rule_1.1.1.1 - squashfs -- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" - lineinfile: + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems 
is disable | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true mode: 0600 - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf state: absent when: not system_is_container when: - - rhel9cis_rule_1_1_1_3 + - rhel9cis_rule_1_1_1_2 tags: - level2-server - level2-workstation - - automated - patch - - rule_1.1.1.3 + - rule_1.1.1.2 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d7db5a69..ab737ccd 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -3,13 +3,13 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! /tmp is not mounted on a separate partition" when: - required_mount not in mount_names - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: @@ -28,7 +28,6 @@ tags: - level1-server - level1-workstation - - automated - audit - mounts - rule_1.1.2.1 @@ -38,7 +37,7 @@ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - mount: + ansible.builtin.mount: name: /tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" @@ -58,7 +57,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - rule_1.1.2.2 
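Review bot: The new task bodies qualify `lineinfile` as `ansible.builtin.lineinfile` but leave the sibling `modprobe:` calls in the squashfs and udf blocks unqualified, so the file now mixes both styles; `ansible.builtin.modprobe:` matches the rest of this commit. Both renumbered udf sub-task names still read `is disable`, whereas the parent task says `is disabled`. The unchanged context line `mode: 0600` is a bare octal scalar that YAML 1.1 reads as an integer; `mode: '0600'` is the unambiguous spelling and is what ansible-lint expects.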
@@ -71,7 +69,7 @@ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - template: + ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 9e4feb86..3780e2fb 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -3,7 +3,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var" block: - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_mount_absent changed_when: var_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - patch - mounts - rule_1.1.3.1 
@@ -38,14 +37,13 @@ # skips if mount is absent - name: | "1.1.3.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.3.3 | PATCH | Ensure noexec option set on /var partition" - "1.1.3.4 | PATCH | Ensure nosuid option set on /var partition" - mount: + "1.1.3.3 | PATCH | Ensure nosuid option set on /var partition" + ansible.builtin.mount: name: /var src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -56,15 +54,13 @@ - item.mount == "/var" - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 or - rhel9cis_rule_1_1_3_4 + rhel9cis_rule_1_1_3_3 tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 - - rule_1.1.3.4 + diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index d05db6a2..742a5d71 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -4,7 +4,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp" block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined 
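Review bot: The rewritten `opts:` line for /var ends with `nosuid,{% endif %}`, so whenever rule 1.1.3.3 is enabled the rendered option string carries a trailing comma (`defaults,nodev,nosuid,`) that is written into /etc/fstab by `ansible.builtin.mount`; `{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %}` terminates the list the way the other mount tasks in this commit do. The same trailing comma is introduced in the /home `opts:` line in cis_1.1.7.x.yml. If the nodev-only case (`defaults,nodev,`) also matters, building the value as a list and joining it, `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_3_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_3_3 else [])) | join(',') }}"`, avoids the problem for every combination. The second hunk also adds a blank `+` line after `- rule_1.1.3.3` at end of file, which looks unintentional.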
@@ -12,14 +12,14 @@ - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_tmp_mount_present when: @@ -31,7 +31,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.4.1 @@ -41,12 +40,12 @@ "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition" "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition" "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition" - mount: + ansible.builtin.mount: name: /var/tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -62,7 +61,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index dd4ab9f3..0fa245bd 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
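Review bot: The rewritten `opts:` line for /var/tmp gates `nodev` on `rhel9cis_rule_1_1_4_3` a second time, while the task name maps 1.1.4.4 to nodev; as written `rhel9cis_rule_1_1_4_4` never influences the mount options and disabling 1.1.4.3 silently drops nodev as well. The last clause should read `{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}`. The `when:` list for this task lies outside the hunk, so it is worth checking that it still references rule 1.1.4.4.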
@@ -3,7 +3,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log" block: - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_mount_absent changed_when: var_log_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_log_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.5.1 @@ -40,12 +39,12 @@ "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition" "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition" - mount: + ansible.builtin.mount: name: /var/log src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -61,7 +60,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index afbe41a4..a496f438 100644 --- a/tasks/section_1/cis_1.1.6.x.yml 
+++ b/tasks/section_1/cis_1.1.6.x.yml @@ -3,7 +3,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit" block: - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_audit_mount_absent changed_when: var_log_audit_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_log_audit_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.6.1 @@ -39,7 +38,7 @@ "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition" "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition" "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition" - mount: + ansible.builtin.mount: name: /var/log/audit src: "{{ item.device }}" fstype: "{{ item.fstype }}" @@ -60,7 +59,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 59f28ba3..dc9ea6a0 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -3,7 +3,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent changed_when: home_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: home_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.7.1 @@ -38,15 +37,13 @@ - name: | "1.1.7.2 | PATCH | Ensure nodev option set on /home partition - 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition - 1.1.7.4 | PATCH | Ensure usrquota option set on /home partition - 1.1.7.5 | PATCH | Ensure grpquota option set on /home partition" - mount: + 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition" + ansible.builtin.mount: name: /home src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -57,13 +54,10 @@ - item.mount == "/home" - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_3 or - rhel9cis_rule_1_1_7_4 or - rhel9cis_rule_1_1_7_5 + rhel9cis_rule_1_1_7_3 tags: - level1-server - level1-workstation - - automated - patch - mounts - rule_1.1.7.2 diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 26ae8774..c9a6394a 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -1,43 +1,61 @@ --- # Skips if mount is absent -- name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition" block: - - name: | - "1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_8_x_dev_shm_status + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: home_mount_absent + changed_when: home_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + + - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.8.1' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: + - required_mount not in mount_names - - name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option - 1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option - 1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" - notify: change_requires_reboot + - name: "1.1.8.1 | 
AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.debug: + msg: "Congratulations: {{ required_mount }} exists." + register: home_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/dev/shm' when: - - rhel9cis_rule_1_1_8_1 or - rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_3 + - rhel9cis_rule_1_1_8_1 tags: - level1-server - level1-workstation - - automated - - patch + - audit - mounts - rule_1.1.8.1 + - skip_ansible_lint + +- name: | + "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option + 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option + 1.1.8.4 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" + ansible.builtin.mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + state: mounted + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} + notify: change_requires_reboot + when: + - rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 or + rhel9cis_rule_1_1_8_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.8.2 - rule_1.1.8.3 + - rule_1.1.8.4 diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index ea5c8622..77cbf0fa 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
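Review bot: The new 1.1.8.1 block is copied from the /home task without updating its strings and registers: the Warn Count and Present sub-tasks are still named `Ensure separate partition exists for /home`, the results are registered as `home_mount_absent`/`home_mount_present`, which the 1.1.7.1 tasks in cis_1.1.7.x.yml also register, and the parent name misspells `sepretae`. Registering `dev_shm_mount_absent`/`dev_shm_mount_present` and naming the sub-tasks `Ensure /dev/shm is a separate partition | ...` keeps the facts distinct from the /home ones. In the new mount task the name lines are crossed: 1.1.8.3 is described as noexec but labelled `Set nosuid option`, and 1.1.8.4 the reverse, while the `opts:` template ties 1_1_8_3 to noexec and 1_1_8_4 to nosuid. The `skip_ansible_lint` tag added to the audit block has no visible justification in the hunk.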
@@ -1,26 +1,9 @@ --- -- name: "1.1.9 | PATCH | Disable Automounting" - service: - name: autofs - enabled: false - when: - - not rhel9cis_allow_autofs - - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_9 - tags: - - level1-server - - level2-workstation - - automated - - patch - - mounts - - automounting - - rule_1.1.9 - -- name: "1.1.10 | PATCH | Disable USB Storage" +- name: "1.1.9 | PATCH | Disable USB Storage" block: - - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" - lineinfile: + - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" @@ -29,12 +12,12 @@ group: root mode: 0600 - - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" - modprobe: + - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" + ansible.builtin.modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_10 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation @@ -42,4 +25,4 @@ - patch - mounts - removable_storage - - rule_1.1.10 + - rule_1.1.9 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 19ddc3f3..1b0d2a28 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,7 +1,7 @@ --- - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" - shell: | + ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies notify: change_requires_reboot @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9445d151..9a1a6c2f 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -1,54 +1,35 @@ --- -- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" - redhat_subscription: - state: present - username: "{{ rhel9cis_rh_sub_user }}" - password: "{{ rhel9cis_rh_sub_password }}" - auto_attach: true - no_log: true - when: - - ansible_distribution == "RedHat" - - rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.2.1 - - skip_ansible_lint # Added as no_log still errors on ansuible-lint - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" +- name: "1.2.1 | AUDIT | Ensure GPG keys are configured" block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" - shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false register: os_installed_pub_keys - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" - shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys" + ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" changed_when: false failed_when: false register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" - debug: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys pass" + ansible.builtin.debug: msg: "Congratulations !! 
- The installed gpg keys match expected values" when: - os_installed_pub_keys.rc == 0 - os_gpg_key_check.rc == 0 - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail" - fail: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" + ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or keys installed that are not expected when: - os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1 when: - - rhel9cis_rule_1_2_2 + - rhel9cis_rule_1_2_1 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" or ansible_distribution == "AlmaLinux" @@ -57,19 +38,19 @@ - level1-workstation - manual - patch - - rule_1.2.2 + - rule_1.2.1 -- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" - find: + - name: "1.2.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false - - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" - replace: + - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" 
@@ -78,35 +59,63 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_3 + - rhel9cis_rule_1_2_2 tags: - level1-server - level1-workstation - automated - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" +- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - command: dnf repolist + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" + ansible.builtin.command: dnf repolist changed_when: false failed_when: false register: dnf_configured check_mode: false - args: - warn: false - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" - debug: + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Display repo list" + ansible.builtin.debug: msg: - "Warning!! Below are the configured repos. 
Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" - set_fact: - control_number: "{{ control_number }} + ['rule_1.2.4']" + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + ['rule_1.2.3']" warn_count: "{{ warn_count | int + 1 }}" + when: + - rhel9cis_rule_1_2_3 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.3 + - skip_ansible_lint + +- name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated" + block: + - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf" + ansible.builtin.lineinfile: + path: /etc/dnf/dnf.conf + regexp: '^repo_gpgcheck' + line: repo_gpgcheck 1 + + - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" + ansible.builtin.find: + path: /etc/yum.repos.d + patterns: '*.repo' + register: repo_files + + - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^repo_gpgcheck' + line: repo_gpgcheck=1 + loop: "{{ repo_files.files }}" when: - rhel9cis_rule_1_2_4 tags: @@ -115,4 +124,3 @@ - manual - audit - rule_1.2.4 - - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 4dd7bcdb..1fce7fa7 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
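Review bot: The new 1.2.4 block is broken on both of its writes: `line: repo_gpgcheck 1` has no `=`, so /etc/dnf/dnf.conf receives a line dnf will reject or ignore, and the repo-file loop hands `find` result dicts to `path: "{{ item }}"` instead of `item.path`, so lineinfile fails on a dict-shaped path. Change them to `line: repo_gpgcheck=1` and `path: "{{ item.path }}"`; the block name and tags also still say AUDIT/manual although every task inside is a PATCH. One caveat a practitioner will want as a comment in the block: `repo_gpgcheck=1` makes dnf demand a signed repomd.xml, and as far as I know Red Hat's CDN repositories do not ship signed metadata, so this can break `dnf` on subscribed RHEL hosts — consider gating it behind a variable, as the crypto-policy controls are gated for EC2.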
@@ -3,12 +3,12 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed" block: - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: + ansible.builtin.package: name: aide state: present - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 @@ -22,13 +22,12 @@ tags: - level1-server - level1-workstation - - automated - aide - patch - rule_1.3.1 - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - cron: + ansible.builtin.cron: name: Run AIDE integrity check cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" user: "{{ rhel9cis_aide_cron['cron_user'] }}" @@ -44,8 +43,24 @@ tags: - level1-server - level1-workstation - - automated - aide - file_integrity - patch - rule_1.3.2 + +- name: "1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + ansible.builtin.template: + src: etc/aide.conf.d/crypt_audit_procs.conf.j2 + dest: /etc/aide.conf.d/crypt_audit_procs.conf + owner: root + group: 0640 + when: + - rhel9cis_rule_1_3_2 + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index cdad67fe..61174d2f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -1,7 +1,7 @@ --- - name: "1.4.1 | PATCH | Ensure bootloader password is set" - copy: + ansible.builtin.copy: dest: /boot/grub2/user.cfg content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root @@ -14,7 +14,6 @@ tags: - level1-server - level1-workstation - - automated - grub - patch - rule_1.4.1 
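Review bot: The added 1.3.3 task has `group: 0640` where `mode` was clearly intended, and is gated on `rhel9cis_rule_1_3_2` instead of `rhel9cis_rule_1_3_3`, so the rule cannot be toggled on its own and the rendered file lands with a numeric gid and default-umask permissions. Use `group: root`, `mode: '0640'` and `- rhel9cis_rule_1_3_3`, and add the `| PATCH |` marker the neighbouring task names carry. /etc/aide.conf is not visible here; confirm it actually includes /etc/aide.conf.d/ (an `@@x_include` line on RHEL 9, I believe), otherwise the dropped-in file is never read and the control is silently a no-op.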
@@ -22,51 +21,21 @@ - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - file: + ansible.builtin.file: path: /boot/grub2/grub.cfg owner: root group: root mode: 0600 + loop: + - grub.cfg + - grubenv + - user.cfg - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - with_items: - - "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" when: - rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation - - automated - grub - patch - rule_1.4.2 - -- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" - lineinfile: - path: /etc/systemd/system/rescue.service.d/00-require-auth.conf - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: true - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 031ba5c8..d0259810 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,7 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure core dump storage is disabled" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' @@ -12,12 +12,11 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.5.1 - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' line: 'ProcessSizeMax=0' 
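Review bot: The 1.4.2 loop never uses its item: `path` is still the literal `/boot/grub2/grub.cfg`, so the task runs three times against grub.cfg while grubenv and user.cfg — the file holding the GRUB2 password hash written by 1.4.1 — keep whatever permissions they had. Change it to `path: "/boot/grub2/{{ item }}"` and add `loop_control: label: "{{ item }}"` for readable output. On UEFI hosts the live configuration lives under /boot/efi, and with the mount-options task gone nothing in this file touches that path any more; worth confirming against the benchmark which paths 1.4.2 is expected to cover on RHEL 9.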
@@ -26,7 +25,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_1.5.2 @@ -34,17 +32,17 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" block: - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - set_fact: + ansible.builtin.set_fact: sysctl_update: true + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" when: - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 9a8d1347..bfb9c915 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -1,7 +1,7 @@ --- - name: "1.6.1.1 | PATCH | Ensure SELinux is installed" - package: + ansible.builtin.package: name: libselinux state: present when: @@ -14,10 +14,13 @@ - rule_1.6.1.1 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: + ansible.builtin.replace: dest: /etc/default/grub - regexp: 'selinux=0' + regexp: '{{ item }}' replace: '' + loop: + - selinux=0 + - enforcing=0 register: selinux_grub_patch ignore_errors: true # noqa ignore-errors notify: grub2cfg @@ -32,10 +35,10 @@ # State set to enforcing because control 1.6.1.5 requires enforcing to be set - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" - selinux: + ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing + state: "{{ rhel9cis_selinux_enforce }}" when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 
@@ -47,78 +50,95 @@ - patch - rule_1.6.1.3 -- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing" - selinux: +- name: "1.6.1.4 | PATCH | Ensure the SELinux state is not disabled" + ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing + state: "{{ rhel9cis_selinux_enforce }}" when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - selinux + - patch + - rule_1.6.1.4 + +- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" + ansible.posix.selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: enforcing + when: + - not rhel9cis_selinux_disable + - rhel9cis_selinux_enforce == 'enforcing' + - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation - automated - selinux - patch - - rule_1.6.1.4 + - rule_1.6.1.5 -- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist" +- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" block: - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_6_1_5_unconf_services + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + register: rhelcis_1_6_1_6_unconf_services failed_when: false changed_when: false - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" - debug: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + ansible.builtin.debug: msg: "Good News! 
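Review bot: 1.6.1.3 now takes its state from `rhel9cis_selinux_enforce`, but the comment kept directly above it still says the state is hard-set to enforcing, and the `not rhel9cis_selinux_disable` guard does not stop a value of `disabled` in that variable from disabling SELinux through this task. Update the comment to `# State follows rhel9cis_selinux_enforce; 1.6.1.5 separately forces enforcing` and validate the variable once, early, with something like `when: rhel9cis_selinux_enforce in ['enforcing', 'permissive']` or an assert in the prelim tasks. The task's `when`/`tags` continue past the end of this hunk.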
There are no services found on your system" - when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" - debug: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" - when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" - set_fact: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" warn_count: "{{ warn_count | int + 1 }}" - when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_5 + - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation - automated - audit - services - - rule_1.6.1.5 + - rule_1.6.1.6 -- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed" - package: +- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" + ansible.builtin.package: name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - automated - selinux - patch - - rule_1.6.1.6 + - rule_1.6.1.7 -- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: +- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + ansible.builtin.package: name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation - automated - patch - - rule_1.6.1.7 + - 
rule_1.6.1.8 diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1ee55791..a66cb6ce 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,7 +1,7 @@ --- - name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - template: + ansible.builtin.template: src: etc/motd.j2 dest: /etc/motd owner: root @@ -12,13 +12,12 @@ tags: - level1-server - level1-workstation - - automated - banner - patch - rule_1.7.1 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - template: + ansible.builtin.template: src: etc/issue.j2 dest: /etc/issue owner: root @@ -29,12 +28,11 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.7.2 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - template: + ansible.builtin.template: src: etc/issue.net.j2 dest: /etc/issue.net owner: root @@ -45,13 +43,12 @@ tags: - level1-server - level1-workstation - - automated - banner - patch - rule_1.7.3 - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - file: + ansible.builtin.file: dest: /etc/motd state: file owner: root @@ -62,13 +59,12 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.4 - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - file: + ansible.builtin.file: dest: /etc/issue state: file owner: root @@ -79,13 +75,12 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.5 - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: + ansible.builtin.file: dest: /etc/issue.net state: file owner: root @@ -96,7 +91,6 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.6 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index f47d2a1e..fe690c50 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
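Review bot: The unconfined-services warning still reads the old register: the shell task now registers `rhelcis_1_6_1_6_unconf_services`, but the unchanged context line `msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"` was not renamed, so the play fails on an undefined variable exactly when unconfined services are found — the case the control exists to report. The warn-count set_fact likewise still appends `'rule_1.6.1.5'` to `control_number`. Rename both to `rhelcis_1_6_1_6_unconf_services.stdout_lines` and `'rule_1.6.1.6'`.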
@@ -1,7 +1,7 @@ --- - name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" - package: + ansible.builtin.package: name: gdm state: absent when: @@ -16,7 +16,7 @@ - rule_1.8.1 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -45,8 +45,8 @@ - gdm - rule_1.8.2 -- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled" - lineinfile: +- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" + ansible.builtin.lineinfile: path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -72,24 +72,8 @@ - gui - rule_1.8.3 -- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled" - lineinfile: - path: /etc/gdm/custom.conf - regexp: 'Enable=true' - state: absent - when: - - rhel9cis_rule_1_8_4 - - rhel9cis_gui - tags: - - level1-server - - level1-workstation - - automated - - patch - - gui - - rule_1.8.4 - -- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" - lineinfile: +- name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-media-automount regexp: "{{ item.regex }}" line: "{{ item.line }}" @@ -103,7 +87,7 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel9cis_rule_1_8_5 + - rhel9cis_rule_1_8_6 - rhel9cis_gui tags: - level1-server @@ -111,4 +95,21 @@ - automated - patch - gui - - rule_1.8.5 + - rule_1.8.6 + + +- name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" + ansible.builtin.lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent + when: + - rhel9cis_rule_1_8_10 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.4 
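Review bot: The relocated 1.8.10 XDMCP task is gated on `rhel9cis_rule_1_8_10` but still tagged `rule_1.8.4`, so `--tags rule_1.8.10` skips it and `--tags rule_1.8.4` runs the wrong control; change the tag to `- rule_1.8.10`. Separately, `regexp: 'Enable=true'` is unanchored and `state: absent` deletes every matching line in /etc/gdm/custom.conf — as far as I know GDM also uses `AutomaticLoginEnable=true` and `TimedLoginEnable=true` there, which this pattern matches as well. Anchor it, `regexp: '^\s*Enable\s*=\s*true'`, or better drive the `[xdmcp]` section with an ini-aware module so only the XDMCP key is touched.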
diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 42c27b1e..37ede1b9 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,7 +1,7 @@ --- - name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - package: + ansible.builtin.package: name: "*" state: latest notify: change_requires_reboot @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.9 - skip_ansible_lint From 50e24dfac11e6215fd9ea4be13c1b3e7b8a49429 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Jan 2023 16:30:02 +0000 Subject: [PATCH 264/454] v1.0.0 updates Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 7 +- tasks/section_2/cis_2.2.x.yml | 237 ++++++++++++++-------------------- tasks/section_2/cis_2.3.x.yml | 82 ++++-------- tasks/section_2/cis_2.4.yml | 24 ++-- 4 files changed, 139 insertions(+), 211 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 1db81794..43cc2260 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -1,7 +1,7 @@ --- - name: "2.1.1 | PATCH | Ensure time synchronization is in use" - package: + ansible.builtin.package: name: chrony state: present when: @@ -10,14 +10,13 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_2.1.1 - name: "2.1.2 | PATCH | Ensure chrony is configured" block: - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" - template: + ansible.builtin.template: src: etc/chrony.conf.j2 dest: /etc/chrony.conf owner: root @@ -25,7 +24,7 @@ mode: 0644 - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 6a195ca8..4f1be785 100644 --- a/tasks/section_2/cis_2.2.x.yml 
+++ b/tasks/section_2/cis_2.2.x.yml @@ -1,54 +1,38 @@ --- -- name: "2.2.1 | PATCH | Ensure xinetd is not installed" - package: - name: xinetd - state: absent - when: - - rhel9cis_rule_2_2_1 - - not rhel9cis_xinetd_server - - "'xinetd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.1 -- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed" - package: +- name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed" + ansible.builtin.package: name: xorg-x11-server-common state: absent when: - - rhel9cis_rule_2_2_2 + - rhel9cis_rule_2_2_1 - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server - - automated - patch - x11 - - rule_2.2.2 + - rule_2.2.1 -- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" - package: +- name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" + ansible.builtin.package: name: - avahi-autoipd - avahi state: absent when: - - rhel9cis_rule_2_2_3 + - rhel9cis_rule_2_2_2 - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - level2-workstation - - automated - patch - avahi - - rule_2.2.3 + - rule_2.2.2 -- name: "2.2.4 | PATCH | Ensure CUPS is not installed" - package: +- name: "2.2.3 | PATCH | Ensure CUPS is not installed" + ansible.builtin.package: name: cups state: absent when: 
@@ -57,124 +41,102 @@ - rhel9cis_rule_2_2_3 tags: - level1-server - - automated - patch - cups - rule_2.2.3 -- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" - package: +- name: "2.2.4 | PATCH | Ensure DHCP Server is not installed" + ansible.builtin.package: name: dhcp-server state: absent when: - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_5 + - rhel9cis_rule_2_2_4 tags: - level1-server - level1-workstation - - automated - patch - dhcp - - rule_2.2.5 + - rule_2.2.4 -- name: "2.2.6 | PATCH | Ensure DNS Server is not installed" - package: +- name: "2.2.5 | PATCH | Ensure DNS Server is not installed" + ansible.builtin.package: name: bind state: absent when: - not rhel9cis_dns_server - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 + - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation - - automated - patch - dns - - rule_2.2.6 - -- name: "2.2.7 | PATCH | Ensure FTP Server is not installed" - package: - name: ftp - state: absent - when: - - not rhel9cis_ftp_server - - "'ftp' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ftp - - rule_2.2.7 + - rule_2.2.5 -- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" - package: +- name: "2.2.6 | PATCH | Ensure VSFTP Server is not installed" + ansible.builtin.package: name: vsftpd state: absent when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_8 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation - - automated - patch - vsftpd - - rule_2.2.8 + - rule_2.2.6 -- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" - package: +- name: "2.2.7 | PACH | Ensure TFTP Server is not installed" + ansible.builtin.package: name: tftp-server state: absent when: - not rhel9cis_tftp_server - "'tftp-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_9 + - rhel9cis_rule_2_2_7 tags: - level1-server - 
level1-workstation - - automated - patch - tftp - - rule_2.2.9 + - rule_2.2.7 -- name: "2.2.10 | PATCH | Ensure a web server is not installed" +- name: "2.2.8 | PATCH | Ensure a web server is not installed" block: - - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server" - package: + - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove httpd server" + ansible.builtin.package: name: httpd state: absent when: - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" - package: + - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove nginx server" + ansible.builtin.package: name: nginx state: absent when: - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel9cis_rule_2_2_10 + - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation - - automated - patch - httpd - nginx - webserver - - rule_2.2.9 + - rule_2.2.8 -- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" +- name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" block: - - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" - package: + - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" + ansible.builtin.package: name: - dovecot state: absent @@ -182,8 +144,8 @@ - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" - - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" - package: + - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" + ansible.builtin.package: name: - cyrus-imapd state: absent 
@@ -192,99 +154,94 @@ - "'cyrus-imapd' in ansible_facts.packages" when: - - rhel9cis_rule_2_2_11 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation - - automated - patch - dovecot - imap - pop3 - - rule_2.2.11 + - rule_2.2.9 -- name: "2.2.12 | PATCH | Ensure Samba is not enabled" - package: +- name: "2.2.10 | PATCH | Ensure Samba is not enabled" + ansible.builtin.package: name: samba state: absent when: - not rhel9cis_samba_server - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 + - rhel9cis_rule_2_2_10 tags: - level1-server - level1-workstation - - automated - patch - samba - - rule_2.2.12 + - rule_2.2.10 -- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" - package: +- name: "2.2.11 | PATCH | Ensure HTTP Proxy Server is not installed" + ansible.builtin.package: name: squid state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 + - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation - - automated - patch - squid - - rule_2.2.13 + - rule_2.2.11 -- name: "2.2.14 | PATCH | Ensure net-snmp is not installed" - package: +- name: "2.2.12 | PATCH | Ensure net-snmp is not installed" + ansible.builtin.package: name: net-snmp state: absent when: - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_2_14 + - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation - - automated - patch - snmp - - rule_2.2.14 + - rule_2.2.12 -- name: "2.2.15 | PATCH | Ensure NIS Server is not installed" - package: - name: ypserv +- name: "2.2.13 | PATCH | Ensure telnet-server is not installed" + ansible.builtin.package: + name: telnet-server state: absent when: - - not rhel9cis_nis_server - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 + - not rhel9cis_telnet_server + - "'telnet-server' in ansible_facts.packages" + - rhel9cis_rule_2_2_13 tags: - level1-server - level1-workstation - - automated - patch - - nis - - 
rule_2.2.17 + - telnet + - rule_2.2.13 -- name: "2.2.16 | PATCH | Ensure telnet-server is not installed" - package: - name: telnet-server +- name: "2.2.14 | PATCH | Ensure dnsmasq is not installed" + ansible.builtin.package: + name: dnsmasq state: absent + notify: restart postfix when: - - not rhel9cis_telnet_server - - "'telnet-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 + - not rhel9cis_is_mail_server + - "'dnsmasq' in ansible_facts.packages" + - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation - - automated - patch - - telnet - - rule_2.2.16 + - dnsmasq + - rule_2.2.14 -- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" - lineinfile: +- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" + ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" 
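Review bot: The new 2.2.14 dnsmasq task is gated on `not rhel9cis_is_mail_server` and notifies `restart postfix`, which looks copied from the MTA control that follows: dnsmasq has nothing to do with postfix, and the practical effect is that any host declared a mail server silently keeps dnsmasq installed. Give it its own switch (e.g. `- not rhel9cis_dnsmasq_required`, declared in defaults next to the other `*_server` flags) and drop the `notify:` line.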
@@ -292,29 +249,28 @@ when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 + - rhel9cis_rule_2_2_15 tags: - level1-server - level1-workstation - - automated - patch - postfix - - rule_2.2.17 + - rule_2.2.15 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" +- name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" block: - - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" - package: + - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" + ansible.builtin.package: name: nfs-utils state: absent when: - not rhel9cis_use_nfs_server - not rhel9cis_use_nfs_service - - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" - systemd: + - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" + ansible.builtin.systemd: name: nfs-server masked: true state: stopped 
@@ -323,30 +279,29 @@ - rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_18 + - rhel9cis_rule_2_2_16 tags: - level1-server - level1-workstation - - automated - patch - nfs - services - - rule_2.2.18 + - rule_2.2.16 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" +- name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" block: - - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" - package: + - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" + ansible.builtin.package: name: rpcbind state: absent when: - not rhel9cis_use_rpc_server - not rhel9cis_use_rpc_service - - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" - systemd: + - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" + ansible.builtin.systemd: name: rpcbind.socket masked: true state: stopped 
@@ -355,29 +310,28 @@ - not rhel9cis_use_rpc_service when: - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_19 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation - - automated - patch - rpc - - rule_2.2.19 + - rule_2.2.17 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " +- name: "2.2.18 | PATCH | Ensure rsync service is not enabled " block: - - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package" - package: - name: rsync + - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package" + ansible.builtin.package: + name: rsync-daemon state: absent when: - not rhel9cis_use_rsync_server - not rhel9cis_use_rsync_service - - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" - systemd: + - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" + ansible.builtin.systemd: name: rsyncd masked: true state: stopped @@ -386,11 +340,10 @@ - not rhel9cis_use_rsync_service when: - "'rsync' in ansible_facts.packages" - - rhel9cis_rule_2_2_20 + - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation - - automated - patch - rsync - - rule_2.2.20 + - rule_2.2.18 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index a1941da8..38f24c03 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml 
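Review bot: 2.2.18 now removes `rsync-daemon`, but the block is still guarded by `"'rsync' in ansible_facts.packages"`, so the rsync client alone triggers it and the `rsyncd` mask/stop step runs even when no daemon package (and so, presumably, no rsyncd unit) is installed, which the systemd module may fail on. Guard on the daemon package instead: `- "'rsync-daemon' in ansible_facts.packages"`. The outer task name still reads "Ensure rsync service is not enabled" while the inner remove-package task was renamed to the benchmark wording; align the two.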
@@ -1,97 +1,65 @@ --- -- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" - package: - name: ypbind +- name: "2.3.1 | PATCH | Ensure telnet client is not installed" + ansible.builtin.package: + name: telnet state: absent when: - - not rhel9cis_ypbind_required - - "'ypbind' in ansible_facts.packages" + - not rhel9cis_telnet_required + - "'telnet' in ansible_facts.packages" - rhel9cis_rule_2_3_1 tags: - level1-server - level1-workstation - automated - patch - - nis + - telnet - rule_2.3.1 -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" - package: - name: rsh +- name: "2.3.2 | PATCH | Ensure LDAP client is not installed" + ansible.builtin.package: + name: openldap-clients state: absent when: - - not rhel9cis_rsh_required - - "'rsh' in ansible_facts.packages" + - not rhel9cis_openldap_clients_required + - "'openldap-clients' in ansible_facts.packages" - rhel9cis_rule_2_3_2 tags: - level1-server - - level2-server + - level1-workstation - automated - patch - - rsh + - ldap - rule_2.3.2 -- name: "2.3.3 | PATCH | Ensure talk client is not installed" - package: - name: talk +- name: "2.3.3 | PATCH | Ensure TFTP client is not installed" + ansible.builtin.package: + name: tftp state: absent when: - - not rhel9cis_talk_required - - "'talk' in ansible_facts.packages" + - not rhel9cis_tftp_client + - "'tftp' in ansible_facts.packages" - rhel9cis_rule_2_3_3 tags: - level1-server - level1-workstation - automated - patch - - talk + - tftp - rule_2.3.3 -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" - package: - name: telnet +- name: "2.3.4 | PATCH | Ensure FTP client is not installed" + ansible.builtin.package: + name: ftp state: absent when: - - not rhel9cis_telnet_required - - "'telnet' in ansible_facts.packages" + - not rhel9cis_tftp_client + - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_3_4 tags: - level1-server - level1-workstation - automated - patch - - telnet + - ftp - rule_2.3.4 - -- name: "2.3.5 | PATCH | Ensure LDAP client 
is not installed" - package: - name: openldap-clients - state: absent - when: - - not rhel9cis_openldap_clients_required - - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ldap - - rule_2.3.5 - -- name: "2.3.6 | PATCH | Ensure TFTP client is not installed" - package: - name: tftp - state: absent - when: - - not rhel9cis_tftp_client - - "'tftp' in ansible_facts.packages" - - rhel9cis_rule_2_3_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - tftp - - rule_2.3.6 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 3373e543..a59184bb 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml 
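Review bot: The new 2.3.4 task removes the `ftp` package but is gated on `- not rhel9cis_tftp_client`, the same variable the 2.3.3 TFTP task uses, so an operator who needs one client but not the other cannot express that and the control is silently coupled to the wrong setting. Give 2.3.4 its own toggle (for example a new `rhel9cis_ftp_client` default mirroring `rhel9cis_tftp_client`) and gate on that instead. If `rhel9cis_rsh_required`, `rhel9cis_talk_required` and `rhel9cis_ypbind_required` are still declared in defaults they are now unreferenced by this file and can be retired.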
@@ -1,23 +1,31 @@ --- -- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" +- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked" block: - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services" - shell: systemctl list-units --type=service + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of services" + ansible.builtin.shell: systemctl list-units --type=service changed_when: false failed_when: false check_mode: false register: rhel9cis_2_4_services - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" - debug: + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets" + ansible.builtin.shell: systemctl list-units --type=sockets + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_2_4_sockets + + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Display list of services" + ansible.builtin.debug: msg: - - "Warning!! Below are the list of services, both active and inactive" + - "Warning!! Below are the list of services and sockets, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" + - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" - set_fact: + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" + ansible.builtin.set_fact: control_number: "{{ control_number }} + ['rule_2.4']" warn_count: "{{ warn_count | int + 1 }}" when: From cb0dd58df54ae1804bedf56a7f039e78634de803 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:18:45 +0000 Subject: [PATCH 265/454] updated for v1.0.0 
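Review bot: The new socket enumeration runs `systemctl list-units --type=sockets`, but the systemd unit type is singular, so systemctl rejects it as an unknown unit type; with `failed_when: false` the error is swallowed and `rhel9cis_2_4_sockets.stdout_lines` is silently empty, so the audit never actually shows the listening sockets it was extended to cover. Change it to `ansible.builtin.shell: systemctl list-units --type=socket`. Neither command uses shell features, so `ansible.builtin.command` would do here as well. The block's closing `when` continues past the end of the hunk.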
Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 77 +++----- tasks/section_3/cis_3.2.x.yml | 2 - tasks/section_3/cis_3.3.x.yml | 44 ++--- tasks/section_3/cis_3.4.1.x.yml | 149 +++------------- tasks/section_3/cis_3.4.2.yml | 301 ++++++++++++++++++++++++++++++++ 5 files changed, 375 insertions(+), 198 deletions(-) create mode 100644 tasks/section_3/cis_3.4.2.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ebe43257..68da3407 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -2,14 +2,14 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use -- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" +- name: "3.1.1 | PATCH | Ensure IPv6 status is identified" block: - - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" set_fact: sysctl_update: true flush_ipv6_route: true - - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: 
@@ -24,72 +24,49 @@ - networking - rule_3.1.1 -- name: "3.1.2 | PATCH | Ensure SCTP is disabled" - template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" - owner: root - group: root - with_items: - - sctp - when: - - rhel9cis_rule_3_1_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - sctp - - rule_3.1.2 - -- name: "3.1.3 | PATCH | Ensure DCCP is disabled" - template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" - owner: root - group: root - with_items: - - dccp - when: - - rhel9cis_rule_3_1_3 - tags: - - level2-server - - level2-workstation - - automated - - dccp - - patch - - rule_3.1.3 - -- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" +- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" command: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false - args: - warn: false register: rhel_08_nmcli_available - - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" command: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" command: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed when: - - rhel9cis_rule_3_1_4 + - rhel9cis_rule_3_1_2 tags: - level1-server - - automated - patch - wireless - - 
rule_3.1.4 + - rule_3.1.2 + +- name: "3.1.3 | PATCH | Ensure TIPC is disabled" + template: + src: "etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - tipc + when: + - rhel9cis_rule_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - tipc + - rule_3.1.3 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 6e07c551..708deb80 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -28,7 +28,6 @@ tags: - level1-server - level1-workstation - - automated - sysctl - patch - rule_3.2.1 @@ -48,7 +47,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_3.2.2 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index b78593e8..84363e7c 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -3,21 +3,21 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" - set_fact: + ansible.builtin.set_fact: flush_ipv6_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: 
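Review bot: The new 3.1.3 TIPC task and the renumbered 3.1.2 tasks keep short module names (`template:`, `command:`) while cis_3.3.x.yml in this same commit moves to `ansible.builtin.*` FQCNs; `ansible.builtin.template` and `ansible.builtin.command` here would keep the role consistent. The nmcli availability check still shells out to `rpm -q NetworkManager` even though the role already consults `ansible_facts.packages` (for example the rpcbind and rsync gates in section 2); if package facts are gathered before section 3, `when: "'NetworkManager' in ansible_facts.packages"` on the wifi tasks would replace that command task. The `rhel_08_*` register names in a rhel9 role are pre-existing but worth renaming while the block is being touched.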
@@ -32,22 +32,22 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - set_fact: + ansible.builtin.set_fact: flush_ipv6_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: @@ -62,12 +62,12 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" block: - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_3 @@ -81,12 +81,12 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" block: - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_4 
@@ -100,12 +100,12 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" block: - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_5 @@ -119,12 +119,12 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" block: - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_6 @@ -138,12 +138,12 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" block: - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_7 @@ -157,12 +157,12 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" block: - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_8 
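Review bot: The 3.3.5 debug task name, a context line in this hunk and so not introduced here, is missing its opening double quote: `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"` parses as a plain scalar ending in a literal `"`, so the task title is displayed with a stray quote. Since the adjacent line is already being changed for the FQCN move, fix it to `- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"`. The 3.3.5 block's tags continue past the end of the hunk.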
@@ -176,12 +176,12 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv6_route: true - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" when: - rhel9cis_ipv6_required diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index d43dfe61..9498c97c 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
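Review bot: The 3.3.9 debug message names `/etc/sysctl.d/60-netipv6_sysctl` whereas every sibling task in this file names `/etc/sysctl.d/60-netipv6_sysctl.conf`; an operator-facing message pointing at the wrong path sends someone looking for a file that does not exist. Change it to `msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"`. The 3.3.9 block's `when` and tags continue past the end of the hunk.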
@@ -1,153 +1,54 @@ --- -- name: "3.4.1.1 | PATCH | Ensure firewalld is installed" +- name: "3.4.1.1 | PATCH | Ensure nftables is installed" package: name: - - firewalld - - iptables + - nftables state: present when: - rhel9cis_rule_3_4_1_1 + - rhel9cis_firewall == 'nftables' tags: - level1-server - level1-workstation - - automated - patch - - firewalld + - nftables - rule_3.4.1.1 -- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld" +- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" block: - - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables" systemd: name: "{{ item }}" masked: true with_items: - - iptables - - ip6tables - when: item in ansible_facts.packages + - firewalld + when: + - item in ansible_facts.packages + - rhel9cis_firewall == 'nftables' - - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " - package: - name: iptables-services - state: absent - when: - when: - - rhel9cis_rule_3_4_1_2 - - "'iptables-services' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - firewalld - - rule_3.4.1.2 - -- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" - block: - - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service" + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld" systemd: - name: nftables - state: stopped + name: "{{ item }}" masked: true - when: - - rhel9cis_firewalld_nftables_state == "masked" - - - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed" - package: - name: nftables - state: absent - when: - - rhel9cis_firewalld_nftables_state == "absent" - 
when: - - rhel9cis_rule_3_4_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - firewalld - - rule_3_4_1_3 + with_items: + - nftables + when: + - item in ansible_facts.packages + - rhel9cis_firewall == 'firewalld' -- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running" - systemd: - name: firewalld - state: started - enabled: true - when: - - rhel9cis_rule_3_4_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - firewalld - - rule_3_4_1_4 -- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" - block: - - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" - shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" - changed_when: false - failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) - register: firewalld_zone_set + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" + systemd: + name: "{{ rhel9cis_firewall }}" + enabled: true + state: started - - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - when: - - firewalld_zone_set.rc != 0 when: - - rhel9cis_firewall == "firewalld" - - rhel9cis_rule_3_4_1_5 + - rhel9cis_rule_3_4_1_2 tags: - level1-server - level1-workstation - - automated - patch - firewalld - - rule_3.4.1.5 - -- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone" - block: - - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" - shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_3_4_1_6_interfacepolicy - - - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | 
Get list of interfaces and polocies | Show the interface to policy" - debug: - msg: - - "The items below are the policies tied to the interfaces, please correct as needed" - - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" - when: - - rhel9cis_rule_3_4_1_6 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.4.1.6 - -- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports" - block: - - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_3_4_1_7_servicesport - - - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - debug: - msg: - - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" - when: - - rhel9cis_rule_3_4_1_7 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.4.1.7 + - nftables + - rule_3.4.1.2 diff --git a/tasks/section_3/cis_3.4.2.yml b/tasks/section_3/cis_3.4.2.yml new file mode 100644 index 00000000..7fc873e7 --- /dev/null +++ b/tasks/section_3/cis_3.4.2.yml 
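Review bot: In the new 3.4.1.2 block the two masking tasks set `masked: true` without `state: stopped`, so the non-selected firewall (firewalld when nftables is chosen, nftables when firewalld is chosen) keeps running until the next reboot and both frameworks coexist in the meantime; the removed 3.4.1.3 task did include `state: stopped`. Add `state: stopped` next to `masked: true` in both tasks. The block also starts and enables `{{ rhel9cis_firewall }}` without checking that the variable holds one of the two supported values, and the old firewalld install task has no replacement, so on a host where the chosen framework is not installed (firewalld is typically present on RHEL 9, so this is mostly a minimal-image concern) the start task fails late; an `ansible.builtin.assert` on the variable in prelim, plus an install task mirroring 3.4.1.1 for firewalld, would fail fast. Quoting is also mixed, `'nftables'` here versus `"nftables"` in the new cis_3.4.2.yml.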
@@ -0,0 +1,301 @@ +--- + +- name: "3.4.2.1 | PATCH | Ensure firewalld default zone is set" + block: + - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" + shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" + changed_when: false + failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) + register: firewalld_zone_set + + - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - firewalld_zone_set.rc != 0 + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_2_1 + tags: + - level1-server + - level1-workstation + - patch + - firewalld + - rule_3.4.2.1 + +- name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists" + block: + - name: "3.4.2.2 | AUDIT | Ensure a table exists | Check for tables" + command: nft list tables + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_2_nft_tables + + - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Show existing tables" + debug: + msg: + - "Below are the current nft tables, please review" + - "{{ rhel9cis_3_4_2_2_nft_tables.stdout_lines }}" + when: rhel9cis_3_4_2_2_nft_tables.stdout | length > 0 + + - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables" + debug: + msg: + - "Warning!! You currently have no nft tables, please review your setup" + - 'Use the command "nft create table inet
" to create a new table' + when: + - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: + - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.2 | PATCH | Ensure a table exists | Create table if needed" + command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + failed_when: false + when: rhel9cis_nft_tables_autonewtable + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_2 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.2 + +- name: "3.4.2.3 | PATCH | Ensure nftables base chains exist" + block: + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + shell: nft list ruleset | grep 'hook input' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_3_input_chains + + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + shell: nft list ruleset | grep 'hook forward' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_3_forward_chains + + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_3_output_chains + + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Display chains for review" + debug: + msg: + - "Below are the current INPUT chains" + - "{{ rhel9cis_3_4_2_3_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel9cis_3_4_2_3_forward_chains.stdout_lines }}" + - "Below are teh current OUTPUT chains" + - "{{ rhel9cis_3_4_2_3_output_chains.stdout_lines }}" + when: not 
rhel9cis_nft_tables_autochaincreate + + - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed" + shell: "{{ item }}" + failed_when: false + with_items: + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + when: rhel9cis_nft_tables_autochaincreate + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_3 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.3 + +- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured" + block: + - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather iif lo accept existence | nftables" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_4_iiflo + + - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip saddr existence | nftables" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_4_ipsaddr + + - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip6 saddr existence | nftables" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_4_ip6saddr + + - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set iif lo accept rule | nftables" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_4_iiflo.stdout' + + - name: "3.4.2.4 | PATCH | Ensure host based 
firewall loopback traffic is configured | Set ip sddr rule | nftables" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ipsaddr.stdout' + + - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip6 saddr rule | nftables" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ip6saddr.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_4 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.4 + + +- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" + ansible.posix.firewalld: + rich_rule: "{{ item }}" + zone: "{{ rhel9cis_firewall_zone }}" + permanent: yes + immediate: yes + state: enabled + loop: + - rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop + - rule family="ipv6" source address="::1" destination not address="::1" drop + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_2_4 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.4 + +- name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports" + block: + - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" + shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_3_4_2_5_servicesport + + - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + debug: + msg: + - "The items below are the services and ports that are accepted, please correct as 
needed" + - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" + when: + - rhel9cis_rule_3_4_2_5 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.2.5 + +- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" + block: + - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" + shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_inconnectionrule + + - name: "3.4.2.6| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" + shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_outconnectionrule + + - name: "3.4.2.6| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables 
established connections are configured | Add output tcp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_6 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.6 + +- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy" + block: + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_inputpolicy + + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_forwardpolicy + + - name: "3.4.2.7 | AUDIT | Ensure nftables default 
deny firewall policy | Check for hook output deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_outputpolicy + + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_sshallowcheck + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_7_sshallowcheck.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_7_inputpolicy.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_7_forwardpolicy.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_7_outputpolicy.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_7 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.7 From 77dd593e0f2caff99d90b7e75bba867db5e38148 Mon Sep 17 00:00:00 2001 
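Review bot: The idempotency checks in 3.4.2.4 compare against `"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"` and `"ip6 saddr ::1 counter packets 0 bytes 0 drop"`, but the counters are part of nft's listing and change as soon as one packet is dropped, so on every later run the string no longer matches and a duplicate drop rule is appended; match without the counter values, e.g. `when: '"ip saddr 127.0.0.0/8 counter" not in rhel9cis_3_4_2_4_ipsaddr.stdout'` and `when: '"ip6 saddr ::1 counter" not in rhel9cis_3_4_2_4_ip6saddr.stdout'`. The firewalld loopback task that follows is tagged `nftables` rather than `firewalld`, so a `--tags firewalld` run skips it, and it references `rhel9cis_firewall_zone` while 3.4.2.1 uses `rhel9cis_default_zone`, so confirm both defaults exist or settle on one. In 3.4.2.7 the policy checks look for `priority 0; policy drop;`, but current nft versions print the symbolic `priority filter;` for standard filter chains, so the `nft chain ... { policy drop \; }` commands most likely re-run and report changed every time. The SSH check is similarly fragile: unless nft is invoked with `--service`, it lists the port numerically as `tcp dport 22`, so `grep 'ssh'` and the `tcp dport ssh accept` comparison may never match and another accept rule is appended per run. Because 3.4.2.7 applies `policy drop` to input and output while the `ct state established` accept rules live in 3.4.2.6, enabling `rhel9cis_rule_3_4_2_7` with `rhel9cis_rule_3_4_2_6` disabled cuts off the host's own traffic including the controlling SSH session, so a guard tying the two rules together is worth adding.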
From: Mark Bolwell Date: Tue, 10 Jan 2023 11:19:41 +0000 Subject: [PATCH 266/454] removed arg warn Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 -- tasks/post_remediation_audit.yml | 6 ------ tasks/pre_remediation_audit.yml | 6 ------ tasks/prelim.yml | 8 -------- tasks/section_5/cis_5.2.x.yml | 4 ---- tasks/section_5/cis_5.4.x.yml | 4 ---- 6 files changed, 30 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0d272b15..d6b026a6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -84,8 +84,6 @@ block: - name: "Check su group exists if defined" shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - args: - warn: false register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 4429b7ef..599e1044 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -5,8 +5,6 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation - args: - warn: false - name: Post Audit | ensure audit files readable by users file: @@ -21,8 +19,6 @@ block: - name: "capture data {{ post_audit_outfile }}" shell: "cat {{ post_audit_outfile }}" - args: - warn: false register: post_audit changed_when: false @@ -38,8 +34,6 @@ block: - name: "Post Audit | capture data {{ post_audit_outfile }}" shell: "tail -2 {{ post_audit_outfile }}" - args: - warn: false register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 93c4985f..94e9bcfa 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -76,15 +76,11 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation - args: - warn: false - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" shell: "cat {{ pre_audit_outfile }}" - args: - warn: false register: pre_audit changed_when: false @@ -100,8 +96,6 @@ block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" shell: "tail -2 {{ pre_audit_outfile }}" - args: - warn: false register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 80a273b5..f17d47ce 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -4,8 +4,6 @@ # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" shell: "awk -F: '{print $1}' /etc/passwd" - args: - warn: false changed_when: false check_mode: false register: users @@ -16,8 +14,6 @@ - name: "PRELIM | Gather accounts with empty password fields" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" - args: - warn: false changed_when: false check_mode: false register: empty_password_accounts @@ -28,8 +24,6 @@ - name: "PRELIM | Gather UID 0 accounts other than root" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" - args: - warn: false changed_when: false check_mode: false register: rhel9cis_uid_zero_accounts_except_root @@ -50,8 +44,6 @@ - name: "PRELIM | Gather system-wide crypto-policy" shell: update-crypto-policies --show - args: - warn: false changed_when: false check_mode: false register: system_wide_crypto_policy diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 14484b64..11eca291 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -274,16 +274,12 @@ block: - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd - args: - warn: false changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: false notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 11ddbbd8..fc0f2ade 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -17,8 +17,6 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - args: - warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 @@ -47,8 +45,6 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" - args: - warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 From efc686a742d27b7bb891369331e6dd56749f172e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:20:05 +0000 Subject: [PATCH 267/454] rewritten Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.2.x.yml | 352 -------------------------------- 1 file changed, 352 deletions(-) delete mode 100644 tasks/section_3/cis_3.4.2.x.yml diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml deleted file mode 100644 index ebb3631b..00000000 --- a/tasks/section_3/cis_3.4.2.x.yml +++ /dev/null 
@@ -1,352 +0,0 @@ ---- - -- name: "3.4.2.1 | PATCH | Ensure nftables is installed" - package: - name: nftables - state: present - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.1 - -# The control allows the service it be masked or not installed -# We have chosen not installed -- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - package: - name: firewalld - state: absent - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.2 - -- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables" - block: - - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Stop services" - systemd: - name: "{{ item }}" - enabled: false - masked: true - ignore_errors: true # noqa ignore-errors - with_items: - - iptables - - ip6tables - - - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Remove IPTables" - package: - name: iptables-service - state: absent - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.3 - -- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables" - block: - - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4" - command: iptables -F - - - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6" - command: ip6tables -F - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_4_2_4 - - rhel9cis_firewall != "firewalld" - tags: - - level1-server - - level1-workstation - - manual - - patch - - nftables - - rule_3.4.2.4 - -- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists" - block: - - name: "3.4.2.5 | AUDIT | Ensure a table exists | 
Check for tables" - command: nft list tables - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_5_nft_tables - - - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: - msg: - - "Below are the current nft tables, please review" - - "{{ rhel9cis_3_4_2_5_nft_tables.stdout_lines }}" - when: rhel9cis_3_4_2_5_nft_tables.stdout | length > 0 - - - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: - msg: - - "Warning!! You currently have no nft tables, please review your setup" - - 'Use the command "nft create table inet
" to create a new table' - when: - - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" - command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - failed_when: false - when: rhel9cis_nft_tables_autonewtable - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.5 - -- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist" - block: - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_6_input_chains - - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_6_forward_chains - - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_6_output_chains - - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: - msg: - - "Below are the current INPUT chains" - - "{{ rhel9cis_3_4_2_6_input_chains.stdout_lines }}" - - "Below are the current FORWARD chains" - - "{{ rhel9cis_3_4_2_6_forward_chains.stdout_lines }}" - - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_3_4_2_6_output_chains.stdout_lines 
}}" - when: not rhel9cis_nft_tables_autochaincreate - - - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" - args: - warn: false - failed_when: false - with_items: - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - when: rhel9cis_nft_tables_autochaincreate - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.6 - -- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured" - block: - - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_7_iiflo - - - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_7_ipsaddr - - - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_7_ip6saddr - - - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_7_iiflo.stdout' - - - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr 
rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ipsaddr.stdout' - - - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.7 - -- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured" - block: - - name: "3.4.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_8_inconnectionrule - - - name: "3.4.2.8| AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_8_outconnectionrule - - - name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" - command: nft add rule inet "{{ 
rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept - when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept - when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.3.5 - -- name: "3.4.2.9 | PATCH | Ensure nftables default 
deny firewall policy" - block: - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_inputpolicy - - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_forwardpolicy - - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_outputpolicy - - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_sshallowcheck - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_9_sshallowcheck.stdout' - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_9_inputpolicy.stdout' - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - when: '"type filter hook forward priority 0; policy drop;" not in 
rhel9cis_3_4_2_9_forwardpolicy.stdout' - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.9 - -- name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" - service: - name: nftables - enabled: true - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.3.7 - -- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" - lineinfile: - path: /etc/sysconfig/nftables.conf - state: present - insertafter: EOF - line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.11 From 95ad5fac9d632ba4201b8769d32f033657e2afdd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:20:25 +0000 Subject: [PATCH 268/454] aide template added Signed-off-by: Mark Bolwell --- templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 diff --git a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 new file mode 100644 index 00000000..fb12b297 --- /dev/null +++ b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 
@@ -0,0 +1,7 @@
+# Audit Tools
+/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
From e62e5630b4287ba2a12c6af1d13b19b8d9a63b95 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:38:53 +0000 Subject: [PATCH 269/454] section 4 updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 79 ++++++------ tasks/section_4/cis_4.1.1.x.yml | 70 +++++------ tasks/section_4/cis_4.1.2.x.yml | 3 - tasks/section_4/cis_4.1.3.x.yml | 62 ++++------ tasks/section_4/cis_4.1.4.x.yml | 188 +++++++++++++++++++++++++++++ tasks/section_4/cis_4.2.1.x.yml | 57 ++++----- tasks/section_4/cis_4.2.2.x.yml | 64 ++++------ tasks/section_4/cis_4.2.3.yml | 15 ++- tasks/section_4/cis_4.3.yml | 52 +++----- templates/ansible_vars_goss.yml.j2 | 63 +++++----- 10 files changed, 398 insertions(+), 255 deletions(-) create mode 100644 tasks/section_4/cis_4.1.4.x.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 2cbbbc8f..3436dea2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -71,7 +71,6 @@ audit_cmd_timeout: 60000
 # Section 1 rules
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
-rhel9cis_rule_1_1_1_3: true
 rhel9cis_rule_1_1_2_1: true
 rhel9cis_rule_1_1_2_2: true
 rhel9cis_rule_1_1_2_3: true
@@ -79,7 +78,6 @@ rhel9cis_rule_1_1_2_4: true
 rhel9cis_rule_1_1_3_1: true
 rhel9cis_rule_1_1_3_2: true
 rhel9cis_rule_1_1_3_3: true
-rhel9cis_rule_1_1_3_4: true
 rhel9cis_rule_1_1_4_1: true
 rhel9cis_rule_1_1_4_2: true
 rhel9cis_rule_1_1_4_3: true
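Review bot: Every rule in this template is anchored on `/sbin/`, and on RHEL 9 `/sbin` is a symlink to `/usr/sbin`, so whether AIDE ever evaluates these six entries depends on how the directory walk in the rest of aide.conf treats that symlink — if it records the link instead of descending into it, the audit tools get no integrity coverage and nothing reports the gap. Worth confirming against `aide --check` output after a fresh baseline, or adding the parallel `/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512` set (and siblings) so the real paths are matched either way. The `.j2` suffix is unused, since the file holds no Jinja expressions; it could ship from `files/` as a static asset unless templating is planned. A header line such as `# AIDE rules for the audit tools: perms, inode, link count, owner, group, size, blocks, ACL/xattr and sha512` would spell out what the attribute string enforces.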
@@ -95,26 +93,24 @@ rhel9cis_rule_1_1_6_4: true rhel9cis_rule_1_1_7_1: true rhel9cis_rule_1_1_7_2: true rhel9cis_rule_1_1_7_3: true -rhel9cis_rule_1_1_7_4: true -rhel9cis_rule_1_1_7_5: true rhel9cis_rule_1_1_8_1: true rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_3: true +rhel9cis_rule_1_1_8_4: true rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_21: true rhel9cis_rule_1_1_9: true -rhel9cis_rule_1_1_10: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_4: true rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_2: true +rhel9cis_rule_1_3_3: true rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_2: true -rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true @@ -125,6 +121,7 @@ rhel9cis_rule_1_6_1_4: true rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_7: true +rhel9cis_rule_1_6_1_8: true rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_3: true @@ -136,6 +133,11 @@ rhel9cis_rule_1_8_2: true rhel9cis_rule_1_8_3: true rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true +rhel9cis_rule_1_8_6: true +rhel9cis_rule_1_8_7: true +rhel9cis_rule_1_8_8: true +rhel9cis_rule_1_8_9: true +rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true @@ -160,21 +162,16 @@ rhel9cis_rule_2_2_15: true rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_18: true -rhel9cis_rule_2_2_19: true -rhel9cis_rule_2_2_20: true rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true -rhel9cis_rule_2_3_5: true -rhel9cis_rule_2_3_6: true rhel9cis_rule_2_4: true Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true -rhel9cis_rule_3_1_4: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true rhel9cis_rule_3_3_1: true 
@@ -188,11 +185,6 @@ rhel9cis_rule_3_3_8: true rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true rhel9cis_rule_3_4_1_2: true -rhel9cis_rule_3_4_1_3: true -rhel9cis_rule_3_4_1_4: true -rhel9cis_rule_3_4_1_5: true -rhel9cis_rule_3_4_1_6: true -rhel9cis_rule_3_4_1_7: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true @@ -200,11 +192,6 @@ rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -rhel9cis_rule_3_4_2_8: true -rhel9cis_rule_3_4_2_9: true -rhel9cis_rule_3_4_2_10: true -rhel9cis_rule_3_4_2_11: true - # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -235,6 +222,16 @@ rhel9cis_rule_4_1_3_18: true rhel9cis_rule_4_1_3_19: true rhel9cis_rule_4_1_3_20: true rhel9cis_rule_4_1_3_21: true +rhel9cis_rule_4_1_4_1: true +rhel9cis_rule_4_1_4_2: true +rhel9cis_rule_4_1_4_3: true +rhel9cis_rule_4_1_4_4: true +rhel9cis_rule_4_1_4_5: true +rhel9cis_rule_4_1_4_6: true +rhel9cis_rule_4_1_4_7: true +rhel9cis_rule_4_1_4_8: true +rhel9cis_rule_4_1_4_9: true +rhel9cis_rule_4_1_4_10: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true @@ -253,9 +250,7 @@ rhel9cis_rule_4_2_2_5: true rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true -rhel9cis_rule_4_3_1: true -rhel9cis_rule_4_3_2: true -rhel9cis_rule_4_3_3: true +rhel9cis_rule_4_3: true # Section 5 rules rhel9cis_rule_5_1_1: true @@ -400,6 +395,8 @@ rhel9cis_aide_cron: # SELinux policy rhel9cis_selinux_pol: targeted +# chose onf or enfocing or permissive +rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment 
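Review bot: The comment added above `rhel9cis_selinux_enforce` in the `@@ -400,6 +395,8 @@` hunk reads `# chose onf or enfocing or permissive`; defaults/main.yml is the file operators edit first, so it should read `# choose one of: enforcing or permissive`. Nothing in this commit's visible hunks references `rhel9cis_selinux_enforce`, so a second comment naming the task that consumes it would help readers find where the value takes effect.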
@@ -417,13 +414,12 @@ rhel9cis_chrony_server_options: "minpoll 8" ### 2.2 Special Purposes ##### Service configuration booleans set true to keep service -rhel9cis_xinetd_server: false rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false rhel9cis_dhcp_server: false rhel9cis_dns_server: false -rhel9cis_ftp_server: false +rhel9cis_dnsmasq_server: false rhel9cis_vsftpd_server: false rhel9cis_tftp_server: false rhel9cis_httpd_server: false @@ -433,7 +429,6 @@ rhel9cis_imap_server: false rhel9cis_samba_server: false rhel9cis_squid_server: false rhel9cis_snmp_server: false -rhel9cis_nis_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false # Note the options @@ -450,12 +445,10 @@ rhel9cis_use_rsync_server: false rhel9cis_use_rsync_service: false #### 2.3 Service clients -rhel9cis_ypbind_required: false -rhel9cis_rsh_required: false -rhel9cis_talk_required: false rhel9cis_telnet_required: false rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false +rhel9cis_ftp_client: false ## Section3 vars @@ -473,15 +466,29 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy + +# These are the default service add accordingly +rhel9_firewalld_service: + - ssh + - dhcpv6-client +# These are added to demonstrate how this can be done +rhel9cis_firewalld_ports: + - number: 80 + protocol: tcp #### nftables -rhel9cis_nftables_firewalld_state: masked rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true - - +rhel9_nftables_ports: + - port: ssh + protocol: tcp + type: dport + rule: accept + - port: igmp + protocol: ip + type: protocol + rule: accept # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. 
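Review bot: In the `@@ -473,15 +466,29 @@` hunk `rhel9cis_firewalld_ports` ships with `80/tcp` open by default, so any consumer who does not override the list has HTTP exposed by a hardening role even though the comment says the entry is only there to demonstrate the format; the default should be the empty list with the example kept as a comment, `rhel9cis_firewalld_ports: []` followed by `# example entry: { number: 80, protocol: tcp }`, which is harmless if the consuming task simply iterates the list. The new `rhel9_firewalld_service` and `rhel9_nftables_ports` keys also drop the `cis` from the `rhel9cis_` prefix that every other variable in this file uses, including the `rhel9cis_nft_tables_*` keys a few lines above, so they will be missed by anyone grepping for role variables. A one-line comment on the expected schema of a `rhel9_nftables_ports` entry (`port`, `protocol`, `type`, `rule`) would also help, since the `igmp` item uses `type: protocol` and the field meanings are not obvious from the names alone.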
@@ -522,6 +529,10 @@ rhel9cis_preferred_log_capture: rsyslog #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com +rhel9cis_remote_log_port: 514 +rhel9cis_remote_log_protocol: tcp +rhel9cis_remote_log_retrycount: 100 +rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 rhel9cis_system_is_log_server: false diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 258b64f3..d21e6c45 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml 
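Review bot: The new forwarding defaults (`rhel9cis_remote_log_port: 514`, `rhel9cis_remote_log_protocol: tcp`) describe a clear-text transport and no variable is introduced for TLS, so if the rsyslog configuration built from them uses plain forwarding the logs are neither encrypted nor authenticated in transit; the consuming template is outside this hunk, so I cannot confirm which action it uses. That is within what the benchmark asks for, but it deserves a comment next to the values, e.g. `# Plain TCP/UDP forwarding; TLS is not configured by these defaults`, so operators know to add transport protection themselves. The retry count and queue size are likewise undocumented; a short comment saying they feed the rsyslog action queue would tell readers what tuning them affects.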
@@ -18,92 +18,88 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.1.1 -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - service: - name: auditd - state: started - enabled: true - when: - - rhel9cis_rule_4_1_1_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - auditd - - rule_4.1.1.2 - -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" +- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false - register: rhel9cis_4_1_1_3_grub_cmdline_linux + register: rhel9cis_4_1_1_2_grub_cmdline_linux - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" replace: dest: /etc/default/grub regexp: 'audit=.' 
replace: 'audit=1' notify: grub2cfg - when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" + when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"' + line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' notify: grub2cfg - when: "'audit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" + when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: - - rhel9cis_rule_4_1_1_3 + - rhel9cis_rule_4_1_1_2 tags: - level2-server - level2-workstation - - automated - patch - auditd - grub - - rule_4.1.1.3 + - rule_4.1.1.2 -- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" +- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - - name: "4.1.1.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false - register: rhel9cis_4_1_1_4_grub_cmdline_linux + register: rhel9cis_4_1_1_3_grub_cmdline_linux - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" + - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' notify: grub2cfg - when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" + when: "'audit_backlog_limit=' in 
rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" + - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_4_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' notify: grub2cfg - when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" + when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" when: - - rhel9cis_rule_4_1_1_4 + - rhel9cis_rule_4_1_1_3 tags: - level2-server - level2-workstation - - automated - patch - auditd - grub + - rule_4.1.1.3 + +- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" + service: + name: auditd + state: started + enabled: true + when: + - rhel9cis_rule_4_1_1_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd - rule_4.1.1.4 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index a3ab9901..62bee82d 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -27,7 +27,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.2 @@ -47,7 +46,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.3 @@ -64,6 +62,5 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 8272b7e2..ec614022 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml 
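Review bot: In the `Add audit setting if missing` task, an `/etc/default/grub` without a `GRUB_CMDLINE_LINUX=` line leaves `rhel9cis_4_1_1_2_grub_cmdline_linux.stdout` empty (the grep runs with `failed_when: false`), `'audit=' not in ''` is true, and `lineinfile` then appends the bare line ` audit=1"` because its `regexp` matches nothing — a malformed entry that will likely break when `grub2-mkconfig` sources the file. A guard on the condition avoids the bad write: `when:` / `- "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"` / `- rhel9cis_4_1_1_2_grub_cmdline_linux.stdout | length > 0`, and the absent-line case should then either fail loudly or write a complete `GRUB_CMDLINE_LINUX="audit=1"` line; the same pattern applies to the `audit_backlog_limit` tasks later in this hunk. Separately, this hunk keeps short module names (`shell:`, `replace:`, `lineinfile:`, `service:`) while the cis_4.1.3.x.yml hunks in the same commit move to `ansible.builtin.set_fact`, so one convention per commit would keep the role consistent under the FQCN lint rule. The 4.1.1.1 task whose tags open this hunk starts outside it.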
@@ -2,63 +2,59 @@ # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_1 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.1 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_2 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.2 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_3 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.3 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_4 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.4 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_5 @@ -81,7 +77,7 @@ register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true notify: update auditd when: 
@@ -89,98 +85,91 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.6 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_7 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3_7 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_8 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.8 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_9 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.9 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_10 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.10 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_11 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.11 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.12 | PATCH | Ensure 
login and logout events are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_12 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.12 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_13 
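Review bot: The tag `- rule_4.1.3_7` under the 4.1.3.7 task (a context line in this hunk, left untouched by the commit) breaks the `rule_4.1.3.N` scheme every neighbouring task uses, so a run with `--tags rule_4.1.3.7` silently selects nothing; since the commit already rewrites the lines around it, changing it to `- rule_4.1.3.7` here is cheap. The 4.1.3.20 task in the following hunk (`@@ -193,104`) has the same problem with `- rule_4.1.20`, which should read `- rule_4.1.3.20`.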
@@ -193,104 +182,97 @@ # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_14 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.14 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_15 tags: - level2-server - level2- workstation - - automated - patch - auditd - rule_4.1.3.15 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_16 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.16 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_17 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.17 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_18 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.18 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.19 
| PATCH | Ensure kernel module loading and unloading is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_19 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.19 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_20 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.20 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - debug: + ansible.builtin.debug: msg: - "Please run augenrules --load if you suspect there is a configuration that is not active" when:
@@ -304,7 +286,7 @@ - rule_4.1.3.21 - name: Auditd | 4.1.3 | Auditd controls updated - debug: + ansible.builtin.debug: msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" changed_when: false when:
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
new file mode 100644
index 00000000..b7828ae6
--- /dev/null
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -0,0 +1,188 @@ +--- + +- name: | + "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" + "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" + "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + + block: + - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" + ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' + register: audit_logfile + changed_when: false + + - name: | + "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" + "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" + "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + ansible.builtin.file: + path: "{{ audit_logfile.stdout }}" + state: file + mode: 0640 + owner: root + group: root + when: + - rhel9cis_rule_4_1_4_1 or + rhel9cis_rule_4_1_4_2 or + rhel9cis_rule_4_1_4_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.1 + - rule_4.1.4.2 + - rule_4.1.4.3 + +- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive" + block: + - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" + ansible.builtin.stat: + path: "{{ audit_logfile.stdout | dirname }}" + register: auditlog_dir + + - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: directory + mode: 0750 + when: not auditlog_dir.stat.mode is match('07(0|5)0') + when: + - rhel9cis_rule_4_1_4_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.4 + +- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" + block: + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get 
permissions" + ansible.builtin.stat: + path: "{{ item.path }}" + register: item_file + loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" + loop_control: + label: "{{ item.path }}" + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + mode: 0640 + loop: "{{ audit_config_files }}" + when: not item_file.stat.mode is match('06(0|4)0') + when: + - rhel9cis_rule_4_1_4_5 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.5 + +- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + owner: root + loop: "{{ audit_config_files }}" + when: + - rhel9cis_rule_4_1_4_6 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.6 + +- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + group: root + loop: "{{ audit_config_files }}" + when: + - rhel9cis_rule_4_1_4_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.7 + +- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" + block: + - name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode" + ansible.builtin.stat: + path: "{{ item }}" + register: "audit_bins" + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + + - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" + ansible.builtin.file: + path: "{{ item }}" + state: file + mode: 0750 + register: "audit_bins" + loop: "{{ audit_bins.results.stat.path }}" + when: not audit_bins.stat.mode is match('07(0|5)(0|5)') + when: + - rhel9cis_rule_4_1_4_8 + tags: + - 
level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.8 + +- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root" + ansible.builtin.file: + path: "{{ item }}" + state: file + owner: root + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + when: + - rhel9cis_rule_4_1_4_9 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.9 + +- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" + ansible.builtin.file: + path: "{{ item }}" + state: file + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + when: + - rhel9cis_rule_4_1_4_10 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.10
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index 12afac1f..e34f677d 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -1,7 +1,7 @@ --- - name: "4.2.1.1 | PATCH | Ensure rsyslog installed" - package: + ansible.builtin.package: name: rsyslog state: present when:
@@ -10,13 +10,12 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.1 - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" - service: + ansible.builtin.systemd: name: rsyslog enabled: true when:
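Review bot: The 4.1.4.5 "set permissions", 4.1.4.6 and 4.1.4.7 tasks never reach a configuration file: all three pass `path: "{{ audit_logfile.stdout | dirname }}"` (the log directory) while looping over `audit_config_files`, a variable defined nowhere in this file, and the 4.1.4.5 `when` reads `item_file.stat.mode` although `item_file` was registered by a looped stat and therefore only carries `.results`. 4.1.4.8 has the same shape of bug: `loop: "{{ audit_bins.results.stat.path }}"` is not a valid path into a looped stat result, the second `register: "audit_bins"` clobbers the first, and `mode: 0750` is stricter than the 755 the task title promises. Each config-file task should iterate the find output — the stat task in this block spells it `audit_conf_files.results | map(attribute='files') | flatten`, while the prelim added later on this page registers `auditd_conf_files`, so one name has to win — and operate on `item.path`; 4.1.4.6 is sketched below and 4.1.4.5/4.1.4.7 follow the same pattern. Quoting the octal modes (`"0640"`, `"0750"`) also keeps them from being read as YAML 1.1 integers by linters and other consumers.
```yaml
- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root"
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: file
    owner: root
  loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}"
  loop_control:
    label: "{{ item.path }}"
  # … unchanged: when / tags …
```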
@@ -24,29 +23,27 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.2 -# This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes + notify: restart rsyslog when: - rhel9cis_rule_4_2_1_3 - rhel9cis_preferred_log_capture == "rsyslog" tags: - level1-server - level1-workstation - - manual - patch - rule_4.2.1.3 - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640'
@@ -56,7 +53,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.4
@@ -64,20 +60,20 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - command: cat /etc/rsyslog.conf + ansible.builtin.command: cat /etc/rsyslog.conf changed_when: false failed_when: false check_mode: false register: rhel_08_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - debug: + ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)"
@@ -92,7 +88,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)"
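Review bot: The `notify: restart rsyslog` added to 4.2.1.3 restarts the wrong daemon: the task edits `/etc/systemd/journald.conf`, and `ForwardToSyslog=yes` only takes effect once systemd-journald itself is restarted, so the change stays pending until the next reboot. The handler should target systemd-journald (the role's handler name for it is not visible here); the 4.2.2.3 and 4.2.2.4 hunks in cis_4.2.2.x.yml later on this page have the same issue with `notify: restart systemd_journal_upload` after editing the same file. The deleted `# This is counter to control 4.2.2.5??` comment pointed at a real interaction — 4.2.2.5 comments the same key back out — and unless that task carries the same `rhel9cis_preferred_log_capture` guard (not visible here), a one-line comment recording why the two do not fight would help the next reader.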
@@ -105,7 +101,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)"
@@ -119,7 +115,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)"
@@ -134,7 +130,7 @@ notify: restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
@@ -145,7 +141,7 @@ notify: restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)"
@@ -159,18 +155,17 @@ tags: - level1-server - level1-workstation - - manual - patch - rsyslog - rule_4.2.1.5 - name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present block: | - # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @@{{ rhel9cis_remote_log_server }} + # target can be IP or FQDN + *.* action(type="omfwd" target="{{ rhel9cis_remote_log_server }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF register: result failed_when:
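Review bot: The new omfwd action in 4.2.1.6 declares `queue.type="LinkedList"` without a `queue.filename`, so the queue is memory-only and any events buffered while the remote host is unreachable are lost when rsyslog restarts; adding `queue.filename="fwd_remote" queue.saveOnShutdown="on"` makes it disk-assisted. The action also carries no stream-driver settings, so with `protocol="tcp"` the forwarded logs cross the network in clear text — worth a role variable, or at least a comment in the block, noting that `StreamDriver="gtls"` and `StreamDriverMode="1"` are expected on a hardened host. Splitting the single very long `action(...)` line across several lines inside the `block: |` scalar would also make the parameters reviewable in a diff.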
@@ -179,11 +174,10 @@ notify: restart rsyslog when: - rhel9cis_rule_4_2_1_6 - - rhel9cis_remote_log_server is defined + - rhel9cis_remote_log_server tags: - level1-server - level1-workstation - - manual - patch - rsyslog - rule_4.2.1.6
@@ -191,20 +185,20 @@ - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf - regexp: '({{ item }})' + regexp: '{{ item }}' replace: '#\1' notify: restart rsyslog with_items: - - '^(\$ModLoad imtcp)' - - '^(\$InputTCPServerRun)' - - '^(module\(load="imtcp"\))' - - '^(input\(type="imtcp")' + - '^\$ModLoad imtcp' + - '^\$InputTCPServerRun' + - '^module\(load="imtcp"\)' + - '^input\(type="imtcp" port=.*\)' when: not rhel9cis_system_is_log_server - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' replace: '\1'
@@ -213,14 +207,13 @@ - 'ModLoad imtcp' - 'InputTCPServerRun' - 'module\(load="imtcp"\)' - - 'input\(type="imtcp"' + - 'input\(type="imtcp" port=".*")' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.7
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml
index f172f961..08db497e 100644
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@@ -1,7 +1,7 @@ --- - name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" - package: + ansible.builtin.package: name: systemd-journal-remote state: present when:
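Review bot: The "When not log host" task in 4.2.1.7 now fails at runtime: the capture group was dropped from `regexp: '{{ item }}'` and from every `with_items` pattern, but `replace: '#\1'` still back-references group 1, which Python's `re` rejects as an invalid group reference. Either restore the group, `regexp: '({{ item }})'`, or replace the whole match with `replace: '#\g<0>'`. In the next hunk (`@@ -213,14`) the new item `'input\(type="imtcp" port=".*")'` has an unescaped closing parenthesis that unbalances the group in `'^#(.*{{ item }}.*)'`; it needs `port=".*"\)`.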
@@ -15,7 +15,7 @@ - rule_4.2.2.1.1 - name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}"
@@ -36,7 +36,7 @@ - rule_4.2.2.1.2 - name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - systemd: + ansible.builtin.systemd: name: systemd-journal-upload state: started enabled: true
@@ -52,7 +52,7 @@ - rule_4.2.2.1.3 - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - systemd: + ansible.builtin.systemd: name: systemd-journal-remote.socket state: stopped enabled: false
@@ -71,25 +71,25 @@ - name: "4.2.2.2 | PATCH | Ensure journald service is enabled" block: - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" - systemd: + ansible.builtin.systemd: name: systemd-journald state: started enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" - shell: systemctl is-enabled systemd-journald.service + ansible.builtin.shell: systemctl is-enabled systemd-journald.service changed_when: false failed_when: false register: rhel9cis_4_2_2_2_status - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - debug: + ansible.builtin.debug: msg: - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" warn_count: "{{ warn_count | int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
@@ -104,10 +104,11 @@ - rule_4.2.2.2 - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes + notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_3 tags:
@@ -119,10 +120,11 @@ - rule_4.2.2.3 - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent + notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_4 tags:
@@ -135,7 +137,7 @@ # This is counter to control 4.2.1.3?? - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes"
@@ -151,7 +153,7 @@ - rule_4.2.2.5 - name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}"
@@ -175,35 +177,21 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" block: - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - find: - paths: /etc/tmpfiles.d - patterns: systemd.conf - register: rhel9cis_4_2_2_7_override_status + ansible.builtin.stat: + path: /etc/tmpfiles.d/systemd.conf + register: rhel9cis_4_2_2_7_override - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" - shell: cat /etc/tmpfiles.d/systemd.conf - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_7_override_settings - when: rhel9cis_4_2_2_7_override_status.matched >= 1 + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" + ansible.builtin.set_fact: + systemd_conf_file: /etc/tmpfiles.d/systemd.conf + when: rhel9cis_4_2_2_7_override_stat.exists - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings" - shell: cat /usr/lib/tmpfiles.d/systemd.conf - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_7_notoverride_settings - when: rhel9cis_4_2_2_7_override_status.matched == 0 - - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" - debug: - msg: - - "Warning!! 
Below are the current default settings for journald, please confirm they align with your site policies" - - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" + ansible.builtin.lineinfile: + path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" + regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" + line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" - warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags:
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
index a1b3bb76..e1e6becc 100644
--- a/tasks/section_4/cis_4.2.3.yml
+++ b/tasks/section_4/cis_4.2.3.yml
@@ -1,9 +1,18 @@ --- - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - changed_when: false - failed_when: false + block: + - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + ansible.builtin.find: + paths: "/var/log" + type: file + register: logfiles + + - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + ansible.builtin.file: + paths: "{{ item.path }}" + mode: 0640 + register: logfiles when: - rhel9cis_rule_4_2_3 tags:
diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml
index 2283d6a5..6709458b 100644
--- a/tasks/section_4/cis_4.3.yml
+++ b/tasks/section_4/cis_4.3.yml
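Review bot: The "Set permission" task in 4.2.2.7 cannot run as written: its `path` is `{{ /etc/tmpfiles.d/systemd.conf | default(...) }}`, a bare path inside a Jinja expression rather than the `systemd_conf_file` fact set two tasks earlier, and that fact is itself guarded by `rhel9cis_4_2_2_7_override_stat.exists` while the stat task registers `rhel9cis_4_2_2_7_override`. Those two lines should be `when: rhel9cis_4_2_2_7_override.stat.exists` and `path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}"`. The `regexp` also only matches entries that are already `0600`/`0640`, so a non-compliant line is left in place and the compliant one is appended after it; matching on the path alone, `regexp: '^z /var/log/journal/%m/system.journal '`, replaces whatever mode is there. The default branch edits the vendor file under /usr/lib, which the next systemd package update overwrites — copying it into /etc/tmpfiles.d first would make the setting durable; this block begins in the previous chunk.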
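Review bot: The second task in the 4.2.3 block does not apply the permissions it intends: `ansible.builtin.file` has no `paths` parameter (it is `path`), there is no `loop` over the find result so `item` is undefined, and `register: logfiles` overwrites the find output from the task above. Its name also repeats the AUDIT name instead of marking the PATCH step. The old `find -exec chmod g-wx,o-rwx` was subtractive, whereas a fixed `0640` also adds group read to files that lacked it; `mode: "g-wx,o-rwx"` (the file module accepts symbolic modes) preserves the previous behaviour if that was the intent.
```yaml
    - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | set permissions"
      ansible.builtin.file:
        path: "{{ item.path }}"
        mode: "0640"
      loop: "{{ logfiles.files }}"
      loop_control:
        label: "{{ item.path }}"
  # … unchanged: when / tags …
```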
@@ -1,43 +1,25 @@ --- -- name: "4.3.1 | PATCH | Ensure logrotate is installed" - package: - name: rsyslog-logrotate - state: present - when: - - rhel9cis_rule_4_3_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3.1 +- name: "4.3 | PATCH | Ensure logrotate is configured" + block: + - name: "4.3 | PATCH | Ensure logrotate is configured | installed" + ansible.builtin.package: + name: rsyslog-logrotate + state: present -- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" - systemd: - name: logrotate.timer - state: started - enabled: true - when: - - rhel9cis_rule_4_3_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3.2 + - name: "4.3.2 | PATCH | Ensure logrotate is configured | scheduled" + ansible.builtin.systemd: + name: logrotate.timer + state: started + enabled: true -- name: "4.3.3 | PATCH | Ensure logrotate is configured" - block: - - name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" - find: + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + ansible.builtin.find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3.3 | PATCH | Ensure logrotate is configured" - replace: + - name: "4.3 | PATCH | Ensure logrotate is configured" + ansible.builtin.replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}"
@@ -47,11 +29,11 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_4_3_3 + - rhel9cis_rule_4_3 tags: - level1-server - level1-workstation - manual - patch - logrotate - - rule_4.3.3 + - rule_4.3.1
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 1431ed47..89f2787d 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
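Review bot: The consolidated logrotate block is gated on `rhel9cis_rule_4_3` (second hunk, `@@ -47,11`) but tagged `rule_4.3.1`, and the timer task is still named `4.3.2 | PATCH | Ensure logrotate is configured | scheduled` while its siblings use `4.3`; the tag should be `- rule_4.3` and the name `"4.3 | PATCH | Ensure logrotate is configured | scheduled"` so tag-based runs and the variable agree. The `- manual` tag is kept here although this series strips `manual`/`automated` from every other task file on the page — presumably an oversight.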
@@ -3,7 +3,7 @@ ## metadata for benchmark ## metadata for Audit benchmark -benchmark_version: '2.0.0' +benchmark_version: '1.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # If run via script this is discovered and set
@@ -44,7 +44,6 @@ rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} # 1.1.1 Disable unused filesystems rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} -rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} # 1.1.2 Configure /tmp rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }}
@@ -74,28 +73,25 @@ rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }} rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} -rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }} -rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }} # 1.1.8 Configure /dev/shm rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} -# 1.9 autofs +rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }} +# 1.9 usb-storage rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} -# 1.10 usb-storage -rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} # 1.2 Configure Software Updates -rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed +rhel9cis_rule_1_2_1: {{ rhel9cis_rule_1_2_1 }} rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} # 1.3 Filesystem Integrity Checking rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} +rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} # 1.4 Secure Boot Settings rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} -rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} # 1.5 Additional Process Hardening rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
@@ -108,6 +104,7 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} +rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }}
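Review bot: The added line `rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }}` duplicates the `rhel9cis_rule_1_1_8_3` key two lines above it, so the rendered goss vars file ends up with 1.1.8.3 set to the 1.1.8.4 value and no entry for 1.1.8.4 at all (most YAML loaders keep the last duplicate silently). The key should be `rhel9cis_rule_1_1_8_4: {{ rhel9cis_rule_1_1_8_4 }}`. The `@@ -121,6 +118,11` hunk in the next chunk of this file repeats the mistake five times: the new lines keyed `rhel9cis_rule_1_8_1` … `rhel9cis_rule_1_8_5` carry the 1.8.6–1.8.10 values and should be keyed `rhel9cis_rule_1_8_6` … `rhel9cis_rule_1_8_10`.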
@@ -121,6 +118,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy
@@ -151,24 +153,19 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} -rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }} -rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }} # 2.3 service clients rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} -rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} -rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }} -rhel9cis_rule_2_4: true # todo +rhel9cis_rule_2_4: true # Section 3 rules # 3.1 Disable unused network protocols and devices rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} -rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }} # 3.2 Network Parameters (Host Only) rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
@@ -185,11 +182,7 @@ rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }} # 3.4.1 Configure firewalld rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} -rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }} -rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }} -rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }} -rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }} -rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }} + # 3.4.1 Configure nftables rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
@@ -198,10 +191,7 @@ rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} -rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} -rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} -rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} -rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} + # Section 4 rules # 4.1 Configure System Accounting
@@ -238,6 +228,18 @@ rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }} rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} +# 4.1.4 Configure auditd file Access +rhel9cis_rule_4_1_4_1: {{ rhel9cis_rule_4_1_4_1 }} +rhel9cis_rule_4_1_4_2: {{ rhel9cis_rule_4_1_4_2 }} +rhel9cis_rule_4_1_4_3: {{ rhel9cis_rule_4_1_4_3 }} +rhel9cis_rule_4_1_4_4: {{ rhel9cis_rule_4_1_4_4 }} +rhel9cis_rule_4_1_4_5: {{ rhel9cis_rule_4_1_4_5 }} +rhel9cis_rule_4_1_4_6: {{ rhel9cis_rule_4_1_4_6 }} +rhel9cis_rule_4_1_4_7: {{ rhel9cis_rule_4_1_4_7 }} +rhel9cis_rule_4_1_4_8: {{ rhel9cis_rule_4_1_4_8 }} +rhel9cis_rule_4_1_4_9: {{ rhel9cis_rule_4_1_4_9 }} +rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }} + # 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
@@ -262,9 +264,8 @@ rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} # 4.3 Logrotate -rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} -rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }} -rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }} +rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + # Section 5 # Authentication and Authorization
@@ -391,12 +392,11 @@ rhel9_aide_scan: cron # Set to 'true' if X Windows is needed in your environment rhel9cis_xwindows_required: false ### Service configuration booleans set true to keep service -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} -rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }} rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
@@ -406,7 +406,6 @@ rhel9cis_imap_server: {{ rhel9cis_imap_server }} rhel9cis_samba_server: {{ rhel9cis_samba_server }} rhel9cis_squid_server: {{ rhel9cis_squid_server }} rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
@@ -421,12 +420,10 @@ rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }} rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} #### 2.3 Service clients -rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} +rhel9cis_ftp_client: {{ rhel9cis_ftp_client }} # Section 3 From 415f62faca98fb31756e7915c4f2e881464af3e1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:39:10 +0000 Subject: [PATCH 270/454] renamed Signed-off-by: Mark Bolwell --- tasks/section_3/{cis_3.4.2.yml => cis_3.4.2.x.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tasks/section_3/{cis_3.4.2.yml => cis_3.4.2.x.yml} (100%) diff --git a/tasks/section_3/cis_3.4.2.yml b/tasks/section_3/cis_3.4.2.x.yml similarity index 100% rename from tasks/section_3/cis_3.4.2.yml rename to tasks/section_3/cis_3.4.2.x.yml From c3f680d8fbecdccbc28dcf8b315241ad9bdda18c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:39:37 +0000 Subject: [PATCH 271/454] prelim added Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f17d47ce..d133108f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -114,16 +114,25 @@ - rule_4.1.1.1 - auditd -- name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - changed_when: false - failed_when: false - check_mode: false - register: priv_procs +- name: "PRELIM | 4.1.4.5 | Audit conf and rules files | list files" + ansible.builtin.find: + path: /etc/audit + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: auditd_conf_files + when: + - rhel9cis_rule_4_1_4_5 or + rhel9cis_rule_4_1_4_6 or + rhel9cis_rule_4_1_4_7 tags: - - level1-server - - level1-workstation - - always + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.5 + - rule_4.1.4.6 + - rule_4.1.4.7 - name: "PRELIM | Section 5.1 | Configure cron" package: From 1b634f31939b5eaf2837e865a4b6dd2f80cdb90b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:39:50 +0000 Subject: [PATCH 272/454] updated for firewall Signed-off-by: Mark Bolwell --- tasks/section_3/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 6795a67d..cb5c04a3 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -9,12 +9,8 @@ - name: "SECTION | 3.3.x | Network Parameters (host and Router)" import_tasks: cis_3.3.x.yml -- name: "SECTION | 3.4.1.x | Configure firewalld" +- name: "SECTION | 3.4.1.x | Firewall configuration" import_tasks: cis_3.4.1.x.yml - when: - - rhel9cis_firewall == "firewalld" -- name: "SECTION | 3.4.2.x | Configure nftables" +- name: "SECTION | 3.4.2.x | Configure firewall" include_tasks: cis_3.4.2.x.yml - when: - - rhel9cis_firewall == "nftables" From dec098b5f3cb5014e9de14d0f47d09bc03a3c598 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:40:02 +0000 Subject: [PATCH 273/454] added new controls 
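Review bot: The new `PRELIM | 4.1.4.5` find task uses the argument spelling `path:` while the same patch series converts the other `ansible.builtin.find` calls in cis_1.2.x.yml to `paths:`; `path` is only an alias, so `paths: /etc/audit` keeps the role consistent. Because the task is guarded by `when: rhel9cis_rule_4_1_4_5 or ...`, `auditd_conf_files` has no `files` key when all three rules are off, so every consumer must keep exactly the same guard or test `auditd_conf_files.files is defined` before looping. A comment above the task naming its consumers, e.g. `# consumed by 4.1.4.5-4.1.4.7 in cis_4.1.4.x.yml`, would make that coupling visible.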
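Review bot: Removing the `rhel9cis_firewall` guards means cis_3.4.1.x.yml and cis_3.4.2.x.yml are now always loaded, so every task in them must carry its own `rhel9cis_firewall == ...` condition; the nftables tasks (3.4.2.4, 3.4.2.6, 3.4.2.7) visibly do, but the `when:` lists of the firewalld tasks 3.4.2.1 and 3.4.2.5 are not in this patch, so confirm they test `rhel9cis_firewall == "firewalld"` or `firewall-cmd` will run on nftables-only hosts. The second entry also keeps `include_tasks`, and an untagged dynamic include is skipped entirely when the play is run with `--tags level1-server` or `--tags rule_3.4.2.7`; switching it to `import_tasks: cis_3.4.2.x.yml` like the other section entries avoids that. The top of this tasks file lies above the hunk.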
Signed-off-by: Mark Bolwell --- tasks/section_4/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index a4f05d2d..a7a36597 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -11,6 +11,9 @@ - name: "SECTION | 4.1.3 | Configure Auditd rules" import_tasks: cis_4.1.3.x.yml +- name: "SECTION | 4.1.4 | Configure Audit files" + import_tasks: cis_4.1.4.x.yml + - name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' From 256f582b66506a3a8a72b174b3f2eba194b5a8aa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:14 +0000 Subject: [PATCH 274/454] lint fqcn & typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 4 ++-- tasks/section_1/cis_1.1.8.x.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index ab737ccd..aa67b5c8 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -15,8 +15,8 @@ when: - required_mount not in mount_names - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - debug: + - name: "1.1.2.1 | AUDIT | Ensure separate partition exists for /var | Present" + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_mount_present when: diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index c9a6394a..fdaef150 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -1,9 +1,9 @@ --- # Skips if mount is absent -- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition" +- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" block: - - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition | Absent" + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent From b347e5dd00f207a498c4e28d12ec9daed51dd648 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:27 +0000 Subject: [PATCH 275/454] lint Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9a1a6c2f..093e900f 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -9,7 +9,7 @@ register: os_installed_pub_keys - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys" - ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false register: os_gpg_key_check @@ -47,15 +47,13 @@ paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos - changed_when: false - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" - with_items: - - "{{ yum_repos.files }}" + loop: "{{ yum_repos.files }}" loop_control: label: "{{ item.path }}" when: 
@@ -102,20 +100,23 @@ ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: '^repo_gpgcheck' - line: repo_gpgcheck 1 + line: repo_gpgcheck=1 - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" ansible.builtin.find: - path: /etc/yum.repos.d - patterns: '*.repo' - register: repo_files + paths: /etc/yum.repos.d + patterns: "*.repo" + register: repo_files - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.lineinfile: - path: "{{ item }}" + path: "{{ item.path }}" regexp: '^repo_gpgcheck' line: repo_gpgcheck=1 loop: "{{ repo_files.files }}" + loop_control: + label: "{{ item.path }}" + when: - rhel9cis_rule_1_2_4 tags: From 572f14ef6bbd8b9d055bcb5f1ce25506274bf120 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:37 +0000 Subject: [PATCH 276/454] task change Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 1fce7fa7..607065cf 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
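Review bot: The `1.2.4 | PATCH | amend repo files` task uses `lineinfile` with `regexp: '^repo_gpgcheck'`, which edits only the last match per file and otherwise appends `repo_gpgcheck=1` at the end of the file, i.e. into the last `[section]` only; RHEL repo files usually contain several sections, so any other section carrying `repo_gpgcheck=0` is left as is. The sibling 1.2.2 task earlier in this file handles the same problem correctly with `ansible.builtin.replace`, so mirror it: `ansible.builtin.replace:` / `regexp: '^repo_gpgcheck\s*=\s*0'` / `replace: 'repo_gpgcheck=1'`. The `dnf.conf` edit at the top of the hunk is fine because `[main]` is the global default. The 1.2.4 block starts above the hunk.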
@@ -48,12 +48,18 @@ - patch - rule_1.3.2 -- name: "1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - ansible.builtin.template: - src: etc/aide.conf.d/crypt_audit_procs.conf.j2 - dest: /etc/aide.conf.d/crypt_audit_procs.conf - owner: root - group: 0640 +- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + ansible.builtin.blockinfile: + path: /etc/aide.conf + marker: "# {mark} Audit tools (CIS - Ansible)" + block: | + /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + validate: aide -D --config %s when: - rhel9cis_rule_1_3_2 - not system_is_ec2 From 3321547bfa8d83e63e1771ade73f5bfc96cde5bd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:50 +0000 Subject: [PATCH 277/454] lint Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 12 ++--- tasks/section_3/cis_3.2.x.yml | 12 ++--- tasks/section_3/cis_3.4.1.x.yml | 8 ++-- tasks/section_3/cis_3.4.2.x.yml | 82 ++++++++++++++++----------------- 4 files changed, 57 insertions(+), 57 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 68da3407..9e1e4849 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -5,12 +5,12 @@ - name: "3.1.1 | PATCH | Ensure IPv6 status is identified" block: - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv6_route: true - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required 
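Review bot: The rewritten 1.3.3 task is still gated on `rhel9cis_rule_1_3_2` (the `when:` at the end of the hunk), so it cannot be toggled independently of 1.3.2; if the defaults define a `rhel9cis_rule_1_3_3` switch, the condition should be `- rhel9cis_rule_1_3_3`. `validate: aide -D --config %s` makes the edit hard-fail when the aide binary is absent, which happens when 1.3.1 is disabled in the same run, so a comment above the task such as `# depends on aide being installed (1.3.1); validate runs aide -D on the temp copy` would make that dependency explicit. The task's `tags:` list continues below the hunk.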
@@ -27,21 +27,21 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - command: rpm -q NetworkManager + ansible.builtin.command: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false register: rhel_08_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - command: nmcli radio wifi + ansible.builtin.command: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - command: nmcli radio all off + ansible.builtin.command: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed @@ -54,7 +54,7 @@ - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure TIPC is disabled" - template: + ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 708deb80..56e47f76 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
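Review bot: In the 3.1.2 block the `Disable wifi if enabled` command sets `changed_when: false` although `nmcli radio all off` is the remediation itself, so the play never reports the change it makes; drop that line (or set `changed_when: true`) and keep `failed_when: false` only if a missing nmcli is acceptable. The first sub-task shells out to `rpm -q NetworkManager`, whereas the rest of the role tests `ansible_facts.packages` (see cis_3.4.1.x.yml), so `when: '"NetworkManager" in ansible_facts.packages'` on the nmcli tasks would remove a shell call and a register. The `rhel_08_*` register names look inherited from the RHEL 8 role and are worth renaming to `rhel9cis_3_1_2_*` to match section 3.4.2.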
@@ -3,22 +3,22 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6" block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - set_fact: + ansible.builtin.set_fact: flush_ipv6_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required @@ -35,11 +35,11 @@ - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" block: - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - not rhel9cis_is_router diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 9498c97c..226cd79f 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
@@ -18,22 +18,22 @@ - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" block: - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables" - systemd: + ansible.builtin.systemd: name: "{{ item }}" masked: true with_items: - firewalld - when: + when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld" - systemd: + ansible.builtin.systemd: name: "{{ item }}" masked: true with_items: - nftables - when: + when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 7fc873e7..bbd1ad0d 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -3,13 +3,13 @@ - name: "3.4.2.1 | PATCH | Ensure firewalld default zone is set" block: - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" - shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" + ansible.builtin.shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" changed_when: false failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) register: firewalld_zone_set - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: - firewalld_zone_set.rc != 0 when: 
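Review bot: Both 3.4.1.2 sub-tasks only set `masked: true` on the competing firewall service; masking prevents future starts but does not stop a unit that is already running, so a host switching from firewalld to nftables keeps firewalld active, together with its ruleset, until the next reboot. CIS remediates with `systemctl --now mask`, which here means adding `state: stopped` beside `masked: true` in both tasks. The block's `when:`/`tags:` trailer continues below the hunk.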
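Review bot: The 3.4.2.1 audit pipes `firewall-cmd --get-default-zone` into `grep {{ rhel9cis_default_zone }}`, a substring match, so an existing zone of `public` satisfies a configured zone of `pub` and nothing is corrected; use an exact match, `grep -x "{{ rhel9cis_default_zone }}"`. The second sub-task runs `--set-default-zone` and therefore mutates the host, yet is named `3.4.2.1 | AUDIT`; rename it `3.4.2.1 | PATCH | Ensure firewalld default zone is set | set zone` to keep the AUDIT/PATCH convention used elsewhere in the file meaningful. The block's closing `when:` conditions lie below the hunk, so I cannot confirm it is restricted to `rhel9cis_firewall == "firewalld"`.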
@@ -25,20 +25,20 @@ - name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists" block: - name: "3.4.2.2 | AUDIT | Ensure a table exists | Check for tables" - command: nft list tables + ansible.builtin.command: nft list tables changed_when: false failed_when: false register: rhel9cis_3_4_2_2_nft_tables - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: + ansible.builtin.debug: msg: - "Below are the current nft tables, please review" - "{{ rhel9cis_3_4_2_2_nft_tables.stdout_lines }}" when: rhel9cis_3_4_2_2_nft_tables.stdout | length > 0 - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: + ansible.builtin.debug: msg: - "Warning!! You currently have no nft tables, please review your setup" - 'Use the command "nft create table inet
" to create a new table' @@ -47,7 +47,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" warn_count: "{{ warn_count | int + 1 }}" when: @@ -55,7 +55,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | PATCH | Ensure a table exists | Create table if needed" - command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + ansible.builtin.command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: false when: rhel9cis_nft_tables_autonewtable when: @@ -71,25 +71,25 @@ - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist" block: - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' + ansible.builtin.shell: nft list ruleset | grep 'hook input' changed_when: false failed_when: false register: rhel9cis_3_4_2_3_input_chains - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' + ansible.builtin.shell: nft list ruleset | grep 'hook forward' changed_when: false failed_when: false register: rhel9cis_3_4_2_3_forward_chains - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' + ansible.builtin.shell: nft list ruleset | grep 'hook output' changed_when: false failed_when: false register: rhel9cis_3_4_2_3_output_chains - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: + ansible.builtin.debug: msg: - "Below are the current INPUT chains" - "{{ rhel9cis_3_4_2_3_input_chains.stdout_lines }}" 
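Review bot: `control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]"` places the list concatenation outside the Jinja braces, so the rendered value is the text `[...] + [ 'rule_3.4.2.2' ]` and appears to become a list only because Ansible's post-template literal evaluation accepts `+` between literals; with `jinja2_native=true` or a stricter future release this degrades to a plain string. Do the concatenation inside the expression: `control_number: "{{ control_number + ['rule_3.4.2.2'] }}"`, which is how `warn_count` on the next line is already written. The enclosing 3.4.2.2 block starts above the hunk.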
@@ -100,7 +100,7 @@ when: not rhel9cis_nft_tables_autochaincreate - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" + ansible.builtin.shell: "{{ item }}" failed_when: false with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } 
@@ -120,33 +120,33 @@ - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured" block: - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather iif lo accept existence | nftables" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' changed_when: false failed_when: false register: rhel9cis_3_4_2_4_iiflo - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip saddr existence | nftables" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' changed_when: false failed_when: false register: rhel9cis_3_4_2_4_ipsaddr - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip6 saddr existence | nftables" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' changed_when: false failed_when: false register: rhel9cis_3_4_2_4_ip6saddr - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set iif lo accept rule | nftables" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_4_iiflo.stdout' - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip sddr rule | nftables" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in 
rhel9cis_3_4_2_4_ipsaddr.stdout' - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip6 saddr rule | nftables" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ip6saddr.stdout' when: - rhel9cis_firewall == "nftables" @@ -161,11 +161,11 @@ - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" ansible.posix.firewalld: - rich_rule: "{{ item }}" - zone: "{{ rhel9cis_firewall_zone }}" - permanent: yes - immediate: yes - state: enabled + rich_rule: "{{ item }}" + zone: "{{ rhel9cis_default_zone }}" + permanent: true + immediate: true + state: enabled loop: - rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop - rule family="ipv6" source address="::1" destination not address="::1" drop @@ -182,14 +182,14 @@ - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports" block: - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" changed_when: false failed_when: false check_mode: false register: rhel9cis_3_4_2_5_servicesport - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - debug: + ansible.builtin.debug: msg: - "The items below are the services and ports that are accepted, please correct as needed" - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" 
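Review bot: The 3.4.2.4 nftables conditions compare against literal counter text (`"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"` and the `::1` equivalent), but `nft list ruleset` prints live counters, so as soon as one packet hits the rule the string no longer matches and a duplicate rule is appended on every run. Match the rule without the counters, e.g. `when: rhel9cis_3_4_2_4_ipsaddr.stdout is not search('ip saddr 127\.0\.0\.0/8 counter packets \d+ bytes \d+ drop')`, and the same for the `ip6 saddr ::1` check. The `nft add rule` commands have no `changed_when`, which is acceptable only because each is guarded by its own check; the runtime rules also need to be persisted by a later rule or they are lost at reboot.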
@@ -205,39 +205,39 @@ - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" block: - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: rhel9cis_3_4_2_6_inconnectionrule - name: "3.4.2.6| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: rhel9cis_3_4_2_6_outconnectionrule - name: "3.4.2.6| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input icmp 
established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' when: - 
rhel9cis_firewall == "nftables" 
@@ -252,43 +252,43 @@ - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy" block: - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_inputpolicy - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_forwardpolicy - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_outputpolicy - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_sshallowcheck - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_7_sshallowcheck.stdout' - name: "3.4.2.7 | PATCH | 
Ensure nftables default deny firewall policy | Set hook input deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_7_inputpolicy.stdout' - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_7_forwardpolicy.stdout' - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_7_outputpolicy.stdout' when: - rhel9cis_firewall == "nftables" From dae7d03c342a16793b94872d51bc91a2c4894f42 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:47:13 +0000 Subject: [PATCH 278/454] lint Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 4 +-- tasks/section_4/cis_4.1.1.x.yml | 18 ++++++------ tasks/section_4/cis_4.1.2.x.yml | 10 +++---- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.1.4.x.yml | 52 ++++++++++++++++----------------- tasks/section_4/cis_4.2.2.x.yml | 8 ++--- tasks/section_4/cis_4.2.3.yml | 2 +- 7 files changed, 48 insertions(+), 48 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 226cd79f..ab151698 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
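Review bot: The three policy checks in 3.4.2.7 look for the literal `"type filter hook input priority 0; policy drop;"`, but as far as I can tell nftables 1.x as shipped with RHEL 9 prints standard priorities by name (`priority filter;`), so on such hosts the conditions never match and the `nft chain ... { policy drop \; }` commands run and report changed on every play even when the policy is already drop. A tolerant match fixes this: `when: rhel9cis_3_4_2_7_inputpolicy.stdout is not search('hook input priority (0|filter); policy drop;')`, with the same pattern for forward and output. The SSH check greps the whole table for the bare token `ssh`, so `grep -E 'tcp dport (ssh|22) accept'` would be a tighter audit. The block's `tags:` continue below the hunk.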
@@ -1,7 +1,7 @@ --- - name: "3.4.1.1 | PATCH | Ensure nftables is installed" - package: + ansible.builtin.package: name: - nftables state: present @@ -38,7 +38,7 @@ - rhel9cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" - systemd: + ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" enabled: true state: started diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index d21e6c45..167f8d22 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -3,13 +3,13 @@ - name: "4.1.1.1 | PATCH | Ensure auditd is installed" block: - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - package: + ansible.builtin.package: name: audit state: present when: '"auditd" not in ansible_facts.packages' - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - package: + ansible.builtin.package: name: audit-libs state: present when: '"auditd-lib" not in ansible_facts.packages' @@ -25,14 +25,14 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_2_grub_cmdline_linux - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - replace: + ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' 
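Review bot: In 4.1.1.1 the guards test `"auditd" not in ansible_facts.packages` and `"auditd-lib" not in ansible_facts.packages`, but the packages installed two lines above are named `audit` and `audit-libs`; neither key ever appears in `ansible_facts.packages`, so both conditions are always true and the tasks always run. This is harmless because the package module is idempotent, but either correct the names (`when: '"audit" not in ansible_facts.packages'` and `when: '"audit-libs" not in ansible_facts.packages'`) or drop the `when:` lines entirely, which is simpler and equally correct. The block's `when:`/`tags:` trailer continues below the hunk.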
@@ -40,7 +40,7 @@ when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' @@ -59,14 +59,14 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" - replace: + ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' @@ -74,7 +74,7 @@ when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' @@ -91,7 +91,7 @@ - rule_4.1.1.3 - name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" - service: + ansible.builtin.systemd: name: auditd state: started enabled: true diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 62bee82d..9850ce47 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml 
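Review bot: 4.1.1.2 edits `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, but RHEL 9 boots from BLS entries and the kernel command line does not change until `grub2-mkconfig -o /boot/grub2/grub.cfg` has been run, or `grubby --update-kernel ALL --args 'audit=1'` is used as the CIS remediation does; if a handler regenerates the config it is outside this hunk, so confirm one is notified. A comment above the `replace` task, e.g. `# edits /etc/default/grub only; the 'grub2cfg' handler must run for the change to reach the BLS entries`, would record that dependency. The rest of the 4.1.1.2 block (the `lineinfile` fallback, `notify`, `tags`) lies below the hunk.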
@@ -1,7 +1,7 @@ --- - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" @@ -17,7 +17,7 @@ - rule_4.1.2.1 - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" @@ -32,7 +32,7 @@ - rule_4.1.2.2 - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -51,14 +51,14 @@ - rule_4.1.2.3 - name: PATCH | Configure other keys for auditd.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^{{ item }}( |=)" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" notify: restart auditd when: - - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf.keys() | length > 0 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index ec614022..e29f4968 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -70,7 +70,7 @@ - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false check_mode: false 
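Review bot: The 4.1.3.6 `ansible.builtin.shell` loop expands `$i` unquoted in `find $i -xdev ...`, so a mount point containing whitespace is split into several arguments and the privileged-command inventory for that filesystem is silently wrong; with `failed_when: false` on the task, a failing `df` or `find` likewise yields an empty list instead of an error, and whatever audit rules are built from the registered output (outside this hunk) are then generated from nothing. Quote the variable and make the `-o` grouping explicit: `do find "$i" -xdev \( -type f -perm -4000 -o -type f -perm -2000 \) 2>/dev/null; done`. The move to `ansible.builtin.shell` is right here since the pipeline and `for` loop need a shell, but consider replacing `failed_when: false` with a check on the registered result's `rc` so a broken inventory fails the play rather than passing it.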
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index b7828ae6..d7cce3ba 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -16,13 +16,13 @@ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: - path: "{{ audit_logfile.stdout }}" - state: file - mode: 0640 - owner: root - group: root + path: "{{ audit_logfile.stdout }}" + state: file + mode: 0640 + owner: root + group: root when: - - rhel9cis_rule_4_1_4_1 or + - rhel9cis_rule_4_1_4_1 or rhel9cis_rule_4_1_4_2 or rhel9cis_rule_4_1_4_3 tags: @@ -38,14 +38,14 @@ block: - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" ansible.builtin.stat: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_logfile.stdout | dirname }}" register: auditlog_dir - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: directory - mode: 0750 + path: "{{ audit_logfile.stdout | dirname }}" + state: directory + mode: 0750 when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 
@@ -58,22 +58,22 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" block: - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" - ansible.builtin.stat: - path: "{{ item.path }}" - register: item_file - loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" - loop_control: - label: "{{ item.path }}" - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" - ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: file - mode: 0640 - loop: "{{ audit_config_files }}" - when: not item_file.stat.mode is match('06(0|4)0') + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" + ansible.builtin.stat: + path: "{{ item.path }}" + register: item_file + loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" + loop_control: + label: "{{ item.path }}" + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + mode: 0640 + loop: "{{ audit_config_files }}" + when: not item_file.stat.mode is match('06(0|4)0') when: - rhel9cis_rule_4_1_4_5 tags: @@ -158,7 +158,7 @@ - /sbin/auditd - /sbin/augenrules when: - - rhel9cis_rule_4_1_4_9 + - rhel9cis_rule_4_1_4_9 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 08db497e..474026cc 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml 
@@ -183,14 +183,14 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" ansible.builtin.set_fact: - systemd_conf_file: /etc/tmpfiles.d/systemd.conf + systemd_conf_file: /etc/tmpfiles.d/systemd.conf when: rhel9cis_4_2_2_7_override_stat.exists - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" ansible.builtin.lineinfile: - path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" - regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" - line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' + path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}" + regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" + line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' when: - rhel9cis_rule_4_2_2_7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index e1e6becc..3fa195c9 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -3,7 +3,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" block: - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" - ansible.builtin.find: + ansible.builtin.find: paths: "/var/log" type: file register: logfiles From 60d01a65826bae75601970a19293addd91f8cb85 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:00:51 +0000 Subject: [PATCH 279/454] removed args Signed-off-by: Mark Bolwell --- handlers/main.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 0fae419c..6b47f85b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,8 +3,6 @@ - name: reload sysctl shell: sysctl --system - args: - warn: false when: - sysctl_updated.changed 
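Review bot: The corrected `path:` in 4.2.2.7 still falls back to editing `/usr/lib/tmpfiles.d/systemd.conf`, a package-owned file that the next systemd update overwrites, so the 0640 journal permission is not durable on hosts that have no override yet. The usual remediation is to copy the vendor file to `/etc/tmpfiles.d/systemd.conf` when it is absent and always point `ansible.builtin.lineinfile` at `/etc/tmpfiles.d/systemd.conf`, which also makes the `set_fact` and the `default()` unnecessary. The preceding `when: rhel9cis_4_2_2_7_override_stat.exists` should read `rhel9cis_4_2_2_7_override_stat.stat.exists` if that variable is registered from `ansible.builtin.stat` (the registering task is outside this hunk), since the stat module nests `exists` under `stat`. The `regexp` also leaves the `.` in `system.journal` unescaped; `system\.journal` matches only the intended line.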
@@ -50,9 +48,9 @@ state: reloaded - name: remount tmp - shell: mount -o remount /tmp - args: - warn: false + ansible.posix.mount: + path: /tmp + state: remounted - name: restart firewalld service: @@ -71,13 +69,9 @@ - name: reload dconf shell: dconf update - args: - warn: false - name: grub2cfg shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" - args: - warn: false ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint @@ -118,8 +112,6 @@ - name: restart auditd shell: service auditd restart - args: - warn: false tags: - skip_ansible_lint From c18151e158ebcfacc7a39e7138a58dd921cb726e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:17 +0000 Subject: [PATCH 280/454] linting fqcn Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 26 ++++++++-------- tasks/section_5/cis_5.2.x.yml | 54 ++++++++++++++++----------------- tasks/section_5/cis_5.3.x.yml | 20 ++++++------ tasks/section_5/cis_5.4.x.yml | 12 ++++---- tasks/section_5/cis_5.5.x.yml | 20 ++++++------ tasks/section_5/cis_5.6.1.x.yml | 26 ++++++++-------- tasks/section_5/cis_5.6.x.yml | 19 ++++++------ 7 files changed, 88 insertions(+), 89 deletions(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 6af5981b..7cbcd7f1 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,7 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" - service: + ansible.builtin.service: name: crond enabled: true when: @@ -15,7 +15,7 @@ - rule_5.1.1 - name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - file: + ansible.builtin.file: dest: /etc/crontab owner: root group: root @@ -31,7 +31,7 @@ - rule_5.1.2 - name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - file: + ansible.builtin.file: dest: /etc/cron.hourly state: directory owner: root 
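Review bot: The `remount tmp` handler now uses `ansible.posix.mount`, which adds a dependency on the `ansible.posix` collection; unless it is already declared in the role's `meta/main.yml` or a `requirements.yml` (neither appears in this diff), the handler fails to resolve on a controller that does not have the collection installed. In the same file `grub2cfg` keeps `ignore_errors: true`, so a failed `grub2-mkconfig` leaves the kernel command line unchanged while the play reports success — the `audit=1` and `audit_backlog_limit` settings from section 4.1.1 rely on this handler actually completing. Register the result and fail on a specific condition instead of swallowing every error, or at least document the reason inline, e.g. `# ignore_errors: grub2-mkconfig is expected to fail on <reason> — TODO confirm and narrow to failed_when`.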
@@ -48,7 +48,7 @@ - rule_5.1.3 - name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - file: + ansible.builtin.file: dest: /etc/cron.daily state: directory owner: root @@ -65,7 +65,7 @@ - rule_5.1.4 - name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - file: + ansible.builtin.file: dest: /etc/cron.weekly state: directory owner: root @@ -80,7 +80,7 @@ - rule_5.1.5 - name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - file: + ansible.builtin.file: dest: /etc/cron.monthly state: directory owner: root @@ -96,7 +96,7 @@ - rule_5.1.6 - name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - file: + ansible.builtin.file: dest: /etc/cron.d state: directory owner: root @@ -115,17 +115,17 @@ - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" - file: + ansible.builtin.file: dest: /etc/cron.deny state: absent - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" - stat: + ansible.builtin.stat: path: "/etc/cron.allow" register: rhel9cis_5_1_8_cron_allow_state - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" - file: + ansible.builtin.file: dest: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root 
@@ -144,17 +144,17 @@ - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" block: - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - file: + ansible.builtin.file: dest: /etc/at.deny state: absent - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" - stat: + ansible.builtin.stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" - file: + ansible.builtin.file: dest: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 11eca291..580585ef 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,7 +1,7 @@ --- - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" - file: + ansible.builtin.file: dest: /etc/ssh/sshd_config state: file owner: root @@ -21,7 +21,7 @@ - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' recurse: true @@ -29,7 +29,7 @@ register: rhel9cis_5_2_2_ssh_private_host_key - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -52,7 +52,7 @@ - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' recurse: true 
@@ -60,7 +60,7 @@ register: rhel9cis_5_2_3_ssh_public_host_key - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -82,7 +82,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited" block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} @@ -91,7 +91,7 @@ when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} @@ -100,7 +100,7 @@ when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} @@ -109,7 +109,7 @@ when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} @@ -127,7 +127,7 @@ - rule_5.2.4 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' @@ -143,7 +143,7 @@ - rule_5.2.5 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' 
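Review bot: `ansible.builtin.linefile:` is not a module — the module is `ansible.builtin.lineinfile` — so every task in the 5.2.4 through 5.2.20 hunks (this line and the same rename on the three following lines, ending with the 5.2.20 ClientAliveCountMax task) fails at play parse time with an unresolved action, and none of the `sshd_config` hardening in section 5.2 is applied. Replace each `ansible.builtin.linefile:` with `ansible.builtin.lineinfile:`. The `ansible.builtin.file` and `ansible.builtin.find` renames in 5.2.1–5.2.3 are correct. The `validate: sshd -t -f %s` that the 5.2.20 tasks carry would be worth adding to the other lineinfile tasks, where it is not visible in these hunks, so a bad directive cannot lock operators out of the host.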
@@ -159,7 +159,7 @@ - rule_5.2.6 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' @@ -175,7 +175,7 @@ - rule_5.2.7 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' @@ -191,7 +191,7 @@ - rule_5.2.8 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' @@ -207,7 +207,7 @@ - rule_5.2.9 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' @@ -223,7 +223,7 @@ - rule_5.2.10 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' @@ -239,7 +239,7 @@ - rule_5.2.11 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' @@ -255,7 +255,7 @@ - rule_5.2.12 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' 
@@ -273,13 +273,13 @@ - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" block: - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" - shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + ansible.builtin.shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: @@ -293,7 +293,7 @@ - rule_5.2.14 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' @@ -308,7 +308,7 @@ - rule_5.2.15 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' @@ -324,7 +324,7 @@ - rule_5.2.16 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' @@ -340,7 +340,7 @@ - rule_5.2.17 - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' @@ -356,7 +356,7 @@ - rule_5.2.18 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" 
@@ -374,14 +374,14 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index f9dad143..0cdfaac9 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -1,7 +1,7 @@ --- - name: "5.3.1 | PATCH | Ensure sudo is installed" - package: + ansible.builtin.package: name: sudo state: present when: @@ -15,7 +15,7 @@ - rule_5.3.1 - name: "5.3.2 | PATCH | Ensure sudo commands use pty" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers line: "Defaults use_pty" validate: '/usr/sbin/visudo -cf %s' @@ -30,7 +30,7 @@ - rule_5.3.2 - name: "5.3.3 | PATCH | Ensure sudo log file exists" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' @@ -46,7 +46,7 @@ - rule_5.3.3 - name: "5.3.4 | PATCH | Ensure users must provide password for escalation" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -64,7 +64,7 @@ - rule_5.3.4 - name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' 
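Review bot: The 5.3.4 regexp `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` does not express the intended exception: the Jinja renders inside a bracket expression, so on EC2 the class becomes `[^#|ec2-user]`, which skips every sudoers line whose first character is one of `#`, `|`, `e`, `c`, `2`, `-`, `u`, `s`, `r` — an entry such as `root ALL=(ALL) NOPASSWD:ALL` or any user beginning with those letters keeps its NOPASSWD. A negative lookahead states the rule directly and keeps `replace: '\1PASSWD\2'` unchanged: `regexp: '^(?!#){% if system_is_ec2 %}(?!ec2-user\b){% endif %}(.*)NOPASSWD(.*)'`. Off EC2 the current class also excludes `|`, harmlessly; the sibling 5.3.5 task uses a plain `[^#]` and is fine. A comment on the task, e.g. `# ec2-user keeps NOPASSWD on EC2 images so cloud-init provisioned access is not broken`, would record why the exception exists.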
@@ -84,13 +84,13 @@ - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" block: - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" - shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel9cis_5_3_6_timeout_files - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" @@ -98,7 +98,7 @@ when: rhel9cis_5_3_6_timeout_files.stdout | length == 0 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" @@ -119,13 +119,13 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted" block: - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - user: + ansible.builtin.user: name: "{{ rhel9cis_sugroup_users }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index fc0f2ade..d78d6cef 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
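Review bot: The 5.3.7 `ansible.builtin.user` task sets `groups: "{{ rhel9cis_sugroup | default('wheel') }}"` without `append: true`, so the account named by `rhel9cis_sugroup_users` is removed from every other supplementary group it belongs to (the module replaces the group list unless `append` is set) — on a real admin account a hardening run can strip sudo-relevant or service groups as a side effect. Add `append: true` beneath `groups:`. The variable name is plural but is passed as a single `name:` value; if it is meant to hold a list, the task needs `loop: "{{ rhel9cis_sugroup_users }}"` with `name: "{{ item }}"`, which is not visible here.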
@@ -3,20 +3,20 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" - shell: 'authselect current | grep "Profile ID: custom/"' + ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"' failed_when: false changed_when: false check_mode: false register: rhel9cis_5_4_1_profiles - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" - debug: + ansible.builtin.debug: msg: - "Below are the current custom profiles" - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" - shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} + ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 
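Review bot: In 5.4.1 the `ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}` task interpolates role variables straight into a shell command line with no quoting and no `changed_when`; it uses no pipe or redirection, so `ansible.builtin.command` with the `quote` filter is the safer, lint-clean form: `ansible.builtin.command: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] | quote }} -b {{ rhel9cis_authselect['default_file_to_copy'] | quote }}`. As written the task reports changed on every run; a `creates:` argument pointing at the custom profile directory authselect writes under `/etc/authselect/custom/` would make it idempotent. The first task in the block legitimately needs a shell for its pipe and already has `changed_when: false`.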
@@ -31,20 +31,20 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - shell: "authselect current | grep with-faillock" + ansible.builtin.shell: "authselect current | grep with-faillock" failed_when: false changed_when: false check_mode: false register: rhel9cis_5_4_2_profiles_faillock - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - debug: + ansible.builtin.debug: msg: - "Below are the current custom profiles" - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index d16d91f6..8f0f4d93 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -3,7 +3,7 @@ - name: "5.5.1 | PATCH | " block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" 
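Review bot: The 5.4.2 `authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock` call sets the profile's feature list to exactly `with-faillock`, so any feature already enabled on the host (e.g. `with-mkhomedir` or `with-sudo`) is dropped when the task runs; `authselect enable-feature with-faillock` adds the feature without that side effect, or the task should pass the complete list of wanted features. As with the 5.4.1 tasks on the preceding line, the command has no pipe and is better expressed as `ansible.builtin.command` with `| quote` on the interpolated profile name. The 5.5.1 block is named `"5.5.1 | PATCH | "` with the title missing; `"5.5.1 | PATCH | Ensure password creation requirements are configured"` matches its sub-tasks.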
@@ -12,14 +12,14 @@ - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" @@ -33,7 +33,7 @@ - rule_5.5.1 - name: "5.5.2 | PATCH | Ensure system accounts are secured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -46,13 +46,13 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited" block: - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' 
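Review bot: The 5.5.1 and 5.5.3 tasks edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` directly, but on a RHEL 9 host managed by authselect (which section 5.4 sets up) those files are generated from the selected profile, so the next `authselect select` or `authselect apply-changes` — including a re-run of 5.4.2 on the following play — regenerates them and the pwquality, faillock and pwhistory lines are lost. The durable place for these edits is the custom profile created in 5.4.1 (its `system-auth` and `password-auth` templates under `/etc/authselect/custom/`), followed by `authselect apply-changes`; whether `ansible.builtin.lineinfile` writes through the `/etc/pam.d` symlink or replaces it with a regular file depends on the module version, and either way `authselect check` then reports the configuration as modified. Separately, 5.5.2 is named "Ensure system accounts are secured" — the same title 5.6.2 uses — while it edits `/etc/security/faillock.conf`; the name should describe the lockout rule it implements.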
@@ -67,25 +67,25 @@ - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" - replace: + ansible.builtin.replace: path: /etc/libuser.conf regexp: '^crypt_style\s*=\s*.*$' replace: 'crypt_style = sha512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" - replace: + ansible.builtin.replace: path: /etc/pam.d/password-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 358d0758..2e178cd2 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -1,7 +1,7 @@ --- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS' line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" @@ -16,7 +16,7 @@ - rule_5.5.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS' line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" 
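Review bot: The `tags` list of 5.6.1.1, visible as the first context line of the `@@ -16` hunk in cis_5.6.1.x.yml, carries `- rule_5.5.1.1`, so `--tags rule_5.6.1.1` does not select the task and `--tags rule_5.5.1.1` pulls in the wrong one; it should read `- rule_5.6.1.1`. In 5.5.4 the four `ansible.builtin.replace` tasks rewrite the entire `pam_unix.so` and `ENCRYPT_METHOD` lines with a fixed argument list, which satisfies the benchmark but also discards any site-specific options that were present; a comment such as `# whole line is replaced on purpose so no weaker hashing option can survive` would make that intent explicit. The `/etc/pam.d/*-auth` edits here carry the same authselect-regeneration caveat as the other section 5.5 tasks.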
@@ -31,7 +31,7 @@ - rule_5.6.1.2 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE' line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" @@ -48,24 +48,24 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" - shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" with_items: - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" when: 
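Review bot: The 5.6.1.4 block registers the user list as `rhel_8_5_6_1_4_user_list`, a leftover from the RHEL 8 role that breaks the `rhel9cis_` prefix every other registered variable in this file uses; rename it to `rhel9cis_5_6_1_4_user_list` in both the `register:` and the `with_items:` reference. That loop still uses `with_items:` while the same commit converts 5.6.2 and 5.6.3 to `loop:`; `loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"` keeps the file consistent. The `useradd -D | grep INACTIVE={{ ... }} | cut` check is a substring match, so a wanted value of `30` is also satisfied by an existing `INACTIVE=300`; anchoring with `grep '^INACTIVE={{ rhel9cis_inactivelock.lock_days }}$'` avoids that, and a comment such as `# empty output means INACTIVE is not yet set to the wanted value` would explain the `length == 0` test below.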
@@ -81,33 +81,33 @@ - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) + ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_5_currentut - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_5_user_list - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - debug: + ansible.builtin.debug: msg: "Good News! All accounts have PW change dates that are in the past" when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - debug: + ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" warn_count: "{{ warn_count | int + 1 }}" when: 
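Review bot: In 5.6.1.5 the warning-count `ansible.builtin.set_fact` builds `control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"` with the `+` outside the Jinja delimiters, so the rendered value is the text of the old list followed by ` + [ 'rule_5.6.1.5' ]`; it only becomes a list if Ansible's legacy string-to-literal conversion happens to evaluate it, which does not hold under `jinja2_native`. Put the concatenation inside the expression: `control_number: "{{ control_number + ['rule_5.6.1.5'] }}"`; if other warning tasks in the role use the same shape they need the same change. The date task also runs with `failed_when: false`, so when it produces no output the awk in the next task renders as `$3>)`, that task (again `failed_when: false`) returns nothing, and the "Good News!" message is printed on an unverified result; dropping `failed_when: false` from those two AUDIT tasks makes the failure visible.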
@@ -115,7 +115,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - command: passwd --expire {{ item }} + ansible.builtin.command: passwd --expire {{ item }} when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index f1052c37..4f0ec0ba 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -3,7 +3,7 @@ - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - name: "5.6.2 | Ensure system accounts are secured | Set nologin" - user: + ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin with_items: @@ -21,11 +21,10 @@ label: "{{ item.id }}" - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: + ansible.builtin.user: name: "{{ item.id }}" password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" when: - item.id != "halt" - item.id != "shutdown" @@ -48,7 +47,7 @@ - rule_5.6.2 - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: + ansible.builtin.blockinfile: create: true mode: 0644 dest: "{{ item.dest }}" @@ -58,7 +57,7 @@ TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT - with_items: + loop: - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } when: @@ -72,7 +71,7 @@ - rule_5.6.3 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - user: + ansible.builtin.user: name: root group: 0 when: 
@@ -88,7 +87,7 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" @@ -97,13 +96,13 @@ - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - replace: + ansible.builtin.replace: path: /etc/bashrc regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: '\1 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - replace: + ansible.builtin.replace: path: /etc/profile regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: '\1 027' From a85902ef2fb4745bc7ea680a3ede61c4f2bf3114 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:31 +0000 Subject: [PATCH 281/454] loop improvememts Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 54 ++++++++++++++++----------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index d7cce3ba..e79b5069 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml 
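Review bot: The /etc/bashrc and /etc/profile `replace` tasks in the second hunk use `regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'`, where the global inline flag `(?i)` comes after `^`; Python's `re` has warned about a global flag that is not at the start of the pattern since 3.6 and raises `re.error` for it from 3.11, so on a controller with a recent Python both tasks will fail. Move the flag to the front in both tasks: `regexp: '(?i)^(\s+UMASK|UMASK)\s0[0-2][0-6]'`. The commit only swapped `replace:` for its FQCN, so the pattern is an unchanged context line here, but since these lines are being touched it is the right moment to fix it.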
@@ -57,25 +57,16 @@ - rule_4.1.4.4 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" - block: - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" - ansible.builtin.stat: - path: "{{ item.path }}" - register: item_file - loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" - loop_control: - label: "{{ item.path }}" - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" - ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: file - mode: 0640 - loop: "{{ audit_config_files }}" - when: not item_file.stat.mode is match('06(0|4)0') - when: - - rhel9cis_rule_4_1_4_5 + ansible.builtin.file: + path: "{{ item.path }}" + state: file + mode: 0640 + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + when: + - item.mode != '06(0|4)0' + - rhel9cis_rule_4_1_4_5 tags: - level2-server - level2-workstation @@ -85,10 +76,12 @@ - name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ item.path }}" state: file owner: root - loop: "{{ audit_config_files }}" + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_1_4_6 tags: @@ -100,10 +93,12 @@ - name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ item.path }}" state: file group: root - loop: "{{ audit_config_files }}" + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_1_4_7 tags: 
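Review bot: The rewritten 4.1.4.5 task guards with `- item.mode != '06(0|4)0'`, which is a plain string comparison against the literal text `06(0|4)0` rather than a regex test, so it is true for every file; every audit config file is then forced to `0640`, and a file that is already tighter (0600, which the removed `is match('06(0|4)0')` deliberately skipped) is loosened to group-readable — the opposite of "640 or more restrictive". Restore the regex test, `- not item.mode is match('06(0|4)0')`; modes such as 0400 or 0440 would also be loosened by this task, so a pattern like `'0[0246][04]0'` (owner within rw, group within r, other none) is closer to the control's intent. The same guard-free shape is fine for the 4.1.4.6/4.1.4.7 hunks, since owner and group changes cannot loosen permissions. This assumes `auditd_conf_files` is a registered `find` result whose entries carry a string `mode`, as the `.files`/`.path` usage suggests; it is registered outside this hunk.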
@@ -115,7 +110,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" block: - - name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode" + - name: "PRELIM | 4.1.4.8 | Get audit binary file stat | get current mode" ansible.builtin.stat: path: "{{ item }}" register: "audit_bins" @@ -127,14 +122,19 @@ - /sbin/auditd - /sbin/augenrules + - debug: + msg: "{{ audit_bins }}" + - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.item }}" state: file mode: 0750 register: "audit_bins" - loop: "{{ audit_bins.results.stat.path }}" - when: not audit_bins.stat.mode is match('07(0|5)(0|5)') + loop: "{{ audit_bins.results }}" + loop_control: + label: "{{ item.item }}" + when: not item.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_8 tags: From c129d9af23f9913c9f047bddc3061dc53522f20e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:43 +0000 Subject: [PATCH 282/454] fix items Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index e34f677d..b1a20a9b 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -190,11 +190,11 @@ regexp: '{{ item }}' replace: '#\1' notify: restart rsyslog - with_items: - - '^\$ModLoad imtcp' - - '^\$InputTCPServerRun' - - '^module\(load="imtcp"\)' - - '^input\(type="imtcp" port=.*\)' + loop: + - '^(\$ModLoad imtcp)' + - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' when: not rhel9cis_system_is_log_server - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" 
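Review bot: The bare `- debug: msg: "{{ audit_bins }}"` inserted between the stat and file tasks of the 4.1.4.8 block looks like leftover troubleshooting — it has no name, is not FQCN like the tasks around it, and dumps every stat result on every run; remove it. In the same hunk, `when: not item.stat.mode is match('07(0|5)0')` also rewrites a binary that is at 0755 (which already satisfies "755 or more restrictive") down to 0750; that is a tightening, not a defect, but since the title promises 755 a comment such as `# applies 0750; binaries at 0755 are tightened on first run` would save the next reader a double-take. If any of the listed paths is absent, `item.stat.mode` is undefined and the loop errors, so `- item.stat.exists` as a first condition would be a cheap guard.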
@@ -203,11 +203,11 @@ regexp: '^#(.*{{ item }}.*)' replace: '\1' notify: restart rsyslog - with_items: + loop: - 'ModLoad imtcp' - 'InputTCPServerRun' - 'module\(load="imtcp"\)' - - 'input\(type="imtcp" port=".*")' + - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 From 876b5d350895296dd8b876b85764eca00f847833 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:59 +0000 Subject: [PATCH 283/454] improved find Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.3.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 3fa195c9..a7a623a0 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -5,14 +5,17 @@ - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" ansible.builtin.find: paths: "/var/log" - type: file + file_type: file + recurse: true register: logfiles - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" ansible.builtin.file: - paths: "{{ item.path }}" + path: "{{ item.path }}" mode: 0640 - register: logfiles + loop: "{{ logfiles.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_2_3 tags: From 793b1e16666cb8b082898c5723aed217755a707d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:02:10 +0000 Subject: [PATCH 284/454] title update Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 6709458b..ac0078ce 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
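Review bot: The new 4.2.3 task applies `mode: 0640` unconditionally to every regular file the recursive `find` returns under /var/log, so any log that is already tighter than 0640 (for example a 0600 file) is loosened to group-readable, and files whose owning service expects a different mode (journal, sssd, gdm, wtmp/btmp/lastlog are, as far as I recall, handled case by case in the benchmark's own remediation) are overwritten too. At minimum skip files already at or below the threshold with `when: not item.mode is match('0[0246][04]0')` (owner within rw, group within r, other none), which relies on `find` returning `mode` as a four-character string. The second task is also still titled `"4.2.3 | AUDIT | … | find files"` although it is the PATCH step that changes modes; `"4.2.3 | PATCH | Ensure permissions on all logfiles are configured | set permissions"` would match the convention used elsewhere in the role.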
@@ -7,7 +7,7 @@ name: rsyslog-logrotate state: present - - name: "4.3.2 | PATCH | Ensure logrotate is configured | scheduled" + - name: "4.3 | PATCH | Ensure logrotate is configured | scheduled" ansible.builtin.systemd: name: logrotate.timer state: started @@ -36,4 +36,4 @@ - manual - patch - logrotate - - rule_4.3.1 + - rule_4.3 From bcc59228328d164608c6800f8cef2e7e6c238368 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:02:18 +0000 Subject: [PATCH 285/454] removed args Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 29d98b37..ae29cbba 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -4,8 +4,6 @@ block: - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto - args: - warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -48,8 +46,6 @@ - name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false changed_when: false failed_when: false when: From 7c6555d92ef27eff7249b3900550b63dd80c5dd9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 09:09:21 +0000 Subject: [PATCH 286/454] Lint updates & control alignment Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 8 -------- tasks/section_5/cis_5.2.x.yml | 20 -------------------- tasks/section_5/cis_5.3.x.yml | 7 ------- tasks/section_5/cis_5.4.x.yml | 1 - tasks/section_5/cis_5.5.x.yml | 12 ++++++------ tasks/section_5/cis_5.6.1.x.yml | 4 ---- tasks/section_5/cis_5.6.x.yml | 24 ++++++++++++++++++++---- 7 files changed, 26 insertions(+), 50 deletions(-) 
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 7cbcd7f1..9edc7c71 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -9,7 +9,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.1 @@ -25,7 +24,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.2 @@ -42,7 +40,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.3 @@ -59,7 +56,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.4 @@ -91,7 +87,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_5.1.6 @@ -107,7 +102,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.7 @@ -136,7 +130,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.8 @@ -165,7 +158,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.9 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 580585ef..a599a4b7 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -12,7 +12,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - permissions @@ -43,7 +42,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - permissions @@ -74,7 +72,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.3 @@ -121,7 +118,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.4 @@ -137,7 +133,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sshs - rule_5.2.5 @@ -153,7 +148,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.6 @@ -169,7 +163,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.7 
@@ -185,7 +178,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.8 @@ -201,7 +193,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.9 @@ -217,7 +208,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.10 @@ -233,7 +223,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.11 @@ -249,7 +238,6 @@ tags: - level2-server - level1-workstation - - automated - patch - ssh - rule_5.2.12 @@ -265,7 +253,6 @@ tags: - level2-server - level2-workstation - - automated - patch - ssh - rule_5.2.13 @@ -287,7 +274,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.14 @@ -302,7 +288,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.15 @@ -318,7 +303,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.16 @@ -334,7 +318,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.17 @@ -350,7 +333,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.18 @@ -366,7 +348,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.19 @@ -391,7 +372,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 0cdfaac9..25d05d28 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -9,7 +9,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.1 @@ -24,7 +23,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.2 @@ -40,7 +38,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.3 @@ -58,7 +55,6 @@ tags: - level2-server - level2-workstation - - automated - patch - sudo - rule_5.3.4 
@@ -76,7 +72,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.5 @@ -111,7 +106,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.6 @@ -133,7 +127,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index d78d6cef..ac37cf23 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -51,7 +51,6 @@ tags: - level1-server - level1-workstation - - automated - patch - authselect - rule_5.4.2 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 8f0f4d93..51c18f9d 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.5.1 | PATCH | " +- name: "5.5.1 | PATCH | Ensure password creation requirements are configured" block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" ansible.builtin.lineinfile: @@ -32,7 +32,7 @@ - patch - rule_5.5.1 -- name: "5.5.2 | PATCH | Ensure system accounts are secured" +- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" @@ -45,7 +45,7 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited" block: - - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" 
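Review bot: The 5.5.3 sub-task in the last hunk is renamed to `… | pwquality`, but the line it manages is `pam_pwhistory.so`; the old name `pwhistory` was the accurate one, so this rename mislabels the task in play output. Keep `- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory"`. Separately, the `lineinfile` writes straight into /etc/pam.d/system-auth, which on RHEL 9 is normally an authselect-managed file, so the edit may be reverted by the next `authselect apply-changes`; the rest of the task (its `when` and `tags`) is outside the hunk, so I cannot see whether a custom profile is selected first — a comment stating the assumption would help either way.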
@@ -54,8 +54,8 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" ansible.builtin.replace: path: /etc/pam.d/system-auth - regexp: '^password\s*sufficient\s*pam_unix.so.*$' - replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$' + replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -64,7 +64,7 @@ - patch - rule_5.5.3 -- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt" block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" ansible.builtin.replace: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 2e178cd2..df3478f0 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -10,7 +10,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.5.1.1 @@ -25,7 +24,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.6.1.2 @@ -40,7 +38,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.5.1.3 @@ -73,7 +70,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.6.1.4 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 4f0ec0ba..884efd84 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -41,7 +41,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.2 @@ -65,7 +64,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.3 
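Review bot: The first hunk changes the control flag of the `pam_unix.so` password line from `sufficient` to `requisite`. In the stock system-auth password stack (`sufficient pam_unix.so`, then `sufficient pam_sss.so`, then `required pam_deny.so`) a successful `requisite` pam_unix no longer ends the stack, so evaluation falls through to `pam_deny` and password changes for local users fail; unless the surrounding stack, which is not visible here, is rewritten as well, the replacement should stay `replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'`. The new regex also lists `sufficient` twice — `(sufficient|requisite)` is enough. As this file is authselect-managed on RHEL 9, a comment on how the edit survives `authselect apply-changes` would also be worth adding.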
@@ -79,7 +77,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.4 @@ -111,7 +108,26 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.5 + +- name: "5.6.6 | PATCH | Ensure root password is set" + block: + - name: "5.6.6 | PATCH | Ensure root password is set" + ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + register: root_passwd + + - name: "5.6.6 | PATCH | Ensure root password is set" + ansible.builtin.fail: + msg: The root password is not set + when: root_passwd.rc != 0 + when: + - rhel9cis_rule_5_6_6 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - root + - rule_5.6.6 From 0c279ad97deb49981f34754e0d4dc0de2f72b024 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 09:09:49 +0000 Subject: [PATCH 287/454] new control 5.6.6 added Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + templates/ansible_vars_goss.yml.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 3436dea2..168ce675 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -305,6 +305,7 @@ rhel9cis_rule_5_6_2: true rhel9cis_rule_5_6_3: true rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true +rhel9cis_rule_5_6_6: true # Section 6 rules rhel9cis_rule_6_1_1: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 89f2787d..c553121d 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -332,6 +332,7 @@ rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }} rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }} rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }} rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }} +rhel9cis_rule_5_6_6: {{ rhel9cis_rule_5_6_6 }} # Section 6 # 6 System Maintenance From 198359cfbb6918867b7a778214d083ad080a01c0 Mon Sep 17 00:00:00 2001 
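Review bot: The new 5.6.6 shell task `passwd -S root | grep "Password set, SHA512 crypt"` has no `failed_when`, so when grep finds no match the task itself fails with a generic shell error and the following `fail` task with the intended message never runs; add `failed_when: false` and `changed_when: false` to the shell task (it changes nothing, yet is reported as changed on every run). The grep pattern also hard-codes SHA512: a root password hashed with yescrypt, which the same commit acknowledges in the new 5.5.4 title, is reported by `passwd -S` with a different algorithm string as far as I can tell, so the control would fire falsely; matching on `grep "Password set"` covers both. The block and both tasks are labelled PATCH although nothing is modified; `AUDIT` would be consistent with the other check-only controls in the role.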
From: Mark Bolwell Date: Fri, 13 Jan 2023 10:04:16 +0000 Subject: [PATCH 288/454] reorder and lint Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 316 ++++++++++++++++------------------ 1 file changed, 152 insertions(+), 164 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index ae29cbba..1457f6e5 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
@@ -1,147 +1,82 @@ --- -- name: "6.1.1 | AUDIT | Audit system file permissions" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" - shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto - changed_when: false - failed_when: false - register: rhel9cis_6_1_1_packages_rpm - - - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" - copy: - dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy - content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" - owner: root - group: root - mode: 0640 - - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" - debug: - msg: | - "Warning!! You have some package descrepancies issues. - The file list can be found in {{ rhel9cis_rpm_audit_file }}" - - - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" - debug: - msg: "Good News! 
There are no package descrepancies" - when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0 - when: - - rhel9cis_rule_6_1_1 - tags: - - level2-server - - level2-workstation - - manual - - audit - - permissions - - rule_6.1.1 - -- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - changed_when: false - failed_when: false - when: - - rhel9cis_rule_6_1_2 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - automated - - patch - - stickybits - - permissons - - rule_1.1.21 - -- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured" - file: +- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" + ansible.builtin.file: dest: /etc/passwd owner: root group: root mode: 0644 when: - - rhel9cis_rule_6_1_3 + - rhel9cis_rule_6_1_1 tags: - level1-server - level1-workstation - - automated - patch - permissions - - rule_6.1.3 + - rule_6.1.1 -- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" - file: - dest: /etc/shadow +- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" + ansible.builtin.file: + dest: /etc/passwd- owner: root group: root - mode: 0000 + mode: 0644 when: - - rhel9cis_rule_6_1_4 + - rhel9cis_rule_6_1_2 tags: - level1-server - level1-workstation - - automated - patch - permissions - - rule_6.1.4 + - rule_6.1.2 -- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" - file: +- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" + ansible.builtin.file: dest: /etc/group- owner: root group: root mode: 0644 when: - - rhel9cis_rule_6_1_5 + - rhel9cis_rule_6_1_3 tags: - level1-server - level1-workstation - - automated - patch - permissions - - rule_6.1.5 + - rule_6.1.3 -- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured" - file: - dest: 
/etc/gshadow +- name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" + ansible.builtin.file: + dest: /etc/group- owner: root group: root - mode: 0000 + mode: 0644 when: - - rhel9cis_rule_6_1_6 + - rhel9cis_rule_6_1_4 tags: - level1-server - level1-workstation - - automated - patch - - permissions - - rule_6.1.6 + - permissionss + - rule_6.1.4 -- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured" - file: - dest: /etc/passwd- +- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" + ansible.builtin.file: + dest: /etc/shadow owner: root group: root - mode: 0644 + mode: 0000 when: - - rhel9cis_rule_6_1_7 + - rhel9cis_rule_6_1_5 tags: - level1-server - level1-workstation - - automated - patch - permissions - - rule_6.1.7 + - rule_6.1.5 - name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - file: + ansible.builtin.file: dest: /etc/shadow- owner: root group: root 
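Review bot: After the renumbering both 6.1.3 ("Ensure permissions on /etc/group are configured") and 6.1.4 ("… /etc/group-") point at `dest: /etc/group-`, so /etc/group itself is never set; the `dest` line under 6.1.3 is an unchanged context line carried over from the old 6.1.5 task, which had the same mismatch, and the reorder did not catch it. Change the 6.1.3 task to `dest: /etc/group`. The new 6.1.4 tag list also carries `- permissionss` (typo, copied from the old 6.1.9 task), so `--tags permissions` skips that task; use `- permissions`. The hunk ends part-way through the 6.1.6 task.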
@@ -151,68 +86,65 @@ tags: - level1-server - level1-workstation - - automated - patch - permissions - rule_6.1.6 -- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured" - file: - dest: /etc/group- +- name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" + ansible.builtin.file: + dest: /etc/gshadow owner: root group: root - mode: 0644 + mode: 0000 when: - - rhel9cis_rule_6_1_9 + - rhel9cis_rule_6_1_7 tags: - level1-server - level1-workstation - - automated - patch - - permissionss - - rule_6.1.9 + - permissions + - rule_6.1.7 -- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured" - file: +- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" + ansible.builtin.file: dest: /etc/gshadow- owner: root group: root mode: 0000 when: - - rhel9cis_rule_6_1_10 + - rhel9cis_rule_6_1_8 tags: - level1-server - level1-workstation - - automated - patch - permissions - rule_6.1.10 -- name: "6.1.11 | PATCH | Ensure no world writable files exist" +- name: "6.1.9 | PATCH | Ensure no world writable files exist" block: - - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: rhel_08_6_1_11_perms_results + register: rhel_08_6_1_9_perms_results - - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - debug: + - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" + ansible.builtin.debug: msg: "Good news! 
We have not found any world-writable files on your system" when: - - rhel_08_6_1_11_perms_results.stdout is not defined + - rhel_08_6_1_9_perms_results.stdout is not defined - - name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - file: + - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" + ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_9_perms_results.stdout_lines }}" when: - - rhel_08_6_1_11_perms_results.stdout_lines is defined + - rhel_08_6_1_9_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust when: - - rhel9cis_rule_6_1_11 + - rhel9cis_rule_6_1_9 tags: - level1-server - level1-workstation 
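Review bot: The task renumbered to 6.1.8 (/etc/gshadow-) still tags itself `- rule_6.1.10`, an unchanged context line that no longer matches the `rhel9cis_rule_6_1_8` condition above it, so a run with `--tags rule_6.1.8` silently skips it; change it to `- rule_6.1.8`. In the 6.1.9 block, `when: rhel_08_6_1_9_perms_results.stdout is not defined` can never hold — a registered shell result always carries `stdout`, possibly empty — so the "Good news" message never prints; `when: rhel_08_6_1_9_perms_results.stdout | length == 0` is the intended check. The PATCH step's `state: touch` also bumps the mtime of every listed file on each run and recreates a file removed between the find and the chmod; `state: file` with `mode: o-w` errors instead of creating and is idempotent. The hunk ends inside the 6.1.9 tag list.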
@@ -220,136 +152,192 @@ - patch - files - permissions - - rule_6.1.11 + - rule_6.1.9 -- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist" +- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist" block: - - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - command: find "{{ item.mount }}" -xdev -nouser + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser changed_when: false failed_when: false check_mode: false - register: rhel_08_6_1_12_audit + register: rhel_08_6_1_10_audit with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" - debug: + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" + ansible.builtin.debug: msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_12_audit.results }}" + with_items: "{{ rhel_08_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 when: - - rhel9cis_rule_6_1_12 + - rhel9cis_rule_6_1_10 tags: - level1-server - level1-workstation - - automated - audit - files - permissions - - rule_6.1.12 + - rule_6.1.10 -- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist" +- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist" block: - - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - command: find "{{ item.mount }}" -xdev -nogroup + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or 
directories exist | Finding all ungrouped files or directories" + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false - register: rhel_08_6_1_13_audit + register: rhel_08_6_1_11_audit with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" - debug: + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" + ansible.builtin.debug: msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_13_audit.results }}" + with_items: "{{ rhel_08_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 when: - - rhel9cis_rule_6_1_13 + - rhel9cis_rule_6_1_11 tags: - level1-server - level1-workstation - - automated - audit - files - permissions - - rule_6.1.13 + - rule_6.1.11 + +- name: "6.1.12 | PATCH | Ensure sticky bit is set on all world-writable directories" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + changed_when: false + failed_when: false + when: + - rhel9cis_rule_6_1_12 + tags: + - level1-server + - level1-workstation + - patch + - stickybits + - permissons + - rule_1.1.21 -- name: "6.1.14 | AUDIT | Audit SUID executables" +- name: "6.1.13 | AUDIT | Audit SUID executables" block: - - name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables" - shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + - name: "6.1.13 | AUDIT | Audit SUID executables | Find all SUID executables" + ansible.builtin.shell: df {{ 
item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 failed_when: false changed_when: false - register: rhel_08_6_1_14_perms_results + register: rhel_08_6_1_13_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" - debug: + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + ansible.builtin.debug: msg: "Good news! We have not found any SUID executable files on your system" failed_when: false changed_when: false when: - - rhel_08_6_1_14_perms_results.stdout is not defined + - rhel_08_6_1_13_perms_results.stdout is not defined - - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" - debug: + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + ansible.builtin.debug: msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" when: - - rhel_08_6_1_14_perms_results.stdout is defined + - rhel_08_6_1_13_perms_results.stdout is defined when: - - rhel9cis_rule_6_1_14 + - rhel9cis_rule_6_1_13 tags: - level1-server - level1-workstation - manual - audit - files - - rule_6.1.14 + - rule_6.1.13 -- name: "6.1.15 | AUDIT | Audit SGID executables" +- name: "6.1.14 | AUDIT | Audit SGID executables" block: - - name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables" - shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + - name: "6.1.14 | AUDIT | Audit SGID executables | Find all SGID executables" + ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 failed_when: false changed_when: false 
- register: rhel_08_6_1_15_perms_results + register: rhel_08_6_1_14_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - debug: + - name: "6.1.14 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + ansible.builtin.debug: msg: "Good news! We have not found any SGID executable files on your system" failed_when: false changed_when: false when: - - rhel_08_6_1_15_perms_results.stdout is not defined + - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" - debug: + - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" + ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - - rhel_08_6_1_15_perms_results.stdout is defined + - rhel_08_6_1_14_perms_results.stdout is defined when: - - rhel9cis_rule_6_1_15 + - rhel9cis_rule_6_1_14 tags: - level1-server - level1-workstation - manual - audit - files + - rule_6.1.14 + +- name: "6.1.15 | AUDIT | Audit system file permissions" + block: + - name: "6.1.15 | AUDIT | Audit system file permissions | Audit the packages" + ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto + changed_when: false + failed_when: false + register: rhel9cis_6_1_15_packages_rpm + + - name: "6.1.15 | AUDIT | Audit system file permissions | Create list and warning" + block: + - name: "6.1.15 | AUDIT | Audit system file permissions | Add file discrepancy list to system" + ansible.builtin.copy: + dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy + content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" + owner: root + group: root + mode: 0640 + + - name: 
"6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" + ansible.builtin.debug: + msg: | + "Warning!! You have some package descrepancies issues. + The file list can be found in {{ rhel9cis_rpm_audit_file }}" + + - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + + - name: "6.1.15 | AUDIT | Audit system file permissions | Message out no package descrepancies" + ansible.builtin.debug: + msg: "Good News! There are no package descrepancies" + when: rhel9cis_6_1_15_packages_rpm.stdout|length == 0 + when: + - rhel9cis_rule_6_1_15 + tags: + - level2-server + - level2-workstation + - manual + - audit + - permissions - rule_6.1.15 From 440f1dfcd470dd2fa43e8d7078552917f269a837 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 10:04:33 +0000 Subject: [PATCH 289/454] reorder and lint Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 451 +++++++++++++++++----------------- 1 file changed, 219 insertions(+), 232 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 235146e1..a280cab8 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -1,300 +1,311 @@ --- -- name: "6.2.1 | PATCH | Ensure password fields are not empty" - command: passwd -l {{ item }} +- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + block: + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover" + ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd + register: shadow_passwd + + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output" + ansible.builtin.debug: + msg: | + - "Warning!! Below are the accounts that do not have shadowed passwords set" + - "{{ shadow_passwd.stdout_line }}" + when: shadow_passwd.stdout | length > 0 + + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.1' + when: shadow_passwd.stdout | length >= 1 + + when: + - rhel9cis_rule_6_2_1 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - rule_6.2.1 + +- name: "6.2.2 | PATCH | Ensure password fields are not empty" + ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - - rhel9cis_rule_6_2_1 + - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - automated - patch - accounts - - rule_6.2.1 - + - rule_6.2.2 -- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" +- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" block: - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ 
gsub("[:\47]",""); print $2}' changed_when: false failed_when: false check_mode: false - register: rhel9cis_6_2_2_passwd_gid_check + register: rhel9cis_6_2_3_passwd_gid_check - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + ansible.builtin.debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length == 0 - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + ansible.builtin.debug: msg: "Warning!! 
The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.3' + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - - automated - audit - accounts - groups - rule_6.2.2 -- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" block: - - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" changed_when: false failed_when: false - register: rhel9cis_6_2_3_user_uid_check + register: rhel9cis_6_2_4_user_uid_check - - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + ansible.builtin.debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 - - - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning!! 
The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - - - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 + when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0 + + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + ansible.builtin.debug: + msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 + + - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.4' + when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 when: - - rhel9cis_rule_6_2_3 + - rhel9cis_rule_6_2_4 tags: - level1-server - level1-workstation - - automated - audit - accounts - users - - rule_6.2.3 + - rule_6.2.4 -- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist" +- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist" block: - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" changed_when: false failed_when: false - register: rhel9cis_6_2_4_user_user_check + register: rhel9cis_6_2_5_user_user_check - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + 
ansible.builtin.debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 + when: rhel9cis_6_2_5_user_user_check.stdout | length == 0 - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + ansible.builtin.debug: + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.5' + when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 when: - - rhel9cis_rule_6_2_4 + - rhel9cis_rule_6_2_5 tags: - level1-server - level1-workstation - - automated - audit - accounts - groups - - rule_6.2.4 + - rule_6.2.5 -- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist" +- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist" block: - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: false failed_when: false 
- register: rhel9cis_6_2_5_user_username_check - - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 + register: rhel9cis_6_2_6_user_username_check - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + ansible.builtin.debug: msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 + when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.6' + when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 when: - - rhel9cis_rule_6_2_5 + - rhel9cis_rule_6_2_6 tags: - level1-server - level1-workstation - - automated - audit - accounts - users - - rule_6.2.5 + - rule_6.2.6 -- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist" +- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist" block: - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' 
changed_when: false failed_when: false check_mode: false - register: rhel9cis_6_2_6_group_group_check - - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout is defined - - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined - - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined + register: rhel9cis_6_2_7_group_group_check + + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + ansible.builtin.debug: + msg: "Warning!! 
The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_7_group_group_check.stdout is not defined + + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.7' + when: rhel9cis_6_2_7_group_group_check.stdout is not defined when: - - rhel9cis_rule_6_2_6 + - rhel9cis_rule_6_2_7 tags: - level1-server - level1-workstation - - automated - audit - accounts - groups - - rule_6.2.6 + - rule_6.2.7 -- name: "6.2.7 | PATCH | Ensure root PATH Integrity" +- name: "6.2.8 | PATCH | Ensure root PATH Integrity" block: - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" - shell: 'echo $PATH | grep ::' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value" + ansible.builtin.shell: 'echo $PATH | grep ::' changed_when: false - failed_when: rhel9cis_6_2_7_path_colon.rc == 0 + failed_when: rhel9cis_6_2_8_path_colon.rc == 0 check_mode: false - register: rhel9cis_6_2_7_path_colon + register: rhel9cis_6_2_8_path_colon - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" - shell: 'echo $PATH | grep :$' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end" + ansible.builtin.shell: 'echo $PATH | grep :$' changed_when: false - failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 + failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0 check_mode: false - register: rhel9cis_6_2_7_path_colon_end + register: rhel9cis_6_2_8_path_colon_end - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path" + ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" changed_when: 
false - failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' + failed_when: '"." in rhel9cis_6_2_8_dot_in_path.stdout_lines' check_mode: false - register: rhel9cis_6_2_7_dot_in_path + register: rhel9cis_6_2_8_dot_in_path - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - debug: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + ansible.builtin.debug: msg: - - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}" - - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + - "Warning!!" + - "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}" + - "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}" + - "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" - - name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - file: > + - name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner" + ansible.builtin.file: > path='{{ item }}' follow=yes state=directory owner=root mode='o-w,g-w' - with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + with_items: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" when: - - rhel9cis_rule_6_2_7 + - rhel9cis_rule_6_2_8 tags: - level1-server - level1-workstation - - automated - patch - paths - - rule_6.2.7 + - rule_6.2.8 -- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account" - command: passwd -l {{ item }} +- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" + ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - rhel9cis_uid_zero_accounts_except_root.rc - - 
rhel9cis_rule_6_2_8 + - rhel9cis_rule_6_2_9 tags: - level1-server - level1-workstation - - automated - patch - accounts - users - - rule_6.2.8 + - rule_6.2.9 -- name: "6.2.9 | PATCH | Ensure all users' home directories exist" +- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" block: - - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" - stat: + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" + ansible.builtin.stat: path: "{{ item }}" - register: rhel_08_6_2_9_audit + register: rhel_08_6_2_10_audit with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0 - register: rhel_08_6_2_9_patch_audit + changed_when: rhel_08_6_2_10_patch_audit.stdout | length > 0 + register: rhel_08_6_2_10_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.9 | PATCH | Ensure all users' home directories exist" - file: + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_9_patch + register: rhel_08_6_2_10_patch when: - not ansible_check_mode - item.1.exists with_together: - 
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.9 | PATCH | Ensure all users' home directories exist" - acl: + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present @@ -304,7 +315,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_10_patch_audit, rhel_08_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -312,18 +323,16 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_9 + - rhel9cis_rule_6_2_10 tags: - level1-server - level1-workstation - - automated - patch - users - - rule_6.2.9 - + - rule_6.2.10 -- name: "6.2.10 | PATCH | Ensure users own their home directories" - file: +- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories" + ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory 
@@ -334,56 +343,54 @@ - item.uid >= min_int_uid | int - item.id != 'nobody' - (item.id != 'tss' and item.dir != '/dev/null') - - rhel9cis_rule_6_2_10 + - rhel9cis_rule_6_2_11 tags: - - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation - - automated - patch - users - rule_6.2.10 -- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: - - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - stat: + - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_08_6_2_11_audit + register: rhel_08_6_2_12_audit - - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0 - register: rhel_08_6_2_11_patch_audit + changed_when: rhel_08_6_2_12_patch_audit.stdout | length > 0 + register: rhel_08_6_2_12_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.11 | PATCH | Ensure users' home 
directories permissions are 750 or more restrictive" - file: + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_11_patch + register: rhel_08_6_2_12_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - acl: + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present 
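Review bot: The 6.2.11 task's tag list still ends in `rule_6.2.10` (an unchanged line after `- users`) although its `when:` was changed to `rhel9cis_rule_6_2_11`, so `--tags rule_6.2.11` never selects it and `--tags rule_6.2.10` runs two controls; change it to `- rule_6.2.11`. The 6.2.12 block is the same stat/find/file/acl sequence as the 6.2.10 block earlier in the file, and nothing in either block creates a missing home directory or warns when `item.1.exists` is false, so the control renamed "local interactive user home directories exist" appears to be implemented only as the permissions fix; a debug plus `warning_facts.yml` task on the non-existent entries would make the rename truthful. The inner sub-task name `6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive` was also left at the old wording.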
@@ -393,75 +400,41 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_12_patch_audit, rhel_08_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group mode: rx - etype: other mode: '0' - when: - - rhel9cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - users - - permissions - - rule_6.2.11 - -- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable" - block: - - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w - changed_when: false - failed_when: false - register: rhel9cis_6_2_12_audit - - - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" - when: - - rhel9cis_6_2_12_audit.stdout is not defined - - - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - file: - path: '{{ item }}' - mode: go-w - with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}" - when: - - rhel9cis_6_2_12_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_12 tags: - level1-server - level1-workstation - - automated - patch - users - permissions - rule_6.2.12 -- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" - command: /bin/true - changed_when: false - failed_when: false +- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files" + ansible.builtin.file: + path: "~{{ item }}/.netrc" + state: absent + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: - level1-server - level1-workstation - - automated - patch - users - permissions - - notimplemented - rule_6.2.13 -- name: "6.2.14 | PATCH | Ensure no users have .forward files" - file: +- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files" + ansible.builtin.file: path: "~{{ item }}/.forward" state: absent with_items: @@ -471,15 +444,14 @@ tags: - level1-server - level1-workstation - - automated - patch - users - files - rule_6.2.14 -- name: "6.2.15 | PATCH | Ensure no users have .netrc files" - file: - path: "~{{ item }}/.netrc" +- name: "6.2.15 | PATCH | Ensure no users have .rhosts files" + ansible.builtin.file: + path: "~{{ item }}/.rhosts" state: absent with_items: - "{{ users.stdout_lines }}" 
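Review bot: 6.2.13 now silently deletes `~{{ item }}/.netrc` for every entry in `users.stdout_lines` (a variable defined outside this hunk) with no audit step, no record of what was removed and no opt-out, whereas the dot-file fix in 6.2.16 is gated on `rhel9cis_dotperm_ansiblemanaged`. Because `.netrc` files hold plaintext credentials, consider registering the `file` task and importing `warning_facts.yml` with `warn_control_id: '6.2.13'` when any `results` entry reports `changed`, so operators know which accounts had one and can rotate those credentials. The tag `- permissions` carried over from the old stub no longer describes a task that removes files.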
@@ -488,24 +460,39 @@ tags: - level1-server - level1-workstation - - automated - patch - users - files - rule_6.2.15 -- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" - file: - path: "~{{ item }}/.rhosts" - state: absent - with_items: "{{ users.stdout_lines }}" +- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" + block: + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" + ansible.builtin.shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: false + register: rhel9cis_6_2_16_audit + + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Alert on files found" + ansible.builtin.debug: + msg: "Good news! We have not found any group or world-writable dot files on your sytem" + when: + - rhel9cis_6_2_16_audit.stdout is not defined + + - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | Changes files if configured" + ansible.builtin.file: + path: '{{ item }}' + mode: go-w + with_items: "{{ rhel9cis_6_2_16_audit.stdout_lines }}" + when: + - rhel9cis_6_2_16_audit.stdout is defined + - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_16 tags: - level1-server - level1-workstation - - automated - patch - users - - files + - permissions - rule_6.2.16 From 3ead0d63ac5e893429c2e5d6822b128785a5b9af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 11:05:25 +0000 Subject: [PATCH 290/454] warn control count updates 
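Review bot: The "Good news" task in 6.2.16 is gated on `rhel9cis_6_2_16_audit.stdout is not defined`, which is never true for a registered shell result, so it never prints; the `file` task's `stdout is defined` guard is always true (harmless only because the loop is then empty). Use `rhel9cis_6_2_16_audit.stdout | length == 0` for the message and `| length > 0` for the fix. When `rhel9cis_dotperm_ansiblemanaged` is false the findings are neither displayed nor counted, unlike the other 6.2.x audit tasks in this commit; a debug task plus an `import_tasks: warning_facts.yml` with `warn_control_id: '6.2.16'` gated on `rhel9cis_6_2_16_audit.stdout | length > 0` would close that gap. `find /home/ -maxdepth 2` also only covers homes under /home, whereas 6.2.10 and 6.2.12 iterate the passwd-derived home list, so interactive users with homes elsewhere are not checked.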
Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- tasks/post.yml | 7 ++-- tasks/section_1/cis_1.1.2.x.yml | 21 +++------- tasks/section_1/cis_1.1.3.x.yml | 21 ++-------- tasks/section_1/cis_1.1.4.x.yml | 21 ++-------- tasks/section_1/cis_1.1.5.x.yml | 20 ++------- tasks/section_1/cis_1.1.6.x.yml | 22 +++------- tasks/section_1/cis_1.1.7.x.yml | 20 ++------- tasks/section_1/cis_1.1.8.x.yml | 20 ++------- tasks/section_1/cis_1.2.x.yml | 6 +-- tasks/section_1/cis_1.6.1.x.yml | 11 ++--- tasks/section_2/cis_2.4.yml | 6 +-- tasks/section_3/cis_3.4.2.x.yml | 6 +-- tasks/section_4/cis_4.1.4.x.yml | 3 -- tasks/section_4/cis_4.2.2.x.yml | 6 +-- tasks/section_5/cis_5.2.x.yml | 48 +++++++++++----------- tasks/section_5/cis_5.6.1.x.yml | 11 ++--- tasks/section_6/cis_6.1.x.yml | 72 ++++++++++++++++++--------------- tasks/section_6/cis_6.2.x.yml | 14 +------ tasks/warning_facts.yml | 20 +++++++++ 20 files changed, 137 insertions(+), 220 deletions(-) create mode 100644 tasks/warning_facts.yml diff --git a/tasks/main.yml b/tasks/main.yml index d6b026a6..d1918d20 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -203,7 +203,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: - always diff --git a/tasks/post.yml b/tasks/post.yml index 3b5c3f2b..0d1260d1 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
@@ -51,13 +51,12 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'Reboot_required' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - change_requires_reboot - skip_reboot - + vars: + warn_control_id: Reboot_required tags: - grub - level1-server diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index aa67b5c8..118f93bc 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,26 +4,15 @@ block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! /tmp is not mounted on a separate partition" - when: - - required_mount not in mount_names + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.2.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | warning" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.2.1' required_mount: '/tmp' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_2_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 3780e2fb..afe1b8ce 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
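Review bot: In the 1.1.2.1 block both tasks are still labelled `PATCH` although the block now only prints a warning and imports `warning_facts.yml`; the sibling controls 1.1.3.1 onward use `AUDIT`, so `- name: "1.1.2.1 | AUDIT | Ensure /tmp is a separate partition | Absent"` and `... | warning"` keep tag-based filtering and the summary output consistent. The block relies on `required_mount` from the block-level `vars:` inside its own `when:`, which is unchanged behaviour, but it is worth a one-line comment since `mount_names` is defined outside this file.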
@@ -5,27 +5,14 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | warning" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.3.1' required_mount: '/var' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_3_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 742a5d71..4a1deb0f 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml 
@@ -6,27 +6,14 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_tmp_mount_present - when: - - required_mount in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.4.1' required_mount: '/var/tmp' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_4_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 0fa245bd..ccaeb5c4 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
@@ -5,27 +5,15 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_log_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.5.1' required_mount: '/var/log' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_5_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index a496f438..41918994 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -5,27 +5,15 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_log_audit_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: - required_mount: '/var/log/audit' + warn_control_id: '1.1.6.1' + required_mount: '/var/log/audit' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_6_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index dc9ea6a0..60192d7b 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -5,27 +5,15 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.7.1' vars: required_mount: '/home' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_7_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index fdaef150..7703ed41 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -6,27 +6,15 @@ - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.8.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.8.1' required_mount: '/dev/shm' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_8_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 093e900f..dcc8e5c0 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -81,9 +81,9 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + ['rule_1.2.3']" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.2.3' when: - rhel9cis_rule_1_2_3 tags: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index bfb9c915..c954f664 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml 
@@ -91,21 +91,16 @@ failed_when: false changed_when: false - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" - ansible.builtin.debug: - msg: "Good News! There are no services found on your system" - when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 + vars: + warn_control_id: '1.6.1.6' when: - rhel9cis_rule_1_6_1_6 tags: diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index a59184bb..ce02b408 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -25,9 +25,9 @@ - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + ['rule_2.4']" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '2.4' when: - rhel9cis_rule_2_4 tags: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index bbd1ad0d..60e769ac 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
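Review bot: The warning path still reads `rhelcis_1_6_1_5_unconf_services.stdout_lines` in the debug message while every `when` on the new side tests `rhelcis_1_6_1_6_unconf_services`; if no `_1_6_1_5_` register exists in this file (none is visible in the hunk), the message task fails on an undefined variable exactly when unconfined services are found, which is the case the new warning count is meant to record. The commit corrects the control id in `warn_control_id` but leaves this reference; I would change it to `msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"`. The enclosing block starts before the hunk.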
@@ -47,9 +47,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable @@ -58,6 +56,8 @@ ansible.builtin.command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: false when: rhel9cis_nft_tables_autonewtable + vars: + warn_control_id: '3.4.2.2' when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index e79b5069..ca69e3dd 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -122,9 +122,6 @@ - /sbin/auditd - /sbin/augenrules - - debug: - msg: "{{ audit_bins }}" - - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 474026cc..0c537951 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -89,10 +89,10 @@ when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + vars: + warn_control_id: '4.2.2.2' when: - rhel9cis_rule_4_2_2_2 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index a599a4b7..9dc785ea 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
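Review bot: In the second 3.4.2.2 hunk the added `vars: warn_control_id: '3.4.2.2'` sits after the `nft create table` task's `when:` rather than next to the import task in the first hunk; with indentation lost in this rendering I cannot tell whether it lands at block level (visible to the import) or on that last task only, in which case `warning_facts.yml` fails on an undefined `warn_control_id` precisely when no tables exist. The same placement is used for 5.6.1.5 in cis_5.6.1.x.yml, where `vars:` is added after the autofix task's `with_items`. The unambiguous form, used elsewhere in this commit, is `vars:` directly on the import task: `ansible.builtin.import_tasks: warning_facts.yml` / `vars:` / `warn_control_id: '3.4.2.2'`. Both enclosing blocks start before their hunks.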
@@ -79,37 +79,37 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited" block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^AllowUsers" - line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^AllowGroups" - line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^DenyUsers" - line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^DenyGroups" - line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denygroups']|default('') | length > 0" 
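Review bot: None of the four 5.2.4 tasks removes its directive when the corresponding `rhel9cis_sshd` entry is later emptied: the `when:` skips the task, so an `AllowUsers`/`DenyUsers` line written by an earlier run stays in `sshd_config` and the previous access policy silently persists. If the variables are meant to be authoritative, pair each task with a removal gated on the empty case, e.g. `ansible.builtin.lineinfile: path: /etc/ssh/sshd_config` / `regexp: "^AllowUsers"` / `state: absent`. The `validate: sshd -t -f %s` guard on the new lines is the right safeguard and belongs on any such task as well.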
@@ -123,7 +123,7 @@ - rule_5.2.4 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' @@ -138,7 +138,7 @@ - rule_5.2.5 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' @@ -153,7 +153,7 @@ - rule_5.2.6 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' @@ -168,7 +168,7 @@ - rule_5.2.7 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' @@ -183,7 +183,7 @@ - rule_5.2.8 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' @@ -198,7 +198,7 @@ - rule_5.2.9 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' @@ -213,7 +213,7 @@ - rule_5.2.10 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' 
@@ -228,7 +228,7 @@ - rule_5.2.11 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' @@ -243,7 +243,7 @@ - rule_5.2.12 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' @@ -279,7 +279,7 @@ - rule_5.2.14 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' @@ -293,7 +293,7 @@ - rule_5.2.15 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' @@ -308,7 +308,7 @@ - rule_5.2.16 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' @@ -323,7 +323,7 @@ - rule_5.2.17 - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' @@ -338,7 +338,7 @@ - rule_5.2.18 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" 
@@ -355,14 +355,14 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index df3478f0..5b4704c7 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -90,11 +90,6 @@ check_mode: false register: rhel9cis_5_6_1_5_user_list - - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - ansible.builtin.debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 - - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" 
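Review bot: Neither `lineinfile` task in 5.2.20 notifies the sshd handler after editing `/etc/ssh/sshd_config`, unlike the 5.2.4 tasks earlier in this file which carry `notify: restart sshd`; the second task's tail is cut off by the hunk, but the first visibly ends at `validate: sshd -t -f %s`, so a changed `ClientAliveInterval` is validated but not applied until something else restarts sshd. Add `notify: restart sshd` after the `validate:` line of each task, spelled exactly as the handler is named in handlers/main.yml. The enclosing block starts before the hunk.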
@@ -103,9 +98,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix @@ -117,6 +110,8 @@ - rhel9cis_futurepwchgdate_autofix with_items: - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + vars: + warn_control_id: '5.6.1.5' when: - rhel9cis_rule_5_6_1_5 tags: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1457f6e5..e2985f8d 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -128,12 +128,6 @@ changed_when: false register: rhel_08_6_1_9_perms_results - - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - ansible.builtin.debug: - msg: "Good news! We have not found any world-writable files on your system" - when: - - rhel_08_6_1_9_perms_results.stdout is not defined - - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' 
@@ -169,11 +163,20 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 + + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.10' + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 + when: - rhel9cis_rule_6_1_10 tags: @@ -199,11 +202,19 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 + + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.11' + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 when: - rhel9cis_rule_6_1_11 tags: 
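Review bot: The new warning task for 6.1.10 tests `item.stdout_lines is defined` but has no loop of its own, so `item` is not defined at that point; the condition is either always false or an undefined-variable error, and either way the warning is never recorded even when the debug task just above has printed unowned files. Derive the condition from the registered result instead, e.g. `- rhel_08_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten | length > 0`. The 6.1.11 hunk in the same file has the same problem with `rhel_08_6_1_11_audit`. Both enclosing blocks start before their hunks.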
@@ -239,20 +250,19 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SUID executable files on your system" - failed_when: false - changed_when: false - when: - - rhel_08_6_1_13_perms_results.stdout is not defined - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" when: - rhel_08_6_1_13_perms_results.stdout is defined + + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.13' + when: + - rhel_08_6_1_13_perms_results.stdout is defined when: - rhel9cis_rule_6_1_13 tags: 
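Review bot: The rewritten message on the new side still reads `item.stout_lines` (typo for `stdout_lines`), and the loop is `with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}"`, whose items are plain strings, so `item.item.mount` cannot resolve either — as far as I can tell from the hunk this task errors or prints nothing useful whenever SUID files are found. The new warning task's condition `rhel_08_6_1_13_perms_results.stdout is defined` is true whenever the preceding command registered, even with empty output, so the warning is counted on every run; gate it on content, `- rhel_08_6_1_13_perms_results.stdout | length > 0`, and use the same condition on the message task. The 6.1.14 hunk in cis_6.1.x.yml carries the identical typo and condition. The register step is outside the hunk, so I cannot confirm the shape of the result.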
@@ -274,20 +284,19 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SGID executable files on your system" - failed_when: false - changed_when: false - when: - - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - rhel_08_6_1_14_perms_results.stdout is defined + + - name: "6.1.14 | AUDIT | Audit SGID executables| warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.14' + when: + - rhel_08_6_1_14_perms_results.stdout is defined when: - rhel9cis_rule_6_1_14 tags: @@ -323,15 +332,12 @@ The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.15' + when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + - - name: "6.1.15 | AUDIT | Audit system file permissions | Message out no package descrepancies" - ansible.builtin.debug: - msg: "Good News! There are no package descrepancies" - when: rhel9cis_6_1_15_packages_rpm.stdout|length == 0 when: - rhel9cis_rule_6_1_15 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index a280cab8..30fe5fed 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -86,11 +86,6 @@ failed_when: false register: rhel9cis_6_2_4_user_uid_check - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - ansible.builtin.debug: - msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0 - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" ansible.builtin.debug: msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" @@ -98,9 +93,9 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: '6.2.4' when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 + vars: + warn_control_id: '6.2.4' when: - rhel9cis_rule_6_2_4 tags: @@ -119,11 +114,6 @@ failed_when: false register: rhel9cis_6_2_5_user_user_check - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - ansible.builtin.debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_5_user_user_check.stdout | length == 0 - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" ansible.builtin.debug: msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml new file mode 100644 index 00000000..37560bd9 --- /dev/null +++ b/tasks/warning_facts.yml 
@@ -0,0 +1,20 @@ +--- + +# This task is used to create variables used in giving a warning summary for manual tasks +# that need attention +# +# The warn_control_list and warn_count vars start life in vars/main.yml but get updated +# as the tasks that have a warning complete +# +# Those two variables are used in the tasks/main.yml to display a list of warnings +# +# warn_control_id is set within the task itself and has the control ID as the value +# +# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s +# +# warn_count the main variable for the number of warnings and each time a warn_control_id is added +# the count increases by a value of 1 +- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning." + ansible.builtin.set_fact: + warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" + warn_count: "{{ warn_count | int + 1 }}" From acf0104f7afe46ee10ce472a4689551e6e25e1eb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 12:10:18 +0000 Subject: [PATCH 291/454] lint updates 
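Review bot: `warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"` renders a string (`[1.1.3.1] [1.1.4.1] ...`), not the list the header comment promises, so any consumer in tasks/main.yml that counts or loops over it sees characters rather than control ids. If vars/main.yml initialises `warn_control_list` as a list (not visible here), `warn_control_list: "{{ warn_control_list + [warn_control_id] }}"` keeps it a real list and matches the documented contract. The task hard-fails on an undefined variable when an importing site omits `warn_control_id`; that is the right behaviour, but state it in the header, e.g. `# warn_control_id is required; the import site must set it in vars:`.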
Signed-off-by: Mark Bolwell --- handlers/main.yml | 93 +++++++++++++----------------- site.yml | 1 + tasks/LE_audit_setup.yml | 10 ++-- tasks/auditd.yml | 12 ++-- tasks/check_prereqs.yml | 2 +- tasks/main.yml | 60 +++++++++---------- tasks/parse_etc_password.yml | 4 +- tasks/post.yml | 24 ++++---- tasks/post_remediation_audit.yml | 14 ++--- tasks/pre_remediation_audit.yml | 28 ++++----- tasks/prelim.yml | 42 +++++++------- tasks/section_1/cis_1.1.2.x.yml | 4 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 6 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.10.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 6 +- tasks/section_1/cis_1.9.yml | 2 +- tasks/section_2/cis_2.2.x.yml | 4 +- tasks/section_3/cis_3.1.x.yml | 6 +- tasks/section_4/cis_4.1.2.x.yml | 8 +-- tasks/section_4/cis_4.1.4.x.yml | 6 +- tasks/section_4/cis_4.2.1.x.yml | 26 ++++----- tasks/section_4/cis_4.2.2.x.yml | 12 ++-- tasks/section_5/cis_5.2.x.yml | 10 ++-- tasks/section_5/cis_5.6.1.x.yml | 10 ++-- tasks/section_6/cis_6.1.x.yml | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- vars/main.yml | 2 +- 34 files changed, 199 insertions(+), 213 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 6b47f85b..404d74bb 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,14 +1,13 @@ --- # handlers file for RHEL9-CIS -- name: reload sysctl - shell: sysctl --system +- name: Reload sysctl + ansible.builtin.shell: sysctl --system when: - sysctl_updated.changed -- name: sysctl flush ipv4 route table - become: true - sysctl: +- name: Sysctl flush ipv4 route table + ansible.posix.sysctl: name: net.ipv4.route.flush value: '1' sysctl_set: true 
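Review bot: `ansible.builtin.shell: sysctl --system` in the rewritten `Reload sysctl` handler uses no shell features, and ansible-lint's `command-instead-of-shell` rule will flag it in a commit titled "lint updates"; `ansible.builtin.command: sysctl --system` is equivalent here. The same applies to the `dconf update` and `grub2-mkconfig` handlers in the next hunk of this file.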
@@ -16,12 +15,9 @@ when: - flush_ipv4_route - not system_is_container - tags: - - skip_ansible_lint -- name: sysctl flush ipv6 route table - become: true - sysctl: +- name: Sysctl flush ipv6 route table + ansible.posix.sysctl: name: net.ipv6.route.flush value: '1' sysctl_set: true 
@@ -29,92 +25,81 @@ - flush_ipv6_route - not system_is_container -- name: systemd restart tmp.mount - become: true - systemd: +- name: Systemd restart tmp.mount + ansible.builtin.systemd: name: tmp.mount - daemon_reload: true - enabled: true - masked: false - state: reloaded - -- name: systemd restart var-tmp.mount - become: true - systemd: - name: var-tmp.mount - daemon_reload: true + daemon_Reload: true enabled: true masked: false - state: reloaded + state: Reloaded -- name: remount tmp - ansible.posix.mount: - path: /tmp - state: remounted +- name: Remount tmp + ansible.posix.mount: + path: /tmp + state: remounted -- name: restart firewalld - service: +- name: Restart firewalld + ansible.builtin.systemd: name: firewalld state: restarted -- name: restart sshd - service: +- name: Restart sshd + ansible.builtin.systemd: name: sshd state: restarted -- name: restart postfix - service: +- name: Restart postfix + ansible.builtin.systemd: name: postfix state: restarted -- name: reload dconf - shell: dconf update +- name: Reload dconf + ansible.builtin.shell: dconf update - name: grub2cfg - shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" + ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint -- name: restart rsyslog - become: true - service: +- name: Restart rsyslog + ansible.builtin.systemd: name: rsyslog state: restarted -- name: restart journald - service: +- name: Restart journald + ansible.builtin.systemd: name: systemd-journald state: restarted -- name: restart systemd_journal_upload - service: +- name: Restart systemd_journal_upload + ansible.builtin.systemd: name: systemd-journal-upload state: restarted -- name: systemd_daemon_reload - systemd: +- name: Systemd_daemon_Reload + ansible.builtin.systemd: daemon-reload: true ## Auditd tasks note order for handlers to run -- name: auditd_immutable_check - shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules +- name: 
Auditd_immutable_check + ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: auditd_immutable_check -- name: audit_immutable_fact - debug: +- name: Audit_immutable_fact + ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: change_requires_reboot when: - auditd_immutable_check.stdout == '1' -- name: restart auditd - shell: service auditd restart +- name: Restart auditd + ansible.builtin.shell: service auditd restart tags: - skip_ansible_lint -- name: change_requires_reboot - set_fact: +- name: Change_requires_reboot + ansible.builtin.set_fact: change_requires_reboot: true diff --git a/site.yml b/site.yml index 4446d3ed..148ca0b7 100644 --- a/site.yml +++ b/site.yml @@ -1,4 +1,5 @@ --- + - hosts: all become: true roles: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 98f38552..bc929aea 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ goss_url }}" dest: "{{ audit_bin }}" owner: root @@ -11,8 +11,8 @@ when: - get_goss_file == 'download' -- name: copy audit binary - copy: +- name: Copy audit binary + ansible.builtin.copy: src: dest: "{{ audit_bin }}" mode: 0555 @@ -21,8 +21,8 @@ when: - get_goss_file == 'copy' -- name: install git if not present - package: +- name: Install git if not present + ansible.builtin.package: name: git state: present register: git_installed diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 74830ca5..a36a744b 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,7 +1,7 @@ --- - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added - template: + ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root 
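Review bot: `daemon_Reload: true` and `state: Reloaded` in the rewritten `Systemd restart tmp.mount` handler look like a case-insensitive search/replace of "reload"; `ansible.builtin.systemd` has no `daemon_Reload` option and `Reloaded` is not a valid `state`, so this handler fails the first time it is notified. Restore `daemon_reload: true` and `state: reloaded`. Every handler here is also renamed to a capitalised form, and handler lookup via `notify:` is case-sensitive, so each `notify: restart sshd` / `restart rsyslog` / `systemd_daemon_reload` elsewhere in the role must be updated in the same commit or the play errors with a missing handler; the diffstat touches cis_5.2.x.yml but I cannot see whether every notify site was covered. The `systemd restart var-tmp.mount` handler is removed outright, so any remaining `notify:` of it fails the same way.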
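Review bot: `mode: 0555` on the context line of `Copy audit binary` (and `mode: 0600` in the two auditd.yml template tasks) is an unquoted octal literal; a YAML 1.1 loader reads it as the integer 365, which Ansible happens to apply as 0o555, but ansible-lint's `risky-octal` rule flags exactly this and a future edit to e.g. `755` would silently become decimal 755. Since this commit is the lint pass, quote them: `mode: '0555'`. The `src:` of that task is also empty on the context line; presumably it is supplied elsewhere, but a null `src` fails at runtime.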
@@ -9,18 +9,18 @@ mode: 0600 register: audit_rules_updated notify: - - auditd_immutable_check - - audit_immutable_fact - - restart auditd + - Auditd_immutable_check + - Audit_immutable_fact + - Restart auditd - name: POST | Set up auditd user logging exceptions - template: + ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root mode: 0600 - notify: restart auditd + notify: Restart auditd when: - allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index abe6248e..dcfee571 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,7 +1,7 @@ --- - name: "PREREQ | If required install libselinux package to manage file changes." - package: + ansible.builtin.package: name: libselinux-python3 state: present when: diff --git a/tasks/main.yml b/tasks/main.yml index d1918d20..8229390d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,7 +2,7 @@ # tasks file for RHEL9-CIS - name: Check OS version and family - assert: + ansible.builtin.assert: that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" @@ -13,7 +13,7 @@ - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" 
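Review bot: The package name `libselinux-python3` on the context line of the PREREQ task is, as far as I know, the EL7-era name; on RHEL/Rocky 9 the binding is shipped as `python3-libselinux`, so this task would fail with a "no package available" error whenever its `when:` (cut off by the hunk) is true. Worth confirming against a RHEL 9 repository and changing to `name: python3-libselinux`; the commit only converts the module to its FQCN and does not touch this.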
@@ -23,14 +23,14 @@ - name: "Check password set for {{ ansible_user }}" block: - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: + ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_user }}" @@ -45,15 +45,15 @@ - name: Setup rules if container block: - name: Discover and set container variable if required - set_fact: + ansible.builtin.set_fact: system_is_container: true - name: Load variable for container - include_vars: + ansible.builtin.include_vars: file: "{{ container_vars_file }}" - - name: output if discovered is a container - debug: + - name: Output if discovered is a container + ansible.builtin.debug: msg: system has been discovered as a container when: - system_is_container @@ -65,13 +65,13 @@ - always - name: Check crypto-policy input - assert: + ansible.builtin.assert: that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" - name: Check rhel9cis_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: 
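Review bot: The "Capture current password state" task in tasks/main.yml registers the second field of /etc/shadow, i.e. the password hash of `{{ ansible_user }}`, without `no_log: true`, so the hash ends up in verbose output, callback logs and controller job records. The unanchored `grep {{ ansible_user }}` also matches any line containing the name as a substring (`bob` matches `bobby`), yielding several fields and a wrong assertion. Use an exact lookup and mask the result: `ansible.builtin.shell: "getent shadow {{ ansible_user }} | awk -F: '{print $2}'"` plus `no_log: true`. The assert's `success_msg` reads "You a password set"; it should be "You have a password set".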
@@ -80,10 +80,10 @@ tags: - always -- name: "check sugroup exists if used" +- name: Check sugroup exists if used block: - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 @@ -91,7 +91,7 @@ - skip_ansible_lint - name: Check sugroup if defined exists before continuing - assert: + ansible.builtin.assert: that: sugroup_exists.rc == 0 msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: @@ -101,35 +101,35 @@ - rule_5.7 - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include OS specific variables - include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" tags: - always - name: Include preliminary steps - import_tasks: prelim.yml + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit - include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: pre_remediation_audit.yml when: - run_audit - name: Gather the package facts after prelim - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: capture /etc/password variables - include_tasks: parse_etc_password.yml + ansible.builtin.include_tasks: parse_etc_password.yml when: - rhel9cis_section6 tags: 
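Review bot: `grep -w "{{ rhel9cis_sugroup }}" /etc/group` in the sugroup check matches the word anywhere on a line, so a member named like the group or a hyphenated sibling such as `wheel-admins` satisfies it and the assert that follows passes for a group that does not exist. Anchor the match to the group-name field while keeping the rc semantics that `failed_when: sugroup_exists.rc >= 2` relies on: `ansible.builtin.shell: grep -E "^{{ rhel9cis_sugroup }}:" /etc/group`. The block's tags and `when:` continue past the hunk.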
@@ -142,67 +142,67 @@ - rhel9cis_section6 - name: run Section 1 tasks - import_tasks: section_1/main.yml + ansible.builtin.import_tasks: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks - import_tasks: section_2/main.yml + ansible.builtin.import_tasks: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks - import_tasks: section_3/main.yml + ansible.builtin.import_tasks: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks - import_tasks: section_4/main.yml + ansible.builtin.import_tasks: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks - import_tasks: section_5/main.yml + ansible.builtin.import_tasks: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks - import_tasks: section_6/main.yml + ansible.builtin.import_tasks: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic - import_tasks: auditd.yml + ansible.builtin.import_tasks: auditd.yml when: - update_audit_template tags: - always - name: run post remediation tasks - import_tasks: post.yml + ansible.builtin.import_tasks: post.yml tags: - post_tasks - always - name: run post_remediation audit - import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit - name: If Warnings found Output count and control IDs affected - debug: + ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 6a9ef7b9..76cb0850 100644 --- a/tasks/parse_etc_password.yml 
+++ b/tasks/parse_etc_password.yml @@ -3,13 +3,13 @@ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - shell: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel9cis_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" vars: diff --git a/tasks/post.yml b/tasks/post.yml index 0d1260d1..7f8b1fbe 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -2,25 +2,25 @@ # Post tasks - name: Perform DNF package cleanup - dnf: + ansible.builtin.package: autoremove: true changed_when: false - name: Gather the package facts after remediation - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always -- name: update sysctl - template: +- name: Update sysctl + ansible.builtin.template: src: "etc/sysctl.d/{{ item }}.j2" dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 register: sysctl_updated - notify: reload sysctl + notify: Reload sysctl with_items: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf 
@@ -31,29 +31,29 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" -- name: flush handlers - meta: flush_handlers +- name: Flush handlers + ansible.builtin.meta: flush_handlers - name: POST | reboot system if changes require it and not skipped block: - name: POST | Reboot system if changes require it and not skipped - reboot: + ansible.builtin.reboot: when: - - change_requires_reboot + - Change_requires_reboot - not skip_reboot - name: POST | Warning a reboot required but skip option set - debug: + ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - change_requires_reboot + - Change_requires_reboot - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: warning_facts.yml when: - - change_requires_reboot + - Change_requires_reboot - skip_reboot vars: warn_control_id: Reboot_required diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 599e1044..0eb7608a 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,13 +1,13 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file 
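Review bot: The three `when:` conditions in tasks/post.yml now test `Change_requires_reboot`, but the fact the handler sets (visible in the handlers hunk at the top of this patch) is `change_requires_reboot: true`; handler names were capitalised, variable names were not. Ansible variable names are case-sensitive, so `Change_requires_reboot` is undefined: every run that reaches post.yml either fails on the conditional or, where undefined variables are tolerated, never reboots and never records the warning, silently leaving immutable auditd rules, crypto-policy and mount changes unapplied. Revert the variable in all three places to `- change_requires_reboot`.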
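Review bot: "Post Audit | ensure audit files readable by users" sets `mode: 0644` on the audit output, which enumerates the hardening controls this host fails, a ready-made reconnaissance list for any local account; the item list is outside the hunk, but the task name makes the world-readable intent explicit. Prefer `mode: 0640` with a dedicated group, or leave the files root-only and fetch the report to the controller. Separately, `-g {{ group_names }}` interpolates a Python list repr into a shell line; if `run_audit.sh` does not expect the bracketed, quoted form, pass `{{ group_names | join(',') }}` instead.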
@@ -17,13 +17,13 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" - shell: "cat {{ post_audit_outfile }}" + - name: "Capture data {{ post_audit_outfile }}" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -33,12 +33,12 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }}" - shell: "tail -2 {{ post_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Post Audit | Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 94e9bcfa..96f16fe8 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,20 +1,20 @@ --- - name: Pre Audit | Setup the audit - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - file: + ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit | retrieve audit content files from git - git: + ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" @@ -22,7 +22,7 @@ - audit_content == 'git' - name: Pre Audit | copy to audit content files to server - copy: + ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 
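Review bot: The git task checks out `{{ audit_file_git }}` at `{{ audit_git_version }}` into `{{ audit_conf_dir }}`, and `run_audit.sh` from that checkout is then executed as root by the pre- and post-remediation audit tasks in this patch. Unless the default for `audit_git_version` is a tag or commit SHA (not visible here), a branch name means the role runs whatever the remote branch currently holds, on every host. Pin the default to an immutable ref, document that expectation on the variable, and consider `force: false` plus a `depth: 1` clone so a compromised remote cannot overwrite a local, reviewed checkout silently.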
@@ -30,7 +30,7 @@ - audit_content == 'copy' - name: Pre Audit | get audit content from url - get_url: + ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" owner: root @@ -42,12 +42,12 @@ - name: Pre Audit | Check Goss is available block: - name: Pre Audit | Check for goss file - stat: + ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - name: Pre Audit | Alert if goss not available - assert: + ansible.builtin.assert: that: goss_available.stat.exists fail_msg: "Audit binary file {{ audit_bin }} does not exist" success_msg: "Audit binary file {{ audit_bin }} exists" @@ -55,14 +55,14 @@ - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel9_efi_boot tags: - goss_template - name: Pre Audit | Copy ansible default vars values to test audit - template: + ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 @@ -72,7 +72,7 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation @@ -80,12 +80,12 @@ - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - shell: "cat {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' 
@@ -95,12 +95,12 @@ - name: Pre Audit | Capture audit data if documentation format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - shell: "tail -2 {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d133108f..eaae1a3e 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,7 +3,7 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" - shell: "awk -F: '{print $1}' /etc/passwd" + ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false check_mode: false register: users @@ -13,7 +13,7 @@ - users - name: "PRELIM | Gather accounts with empty password fields" - shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false check_mode: false register: empty_password_accounts @@ -23,7 +23,7 @@ - passwords - name: "PRELIM | Gather UID 0 accounts other than root" - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false register: rhel9cis_uid_zero_accounts_except_root 
@@ -36,14 +36,14 @@ - name: "PRELIM | Setup crypto-policy" block: - name: "PRELIM | Install crypto-policies" - dnf: + ansible.builtin.package: name: - crypto-policies - crypto-policies-scripts state: present - name: "PRELIM | Gather system-wide crypto-policy" - shell: update-crypto-policies --show + ansible.builtin.shell: update-crypto-policies --show changed_when: false check_mode: false register: system_wide_crypto_policy @@ -56,7 +56,7 @@ - crypto - name: "PRELIM | if systemd coredump" - stat: + ansible.builtin.stat: path: /etc/systemd/coredump.conf register: systemd_coredump when: @@ -68,14 +68,14 @@ - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" - set_fact: + ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" tags: - level1-server - level1-workstation - name: "PRELIM | Ensure python3-libselinux is installed" - package: + ansible.builtin.package: name: python3-libselinux state: present when: @@ -84,23 +84,23 @@ - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel_09_efi_boot - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - set_fact: + ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg when: not rhel_09_efi_boot.stat.exists - name: "PRELIM | set grub fact | UEFI" - set_fact: + ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - package: + ansible.builtin.package: name: audit state: present become: true @@ -135,7 +135,7 @@ - rule_4.1.4.7 - name: "PRELIM | Section 5.1 | Configure cron" - package: + ansible.builtin.package: name: cronie state: present become: true @@ -149,7 +149,7 @@ - cron - name: "PRELIM | Install authconfig" - package: + ansible.builtin.package: name: authconfig state: present become: true 
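Review bot: "PRELIM | Install authconfig" installs the `authconfig` package, which as far as I know RHEL 9 no longer ships (authselect replaced it; the RHEL 8 package was already a compatibility shim), so on a real RHEL 9 host this task fails with a package-not-found error whenever its `when:` (outside the hunk) is true. Either drop the task or change it to `name: authselect`, and check whether any section 5 task still invokes the `authconfig` binary.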
@@ -170,7 +170,7 @@ - auditd - name: "PRELIM | 5.3.4 | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false @@ -183,7 +183,7 @@ - rule_5.3.5 - name: "PRELIM | Check for rhnsd service" - shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false become: true @@ -198,28 +198,28 @@ - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" - set_fact: + ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - name: Output of uid findings - debug: + ansible.builtin.debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 118f93bc..d4a7f7dd 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
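Review bot: "PRELIM | 5.3.4 | Find all sudoers files" is moved from `ansible.builtin.command` to `ansible.builtin.shell`, but the `find` invocation uses no pipe, glob expansion or redirection, so `shell` only adds a shell parse step (and an ansible-lint `command-instead-of-shell` finding) to a task that runs as root. The same downgrade is applied throughout this patch (`dnf repolist`, `aide --init`, `rpm -q`, `nmcli`, `cat`, `useradd -D`, `chage`); keep `command` wherever no shell feature is used. Here: `ansible.builtin.command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"`.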
@@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: remount tmp + notify: Remount tmp with_items: - "{{ ansible_mounts }}" loop_control: @@ -64,7 +64,7 @@ owner: root group: root mode: 0644 - notify: systemd restart tmp.mount + notify: Systemd restart tmp.mount when: - rhel9cis_tmp_svc - rhel9cis_rule_1_1_2_1 or diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index afe1b8ce..7ea30d9b 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -35,7 +35,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_mount_present is defined - item.mount == "/var" diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 4a1deb0f..b32260b5 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -37,7 +37,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index ccaeb5c4..da3c0e8f 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -37,7 +37,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_log_mount_present is defined - item.mount == "/var/log" diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 41918994..b030e8f7 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -10,8 +10,8 @@ ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: '1.1.6.1' - required_mount: '/var/log/audit' + warn_control_id: '1.1.6.1' + required_mount: '/var/log/audit' when: - required_mount not in mount_names - rhel9cis_rule_1_1_6_1 @@ -36,7 +36,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 60192d7b..946572ce 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -36,7 +36,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - home_mount_present is defined - item.mount == "/home" diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 7703ed41..3b85af37 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -34,7 +34,7 @@ fstype: tmpfs state: mounted opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or rhel9cis_rule_1_1_8_3 or diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 1b0d2a28..c43e4454 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -4,7 +4,7 @@ ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index dcc8e5c0..99f24ea6 100644 --- a/tasks/section_1/cis_1.2.x.yml 
+++ b/tasks/section_1/cis_1.2.x.yml @@ -68,7 +68,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" - ansible.builtin.command: dnf repolist + ansible.builtin.shell: dnf repolist changed_when: false failed_when: false register: dnf_configured diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 607065cf..cf20cb9f 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -8,7 +8,7 @@ state: present - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index fe690c50..20be846b 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -25,7 +25,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } @@ -54,7 +54,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } @@ -81,7 +81,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - { regex: 'automount=', line: 'automount=false' } diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 37ede1b9..e226948c 100644 
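Review bot: The AIDE initialisation in tasks/section_1/cis_1.3.x.yml runs `/usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'` with both `failed_when: false` and `changed_when: false`, so a failed baseline build (missing config, full disk, rejected `-B` option) is indistinguishable from success and the host is reported compliant with no integrity database. Register the result and fail on a non-zero rc, or at least add an `ansible.builtin.stat` plus `assert` that `/var/lib/aide/aide.db.gz` exists afterwards. The task's async/poll settings continue past the hunk, so I cannot tell whether it also returns before the build completes.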
--- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -4,7 +4,7 @@ ansible.builtin.package: name: "*" state: latest - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_9 - not system_is_ec2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 4f1be785..aac8a274 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -228,7 +228,7 @@ ansible.builtin.package: name: dnsmasq state: absent - notify: restart postfix + notify: Restart postfix when: - not rhel9cis_is_mail_server - "'dnsmasq' in ansible_facts.packages" @@ -245,7 +245,7 @@ path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" - notify: restart postfix + notify: Restart postfix when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 9e1e4849..b2e104ae 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -27,21 +27,21 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - ansible.builtin.command: rpm -q NetworkManager + ansible.builtin.shell: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false register: rhel_08_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - ansible.builtin.command: nmcli radio wifi + ansible.builtin.shell: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - ansible.builtin.command: nmcli radio all off + ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 9850ce47..2473e87b 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -5,7 +5,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" - notify: restart auditd + notify: Restart auditd when: - rhel9cis_rule_4_1_2_1 tags: @@ -21,7 +21,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - notify: restart auditd + notify: Restart auditd when: - rhel9cis_rule_4_1_2_2 tags: @@ -36,7 +36,7 @@ path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: restart auditd + notify: Restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } 
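Review bot: The three 3.1.2 tasks still register into `rhel_08_nmcli_available` and `rhel_08_wifi_enabled` inside a rhel9cis role, and "Disable wifi if enabled" sets `changed_when: false` on `nmcli radio all off`, so a real radio change is reported as a no-op. Rename to `rhel9cis_3_1_2_nmcli_available` / `rhel9cis_3_1_2_wifi_enabled` (matching the `rhel9cis_5_6_1_4_user_list` rename later in this patch) and drop `changed_when: false` on the disable task, which only runs when the previous task reported a change. `ansible.builtin.command` is sufficient for all three calls.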
@@ -56,7 +56,7 @@ regexp: "^{{ item }}( |=)" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" - notify: restart auditd + notify: Restart auditd when: - rhel9cis_auditd_extra_conf.keys() | length > 0 tags: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index ca69e3dd..5ee9b554 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -64,9 +64,9 @@ loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" - when: - - item.mode != '06(0|4)0' - - rhel9cis_rule_4_1_4_5 + when: + - item.mode != '06(0|4)0' + - rhel9cis_rule_4_1_4_5 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index b1a20a9b..5ff7e75b 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -32,10 +32,10 @@ path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_3 - - rhel9cis_preferred_log_capture == "rsyslog" + - rhel9cis_syslog == "rsyslog" tags: - level1-server - level1-workstation @@ -47,7 +47,7 @@ path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_4 tags: @@ -60,7 +60,7 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.command: cat /etc/rsyslog.conf + ansible.builtin.shell: cat /etc/rsyslog.conf changed_when: false failed_when: false check_mode: false 
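Review bot: The re-indented condition `item.mode != '06(0|4)0'` in 4.1.4.5 compares the mode string returned by find with a regex-looking literal using `!=`, so it is true for every file (no mode string equals `06(0|4)0`) and the loop rewrites every auditd configuration file on every run, defeating idempotence and hiding which files were actually wrong. Use a real pattern or set test: `- item.mode is not match('06[04]0')` or `- item.mode not in ['0600', '0640']`. The module call the loop drives is outside the hunk.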
@@ -84,7 +84,7 @@ mail.warning -/var/log/mail.warning mail.err /var/log/mail.err insertafter: '# Log all the mail messages in one place.' - notify: restart rsyslog + notify: Restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" @@ -97,7 +97,7 @@ news.crit -/var/log/news/news.crit news.notice -/var/log/news/news.crit insertafter: '# Save news errors of level crit and higher in a special file.' - notify: restart rsyslog + notify: Restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" @@ -111,7 +111,7 @@ *.crit /var/log/warn *.*;mail.none;news.none /var/log/messages insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" @@ -127,7 +127,7 @@ local6,local7.* -/var/log/localmessages *.emrg :omusrmsg:* insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" ansible.builtin.blockinfile: @@ -138,7 +138,7 @@ # Private settings to meet CIS standards auth,authpriv.* /var/log/secure insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" ansible.builtin.blockinfile: @@ -149,7 +149,7 @@ # Cron settings to meet CIS standards cron.* /var/log/cron insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_5 tags: @@ -171,7 +171,7 @@ failed_when: - result is failed - result.rc != 257 - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_6 - rhel9cis_remote_log_server 
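Review bot: The "Local log settings" blockinfile in 4.2.1.5 writes `*.emrg :omusrmsg:*`; `emrg` is not an rsyslog priority keyword (the name is `emerg`), so rsyslog rejects that selector when it reloads and emergency messages are never broadcast to logged-in users, which is the purpose of the line. Change it to `*.emerg :omusrmsg:*`. The blockinfile's path and marker lines are outside the hunk.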
@@ -189,7 +189,7 @@ path: /etc/rsyslog.conf regexp: '{{ item }}' replace: '#\1' - notify: restart rsyslog + notify: Restart rsyslog loop: - '^(\$ModLoad imtcp)' - '^(\$InputTCPServerRun)' @@ -202,7 +202,7 @@ path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' replace: '\1' - notify: restart rsyslog + notify: Restart rsyslog loop: - 'ModLoad imtcp' - 'InputTCPServerRun' diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 0c537951..c6b0e2e8 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -19,7 +19,7 @@ path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload with_items: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} @@ -92,7 +92,7 @@ ansible.builtin.import_tasks: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: - warn_control_id: '4.2.2.2' + warn_control_id: '4.2.2.2' when: - rhel9cis_rule_4_2_2_2 tags: @@ -108,7 +108,7 @@ path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_3 tags: @@ -124,7 +124,7 @@ path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_4 tags: @@ -141,7 +141,7 @@ path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 tags: 
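Review bot: 4.2.1.6 comments out (and, in the next hunk, re-enables) `$ModLoad imtcp` and `$InputTCPServerRun` with regexes that only recognise the legacy `$`-directive syntax. If the RHEL 9 rsyslog.conf ships the RainerScript form (`module(load="imtcp")`, `input(type="imtcp" port="514")`), both loops match nothing and the "not accepting remote messages" control is silently not enforced while reporting ok. Add patterns for the RainerScript lines, e.g. `- '^(module\(load="imtcp"\))'` and `- '^(input\(type="imtcp".*\))'`, or verify with `rsyslogd -N1` after the change. The loops continue past the hunk.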
@@ -157,7 +157,7 @@ path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: restart journald + notify: Restart systemd_journal_upload with_items: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 9dc785ea..f0286d9e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -84,7 +84,7 @@ regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" @@ -93,7 +93,7 @@ regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" @@ -102,7 +102,7 @@ regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" @@ -111,7 +111,7 @@ regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: - rhel9cis_rule_5_2_4 
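Review bot: Every edit to `/etc/systemd/journald.conf` in this file now notifies `Restart systemd_journal_upload`, and this hunk explicitly swaps the previous `restart journald` for it, but `journald.conf` is read by `systemd-journald`, so `SystemMaxUse`/`SystemKeepFree` (and `Compress`, `Storage`, `ForwardToSyslog` in the hunks above) will not take effect until journald itself is restarted. Keep a dedicated handler, e.g. `notify: Restart journald` backed by `ansible.builtin.systemd` with `name: systemd-journald` and `state: restarted`, and reserve the journal-upload handler for the `journal-upload.conf` edits in 4.2.2.1.x. The handler list in `handlers/main.yml` is not visible here, so confirm whether a journald handler survived the casing rename or has to be re-added.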
@@ -267,7 +267,7 @@ - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - notify: restart sshd + notify: Restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: - rhel9cis_rule_5_2_14 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 5b4704c7..1f6b691c 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -52,19 +52,19 @@ register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false - register: rhel_8_5_6_1_4_user_list + register: rhel9cis_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" with_items: - - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" + - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" when: - rhel9cis_rule_5_6_1_4 tags: 
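Review bot: Switching `useradd -D -f {{ rhel9cis_inactivelock.lock_days }}` and `chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"` from `ansible.builtin.command` to `ansible.builtin.shell` routes the templated values through `/bin/sh` as root, and `item` comes straight from the `awk` over `/etc/shadow` in the task above, which does not constrain characters the way `useradd` does; a crafted account name or a careless `lock_days` value then becomes shell syntax. Neither command uses pipes, redirects or globbing, so `command` is the correct module and should be restored on both tasks, e.g. `ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"`. If the swap was made to quiet a lint rule, `no-changed-when` is already in `.ansible-lint`'s skip list and an explicit `changed_when` is the right lever, not a change of module.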
@@ -104,7 +104,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - ansible.builtin.command: passwd --expire {{ item }} + ansible.builtin.shell: passwd --expire {{ item }} when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e2985f8d..e8cd62ff 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -207,7 +207,7 @@ when: - item.stdout_lines is defined - item.stdout_lines | length > 0 - + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: warning_facts.yml vars: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c553121d..ebc51d45 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -450,7 +450,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 ## syslog -rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }} +rhel9cis_syslog: {{ rhel9cis_syslog }} # Section 5 ## 5.2.4 Note the following to understand precedence and layout diff --git a/vars/main.yml b/vars/main.yml index 2ba64a18..165eff54 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -8,5 +8,5 @@ rhel9cis_allowed_crypto_policies: - 'FIPS' # Used to control warning summary -control_number: "" +warn_control_list: "" warn_count: 0 From 7a3a3d3444df65628893d9fbd9c1a8ed1e759f7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:06 +0000 Subject: [PATCH 292/454] updated to latest actions Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
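Review bot: `passwd --expire {{ item }}` uses no shell feature, so moving it from `ansible.builtin.command` to `ansible.builtin.shell` only adds risk: the account name, presumably looped from the preceding `/etc/shadow` audit (the loop itself is outside this hunk), is now interpreted by `/bin/sh` as root and is not even quoted. Restore `ansible.builtin.command: passwd --expire "{{ item }}"`, quoting the name the same way the 5.6.1.4 `chage` task does.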
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 2c972d5c..8d26a35c 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v1.1.1 + - uses: actions/first-interaction@main with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/iansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. # This workflow contains a single job called "build" build: # The type of runner that the job will run on @@ -44,7 +44,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} From e17acee56daf27076e7da707efffd9b090d73637 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:15 +0000 Subject: [PATCH 293/454] fixed variables Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 168ce675..910b0982 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -526,7 +526,8 @@ rhel9cis_auditd_extra_conf: {} ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 -rhel9cis_preferred_log_capture: rsyslog +rhel9cis_syslog: rsyslog +rhel9cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com 
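Review bot: `actions/first-interaction@main` moves from a tagged release to a mutable branch, so any commit pushed to that action's default branch is executed in this workflow, with `repo-token: ${{ secrets.GITHUB_TOKEN }}`, the next time a first-time contributor opens a pull request. Pin it (and `actions/checkout@v3`, since tags can also be moved) to a full-length commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<40-char-sha> # v3`, and let Dependabot bump the SHA. No `permissions:` block for this job is visible in the hunk; if there is none, scoping the token to the minimum the action needs limits the blast radius of either dependency.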
@@ -600,9 +601,6 @@ rhel9cis_pass: max_days: 365 min_days: 7 warn_age: 7 -# Syslog system - either rsyslog or syslog-ng -rhel9cis_syslog: rsyslog -rhel9cis_rsyslog_ansiblemanaged: true # 5.5.1 ## PAM From 2e40e8c54e24b0e5f4aca09e0ef995866401da2c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:24 +0000 Subject: [PATCH 294/454] typo fix Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 404d74bb..a350df02 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -77,7 +77,7 @@ name: systemd-journal-upload state: restarted -- name: Systemd_daemon_Reload +- name: Systemd_daemon_reload ansible.builtin.systemd: daemon-reload: true @@ -91,7 +91,7 @@ - name: Audit_immutable_fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: change_requires_reboot + notify: Change_requires_reboot when: - auditd_immutable_check.stdout == '1' From 77c914998fc52625e37128b908cdca0f42b9d593 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:35 +0000 Subject: [PATCH 295/454] fix notify Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index d0259810..6d3eb4e1 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -5,7 +5,7 @@ path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' - notify: systemd_daemon_reload + notify: Systemd_daemon_reload when: - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists From 7f48dbd2c4782b0eb692700c1825977b01643a6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:53 +0000 Subject: [PATCH 296/454] added gpg-key update Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eaae1a3e..c33afe32 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -99,6 +99,13 @@ grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists +- name: "PRELIM | Update to latest gpg keys" + ansible.builtin.package: + name: "{{ ansible_distribution | lower }}-gpg-keys" + state: latest + when: + - rhel9cis_rule_1_2_4 + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit From 83bd6cd87c084cb2880b51896fe9e12695b634f5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:00:03 +0000 Subject: [PATCH 297/454] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- 1 file changed, 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index c3dfee39..6dc3572b 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,9 +3,7 @@ quiet: true skip_list: - 'schema' - 'no-changed-when' - - 'fqcn-builtins' - 'experimental' - - 'name[casing]' - 'name[template]' - 'jinja[spacing]' - '204' From 50d4cd83aabe5d899d37e5e741ce884ee416ccc5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:15:50 +0000 Subject: [PATCH 298/454] Removed -automated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.x.yml | 1 - tasks/section_1/cis_1.2.x.yml | 1 - tasks/section_1/cis_1.6.1.x.yml | 7 ------- tasks/section_1/cis_1.8.x.yml | 5 ----- tasks/section_2/cis_2.3.x.yml | 4 ---- tasks/section_4/cis_4.1.2.x.yml | 1 - tasks/section_4/cis_4.1.3.x.yml | 1 - tasks/section_4/cis_4.2.2.x.yml | 6 +----- tasks/section_4/cis_4.2.3.yml | 1 - tasks/section_6/cis_6.1.x.yml | 1 - tasks/warning_facts.yml | 2 +- 11 files changed, 2 insertions(+), 28 deletions(-) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 77cbf0fa..dea0bbca 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -21,7 +21,6 @@ tags: - level1-server - level2-workstation - - automated - patch - mounts - removable_storage 
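Review bot: `{{ ansible_distribution | lower }}-gpg-keys` expands to `redhat-gpg-keys` on RHEL, and as far as I know RHEL ships its signing keys in `redhat-release` rather than a package of that name, so this prelim task is likely to fail on the primary target while working on Rocky (`rocky-gpg-keys`) and AlmaLinux (`almalinux-gpg-keys`); confirm the name or gate the task on `ansible_distribution in ['Rocky', 'AlmaLinux']`. `state: latest` also forces a repository transaction on every run before any repo hardening has applied; `state: present` is enough to guarantee the keys are installed, with updates left to the normal patch cycle. The task is gated on `rhel9cis_rule_1_2_4` although the visible GPG-key checks (`os_gpg_key_check`) live under 1.2.1, so a one-line comment stating why that control drives it would help the next reader.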
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 99f24ea6..6d64ebb0 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -61,7 +61,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.2.2 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index c954f664..89e31610 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -9,7 +9,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.6.1.1 @@ -45,7 +44,6 @@ tags: - level1-server - level1-workstation - - automated - selinux - patch - rule_1.6.1.3 @@ -61,7 +59,6 @@ tags: - level1-server - level1-workstation - - automated - selinux - patch - rule_1.6.1.4 @@ -78,7 +75,6 @@ tags: - level2-server - level2-workstation - - automated - selinux - patch - rule_1.6.1.5 @@ -106,7 +102,6 @@ tags: - level1-server - level1-workstation - - automated - audit - services - rule_1.6.1.6 @@ -120,7 +115,6 @@ - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - - automated - selinux - patch - rule_1.6.1.7 @@ -134,6 +128,5 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.6.1.8 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 20be846b..23dd3c6a 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -9,7 +9,6 @@ - "'gdm' in ansible_facts.packages" tags: - level2-server - - automated - patch - gui - gdm @@ -39,7 +38,6 @@ tags: - level1-server - level1-workstation - - automated - patch - gui - gdm @@ -67,7 +65,6 @@ tags: - level1-server - level1-workstation - - automated - patch - gui - rule_1.8.3 @@ -92,7 +89,6 @@ tags: - level1-server - level2-workstation - - automated - patch - gui - rule_1.8.6 @@ -109,7 +105,6 @@ tags: - level1-server - level1-workstation - - automated - patch - gui - rule_1.8.4 
diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 38f24c03..10a06623 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - patch - telnet - rule_2.3.1 @@ -27,7 +26,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ldap - rule_2.3.2 @@ -43,7 +41,6 @@ tags: - level1-server - level1-workstation - - automated - patch - tftp - rule_2.3.3 @@ -59,7 +56,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ftp - rule_2.3.4 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 2473e87b..e9cee1c1 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -11,7 +11,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.1 diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index e29f4968..922ea616 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -61,7 +61,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.5 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index c6b0e2e8..e22da771 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -63,7 +63,6 @@ tags: - level1-server - level1-workstation - - automated - patch - journald - rule_4.2.2.1.4 @@ -98,7 +97,6 @@ tags: - level1-server - level1-workstation - - automated - audit - journald - rule_4.2.2.2 @@ -114,7 +112,6 @@ tags: - level1-server - level1-workstation - - automated - patch - journald - rule_4.2.2.3 @@ -130,7 +127,6 @@ tags: - level1-server - level1-workstation - - automated - patch - journald - rule_4.2.2.4 
@@ -184,7 +180,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" ansible.builtin.set_fact: systemd_conf_file: /etc/tmpfiles.d/systemd.conf - when: rhel9cis_4_2_2_7_override_stat.exists + when: rhel9cis_4_2_2_7_override.stat.exists - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" ansible.builtin.lineinfile: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a7a623a0..8a7ae835 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -21,7 +21,6 @@ tags: - level1-server - level1-workstation - - automated - patch - logfiles - rule_4.2.3 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e8cd62ff..2360ec2b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -142,7 +142,6 @@ tags: - level1-server - level1-workstation - - automated - patch - files - permissions diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 37560bd9..6e804873 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -14,7 +14,7 @@ # # warn_count the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" From 8191b02c3ed104be08bd113d7bfee82ebce19b07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:16:15 +0000 Subject: [PATCH 299/454] fixed changed_requires_reboot Signed-off-by: Mark Bolwell --- tasks/post.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 7f8b1fbe..8facbd21 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
@@ -39,7 +39,7 @@ - name: POST | Reboot system if changes require it and not skipped ansible.builtin.reboot: when: - - Change_requires_reboot + - change_requires_reboot - not skip_reboot - name: POST | Warning a reboot required but skip option set @@ -47,13 +47,13 @@ msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - Change_requires_reboot + - change_requires_reboot - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: warning_facts.yml when: - - Change_requires_reboot + - change_requires_reboot - skip_reboot vars: warn_control_id: Reboot_required From e87cc3ade5496fb314c8f4953412b1b8215459fa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:16:27 +0000 Subject: [PATCH 300/454] Removed -automated Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 30fe5fed..36de90f8 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -39,7 +39,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_6.2.2 From e1c41c4652e067421ece0b6bfde3bb8feecd12d2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:16:48 +0000 Subject: [PATCH 301/454] removed rule not needed Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ebc51d45..abc4c1be 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -53,7 +53,6 @@ rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }} rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }} rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }} rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }} -rhel9cis_rule_1_1_3_4: {{ rhel9cis_rule_1_1_3_4 }} # 1.1.4 Configure /var/tmp rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }} rhel9cis_rule_1_1_4_2: {{ rhel9cis_rule_1_1_4_2 }} From 801eff8a539568bfbd81ba45695152377294ea88 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:18:34 +0000 Subject: [PATCH 302/454] Added requirements Make Signed-off-by: Mark Bolwell --- Makefile | 11 +++++++++++ requirements.txt | 5 +++++ 2 files changed, 16 insertions(+) create mode 100644 Makefile create mode 100644 requirements.txt diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..46a81d1f --- /dev/null +++ b/Makefile @@ -0,0 +1,11 @@ +# TESTS + +all: yamllint + +yamllint: + git ls-files "*.yml"|xargs yamllint + +requirements: + @echo 'Python dependencies:' + @cat requirements.txt + pip install -r requirements.txt diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..52cb84d2 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,5 @@ +passlib +lxml +xmltodict +jmespath +yamllint From 1fe3a88ff9cdbcdd5c02999bdae76585c916c7cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:27:05 +0000 Subject: [PATCH 303/454] removed var not required Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index abc4c1be..2bc98e19 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
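Review bot: `requirements.txt` carries no version constraints, so `make requirements` (`pip install -r requirements.txt`) resolves to whatever the newest PyPI release is at install time, with no integrity check on what lands on contributors' or CI machines. Pin each entry (`passlib==<version>`) and, preferably, generate hashed pins with `pip-compile --generate-hashes` and install with `pip install --require-hashes -r requirements.txt`, so a hijacked or yanked release cannot be pulled in silently. A header comment naming the Python version the pins were resolved against would make the file self-explanatory.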
@@ -438,9 +438,9 @@ rhel9cis_is_router: {{ rhel9cis_is_router }} rhel9cis_firewall: {{ rhel9cis_firewall }} ##### firewalld rhel9cis_default_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewalld_nftables_state: {{ rhel9cis_firewalld_nftables_state }} # Note if absent removes the firewalld pkg dependancy + #### nftables -rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} + rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} From 910d1599a2118e9c8af556f09de9136ff3a66819 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Jan 2023 09:23:29 +0000 Subject: [PATCH 304/454] updated versions Signed-off-by: Mark Bolwell --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 00d5a39c..f54c90f0 100644 --- a/README.md +++ b/README.md @@ -10,10 +10,9 @@ ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) -Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) -Based on v2.0.0 RHEL8 +Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) -Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/) +Based on [CIS RedHat Enterprise Linux 9 Benchmark v1.0.0. - 11-30-2022 ](https://www.cisecurity.org/cis-benchmarks/) ## Join us From a2d074a343cb9ddca1c1fc2669317a3fdfd7ce95 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Jan 2023 11:34:01 +0000 Subject: [PATCH 305/454] added blacklist requirement 
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index cc2156c3..00303aca 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -10,11 +10,20 @@ create: true mode: 0600 + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist squashfs(\\s|$)" + line: "blacklist squashfs" + create: true + mode: 0600 + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: not system_is_container + when: - rhel9cis_rule_1_1_1_1 tags: @@ -34,6 +43,14 @@ create: true mode: 0600 + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist udf(\\s|$)" + line: "blacklist udf" + create: true + mode: 0600 + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf From c9b97bec6e16da7b849a62b278c1c44822bf5572 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Jan 2023 12:31:47 +0000 Subject: [PATCH 306/454] fixed loop Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 61174d2f..af1579f2 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
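Review bot: The two new `blacklist` tasks use the bare `lineinfile:` short name while other task files in this role use `ansible.builtin.lineinfile`; using the FQCN here keeps the role consistent and avoids collection-resolution surprises. A short comment on each task would also help, e.g. `# blacklist only stops alias-triggered autoload; the install <module> /bin/false line above is what blocks an explicit modprobe`, since the control needs both entries and the `install` task's body is above this hunk. The `modprobe` task is gated on `not system_is_container` but the blacklist edits are not; that is harmless, but worth a comment so nobody "fixes" it later.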
@@ -22,14 +22,14 @@ block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" ansible.builtin.file: - path: /boot/grub2/grub.cfg + path: "/boot/grub2/{{ item.path }}" owner: root group: root - mode: 0600 + mode: "{{ item.mode }}" loop: - - grub.cfg - - grubenv - - user.cfg + - { path: 'grub.cfg', mode: '0700' } + - { path: 'grubenv', mode: '0600' } + - { path: 'user.cfg', mode: '0600' } when: - rhel9cis_rule_1_4_2 From 9d4120468ef940e7bc4698e8a0458cecbaf8a091 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:00:18 +0000 Subject: [PATCH 307/454] Thanks to @keystone-admin on discord missing tag Signed-off-by: Mark Bolwell --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 8229390d..981ade5b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -140,6 +140,7 @@ - rule_6.2.11 - rhel9cis_section5 - rhel9cis_section6 + - level1-server - name: run Section 1 tasks ansible.builtin.import_tasks: section_1/main.yml From bc90630ca81ccd0f4dd3e9ccace62f3e460eab0f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:21:51 +0000 Subject: [PATCH 308/454] git add set bootloader & gossupdates Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 910b0982..5e0baa7e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
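Review bot: `ansible.builtin.file` without a `state` defaults to `state: file`, which fails when the path does not exist, and `/boot/grub2/user.cfg` only exists once a bootloader password has been set, so this loop will abort 1.4.2 on any host where `rhel9cis_set_boot_pass` is false or 1.4.1 was skipped. Setting `grub.cfg` to `0700` also adds an execute bit to a data file; my reading of the benchmark's remediation is `chmod u-x,go-rwx`, which `0700` does not satisfy, so `0600` is the safe value for all three. A `stat` loop feeding the `file` task, as below, handles the optional file; the enclosing `block:` starts before this hunk.

```yaml
- name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | Check files exist"
  ansible.builtin.stat:
    path: "/boot/grub2/{{ item }}"
  loop:
    - grub.cfg
    - grubenv
    - user.cfg
  register: rhel9cis_1_4_2_grub_files

- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
  ansible.builtin.file:
    path: "{{ item.stat.path }}"
    owner: root
    group: root
    mode: '0600'
  loop: "{{ rhel9cis_1_4_2_grub_files.results }}"
  loop_control:
    label: "{{ item.item }}"
  when: item.stat.exists  # user.cfg is only present once a grub password is set
```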
@@ -366,9 +366,9 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false # 1.4.2 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.5783BF1560E32718E85FEC2E1B8D4D7FFCA39A409EE47995A515E3F22B9347131E627F8B42CE987535152103D82631E11F9C953E26B8C02A5C99787CBC395DD9.AF8C36AAA5FE5F3B4CE2B436F079F03645C7A87DD3301D083F7AD05B8C25770DB1DDB75BF329382B282C8AADE19206479FDA94BB63A4567C58C70DF126DC82DA' rhel9cis_bootloader_password: random -rhel9cis_set_boot_pass: false +rhel9cis_set_boot_pass: true # 1.10 Set crypto policy DEFAULT @@ -660,14 +660,14 @@ audit_run_script_environment: ### Goss binary settings ### goss_version: - release: v0.3.18 - checksum: 'sha256:432308ebca0caf8165d45bd27e3262126aad9d15572ac8cb3149b3c91f75aace' + release: v0.3.21 + checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node From ade06951ffbff80436b5b7ab2959377888e8ea40 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:22:02 +0000 Subject: [PATCH 309/454] removed congrats Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 6d64ebb0..62fae23a 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
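Review bot: Flipping `rhel9cis_set_boot_pass` to `true` while `rhel9cis_bootloader_password_hash` holds a concrete PBKDF2 hash means every host run with role defaults gets a bootloader password whose hash is published in this repository; that is not a secret, it can be cracked offline at leisure, and the previous `grub.pbkdf2.sha512.changethispassword` placeholder at least failed loudly. Keep the placeholder as the default and add a prelim assertion such as `that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'` guarded by `when: rhel9cis_set_boot_pass`, so 1.4.1 cannot silently ship a shared credential. The goss bump in the second hunk is fine as written, since the binary is pinned by sha256 alongside the version.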
@@ -15,13 +15,6 @@ register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys pass" - ansible.builtin.debug: - msg: "Congratulations !! - The installed gpg keys match expected values" - when: - - os_installed_pub_keys.rc == 0 - - os_gpg_key_check.rc == 0 - - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or keys installed that are not expected From e3a0ff8cd89d1da38ad084016f71e41520c1f6cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:22:11 +0000 Subject: [PATCH 310/454] added logic Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 38 +++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 23dd3c6a..f627f6a2 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -69,6 +69,44 @@ - gui - rule_1.8.3 +- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" + copy: + dest: /etc/dconf/db/local.d/00-screensaver + content: | + [org/gnome/desktop/session] + idle-delay=uint32 300 + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 + mode: '0644' + notify: Reload dconf + when: + - rhel9cis_rule_1_8_4 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - patch + - gui + - rule_1.8.4 + +- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" + lineinfile: + path: /etc/dconf/db/local.d/locks/session + create: true + line: /org/gnome/desktop/screensaver/lock-delay + owner: root + group: root + mode: 0640 + when: + - rhel9cis_rule_1_8_5 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - patch + - gui + - rule_1.8.3 + - name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-media-automount 
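Review bot: The new 1.8.5 task is tagged `rule_1.8.3` instead of `rule_1.8.5`, so `--tags rule_1.8.5` never runs it and `--skip-tags rule_1.8.3` silently drops it; its name is also missing the `|` separator after `1.8.5` that every other task in the file uses. The lock file only pins `/org/gnome/desktop/screensaver/lock-delay`; my reading of the benchmark's 1.8.5 remediation is that `/org/gnome/desktop/session/idle-delay` must be locked too, otherwise a user can set `idle-delay=0` and the 1.8.4 policy is moot, which a `loop` over both paths with `line: "{{ item }}"` covers in two lines. Both tasks use bare `copy:`/`lineinfile:` while the 1.8.6 task right below uses `ansible.builtin.lineinfile`, and the 1.8.4 task notifies `Reload dconf`, a handler not visible in the `handlers/main.yml` hunks of this series; confirm it exists under that exact capitalised name.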
From 6e77a3ced6193b5762d58f432b901be78e267d8f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:22:30 +0000 Subject: [PATCH 311/454] removed older version Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 5ff7e75b..3a9cd772 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -206,8 +206,6 @@ loop: - 'ModLoad imtcp' - 'InputTCPServerRun' - - 'module\(load="imtcp"\)' - - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 From 6845c8ad2fa634a4aca276e8f5a138e33ef30bec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:26:38 +0000 Subject: [PATCH 312/454] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 6dc3572b..21834039 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,16 +1,20 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'experimental' - - 'name[template]' - - 'jinja[spacing]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'fqcn-builtins' + - 'experimental' + - 'name[casing]' + - 'name[template]' + - 'fqcn[action]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 From 05d425befef1091c84d9b6fd91d932a7e7ff090e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:26:58 +0000 Subject: [PATCH 313/454] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 1 - 1 file changed, 1 deletion(-) diff --git a/.ansible-lint b/.ansible-lint index 21834039..7ef99f1f 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -4,7 +4,6 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[casing]' - 'name[template]' From 9e9e3abc43596fddb02ab4daab44abe414bb5fc2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:29:03 +0000 Subject: [PATCH 314/454] changed default grub password Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5e0baa7e..6b916a59 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -366,7 +366,7 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false # 1.4.2 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.5783BF1560E32718E85FEC2E1B8D4D7FFCA39A409EE47995A515E3F22B9347131E627F8B42CE987535152103D82631E11F9C953E26B8C02A5C99787CBC395DD9.AF8C36AAA5FE5F3B4CE2B436F079F03645C7A87DD3301D083F7AD05B8C25770DB1DDB75BF329382B282C8AADE19206479FDA94BB63A4567C58C70DF126DC82DA' +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: true From 32805d64979c3d4ece950457ec18ec624771890f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:34:58 +0000 Subject: [PATCH 315/454] fixed typo 1.1.8.4 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 2bc98e19..7b0b8e69 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
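Review bot: This swaps one published grub PBKDF2 hash for another, but with `rhel9cis_set_boot_pass: true` as the default the problem is the same either way: a hash committed to `defaults/main.yml` is public, so every deployment that does not override it shares a bootloader credential an attacker can recover offline. A non-functional placeholder plus a prelim `ansible.builtin.assert` that fails when the hash has not been overridden is the safer default; a comment above the variable saying `# Generate with grub2-mkpasswd-pbkdf2 and override per environment` would tell users what is expected.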
@@ -76,7 +76,7 @@ rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} -rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }} +rhel9cis_rule_1_1_8_4: {{ rhel9cis_rule_1_1_8_4 }} # 1.9 usb-storage rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} # 1.2 Configure Software Updates From b8085e5dc0e270c1b955de334ea36ec45c3b23a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 10:07:14 +0000 Subject: [PATCH 316/454] cis_v1.0.0 alignment updated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 4 +--- tasks/section_1/cis_1.1.4.x.yml | 6 ++---- tasks/section_1/cis_1.1.5.x.yml | 2 -- tasks/section_1/cis_1.1.6.x.yml | 2 -- tasks/section_1/cis_1.1.7.x.yml | 8 +++++--- tasks/section_1/cis_1.1.x.yml | 8 ++++++++ 7 files changed, 17 insertions(+), 15 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d4a7f7dd..d55f5ec9 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -6,7 +6,7 @@ ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | warning" + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '1.1.2.1' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 7ea30d9b..649657f4 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
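Review bot: The renamed 1.1.2.1 task is still labelled `PATCH` although it only imports warning_facts.yml and changes nothing on the host, whereas the equivalent tasks for /var and /var/tmp in this same commit are labelled `AUDIT`; the label is what operators grep on, so make it `"1.1.2.1 | AUDIT | Ensure /tmp is a separate partition | Present"` to match its siblings. The `| Present` suffix sits on a task that, judging by the adjacent `Warning!! ... doesn't exist` message, fires when the mount is absent, so a short comment on the block explaining the Absent/Present naming would help; the enclosing block starts before this hunk.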
@@ -6,7 +6,7 @@ ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | warning" + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '1.1.3.1' @@ -37,9 +37,7 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_mount_present is defined - item.mount == "/var" - - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - rhel9cis_rule_1_1_3_2 or rhel9cis_rule_1_1_3_3 tags: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b32260b5..b8ae48da 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -7,7 +7,7 @@ ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '1.1.4.1' @@ -32,16 +32,14 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nodev{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_4_1 # This is required so the check takes place - rhel9cis_rule_1_1_4_2 or rhel9cis_rule_1_1_4_3 or rhel9cis_rule_1_1_4_4 
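Review bot: The corrected `opts:` line for /var/tmp still emits a trailing comma whenever `rhel9cis_rule_1_1_4_4` is false (`defaults,noexec,nosuid,` or `defaults,noexec,`), which is written verbatim into /etc/fstab; whether mount(8) tolerates the empty option is something to test, but an fstab entry should not depend on it. Building the string as a list avoids the problem: `opts: "{{ (['defaults'] + (['noexec'] if rhel9cis_rule_1_1_4_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_4_3 else []) + (['nodev'] if rhel9cis_rule_1_1_4_4 else [])) | join(',') }}"`. Dropping `rhel9cis_rule_1_1_4_1` from `when:` also means the remount options are now written even when the operator disabled the partition check; if that is intended, a one-line comment saying so would stop the next person re-adding the guard.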
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index da3c0e8f..9f556ba1 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -39,9 +39,7 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_log_mount_present is defined - item.mount == "/var/log" - - rhel9cis_rule_1_1_5_1 # This is required so the check takes place - rhel9cis_rule_1_1_5_2 or rhel9cis_rule_1_1_5_3 or rhel9cis_rule_1_1_5_4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index b030e8f7..fcfa92b3 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -38,9 +38,7 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel9cis_rule_1_1_6_1 # This is required so the check takes place - rhel9cis_rule_1_1_6_2 or rhel9cis_rule_1_1_6_3 or rhel9cis_rule_1_1_6_4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 946572ce..9fadf59d 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -1,5 +1,8 @@ --- +- ansible.builtin.debug: + msg: "{{ mount_names }}" + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" @@ -8,9 +11,9 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: '1.1.7.1' + vars: + warn_control_id: '1.1.7.1' required_mount: '/home' when: - required_mount not in mount_names @@ -38,7 +41,6 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - home_mount_present is defined - item.mount == "/home" - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index dea0bbca..19c99c0b 100644 
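Review bot: The /home mount task keeps `- rhel9cis_rule_1_1_7_1` in its `when:` while the parallel tasks for /var, /var/tmp, /var/log and /var/log/audit in this same commit drop the corresponding `rhel9cis_rule_1_1_x_1` guard, so disabling only the partition check 1.1.7.1 silently skips the nodev/nosuid/noexec options for /home and for no other section. Either remove that line here for consistency or keep the guard in all five files, but not a mix. The unnamed `ansible.builtin.debug` task added at the top of cis_1.1.7.x.yml prints `mount_names` on every run with no `when:` or tags; if it is a leftover it should be dropped, otherwise give it a name and a tag so tag-filtered runs behave.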
--- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -16,6 +16,14 @@ ansible.builtin.modprobe: name: usb-storage state: absent + + - name: "1.1.9 | PATCH | Disable USB Storage | blacklist" + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist usb-storage(\\s|$)" + line: "blacklist usb-storage" + create: true + mode: 0600 when: - rhel9cis_rule_1_1_9 tags: From 184832d2acfb8695acca1b79b795d00e5f3b3c3e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 11:28:53 +0000 Subject: [PATCH 317/454] update blacklist Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index b2e104ae..6a46b780 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -54,14 +54,24 @@ - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure TIPC is disabled" - ansible.builtin.template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" - owner: root - group: root - with_items: - - tipc + block: + - name: "3.1.3 | PATCH | Ensure TIPC is disabled" + ansible.builtin.template: + src: "etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - tipc + + - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist tipc(\\s|$)" + line: "blacklist tipc" + create: true + mode: 0600 when: - rhel9cis_rule_3_1_3 tags: From 163900e277d318988c499852ad0b6429bbd0154d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 11:29:03 +0000 Subject: [PATCH 318/454] add file exclusions Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.3.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
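Review bot: `mode: 0600` on the new blacklist.conf lineinfile tasks (1.1.9 here and 3.1.3 below) is an unquoted YAML octal; it happens to load as 384 (= 0o600), but ansible-lint flags it as risky-octal and a later edit to, say, `0644` by someone reading it as decimal is silently wrong, so write `mode: '0600'`. A `blacklist` line only stops alias/auto-loading; CIS 1.1.9 and 3.1.3 also expect an `install <module> /bin/false` directive so an explicit `modprobe usb-storage` fails too — for 3.1.3 that presumably comes from `etc/modprobe.d/modprobe.conf.j2`, but the lines before the 1.1.9 hunk are not visible here, so worth confirming the install directive is written for usb-storage as well.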
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 8a7ae835..a3912547 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -9,13 +9,17 @@ recurse: true register: logfiles - - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" mode: 0640 loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" + when: + - item.path != "/var/log/btmp" + - item.path != "/var/log/utmp" + - item.path != "/var/log/wtmp" when: - rhel9cis_rule_4_2_3 tags: From 4e1ee6f8e6ed6a188eefc3c3b8607aee8e2cdadd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 11:29:12 +0000 Subject: [PATCH 319/454] add remote syslog option Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7b0b8e69..ea288fc4 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -448,6 +448,8 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 +## Set if server is logserver +rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }} ## syslog rhel9cis_syslog: {{ rhel9cis_syslog }} From 4e8397b89ed5cb3284caf0194560880e2ceeadb5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 13:12:33 +0000 Subject: [PATCH 320/454] fqcn updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.7.x.yml | 3 --- tasks/section_1/cis_1.1.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 4 ++-- 4 files changed, 7 insertions(+), 10 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 00303aca..7a88f6f2 100644 --- a/tasks/section_1/cis_1.1.1.x.yml 
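Review bot: The new exclusion compares exact paths, so rotated copies such as `/var/log/wtmp-20230101` or `/var/log/btmp.1`, and `/var/log/lastlog`, are still forced to 0640 on every run; as I recall CIS RHEL 9 v1.0.0 4.2.3 expects the *tmp files and lastlog at 0664 with group utmp, and treats `/var/log/journal` and `/var/log/sssd` separately, so a blanket 0640 over the whole `find` result fights the benchmark's own audit. A pattern match is safer: `- item.path is not regex('^/var/log/(b|u|w)tmp')` and `- item.path != "/var/log/lastlog"`. `mode: 0640` should also be quoted as `'0640'`. The `find` task that registers `logfiles` starts before this hunk.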
+++ b/tasks/section_1/cis_1.1.1.x.yml @@ -11,7 +11,7 @@ mode: 0600 - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" @@ -19,7 +19,7 @@ mode: 0600 - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - modprobe: + community.general.modprobe: name: squashfs state: absent when: not system_is_container @@ -44,7 +44,7 @@ mode: 0600 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" @@ -52,7 +52,7 @@ mode: 0600 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" - modprobe: + community.general.modprobe: name: udf state: absent when: not system_is_container diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 9fadf59d..54da3586 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -1,8 +1,5 @@ --- -- ansible.builtin.debug: - msg: "{{ mount_names }}" - - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 19c99c0b..0496300b 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -18,7 +18,7 @@ state: absent - name: "1.1.9 | PATCH | Disable USB Storage | blacklist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index f627f6a2..97a50317 100644 --- a/tasks/section_1/cis_1.8.x.yml 
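Review bot: Changing `modprobe` to `community.general.modprobe` makes the role depend on the community.general collection at runtime; unless it is already declared, `meta/runtime.yml` or `requirements.yml` should list `community.general` with a version constraint so a host with only ansible-core does not fail at 1.1.1.1 — neither file is in this patch, so I cannot confirm. The `ansible.builtin.*` substitutions in the same hunks are straightforward.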
+++ b/tasks/section_1/cis_1.8.x.yml @@ -70,7 +70,7 @@ - rule_1.8.3 - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver content: | [org/gnome/desktop/session] @@ -90,7 +90,7 @@ - rule_1.8.4 - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/session create: true line: /org/gnome/desktop/screensaver/lock-delay From cb609c1f1a179880af8417d8d3c6ad632faf426e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 13:31:53 +0000 Subject: [PATCH 321/454] fqcn update Signed-off-by: Mark Bolwell --- tasks/section_1/main.yml | 32 ++++++++++++++++---------------- tasks/section_2/main.yml | 8 ++++---- tasks/section_3/main.yml | 10 +++++----- tasks/section_4/main.yml | 16 ++++++++-------- tasks/section_5/main.yml | 14 +++++++------- tasks/section_6/main.yml | 4 ++-- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 1d6ab556..d9bc3b5d 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,57 +1,57 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: cis_1.1.8.x.yml - name: "SECTION | 1.1.x | Disable various mounting" - import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: cis_1.3.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" include_tasks: cis_1.6.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: cis_1.7.x.yml - name: "SECTION | 1.8 
| Gnome Display Manager" - import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: cis_1.8.x.yml - name: "SECTION | 1.9 | Updates and Patches" - import_tasks: cis_1.9.yml + ansible.builtin.import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" include_tasks: cis_1.10.yml diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 8f79854d..39b912d5 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: cis_2.4.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index cb5c04a3..535aba9d 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,16 +1,16 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - include_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: cis_3.4.2.x.yml diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index a7a36597..285a2f37 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
@@ -1,29 +1,29 @@ --- - name: "SECTION | 4.1 | Configure System Accounting (auditd)" - include_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: cis_4.1.1.x.yml when: - not system_is_container - name: "SECTION | 4.1.2 | Configure Data Retention" - import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - import_tasks: cis_4.1.3.x.yml + ansible.builtin.import_tasks: cis_4.1.3.x.yml - name: "SECTION | 4.1.4 | Configure Audit files" - import_tasks: cis_4.1.4.x.yml + ansible.builtin.import_tasks: cis_4.1.4.x.yml - name: "SECTION | 4.2 | Configure Logging" - import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2 | Configure journald" - import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: cis_4.2.2.x.yml when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" - import_tasks: cis_4.2.3.yml + ansible.builtin.import_tasks: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - import_tasks: cis_4.3.yml + ansible.builtin.import_tasks: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index b7db8599..5aed1c18 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
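Review bot: The first hunk line switches cis_4.1.1.x.yml from `include_tasks` to `import_tasks` while keeping `when: not system_is_container`, which the commit message ("fqcn update") does not mention; with import the condition is attached to every task in that file and evaluated per task rather than once at the include, so `system_is_container` must be defined before each of those tasks runs (fine if prelim sets it as a fact, which is not visible here). The upside is that tags now propagate into the imported tasks, which `include_tasks` did not do — worth a line in the commit message so the behaviour change is deliberate rather than incidental.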
@@ -3,24 +3,24 @@ # Access, Authentication, and Authorization - name: "SECTION | 5.1 | Configure time-based job schedulers" - import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - include_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: cis_5.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure privilege escalation" - include_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure authselect" - import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: cis_5.4.x.yml - name: "SECTION | 5.5 | Configure PAM " - import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: cis_5.5.x.yml - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" - import_tasks: cis_5.6.1.x.yml + ansible.builtin.import_tasks: cis_5.6.1.x.yml - name: "SECTION | 5.6.x | Misc. User Account Settings" - import_tasks: cis_5.6.x.yml + ansible.builtin.import_tasks: cis_5.6.x.yml diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index b6acabf8..35328e5f 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,7 @@ --- - name: "SECTION | 6.1 | System File Permissions" - import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: cis_6.2.x.yml From 999d7b5b1e3e420b47f33fd1283832c2144486a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 13:33:11 +0000 Subject: [PATCH 322/454] fix csv sugroup option updated Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6b916a59..635d8eaf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
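Review bot: The 5.2 and 5.3 lines change `include_tasks` to `import_tasks`, so `when: "'openssh-server' in ansible_facts.packages"` is now copied onto every task in cis_5.2.x.yml and evaluated each time; that requires `package_facts` to have run before section 5 (presumably in prelim, not visible here) and means any task in that file that already carries its own `when:` gets the two conditions ANDed. The change is probably an improvement because tags now reach the SSH tasks, but it is a semantic change hidden under a "fqcn update" title and deserves a sentence in the commit message.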
@@ -637,7 +637,7 @@ rhel9cis_futurepwchgdate_autofix: true # 5.7 # rhel9cis_sugroup: sugroup # change accordingly wheel is default -# wheel users list +# wheel users list please supply comma seperated e.g. "vagrant,root" rhel9cis_sugroup_users: "root" ## Section6 vars diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 25d05d28..823d1425 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -120,8 +120,9 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" ansible.builtin.user: - name: "{{ rhel9cis_sugroup_users }}" + name: "{{ item }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" + loop: "{{ rhel9cis_sugroup_users | split (',') }}" when: - rhel9cis_rule_5_3_7 tags: From 499b67ceb252ea3fea55a7bda14854412f15eb25 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 14:51:30 +0000 Subject: [PATCH 323/454] Updated rsyslog server variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 +++- tasks/section_4/cis_4.2.1.x.yml | 2 +- templates/ansible_vars_goss.yml.j2 | 10 +++++++++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 635d8eaf..b488183d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -530,12 +530,14 @@ rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name -rhel9cis_remote_log_server: logagg.example.com +rhel9cis_remote_log_server: false +rhel9cis_remote_log_host: logagg.example.com rhel9cis_remote_log_port: 514 rhel9cis_remote_log_protocol: tcp rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 + #### 4.2.1.7 rhel9cis_system_is_log_server: false diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 3a9cd772..d2cac937 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml 
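Review bot: `ansible.builtin.user` with `groups:` and no `append: true` replaces the user's supplementary group list, so after 5.3.7 root (and every other name in `rhel9cis_sugroup_users`) belongs to wheel only and silently loses all other secondary groups — add `append: true`. The items are not trimmed either, so the `"vagrant, root"` style the new comment invites yields a user named `" root"`; use `loop: "{{ rhel9cis_sugroup_users | split(',') | map('trim') | reject('equalto', '') | list }}"`, which also tolerates an empty variable instead of calling the user module with an empty name. The space in `split (',')` is accepted by Jinja but reads as a typo.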
@@ -165,7 +165,7 @@ state: present block: | # target can be IP or FQDN - *.* action(type="omfwd" target="{{ rhel9cis_remote_log_server }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") + *.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF register: result failed_when: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ea288fc4..be7bb002 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -448,8 +448,16 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 -## Set if server is logserver +## Set if host is a logserver rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }} + +# Remote logserver settings +rhel9cis_remote_log_host: {{ rhel9cis_remote_log_host }} +rhel9cis_remote_log_port: {{ rhel9cis_remote_log_port }} +rhel9cis_remote_log_protocol: {{ rhel9cis_remote_log_protocol }} +rhel9cis_remote_log_retrycount: {{ rhel9cis_remote_log_retrycount }} +rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }} + ## syslog rhel9cis_syslog: {{ rhel9cis_syslog }} From fbe238091bddd5ff055de1494bb72bf3c3696b2e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 16:25:34 +0000 Subject: [PATCH 324/454] Added new prelim interactive_user_home Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c33afe32..92098492 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
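Review bot: `rhel9cis_remote_log_server` is now a boolean whose goss comment reads "Set if host is a logserver", which duplicates `rhel9cis_system_is_log_server` (4.2.1.7, visible in the defaults hunk above); if it instead means "forward to the remote host", the comment is wrong, and operators who still set the old hostname value get a truthy string rather than an error. Name it for what it gates, e.g. `rhel9cis_remote_log_server: false  # forward all logs to rhel9cis_remote_log_host`, and assert it is a bool in prelim. Separately, the omfwd action forwards every message over plain TCP and the variables offer no TLS option (`StreamDriver="gtls"`, `StreamDriverMode="1"`, `StreamDriverAuthMode="x509/name"`), so a comment that log traffic is unencrypted unless the transport is otherwise protected would prevent a false assumption. The rsyslog block's `failed_when:` continues past this hunk.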
@@ -12,6 +12,13 @@ - level1-workstation - users +- name: "PRELIM | Interactive User accounts" + ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' + changed_when: false + register: interactive_users_home + tags: + - always + - name: "PRELIM | Gather accounts with empty password fields" ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false From 77e48d3eccdc320fe61a7d57604765edab98a8e3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 16:29:44 +0000 Subject: [PATCH 325/454] 6.2.11 nologin to exclude & fixed tag Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 47 ++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 36de90f8..257c6a61 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -332,13 +332,14 @@ - item.uid >= min_int_uid | int - item.id != 'nobody' - (item.id != 'tss' and item.dir != '/dev/null') + - item.shell != '/sbin/nologin' - rhel9cis_rule_6_2_11 tags: - level1-server - level1-workstation - patch - users - - rule_6.2.10 + - rule_6.2.11 - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: @@ -408,10 +409,10 @@ - name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files" ansible.builtin.file: - path: "~{{ item }}/.netrc" + path: "{{ item }}/.netrc" state: absent with_items: - - "{{ users.stdout_lines }}" + - "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: @@ -424,10 +425,10 @@ - name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files" ansible.builtin.file: - path: "~{{ item }}/.forward" + path: "{{ item }}/.forward" state: absent with_items: - - "{{ users.stdout_lines }}" + - "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: 
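Review bot: `cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6` classifies interactive users by substring, so accounts with `/bin/false` or `/usr/bin/false` shells are treated as interactive (their homes then get the .netrc/.forward/.rhosts deletions and dot-file chmods in 6.2.13–6.2.16), while any account whose GECOS or home path merely contains `/sbin` is skipped; the role already has a UID threshold (`min_int_uid`, used in 6.2.11 below) that this list ignores. A field-aware filter is more robust: `awk -F: -v min="{{ min_int_uid }}" '($3 >= min && $7 !~ /(nologin|false)$/) {print $6}' /etc/passwd` — assuming `min_int_uid` is set before this prelim task, which is not visible here. An empty home field currently becomes `/.netrc`, so consumers should also drop empty entries from `stdout_lines`.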
@@ -438,12 +439,12 @@ - files - rule_6.2.14 -- name: "6.2.15 | PATCH | Ensure no users have .rhosts files" +- name: "6.2.15 | PATCH | Ensure no local interactive user has .rhosts files" ansible.builtin.file: path: "~{{ item }}/.rhosts" state: absent with_items: - - "{{ users.stdout_lines }}" + - "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: @@ -456,26 +457,26 @@ - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" block: - - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" - ansible.builtin.shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w - changed_when: false - failed_when: false - register: rhel9cis_6_2_16_audit - - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Alert on files found" - ansible.builtin.debug: - msg: "Good news! We have not found any group or world-writable dot files on your sytem" - when: - - rhel9cis_6_2_16_audit.stdout is not defined + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" + ansible.builtin.find: + path: "{{ item }}" + depth: 3 + patterns: ".*" + hidden: true + recurse: true + file_type: file + register: user_dot_files + loop: "{{ interactive_users_home.stdout_lines }}" - - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | Changes files if configured" + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | update permissions" ansible.builtin.file: - path: '{{ item }}' + path: "{{ item.path }}" mode: go-w - with_items: "{{ rhel9cis_6_2_16_audit.stdout_lines }}" - when: - - rhel9cis_6_2_16_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged + loop: "{{ user_dot_files.files }}" + loop_control: + label: "{{ item.path }}" + when: - rhel9cis_rule_6_2_16 tags: 
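Review bot: 6.2.15 swaps the loop to `interactive_users_home.stdout_lines` (home directory paths) but keeps `path: "~{{ item }}/.rhosts"`, so it evaluates to `~/home/alice/.rhosts`, which the file module expands under the connecting user's home (roughly `/root/home/alice/.rhosts`) and never to the real file — .rhosts files are silently left in place. 6.2.13 and 6.2.14 in this same commit were changed to the `{{ item }}/...` form; make 6.2.15 match: `path: "{{ item }}/.rhosts"`.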
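Review bot: The 6.2.16 rewrite drops the `rhel9cis_dotperm_ansiblemanaged` gate, so the chmod now runs unconditionally, and the task that changes modes is labelled `AUDIT`; if the variable still exists in defaults it is now dead — either restore `when: rhel9cis_dotperm_ansiblemanaged` on the `update permissions` task and label it `PATCH`, or remove the variable and document the behaviour change. Also, `register: user_dot_files` under a `loop:` produces `user_dot_files.results`, not `.files`, so the second task would fail on this revision; `find` accepts a list, so `paths: "{{ interactive_users_home.stdout_lines }}"` without a loop keeps per-user coverage and the `.files` shape.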
From 45435dd2baaa69bd0d4c50df2653f1a59784b0ad Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 16:55:12 +0000 Subject: [PATCH 326/454] updated 6.2.16 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 257c6a61..647a1501 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -460,14 +460,13 @@ - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" ansible.builtin.find: - path: "{{ item }}" + path: /home depth: 3 patterns: ".*" hidden: true recurse: true file_type: file register: user_dot_files - loop: "{{ interactive_users_home.stdout_lines }}" - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | update permissions" ansible.builtin.file: From de88c96f24de1f28b15b594fd22ce7b89329fc83 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 10:29:50 +0000 Subject: [PATCH 327/454] section 1.8 alignment v1.0.0 
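Review bot: Hard-coding `path: /home` excludes interactive users whose home is elsewhere — root (`/root`) and sites using `/export/home` or similar — so their group/world-writable dot files are never fixed, while the `interactive_users_home` fact added two commits earlier exists exactly for this. Since `find` takes a list, the loop that was removed here is unnecessary anyway: `paths: "{{ interactive_users_home.stdout_lines }}"` keeps the `.files` register shape the next task consumes. Depth 3 from the home root also descends into `~/.config/*` and similar, which is presumably intended but worth a one-line comment.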
Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 + tasks/section_1/cis_1.8.x.yml | 162 +++++++++++++++--- templates/ansible_vars_goss.yml.j2 | 5 + templates/etc/dconf/db/00-automount_lock.j2 | 9 + templates/etc/dconf/db/00-autorun_lock.j2 | 6 + templates/etc/dconf/db/00-media-automount.j2 | 7 + templates/etc/dconf/db/00-media-autorun.j2 | 6 + templates/etc/dconf/db/00-screensaver.j2 | 17 ++ templates/etc/dconf/db/00-screensaver_lock.j2 | 9 + 9 files changed, 198 insertions(+), 27 deletions(-) create mode 100644 templates/etc/dconf/db/00-automount_lock.j2 create mode 100644 templates/etc/dconf/db/00-autorun_lock.j2 create mode 100644 templates/etc/dconf/db/00-media-automount.j2 create mode 100644 templates/etc/dconf/db/00-media-autorun.j2 create mode 100644 templates/etc/dconf/db/00-screensaver.j2 create mode 100644 templates/etc/dconf/db/00-screensaver_lock.j2 diff --git a/defaults/main.yml b/defaults/main.yml index b488183d..ab0c146c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -370,6 +370,10 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4 rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: true +# 1.8 Gnome Desktop +rhel9cis_dconf_db_name: local +rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) # 1.10 Set crypto policy DEFAULT # Control 1.10 states not to use LEGACY diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 97a50317..45124ec3 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
@@ -70,14 +70,35 @@ - rule_1.8.3 - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - ansible.builtin.copy: - dest: /etc/dconf/db/local.d/00-screensaver - content: | - [org/gnome/desktop/session] - idle-delay=uint32 300 - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - mode: '0644' + block: + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | User profile" + ansible.builtin.lineinfile: + path: /etc/dconf/profile/user + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true + user: root + group: root + mode: 0644 + loop: + - { regexp: '^user-db', line: 'user-db: user' } + - { regexp: '^system-db', line: 'system-db: local' } + + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make db directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | screensaver" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" + owner: root + group: root + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_4 
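Review bot: `user: root` is not a parameter of `ansible.builtin.lineinfile` (the ownership argument is `owner`), so the first task of the 1.8.4 block fails with an unsupported-parameter error on every run where `rhel9cis_rule_1_8_4` and `rhel9cis_gui` are true; change it to `owner: root`. In the same task `system-db: local` is hard-coded while the db directory and templates use `{{ rhel9cis_dconf_db_name }}`, so overriding that variable leaves the profile pointing at a database that is never populated — use `line: "system-db: {{ rhel9cis_dconf_db_name }}"`. Quote the octal modes (`'0644'`, `'0755'`) as well.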
@@ -90,13 +111,23 @@ - rule_1.8.4 - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/session - create: true - line: /org/gnome/desktop/screensaver/lock-delay - owner: root - group: root - mode: 0640 + block: + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + owner: root + group: root + mode: 0644 + notify: Reload dconf when: - rhel9cis_rule_1_8_5 - rhel9cis_gui @@ -105,22 +136,16 @@ - level1-workstation - patch - gui - - rule_1.8.3 + - rule_1.8.5 -- name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" - ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/00-media-automount - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - create: true +- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" + ansible.builtin.template: + src: etc/dconf/db/00-media-automount.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf - with_items: - - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - - { regex: 'automount=', line: 'automount=false' } - - { regex: 'automount-open=', line: 'automount-open=false'} when: - rhel9cis_rule_1_8_6 - rhel9cis_gui 
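Review bot: 1.8.6 now templates into `/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/` but, unlike 1.8.4 and 1.8.8, no longer creates that directory itself, so with `rhel9cis_rule_1_8_4: false` or a run limited to tag rule_1.8.6 the template task fails on a missing parent; add the same `ansible.builtin.file ... state: directory` step, or create the db and locks directories once in prelim and drop the per-rule copies. The 1.8.5 lock file moves from `0640` to `0644`, which is fine for a root-read dconf lock but is not mentioned in the commit. Quote the octal modes (`'0755'`, `'0644'`).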
@@ -131,6 +156,89 @@ - gui - rule_1.8.6 +- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" + block: + - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" + ansible.builtin.template: + src: etc/dconf/db/00-automount_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" + owner: root + group: root + mode: 0644 + notify: Reload dconf + when: + - rhel9cis_rule_1_8_7 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.8.7 + +- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" + block: + - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" + ansible.builtin.template: + src: etc/dconf/db/00-media-autorun.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun" + owner: root + group: root + mode: '0644' + notify: Reload dconf + when: + - rhel9cis_rule_1_8_8 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.8.8 + +- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" + block: + - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | 
Make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: 0644 + notify: Reload dconf + when: + - rhel9cis_rule_1_8_9 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.8.9 - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" ansible.builtin.lineinfile: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index be7bb002..e7fe3b84 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -387,6 +387,11 @@ rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # aide setup via - cron, timer rhel9_aide_scan: cron +# 1.8 Gnome Desktop +rhel9cis_dconf_db_name: {{ rhel9cis_dconf_db_name }} +rhel9cis_screensaver_idle_delay: {{ rhel9cis_screensaver_idle_delay }} # Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_lock_delay: {{ rhel9cis_screensaver_lock_delay }} # Set max value for lock-delay in seconds (between 0 and 5) + # Section 2 ## 2.2 Special Purposes # Set to 'true' if X Windows is needed in your environment diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 new file mode 100644 index 00000000..3534474f --- /dev/null +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -0,0 +1,9 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +# Lock desktop media-handling automount setting +/org/gnome/desktop/media-handling/automount + +# Lock desktop media-handling automount-open +/org/gnome/desktop/media-handling/automount-open diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 new file mode 100644 index 00000000..04e23a51 --- /dev/null +++ b/templates/etc/dconf/db/00-autorun_lock.j2 
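Review bot: The comments on `rhel9cis_screensaver_idle_delay` ("between 1 and 900") and `rhel9cis_screensaver_lock_delay` ("between 0 and 5") document the CIS bounds but nothing in this commit enforces them, so a value outside the range is rendered into 00-screensaver.j2 unchanged and the host ends up non-compliant without any signal; I cannot see whether a prelim `ansible.builtin.assert` already exists outside these hunks. A single assert on both variables before section 1.8 runs would catch that. The three templated values here are unquoted; `rhel9cis_dconf_db_name: "{{ rhel9cis_dconf_db_name }}"` protects the goss file against an empty or YAML-special expansion.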
@@ -0,0 +1,6 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +# Lock desktop media-handling settings +/org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 new file mode 100644 index 00000000..227498e7 --- /dev/null +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -0,0 +1,7 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +[org/gnome/desktop/media-handling] +automount=false +automount-open=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 new file mode 100644 index 00000000..a8c297f7 --- /dev/null +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -0,0 +1,6 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +[org/gnome/desktop/media-handling] +autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 new file mode 100644 index 00000000..139c429c --- /dev/null +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -0,0 +1,17 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + + +# Specify the dconf path +[org/gnome/desktop/session] + +# Number of seconds of inactivity before the screen goes blank +# Set to 0 seconds if you want to deactivate the screensaver. +idle-delay=uint32 {{ ubtu22cis_screensaver_idle_delay }} + +# Specify the dconf path +[org/gnome/desktop/screensaver] + +# Number of seconds after the screen is blank before locking the screen +lock-delay=uint32 {{ ubtu22cis_screensaver_lock_delay }} diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 new file mode 100644 index 00000000..5d5869f7 --- /dev/null +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 
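Review bot: `idle-delay=uint32 {{ ubtu22cis_screensaver_idle_delay }}` and the matching `lock-delay` line in 00-screensaver.j2 reference variables from the Ubuntu role rather than the `rhel9cis_screensaver_idle_delay` / `rhel9cis_screensaver_lock_delay` names this commit declares, so rendering the template fails with an undefined-variable error and 1.8.4 cannot apply on any GUI host. PATCH 328 later in the series fixes the names; squashing that fix into this commit keeps the history bisectable.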
@@ -0,0 +1,9 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +# Lock desktop screensaver idle-delay setting +/org/gnome/desktop/session/idle-delay + +# Lock desktop screensaver lock-delay setting +/org/gnome/desktop/screensaver/lock-delay From 949fcc687de982009611e69ff2e2321f8ba923f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 10:32:21 +0000 Subject: [PATCH 328/454] fix typo Signed-off-by: Mark Bolwell --- templates/etc/dconf/db/00-screensaver.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 139c429c..5aa21c17 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -8,10 +8,10 @@ # Number of seconds of inactivity before the screen goes blank # Set to 0 seconds if you want to deactivate the screensaver. -idle-delay=uint32 {{ ubtu22cis_screensaver_idle_delay }} +idle-delay=uint32 {{ rhel9cis_screensaver_idle_delay }} # Specify the dconf path [org/gnome/desktop/screensaver] # Number of seconds after the screen is blank before locking the screen -lock-delay=uint32 {{ ubtu22cis_screensaver_lock_delay }} +lock-delay=uint32 {{ rhel9cis_screensaver_lock_delay }} From 5eb72bc54466832cb243c9fa4d1f9dfd16c7a4e7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:21:31 +0000 Subject: [PATCH 329/454] updated banner message Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ab0c146c..80183cb3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -495,8 +495,7 @@ rhel9_nftables_ports: type: protocol rule: accept # Warning Banner Content (issue, issue.net, motd) -rhel9cis_warning_banner: | - Authorized uses only. All activity may be monitored and reported. +rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars From 6541736459b4b6832b195f0e3fbab822aee3985d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:21:47 +0000 Subject: [PATCH 330/454] updated to template for banner Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 44 +++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 45124ec3..a25c7833 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -7,6 +7,7 @@ when: - rhel9cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" + - not rhel9cis_gui tags: - level2-server - patch 
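Review bot: Collapsing `rhel9cis_warning_banner` to a plain scalar drops the trailing newline the `|` block carried, which is presumably why it rendered badly into the dconf banner, but it also removes the ability to author a multi-line banner for issue, issue.net and motd. A folded block with strip chomping keeps both properties: `rhel9cis_warning_banner: >-` followed by the indented text. Wherever the value is later quoted into a file (the dconf keyfile template added in PATCH 332), a banner containing the quote character still needs rejecting or escaping.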
@@ -15,23 +16,32 @@ - rule_1.8.1 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - ansible.builtin.lineinfile: - path: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - owner: root - group: root - mode: 0644 + block: + - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | gdm profile" + ansible.builtin.lineinfile: + path: /etc/dconf/profile/gdm + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: true + owner: root + group: root + mode: 0644 + notify: Reload dconf + with_items: + - { regexp: 'user-db', line: 'user-db:user' } + - { regexp: 'system-db', line: 'system-db:gdm' } + - { regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + + - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | gdm profile" + ansible.builtin.template: + src: etc/dconf/db/gdm.d/01-banner-message.j2 + dest: /etc/dconf/db/gdm.d/01-banner-message + owner: root + group: root + mode: 0644 + notify: Reload dconf - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } when: - rhel9cis_rule_1_8_2 - rhel9cis_gui @@ -77,7 +87,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" create: true - user: root + owner: root group: root mode: 0644 loop: From b83083c2003f299ff537cae2c5ee13f261b10981 Mon Sep 17 00:00:00 2001 
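Review bot: Both sub-tasks of 1.8.2 carry the identical name `"1.8.2 | PATCH | Ensure GDM login banner is configured | gdm profile"` although the second one renders the banner template; naming it `| banner message` (in the spirit of the "Make conf file" wording used for 1.8.4) makes the play output distinguishable. The profile regexps `'user-db'`, `'system-db'` and `'file-db'` are unanchored where the 1.8.4 task anchors with `^`, so a commented-out or trailing occurrence would be rewritten instead of the real entry; `regexp: '^user-db'` and friends are safer. This block also uses `with_items` where 1.8.4 uses `loop`; one form per file reads better.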
From: Mark Bolwell Date: Fri, 20 Jan 2023 11:21:57 +0000 Subject: [PATCH 331/454] fix typos Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e7fe3b84..fde2a678 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -117,11 +117,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} -rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }} -rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }} -rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }} -rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }} +rhel9cis_rule_1_8_6: {{ rhel9cis_rule_1_8_6 }} +rhel9cis_rule_1_8_7: {{ rhel9cis_rule_1_8_7 }} +rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }} +rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }} +rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy From 0df5481788438c9f463b7d6e2c9ddbdb3467f3f0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:22:06 +0000 Subject: [PATCH 332/454] initial Signed-off-by: Mark Bolwell --- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 templates/etc/dconf/db/gdm.d/01-banner-message.j2 diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 new file mode 100644 index 00000000..f83a74a4 --- /dev/null +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 
@@ -0,0 +1,7 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +[org/gnome/login-screen] +banner-message-enable=true +banner-message-text="{{ rhel9cis_warning_banner }}" From 900d0f8d8e68a721f1fe6d13327f1ac76d0d8575 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:25:53 +0000 Subject: [PATCH 333/454] lint updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 40 +++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a25c7833..68faa949 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -124,19 +124,19 @@ block: - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: 0755 - state: directory + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" ansible.builtin.template: - src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" - owner: root - group: root - mode: 0644 + src: etc/dconf/db/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + owner: root + group: root + mode: 0644 notify: Reload dconf when: - rhel9cis_rule_1_8_5 
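Review bot: This template is referenced by the 1.8.2 task introduced in PATCH 330 (`src: etc/dconf/db/gdm.d/01-banner-message.j2`) but only added here two commits later, so PATCH 330 and 331 fail on their own. Separately, `banner-message-text="{{ rhel9cis_warning_banner }}"` interpolates the banner unescaped inside a double-quoted value, so a banner containing `"` (or, depending on the keyfile parser's escape rules, `\`) yields a file that `dconf update` rejects and the login banner silently stays unset. I have not verified the exact escaping dconf applies, so an `ansible.builtin.assert` in prelim that the banner contains neither character is the safer guard; escaping with a Jinja `replace` filter is the alternative.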
@@ -226,19 +226,19 @@ block: - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: 0755 - state: directory + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" ansible.builtin.template: - src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" - owner: root - group: root - mode: 0644 + src: etc/dconf/db/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: 0644 notify: Reload dconf when: - rhel9cis_rule_1_8_9 From aa19388de63a95f73c3b6fd8e11b262c41ec4bfe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 12:34:07 +0000 Subject: [PATCH 334/454] tidy comments Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 68faa949..2836cee3 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -102,7 +102,7 @@ mode: 0755 state: directory - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | screensaver" + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" ansible.builtin.template: src: etc/dconf/db/00-screensaver.j2 dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" 
@@ -122,7 +122,7 @@ - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" block: - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" ansible.builtin.file: path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root @@ -130,7 +130,7 @@ mode: 0755 state: directory - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" From 10f3a025d26974005da06d4c3814faa8225f8795 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 13:33:12 +0000 Subject: [PATCH 335/454] gui fix 2.2.1 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index aac8a274..496a92f7 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -8,6 +8,7 @@ when: - rhel9cis_rule_2_2_1 - "'xorg-x11-server-common' in ansible_facts.packages" + - not rhel9cis_gui tags: - level1-server - patch From 3f76affa5b0d653f9c287d92ce352f401fd3acee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 13:34:30 +0000 Subject: [PATCH 336/454] changed_when for idempotency. 5.6. Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 884efd84..6100b0b5 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -116,6 +116,7 @@ block: - name: "5.6.6 | PATCH | Ensure root password is set" ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + changed_when: false register: root_passwd - name: "5.6.6 | PATCH | Ensure root password is set" From 02113b783aca242fe952ed68cf41889232e37b00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 13:36:34 +0000 Subject: [PATCH 337/454] Addec changed_when 6.2.1 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 647a1501..27c101dc 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -4,6 +4,7 @@ block: - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover" ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd + changed_when: false register: shadow_passwd - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output" From fdf298328cb3ff3ff7ea96d82c6a1e31aa039370 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 17:14:24 +0000 Subject: [PATCH 338/454] documented 1.2.4 for rhel Signed-off-by: Mark Bolwell --- README.md | 6 ++++++ defaults/main.yml | 3 +++ tasks/prelim.yml | 1 + tasks/section_1/cis_1.2.x.yml | 7 ++++--- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f54c90f0..9829e4c2 100644 --- a/README.md +++ b/README.md @@ -82,3 +82,9 @@ Below is an example of the tag section from a control within this role. Using th - patch - rule_2.2.4 ``` + +### Known Issues + +CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. Rocky and Alma not affected. +Variable used to unset. +rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability 
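Review bot: `changed_when: false` is right for this read-only check, but the pipeline `passwd -S root | grep "Password set, SHA512 crypt"` exits non-zero whenever grep finds no match, so on exactly the host the control is meant to catch the task fails instead of registering `root_passwd` for the follow-up task — unless a `failed_when` sits in the part of the block outside the hunk, which I cannot see. Adding `failed_when: false` beside `changed_when: false` lets the registered `rc` or `stdout` drive the next step. The task is also labelled PATCH although it only inspects state; `AUDIT` matches the convention used for the 6.2.1 discover task in PATCH 337. The enclosing block starts outside this hunk.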
diff --git a/defaults/main.yml b/defaults/main.yml index 80183cb3..9d72d7b7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -365,6 +365,9 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false +# 1.2.4 repo_gpgcheck +rhel9cis_rhel_default_repo: true + # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password: random diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 92098492..3593a906 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -112,6 +112,7 @@ state: latest when: - rhel9cis_rule_1_2_4 + - ansible_distribution != 'RedHat' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 62fae23a..67128a7b 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -101,16 +101,17 @@ register: repo_files - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" - ansible.builtin.lineinfile: + ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^repo_gpgcheck' - line: repo_gpgcheck=1 + regexp: '^repo_gpgcheck( |)=( |)0' + replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: label: "{{ item.path }}" when: - rhel9cis_rule_1_2_4 + - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' tags: - level1-server - level1-workstation From deb509c8733cbf090e3db336c021ce3df6b8621f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 11:22:48 +0000 Subject: [PATCH 339/454] updated alma image ID 
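Review bot: The new prelim condition `- ansible_distribution != 'RedHat'` does not consult `rhel9cis_rhel_default_repo`, while the 1.2.4 "amend repo files" task in tasks/section_1/cis_1.2.x.yml in the same commit runs when `not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat'`; a RedHat host whose operator set the variable to false (the documented opt-in) therefore gets its repo files amended but skips whatever this prelim task installs with `state: latest` (its name is outside the hunk). Using the same compound condition in both places keeps the README's opt-out coherent. In the cis_1.2.x hunk, `'^repo_gpgcheck( |)=( |)0'` reads more plainly as `'^repo_gpgcheck\s*=\s*0'`; note the switch from lineinfile to replace means repo files that lack the key are now left untouched, which presumably relies on the dnf.conf setting acting as the per-repo default.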
Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index a5e2fda3..634512bc 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -1,5 +1,5 @@ #Ami Alma 9 -ami_id = "ami-02881bd671eb4ac61" +ami_id = "ami-0845395779540e3cb" ami_os = "rhel9" ami_username = "ec2-user" ami_user_home = "/home/ec2-user" From 5bcb791647befa8defa7b3c7a944bd38b4d22d8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 13:58:50 +0000 Subject: [PATCH 340/454] lint updates Signed-off-by: Mark Bolwell --- .yamllint | 8 +------- tasks/section_1/cis_1.1.3.x.yml | 3 +-- tasks/section_1/cis_1.2.x.yml | 12 ++++++------ 3 files changed, 8 insertions(+), 15 deletions(-) diff --git a/.yamllint b/.yamllint index 693eec6c..4823010f 100644 --- a/.yamllint +++ b/.yamllint @@ -9,12 +9,6 @@ ignore: | extends: default rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - truthy: disable braces: max-spaces-inside: 1 level: error @@ -32,4 +26,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 649657f4..84135ae9 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -39,7 +39,7 @@ when: - item.mount == "/var" - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 + rhel9cis_rule_1_1_3_3 tags: - level1-server - level1-workstation @@ -48,4 +48,3 @@ - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 - diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 67128a7b..452c0096 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
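Review bot: Turning on `check-keys: true` under `truthy` makes yamllint reject the `on:` key that every GitHub Actions workflow uses, and the Makefile target `git ls-files "*.yml"|xargs yamllint` (visible in PATCH 341) feeds `.github/workflows/*.yml` to it; the `ignore:` block at the top of .yamllint is outside the hunk, so it may already exclude those files — worth confirming before this lands. If not, `.github/workflows/` in `ignore:` or a `# yamllint disable-line rule:truthy` on the `on:` lines keeps the stricter setting usable. The first hunk correctly removes the earlier `truthy: disable`, which duplicated the later `truthy:` key and would have been silently overridden.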
@@ -90,9 +90,9 @@ block: - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf" ansible.builtin.lineinfile: - path: /etc/dnf/dnf.conf - regexp: '^repo_gpgcheck' - line: repo_gpgcheck=1 + path: /etc/dnf/dnf.conf + regexp: '^repo_gpgcheck' + line: repo_gpgcheck=1 - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" ansible.builtin.find: @@ -102,9 +102,9 @@ - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: - path: "{{ item.path }}" - regexp: '^repo_gpgcheck( |)=( |)0' - replace: repo_gpgcheck=1 + path: "{{ item.path }}" + regexp: '^repo_gpgcheck( |)=( |)0' + replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: label: "{{ item.path }}" From 95e574343a14709d9431578fe4116c7d70fc0b42 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:07:59 +0000 Subject: [PATCH 341/454] makefile tested Signed-off-by: Mark Bolwell --- Makefile | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) mode change 100644 => 100755 Makefile diff --git a/Makefile b/Makefile old mode 100644 new mode 100755 index 46a81d1f..24e97638 --- a/Makefile +++ b/Makefile 
@@ -1,11 +1,32 @@ -# TESTS +.PHONY: all galaxy-install ansible-list yamllint pip-requirements help -all: yamllint + +GALAXY=ansible-galaxy +ANSIBLE_LINT=ansible-lint +ANSIBLE_FILE=site.yml + +all: help + +help: + @echo "Make command examples for Ansible" + @echo "Command for assisting with ansible setup" + @echo " galaxy-install to install roles using ansible-galaxy" + @echo " ansible-lint to lint playbook files" + @echo " yamllint to lint playbook files" + @echo " pip-requirements add pip required file" + + +galaxy-install: + $(GALAXY) install -r ./collections/requirements.yml + +ansible-lint: + $(ANSIBLE-LINT) $(ANSIBLE_FILE) yamllint: git ls-files "*.yml"|xargs yamllint -requirements: +pip-requirements: @echo 'Python dependencies:' @cat requirements.txt - pip install -r requirements.txt + $(ANSIBLE_LINT) install -r requirements.txt + From 255fc771ebf46bec198195722c0b917cf3affc76 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:08:11 +0000 Subject: [PATCH 342/454] syntax update Signed-off-by: Mark Bolwell --- meta/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index b4a804e6..c60c6a73 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" - description: "Apply the RHEL 8 CIS" + description: "Apply the RHEL 9 CIS" company: "MindPoint Group" license: MIT role_name: rhel9_cis @@ -10,7 +10,7 @@ galaxy_info: platforms: - name: EL versions: - - 9 + - "9" galaxy_tags: - system - security @@ -22,6 +22,9 @@ galaxy_info: - complianceascode - disa - rhel9 + - cis + - rocky + - alma collections: - community.general - community.crypto From f59c2ccb6dd6c1bd85c7c44002c9980a334ffd31 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:08:19 +0000 Subject: [PATCH 343/454] changelog updated 
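Review bot: The `ansible-lint` target expands `$(ANSIBLE-LINT)`, a variable that is never defined (the definition above is `ANSIBLE_LINT`), so make runs bare `site.yml` as the command; and `pip-requirements` invokes `$(ANSIBLE_LINT) install -r requirements.txt`, i.e. `ansible-lint install ...`, where the removed `pip install -r requirements.txt` was intended. The `.PHONY` line also names `ansible-list` instead of `ansible-lint`, and PATCH 344 reorders that line without fixing it. The three lines should read `$(ANSIBLE_LINT) $(ANSIBLE_FILE)`, `pip install -r requirements.txt` (or a `PIP=pip` variable alongside the others), and `.PHONY: all galaxy-install ansible-lint yamllint pip-requirements help`.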
Signed-off-by: Mark Bolwell --- Changelog.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog.md b/Changelog.md index 506b67a1..78e08e13 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,18 @@ # Changes to rhel9CIS +## CIS v1.0.0 - Dec 2022 + +### Official CIS release + +- Lint file updates and improvements +- Many controls moved ID references +- Audit updates aligned +- Command warn arg removed +- Ansible 2.14 now supported +- makefile added (hopefully help some) +- fqcn added to all controls +- some controls rewritten using module rather than shell + ## 0.5 - audit path updated and output file name From 37b2faefa301af4a513a70dfd574adff81bd5de7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:21:56 +0000 Subject: [PATCH 344/454] tidy up Signed-off-by: Mark Bolwell --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 24e97638..c8bcd9c1 100755 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: all galaxy-install ansible-list yamllint pip-requirements help +.PHONY: all help galaxy-install ansible-list yamllint pip-requirements GALAXY=ansible-galaxy From a72c81be1cf46d4a1a30548bc67e69e3ef95612b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:22:12 +0000 Subject: [PATCH 345/454] added callback plugin for yaml Signed-off-by: Mark Bolwell --- ansible.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible.cfg b/ansible.cfg index 831f01d9..3bae35da 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,6 +7,12 @@ nocows=1 retry_files_save_path=/dev/null library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library +# Use the YAML callback plugin. +stdout_callback = yaml +# Use the stdout_callback when running ad-hoc commands. +bin_ansible_callbacks = True + + [privilege_escalation] [paramiko_connection] From c3cf685c914842957b3ff80a055505de85135f02 Mon Sep 17 00:00:00 2001 
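Review bot: `stdout_callback = yaml` selects a callback plugin that ships in community.general on current Ansible rather than in ansible-core; the collection is declared in meta/main.yml (PATCH 342), but ansible.cfg is read before anything installs it, so a fresh checkout without the collection starts with an invalid-stdout-callback error (I have not verified whether recent releases degrade to the default callback instead). Either note the requirement in the comment, e.g. `# Use the YAML callback plugin (requires the community.general collection).`, or leave the callback choice to the user's own ansible.cfg. The new lines also use `key = value` where the rest of the file uses `key=value`, and the hunk adds two blank lines before `[privilege_escalation]`.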
From: Mark Bolwell Date: Mon, 23 Jan 2023 16:22:18 +0000 Subject: [PATCH 346/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 78e08e13..7fe29f74 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,9 +1,11 @@ # Changes to rhel9CIS -## CIS v1.0.0 - Dec 2022 +## Initial CIS v1.0.0 - released Dec 2022 ### Official CIS release +Jan-2023 release + - Lint file updates and improvements - Many controls moved ID references - Audit updates aligned @@ -12,6 +14,9 @@ - makefile added (hopefully help some) - fqcn added to all controls - some controls rewritten using module rather than shell +- incorporates issues + - #23 + - #24 ## 0.5 From fc0f39844b3f55fe24f2e88c901536da19442d8f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:22:31 +0000 Subject: [PATCH 347/454] updated Signed-off-by: Mark Bolwell --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 9829e4c2..fc0376ee 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,7 @@ -# Development Only -## RHEL 9 CIS (predicted) - Beta - CIS baselines or OS not yet GA +# RHEL 9 CIS -## Testing if you have access to the RH developer branches - -### This should work on RHEL8 and derivatives currently +## v1.0.0 - released Dec 2022 ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) 
@@ -42,7 +39,9 @@ Rocky 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) -**General:** +- makefile - this is there purely for testing and initial setup purposes. + +## General - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - [Main Ansible documentation page](https://docs.ansible.com) @@ -60,7 +59,9 @@ Rocky 9 - Ansible 2.9+ - python-def (should be included in RHEL 9) - libselinux-python -- jmespath +- pip packages + - jmespath ( complete list found in requirements.txt) +- collections found in collections/requirememnts.yml ## Role Variables From 032e73348a5a5617ad7dd533bc40fa75999424ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 17:01:27 +0000 Subject: [PATCH 348/454] removed vars not used any longer Signed-off-by: Mark Bolwell --- defaults/main.yml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9d72d7b7..8a791b14 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -475,10 +475,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -# These are the default service add accordingly -rhel9_firewalld_service: - - ssh - - dhcpv6-client + # These are added to demonstrate how this can be done rhel9cis_firewalld_ports: - number: 80 @@ -488,15 +485,7 @@ rhel9cis_firewalld_ports: rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true -rhel9_nftables_ports: - - port: ssh - protocol: tcp - type: dport - rule: accept - - port: igmp - protocol: ip - type: protocol - rule: accept + # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner 
From 6b219f32610ec3cd0b0da36e15c5bd4ff1446c8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 17:03:42 +0000 Subject: [PATCH 349/454] fix typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 89e31610..c1fdd79b 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -89,7 +89,7 @@ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" ansible.builtin.debug: - msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" From 939a06d3727bf64311effc242cdd35ce7b3926b0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 17:28:52 +0000 Subject: [PATCH 350/454] Ensure package installed Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index ab151698..684d0a5c 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -37,6 +37,11 @@ - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed" + ansible.builtin.package: + name: "{{ rhel9cis_firewall }}" + state: installed + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" From a4919ae339bd4a1b2b1168d5ccfed3c6051aad69 Mon Sep 17 00:00:00 2001 
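Review bot: `state: installed` in the new 3.4.1.2 package task is the legacy yum/dnf spelling; `ansible.builtin.package` documents `present`, which every backend understands, so write `state: installed` → `state: present`. The task also installs `{{ rhel9cis_firewall }}` unconditionally, while the task above it is guarded by `rhel9cis_firewall == 'firewalld'`, which suggests the variable can take other values; if any accepted value is not a real package name, this task would fail rather than skip, so a `when:` limited to the values the role actually accepts as packages is probably needed — I can only infer the allowed set from this hunk. The enclosing 3.4.1.2 block, with its own `when` and `tags`, starts and ends outside the hunk.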
From: Mark Bolwell Date: Mon, 23 Jan 2023 18:43:03 +0000 Subject: [PATCH 351/454] removed file not required Signed-off-by: Mark Bolwell --- .github/workflows/test.sh | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 .github/workflows/test.sh diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100644 index 1a7202a8..00000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,6 +0,0 @@ -RHEL7=$(grep -c RHEL7 OS.tfvars) -if [ `echo $?` != 0 ]; then - exit 0 -fi - - From 511f9cf000a637cd1f45f453833f5c0bcca09db8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 18:43:23 +0000 Subject: [PATCH 352/454] Added urandom passwd for root Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 8d26a35c..48e7eed3 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,6 +87,12 @@ jobs: run: sleep 60s shell: bash +# Set up requirements for random root password CIS 5.6.6 + - name: add urandom passwd to root account + shell: bash + run: | + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From ee9d7d6d153508908699016f631029989376c0a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:22:26 +0000 Subject: [PATCH 353/454] updated to enable greater speed Signed-off-by: Mark Bolwell --- ansible.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 3bae35da..3bc6e078 100644 --- a/ansible.cfg +++ b/ansible.cfg 
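Review bot: The leading `ANSIBLE_HOST_KEY_CHECKING=False &&` in the new "add urandom passwd to root account" step never reaches ansible: with `&&` the assignment is a separate shell command, so the variable is neither exported nor prefixed to the `ansible` invocation — write `ANSIBLE_HOST_KEY_CHECKING=False ansible all ...` (no `&&`) or put it under the step's `env:`. The quotes around `[:print:]` are the Unicode characters ‘ and ’ rather than ASCII `'`, so the shell hands them to `tr` as literal set members instead of as quoting; use `tr -dc '[:print:]'`. Interpolating `${{ secrets.SSH_PRV_KEY }}` directly into `run:` splices the expansion into the script text; that is harmless if the secret is a path, but if it holds key material an `env:` mapping keeps it off the rendered command line. The surrounding `steps:` list continues outside the hunk.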
@@ -5,7 +5,7 @@ system_warnings=False command_warnings=False nocows=1 retry_files_save_path=/dev/null -library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library +pipelining=true # Use the YAML callback plugin. stdout_callback = yaml @@ -20,6 +20,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp +ssh_args = -o ControlMaster=auto -o ControlPersist=60s [accelerate] From 64dc43fa229e42aebc8a6103d19095ba89f04017 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:22:58 +0000 Subject: [PATCH 354/454] enabled reboot of host Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 61da17c4..dad096fe 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,6 +78,7 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel + skip_reboot: false EOF } From eea2e1f4cc26446c4e216f192c262e1b4fc4e351 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:23:11 +0000 Subject: [PATCH 355/454] fixed new perms requirement Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index a36a744b..632e4d1f 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -6,7 +6,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: 0640 register: audit_rules_updated notify: - Auditd_immutable_check From b5c57abc33f05e9cc6c829543f70755dcc87cb14 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:23:39 +0000 Subject: [PATCH 356/454] removed congrats statement Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 27c101dc..ca4b892e 100644 --- a/tasks/section_6/cis_6.2.x.yml 
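Review bot: `library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library` is removed as the price of adding `pipelining=true`, so any module shipped under the repo's `./library` directory would drop off the search path; if that removal is intentional it deserves its own mention, otherwise keep both lines. `pipelining=true` only works when `requiretty` is not set in sudoers on the targets, which is presumably true of the test hosts, but a comment next to it, `# requires requiretty to be unset in sudoers on targets`, would save the next person a debugging session. Setting `ssh_args` replaces Ansible's built-in value rather than extending it; as far as I recall the built-in default already contains `-o ControlMaster=auto -o ControlPersist=60s` together with `-C`, so this line mostly drops compression rather than adding multiplexing.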
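Review bot: `mode: 0640` in tasks/auditd.yml is an unquoted leading-zero scalar that YAML 1.1 parsers read as the octal integer 416; Ansible's file modules accept that, but it is exactly the pattern ansible-lint's risky-octal check flags, and it is fragile if the value is ever edited to drop the zero — prefer `mode: "0640"`. The task itself (its source and module) starts above the hunk, and its `notify` list continues below it.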
+++ b/tasks/section_6/cis_6.2.x.yml @@ -53,11 +53,6 @@ check_mode: false register: rhel9cis_6_2_3_passwd_gid_check - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - ansible.builtin.debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_3_passwd_gid_check.stdout | length == 0 - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" ansible.builtin.debug: msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" From 0350e234feb671de26228a598353e82fe75c9b50 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 11:02:32 +0000 Subject: [PATCH 357/454] rhel_09 updates Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 10 ++++---- tasks/section_4/cis_4.2.1.x.yml | 4 ++-- tasks/section_6/cis_6.1.x.yml | 30 +++++++++++------------ tasks/section_6/cis_6.2.x.yml | 42 ++++++++++++++++----------------- 4 files changed, 43 insertions(+), 43 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6a46b780..98ca6714 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -31,20 +31,20 @@ changed_when: false failed_when: false check_mode: false - register: rhel_08_nmcli_available + register: rhel_09_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi - register: rhel_08_wifi_enabled - changed_when: rhel_08_wifi_enabled.stdout != "disabled" + register: rhel_09_wifi_enabled + changed_when: rhel_09_wifi_enabled.stdout != "disabled" failed_when: false - when: rhel_08_nmcli_available.rc == 0 + when: rhel_09_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false - when: rhel_08_wifi_enabled is changed + when: rhel_09_wifi_enabled is changed when: - rhel9cis_rule_3_1_2 tags: diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index d2cac937..90c68e0c 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -64,13 +64,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel_08_4_2_1_5_audit + register: rhel_09_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" + - "{{ rhel_09_4_2_1_5_audit.stdout_lines }}" - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" ansible.builtin.blockinfile: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 2360ec2b..37b074d1 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
@@ -126,16 +126,16 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: rhel_08_6_1_9_perms_results + register: rhel_09_6_1_9_perms_results - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_08_6_1_9_perms_results.stdout_lines }}" + with_items: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" when: - - rhel_08_6_1_9_perms_results.stdout_lines is defined + - rhel_09_6_1_9_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust when: - rhel9cis_rule_6_1_9 @@ -154,7 +154,7 @@ changed_when: false failed_when: false check_mode: false - register: rhel_08_6_1_10_audit + register: rhel_09_6_1_10_audit with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" @@ -163,7 +163,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_10_audit.results }}" + with_items: "{{ rhel_09_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -193,7 +193,7 @@ check_mode: false failed_when: false changed_when: false - register: rhel_08_6_1_11_audit + register: rhel_09_6_1_11_audit with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" 
@@ -202,7 +202,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_11_audit.results }}" + with_items: "{{ rhel_09_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -244,7 +244,7 @@ ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 failed_when: false changed_when: false - register: rhel_08_6_1_13_perms_results + register: rhel_09_6_1_13_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" @@ -252,16 +252,16 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" + with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" when: - - rhel_08_6_1_13_perms_results.stdout is defined + - rhel_09_6_1_13_perms_results.stdout is defined - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '6.1.13' when: - - rhel_08_6_1_13_perms_results.stdout is defined + - rhel_09_6_1_13_perms_results.stdout is defined when: - rhel9cis_rule_6_1_13 tags: @@ -278,7 +278,7 @@ ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 failed_when: false changed_when: false - register: rhel_08_6_1_14_perms_results + register: rhel_09_6_1_14_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" 
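Review bot: `with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}"` in the 6.1.13 alert task cannot work: the register two tasks up runs under `with_items: "{{ ansible_mounts }}"`, so the variable holds a `results` list and has no top-level `stdout_lines` or `stdout` — the debug task errors on the undefined attribute and the `... .stdout is defined` guards on both the alert and the warning task are never true, so the warning count for SUID files is never raised. The message also reads `item.stout_lines` (typo for `stdout_lines`). The 6.1.10 task in the same file already does this correctly by iterating `.results` and testing `item.stdout_lines`; the rewritten tasks below follow it. The 6.1.14 hunk that follows has the identical problem, and the later with_items→loop commit that touches these same lines carries it forward unchanged; the rhel_08→rhel_09 rename itself is fine.

```yaml
    - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
      ansible.builtin.debug:
        msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
      with_items: "{{ rhel_09_6_1_13_perms_results.results }}"
      when:
        - item.stdout_lines is defined
        - item.stdout_lines | length > 0

    # … unchanged: warning task name, import_tasks warning_facts.yml, vars …
      when:
        - rhel_09_6_1_13_perms_results.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten | length > 0
```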
@@ -286,16 +286,16 @@ - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" + with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" when: - - rhel_08_6_1_14_perms_results.stdout is defined + - rhel_09_6_1_14_perms_results.stdout is defined - name: "6.1.14 | AUDIT | Audit SGID executables| warning" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '6.1.14' when: - - rhel_08_6_1_14_perms_results.stdout is defined + - rhel_09_6_1_14_perms_results.stdout is defined when: - rhel9cis_rule_6_1_14 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ca4b892e..ff30b6e3 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -55,7 +55,7 @@ - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" @@ -64,7 +64,7 @@ warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 when: - - rhel9cis_rule_6_2_2 + - rhel9cis_rule_6_2_3 tags: - level1-server - level1-workstation 
@@ -140,7 +140,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" ansible.builtin.debug: - msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_6_user_username_check.stdout_lines }}" when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" @@ -256,20 +256,20 @@ - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.stat: path: "{{ item }}" - register: rhel_08_6_2_10_audit + register: rhel_09_6_2_10_audit with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_10_patch_audit.stdout | length > 0 - register: rhel_08_6_2_10_patch_audit + changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 + register: rhel_09_6_2_10_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" 
@@ -278,13 +278,13 @@ path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_10_patch + register: rhel_09_6_2_10_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" @@ -300,7 +300,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_10_patch_audit, rhel_08_6_2_10_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -343,19 +343,19 @@ ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_08_6_2_12_audit + register: rhel_09_6_2_12_audit - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_12_patch_audit.stdout | length > 0 - register: rhel_08_6_2_12_patch_audit + changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 + register: rhel_09_6_2_12_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" 
@@ -364,13 +364,13 @@ path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_12_patch + register: rhel_09_6_2_12_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" @@ -386,7 +386,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_12_patch_audit, rhel_08_6_2_12_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group From 24391549697dae8d91ccb9a6e03a9d01dc6090ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 11:02:40 +0000 Subject: [PATCH 358/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 7fe29f74..18369bf9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -14,6 +14,8 @@ Jan-2023 release - makefile added (hopefully help some) - fqcn added to all controls - some controls rewritten using module rather than shell +- typo fixes from rhel_08 inheritance +- workfolw update for 5.6.6 to set random root password to allow for testing - incorporates issues - #23 - #24 From 64a3e26e4f69727d4a12df5d913cdce2ef33263e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:29:19 +0000 Subject: [PATCH 359/454] moved su check to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 19 ------------------- tasks/prelim.yml | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 981ade5b..60374b36 100644 
--- a/tasks/main.yml +++ b/tasks/main.yml @@ -80,25 +80,6 @@ tags: - always -- name: Check sugroup exists if used - block: - - name: "Check su group exists if defined" - ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint - - - name: Check sugroup if defined exists before continuing - ansible.builtin.assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" - when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 - tags: - - rule_5.7 - name: Gather the package facts ansible.builtin.package_facts: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3593a906..854e8614 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -197,6 +197,26 @@ - rule_5.3.4 - rule_5.3.5 +- name: Check sugroup exists if used + block: + - name: "Check su group exists if defined" + ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + register: sugroup_exists + changed_when: false + failed_when: sugroup_exists.rc >= 2 + tags: + - skip_ansible_lint + + - name: Check sugroup if defined exists before continuing + ansible.builtin.assert: + that: sugroup_exists.rc == 0 + msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" + when: + - rhel9cis_sugroup is defined + - rhel9cis_rule_5_7 + tags: + - rule_5.7 + - name: "PRELIM | Check for rhnsd service" ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false From f8577132f0790d6236020c9c3e09db9f93bcee6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:29:51 +0000 Subject: [PATCH 360/454] removed old rhn check Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 854e8614..702939c3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
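Review bot: `grep -w "{{ rhel9cis_sugroup }}" /etc/group` in the moved "Check su group exists" task matches the word anywhere on a line, so a user of that name listed as a member of some other group satisfies the check even when no such group exists; anchor it to the name field, `grep -q "^{{ rhel9cis_sugroup }}:" /etc/group`, or replace the shell with `ansible.builtin.getent` (`database: group`, `key: "{{ rhel9cis_sugroup }}"`) and assert on the resulting fact. The value is operator-supplied and spliced into a shell line, so with the shell form `{{ rhel9cis_sugroup | quote }}` keeps an unusual group name from breaking the command. The getent form would also make the `skip_ansible_lint` tag unnecessary. The logic is moved verbatim from tasks/main.yml, so none of this is new to the commit, but the move is the moment to fix it.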
@@ -217,19 +217,6 @@ tags: - rule_5.7 -- name: "PRELIM | Check for rhnsd service" - ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" - changed_when: false - check_mode: false - become: true - register: rhnsd_service_status - when: - - rhel9cis_rule_1_2_2 - - ansible_distribution == "RedHat" - tags: - - rule_1.2.2 - - skip_ansible_lint - - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" From df26c888ba016fdc7a71007ac9740feac040119c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:33:02 +0000 Subject: [PATCH 361/454] removed dnf clean up as not required Signed-off-by: Mark Bolwell --- tasks/post.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 8facbd21..e482df61 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,11 +1,6 @@ --- # Post tasks -- name: Perform DNF package cleanup - ansible.builtin.package: - autoremove: true - changed_when: false - - name: Gather the package facts after remediation ansible.builtin.package_facts: manager: auto From a90941af41a8da76916454d77d1b72659f41319b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:33:14 +0000 Subject: [PATCH 362/454] fiex rule number 6.2.9 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 702939c3..5677f118 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -35,7 +35,7 @@ check_mode: false register: rhel9cis_uid_zero_accounts_except_root tags: - - rule_6.2.8 + - rule_6.2.9 - level1-server - level1-workstation - users From 4adb0ec812374ca6801bf214b01458f5cc6fdbfa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:41:32 +0000 Subject: [PATCH 363/454] standardize handler naming 
Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++---- tasks/auditd.yml | 4 ++-- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 8 ++++---- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index a350df02..212eacc9 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -56,7 +56,7 @@ - name: Reload dconf ansible.builtin.shell: dconf update -- name: grub2cfg +- name: Grub2cfg ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors tags: @@ -77,18 +77,18 @@ name: systemd-journal-upload state: restarted -- name: Systemd_daemon_reload +- name: Systemd daemon reload ansible.builtin.systemd: daemon-reload: true ## Auditd tasks note order for handlers to run -- name: Auditd_immutable_check +- name: Auditd immutable check ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: auditd_immutable_check -- name: Audit_immutable_fact +- name: Audit immutable fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 632e4d1f..67041259 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -9,8 +9,8 @@ mode: 0640 register: audit_rules_updated notify: - - Auditd_immutable_check - - Audit_immutable_fact + - Auditd immutable check + - Audit immutable fact - Restart auditd - name: POST | Set up auditd user logging exceptions diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index af1579f2..f2dcaee9 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -7,7 +7,7 @@ owner: root group: root mode: 0600 - notify: grub2cfg + notify: Grub2cfg when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 6d3eb4e1..443bfc19 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -5,7 +5,7 @@ path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' - notify: Systemd_daemon_reload + notify: Systemd daemon reload when: - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index c1fdd79b..6c525353 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -22,7 +22,7 @@ - enforcing=0 register: selinux_grub_patch ignore_errors: true # noqa ignore-errors - notify: grub2cfg + notify: Grub2cfg when: - rhel9cis_rule_1_6_1_2 tags: diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 167f8d22..c430f2d9 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -36,7 +36,7 @@ dest: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' - notify: grub2cfg + notify: Grub2cfg when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" @@ -44,7 +44,7 @@ path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' - notify: grub2cfg + notify: Grub2cfg when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: - rhel9cis_rule_4_1_1_2 @@ -70,7 +70,7 @@ dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' - notify: grub2cfg + notify: Grub2cfg when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" 
@@ -78,7 +78,7 @@ path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' - notify: grub2cfg + notify: Grub2cfg when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" when: - rhel9cis_rule_4_1_1_3 From 2a39d54f41bcb2be1d9c5ce589c8ed2159c8d4b7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:41:47 +0000 Subject: [PATCH 364/454] remove conditional for parse etc passwd Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 60374b36..c72dc5b2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -111,8 +111,6 @@ - name: capture /etc/password variables ansible.builtin.include_tasks: parse_etc_password.yml - when: - - rhel9cis_section6 tags: - rule_5.5.2 - rule_5.6.2 @@ -161,8 +159,7 @@ - name: run auditd logic ansible.builtin.import_tasks: auditd.yml - when: - - update_audit_template + when: update_audit_template tags: - always @@ -180,8 +177,7 @@ - name: Show Audit Summary ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - when: - - run_audit + when: run_audit - name: If Warnings found Output count and control IDs affected ansible.builtin.debug: From 9e633938998af3c03044054b325f643e67f3c48e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:47:13 +0000 Subject: [PATCH 365/454] removed state presnet from infile as default Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 1 - tasks/section_4/cis_4.2.1.x.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 2836cee3..dff2930a 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
@@ -22,7 +22,6 @@ path: /etc/dconf/profile/gdm regexp: "{{ item.regexp }}" line: "{{ item.line }}" - state: present create: true owner: root group: root diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 90c68e0c..4eeb61dc 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -75,7 +75,6 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" ansible.builtin.blockinfile: path: /etc/rsyslog.conf - state: present marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" block: | # mail logging additions to meet CIS standards From 3c33ce50568cf3c7d38981bee99a1942934e3187 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:47:26 +0000 Subject: [PATCH 366/454] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 18 +++++++++--------- tasks/section_6/cis_6.2.x.yml | 27 ++++++++++++--------------- 2 files changed, 21 insertions(+), 24 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 37b074d1..a1c638d7 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -133,7 +133,7 @@ path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" + loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" when: - rhel_09_6_1_9_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust @@ -155,7 +155,7 @@ failed_when: false check_mode: false register: rhel_09_6_1_10_audit - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] 
@@ -163,7 +163,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_10_audit.results }}" + loop: "{{ rhel_09_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -194,7 +194,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_11_audit - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] @@ -202,7 +202,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_11_audit.results }}" + loop: "{{ rhel_09_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -245,14 +245,14 @@ failed_when: false changed_when: false register: rhel_09_6_1_13_perms_results - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" + loop: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" when: - rhel_09_6_1_13_perms_results.stdout is defined 
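Review bot: In the 6.1.13 alert task the loop source does not match how the register was produced: `rhel_09_6_1_13_perms_results` is registered under a loop over `ansible_mounts`, so it carries a `results` list rather than `stdout_lines`, yet the message reads `item.item.mount` and the misspelled `item.stout_lines`; the 6.1.14 hunk in the next line has the same shape. Aligning it with the 6.1.10/6.1.11 tasks above gives `loop: "{{ rhel_09_6_1_13_perms_results.results }}"`, `msg: "... {{ item.stdout_lines | join(', ') }}"` and a per-item guard `- item.stdout_lines | length > 0`. The existing `when` on `.stdout is defined` continues past the hunk and would also need to test a per-result field. As written the SUID/SGID findings are never reported, which defeats the purpose of an audit control.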
@@ -279,14 +279,14 @@ failed_when: false changed_when: false register: rhel_09_6_1_14_perms_results - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" + loop: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" when: - rhel_09_6_1_14_perms_results.stdout is defined diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ff30b6e3..2a98e90c 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -33,7 +33,7 @@ ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false - with_items: "{{ empty_password_accounts.stdout_lines }}" + loop: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - rhel9cis_rule_6_2_2 @@ -225,7 +225,7 @@ state=directory owner=root mode='o-w,g-w' - with_items: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" + loop: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" when: - rhel9cis_rule_6_2_8 tags: @@ -239,7 +239,7 @@ ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false - with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" + loop: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - rhel9cis_uid_zero_accounts_except_root.rc - rhel9cis_rule_6_2_9 
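Review bot: `passwd -l {{ item }}` in the 6.2.2 hunk interpolates a username taken from command output straight into a shell line without `| quote`, and the 6.2.9 hunk below does the same. Rendering it as `passwd -l {{ item | quote }}` (or using `ansible.builtin.user` with `password_lock: true`) keeps a malformed passwd entry from altering the command. `changed_when: false` also hides a real state change — locking an account — from the play recap, and `failed_when: false` lets a failed lock pass silently, so the overrides are worth reconsidering. The `when: - empty_password_accounts.rc` guard fires only on a non-zero rc; whether that is the intended polarity depends on the register, which is not visible here.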
@@ -257,7 +257,7 @@ ansible.builtin.stat: path: "{{ item }}" register: rhel_09_6_2_10_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -321,7 +321,7 @@ path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory - with_items: "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" loop_control: label: "{{ rhel9cis_passwd_label }}" when: @@ -342,7 +342,7 @@ - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" ansible.builtin.stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" register: rhel_09_6_2_12_audit - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -365,14 +365,14 @@ recurse: true mode: a-st,g-w,o-rwx register: rhel_09_6_2_12_patch - when: - - not ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - not ansible_check_mode + - item.1.exists # set default ACLs so the homedir has an effective umask of 0027 - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" 
@@ -407,8 +407,7 @@ ansible.builtin.file: path: "{{ item }}/.netrc" state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" + loop: "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: @@ -423,8 +422,7 @@ ansible.builtin.file: path: "{{ item }}/.forward" state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" + loop: "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: @@ -439,8 +437,7 @@ ansible.builtin.file: path: "~{{ item }}/.rhosts" state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" + loop: "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: From 466e88613e5e1abcd45081840409ebcaf9c512d6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:49:43 +0000 Subject: [PATCH 367/454] with_items to loop Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 2 +- tasks/section_1/cis_1.1.2.x.yml | 3 +-- tasks/section_1/cis_1.1.3.x.yml | 3 +-- tasks/section_1/cis_1.1.4.x.yml | 3 +-- tasks/section_1/cis_1.1.5.x.yml | 3 +-- tasks/section_1/cis_1.1.6.x.yml | 3 +-- tasks/section_1/cis_1.1.7.x.yml | 3 +-- tasks/section_1/cis_1.8.x.yml | 4 ++-- 8 files changed, 9 insertions(+), 15 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 76cb0850..8ff13fd3 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -11,7 +11,7 @@ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" ansible.builtin.set_fact: rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" + loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) 
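Review bot: The 6.2.15 hunk builds the path as `"~{{ item }}/.rhosts"` while the 6.2.13 and 6.2.14 hunks use `"{{ item }}/.netrc"` and `"{{ item }}/.forward"` from the same `interactive_users_home.stdout_lines`; prelim.yml later in this series fills that variable with `cut -d: -f6`, i.e. home-directory paths, so the tilde produces something like `~/home/alice/.rhosts` and the file is never removed. The line should read `path: "{{ item }}/.rhosts"`. If tilde expansion by username was intended, the loop source would have to be usernames instead.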
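Review bot: The set_fact in `Split passwd entries` never references `item`, so the `loop` over `rhel9cis_passwd_file_audit.stdout_lines` recomputes the full map over every passwd line once per line and echoes each entry in the task output; the line `loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"` can simply be removed. The `vars` block holding the regex continues past the hunk.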
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d55f5ec9..b4e18889 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -33,8 +33,7 @@ state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: Remount tmp - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" when: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 84135ae9..d873c516 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,8 +31,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b8ae48da..f063fbdf 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,8 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 9f556ba1..1707f308 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
@@ -33,8 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index fcfa92b3..274f6683 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,8 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 54da3586..7f166100 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,8 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index dff2930a..6ebe4ae7 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -27,7 +27,7 @@ group: root mode: 0644 notify: Reload dconf - with_items: + loop: - { regexp: 'user-db', line: 'user-db:user' } - { regexp: 'system-db', line: 'system-db:gdm' } - { regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } 
@@ -62,7 +62,7 @@ group: root mode: 0644 notify: Reload dconf - with_items: + loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'} From 674e0fab1643ada57551cb1da4ac7061d6bad6cf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:59:33 +0000 Subject: [PATCH 368/454] with_items to loop Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/post.yml b/tasks/post.yml index e482df61..3a2426eb 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -16,7 +16,7 @@ mode: 0600 register: sysctl_updated notify: Reload sysctl - with_items: + loop: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf - 60-netipv4_sysctl.conf From 7760f351614acf81199b60d9e0ccbaa9793c619e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 10:01:14 +0000 Subject: [PATCH 369/454] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 3 +-- tasks/section_3/cis_3.4.1.x.yml | 6 ++---- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.3.yml | 2 +- 4 files changed, 5 insertions(+), 8 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 98ca6714..3a8e7455 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -62,8 +62,7 @@ mode: "0600" owner: root group: root - with_items: - - tipc + loop: tipc # note the item used in the template - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 684d0a5c..e0287341 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
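Review bot: `loop: tipc` gives `loop` a plain string, but `loop` requires a list (the one-level flattening that made `with_items: - tipc` work does not apply), so this task errors at runtime; the `firewalld` and `nftables` hunks in the next file section have the same shape. Keep the list form, `loop:` followed by `- tipc`. The trailing `# note the item used in the template` comment is better placed on its own line above `loop:` so it is not read as part of the value.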
@@ -21,8 +21,7 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - with_items: - - firewalld + loop: firewalld when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' @@ -31,8 +30,7 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - with_items: - - nftables + loop: nftables when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 60e769ac..38c1efa1 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -102,7 +102,7 @@ - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed" ansible.builtin.shell: "{{ item }}" failed_when: false - with_items: + loop: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index ac0078ce..0038b340 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -23,7 +23,7 @@ path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}" - with_items: + loop: - "{{ log_rotates.files }}" - { path: "/etc/logrotate.conf" } loop_control: From 9fe177f9cebb5f351efeeb1e43e903d6df0ffa47 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 11:35:47 +0000 Subject: [PATCH 370/454] standardise naming and move items to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 18 ------------------ tasks/prelim.yml | 38 ++++++++++++++++++++++++++++---------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index c72dc5b2..47940fc9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
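Review bot: Changing `with_items` to `loop` in the 4.3 hunk changes the data shape: `with_items` flattened the nested `"{{ log_rotates.files }}"` element one level, but `loop` does not, so the first iteration receives the whole files list as `item` and `item.path` / `label: "{{ item.path }}"` fail. Build one flat list instead, `loop: "{{ log_rotates.files + [{'path': '/etc/logrotate.conf'}] }}"`. `loop_control` and the rest of the task continue past the hunk.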
@@ -103,24 +103,6 @@ when: - run_audit -- name: Gather the package facts after prelim - ansible.builtin.package_facts: - manager: auto - tags: - - always - -- name: capture /etc/password variables - ansible.builtin.include_tasks: parse_etc_password.yml - tags: - - rule_5.5.2 - - rule_5.6.2 - - rule_6.2.9 - - rule_6.2.10 - - rule_6.2.11 - - rhel9cis_section5 - - rhel9cis_section6 - - level1-server - - name: run Section 1 tasks ansible.builtin.import_tasks: section_1/main.yml when: rhel9cis_section1 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5677f118..18e0c177 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -12,6 +12,18 @@ - level1-workstation - users +- name: "PRELIM | capture /etc/password variables" + ansible.builtin.include_tasks: parse_etc_password.yml + tags: + - rule_5.5.2 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 + - rhel9cis_section6 + - level1-server + - name: "PRELIM | Interactive User accounts" ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' changed_when: false @@ -95,7 +107,7 @@ path: /sys/firmware/efi register: rhel_09_efi_boot - - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" + - name: "PRELIM | set legacy boot and grub path | Bios" ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg @@ -197,9 +209,9 @@ - rule_5.3.4 - rule_5.3.5 -- name: Check sugroup exists if used +- name: "PRELIM | Check sugroup exists if used" block: - - name: "Check su group exists if defined" + - name: "PRELIM | Check su group exists if defined" ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group register: sugroup_exists changed_when: false 
@@ -207,7 +219,7 @@ tags: - skip_ansible_lint - - name: Check sugroup if defined exists before continuing + - name: "PRELIM | Check sugroup if defined exists before continuing" ansible.builtin.assert: that: sugroup_exists.rc == 0 msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" @@ -217,32 +229,38 @@ tags: - rule_5.7 -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" +- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + - name: "PRELIM | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + - name: "PRELIM | Capture UID_MAX information from logins.def" ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + - name: "PRELIM | Capture GID_MIN information from logins.def" ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" + - name: "PRELIM | set_facts for interactive uid/gid" ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- name: Output of uid findings +- name: "PRELIM | Output of uid findings" ansible.builtin.debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid + +- name: "PRELIM | Gather the package facts after prelim" + ansible.builtin.package_facts: + manager: auto + tags: + - always From 10a6a2e0dd165c0551909e8a3c19bab1be433739 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 25 Jan 2023 11:36:12 +0000 Subject: [PATCH 371/454] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 4 +++- tasks/section_3/cis_3.4.1.x.yml | 6 ++++-- tasks/section_4/cis_4.1.2.x.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 3a8e7455..6de9cd7c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -62,7 +62,9 @@ mode: "0600" owner: root group: root - loop: tipc # note the item used in the template + loop: + - tipc + # note the item used in the template - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index e0287341..8f3aba9a 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -21,7 +21,8 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - loop: firewalld + loop: + - firewalld when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' @@ -30,7 +31,8 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - loop: nftables + loop: + - nftables when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index e9cee1c1..b830b1f5 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -36,7 +36,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart auditd - with_items: + loop: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } - { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' } 
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index e22da771..72767a41 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -20,7 +20,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart systemd_journal_upload - with_items: + loop: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} @@ -154,7 +154,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart systemd_journal_upload - with_items: + loop: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} From f9267a389b674e7caedadba9996ab2e734f2e209 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:29:03 +0000 Subject: [PATCH 372/454] remove state file on file module Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 3 --- tasks/section_4/cis_4.1.4.x.yml | 7 ------- tasks/section_5/cis_5.2.x.yml | 7 ++----- 3 files changed, 2 insertions(+), 15 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index a66cb6ce..9848beaa 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -50,7 +50,6 @@ - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" ansible.builtin.file: dest: /etc/motd - state: file owner: root group: root mode: 0644 @@ -66,7 +65,6 @@ - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" ansible.builtin.file: dest: /etc/issue - state: file owner: root group: root mode: 0644 
@@ -82,7 +80,6 @@ - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" ansible.builtin.file: dest: /etc/issue.net - state: file owner: root group: root mode: 0644 diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 5ee9b554..7139ab62 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -17,7 +17,6 @@ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: path: "{{ audit_logfile.stdout }}" - state: file mode: 0640 owner: root group: root @@ -59,7 +58,6 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - state: file mode: 0640 loop: "{{ auditd_conf_files.files }}" loop_control: @@ -77,7 +75,6 @@ - name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" ansible.builtin.file: path: "{{ item.path }}" - state: file owner: root loop: "{{ auditd_conf_files.files }}" loop_control: @@ -94,7 +91,6 @@ - name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" ansible.builtin.file: path: "{{ item.path }}" - state: file group: root loop: "{{ auditd_conf_files.files }}" loop_control: @@ -125,7 +121,6 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - state: file mode: 0750 register: "audit_bins" loop: "{{ audit_bins.results }}" @@ -144,7 +139,6 @@ - name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root" ansible.builtin.file: path: "{{ item }}" - state: file owner: root group: root loop: @@ -166,7 +160,6 @@ - name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" ansible.builtin.file: path: "{{ item }}" - state: file group: root loop: - /sbin/auditctl diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index f0286d9e..b67b0184 100644 --- a/tasks/section_5/cis_5.2.x.yml 
+++ b/tasks/section_5/cis_5.2.x.yml @@ -3,7 +3,6 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: dest: /etc/ssh/sshd_config - state: file owner: root group: root mode: 0600 @@ -33,8 +32,7 @@ owner: root group: root mode: 0600 - with_items: - - "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" + loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" when: @@ -63,8 +61,7 @@ owner: root group: root mode: 0644 - with_items: - - "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" + loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" when: From e6417801680794641426ab87a9b2f14dfc27d070 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:29:30 +0000 Subject: [PATCH 373/454] replace module dest -> path Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 6c525353..f05143c7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -14,7 +14,7 @@ - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" ansible.builtin.replace: - dest: /etc/default/grub + path: /etc/default/grub regexp: '{{ item }}' replace: '' loop: diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index c430f2d9..a8be25f5 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -33,7 +33,7 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" ansible.builtin.replace: - dest: /etc/default/grub + path: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' notify: Grub2cfg 
@@ -67,7 +67,7 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" ansible.builtin.replace: - dest: /etc/default/grub + path: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' notify: Grub2cfg From 904d7811d428f5324b439c92d08165c14be3827e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:29:54 +0000 Subject: [PATCH 374/454] moved when to same line Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.2.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 38c1efa1..540bda0d 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -10,8 +10,7 @@ - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - when: - - firewalld_zone_set.rc != 0 + when: firewalld_zone_set.rc != 0 when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_1 From 8694bfde756bbe8e79732016e13db95abb70e5ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:30:26 +0000 Subject: [PATCH 375/454] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.x.yml | 9 +++------ tasks/section_5/cis_5.5.x.yml | 4 ++-- tasks/section_5/cis_5.6.1.x.yml | 6 ++---- tasks/section_5/cis_5.6.x.yml | 3 +-- 4 files changed, 8 insertions(+), 14 deletions(-) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 823d1425..fc62bafc 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -48,8 +48,7 @@ regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' validate: '/usr/sbin/visudo -cf %s' - with_items: - - "{{ rhel9cis_sudoers_files.stdout_lines }}" + loop: "{{ rhel9cis_sudoers_files.stdout_lines }}" when: - rhel9cis_rule_5_3_4 tags: 
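Review bot: The 5.3.4 regexp `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` does not exclude lines starting with `ec2-user`; after templating it is the character class `[^#|ec2-user]`, which rejects any first character among `#`, `|`, `e`, `c`, `u`, `s`, `r` and the whole `2-u` range (digits 2–9, uppercase, `a`–`u`). On an EC2 host nearly every user or group line therefore never matches and its NOPASSWD entry stays in place while the task reports success. A negative lookahead expresses the intent: `regexp: '^(?!#){% if system_is_ec2 %}(?!ec2-user){% endif %}(.*)NOPASSWD(.*)'` with the same `replace: '\1PASSWD\2'`. The task's `tags` list continues past the hunk.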
@@ -65,8 +64,7 @@ regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' validate: '/usr/sbin/visudo -cf %s' - with_items: - - "{{ rhel9cis_sudoers_files.stdout_lines }}" + loop: "{{ rhel9cis_sudoers_files.stdout_lines }}" when: - rhel9cis_rule_5_3_5 tags: @@ -98,8 +96,7 @@ regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - with_items: - - "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" + loop: "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" when: rhel9cis_5_3_6_timeout_files.stdout | length > 0 when: - rhel9cis_rule_5_3_6 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 51c18f9d..64ecd184 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -7,7 +7,7 @@ path: /etc/security/pwquality.conf regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" - with_items: + loop: - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } @@ -37,7 +37,7 @@ path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - with_items: + loop: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } when: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 1f6b691c..141c0136 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -63,8 +63,7 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" - with_items: - - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" + loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" when: - rhel9cis_rule_5_6_1_4 tags: 
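Review bot: The 5.5.2 faillock patterns act on the wrong side of the threshold: `'^\s*deny\s*=\s*[1-5]\b'` matches only already-compliant values, so an existing `deny = 3` is loosened to `deny = 5`, while a non-compliant `deny = 10` does not match and lineinfile appends a second `deny` line; the `unlock_time` pattern has the same inversion (`900`–`999` and `1000+` are rewritten to 900, `600` is left in place and duplicated). Matching on the key alone, `regexp: '^\s*deny\s*='` and `regexp: '^\s*unlock_time\s*='`, gives one deterministic line per setting; if stricter site values must survive, the pattern should instead match only values outside the allowed range. The block's `when` continues past the hunk.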
@@ -108,8 +107,7 @@ when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix - with_items: - - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + loop: "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" vars: warn_control_id: '5.6.1.5' when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 6100b0b5..f03e2130 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -6,8 +6,7 @@ ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin - with_items: - - "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" when: - item.id != "root" - item.id != "sync" From 4b1956508ad894ee5b027bba6e8716d326d0481d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:30:43 +0000 Subject: [PATCH 376/454] updates control steps Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 38 ++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 0038b340..be17c702 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
@@ -13,21 +13,37 @@ state: started enabled: true - - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + - name: "4.3 | PATCH | Ensure logrotate is configured | set default conf" + ansible.builtin.replace: + path: "/etc/logrotate.conf" + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ rhel9cis_logrotate }}" + + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings" ansible.builtin.find: paths: /etc/logrotate.d/ + contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$' register: log_rotates - - name: "4.3 | PATCH | Ensure logrotate is configured" - ansible.builtin.replace: - path: "{{ item.path }}" - regexp: '^(\s*)(daily|weekly|monthly|yearly)$' - replace: "\\1{{ rhel9cis_logrotate }}" - loop: - - "{{ log_rotates.files }}" - - { path: "/etc/logrotate.conf" } - loop_control: - label: "{{ item.path }}" + - name: "4.3 | AUDIT | Ensure logrotate is configured" + block: + - name: "4.3 | AUDIT | Ensure logrotate is configured | generate file list" + ansible.builtin.set_fact: + logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}" + + - name: "4.3 | AUDIT | Ensure logrotate is configured | List configured files" + ansible.builtin.debug: + msg: | + "Warning!! The following files are not covered by default logrotate settings ensure they match site policy" + "{{ logrotate_non_def_conf }}" + loop: "{{ log_rotates.files }}" + + - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '4.3' + when: log_rotates.matched > 0 + when: - rhel9cis_rule_4_3 tags: From 0c460d4b70c0555d6e4a83828e2ed5c013c1a426 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:31:12 +0000 Subject: [PATCH 377/454] updated task 6.2.8 
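Review bot: The new `List configured files` debug task carries `loop: "{{ log_rotates.files }}"` but prints the already-joined `logrotate_non_def_conf` string, so the same full message is repeated once per matched file; either drop the `loop:` or print the per-file value with `"{{ item.path }}"`. The `contains:` regex on the find task interpolates `rhel9cis_logrotate` raw into a negative lookahead, so a value with regex metacharacters changes the match; `(?!{{ rhel9cis_logrotate | regex_escape }})` keeps it literal and consistent with the replace task above. Because the message is a `|` block scalar, the double quotes around each line end up in the output verbatim.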
Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 101 +++++++++++++++++++--------------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 2a98e90c..e9ebed74 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -189,43 +189,56 @@ - name: "6.2.8 | PATCH | Ensure root PATH Integrity" block: - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value" - ansible.builtin.shell: 'echo $PATH | grep ::' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false - failed_when: rhel9cis_6_2_8_path_colon.rc == 0 - check_mode: false - register: rhel9cis_6_2_8_path_colon + register: rhel9cis_6_2_8_root_paths + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" + ansible.builtin.set_fact: + root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end" - ansible.builtin.shell: 'echo $PATH | grep :$' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false - failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0 - check_mode: false - register: rhel9cis_6_2_8_path_colon_end + failed_when: root_path_empty_dir.rc not in [ 0, 1 ] + register: root_path_empty_dir - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false - failed_when: '"." 
in rhel9cis_6_2_8_dot_in_path.stdout_lines' - check_mode: false - register: rhel9cis_6_2_8_dot_in_path + failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] + register: root_path_trailing_colon + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + block: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.stat: + path: "{{ item }}" + register: root_path_perms + loop: "{{ root_paths | split(':') }}" + + - ansible.builtin.debug: + msg: "{{ root_path_perms.results }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + owner: root + group: root + mode: 0755 + follow: true + loop: "{{ root_path_perms.results }}" + loop_control: + label: "{{ item.stat }}" + when: + - item.stat.pw_name != 'root' or + item.stat.gr_name != 'root' or + item.stat.woth or + item.stat.wgrp + - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - ansible.builtin.debug: - msg: - - "Warning!!" - - "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}" - - "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" - - - name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - ansible.builtin.file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - loop: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" when: - rhel9cis_rule_6_2_8 tags: 
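Review bot: The `Check for trailing ':'` task is missing the `echo`, so the shell line begins with the PATH value itself (`'{{ root_paths }} | cut ...'`) and tries to execute it as a command; because `grep -q` is last in the pipeline its exit status is what `failed_when` sees, so the task passes silently and a trailing colon is never detected. The line should read `ansible.builtin.shell: 'echo {{ root_paths | quote }} | grep -q ":$" && echo "roots path contains a trailing (:)"'`, and the same `| quote` belongs on the `Check for empty dirs` line above it. Neither check's stdout is surfaced anywhere now that the old warning debug is removed, so the audit result is lost unless a warning task consumes `root_path_empty_dir` and `root_path_trailing_colon`. The `file` loop also reads `item.stat.pw_name` without checking `item.stat.exists`, which fails for a PATH entry that does not exist (a later commit in this series adds that guard).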
@@ -264,14 +277,14 @@ check_mode: false changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 register: rhel_09_6_2_10_patch_audit - when: - - ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - ansible_check_mode + - item.1.exists - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" ansible.builtin.file: @@ -279,14 +292,14 @@ recurse: true mode: a-st,g-w,o-rwx register: rhel_09_6_2_10_patch - when: - - not ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - not ansible_check_mode + - item.1.exists # set default ACLs so the homedir has an effective umask of 0027 - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" @@ -297,8 +310,6 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -307,6 +318,8 @@ mode: rx - etype: other mode: '0' + when: + - not system_is_container when: - rhel9cis_rule_6_2_10 tags: 
@@ -350,14 +363,14 @@ check_mode: false changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 register: rhel_09_6_2_12_patch_audit - when: - - ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - ansible_check_mode + - item.1.exists - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" ansible.builtin.file: @@ -383,8 +396,6 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -393,6 +404,8 @@ mode: rx - etype: other mode: '0' + when: + - not system_is_container when: - rhel9cis_rule_6_2_12 tags: From abd99426b8ebeaff76b81dac13f65bc0607da7c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:31:27 +0000 Subject: [PATCH 378/454] replaced dest for path on file module Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 6 +++--- tasks/section_5/cis_5.1.x.yml | 20 ++++++++++---------- tasks/section_6/cis_6.1.x.yml | 16 ++++++++-------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 9848beaa..1c20dca4 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -49,7 +49,7 @@ - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" ansible.builtin.file: - dest: /etc/motd + path: /etc/motd owner: root group: root mode: 0644 @@ -64,7 +64,7 @@ - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" ansible.builtin.file: - dest: /etc/issue + path: /etc/issue owner: root group: root mode: 0644 
@@ -79,7 +79,7 @@ - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" ansible.builtin.file: - dest: /etc/issue.net + path: /etc/issue.net owner: root group: root mode: 0644 diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 9edc7c71..f897c6c7 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -15,7 +15,7 @@ - name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" ansible.builtin.file: - dest: /etc/crontab + path: /etc/crontab owner: root group: root mode: 0600 @@ -30,7 +30,7 @@ - name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" ansible.builtin.file: - dest: /etc/cron.hourly + path: /etc/cron.hourly state: directory owner: root group: root @@ -46,7 +46,7 @@ - name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" ansible.builtin.file: - dest: /etc/cron.daily + path: /etc/cron.daily state: directory owner: root group: root @@ -62,7 +62,7 @@ - name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" ansible.builtin.file: - dest: /etc/cron.weekly + path: /etc/cron.weekly state: directory owner: root group: root @@ -77,7 +77,7 @@ - name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" ansible.builtin.file: - dest: /etc/cron.monthly + path: /etc/cron.monthly state: directory owner: root group: root @@ -92,7 +92,7 @@ - name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" ansible.builtin.file: - dest: /etc/cron.d + path: /etc/cron.d state: directory owner: root group: root @@ -110,7 +110,7 @@ block: - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: - dest: /etc/cron.deny + path: /etc/cron.deny state: absent - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" 
@@ -120,7 +120,7 @@ - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: - dest: /etc/cron.allow + path: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root @@ -138,7 +138,7 @@ block: - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: - dest: /etc/at.deny + path: /etc/at.deny state: absent - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" @@ -148,7 +148,7 @@ - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: - dest: /etc/at.allow + path: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index a1c638d7..f7528d3a 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -2,7 +2,7 @@ - name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" ansible.builtin.file: - dest: /etc/passwd + path: /etc/passwd owner: root group: root mode: 0644 @@ -17,7 +17,7 @@ - name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" ansible.builtin.file: - dest: /etc/passwd- + path: /etc/passwd- owner: root group: root mode: 0644 @@ -32,7 +32,7 @@ - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: - dest: /etc/group- + path: /etc/group- owner: root group: root mode: 0644 @@ -47,7 +47,7 @@ - name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" ansible.builtin.file: - dest: /etc/group- + path: /etc/group- owner: root group: root mode: 0644 
@@ -62,7 +62,7 @@ - name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" ansible.builtin.file: - dest: /etc/shadow + path: /etc/shadow owner: root group: root mode: 0000 @@ -77,7 +77,7 @@ - name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" ansible.builtin.file: - dest: /etc/shadow- + path: /etc/shadow- owner: root group: root mode: 0000 @@ -92,7 +92,7 @@ - name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" ansible.builtin.file: - dest: /etc/gshadow + path: /etc/gshadow owner: root group: root mode: 0000 @@ -107,7 +107,7 @@ - name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" ansible.builtin.file: - dest: /etc/gshadow- + path: /etc/gshadow- owner: root group: root mode: 0000 From 89e6372648c37b2b7d16bcca8a3f61139186b64c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:47:33 +0000 Subject: [PATCH 379/454] 5.6.3 tidy up Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index f03e2130..941ec994 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -46,18 +46,18 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" ansible.builtin.blockinfile: - create: true - mode: 0644 - dest: "{{ item.dest }}" + path: "{{ item.dest }}" state: "{{ item.state }}" marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" + create: true + mode: 0644 block: | TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT loop: - - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present } + - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } when: - rhel9cis_rule_5_6_3 tags: From e389ac16a0f7dc3dc1fc4cb3b78aedac666ca2c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:47:53 +0000 Subject: [PATCH 380/454] removed blank space Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index f7528d3a..298492d9 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -335,8 +335,6 @@ vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 - - when: - rhel9cis_rule_6_1_15 tags: From e61ef2c1a6838627ddab03c073d170cf0a33db3c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:48:10 +0000 Subject: [PATCH 381/454] blank space and tidy Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index e9ebed74..d54f53b8 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
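Review bot: The loop items are renamed from `dest` to `path` but the module argument still reads `path: "{{ item.dest }}"`, so `item.dest` is undefined and the task fails; it should be `path: "{{ item.path }}"` (a later commit in this series makes exactly that change). `mode: 0644` is an unquoted octal; Ansible accepts the leading-zero form, but `"0644"` avoids the YAML integer ambiguity the rest of this series is moving away from.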
@@ -237,8 +237,6 @@ item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - - when: - rhel9cis_rule_6_2_8 tags: @@ -274,8 +272,8 @@ - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 + changed_when: false check_mode: false - changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 register: rhel_09_6_2_10_patch_audit with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" @@ -318,8 +316,7 @@ mode: rx - etype: other mode: '0' - when: - - not system_is_container + when: not system_is_container when: - rhel9cis_rule_6_2_10 tags: From e59e72e3d1852c0c5fd4e96c90d6a82cf5978e14 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 12:10:10 +0000 Subject: [PATCH 382/454] lint Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 4 ++-- tasks/section_3/cis_3.4.1.x.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6de9cd7c..e972ae2d 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -63,8 +63,8 @@ owner: root group: root loop: - - tipc - # note the item used in the template + - tipc + # note the item used in the template - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 8f3aba9a..8a7e7212 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -22,7 +22,7 @@ name: "{{ item }}" masked: true loop: - - firewalld + - firewalld when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' 
@@ -32,15 +32,15 @@ name: "{{ item }}" masked: true loop: - - nftables + - nftables when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed" ansible.builtin.package: - name: "{{ rhel9cis_firewall }}" - state: installed + name: "{{ rhel9cis_firewall }}" + state: installed - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" ansible.builtin.systemd: From 60f832f1b27c402a1ea7a59dd790d3508eb1c115 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 12:10:23 +0000 Subject: [PATCH 383/454] control updates and lint Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 144 ++++++++++++---------------------- 1 file changed, 51 insertions(+), 93 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index d54f53b8..5d7a6bf8 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -218,9 +218,6 @@ register: root_path_perms loop: "{{ root_paths | split(':') }}" - - ansible.builtin.debug: - msg: "{{ root_path_perms.results }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" ansible.builtin.file: path: "{{ item.stat.path }}" 
@@ -264,58 +261,36 @@ - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" block: - - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" - ansible.builtin.stat: - path: "{{ item }}" - register: rhel_09_6_2_10_audit - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - - - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" - ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - changed_when: false - check_mode: false - register: rhel_09_6_2_10_patch_audit - with_together: - - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - when: - - ansible_check_mode - - item.1.exists - - - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" ansible.builtin.file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - register: rhel_09_6_2_10_patch - with_together: - - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" + path: "{{ item.dir }}" + state: directory + owner: "{{ item.id }}" + group: "{{ item.gid }}" + register: rhel_09_6_2_10_home_dir + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: - label: "{{ item.0 }}" - when: - - not ansible_check_mode - - item.1.exists + label: "{{ item.id }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set 
group ACL" + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: group + permissions: rx + state: present + loop: "{{ interactive_users_home.stdout_lines }}" + when: not system_is_container + + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set other ACL" ansible.posix.acl: - path: "{{ item.0 }}" + path: "{{ item }}" default: true + etype: other + permissions: 0 state: present - recursive: true - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' + loop: "{{ interactive_users_home.stdout_lines }}" when: not system_is_container when: - rhel9cis_rule_6_2_10 @@ -331,9 +306,9 @@ path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory - loop: "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: - label: "{{ rhel9cis_passwd_label }}" + label: "{{ item.id }}" when: - item.uid >= min_int_uid | int - item.id != 'nobody' 
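Review bot: The new `Create dir if absent` task creates the home directory with `state: directory` and no `mode`, so a freshly created directory gets the remote umask default (commonly 0755) rather than the 0750-or-stricter that 6.2.12 below enforces; add `mode: "0750"` next to `state: directory`. The ACL tasks loop over `interactive_users_home.stdout_lines`, which is not set anywhere in this hunk — presumably a fact registered elsewhere, so confirm it is always defined before this block runs, including on hosts with no interactive users. `permissions: 0` is now an unquoted YAML integer where the removed code passed the string `'0'`; keep it quoted rather than relying on the module coercing it.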
@@ -349,60 +324,43 @@ - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: - - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" + - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat" ansible.builtin.stat: path: "{{ item }}" - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_09_6_2_12_audit - - - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - check_mode: false - changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 - register: rhel_09_6_2_12_patch_audit - with_together: - - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - when: - - ansible_check_mode - - item.1.exists + register: rhel_09_6_2_12_home_dir_perms + loop: "{{ interactive_users_home.stdout_lines }}" - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" ansible.builtin.file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - register: rhel_09_6_2_12_patch - with_together: - - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" + path: "{{ item.stat.path }}" + state: directory + mode: "0750" + loop: "{{ rhel_09_6_2_12_home_dir_perms.results }}" loop_control: - label: "{{ item.0 }}" + label: "{{ item }}" when: - - not ansible_check_mode - - item.1.exists + - item.stat.mode 
> '0750' # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set group ACL" + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: group + permissions: rx + state: present + loop: "{{ interactive_users_home.stdout_lines }}" + when: not system_is_container + + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL" ansible.posix.acl: - path: "{{ item.0 }}" + path: "{{ item }}" default: true + etype: other + permissions: 0 state: present - recursive: true - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' - when: - - not system_is_container + loop: "{{ interactive_users_home.stdout_lines }}" + when: not system_is_container when: - rhel9cis_rule_6_2_12 tags: From 388dbd797cc19218f1692b91b28b4024b62ce11f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 14:17:29 +0000 Subject: [PATCH 384/454] fix typo Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 941ec994..184345b0 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -46,7 +46,7 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" ansible.builtin.blockinfile: - path: "{{ item.dest }}" + path: "{{ item.path }}" state: "{{ item.state }}" marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" create: true 
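Review bot: `when: item.stat.mode > '0750'` is a lexicographic string comparison, not a permission check: `'0707'` (world rwx) sorts below `'0750'` and is left alone, while `'1750'` (sticky bit only) is rewritten to 0750. Use the symbolic form the removed code used so the file module only strips the excess bits and stays idempotent: `mode: "g-w,o-rwx"` with `when: item.stat.exists and item.stat.isdir` in place of the comparison. The same task dereferences `item.stat.path` without an `exists` guard, so a user whose home directory is missing makes the whole loop fail, and `label: "{{ item }}"` prints the entire stat result — `label: "{{ item.stat.path }}"` is enough.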
From 9cf1f08eec3a54a19907973eab3eda80d2365bc8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 14:59:18 +0000 Subject: [PATCH 385/454] dest to path 5.2.1 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index b67b0184..8d0c0501 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -2,7 +2,7 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config owner: root group: root mode: 0600 From b5a5d3e9519cbadc97c5e3e212015227fdd9d0c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 15:00:10 +0000 Subject: [PATCH 386/454] Additional; step to show diff of template Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 67041259..f8d2fe61 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
@@ -1,25 +1,36 @@ --- +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file + ansible.builtin.stat: + path: /etc/audit/rules.d/99_auditd.rules + register: auditd_file -- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root mode: 0640 + diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file register: audit_rules_updated notify: - Auditd immutable check - Audit immutable fact - Restart auditd -- name: POST | Set up auditd user logging exceptions +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file + ansible.builtin.stat: + path: /etc/audit/rules.d/98_auditd_exceptions.rules + register: auditd_exception_file + +- name: POST | Set up auditd user logging exceptions | setup file ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root - mode: 0600 + mode: 0640 + diff: "{{ auditd_exception_file.stat.exists }}" notify: Restart auditd when: - allow_auditd_uid_user_exclusions From aa5b2c30c4be73f955b7245c89602bbdfa3a02b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 15:01:12 +0000 Subject: [PATCH 387/454] 6.2.8 rewrite Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 5d7a6bf8..557f3374 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
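Review bot: The second stat task reuses the first task's name (`Apply auditd template will for section 4.1.3 ... | stat file`) although it stats `98_auditd_exceptions.rules`, which makes play output misleading; name it `POST | Set up auditd user logging exceptions | stat file`. The exceptions rules file also goes from `mode: 0600` to `mode: 0640` in this hunk, a loosening the commit message does not mention — if it is meant to match `99_auditd.rules`, say so in the message or in a comment next to the line. The `# Only run diff if not a new file` comment is helpful; the same comment belongs on the second `diff:` line for symmetry.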
@@ -216,24 +216,26 @@ ansible.builtin.stat: path: "{{ item }}" register: root_path_perms - loop: "{{ root_paths | split(':') }}" + loop: "{{ rhel9cis_6_2_8_root_paths.stdout | split(':') }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + - ansible.builtin.debug: + msg: "{{ root_path_perms.results }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions" ansible.builtin.file: path: "{{ item.stat.path }}" state: directory owner: root group: root - mode: 0755 - follow: true + mode: "0755" + follow: false loop: "{{ root_path_perms.results }}" loop_control: - label: "{{ item.stat }}" + label: "{{ item }}" when: - - item.stat.pw_name != 'root' or - item.stat.gr_name != 'root' or - item.stat.woth or - item.stat.wgrp + - item.stat.exists + - item.stat.isdir + - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp when: - rhel9cis_rule_6_2_8 tags: @@ -418,7 +420,6 @@ - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" block: - - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" ansible.builtin.find: path: /home From 849789b867a493b2c1eee5b212ac190c4c6e35c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 15:03:05 +0000 Subject: [PATCH 388/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 +++- README.md | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 18369bf9..65f05f87 100644 --- a/Changelog.md +++ b/Changelog.md @@ -7,6 +7,8 @@ Jan-2023 release - Lint file updates and improvements +- auditd now shows diff ater initial template added +- many control rewritten - Many controls moved ID references - Audit updates aligned - Command warn arg removed 
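Review bot: The `Set permissions` task is tagged `AUDIT` in its name yet runs `ansible.builtin.file` to chown/chmod root's PATH directories, which the file's own convention labels `PATCH`; the unnamed `ansible.builtin.debug` dumping all of `root_path_perms.results` (removed two commits earlier) is also back and is noise in play output. `mode: "0755"` replaces the whole mode and so clears setgid or sticky bits on any matched directory, while the control only needs group/other write removed; `mode: "g-w,o-w"` is the minimal, idempotent change. `label: "{{ item }}"` prints the full stat result per iteration — `label: "{{ item.stat.path }}"` reads better. If root's PATH ever contains an empty entry (`::`), `split(':')` yields `''` and the stat loop receives an empty path; `| reject('eq', '')` after the split avoids that.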
@@ -15,7 +17,7 @@ Jan-2023 release - fqcn added to all controls - some controls rewritten using module rather than shell - typo fixes from rhel_08 inheritance -- workfolw update for 5.6.6 to set random root password to allow for testing +- workflow update for 5.6.6 to set random root password to allow for testing - incorporates issues - #23 - #24 diff --git a/README.md b/README.md index fc0376ee..67fc2dcd 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,7 @@ Below is an example of the tag section from a control within this role. Using th ### Known Issues -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. Rocky and Alma not affected. +CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). + - Rocky and Alma not affected. Variable used to unset. rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability From 50429d8278a429b2b53aa520eb740489e77b3a84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 16:02:12 +0000 Subject: [PATCH 389/454] moved notify to task Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 6ebe4ae7..4f6922f0 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -39,8 +39,7 @@ owner: root group: root mode: 0644 - - notify: Reload dconf + notify: Reload dconf when: - rhel9cis_rule_1_8_2 - rhel9cis_gui @@ -108,7 +107,7 @@ owner: root group: root mode: '0644' - notify: Reload dconf + notify: Reload dconf when: - rhel9cis_rule_1_8_4 - rhel9cis_gui @@ -136,7 +135,7 @@ owner: root group: root mode: 0644 - notify: Reload dconf + notify: Reload dconf when: - rhel9cis_rule_1_8_5 - rhel9cis_gui From 7d426bd4973638d652551c9fdb79e8215cad1237 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Thu, 26 Jan 2023 16:03:17 +0000 Subject: [PATCH 390/454] Added # comment Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8a791b14..d8d62902 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -168,7 +168,7 @@ rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true - Section 3 rules +# Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true From 2168a68b4e178ee25f7e7e3456ca259cfab1a9bb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 16:03:29 +0000 Subject: [PATCH 391/454] removed success_msg Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 96f16fe8..c05ddb3c 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -50,7 +50,6 @@ ansible.builtin.assert: that: goss_available.stat.exists fail_msg: "Audit binary file {{ audit_bin }} does not exist" - success_msg: "Audit binary file {{ audit_bin }} exists" when: - run_audit From d770c69aca74bacdb7296de440d310092ecc4f69 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:01:41 +0000 Subject: [PATCH 392/454] moved 5.6.6 testing to main task Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 184345b0..349095a2 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -112,16 +112,8 @@ - rule_5.6.5 - name: "5.6.6 | PATCH | Ensure root password is set" - block: - - name: "5.6.6 | PATCH | Ensure root password is set" - ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" - changed_when: false - register: root_passwd - - - name: "5.6.6 | PATCH | Ensure root password is set" - ansible.builtin.fail: - msg: The root password is not set - when: root_passwd.rc != 0 + ansible.builtin.debug: + msg: "The root password has been set as per the assert in early stages" when: - rhel9cis_rule_5_6_6 tags: From 98feeb1b01e017b1ddbd8a5f3005b96bf15f19fe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:02:01 +0000 Subject: [PATCH 393/454] 5.6.6 test added Signed-off-by: Mark Bolwell --- tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 47940fc9..d0833191 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,6 +42,28 @@ tags: - user_passwd +- name: "Ensure root password is set" + block: + - name: "Ensure root password is set" + ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + changed_when: false + register: root_passwd_set + + - name: "Ensure root password is set" + ansible.builtin.assert: + that: root_passwd_set.rc == 0 + fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" + success_msg: "You have a root password set" + when: + - rhel9cis_rule_5_6_6 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - root + - rule_5.6.6 + - name: Setup rules if container block: - name: Discover and set container variable if required From a759c38902695db28551e4b150a27f06972942c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:03:23 +0000 Subject: [PATCH 394/454] removed split filter allowing old ansible versions 
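Review bot: In the new `Ensure root password is set` block the `shell` task has `changed_when: false` but no `failed_when`, so when `grep` finds no match the pipeline returns rc 1 and the task fails right there with a generic shell error — the `assert` and its explanatory `fail_msg` are never reached. Add `failed_when: false` to the shell task so the assert is what fails. The literal `"Password set, SHA512 crypt"` also ties the check to one hash algorithm; on a host using yescrypt (libxcrypt's default on newer distributions) `passwd -S` reports a different method and the assert fails although a password is set, so match the status field instead, e.g. `passwd -S root | awk '{print $2}'` and `that: root_passwd_set.stdout == 'PS'`, which is what 5.6.6 actually asks for. This runs before the container detection task that follows it, so container targets with a locked root will now fail early — worth a note in the README.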
Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.x.yml | 2 +- tasks/section_6/cis_6.2.x.yml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index fc62bafc..04437815 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -119,7 +119,7 @@ ansible.builtin.user: name: "{{ item }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" - loop: "{{ rhel9cis_sugroup_users | split (',') }}" + loop: "{{ rhel9cis_sugroup_users }}" when: - rhel9cis_rule_5_3_7 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 557f3374..a8cafffb 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -194,6 +194,11 @@ changed_when: false register: rhel9cis_6_2_8_root_paths + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" + changed_when: false + register: rhel9cis_6_2_8_root_paths_split + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" ansible.builtin.set_fact: root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}" @@ -216,7 +221,7 @@ ansible.builtin.stat: path: "{{ item }}" register: root_path_perms - loop: "{{ rhel9cis_6_2_8_root_paths.stdout | split(':') }}" + loop: "{{ rhel9cis_6_2_8_root_paths_split.stdout_lines }}" - ansible.builtin.debug: msg: "{{ root_path_perms.results }}" From 3c72af6a83513d894a4e4dcfbb5161043f40a185 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:03:36 +0000 Subject: [PATCH 395/454] fixed spacing Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 64ecd184..13ac418b 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
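Review bot: Dropping `| split(',')` changes the expected type of `rhel9cis_sugroup_users` from a comma-separated string to a list, and `loop` raises `Invalid data passed to 'loop', it requires a list` if the default (not visible here) is still a string. Either convert the default in `defaults/main.yml` to a YAML list in the same commit or keep the old format without the 2.11 filter by using Jinja's native method, `loop: "{{ rhel9cis_sugroup_users.split(',') }}"`. Since this variable decides who is added to the `su` group, the README should state which form is expected.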
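Review bot: The new `Get root paths` task runs a second `sudo -Hiu root env | ... | tr ":" "\n"` purely to split PATH, when the already registered `rhel9cis_6_2_8_root_paths.stdout` can be split without the 2.11 filter via `loop: "{{ rhel9cis_6_2_8_root_paths.stdout.split(':') }}"`. The `tr`/`stdout_lines` form also yields an empty item for a `::` element, and `stat` with `path: ''` errors out, whereas CIS 6.2.8 wants empty entries and a trailing `:` reported as findings; a `when: item | length > 0` on the stat plus an explicit check for empty elements would match the control rather than crash on it. The `set_fact` that still assigns `root_paths` from the unsplit stdout appears to be unused after this change and can go.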
@@ -55,7 +55,7 @@ ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$' - replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -88,7 +88,7 @@ ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' - replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 tags: From c0d25d67cf45f85490c30e13a0447871a835d85b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:03:47 +0000 Subject: [PATCH 396/454] updated ansible min version Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 165eff54..7b6f8428 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,7 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.9.4 +min_ansible_version: 2.10 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' From 56f0618bc3a58a5dec2ccf05c83efb29ad6536af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:04:08 +0000 Subject: [PATCH 397/454] updated Signed-off-by: Mark Bolwell --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 67fc2dcd..9513374a 100644 --- a/README.md +++ b/README.md 
@@ -37,8 +37,17 @@ RHEL 9 Almalinux 9 Rocky 9 +ansible 2.10 +jmespath +relevant collections + - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) +## Tested with + +ansible-base 2.10.17 - python 3.8 +ansible-core 2.13.4 - python 3.10 + - makefile - this is there purely for testing and initial setup purposes. ## General @@ -65,7 +74,7 @@ Rocky 9 ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL9-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars ## Tags From e88b3efbf05d3d6c3d7779a92ff0b7f2bc6eb34a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:13:33 +0000 Subject: [PATCH 398/454] Updated as per steps Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index cf20cb9f..2c61fc83 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
@@ -7,15 +7,21 @@ name: aide state: present - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" + ansible.builtin.shell: /usr/sbin/aide --init changed_when: false failed_when: false async: 45 poll: 0 args: - creates: /var/lib/aide/aide.db.gz + creates: /var/lib/aide/aide.db.new.gz when: not ansible_check_mode + + - name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB" + ansible.builtin.copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + remote_src: true when: - rhel9cis_config_aide - rhel9cis_rule_1_3_1 From bf83a6b84cddffce419ab6ffebd645d997959241 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 12:19:16 +0000 Subject: [PATCH 399/454] Add more safety around control 5.4.2 Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 ++++++++ tasks/section_5/cis_5.4.x.yml | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d8d62902..b3f73d81 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -622,6 +622,14 @@ rhel9cis_sudolog_location: "/var/log/sudo.log" #### 5.3.6 rhel9cis_sudo_timestamp_timeout: 15 +### 5.4.2 authselect and faillock +## This option is used at your own risk it will enable faillock for users +## Only to be used on a new clean system if not using authselect +## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## +rhel9cis_add_faillock_without_authselect: false +# This needs to be set to ACCEPT +rhel9cis_5_4_2_risks: NEVER + # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index ac37cf23..939285f6 100644 --- a/tasks/section_5/cis_5.4.x.yml 
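Review bot: The new `Build AIDE DB` task is fire-and-forget (`async: 45`, `poll: 0`) but the `copy AIDE DB` task added directly after it runs immediately, so on a first run `/var/lib/aide/aide.db.new.gz` is either absent (the copy fails) or still being written, and a truncated baseline gets promoted to `aide.db.gz`, which silently undermines the integrity check the control exists for. Register the async job and wait on it with `async_status` before copying, or drop the async and let `--init` run synchronously. `failed_when: false` also hides an `aide --init` failure, after which the copy would promote a stale `aide.db.new.gz` from an earlier run; remove it and let the job result surface. The block and its `when` continue outside the hunk.

```yaml
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
  ansible.builtin.shell: /usr/sbin/aide --init
  changed_when: false
  async: 300
  poll: 0
  args:
    creates: /var/lib/aide/aide.db.new.gz
  register: aide_init
  when: not ansible_check_mode

- name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for AIDE DB build"
  ansible.builtin.async_status:
    jid: "{{ aide_init.ansible_job_id }}"
  register: aide_init_result
  until: aide_init_result.finished
  retries: 60
  delay: 5
  when:
    - not ansible_check_mode
    - aide_init.ansible_job_id is defined  # skipped when `creates` short-circuited the build

- name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
  ansible.builtin.copy:
    src: /var/lib/aide/aide.db.new.gz
    dest: /var/lib/aide/aide.db.gz
    remote_src: true
  when: not ansible_check_mode
```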
+++ b/tasks/section_5/cis_5.4.x.yml @@ -28,7 +28,7 @@ - authselect - rule_5.4.1 -- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" ansible.builtin.shell: "authselect current | grep with-faillock" @@ -37,7 +37,7 @@ check_mode: false register: rhel9cis_5_4_2_profiles_faillock - - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Show profiles" ansible.builtin.debug: msg: - "Below are the current custom profiles" 
@@ -46,6 +46,35 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" when: rhel9cis_authselect_custom_profile_select + + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + ansible.builtin.lineinfile: + path: "/etc/pam.d/password-auth" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertbefore: "{{ item.before }}" + loop: + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + when: + - rhel9cis_add_faillock_without_authselect + - rhel9cis_5_4_2_risks == 'ACCEPT' + + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + ansible.builtin.lineinfile: + path: "/etc/pam.d/system-auth" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertbefore: "{{ item.before | default(omit)}}" + insertafter: "{{ item.after | default(omit)}}" + loop: + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so 
authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + when: + - rhel9cis_add_faillock_without_authselect + - rhel9cis_5_4_2_risks == 'ACCEPT' when: - rhel9cis_rule_5_4_2 tags: From 3acc909f91f75010540df040c424fad8d68f3522 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 12:19:22 +0000 Subject: [PATCH 400/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 65f05f87..35e9e445 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ Jan-2023 release +- updated ansible minimum to 2.10 - Lint file updates and improvements - auditd now shows diff ater initial template added - many control rewritten @@ -21,6 +22,7 @@ Jan-2023 release - incorporates issues - #23 - #24 +- New option to add faillock for users without authselect - defaults/main 5.4.2 ## 0.5 From cb0a4e71cd3b42e31b4555510ae59db0bebf0c1d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 12:21:26 +0000 Subject: [PATCH 401/454] fixed version Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 7b6f8428..9815eea6 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,7 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.10 +min_ansible_version: 2.10.1 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' From 42d37955e65ad89b9025112979810cf21702ccd0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 14:03:12 +0000 Subject: [PATCH 402/454] added skip play warning Signed-off-by: Mark Bolwell --- .ansible-lint | 1 + 1 file changed, 1 insertion(+) 
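Review bot: In the new `not auth select profile` tasks the `insertbefore` anchor for the `account` line is `'^account required pam_unix.so'` with single spaces, unlike the `\s+` used by the other anchors; the stock `system-auth`/`password-auth` files pad those columns with runs of spaces, so the anchor will not match and `lineinfile` falls back to appending at end of file, which in a PAM stack puts `pam_faillock.so` after `pam_permit`/`pam_deny` where it is ineffective (the `auth` lines suffer the same if `pam_unix.so try_first_pass` is not literally present on the target). Use `'^account\s+required\s+pam_unix.so'` and `'^auth\s+sufficient\s+pam_unix.so'` as anchors, add `backup: true` since PAM has no `validate` equivalent, and assert that the anchor matched before editing so a miss fails loudly instead of silently weakening the stack. Both task names carry an unbalanced trailing `"`. The defaults comment should also say that `authselect apply-changes` will overwrite these manual edits, which is presumably the reason for the at-your-own-risk flag.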
diff --git a/.ansible-lint b/.ansible-lint index 7ef99f1f..e582a588 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -5,6 +5,7 @@ skip_list: - 'no-changed-when' - 'var-spacing' - 'experimental' + - 'name[play]' - 'name[casing]' - 'name[template]' - 'fqcn[action]' From dc41fef086ccdee15e8c3e8ed947310aafdce44d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 14:03:20 +0000 Subject: [PATCH 403/454] updated Signed-off-by: Mark Bolwell --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index c8bcd9c1..5d7a9b3a 100755 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ GALAXY=ansible-galaxy -ANSIBLE_LINT=ansible-lint +ANSIBLE_LINT='/usr/local/bin/ansible-lint' ANSIBLE_FILE=site.yml all: help @@ -20,7 +20,7 @@ galaxy-install: $(GALAXY) install -r ./collections/requirements.yml ansible-lint: - $(ANSIBLE-LINT) $(ANSIBLE_FILE) + $(ANSIBLE_LINT) $(ANSIBLE_FILE) yamllint: git ls-files "*.yml"|xargs yamllint @@ -28,5 +28,5 @@ yamllint: pip-requirements: @echo 'Python dependencies:' @cat requirements.txt - $(ANSIBLE_LINT) install -r requirements.txt + pip3 install -r requirements.txt From 939102430c50209ab5e0e6e164b3376d0c727846 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 14:03:32 +0000 Subject: [PATCH 404/454] lint updates Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 4 ++-- tasks/section_5/cis_5.4.x.yml | 12 ++++++------ tasks/section_6/cis_6.2.x.yml | 3 --- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f8d2fe61..f2dd1225 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
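Review bot: `ANSIBLE_LINT='/usr/local/bin/ansible-lint'` hardcodes an absolute path, so anyone running ansible-lint from a virtualenv or a distro package gets a `No such file or directory` from `make ansible-lint`; `ANSIBLE_LINT ?= ansible-lint` keeps PATH lookup and lets callers override it, and the `$(ANSIBLE-LINT)` → `$(ANSIBLE_LINT)` fix below it is the right one. The `pip-requirements` target now installs into whatever interpreter `pip3` resolves to with no `--user`, venv or `--require-hashes`, which is a supply-chain footgun on a shared machine; a README line recommending a venv (and pinning in `requirements.txt`, which is not visible here) would help.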
@@ -1,7 +1,7 @@ --- - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: - path: /etc/audit/rules.d/99_auditd.rules + path: /etc/audit/rules.d/99_auditd.rules register: auditd_file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file @@ -20,7 +20,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: - path: /etc/audit/rules.d/98_auditd_exceptions.rules + path: /etc/audit/rules.d/98_auditd_exceptions.rules register: auditd_exception_file - name: POST | Set up auditd user logging exceptions | setup file diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 939285f6..cb370246 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
@@ -54,9 +54,9 @@ line: "{{ item.line }}" insertbefore: "{{ item.before }}" loop: - - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} - - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} - - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'} when: - rhel9cis_add_faillock_without_authselect - rhel9cis_5_4_2_risks == 'ACCEPT' 
@@ -69,9 +69,9 @@ insertbefore: "{{ item.before | default(omit)}}" insertafter: "{{ item.after | default(omit)}}" loop: - - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} - - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} - - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line':'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'} when: - rhel9cis_add_faillock_without_authselect - rhel9cis_5_4_2_risks == 'ACCEPT' diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index a8cafffb..bfd371af 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -223,9 +223,6 @@ register: root_path_perms loop: "{{ rhel9cis_6_2_8_root_paths_split.stdout_lines }}" - - ansible.builtin.debug: - msg: "{{ root_path_perms.results }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions" ansible.builtin.file: path: "{{ item.stat.path }}" From e52cc6ca6b97a794a33758ddd64350971800941d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Jan 2023 08:31:12 +0000 Subject: [PATCH 405/454] 4.1.4.8 tidy title remove register not used Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 7139ab62..9eb2bd5c 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -106,7 +106,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" block: - - name: "PRELIM | 4.1.4.8 | Get audit binary file stat | get current mode" + - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode" ansible.builtin.stat: path: "{{ item }}" register: "audit_bins" @@ -122,7 +122,7 @@ ansible.builtin.file: path: "{{ item.item }}" mode: 0750 - register: "audit_bins" + loop: "{{ audit_bins.results }}" loop_control: label: "{{ item.item }}" From e5ce163fcf6584a9f59a8fd0d3a30a684c9c411b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Feb 2023 08:54:21 +0000 Subject: [PATCH 406/454] new option to 6_2_16 not follow symlinks Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ defaults/main.yml | 10 ++++++++-- tasks/section_6/cis_6.2.x.yml | 1 + 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 35e9e445..24d6b640 100644 --- a/Changelog.md +++ b/Changelog.md 
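Review bot: The `Set mode` task in the 4.1.4.8 hunk writes an absolute `mode: 0750` to every entry in `audit_bins.results`, which can loosen a binary that is already stricter (a `0700` tool gains group execute) even though the control only requires 755 or more restrictive; `mode: "go-w"` removes group/other write and leaves tighter modes alone. Unless a `when:` below the hunk filters on the stat result, the task also runs against paths the stat reported missing and reports changed every run; `when: item.stat.exists and (item.stat.wgrp or item.stat.woth)` keeps it idempotent and limited to real findings. Removing the `register: "audit_bins"` that shadowed the stat result is the right fix. The block continues outside the hunk.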
@@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 1.0.1 + +Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 +Will not follow ynlink in hoe directoris and amend permissions. + +-rhel_09_6_2_16_home_follow_symlink: false + ## Initial CIS v1.0.0 - released Dec 2022 ### Official CIS release diff --git a/defaults/main.yml b/defaults/main.yml index b3f73d81..b7a3e4ff 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -653,8 +653,14 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check # RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -# 6.2.9 -rhel9cis_dotperm_ansiblemanaged: true + + +# 6.2.16 +## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj +rhel_09_6_2_16_home_follow_symlinks: false + + + #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_run_script_environment: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index bfd371af..618cadb9 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -436,6 +436,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: go-w + follow: "{{ rhel_09_6_2_16_home_follow_symlinks }}" loop: "{{ user_dot_files.files }}" loop_control: label: "{{ item.path }}" From ca4d8764eee06913d3bebc62f35e58fc3506404a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Feb 2023 09:12:13 +0000 Subject: [PATCH 407/454] updated changedlog Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 24d6b640..f77e2959 100644 --- a/Changelog.md +++ b/Changelog.md 
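Review bot: The new variable is named `rhel_09_6_2_16_home_follow_symlinks`, which breaks the `rhel9cis_` prefix every other default in this file uses and differs from the name the changelog hunk documents (`rhel_09_6_2_16_home_follow_symlink`, no `s`), so a user following the changelog sets a variable the 6.2.16 task never reads and symlink handling silently stays at the default; rename it `rhel9cis_6_2_16_home_follow_symlinks` and use the same spelling in the changelog. Keeping `false` as the default is the right call, since following a user-planted symlink would let the role change permissions on a target outside the home directory. This hunk also deletes `rhel9cis_dotperm_ansiblemanaged`, which will produce an undefined-variable error if any task still references it — not visible here, so worth a grep. The comment has typos (`Dont`, `comminty`, `reedbacj`); `## Do not follow symlinks when changing permissions on user home directory dot files (thanks to @dulin-gnet and rhel8-cis community feedback)` reads cleanly.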
@@ -5,7 +5,7 @@ Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 Will not follow ynlink in hoe directoris and amend permissions. --rhel_09_6_2_16_home_follow_symlink: false +- rhel_09_6_2_16_home_follow_symlink: false ## Initial CIS v1.0.0 - released Dec 2022 From 155a6016e565dc2324b4a574e5bf9bc51d740a36 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Feb 2023 10:00:01 +0000 Subject: [PATCH 408/454] updated workflow Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 48e7eed3..978792ed 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -91,7 +91,7 @@ jobs: - name: add urandom passwd to root account shell: bash run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b # Run the ansible playbook - name: Run_Ansible_Playbook From a14e9c5dbe035fa3bf3f2777b45f1045e6e49a84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 11:31:46 +0000 Subject: [PATCH 409/454] #30 thanks to @smatterchew sshd config file dropin ability Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ tasks/prelim.yml | 16 +++++++++++++ tasks/section_5/cis_5.2.x.yml | 42 +++++++++++++++++------------------ 3 files changed, 40 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b7a3e4ff..42f26cc9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
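Review bot: `ANSIBLE_HOST_KEY_CHECKING=False && ansible all ...` in the retained run line assigns a shell variable and then runs `ansible` in a separate command without it exported, so host key checking is not actually disabled for this step; write `ANSIBLE_HOST_KEY_CHECKING=False ansible all -i ... -b` with no `&&`, or put it under `env:` on the step. The `tr -dc ‘[:print:]’` uses Unicode curly quotes (U+2018/U+2019) rather than ASCII `'`, so the quote bytes become part of the `tr` set and `[:print:]` itself admits spaces and shell metacharacters in the root password; `tr -dc '[:alnum:]' < /dev/urandom | head -c 50 | passwd --stdin root` is safer and has no quoting ambiguity. Dropping `--private-key` now relies on the key being loaded by an earlier step or ssh-agent, which is fine but deserves a one-line comment on the step.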
@@ -560,6 +560,9 @@ rhel9cis_logrotate: "daily" ## Section5 vars +# This will allow use of drop in files when CIS adopts them. +rhel9_cis_sshd_config_file: /etc/ssh/sshd_config + rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 18e0c177..97e9e99f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -175,6 +175,22 @@ - rule_5.1.1 - cron +# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config +- name: "PRELIM | Section 5.2 | SSH" + ansible.builtin.file: + path: "{{ rhel9_cis_sshd_config_file }}" + owner: root + group: root + mode: 0600 + state: touch + when: + - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' + - "'openssh-server' in ansible_facts.packages" + tags: + - ssh + - level1_server + - level1_workstation + - name: "PRELIM | Install authconfig" ansible.builtin.package: name: authconfig diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 8d0c0501..9054afd2 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -2,7 +2,7 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: - path: /etc/ssh/sshd_config + path: "/etc/ssh/sshd_config" owner: root group: root mode: 0600 @@ -77,7 +77,7 @@ block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s @@ -86,7 +86,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s 
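Review bot: The new PRELIM task creates `rhel9_cis_sshd_config_file` with `state: touch` and no `modification_time: preserve` / `access_time: preserve`, so it reports changed on every run; adding those two options keeps it idempotent. Nothing verifies that sshd will read the drop-in: on RHEL 9 the stock `/etc/ssh/sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` near the top and sshd keeps the first value it sees for each keyword, so a path outside that directory, without the `.conf` suffix, or included after a conflicting directive would leave every 5.2.x setting written to it without effect — an assert that the path matches `^/etc/ssh/sshd_config\.d/.+\.conf$` (or a grep for an `Include` that covers it) makes that failure loud instead of silent. The tags use `level1_server` / `level1_workstation` while the rest of the role uses hyphens (`level1-server`), so a `--tags level1-server` run would skip this prerequisite. Since 5.2.1 still hardens only `/etc/ssh/sshd_config`, the variable's comment should say that file permissions on the drop-in come from this PRELIM task.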
@@ -95,7 +95,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s @@ -104,7 +104,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s @@ -121,7 +121,7 @@ - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -136,7 +136,7 @@ - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s @@ -151,7 +151,7 @@ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -166,7 +166,7 @@ - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s 
@@ -181,7 +181,7 @@ - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -196,7 +196,7 @@ - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s @@ -211,7 +211,7 @@ - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -226,7 +226,7 @@ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s @@ -241,7 +241,7 @@ - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s @@ -277,7 +277,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^Banner' line: 'Banner /etc/issue.net' when: @@ -291,7 +291,7 @@ - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s 
@@ -306,7 +306,7 @@ - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s @@ -321,7 +321,7 @@ - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -336,7 +336,7 @@ - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s @@ -353,14 +353,14 @@ block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s From 642e89b20da4ac00885b135d8f86b7a2a7bfd01b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 11:32:03 +0000 Subject: [PATCH 410/454] added issue 30 fix Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index f77e2959..7fefc657 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.0.2 + +#30 - thanks to smattterchew ability to change sshd config file to use dropin file instead. + ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 From f9239d7a8ad91ade3a175c06c258b55c507de45c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 11:32:26 +0000 Subject: [PATCH 411/454] updated for issue #30 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index fde2a678..caa87ce4 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -467,6 +467,9 @@ rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }} rhel9cis_syslog: {{ rhel9cis_syslog }} # Section 5 +# This will allow use of drop in files when CIS adopts them. +rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }} + ## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false rhel9cis_sshd_access: From a28c0531eebc6819e46614d794019ad570e5d177 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 14:02:49 +0000 Subject: [PATCH 412/454] align audit release Signed-off-by: Mark Bolwell --- Changelog.md | 1 + defaults/main.yml | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 7fefc657..4ca9caf2 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## 1.0.2 #30 - thanks to smattterchew ability to change sshd config file to use dropin file instead. +Aligned benchmark audit version with remediate release ## 1.0.1 diff --git a/defaults/main.yml b/defaults/main.yml index 42f26cc9..4a95eafe 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -33,6 +33,9 @@ python2_bin: /bin/python2.7 ## Benchmark name used by audting control role # The audit variable found at the base +## metadata for Audit benchmark +benchmark_version: 'v1.0.0' + benchmark: RHEL9-CIS # Whether to skip the reboot @@ -692,7 +695,7 @@ copy_goss_from_path: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: devel +audit_git_version: "benchmark_{{ benchmark_version }}" # copy: audit_local_copy: "some path to copy from" From b9b283fd5219222fb5e47bdf24b88e56fa958f48 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 14:16:15 +0000 Subject: [PATCH 413/454] added fix for issue #30 Signed-off-by: Mark Bolwell --- Changelog.md | 6 +++++- tasks/section_1/cis_1.4.x.yml | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 4ca9caf2..ba1933c5 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,11 @@ ## 1.0.2 -#30 - thanks to smattterchew ability to change sshd config file to use dropin file instead. +thanks to @smatterchew +#30 ability to change sshd config file to use dropin file instead. + +thanks to @I-am-MoS +#34 create user.cfg if not present Aligned benchmark audit version with remediate release ## 1.0.1 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index f2dcaee9..7f0e71a1 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -26,6 +26,9 @@ owner: root group: root mode: "{{ item.mode }}" + state: touch + modification_time: preserve + acess_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - { path: 'grubenv', mode: '0600' } From 80168bc6d4e73affd810fdc2306b535f45a3eeca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 14:44:00 +0000 Subject: [PATCH 414/454] update urandom check again 
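Review bot: `benchmark_version: 'v1.0.0'` and its `## metadata for Audit benchmark` heading are inserted between the existing `## Benchmark name used by audting control role` comment and the `benchmark: RHEL9-CIS` key that comment describes, so the older comment now reads as if it belonged to the new variable. Moving the two new lines below `benchmark:` (or above the older comment) keeps each comment attached to its key. On the `audit_git_version` change, deriving the checkout ref from `benchmark_version` is an improvement over tracking `devel`, but a tag or branch name is still a moving reference; a comment such as `# branch/tag of the audit repo checked out at run time — pin to a commit if audits must be reproducible` would tell operators what they are trusting.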
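Review bot: Adding `state: touch` to the loop task in tasks/section_1/cis_1.4.x.yml creates an empty file for every item — `grub.cfg` and `grubenv` as well as the `user.cfg` that the Changelog entry for #34 targets — so a host whose bootloader config is absent or lives elsewhere ends up with an empty root-owned `grub.cfg` instead of a task failure that would surface the misconfiguration. Consider limiting `state: touch` to the item that may legitimately be missing (for example an extra `state` field per loop item, defaulting to `file`) or guarding the task with a stat. `acess_time` is also misspelled and would be rejected as an unsupported parameter; the module's name is `access_time: preserve` (this is corrected further down the page in PATCH 417). The task header and the rest of the loop are outside the hunk.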
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 978792ed..991470eb 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -90,8 +90,9 @@ jobs: # Set up requirements for random root password CIS 5.6.6 - name: add urandom passwd to root account shell: bash + working-directory: .github/workflows run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem # Run the ansible playbook - name: Run_Ansible_Playbook From 52a293e9a12a3fb3dbd77fab14600fdbc21eb9dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:25:32 +0000 Subject: [PATCH 415/454] removed register Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f2dd1225..07e73d26 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,4 +1,5 @@ --- + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/99_auditd.rules @@ -12,7 +13,6 @@ group: root mode: 0640 diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file - register: audit_rules_updated notify: - Auditd immutable check - Audit immutable fact From e0a490e1d54f1af0453e3a3d58ae7344e86080ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:25:45 +0000 Subject: [PATCH 416/454] Added POST to name 
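Review bot: In the rewritten `run:` block, `ANSIBLE_HOST_KEY_CHECKING=False && ansible …` sets a shell variable in one command and runs ansible in a separate one, so the setting is never exported to the ansible process and host-key checking stays at whatever the environment already has — the step only works if something else disables it. Writing `ANSIBLE_HOST_KEY_CHECKING=False ansible all -i hosts.yml …` on one line without `&&` passes it through; the more defensible option is to leave checking on and pre-populate `known_hosts` for the test hosts. The `tr -dc ‘[:print:]’` filter also uses typographic quotes rather than shell quotes, so those quote bytes most likely become part of the accepted character set and can end up in the generated password.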
Signed-off-by: Mark Bolwell --- tasks/post.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 3a2426eb..591cfda0 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,13 +1,13 @@ --- # Post tasks -- name: Gather the package facts after remediation +- name: POST | Gather the package facts after remediation ansible.builtin.package_facts: manager: auto tags: - always -- name: Update sysctl +- name: POST | Update sysctl ansible.builtin.template: src: "etc/sysctl.d/{{ item }}.j2" dest: "/etc/sysctl.d/{{ item }}" From 969ee917ba3d96f2d519f8554118cb6609c67802 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:26:15 +0000 Subject: [PATCH 417/454] #36 thanks to @fahadysf Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 7f0e71a1..ec27fa64 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -28,7 +28,7 @@ mode: "{{ item.mode }}" state: touch modification_time: preserve - acess_time: preserve + access_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - { path: 'grubenv', mode: '0600' } From 7459f1d44586dc69c412b7dd304b39eec38352c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:26:34 +0000 Subject: [PATCH 418/454] idempontency improvements Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 9eb2bd5c..5e9ee737 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml 
@@ -8,7 +8,13 @@ block: - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - register: audit_logfile + register: audit_discovered_logfile + changed_when: false + + - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" + ansible.builtin.stat: + path: "{{ audit_discovered_logfile.stdout }}" + register: auditd_logfile changed_when: false - name: | @@ -16,8 +22,8 @@ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: - path: "{{ audit_logfile.stdout }}" - mode: 0640 + path: "{{ audit_discovered_logfile.stdout }}" + mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" owner: root group: root when: @@ -37,12 +43,12 @@ block: - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" ansible.builtin.stat: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_discovered_logfile.stdout | dirname }}" register: auditlog_dir - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory mode: 0750 when: not auditlog_dir.stat.mode is match('07(0|5)0') From c119a8074f40c28bf25a83e25021569afc720311 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:39:07 +0000 Subject: [PATCH 419/454] removed urandom work Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 991470eb..8d26a35c 100644 --- a/.github/workflows/linux_benchmark_testing.yml 
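Review bot: The new `mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"` renders to an empty string when the log file is already 0600, and an empty value is not a valid octal or symbolic mode for the file module, so the case that is already stricter than required is the one most likely to fail (please verify against the module version in use; even if it tolerated the empty string the expression reads as a lookup that sometimes returns nothing). `mode: "{{ omit if auditd_logfile.stat.mode == '0600' else '0640' }}"` expresses the intent with the module's documented `omit` placeholder, and a comment such as `# keep an existing 0600; CIS only requires 0640 or more restrictive` would explain why the file is not simply forced to 0640. The `changed_when: false` on the new stat task is harmless but redundant, since stat never reports a change. The discovery shell task and the file task's `when:` clause lie outside the hunk.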
+++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,13 +87,6 @@ jobs: run: sleep 60s shell: bash -# Set up requirements for random root password CIS 5.6.6 - - name: add urandom passwd to root account - shell: bash - working-directory: .github/workflows - run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem - # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From 13705f1d121a6af2e51fcb6122b5839f86591074 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:39:21 +0000 Subject: [PATCH 420/454] added skip to 5.6.6 root passwd check Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index dad096fe..735646e5 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,6 +79,7 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel skip_reboot: false + rhel9cis_rule_5_6_6: false # skip root passwd check and keys only EOF } From f6b3e9b9e27ed1797b8ee3c014edc07c449ddc45 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:49:40 +0000 Subject: [PATCH 421/454] moved to default audit version Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 735646e5..516d5cc1 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -77,7 +77,6 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true - audit_git_version: devel skip_reboot: false rhel9cis_rule_5_6_6: false # skip root passwd check and keys only EOF From 0ab1bdd120bf2186779fbc58482be63c1cc089e4 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 28 Feb 2023 08:01:57 +0000 Subject: [PATCH 422/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index ba1933c5..8f948819 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,11 @@ # Changes to rhel9CIS +## 1.0.3 + +Update to auditd components improve idempotency and tidy up +workflow update to remove the urandom update +skip 5.6.6 root password check + ## 1.0.2 thanks to @smatterchew @@ -7,6 +13,7 @@ thanks to @smatterchew thanks to @I-am-MoS #34 create user.cfg if not present + Aligned benchmark audit version with remediate release ## 1.0.1 From 37f0eec4d4de7490f45f1aab9f8b28f155d89d64 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 14:28:48 +0000 Subject: [PATCH 423/454] Added audit template change warn control Signed-off-by: Mark Bolwell --- Changelog.md | 1 + tasks/auditd.yml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/Changelog.md b/Changelog.md index 8f948819..4e65f04b 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## 1.0.3 Update to auditd components improve idempotency and tidy up +Added a warning to check diff if any changes to template file (if template file exists) else its new. workflow update to remove the urandom update skip 5.6.6 root password check diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 07e73d26..cc0f6225 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
@@ -13,11 +13,20 @@ group: root mode: 0640 diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file + register: auditd_template_updated notify: - Auditd immutable check - Audit immutable fact - Restart auditd +- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'Auditd_template_updated-see-diff-output' + when: + - auditd_template_updated.changed + - auditd_file.stat.exists + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/98_auditd_exceptions.rules From b88dca6954c24a62a82ee296ecc737ca7cc61777 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 09:10:39 +0000 Subject: [PATCH 424/454] updated warning for template updated Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index cc0f6225..1768aa17 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -22,7 +22,7 @@ - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'Auditd_template_updated-see-diff-output' + warn_control_id: 'Auditd template updated, see diff output for details' when: - auditd_template_updated.changed - auditd_file.stat.exists From 58d3bb4e41d70a92fa4187820b16939c4ffd284f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 09:17:38 +0000 Subject: [PATCH 425/454] updated var naming 
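Review bot: The new warning task conditions on `auditd_template_updated.changed`; the `is changed` test (`- auditd_template_updated is changed`) is the form the Ansible docs and ansible-lint prefer and behaves the same here. The condition also depends on `auditd_file.stat.exists` from an earlier task, so the warning is raised only when an existing rules file was rewritten; a comment above the task such as `# Warn only when an existing rules file was rewritten — the template task's diff shows what changed` would make that intent readable without scrolling up to the stat task. The template task itself starts above the hunk.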
Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 ++-- tasks/auditd.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 4 +- tasks/section_3/cis_3.2.x.yml | 10 ++--- tasks/section_3/cis_3.3.x.yml | 40 ++++++++++---------- templates/audit/98_auditd_exception.rules.j2 | 2 +- 7 files changed, 34 insertions(+), 34 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4a95eafe..fb188b00 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -464,9 +464,9 @@ rhel9cis_ftp_client: false ## Section3 vars ## Sysctl -sysctl_update: false -flush_ipv4_route: false -flush_ipv6_route: false +rhel9cis_sysctl_update: false +rhel9cis_flush_ipv4_route: false +rhel9cis_flush_ipv6_route: false ### Firewall Service - either firewalld, iptables, or nftables #### Some control allow for services to be removed or masked @@ -512,7 +512,7 @@ rhel9cis_max_log_file_size: 10 update_audit_template: false ## Advanced option found in auditd post -allow_auditd_uid_user_exclusions: false +rhel9cis_allow_auditd_uid_user_exclusions: false # This can be used to configure other keys in auditd.conf diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 1768aa17..2a2eb9c8 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -42,5 +42,5 @@ diff: "{{ auditd_exception_file.stat.exists }}" notify: Restart auditd when: - - allow_auditd_uid_user_exclusions + - rhel9cis_allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 443bfc19..3f806471 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -33,7 +33,7 @@ block: - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" ansible.builtin.set_fact: - sysctl_update: true + rhel9cis_sysctl_update: true - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" ansible.builtin.debug: 
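Review bot: The rename to the `rhel9cis_` prefix stops short of `update_audit_template: false`, visible as context two lines above `rhel9cis_allow_auditd_uid_user_exclusions` in the defaults/main.yml hunk, so this commit leaves one unprefixed toggle next to the ones it renames. The commit's diffstat also lists neither handlers/main.yml nor tasks/post.yml, which still test `flush_ipv4_route`, `flush_ipv6_route` and `sysctl_update` under the old names (they are renamed in the next commit on this page), so at this commit the sysctl handlers and the post sysctl task would hit undefined variables. While touching tasks/section_3/cis_3.3.x.yml, note that the 3.3.5 debug task's name, `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"`, is missing its opening quote and so carries a stray `"` in the task name.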
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index e972ae2d..7ffe31c2 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -6,8 +6,8 @@ block: - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv6_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv6_route: true - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" ansible.builtin.debug: diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 56e47f76..cc5567f0 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -4,8 +4,8 @@ block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" ansible.builtin.debug: @@ -15,7 +15,7 @@ block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" ansible.builtin.set_fact: - flush_ipv6_route: true + rhel9cis_flush_ipv6_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" ansible.builtin.debug: @@ -36,8 +36,8 @@ block: - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 84363e7c..e8f3a5f6 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
@@ -4,8 +4,8 @@ block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -14,7 +14,7 @@ block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" ansible.builtin.set_fact: - flush_ipv6_route: true + rhel9cis_flush_ipv6_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" ansible.builtin.debug: @@ -33,8 +33,8 @@ block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" ansible.builtin.debug: @@ -44,7 +44,7 @@ block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" ansible.builtin.set_fact: - flush_ipv6_route: true + rhel9cis_flush_ipv6_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" ansible.builtin.debug: @@ -63,8 +63,8 @@ block: - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" ansible.builtin.debug: 
@@ -82,8 +82,8 @@ block: - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" ansible.builtin.debug: @@ -101,8 +101,8 @@ block: - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" ansible.builtin.debug: @@ -120,8 +120,8 @@ block: - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" ansible.builtin.debug: @@ -139,8 +139,8 @@ block: - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" ansible.builtin.debug: @@ -158,8 +158,8 @@ block: - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" ansible.builtin.debug: 
@@ -177,8 +177,8 @@ block: - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv6_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv6_route: true - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" ansible.builtin.debug: diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index d8a0b8da..56026329 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,7 +1,7 @@ ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if allow_auditd_uid_user_exclusions %} +{% if rhel9cis_allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} From 03e4b0e57ff13b1847cfef6aa968422fcf5877c4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 10:17:37 +0000 Subject: [PATCH 426/454] variable naming Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- tasks/auditd.yml | 14 +++++++------- tasks/post.yml | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 212eacc9..552d29f2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,7 +13,7 @@ sysctl_set: true ignore_errors: true # noqa ignore-errors when: - - flush_ipv4_route + - rhel9cis_flush_ipv4_route - not system_is_container - name: Sysctl flush ipv6 route table @@ -22,7 +22,7 @@ value: '1' sysctl_set: true when: - - flush_ipv6_route + - rhel9cis_flush_ipv6_route - not system_is_container - name: Systemd restart tmp.mount diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 2a2eb9c8..486ef315 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
@@ -3,7 +3,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/99_auditd.rules - register: auditd_file + register: rhel9cis_auditd_file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file ansible.builtin.template: @@ -12,8 +12,8 @@ owner: root group: root mode: 0640 - diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file - register: auditd_template_updated + diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file + register: rhel9cis_auditd_template_updated notify: - Auditd immutable check - Audit immutable fact @@ -24,13 +24,13 @@ vars: warn_control_id: 'Auditd template updated, see diff output for details' when: - - auditd_template_updated.changed - - auditd_file.stat.exists + - rhel9cis_auditd_template_updated.changed + - rhel9cis_auditd_file.stat.exists - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/98_auditd_exceptions.rules - register: auditd_exception_file + register: rhel9cis_auditd_exception_file - name: POST | Set up auditd user logging exceptions | setup file ansible.builtin.template: @@ -39,7 +39,7 @@ owner: root group: root mode: 0640 - diff: "{{ auditd_exception_file.stat.exists }}" + diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" notify: Restart auditd when: - rhel9cis_allow_auditd_uid_user_exclusions diff --git a/tasks/post.yml b/tasks/post.yml index 591cfda0..8e8fea72 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -22,7 +22,7 @@ - 60-netipv4_sysctl.conf - 60-netipv6_sysctl.conf when: - - sysctl_update + - rhel9cis_sysctl_update - not system_is_container - "'procps-ng' in ansible_facts.packages" From a307da2ab201f7f1041bb087f572a1869e52b723 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 1 Mar 2023 10:17:46 +0000 Subject: [PATCH 427/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 4e65f04b..11a8fba1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ Update to auditd components improve idempotency and tidy up Added a warning to check diff if any changes to template file (if template file exists) else its new. workflow update to remove the urandom update skip 5.6.6 root password check +variable naming ## 1.0.2 From c061a35b317f1dd069eeea8a6e933379f597bc4a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:21:08 +0000 Subject: [PATCH 428/454] created new gpg_key_package variable Signed-off-by: Mark Bolwell --- vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vars/main.yml b/vars/main.yml index 9815eea6..edc6c7d0 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -10,3 +10,5 @@ rhel9cis_allowed_crypto_policies: # Used to control warning summary warn_control_list: "" warn_count: 0 + +gpg_key_package: "{{ ansible_distribution | lower )-gpg-keys }}" From 3de7cd2f56a45799a425236bb94d70790525cfae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:21:33 +0000 Subject: [PATCH 429/454] use new variable gpg_key_variable Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 97e9e99f..e674fb6f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -120,11 +120,12 @@ - name: "PRELIM | Update to latest gpg keys" ansible.builtin.package: - name: "{{ ansible_distribution | lower }}-gpg-keys" + name: "{{ gpg_key_package }}" state: latest when: - rhel9cis_rule_1_2_4 - ansible_distribution != 'RedHat' + - ansible_distribution != 'OracleLinux' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: 
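Review bot: `gpg_key_package: "{{ ansible_distribution | lower )-gpg-keys }}"` is not a valid Jinja expression — the closing `}}` has become `)` and `-gpg-keys` sits inside the braces — so it will raise a template error the first time it is evaluated, which the following commit's tasks/prelim.yml hunk does through `name: "{{ gpg_key_package }}"`. The intended value is `gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"`. Because this is the package that ships the distribution's RPM signing keys, a comment such as `# package providing the distribution's RPM signing keys; RedHat and OracleLinux are excluded in prelim` would record why those two distributions are skipped in the prelim `when:`.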
From e04da88df42da0108d489f359513c574fbe5c87a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:22:08 +0000 Subject: [PATCH 430/454] Added OracleLinux support Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 1 + vars/OracleLinux.yml | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 vars/OracleLinux.yml diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 452c0096..25017320 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -112,6 +112,7 @@ when: - rhel9cis_rule_1_2_4 - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' + - ansible_distribution != 'OracleLinux' tags: - level1-server - level1-workstation diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml new file mode 100644 index 00000000..d9161786 --- /dev/null +++ b/vars/OracleLinux.yml @@ -0,0 +1,4 @@ +--- +# OS Specific Settings +os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec +os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " From 58122f2fee3d416f38ebc83d4b7c58869d042f9e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:51:41 +0000 Subject: [PATCH 431/454] updated layout Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +++ .yamllint | 52 ++++++++++++++++++++++++++------------------------- 2 files changed, 30 insertions(+), 25 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index e582a588..964eb052 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,9 +1,12 @@ +--- + parseable: true quiet: true skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' + - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' diff --git a/.yamllint b/.yamllint index 4823010f..3af111e7 100644 --- a/.yamllint +++ b/.yamllint 
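Review bot: In the new vars/OracleLinux.yml, `os_gpg_key_pubkey_content: "Oracle Linux (release key 1) "` ends in a trailing space inside the quotes, which suggests the angle-bracketed address that normally follows a key's summary was dropped when this page was rendered; please confirm the committed string matches what `rpm -q gpg-pubkey --qf '%{summary}\n'` prints for `gpg-pubkey-8d8b756f-629e59ec`, since an exact comparison against it would otherwise never match. The .ansible-lint hunk adds `fqcn-builtins` to `skip_list` even though the tasks on this page already use `ansible.builtin.` names, so the skip disables a rule the code currently satisfies; dropping it keeps that guarantee enforced.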
@@ -1,29 +1,31 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - extends: default +ignore: | + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml + rules: - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - indentation: - indent-sequences: consistent - level: error - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false From 5984829b471d63e40fa6da5a7ecca8caebe4c236 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:54:00 +0000 Subject: [PATCH 432/454] Oracle Support added Signed-off-by: Mark Bolwell --- Changelog.md | 1 + README.md | 1 + 2 files changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 11a8fba1..8d509baa 100644 --- a/Changelog.md +++ b/Changelog.md @@ -7,6 +7,7 @@ Added a warning to check diff if any changes to template file (if template file workflow update to remove the urandom update skip 5.6.6 root password check variable naming +OracleLinux support added ## 1.0.2 diff --git a/README.md b/README.md index 9513374a..71e7636d 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ To use release version please point to main branch RHEL 9 Almalinux 9 Rocky 9 +OracleLinux 9 ansible 2.10 jmespath From 5a928b4304336f749913fb0f7df93d0479fec0c6 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 7 Mar 2023 11:02:15 +0000 Subject: [PATCH 433/454] Issue #38 thanks to bdwyertech Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.2.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 72767a41..2c9355b3 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -19,7 +19,7 @@ path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: Restart systemd_journal_upload + notify: Restart journald loop: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} @@ -106,7 +106,7 @@ path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes - notify: Restart systemd_journal_upload + notify: Restart journald when: - rhel9cis_rule_4_2_2_3 tags: @@ -121,7 +121,7 @@ path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent - notify: Restart systemd_journal_upload + notify: Restart journald when: - rhel9cis_rule_4_2_2_4 tags: @@ -137,7 +137,7 @@ path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" - notify: Restart systemd_journal_upload + notify: Restart journald when: - rhel9cis_rule_4_2_2_5 tags: @@ -153,7 +153,7 @@ path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: Restart systemd_journal_upload + notify: Restart journald loop: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } From de2896ed73750d06ae96574558920caf57840af7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Mar 2023 11:03:04 +0000 Subject: [PATCH 434/454] updated 
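Review bot: The first hunk, which edits /etc/systemd/journal-upload.conf (`URL=`, `ServerKeyFile=`), now notifies `Restart journald`; restarting systemd-journald does not restart systemd-journal-upload.service, so a changed upload target or key file is not applied until that unit is restarted separately, and remote forwarding keeps running with the old settings. The journald.conf hunks (Compress, Storage, ForwardToSyslog, SystemMaxUse) are correctly moved to the journald handler. If the `Restart systemd_journal_upload` handler was dropped with this change (handlers/main.yml is not in the hunk), re-add it and keep `notify: Restart systemd_journal_upload` on the journal-upload.conf task, or use a handler that restarts both services.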
Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 8d509baa..6933ff59 100644 --- a/Changelog.md +++ b/Changelog.md @@ -8,6 +8,7 @@ workflow update to remove the urandom update skip 5.6.6 root password check variable naming OracleLinux support added +#38 journald restart amendment thanks to @bdwyertech ## 1.0.2 From 599c6db3e145f3e8441f5ff9726fc72655739237 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 08:18:18 +0000 Subject: [PATCH 435/454] fix typo Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index edc6c7d0..2a931845 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -11,4 +11,4 @@ rhel9cis_allowed_crypto_policies: warn_control_list: "" warn_count: 0 -gpg_key_package: "{{ ansible_distribution | lower )-gpg-keys }}" +gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys" From b170c4ac736ddb5d930db0c37a6f2f19f05d6e0e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 10:13:26 +0000 Subject: [PATCH 436/454] fix typo Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 552d29f2..968e9e68 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -28,7 +28,7 @@ - name: Systemd restart tmp.mount ansible.builtin.systemd: name: tmp.mount - daemon_Reload: true + daemon_reload: true enabled: true masked: false state: Reloaded From ebdb8b9129c2c271b8cd33d96fa0a547a092ba00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:08:12 +0000 Subject: [PATCH 437/454] Updated layout Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 5e9ee737..ec3eebd5 100644 --- a/tasks/section_4/cis_4.1.4.x.yml 
+++ b/tasks/section_4/cis_4.1.4.x.yml @@ -8,14 +8,14 @@ block: - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - register: audit_discovered_logfile changed_when: false + register: audit_discovered_logfile - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" ansible.builtin.stat: path: "{{ audit_discovered_logfile.stdout }}" - register: auditd_logfile changed_when: false + register: auditd_logfile - name: | "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" From 5e5174a5b0981585726191b392a9984efa760aa5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:19:35 +0000 Subject: [PATCH 438/454] updated marker Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 12 ++++++------ tasks/section_5/cis_5.6.x.yml | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 2c61fc83..1275d865 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -57,7 +57,7 @@ - name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: path: /etc/aide.conf - marker: "# {mark} Audit tools (CIS - Ansible)" + marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" block: | /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 4eeb61dc..10e0ac2e 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml 
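Review bot: In 4.1.4.1 the discovered path is `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'` with no guard, so if `log_file` is absent or commented out `audit_discovered_logfile.stdout` is empty and the following `ansible.builtin.stat` is called with `path: ""`, which errors rather than reporting the audit log as missing. Add `failed_when: audit_discovered_logfile.stdout | length == 0` to the discover task, or fall back with `path: "{{ audit_discovered_logfile.stdout | default('/var/log/audit/audit.log', true) }}"`. The `changed_when: false` on the stat task is redundant since stat never reports a change. The 4.1.4.1 block continues past the end of the hunk.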
@@ -75,7 +75,7 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" ansible.builtin.blockinfile: path: /etc/rsyslog.conf - marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" + marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # mail logging additions to meet CIS standards mail.* -/var/log/mail @@ -90,7 +90,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)" + marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # news logging additions to meet CIS standards news.crit -/var/log/news/news.crit @@ -103,7 +103,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)" + marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # misc. logging additions to meet CIS standards *.=warning;*.=err -/var/log/warn @@ -117,7 +117,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # local log settings to meet CIS standards local0,local1.* -/var/log/localmessages @@ -132,7 +132,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown" block: | # Private settings to meet CIS standards auth,authpriv.* /var/log/secure @@ -143,7 +143,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown" block: | # Cron settings to meet CIS standards cron.* /var/log/cron diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 349095a2..adea2211 100644 --- a/tasks/section_5/cis_5.6.x.yml 
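Review bot: Changing the blockinfile markers from `(ANSIBLE MANAGED)` to `- CIS benchmark - Ansible-lockdown` is not idempotent against hosts already remediated by an earlier release: blockinfile locates its block by the exact marker text, so the old block stays in /etc/rsyslog.conf and a second copy is appended, leaving duplicate selectors such as `mail.* -/var/log/mail` that write every message twice (the same applies to the AIDE rules in the 1.3.3 hunk of this commit). Either keep the previous marker strings, or precede each task with a one-off cleanup using the old marker, e.g. `ansible.builtin.blockinfile` with `marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)"` and `state: absent`. Worth a line in the Changelog either way, since existing deployments will see config drift.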
+++ b/tasks/section_5/cis_5.6.x.yml @@ -48,7 +48,7 @@ ansible.builtin.blockinfile: path: "{{ item.path }}" state: "{{ item.state }}" - marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" + marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true mode: 0644 block: | From 945fe54fe44364e589fd595ad49e307c6ad380f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:19:52 +0000 Subject: [PATCH 439/454] updated comments Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 5 ++++- templates/audit/99_auditd.rules.j2 | 5 ++++- templates/etc/cron.d/aide.cron.j2 | 5 ++++- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 56026329..2f76269e 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,4 +1,7 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by MindPointGroup LLC +### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd {% if rhel9cis_allow_auditd_uid_user_exclusions %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 050de20a..c48782c8 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,4 +1,7 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by MindPointGroup LLC +### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 781fdd40..21270eb8 100644 
--- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,5 +1,8 @@ # Run AIDE integrity check -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by MindPointGroup LLC +### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index f83a74a4..73b45056 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/login-screen] From 0a863c5848fade6a7454e5af4fe1c62844627267 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:20:30 +0000 Subject: [PATCH 440/454] updated comments Signed-off-by: Mark Bolwell --- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index 3534474f..d92c56b6 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop media-handling automount setting 
diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 04e23a51..503069c9 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop media-handling settings diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 227498e7..32192c38 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index a8c297f7..16ded9d1 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 5aa21c17..0b9f6862 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index 5d5869f7..fae6e82b 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 
@@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of CIS +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop screensaver idle-delay setting From 200c924655eec492b88d6e48b2207e7152e2aa50 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Sun, 12 Mar 2023 14:11:01 +0000 Subject: [PATCH 441/454] fixed varaibles naming for tmp mount opts Signed-off-by: Mark Bolwell --- templates/etc/systemd/system/tmp.mount.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index f2c4fe28..3f689eef 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -23,8 +23,8 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_5 %}noexec{% endif %} +Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %} # Make 'systemctl enable tmp.mount' work: [Install] -WantedBy=local-fs.target \ No newline at end of file +WantedBy=local-fs.target From 1a466b7eb798f04aa9b1d857aa0103288e459263 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 08:43:12 +0000 Subject: [PATCH 442/454] updated caps typo Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ handlers/main.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 6933ff59..cc18a24a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.0.4 + +#40 tmp systemd file variable naming update + ## 1.0.3 Update to auditd components improve idempotency and tidy up diff --git a/handlers/main.yml b/handlers/main.yml index 968e9e68..c4b27e76 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
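Review bot: The rewritten `Options=` line in tmp.mount.j2 still emits a trailing comma whenever `rhel9cis_rule_1_1_2_3` (noexec) is false, e.g. `Options=mode=1777,strictatime,nodev,nosuid,`, and when all three are false the line ends in `strictatime,`. Whether systemd/libmount tolerates an empty option is not something I can confirm from here, so move the commas inside the conditionals: `Options=mode=1777,strictatime{% if rhel9cis_rule_1_1_2_2 %},nodev{% endif %}{% if rhel9cis_rule_1_1_2_4 %},nosuid{% endif %}{% if rhel9cis_rule_1_1_2_3 %},noexec{% endif %}`. The variable renames to the 1.1.2.x numbering themselves look correct and the missing final newline fix is welcome.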
@@ -31,7 +31,7 @@ daemon_reload: true enabled: true masked: false - state: Reloaded + state: reloaded - name: Remount tmp ansible.posix.mount: From 868e74bbf4d2d5eb3c12d1f3e84f29807c0d96dc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 09:44:51 +0000 Subject: [PATCH 443/454] issue 41 5.3.7 tasks Signed-off-by: Mark Bolwell --- defaults/main.yml | 9 ++------- tasks/section_5/cis_5.3.x.yml | 22 +++++++++++++++------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fb188b00..836f16fc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -645,11 +645,9 @@ rhel9cis_shell_session_timeout: # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel9cis_futurepwchgdate_autofix: true -# 5.7 -# rhel9cis_sugroup: sugroup # change accordingly wheel is default +# 5.3.7 +rhel9cis_sugroup: nosugroup -# wheel users list please supply comma seperated e.g. "vagrant,root" -rhel9cis_sugroup_users: "root" ## Section6 vars @@ -660,13 +658,10 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" - # 6.2.16 ## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj rhel_09_6_2_16_home_follow_symlinks: false - - #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_run_script_environment: diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 04437815..2f63b232 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml 
@@ -109,17 +109,25 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted" block: + + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" + ansible.builtin.group: + name: "{{ rhel9cis_sugroup }}" + state: present + register: rhel9cis_5_3_7_sugroup + + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group" + ansible.builtin.lineinfile: + path: /etc/group + regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$' + line: '{{ rhel9cis_sugroup }}\g<1>' + backrefs: true + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" ansible.builtin.lineinfile: path: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - ansible.builtin.user: - name: "{{ item }}" - groups: "{{ rhel9cis_sugroup | default('wheel') }}" - loop: "{{ rhel9cis_sugroup_users }}" + line: 'auth required pam_wheel.so use_uid group={{ rhel9cis_sugroup }}' when: - rhel9cis_rule_5_3_7 tags: From 67f7c44ca82ef5136548eb4225d4b15465502fc9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 09:45:26 +0000 Subject: [PATCH 444/454] tidy up control not required Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e674fb6f..f5553374 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
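Review bot: The new "remove users from group" task rewrites /etc/group directly with `lineinfile` and `backrefs`, which bypasses the shadow-utils locking and leaves /etc/gshadow membership untouched, so `getent`/`gpasswd` can disagree with the file the role edited; the regexp `'^{{ rhel9cis_sugroup }}(:.:.*:).*$'` also assumes a single-character password field and silently matches nothing otherwise. Prefer `ansible.builtin.command: gpasswd -M '' {{ rhel9cis_sugroup }}` with a `changed_when` derived from the current member list, which keeps both files consistent. The result of the `ansible.builtin.group` task is registered as `rhel9cis_5_3_7_sugroup` but never used. Since the default is now an empty `nosugroup` and the pam line becomes `auth required pam_wheel.so use_uid group={{ rhel9cis_sugroup }}`, the defaults/main.yml comment should spell out that this blocks `su` for every non-root account unless the operator populates the group.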
@@ -226,26 +226,6 @@ - rule_5.3.4 - rule_5.3.5 -- name: "PRELIM | Check sugroup exists if used" - block: - - name: "PRELIM | Check su group exists if defined" - ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint - - - name: "PRELIM | Check sugroup if defined exists before continuing" - ansible.builtin.assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" - when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 - tags: - - rule_5.7 - - name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | Capture UID_MIN information from logins.def" From 95637e935d082a56e9bcecb1626cb325f4b62284 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 09:48:15 +0000 Subject: [PATCH 445/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index cc18a24a..3d80626e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## 1.0.4 #40 tmp systemd file variable naming update +#41 5.3.7 logic and rewrite - tidy up prelin for sugroup work ## 1.0.3 From 8369b9a1e463120bf119409be975d619f55add5c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 09:48:52 +0000 Subject: [PATCH 446/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 3d80626e..2d3fe5a6 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,7 +3,7 @@ ## 1.0.4 #40 tmp systemd file variable naming update -#41 5.3.7 logic and rewrite - tidy up prelin for sugroup work +#41 5.3.7 logic and rewrite - tidy up prelim for sugroup work ## 1.0.3 From 5a584e3ad79da913987cf2f5250596b0ddd64996 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 13 Mar 2023 10:20:02 +0000 Subject: [PATCH 447/454] updated audit template Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index caa87ce4..8749fc13 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -508,7 +508,4 @@ rhel9cis_pass: warn_age: {{ rhel9cis_pass['warn_age'] }} ## 5.3.7 set sugroup if differs from wheel -rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} - -## 5.3.7 sugroup users list -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} +rhel9cis_sugroup: {{ rhel9cis_sugroup }} From dca936a2837d7afc7920423fc40c7723d34cf4bf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 10:24:08 +0000 Subject: [PATCH 448/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 2d3fe5a6..38005bbf 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,7 +3,7 @@ ## 1.0.4 #40 tmp systemd file variable naming update -#41 5.3.7 logic and rewrite - tidy up prelim for sugroup work +#41 5.3.7 logic and rewrite - tidy up prelim for sugroup work - audit updated ## 1.0.3 From 181002c23b3e9b41bbc0b3f53949e82db9a35324 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Mar 2023 14:04:38 +0000 Subject: [PATCH 449/454] added benchamrk audit validation Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index c05ddb3c..2947e6ae 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -21,6 +21,10 @@ when: - audit_content == 'git' +- name: Pre Audit | confirm audit branch vs benchmark version + ansible.builtin.debug: + msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}" + - name: Pre Audit | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" From 74e96cedd3c176bfb862a331d4f6d34928b67378 Mon Sep 17 00:00:00 2001 From: Marcin Dulinski Date: Fri, 17 Mar 2023 14:39:07 +0000 Subject: [PATCH 450/454] Fix system accounts Signed-off-by: Marcin Dulinski --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index adea2211..56b3d5f1 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,7 +13,7 @@ - item.id != "shutdown" - item.id != "halt" - item.id != "nfsnobody" - - min_int_uid | int < item.gid + - item.gid < min_int_uid | int - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: From dadbeaa84efe439899f6a2edb8170a995dfb82ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Mar 2023 15:15:49 +0000 Subject: [PATCH 451/454] Initial molecule thanks to @bbaassssiiee in rh8 
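Review bot: The corrected condition `item.gid < min_int_uid | int` casts only the right-hand side; if the loop items are parsed from /etc/passwd as strings, Jinja's Python 3 comparison of `str < int` raises rather than filtering, so write `item.gid | int < min_int_uid | int`. The field name is also worth checking: CIS system-account selection is by UID below UID_MIN, so if `gid` here is the third passwd field the name is misleading, and if it really is the group id the filter picks the wrong accounts. The surrounding `item.shell != " /bin/false"` comparisons with a leading space look tied to how the passwd data is split; confirm that matches the loop source. The task definition starts before the hunk.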
Signed-off-by: Mark Bolwell --- molecule/default/converge.yml | 27 ++++++++++++++++++++++++++ molecule/default/molecule.yml | 34 +++++++++++++++++++++++++++++++++ molecule/default/verify.yml | 13 +++++++++++++ molecule/localhost/converge.yml | 18 +++++++++++++++++ molecule/localhost/molecule.yml | 30 +++++++++++++++++++++++++++++ molecule/localhost/verify.yml | 14 ++++++++++++++ molecule/wsl/converge.yml | 27 ++++++++++++++++++++++++++ molecule/wsl/molecule.yml | 29 ++++++++++++++++++++++++++++ molecule/wsl/verify.yml | 13 +++++++++++++ 9 files changed, 205 insertions(+) create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml create mode 100644 molecule/localhost/converge.yml create mode 100644 molecule/localhost/molecule.yml create mode 100644 molecule/localhost/verify.yml create mode 100644 molecule/wsl/converge.yml create mode 100644 molecule/wsl/molecule.yml create mode 100644 molecule/wsl/verify.yml diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 00000000..d558e806 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,27 @@ +--- +# This is a playbook to test the tasks. +- name: Converge + hosts: all + gather_facts: true + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + ansible_user: root + system_is_container: true + rhel9cis_selinux_disable: true + rhel9cis_rule_5_3_4: false + rhel9cis_rule_1_1_10: false + rhel9cis_firewall: "none" + rhel9cis_rule_4_1_1_1: false + rhel9cis_rule_4_1_1_2: false + rhel9cis_rule_4_1_1_3: false + rhel9cis_rule_4_1_1_4: false + rhel9cis_rule_4_2_1_2: false + rhel9cis_rule_4_2_1_4: false + rhel9cis_rule_5_1_1: false + + pre_tasks: + tasks: + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 00000000..55a62745 
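Review bot: Several rule toggles in molecule/default/converge.yml use identifiers that should be checked against defaults/main.yml, because a variable the role never reads disables nothing: `rhel9cis_rule_1_1_10` does not match the 1.1.2.x numbering that the tmp.mount template in this same series was just moved to. `rhel9cis_firewall: "none"` here versus `rhel9cis_firewall: None` in vars/is_container.yml later in the series are different strings; confirm which spelling the role's `when:` conditions test. The empty `pre_tasks:` key evaluates to null and can simply be dropped. Container runs with `ansible_user: root` and SELinux disabled are fine for CI but should be stated in the file comment so nobody mistakes this scenario for a validation of the SELinux or firewall controls.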
--- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,34 @@ +--- +# Molecule configuration +# https://molecule.readthedocs.io/en/latest/ + +driver: + name: docker + +platforms: + - name: ubi9 + image: registry.access.redhat.com/ubi9/ubi-init + pre_build_image: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + command: "/usr/sbin/init" + capabilities: + - SYS_ADMIN + +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer + +lint: | + set -e + yamllint . + ansible-lint + flake8 + +verifier: + name: ansible + diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 00000000..5c57ab4c --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,13 @@ +--- +- name: Verify + hosts: all + gather_facts: false + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + + tasks: + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify diff --git a/molecule/localhost/converge.yml b/molecule/localhost/converge.yml new file mode 100644 index 00000000..6dadcfcd --- /dev/null +++ b/molecule/localhost/converge.yml @@ -0,0 +1,18 @@ +--- +# This is a playbook to test the tasks. +- name: Converge + hosts: all + become: true + gather_facts: true + + vars: + ansible_user: "{{ lookup('env', 'USER') }}" + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + rhel9cis_rule_5_3_4: false + + pre_tasks: + tasks: + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + diff --git a/molecule/localhost/molecule.yml b/molecule/localhost/molecule.yml new file mode 100644 index 00000000..94547051 --- /dev/null +++ b/molecule/localhost/molecule.yml 
@@ -0,0 +1,30 @@ +--- +# Molecule configuration +# https://molecule.readthedocs.io/en/latest/ + +driver: + name: delegated + options: + managed: false + ansible_connection_options: + ansible_connection: local +platforms: + - name: localhost + +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + stdout_callback: yaml + callbacks_enabled: profile_tasks, timer + +lint: | + set -e + yamllint . + ansible-lint + flake8 + +verifier: + name: ansible + diff --git a/molecule/localhost/verify.yml b/molecule/localhost/verify.yml new file mode 100644 index 00000000..58afa467 --- /dev/null +++ b/molecule/localhost/verify.yml @@ -0,0 +1,14 @@ +--- +- name: Verify + hosts: all + gather_facts: false + become: true + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + + tasks: + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml new file mode 100644 index 00000000..0f5f3e62 --- /dev/null +++ b/molecule/wsl/converge.yml @@ -0,0 +1,27 @@ +--- +# This is a playbook to test the tasks. +- name: Converge + hosts: all + become: true + gather_facts: true + + vars: + ansible_user: "{{ lookup('env', 'USER') }}" + system_is_container: true + rhel8cis_selinux_disable: true + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + rhel8cis_rule_5_3_4: false + rhel8cis_rule_1_1_10: false + rhel8cis_rsyslog_ansiblemanaged: false + rhel8cis_rule_3_4_1_3: false + rhel8cis_rule_3_4_1_4: false + rhel8cis_rule_4_2_1_2: false + rhel8cis_rule_4_2_1_4: false + rhel8cis_rule_5_1_1: false + + pre_tasks: + tasks: + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + diff --git a/molecule/wsl/molecule.yml b/molecule/wsl/molecule.yml new file mode 100644 index 00000000..9360997d --- /dev/null +++ b/molecule/wsl/molecule.yml 
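Review bot: molecule/wsl/converge.yml sets `rhel8cis_selinux_disable`, `rhel8cis_rule_5_3_4`, `rhel8cis_rule_1_1_10`, `rhel8cis_rsyslog_ansiblemanaged`, `rhel8cis_rule_3_4_1_3` and the rest with the RHEL 8 prefix, which this role does not read, so the WSL scenario actually runs with SELinux handling and all of those rules enabled against the local host (`become: true`, `ansible_connection: local`). Rename them to `rhel9cis_*` and re-check each rule id against defaults/main.yml, since the 3.4.1.x and 1.1.10 numbers look carried over from the RHEL 8 benchmark. A comment at the top warning that this scenario hardens the machine it runs on would also be appropriate.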
@@ -0,0 +1,29 @@ +--- +# Molecule configuration +# https://molecule.readthedocs.io/en/latest/ + +driver: + name: delegated + options: + managed: false + ansible_connection_options: + ansible_connection: local +platforms: + - name: localhost + +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer + +lint: | + set -e + yamllint . + ansible-lint + flake8 + +verifier: + name: ansible + diff --git a/molecule/wsl/verify.yml b/molecule/wsl/verify.yml new file mode 100644 index 00000000..5c57ab4c --- /dev/null +++ b/molecule/wsl/verify.yml @@ -0,0 +1,13 @@ +--- +- name: Verify + hosts: all + gather_facts: false + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + + tasks: + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify From 2f5709df703714f53a3f7a5a112cf6f3313a6d6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Mar 2023 15:15:59 +0000 Subject: [PATCH 452/454] updated for empty lines Signed-off-by: Mark Bolwell --- .yamllint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.yamllint b/.yamllint index 3af111e7..ec469292 100644 --- a/.yamllint +++ b/.yamllint @@ -20,6 +20,8 @@ rules: brackets: max-spaces-inside: 1 level: error + empty-lines: + max: 1 line-length: disable key-duplicates: enable new-line-at-end-of-file: enable From 42b9dc9e890e8842e91e9b3f397c216281574f39 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Mar 2023 15:16:15 +0000 Subject: [PATCH 453/454] Linting Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ---------- tasks/main.yml | 1 - tasks/section_2/cis_2.2.x.yml | 1 - tasks/section_3/cis_3.4.2.x.yml | 1 - vars/is_container.yml | 4 ---- 5 files changed, 17 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 836f16fc..7ea583d0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -343,7 +343,6 @@ rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true - ## Section 1 vars #### 1.1.2 @@ -413,7 +412,6 @@ rhel9cis_selinux_enforce: enforcing ## 2. Services - ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 rhel9cis_time_synchronization_servers: @@ -461,7 +459,6 @@ rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false rhel9cis_ftp_client: false - ## Section3 vars ## Sysctl rhel9cis_sysctl_update: false @@ -478,7 +475,6 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public - # These are added to demonstrate how this can be done rhel9cis_firewalld_ports: - number: 80 @@ -514,7 +510,6 @@ update_audit_template: false ## Advanced option found in auditd post rhel9cis_allow_auditd_uid_user_exclusions: false - # This can be used to configure other keys in auditd.conf rhel9cis_auditd_extra_conf: {} # Example: @@ -535,7 +530,6 @@ rhel9cis_remote_log_protocol: tcp rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 - #### 4.2.1.7 rhel9cis_system_is_log_server: false @@ -584,7 +578,6 @@ rhel9cis_ssh_maxsessions: 4 rhel9cis_inactivelock: lock_days: 30 - rhel9cis_use_authconfig: false # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk @@ -599,7 +592,6 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false - rhel9cis_pass: max_days: 365 min_days: 7 @@ -648,7 +640,6 @@ rhel9cis_futurepwchgdate_autofix: true # 5.3.7 rhel9cis_sugroup: nosugroup - ## Section6 vars # RHEL-09_6.1.1 
@@ -669,7 +660,6 @@ audit_run_script_environment: AUDIT_FILE: 'goss.yml' AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - ### Goss binary settings ### goss_version: release: v0.3.21 diff --git a/tasks/main.yml b/tasks/main.yml index d0833191..2bb0f3f5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -102,7 +102,6 @@ tags: - always - - name: Gather the package facts ansible.builtin.package_facts: manager: auto diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 496a92f7..e592d176 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -1,6 +1,5 @@ --- - - name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed" ansible.builtin.package: name: xorg-x11-server-common diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 540bda0d..865fe59b 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -157,7 +157,6 @@ - nftables - rule_3.4.2.4 - - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" ansible.posix.firewalld: rich_rule: "{{ item }}" diff --git a/vars/is_container.yml b/vars/is_container.yml index 32504ee3..1a697845 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -6,14 +6,12 @@ ## controls - # Firewall rhel9cis_firewall: None # SElinux rhel9cis_selinux_disable: true - ## Related individual rules # Aide rhel9cis_rule_1_4_1: false @@ -42,7 +40,6 @@ rhel9cis_rule_5_1_8: false # crypto rhel9cis_rule_1_10: false - # grub rhel9cis_rule_1_5_1: false rhel9cis_rule_1_5_2: false @@ -88,6 +85,5 @@ rhel9cis_rule_4_2_2_3: false # systemd - # Users/passwords/accounts rhel9cis_rule_5_5_2: false From c62c2d44898036b7a8a0f72b043fa4d2384e96db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Mar 2023 15:17:58 +0000 Subject: [PATCH 454/454] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/Changelog.md b/Changelog.md index 38005bbf..6fb56c4c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 1.0.5 + +updated yamllint +removed empty lines after lint +initial molecule added +galaxy workflow updated + ## 1.0.4 #40 tmp systemd file variable naming update