logic, idempotency, auditd, sysctl improvements #18

Merged
merged 105 commits into from
Sep 24, 2022
193fded
removed tfstate files
uk-bolly Jun 13, 2022
70942f4
updated to use almalinux image
uk-bolly Jun 13, 2022
c0c24ec
improved test with idempotency
uk-bolly Jun 17, 2022
91da6ff
updated testing
uk-bolly Jun 17, 2022
fb1c6e9
added libselinux requirement
uk-bolly Jun 17, 2022
33ebfea
sysctl control improvements
uk-bolly Jun 20, 2022
b0e038b
container var usage improvement
uk-bolly Jun 20, 2022
c3c668b
crypto idempotency
uk-bolly Jun 20, 2022
d2684c1
auditd, sysctl vars goss version update
uk-bolly Jun 20, 2022
02c843f
sysctl improvements, become usage
uk-bolly Jun 20, 2022
97a6a61
container var usage
uk-bolly Jun 20, 2022
1dd2b46
logrotate process update
uk-bolly Jun 20, 2022
b934cbe
auditd improvements
uk-bolly Jun 20, 2022
4336bbf
auditd, sysctl, become tidy up
uk-bolly Jun 20, 2022
6165191
updates
uk-bolly Jun 20, 2022
1ab63c7
added pause for rhel9 as well
uk-bolly Jun 20, 2022
c02024e
changed to check ssh for all hosts
uk-bolly Jun 21, 2022
1836ae1
fix typo
uk-bolly Jun 21, 2022
a8ec3e3
updated timeout test
uk-bolly Jun 21, 2022
cf6e08c
added legacy mount check again
uk-bolly Jun 21, 2022
b68e8a3
Added Managed by Ansible Changes will be lost
uk-bolly Jun 22, 2022
c494559
updated handler conditional
uk-bolly Jul 20, 2022
6b6a4a3
added warning count
uk-bolly Jul 20, 2022
ba791f5
added jounald to syslog type
uk-bolly Jul 20, 2022
df14771
updated with alma vars
uk-bolly Jul 20, 2022
de4a7c5
removed empty row
uk-bolly Jul 25, 2022
22326c5
Add blank row
uk-bolly Jul 25, 2022
28bbc2f
1.2.2 rpm gpg key check
uk-bolly Jul 25, 2022
77a73dd
tidy up warning message
uk-bolly Jul 25, 2022
e6191de
fix logic in warning
uk-bolly Jul 25, 2022
6777a88
fix logic in warning
uk-bolly Jul 25, 2022
595b952
tidy up title
uk-bolly Jul 25, 2022
d3f2677
new control option due to space on auditing
uk-bolly Jul 25, 2022
3c66b3f
updated rule
uk-bolly Jul 25, 2022
9c2fead
updated rule
uk-bolly Jul 25, 2022
69f4539
updated 1.6.1.2
uk-bolly Jul 26, 2022
5ba2c41
updated
uk-bolly Jul 26, 2022
11132b7
updated ansible test connect
uk-bolly Jul 26, 2022
9f00bee
updated to 5min timeout
uk-bolly Jul 26, 2022
35e3a27
fixed correct value
uk-bolly Jul 26, 2022
faf4872
extended timeout
uk-bolly Jul 26, 2022
5985d89
updated ami version
uk-bolly Jul 26, 2022
1c0714b
changed to wait_for module
uk-bolly Jul 26, 2022
c17fe00
Merge branch 'devel' into updates
uk-bolly Jul 26, 2022
14b5001
added private key
uk-bolly Jul 26, 2022
b8a8ab4
Merge branch 'updates' of github.com:ansible-lockdown/RHEL9-CIS into …
uk-bolly Jul 26, 2022
363fe9b
added user
uk-bolly Jul 26, 2022
125566f
added debug
uk-bolly Jul 26, 2022
15a46f2
added new connection and private key vars
uk-bolly Jul 26, 2022
f93f584
added private_key
uk-bolly Jul 26, 2022
80d0deb
updated local-exec
uk-bolly Jul 26, 2022
0c9a88e
updated remote-exec
uk-bolly Jul 26, 2022
02c0c64
added debug
uk-bolly Jul 26, 2022
b4e6c3d
fix merge
uk-bolly Jul 26, 2022
1a8861e
updated path
uk-bolly Jul 26, 2022
5c0bc41
fix merge error
uk-bolly Jul 26, 2022
0c6feb1
added local file option
uk-bolly Jul 26, 2022
5e93716
revert
uk-bolly Jul 26, 2022
5a81497
added content to object
uk-bolly Jul 27, 2022
a8488de
updated lint
uk-bolly Jul 27, 2022
f15f8c9
removed audit template handler
uk-bolly Jul 27, 2022
a5d62ea
added a test key output
uk-bolly Jul 27, 2022
d0023ce
turned off debug
uk-bolly Jul 27, 2022
340da3e
removed excess line
uk-bolly Jul 27, 2022
dbf5484
reverted settings
uk-bolly Jul 28, 2022
0c3c26e
removed system check
uk-bolly Jul 28, 2022
a2945a6
changed way key is loaded
uk-bolly Jul 29, 2022
a74f8ee
changed spacing
uk-bolly Jul 29, 2022
d87812b
testing
uk-bolly Jul 29, 2022
54aa47c
testing
uk-bolly Jul 29, 2022
6bce83d
revert
uk-bolly Jul 29, 2022
bb1c167
updated comment
uk-bolly Jul 29, 2022
4f68cf1
sleep 60 anyway
uk-bolly Jul 29, 2022
8a80ee9
Merge branch 'devel' into updates
uk-bolly Jul 29, 2022
084e6c6
moved some controls to handlers
uk-bolly Jul 29, 2022
99638b5
Merge branch 'updates' of github.com:ansible-lockdown/RHEL9-CIS into …
uk-bolly Jul 29, 2022
c0ece7f
fix warn consistent missing '
uk-bolly Jul 29, 2022
b842c47
line spacing fixed
uk-bolly Jul 29, 2022
866eafc
Added warning to reboot required
uk-bolly Jul 29, 2022
6d35017
fix typo
uk-bolly Jul 29, 2022
c697431
Added comments to each control for auditd
uk-bolly Jul 29, 2022
f45bbd6
#21 user accts locked during user exec
uk-bolly Aug 23, 2022
4705e36
All passwords are expired during hardening #22
uk-bolly Aug 23, 2022
2f8f58d
update
uk-bolly Aug 23, 2022
90500ce
updates
uk-bolly Aug 23, 2022
d7be86e
Merge branch 'workflow_update' into updates
uk-bolly Aug 23, 2022
410074f
updated
uk-bolly Aug 23, 2022
571f2f7
updated for rocky and now beta
uk-bolly Aug 23, 2022
e4bf188
Added Assertion for passwd set on ansible user
uk-bolly Sep 7, 2022
32907dc
Added Assertion update
uk-bolly Sep 7, 2022
bc4b2f3
Merge branch 'devel' into updates
uk-bolly Sep 13, 2022
2974fa5
lint updates
uk-bolly Sep 16, 2022
1e22c13
linting
uk-bolly Sep 16, 2022
33340c7
lint updates
uk-bolly Sep 16, 2022
1992eea
lint updates
uk-bolly Sep 16, 2022
3df35e0
lint updates
uk-bolly Sep 16, 2022
962319f
changed audit dir to opt
uk-bolly Sep 16, 2022
a1d0130
updates
uk-bolly Sep 16, 2022
0d155c4
lint updates
uk-bolly Sep 16, 2022
5c2211f
aligned with audit
uk-bolly Sep 16, 2022
d3d819b
changed default git_branch to devel
uk-bolly Sep 16, 2022
19a8103
removed unnecessary when statement
uk-bolly Sep 16, 2022
226f2bc
removed unnecessary become
uk-bolly Sep 16, 2022
cc2f734
line tidy up
uk-bolly Sep 16, 2022
cdf8bab
removed unnecessary register
uk-bolly Sep 16, 2022
3 changes: 3 additions & 0 deletions .ansible-lint
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
parseable: true
quiet: true
skip_list:
- 'schema'
- 'no-changed-when'
- 'fqcn-builtins'
- '204'
- '305'
- '303'
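Review bot: the new `skip_list` entries `'no-changed-when'` and `'fqcn-builtins'` disable those rules for the whole repository, which hides the cases where a `shell`/`command` task really does need a `changed_when` (several handlers in this PR rely on that). Prefer a per-task `# noqa no-changed-when` where the skip is justified, and check that the mixed list of numeric ids (`'204'`, `'305'`, `'303'`) and named rules is recognised by the ansible-lint version the workflow installs, otherwise the numeric entries are dead configuration.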
2 changes: 1 addition & 1 deletion .github/workflows/github_vars.tfvars
Expand Up @@ -8,7 +8,7 @@ environment = "lockdown_github_repo_workflow"

// Matching pair name found in AWS for keypairs PEM key
ami_key_pair_name = "github_actions"
private_key = "'.ssh/github_actions.pem'"
private_key = ".ssh/github_actions.pem"
main_vpc_cidr = "172.22.0.0/24"
public_subnets = "172.22.0.128/26"
private_subnets = "172.22.0.192/26"
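Review bot: dropping the nested single quotes in `private_key = ".ssh/github_actions.pem"` fixes the literal-quote bug, but the value is still a relative path, so it only resolves when Terraform is run from the directory that holds `.ssh/`. Either make it absolute or document the expected working directory next to the `ami_key_pair_name` comment, and confirm the `.pem` file itself is covered by `.gitignore` since this tfvars file is committed.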
15 changes: 3 additions & 12 deletions .github/workflows/linux_benchmark_testing.yml
Expand Up @@ -81,18 +81,9 @@ jobs:
working-directory: .github/workflows
run: cat hosts.yml

# Centos 7 images take a while to come up insert sleep or playbook fails
# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Check if test os is rhel7
working-directory: .github/workflows
id: test_os
run: >-
echo "::set-output name=RHEL7::$(
grep -c RHEL7 OS.tfvars
)"

- name: if RHEL7 - Sleep for 60 seconds
#if: steps.test_os.outputs.RHEL7 >= 1
- name: Sleep for 60 seconds
run: sleep 60s
shell: bash

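Review bot: replacing the `RHEL7` detection step with an unconditional `sleep 60s` (the commented-out `#if: steps.test_os.outputs.RHEL7 >= 1` should be deleted rather than left behind) trades one timing assumption for another; an instance that takes longer than 60 s to accept SSH still fails the playbook. The commit list shows a `wait_for` change elsewhere in this PR, so the sleep could be dropped in favour of polling port 22 with a timeout, which is both faster on the common path and more robust on the slow one. Removing the `::set-output` usage is fine, as that command is deprecated.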
Expand All @@ -117,4 +108,4 @@ jobs:
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
38 changes: 25 additions & 13 deletions .yamllint
Expand Up @@ -2,22 +2,34 @@
ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml

extends: default

rules:
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
indentation:
indent-sequences: consistent
level: error
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: false
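Review bot: the rendered diff drops the +/- markers, so please confirm which of the two `indentation:`/`truthy:` blocks survive. If both the block starting at `indentation:` / `spaces: 4` and the later `indentation:` / `indent-sequences: consistent` / `level: error` are in the new file, `rules:` contains `indentation:` and `truthy:` twice; YAML loaders keep the last occurrence, so `truthy: disable` is silently overridden by `truthy: allowed-values: ['true', 'false']` and the `spaces: 4` requirement is lost. Separately, adding `.github/` to `ignore:` means the workflow files edited in this same PR are no longer linted; if that is intentional, a comment saying why would help.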
28 changes: 28 additions & 0 deletions Changelog.md
@@ -1,5 +1,33 @@
# Changes to rhel9CIS

## 0.4

- Added assertion that ansible_user has password set for rule 5.3.4
- RockyLinux now supported - release since initial branches
- gpg check updates
- audit out dir now /opt
- lint updates and improvements
- workflow updates and improvements moved to rocky image
- selinux regexp improvements
- warning summary now at end of play
- advanced auditd options to exclude users in POST section
- Issues fixed thanks to fgierlinger
- [#21](https://github.com/ansible-lockdown/RHEL9-CIS/issues/21)
- [#22](https://github.com/ansible-lockdown/RHEL9-CIS/issues/22)

## 0.3

- update to auditd template
- uses facts and template new variable
- update_audit_template (default false)
- sysctl template updates and idempotency improvements
- container discovery usage improvements
- 3.4.1.5 discovery improvement
- 5.6.1.4 discovery improvement
- logrotate process logrotate.timer
- tidy up become:
- logic improvements

## 0.2

- not all controls work with rhel8 releases any longer
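Review bot: two of the 0.4 entries describe behaviour changes that users can hit on upgrade and deserve a sentence each rather than a bare bullet: `audit out dir now /opt` changes the default location of pre/post scan output, so anything collecting from `/var/tmp` breaks, and `gpg check updates` should name the control it affects (the commit list says 1.2.2 rpm gpg key check). The `Added assertion that ansible_user has password set for rule 5.3.4` entry is the most important one for operators, since a run now aborts early on hosts where the Ansible user is key-only; consider calling that out as a breaking change.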
8 changes: 5 additions & 3 deletions README.md
@@ -1,6 +1,6 @@
# Development Only

## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA
## RHEL 9 CIS (predicted) - Beta - CIS baselines or OS not yet GA

## Testing if you have access to the RH developer branches

Expand All @@ -17,7 +17,7 @@ Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https:/

## Join us

On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users

## Caution(s)

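Review bot: the invite link moves from `https://discord.gg/JFxpSgPFEJ` to `https://discord.io/ansible-lockdown`; `discord.gg` is Discord's own invite domain, while `discord.io` is a third-party redirector, so anyone following the README now depends on that service continuing to point at the right server. If the vanity name is wanted, note in the README where the redirect goes, or keep the `discord.gg` invite alongside it.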
Expand Down Expand Up @@ -49,7 +49,9 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit).

## Requirements

RHEL 9 - Other versions are not supported.
RHEL 9
Almalinux 9
Rocky 9

- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)

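Review bot: under `## Requirements` the three lines `RHEL 9`, `Almalinux 9`, `Rocky 9` are consecutive plain lines, which Markdown renders as one paragraph reading `RHEL 9 Almalinux 9 Rocky 9`. Turn them into list items (`- RHEL 9`, `- AlmaLinux 9`, `- Rocky Linux 9`) and keep the `Other versions are not supported.` sentence that the old line carried, since it is the statement users rely on when deciding whether to run the role.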
23 changes: 15 additions & 8 deletions defaults/main.yml
Expand Up @@ -369,7 +369,6 @@ rhel9cis_rh_sub_password: password
# RedHat Satellite Subscription items
rhel9cis_rhnsd_required: false


# 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random
Expand Down Expand Up @@ -460,6 +459,11 @@ rhel9cis_tftp_client: false


## Section3 vars
## Sysctl
sysctl_update: false
flush_ipv4_route: false
flush_ipv6_route: false

### Firewall Service - either firewalld, iptables, or nftables
#### Some control allow for services to be removed or masked
#### The options are under each heading
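Review bot: the new `sysctl_update`, `flush_ipv4_route` and `flush_ipv6_route` variables are the only defaults in this file without the `rhel9cis_` prefix, so they can collide with same-named variables from other roles in the same play; rename them to `rhel9cis_sysctl_update` etc. for consistency. Each also needs a comment stating what it controls, because with all three defaulting to `false` the route-flush handlers in `handlers/main.yml` never run unless the user discovers these switches.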
Expand Down Expand Up @@ -498,6 +502,12 @@ rhel9cis_audit_back_log_limit: 8192
# The max_log_file parameter should be based on your sites policy
rhel9cis_max_log_file_size: 10

### 4.1.3.x audit template
update_audit_template: false

## Advanced option found in auditd post
allow_auditd_uid_user_exclusions: false

## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
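Review bot: `allow_auditd_uid_user_exclusions: false` is the right default, but the comment `## Advanced option found in auditd post` does not say what enabling it does; since excluding users from audit rules reduces audit coverage, the comment should state that, and where the exclusion list is defined. Same prefix remark as above: `update_audit_template` and `allow_auditd_uid_user_exclusions` lack the `rhel9cis_` namespace used by every neighbouring variable.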
Expand Down Expand Up @@ -633,8 +643,8 @@ audit_run_script_environment:

### Goss binary settings ###
goss_version:
release: v0.3.16
checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
release: v0.3.18
checksum: 'sha256:432308ebca0caf8165d45bd27e3262126aad9d15572ac8cb3149b3c91f75aace'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json
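Review bot: bumping `goss_version.release` to `v0.3.18` together with a new sha256 `checksum` keeps the download pinned, which is the important property here. Add a comment saying which release artifact (architecture) the checksum was taken from, so the next person bumping the version knows what to verify against and does not copy a checksum for the wrong binary.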
Expand All @@ -651,20 +661,17 @@ copy_goss_from_path: /some/accessible/path
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: main
audit_git_version: devel

# copy:
audit_local_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

# Where the goss audit configuration will be stored
audit_files: "/var/tmp/{{ benchmark }}-Audit/"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/var/tmp'
audit_out_dir: '/opt'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
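Review bot: changing `audit_git_version` from `main` to `devel` makes every default run clone the unreleased branch of the audit repository, so the audit content that judges a production host changes under users without any version bump on their side; pin this to a tag or commit of `RHEL9-CIS-Audit` and leave `devel` for the test workflow only. Moving `audit_out_dir` to `/opt` is fine (persistent, root-owned rather than world-writable tmp), but it changes `pre_audit_outfile` and `post_audit_outfile` for everyone, which the Changelog should flag as a breaking change.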
89 changes: 35 additions & 54 deletions handlers/main.yml
@@ -1,14 +1,23 @@
---
# handlers file for RHEL9-CIS

- name: reload sysctl
shell: sysctl --system
args:
warn: false
when:
- sysctl_updated.changed

- name: sysctl flush ipv4 route table
become: true
sysctl:
name: net.ipv4.route.flush
value: '1'
sysctl_set: true
ignore_errors: true
when: ansible_virtualization_type != "docker"
ignore_errors: true # noqa ignore-errors
when:
- flush_ipv4_route
- not system_is_container
tags:
- skip_ansible_lint

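Review bot: `ignore_errors: true # noqa ignore-errors` on `sysctl flush ipv4 route table` swallows every failure, including a typo in the sysctl name or a read-only `/proc/sys`, and `tags: - skip_ansible_lint` then also silences the linter for the same task, so one of the two is redundant. A narrower `failed_when` that only tolerates the container case (the `not system_is_container` condition already excludes it) would keep real failures visible. Removing the old `reload sysctl` shell handler is correct now that the `sysctl` module sets the value directly.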
Expand All @@ -18,35 +27,9 @@
name: net.ipv6.route.flush
value: '1'
sysctl_set: true
when: ansible_virtualization_type != "docker"

- name: update sysctl
template:
src: "etc/sysctl.d/{{ item }}.j2"
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: 0600
notify: reload sysctl
with_items:
- 60-kernel_sysctl.conf
- 60-disable_ipv6.conf
- 60-netipv4_sysctl.conf
- 60-netipv6_sysctl.conf
when:
- ansible_virtualization_type != "docker"
- "'procps-ng' in ansible_facts.packages"

- name: reload sysctl
sysctl:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
- ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages"
- flush_ipv6_route
- not system_is_container

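Review bot: this hunk deletes the `update sysctl` template handler (which wrote `60-*.conf` into `/etc/sysctl.d/` and notified `reload sysctl`) and the second `reload sysctl` handler. Please confirm no task in `tasks/` still carries `notify: update sysctl` or `notify: reload sysctl`, because notifying a handler that no longer exists fails the play at runtime, not at lint time. If the template write moved into the section 3 tasks, the `when: "'procps-ng' in ansible_facts.packages"` guard that lived here should have moved with it.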
- name: systemd restart tmp.mount
become: true
Expand All @@ -72,53 +55,30 @@
warn: false

- name: restart firewalld
become: true
service:
name: firewalld
state: restarted

- name: restart sshd
become: true
service:
name: sshd
state: restarted

- name: restart postfix
become: true
service:
name: postfix
state: restarted

- name: reload dconf
become: true
shell: dconf update
args:
warn: false

- name: update auditd
template:
src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 0600
notify: restart auditd

- name: restart auditd
shell: /sbin/service auditd restart
changed_when: false
check_mode: false
failed_when: false
args:
warn: false
tags:
- skip_ansible_lint

- name: grub2cfg
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
args:
warn: false
ignore_errors: True
ignore_errors: true # noqa ignore-errors
tags:
- skip_ansible_lint

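Review bot: `grub2cfg` keeps `ignore_errors: true # noqa ignore-errors`, which means a failing `grub2-mkconfig -o /boot/grub2/grub.cfg` leaves the bootloader password from 1.4.2 unapplied while the play still reports success. Prefer letting the handler fail, or register the result and route it into the warning summary this PR adds, so the operator sees that the control did not land. Removing `become: true` from `restart firewalld`/`restart sshd`/`restart postfix` is only safe if the play or the role's tasks now supply escalation, which ties in to the `site.yml` change below.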
Expand All @@ -142,6 +102,27 @@
systemd:
daemon-reload: true

## Auditd tasks note order for handlers to run

- name: auditd_immutable_check
shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check

- name: audit_immutable_fact
debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot
when:
- auditd_immutable_check.stdout == '1'

- name: restart auditd
shell: service auditd restart
args:
warn: false
tags:
- skip_ansible_lint

- name: change_requires_reboot
set_fact:
change_requires_reboot: true
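Review bot: the `audit_immutable_fact` handler never notifies `change_requires_reboot`, because `debug` always reports `changed: false` and Ansible only fires `notify` from a task that changed. Likewise `auditd_immutable_check` will fail on hosts without an `-e 2` line, since `grep -c` exits 1 when the count is 0 and the task has no `failed_when`. One fix covers both: on the grep handler use

    changed_when: auditd_immutable_check.stdout == '1'
    failed_when: auditd_immutable_check.rc > 1
    notify: change_requires_reboot

and drop the `notify`/`when` from the debug handler, keeping it only for the message. `restart auditd` via `shell: service auditd restart` is the right call (systemd refuses to stop auditd directly) but needs `changed_when`/`failed_when` like the handler it replaces.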
1 change: 0 additions & 1 deletion site.yml
@@ -1,7 +1,6 @@
---
- hosts: all
become: true

roles:

- role: "{{ playbook_dir }}"
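Review bot: removing `become: true` from the play in `site.yml` means privilege escalation is now entirely per-task inside the role; combined with the handler hunks above that also drop `become: true`, any task or handler that edits files under `/etc` or restarts services without its own `become` will fail as an unprivileged user. Either keep play-level `become: true` in the example playbook (the role is not usable without root) or state in the README that callers must set it.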
2 changes: 1 addition & 1 deletion tasks/LE_audit_setup.yml
Expand Up @@ -22,7 +22,7 @@
- get_goss_file == 'copy'

- name: install git if not present
package:
package:
name: git
state: present
register: git_installed