Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release to main #210

Merged
merged 19 commits into from
Jun 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,20 +30,20 @@ repos:

# Scan for passwords
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
rev: v1.5.0
hooks:
- id: detect-secrets
args: [ '--baseline', '.config/.secrets.baseline' ]
exclude: .config/.gitleaks-report.json

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.2
rev: v8.18.3
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v24.2.2
rev: v24.5.0
hooks:
- id: ansible-lint
name: Ansible-lint
Expand Down
8 changes: 8 additions & 0 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# Changes to rhel9CIS

## 1.1.6 - Based on CIS v1.0.0

- #190 - thanks to @ipruteanu-sie
- addressed requirements in PR with alternate method
- #191 - thanks to @numericillustration
- Addressed authselect for pam
- #193 thanks to brakkio86

## 1.1.5 - Based on CIS v1.0.0

- added new interactive user discoveries
Expand Down
2 changes: 1 addition & 1 deletion defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -403,7 +403,7 @@ rhel9cis_tmp_svc: false

## Control 1.2.1
# For new systems that have not yet run update the gpg key is not yet imported
# Setting to `true` will allow a test on the package and the foce the import of the key
# Setting to `true` will allow a test on the package and force the import of the key
rhel9cis_force_gpg_key_import: true

## Control 1.2.4
Expand Down
7 changes: 7 additions & 0 deletions handlers/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,13 @@
ansible.builtin.systemd:
daemon-reload: true

- name: Apply_authselect
ansible.builtin.shell: authselect apply-changes
when: not rhel9cis_rule_5_4_2

- name: Apply_authselect
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
when: rhel9cis_rule_5_4_2
## Auditd tasks note order for handlers to run

- name: Auditd immutable check
Expand Down
2 changes: 1 addition & 1 deletion tasks/prelim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }'
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false
register: discovered_interactive_usernames

Expand Down
2 changes: 1 addition & 1 deletion tasks/section_2/cis_2.4.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
register: rhel9cis_2_4_services

- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets"
ansible.builtin.shell: systemctl list-units --type=sockets
ansible.builtin.shell: systemctl list-units --type=socket
changed_when: false
failed_when: false
check_mode: false
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.2.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@
- name: "4.2.1.5 | PATCH | Ensure logging is configured"
block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.shell: cat /etc/rsyslog.conf
ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$"
changed_when: false
failed_when: false
check_mode: false
Expand Down
32 changes: 18 additions & 14 deletions tasks/section_5/cis_5.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,21 +3,25 @@
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
block:
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
ansible.builtin.shell: 'authselect list | grep custom'
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_4_1_profiles

- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
ansible.builtin.debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
register: rhel9cis_5_4_1_current_profile

- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
when: rhel9cis_authselect_custom_profile_create
when:
- rhel9cis_authselect_custom_profile_create
- "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"

- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}"
register: authselect_5_4_1_select
when:
- rhel9cis_authselect_custom_profile_create
- "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"

when:
- rhel9cis_rule_5_4_1
tags:
Expand All @@ -28,7 +32,7 @@
- authselect
- rule_5.4.1

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options"
block:
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
ansible.builtin.shell: "authselect current | grep with-faillock"
Expand All @@ -43,11 +47,11 @@
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force"
when: rhel9cis_authselect_custom_profile_select

- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: "{{ item.regexp }}"
Expand All @@ -61,7 +65,7 @@
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'

- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/system-auth"
regexp: "{{ item.regexp }}"
Expand Down
23 changes: 17 additions & 6 deletions tasks/section_5/cis_5.5.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,14 @@
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
Expand All @@ -42,6 +42,7 @@
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
Expand All @@ -51,6 +52,7 @@
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
Expand All @@ -60,6 +62,7 @@
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
Expand All @@ -78,10 +81,18 @@
- rule_5.5.2

- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'

- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
when:
- rhel9cis_rule_5_5_3
tags:
Expand Down
144 changes: 144 additions & 0 deletions tasks/section_5/cis_5.5.x_authselect.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
---

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
block:
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
loop:
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
line: "account required pam_faillock.so"
insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.2

- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect

- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.3

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
ansible.builtin.replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.4
1 change: 1 addition & 0 deletions tasks/section_5/cis_5.6.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,7 @@
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
when: item in discovered_interactive_usernames.stdout
when:
- rhel9cis_rule_5_6_1_4
tags:
Expand Down
12 changes: 8 additions & 4 deletions tasks/section_5/cis_5.6.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,10 @@
- item.id != "halt"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"

Expand All @@ -31,8 +33,10 @@
- item.id != "root"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"
when:
Expand Down
Loading