CIS v1.0.0 updates Nov 2024 #259

Merged Nov 19, 2024 (38 commits)

Commits
078c091
removed unnecessary vars
uk-bolly Sep 12, 2024
9d8cef3
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 16, 2024
76fc448
Merge pull request #238 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Sep 17, 2024
b12b5dc
Added gui discovery and updated comments
uk-bolly Sep 19, 2024
810d0e6
updated typo for gui default
uk-bolly Sep 23, 2024
93f136f
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 23, 2024
804a65f
Merge pull request #241 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Sep 24, 2024
400bb28
Merge pull request #240 from ansible-lockdown/Sept24_updates
uk-bolly Sep 24, 2024
506433e
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 30, 2024
08b5441
Merge pull request #242 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 7, 2024
0f94ed9
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 7, 2024
fa374bd
Merge pull request #243 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 8, 2024
41bc1e2
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 14, 2024
b610b0a
Merge pull request #244 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 15, 2024
ef00aa0
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 21, 2024
b2e62e2
Merge pull request #246 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 22, 2024
aee4c2a
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 28, 2024
794931b
Merge pull request #248 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 29, 2024
988c42f
Added selectattr filter to fix #249
yinggs Oct 30, 2024
08eed98
Merge pull request #250 from yinggs/fix-249
uk-bolly Nov 4, 2024
272ac4e
updated to enable greater idempotence on filemounts
uk-bolly Nov 4, 2024
efd86bf
updated for first interaction step
uk-bolly Nov 4, 2024
3c75296
Merge pull request #251 from ansible-lockdown/issue_#247
uk-bolly Nov 5, 2024
bb631b1
improved idempotence on mount point options
uk-bolly Nov 11, 2024
1c1a39c
improved gpg regex
uk-bolly Nov 11, 2024
fbf16ec
readded lines removed in error
uk-bolly Nov 11, 2024
d6c9e42
reverted back to original
uk-bolly Nov 11, 2024
28a3596
Added a means to allow system users to have a shell
Thulium-Drake Nov 11, 2024
b64ce56
Merge pull request #252 from ansible-lockdown/mount_opts_and_gpg
uk-bolly Nov 11, 2024
87c1f6e
Merge pull request #253 from Thulium-Drake/fix_245
uk-bolly Nov 11, 2024
c4b489f
fixed filename thanks to @levaillx
uk-bolly Nov 12, 2024
cb9e845
Merge pull request #256 from ansible-lockdown/issue_255
uk-bolly Nov 13, 2024
1166b8b
updated typos
uk-bolly Nov 18, 2024
f591dc2
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Nov 18, 2024
b4450dd
Merge pull request #257 from ansible-lockdown/README
uk-bolly Nov 19, 2024
ed551c9
Merge pull request #258 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Nov 19, 2024
576475d
removed skip_ansible_lint tag
uk-bolly Nov 19, 2024
2ff1550
Merge pull request #260 from ansible-lockdown/skip_ansible_lint
uk-bolly Nov 19, 2024
2 changes: 1 addition & 1 deletion .github/workflows/devel_pipeline_validation.yml
Expand Up @@ -27,7 +27,7 @@
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted
runs-on: ubuntu-latest

steps:
- uses: actions/first-interaction@main
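Review bot: `- uses: actions/first-interaction@main` in the retained context at the end of this hunk pins the action to a moving branch, so every run of the welcome job now executes whatever `main` contains at that moment on a GitHub-hosted runner; pin to a release tag or, better, a full commit SHA so the job's code is reproducible and reviewable. Moving the job from `self-hosted` to `ubuntu-latest` is the right call for a greeter that needs no project infrastructure.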
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Expand Up @@ -7,7 +7,7 @@ ci:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
# Safety
- id: detect-aws-credentials
Expand Down Expand Up @@ -37,13 +37,13 @@ repos:
exclude: .config/.gitleaks-report.json

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
rev: v8.21.2
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v24.7.0
rev: v24.10.0
hooks:
- id: ansible-lint
name: Ansible-lint
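Review bot: the ansible-lint bump to v24.10.0 here is what makes the `skip_ansible_lint` tag removals elsewhere in this PR meaningful, since those tasks are now linted with the new rule set; a clean pre-commit run is the evidence that they pass, and it is worth stating in the PR description. On the gitleaks bump to v8.21.2, note that the `--baseline-path .config/.gitleaks-report.json` baseline (itself excluded from the hooks above via `exclude:`) continues to suppress whatever it lists, so the baseline deserves a glance whenever the scanner version and its rule set change.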
6 changes: 2 additions & 4 deletions README.md
Expand Up @@ -53,7 +53,7 @@ Refer to [Contributing Guide](./CONTRIBUTING.rst)

This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.
Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.

This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.

Expand Down Expand Up @@ -128,11 +128,9 @@ os_check: false
**Technical Dependencies:**

- Python3
- Ansible 2.10+
- Ansible 2.12+
- python-def (should be included in RHEL 9)
- libselinux-python
- pip packages
- jmespath
- collections found in collections/requirements.yml

pre-commit is available if installed on your host for pull request testing.
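Review bot: removing `libselinux-python` leaves the SELinux controls the role ships (`rhel9cis_selinux_disable`, `rhel9cis_selinux_pol`, `rhel9cis_selinux_enforce` in defaults/main.yml) without a stated binding requirement; on RHEL 9 the package is named `python3-libselinux`, so either list that name or say that it is part of the base install. Dropping `python-def`, which does not correspond to a RHEL package, is correct. If the role declares a minimum Ansible version in its metadata, align it with the `Ansible 2.12+` line added here.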
20 changes: 9 additions & 11 deletions defaults/main.yml
Expand Up @@ -49,15 +49,10 @@ rhel9cis_selinux_disable: false
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
rhel9cis_legacy_boot: false

## Python Binary
## This is used for python3 Installations where python2 OS modules are used in ansible
python2_bin: /bin/python2.7

## Benchmark name used by audting control role
# The audit variable found at the base
## metadata for Audit benchmark
benchmark_version: 'v1.0.0'

benchmark: RHEL9-CIS

# Whether to skip the system reboot before audit
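Review bot: removing `python2_bin` is correct for a RHEL 9 role, but the removal is only safe if no task, template or handler still references the variable; a grep for `python2_bin` before merge would confirm it. The reshuffled comment block now stacks `# The audit variable found at the base` over `## metadata for Audit benchmark`, which reads as two fragments; one sentence saying that `benchmark_version` and `benchmark` are consumed by the audit role would be clearer.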
Expand Down Expand Up @@ -526,6 +521,10 @@ rhel9cis_selinux_pol: targeted
rhel9cis_selinux_enforce: enforcing

# Whether or not to run tasks related to auditing/patching the desktop environment
## Control 1.8.1-10
# This variable governs whether rules dealing with GUI specific packages(and/or their settings)
# Discovered value can be overridden to true is required
rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"

## Section 2. Services
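Review bot: the comment `# Discovered value can be overridden to true is required` should read `if required`, and the control reference now reads `1.8.1-10` where the block removed further down this file cited `1.8.10-10, 2.2.1`; 2.2.1 still depends on this variable for removing the X server, so the reference should keep it. The discovery expression `prelim_gnome_present.stat.exists | default(false)` only works because the prelim stat task is tagged `always`; a note that setting `rhel9cis_gui` explicitly in inventory replaces the discovery would save users from wondering why their override is honoured.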

Expand Down Expand Up @@ -567,12 +566,6 @@ rhel9cis_chrony_server_minsources: 2
# Set the respective variable to true to keep the service,
# otherwise the service is stopped and disabled

## Control 1.8.10-10, 2.2.1
# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
# be executed either to:
# - secure GDM, if GUI is needed('rhel9cis_gui: true')
# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false')
rhel9cis_gui: false
## Control 2.2.2 - Ensure Avahi Server is not installed
# This variable, when set to false, will specify that Avahi Server packages should be uninstalled.
rhel9cis_avahi_server: false
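Review bot: the deleted comment block here was the only place that explained the two values (`true` secures GDM, `false` removes GDM and the X Window System); the Section 1 comment that replaces it only says which rules the variable gates. Carry the two bullet lines over to the new definition so a reader of defaults/main.yml still learns that `false` uninstalls packages rather than merely skipping hardening, which matters more now that the default is discovered instead of a fixed `false`.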
Expand Down Expand Up @@ -1144,6 +1137,11 @@ rhel9cis_force_user_mindays: false
# This can break current connecting user access
rhel9cis_force_user_warnage: false

## Control 5.6.2 - Ensure system accounts are secured | Set nologin
# The system users on this list are allowed to have a shell (e.g. applications
# that require a shell to function)
rhel9cis_system_users_shell: []

## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
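Review bot: `rhel9cis_system_users_shell: []` is matched against the account name (`item.id`) in the 5.6.x task, so the comment should say it is a list of usernames and make clear that a listed account is exempted from the nologin enforcement entirely, keeping whatever shell it already has, rather than being given a particular shell.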
4 changes: 0 additions & 4 deletions handlers/main.yml
Expand Up @@ -57,8 +57,6 @@
- name: Grub2cfg
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ignore_errors: true # noqa ignore-errors
tags:
- skip_ansible_lint

- name: Restart rsyslog
ansible.builtin.systemd:
Expand Down Expand Up @@ -102,8 +100,6 @@

- name: Restart auditd
ansible.builtin.shell: service auditd restart
tags:
- skip_ansible_lint

- name: Change_requires_reboot
ansible.builtin.set_fact:
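Review bot: with the `skip_ansible_lint` tag removed, `ansible.builtin.shell: service auditd restart` will now be reported by ansible-lint's command-instead-of-module rule (and may also trip no-changed-when); the shell call is justified because auditd's unit refuses manual restarts through systemd, so add an inline `# noqa: command-instead-of-module no-changed-when` with a one-line comment stating that reason, mirroring the `# noqa ignore-errors` already carried by the Grub2cfg handler in the hunk above. The grub2-mkconfig handler has the same no-changed-when exposure.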
7 changes: 7 additions & 0 deletions tasks/prelim.yml
Expand Up @@ -190,6 +190,13 @@
- rhel9cis_force_gpg_key_import
- ansible_facts.distribution == 'RedHat'

- name: "PRELIM | Discover Gnome Desktop Environment"
ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present
tags:
- always

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
ansible.builtin.package:
name: audit
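Review bot: the discovery keys on a single file, `/usr/share/gnome/gnome-version.xml`, which is not owned by the gdm package that Section 1.8 actually configures; a host with gdm present but that file absent (or a leftover file after gdm removal) is misclassified. If the role already gathers `package_facts`, testing `'gdm' in ansible_facts.packages` ties the decision to the configured component; otherwise at least name in a comment which package ships the file so the dependency is explicit. Tagging the task `always` is correct, since `rhel9cis_gui` is evaluated from its result.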
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -32,7 +32,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4) %},nosuid{% endif %}"
notify: Remount tmp
loop: "{{ ansible_facts.mounts }}"
loop_control:
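Review bot: building `opts` from `item.options` (the live options from `ansible_facts.mounts`) instead of the fixed `defaults,...` string is what makes this idempotent, but the runtime option string can carry display-only entries such as `seclabel` on SELinux hosts; confirm that those round-trip into `/etc/fstab` and a subsequent remount without error. The `'nodev' not in item.options` tests are substring checks on a comma-separated string, which works for these three names, but `item.options.split(',')` would give exact membership and guard against a value that merely contains the name. The same expression is repeated in 1.1.3 through 1.1.7; a shared pattern is fine, but any fix here must then be applied to all five files.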
3 changes: 1 addition & 2 deletions tasks/section_1/cis_1.1.3.x.yml
Expand Up @@ -31,7 +31,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -45,6 +45,5 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.3.2
- rule_1.1.3.3
3 changes: 1 addition & 2 deletions tasks/section_1/cis_1.1.4.x.yml
Expand Up @@ -33,7 +33,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -48,7 +48,6 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.4.2
- rule_1.1.4.3
- rule_1.1.4.4
4 changes: 1 addition & 3 deletions tasks/section_1/cis_1.1.5.x.yml
Expand Up @@ -22,7 +22,6 @@
- audit
- mounts
- rule_1.1.5.1
- skip_ansible_lint

- name: |
"1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
Expand All @@ -33,7 +32,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_5_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_5_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_5_4) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -48,7 +47,6 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.5.2
- rule_1.1.5.3
- rule_1.1.5.4
3 changes: 1 addition & 2 deletions tasks/section_1/cis_1.1.6.x.yml
Expand Up @@ -32,7 +32,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_6_2) %},noexec{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_6_3) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_6_4) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -47,7 +47,6 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.6.2
- rule_1.1.6.3
- rule_1.1.6.4
4 changes: 1 addition & 3 deletions tasks/section_1/cis_1.1.7.x.yml
Expand Up @@ -22,7 +22,6 @@
- audit
- mounts
- rule_1.1.7.1
- skip_ansible_lint

- name: |
"1.1.7.2 | PATCH | Ensure nodev option set on /home partition
Expand All @@ -32,7 +31,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_7_3) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -48,4 +47,3 @@
- mounts
- rule_1.1.7.2
- rule_1.1.7.3
- skip_ansible_lint
1 change: 0 additions & 1 deletion tasks/section_1/cis_1.1.8.x.yml
Expand Up @@ -29,7 +29,6 @@
- audit
- mounts
- rule_1.1.8.1
- skip_ansible_lint

- name: |
"1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
5 changes: 2 additions & 3 deletions tasks/section_1/cis_1.2.x.yml
Expand Up @@ -44,7 +44,7 @@
- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
ansible.builtin.replace:
name: "{{ item.path }}"
regexp: "^gpgcheck=0"
regexp: ^gpgcheck\s*=\s*0
replace: "gpgcheck=1"
loop: "{{ yum_repos.files }}"
loop_control:
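Review bot: `regexp: ^gpgcheck\s*=\s*0` is a valid plain scalar but has no end anchor, so it also matches the start of `gpgcheck=01` or `gpgcheck=0foo` and would rewrite them; `^gpgcheck\s*=\s*0\s*$` is safer (ansible.builtin.replace compiles the pattern with re.MULTILINE, so `$` is per line). Two consistency points: the 1.2.4 task further down uses `path:` where this task uses the `name:` alias, and here `replace:` is quoted while `regexp:` is not.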
Expand Down Expand Up @@ -85,7 +85,6 @@
- manual
- audit
- rule_1.2.3
- skip_ansible_lint

- name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated"
block:
Expand All @@ -104,7 +103,7 @@
- name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: '^repo_gpgcheck( |)=( |)0'
regexp: ^repo_gpgcheck\s*=\s*0
replace: repo_gpgcheck=1
loop: "{{ repo_files.files }}"
loop_control:
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.8.x.yml
Expand Up @@ -131,7 +131,7 @@
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
ansible.builtin.template:
src: etc/dconf/db/00-screensaver_lock.j2
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock"
owner: root
group: root
mode: '0644'
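Review bot: renaming `dest` from `.../locks/00-screensaver` to `.../locks/00-screensaver_lock` leaves the old lock file in place on hosts that ran an earlier version of the role, so both files will exist and `dconf update` will compile both; add a task with `ansible.builtin.file` and `state: absent` for the old path, notifying the same dconf handler, so the fix also cleans up already-configured systems.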
2 changes: 0 additions & 2 deletions tasks/section_1/cis_1.9.yml
Expand Up @@ -7,10 +7,8 @@
notify: Change_requires_reboot
when:
- rhel9cis_rule_1_9
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- patch
- rule_1.9
- skip_ansible_lint
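Review bot: this hunk drops `- not system_is_ec2` from the `when` list, so the 1.9 task (which notifies Change_requires_reboot) now runs on EC2 instances too; that is a behavioural change beyond the `skip_ansible_lint` tag cleanup and should be called out in the PR description, with a word on why the EC2 exemption is no longer needed and whether `system_is_ec2` is still set and used elsewhere in the role.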
1 change: 1 addition & 0 deletions tasks/section_5/cis_5.6.x.yml
Expand Up @@ -13,6 +13,7 @@
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- item.id not in rhel9cis_system_users_shell
- item.uid < min_int_uid | int
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
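Review bot: `item.id not in rhel9cis_system_users_shell` behaves as intended only when the variable is a list; if a user sets it to a plain string (`rhel9cis_system_users_shell: gitlab`), Jinja's `in` becomes a substring test and an account such as `git` would be silently exempted as well. An `ansible.builtin.assert` in prelim checking `rhel9cis_system_users_shell is sequence and rhel9cis_system_users_shell is not string` closes that gap.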
4 changes: 2 additions & 2 deletions tasks/section_6/cis_6.1.x.yml
Expand Up @@ -164,7 +164,7 @@

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}"
discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug:
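Review bot: `selectattr('stdout_lines', 'defined')` is the right guard, since a skipped loop item in `rhel_09_6_1_10_audit.results` has no `stdout_lines` and the previous bare `map` failed on it (issue #249 per the commit message). Documentation nit: the task name still says "Flatten no_user_items results" although what is flattened is `rhel_09_6_1_10_audit` into `discovered_unowned_files_flatten`; the 6.1.11 task below carries the same stale name.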
Expand Down Expand Up @@ -204,7 +204,7 @@

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}"
discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug: