From c96271ea7a89a095ec28b2a11f3e9bd637af334a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 09:42:12 +0100 Subject: [PATCH 01/69] update section1_2 Signed-off-by: Mark Bolwell --- defaults/main.yml | 101 ++++++++++++++++++++++++++-------------------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 23f8efdb..2a6bd1b8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -54,7 +54,7 @@ audit_content: git run_audit: false # Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 30000 +audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### @@ -67,59 +67,73 @@ audit_cmd_timeout: 30000 rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_1_3: true -rhel9cis_rule_1_1_1_4: true -rhel9cis_rule_1_1_1_5: true -rhel9cis_rule_1_1_2: true -rhel9cis_rule_1_1_3: true -rhel9cis_rule_1_1_4: true -rhel9cis_rule_1_1_5: true -rhel9cis_rule_1_1_6: true -rhel9cis_rule_1_1_7: true -rhel9cis_rule_1_1_8: true -rhel9cis_rule_1_1_9: true -rhel9cis_rule_1_1_10: true -rhel9cis_rule_1_1_11: true -rhel9cis_rule_1_1_12: true -rhel9cis_rule_1_1_13: true -rhel9cis_rule_1_1_14: true -rhel9cis_rule_1_1_15: true -rhel9cis_rule_1_1_16: true -rhel9cis_rule_1_1_17: true +rhel9cis_rule_1_1_2_1: true +rhel9cis_rule_1_1_2_2: true +rhel9cis_rule_1_1_2_3: true +rhel9cis_rule_1_1_2_4: true +rhel9cis_rule_1_1_3_1: true +rhel9cis_rule_1_1_3_2: true +rhel9cis_rule_1_1_3_3: true +rhel9cis_rule_1_1_3_4: true +rhel9cis_rule_1_1_4_1: true +rhel9cis_rule_1_1_4_2: true +rhel9cis_rule_1_1_4_3: true +rhel9cis_rule_1_1_4_4: true +rhel9cis_rule_1_1_5_1: true +rhel9cis_rule_1_1_5_2: true +rhel9cis_rule_1_1_5_3: true +rhel9cis_rule_1_1_5_4: true +rhel9cis_rule_1_1_6_1: true +rhel9cis_rule_1_1_6_2: true +rhel9cis_rule_1_1_6_3: true +rhel9cis_rule_1_1_6_4: true +rhel9cis_rule_1_1_7_1: true +rhel9cis_rule_1_1_7_2: true +rhel9cis_rule_1_1_7_3: true +rhel9cis_rule_1_1_7_4: true +rhel9cis_rule_1_1_7_5: true +rhel9cis_rule_1_1_8_1: true +rhel9cis_rule_1_1_8_2: true +rhel9cis_rule_1_1_8_3: true rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_21: true -rhel9cis_rule_1_1_22: true -rhel9cis_rule_1_1_23: true +rhel9cis_rule_1_1_9: true +rhel9cis_rule_1_1_10: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_4: true -rhel9cis_rule_1_2_5: true rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_2: true -rhel9cis_rule_1_3_3: true rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_2: true +rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true rhel9cis_rule_1_6_1: true rhel9cis_rule_1_6_2: true -rhel9cis_rule_1_7_1_1: true -rhel9cis_rule_1_7_1_2: true -rhel9cis_rule_1_7_1_3: true -rhel9cis_rule_1_7_1_4: true -rhel9cis_rule_1_7_1_5: true -rhel9cis_rule_1_7_1_6: true -rhel9cis_rule_1_7_1_7: true -rhel9cis_rule_1_8_1_1: true -rhel9cis_rule_1_8_1_2: true -rhel9cis_rule_1_8_1_3: true -rhel9cis_rule_1_8_1_4: true -rhel9cis_rule_1_8_1_5: true -rhel9cis_rule_1_8_1_6: true +rhel9cis_rule_1_6_1_1: true +rhel9cis_rule_1_6_1_2: true +rhel9cis_rule_1_6_1_3: true +rhel9cis_rule_1_6_1_4: true +rhel9cis_rule_1_6_1_5: true +rhel9cis_rule_1_6_1_6: true +rhel9cis_rule_1_6_1_7: true +rhel9cis_rule_1_6_1_8: true +rhel9cis_rule_1_7_1: true +rhel9cis_rule_1_7_2: true +rhel9cis_rule_1_7_3: true +rhel9cis_rule_1_7_4: true +rhel9cis_rule_1_7_5: true +rhel9cis_rule_1_7_6: true +rhel9cis_rule_1_8_1: true rhel9cis_rule_1_8_2: true +rhel9cis_rule_1_8_3: true +rhel9cis_rule_1_8_4: true +rhel9cis_rule_1_8_5: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true rhel9cis_rule_1_11: true @@ -127,14 +141,7 @@ rhel9cis_rule_1_11: true # Section 2 rules rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true -rhel9cis_rule_2_1_3: true -rhel9cis_rule_2_1_4: true -rhel9cis_rule_2_1_5: true -rhel9cis_rule_2_1_6: true -rhel9cis_rule_2_1_7: true -rhel9cis_rule_2_2_1_1: true -rhel9cis_rule_2_2_1_2: true -rhel9cis_rule_2_2_1_3: true +rhel9cis_rule_2_2_1: true rhel9cis_rule_2_2_2: true rhel9cis_rule_2_2_3: true rhel9cis_rule_2_2_4: true @@ -152,9 +159,15 @@ rhel9cis_rule_2_2_15: true rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_18: true +rhel9cis_rule_2_2_19: true +rhel9cis_rule_2_2_20: true rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true +rhel9cis_rule_2_3_4: true +rhel9cis_rule_2_3_5: true +rhel9cis_rule_2_3_6: true +rhel9cis_rule_2_4: true # Section 3 rules rhel9cis_rule_3_1_1: true From efdcb0b6f5fc316e87d8fab950833fcda946d20b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:02:30 +0100 Subject: [PATCH 02/69] section_1 updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 77 ++++++++++++++++++ tasks/section_1/cis_1.1.3.x.yml | 63 +++++++++++++++ tasks/section_1/cis_1.1.4.x.yml | 64 +++++++++++++++ tasks/section_1/cis_1.1.5.x.yml | 62 +++++++++++++++ tasks/section_1/cis_1.1.6.x.yml | 61 +++++++++++++++ tasks/section_1/cis_1.1.7.x.yml | 64 +++++++++++++++ tasks/section_1/cis_1.1.8.x.yml | 43 ++++++++++ tasks/section_1/cis_1.6.1.x.yml | 135 ++++++++++++++++++++++++++++++++ tasks/section_1/cis_1.7.x.yml | 102 ++++++++++++++++++++++++ tasks/section_1/cis_1.8.x.yml | 111 ++++++++++++++++++++++++++ 10 files changed, 782 insertions(+) create mode 100644 tasks/section_1/cis_1.1.2.x.yml create mode 100644 tasks/section_1/cis_1.1.3.x.yml create mode 100644 tasks/section_1/cis_1.1.4.x.yml create mode 100644 tasks/section_1/cis_1.1.5.x.yml create mode 100644 tasks/section_1/cis_1.1.6.x.yml create mode 100644 tasks/section_1/cis_1.1.7.x.yml create mode 100644 tasks/section_1/cis_1.1.8.x.yml create mode 100644 tasks/section_1/cis_1.6.1.x.yml create mode 100644 tasks/section_1/cis_1.7.x.yml create mode 100644 tasks/section_1/cis_1.8.x.yml diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml new file mode 100644 index 00000000..bb189930 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -0,0 +1,77 @@ +--- + +- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" + debug: + msg: "WARNING!! /tmp is not mounted on a separate partition" + when: + - rhel9cis_rule_1_1_2_1 + - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 + tags: + - level1-server + - level1-workstation + - automated + - audit + - mounts + - rule_1.1.2.1 + +# via fstab +- name: | + "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + mount: + name: /tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + notify: remount tmp + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - item.mount == "/tmp" + - not rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - rule_1.1.2.2 + - rule_1.1.2.3 + - rule_1.1.2.4 + +# via systemd +- name: | + "1.1.2.1 | PATCH | Ensure /tmp is configured" + "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: 0644 + notify: systemd restart tmp.mount + when: + - rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_1 or + rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - scored + - patch + - mounts + - rule_1.1.2.1 + - rule_1.1.2.2 + - rule_1.1.2.3 + - rule_1.1.2.4 diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml new file mode 100644 index 00000000..c7fb9867 --- /dev/null +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -0,0 +1,63 @@ +--- + +- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var" + block: + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_mount_absent + changed_when: var_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var' + when: + - rhel9cis_rule_1_1_3_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - mounts + - rule_1.1.3.1 + +# skips if mount is absent +- name: | + "1.1.3.2 | PATCH | Ensure nodev option set on /var partition" + "1.1.3.3 | PATCH | Ensure noexec option set on /var partition" + "1.1.3.4 | PATCH | Ensure nosuid option set on /var partition" + mount: + name: /var + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_mount_present is defined + - item.mount == "/var" + - rhel9cis_rule_1_1_3_1 # This is required so the check takes place + - rhel9cis_rule_1_1_3_2 or + rhel9cis_rule_1_1_3_3 or + rhel9cis_rule_1_1_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.3.2 + - rule_1.1.3.3 + - rule_1.1.3.4 diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml new file mode 100644 index 00000000..dbeab96e --- /dev/null +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -0,0 +1,64 @@ +--- + +# Skips if mount is absent +- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp" + block: + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_tmp_mount_absent + changed_when: var_tmp_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_tmp_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var/tmp' + when: + - rhel9cis_rule_1_1_4_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.4.1 + +# skips if mount is absent +- name: | + "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition" + "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition" + mount: + name: /var/tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_tmp_mount_present is defined + - item.mount == "/var/tmp" + - rhel9cis_rule_1_1_4_1 # This is required so the check takes place + - rhel9cis_rule_1_1_4_2 or + rhel9cis_rule_1_1_4_3 or + rhel9cis_rule_1_1_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.4.2 + - rule_1.1.4.3 + - rule_1.1.4.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml new file mode 100644 index 00000000..f286fcc8 --- /dev/null +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -0,0 +1,62 @@ +--- + +- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log" + block: + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_log_mount_absent + changed_when: var_log_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_log_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var/log' + when: + - rhel9cis_rule_1_1_5_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.5.1 + - skip_ansible_lint + +- name: | + "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" + "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition" + "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition" + mount: + name: /var/log + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_log_mount_present is defined + - item.mount == "/var/log" + - rhel9cis_rule_1_1_5_1 # This is required so the check takes place + - rhel9cis_rule_1_1_5_2 or + rhel9cis_rule_1_1_5_3 or + rhel9cis_rule_1_1_5_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.5.2 + - rule_1.1.5.3 + - rule_1.1.5.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml new file mode 100644 index 00000000..94e85d2b --- /dev/null +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -0,0 +1,61 @@ +--- + +- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit" + block: + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_log_audit_mount_absent + changed_when: var_log_audit_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_log_audit_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var/log/audit' + when: + - rhel9cis_rule_1_1_6_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.6.1 + +- name: | + "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition" + "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition" + "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition" + mount: + name: /var/log/audit + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_log_audit_mount_present is defined + - item.mount == "/var/log/audit" + - rhel9cis_rule_1_1_6_1 # This is required so the check takes place + - rhel9cis_rule_1_1_6_2 or + rhel9cis_rule_1_1_6_3 or + rhel9cis_rule_1_1_6_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.6.2 + - rule_1.1.6.3 + - rule_1.1.6.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml new file mode 100644 index 00000000..453fef53 --- /dev/null +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -0,0 +1,64 @@ +--- + +- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" + block: + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: home_mount_absent + changed_when: home_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: home_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/home' + when: + - rhel9cis_rule_1_1_7_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.7.1 + - skip_ansible_lint + +- name: | + "1.1.7.2 | PATCH | Ensure nodev option set on /home partition + 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition + 1.1.7.4 | PATCH | Ensure usrquota option set on /home partition + 1.1.7.5 | PATCH | Ensure grpquota option set on /home partition" + mount: + name: /home + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - home_mount_present is defined + - item.mount == "/home" + - rhel9cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_2 or + rhel9cis_rule_1_1_7_3 or + rhel9cis_rule_1_1_7_4 or + rhel9cis_rule_1_1_7_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - rule_1.1.7.2 + - rule_1.1.7.3 + - rule_1.1.7.4 + - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml new file mode 100644 index 00000000..a61a6aff --- /dev/null +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -0,0 +1,43 @@ +--- + +# Skips if mount is absent +- name: | + "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition + 1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition + 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition" + block: + - name: | + "1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence + 1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence + 1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" + shell: mount -l | grep -E '\s/dev/shm\s' + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_1_1_8_x_dev_shm_status + + - name: | + "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option + 1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option + 1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" + mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + state: mounted + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" + notify: change_requires_reboot + when: + - rhel9cis_rule_1_1_8_1 or + rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - rule_1.1.8.1 + - rule_1.1.8.2 + - rule_1.1.8.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml new file mode 100644 index 00000000..b31600a7 --- /dev/null +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -0,0 +1,135 @@ +--- + +- name: "1.6.1.1 | PATCH | Ensure SELinux is installed" + package: + name: libselinux + state: present + when: + - rhel9cis_rule_1_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.1 + +- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" + replace: + dest: /etc/default/grub + regexp: '(selinux|enforcing)\s*=\s*0\s*' + replace: '' + register: selinux_grub_patch + ignore_errors: yes + notify: grub2cfg + when: + - rhel9cis_rule_1_6_1_2 + tags: + - level1-server + - level1-workstation + - scored + - patch + - rule_1.6.1.2 + +# State set to enforcing because control 1.6.1.5 requires enforcing to be set +- name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" + selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: enforcing + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - selinux + - patch + - rule_1.6.1.3 + +# State set to enforcing because control 1.6.1.5 requires enforcing to be set +- name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" + selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: enforcing + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 + tags: + - level1-server + - level1-workstation + - auotmated + - selinux + - patch + - rule_1.6.1.4 + +- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" + selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: enforcing + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_5 + tags: + - level2-server + - level2-workstation + - automated + - selinux + - patch + - rule_1.6.1.5 + +- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" + block: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + register: rhelcis_1_6_1_6_unconf_services + failed_when: false + changed_when: false + + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + debug: + msg: "Good News! There are no services found on your system" + when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 + + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + debug: + msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 + when: + - rhel9cis_rule_1_6_1_6 + tags: + - level1-server + - level1-workstation + - automated + - audit + - services + - rule_1.6.1.6 + +- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" + package: + name: setroubleshoot + state: absent + when: + - rhel9cis_rule_1_6_1_7 + - "'setroubleshoot' in ansible_facts.packages" + tags: + - level1-server + - automated + - selinux + - patch + - rule_1.6.1.7 + +- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + package: + name: mcstrans + state: absent + when: + - rhel9cis_rule_1_6_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.8 diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml new file mode 100644 index 00000000..1ee55791 --- /dev/null +++ b/tasks/section_1/cis_1.7.x.yml @@ -0,0 +1,102 @@ +--- + +- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" + template: + src: etc/motd.j2 + dest: /etc/motd + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_7_1 + tags: + - level1-server + - level1-workstation + - automated + - banner + - patch + - rule_1.7.1 + +- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" + template: + src: etc/issue.j2 + dest: /etc/issue + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_7_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.2 + +- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" + template: + src: etc/issue.net.j2 + dest: /etc/issue.net + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_7_3 + tags: + - level1-server + - level1-workstation + - automated + - banner + - patch + - rule_1.7.3 + +- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" + file: + dest: /etc/motd + state: file + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_7_4 + tags: + - level1-server + - level1-workstation + - automated + - perms + - patch + - rule_1.7.4 + +- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" + file: + dest: /etc/issue + state: file + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_7_5 + tags: + - level1-server + - level1-workstation + - automated + - perms + - patch + - rule_1.7.5 + +- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" + file: + dest: /etc/issue.net + state: file + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_7_6 + tags: + - level1-server + - level1-workstation + - automated + - perms + - patch + - rule_1.7.6 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml new file mode 100644 index 00000000..1edc7048 --- /dev/null +++ b/tasks/section_1/cis_1.8.x.yml @@ -0,0 +1,111 @@ +--- + +- name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" + package: + name: gdm + state: absent + when: + - rhel9cis_rule_1_8_1 + - "'gdm' in ansible_facts.packages" + tags: + - level2-server + - automated + - patch + - gui + - gdm + - rule_1.8.1 + +- name: "1.8.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + dest: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: yes + owner: root + group: root + mode: 0644 + notify: reload dconf + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } + when: + - rhel9cis_rule_1_8_2 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - gdm + - rule_1.8.2 + +- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled" + lineinfile: + path: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: yes + owner: root + group: root + mode: 0644 + notify: reload dconf + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'} + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } + when: + - rhel9cis_rule_1_8_3 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.3 + +- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled" + lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent + when: + - rhel9cis_rule_1_8_4 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.4 + +- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" + lineinfile: + path: /etc/dconf/db/local.d/00-media-automount + regex: "{{ item.regex }}" + line: "{{ item.line }}" + create: yes + notify: reload dconf + with_items: + - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } + - { regex: 'automount=', line: 'automount=false' } + - { regex: 'automount-open=', line: 'automount-open=false'} + when: + - rhel9cis_rule_1_8_5 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - automated + - patch + - gui + - rule_1.8.5 From f808f30173c58456028d4c5d7a9fe0581f7198be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:08:18 +0100 Subject: [PATCH 03/69] updated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 74 ++---- tasks/section_1/cis_1.1.2.x.yml | 22 +- tasks/section_1/cis_1.1.3.x.yml | 12 +- tasks/section_1/cis_1.1.4.x.yml | 12 +- tasks/section_1/cis_1.1.5.x.yml | 12 +- tasks/section_1/cis_1.1.6.x.yml | 12 +- tasks/section_1/cis_1.1.7.x.yml | 14 +- tasks/section_1/cis_1.1.8.x.yml | 12 +- tasks/section_1/cis_1.1.x.yml | 346 +-------------------------- tasks/section_1/cis_1.10.yml | 10 +- tasks/section_1/cis_1.2.x.yml | 77 +++--- tasks/section_1/cis_1.3.x.yml | 65 ++--- tasks/section_1/cis_1.4.x.yml | 93 +++++--- tasks/section_1/cis_1.5.x.yml | 82 +++---- tasks/section_1/cis_1.6.1.x.yml | 28 +-- tasks/section_1/cis_1.7.x.yml | 12 +- tasks/section_1/cis_1.8.x.yml | 20 +- tasks/section_1/cis_1.9.yml | 6 +- tasks/section_1/main.yml | 59 +++-- tasks/section_2/cis_2.1.x.yml | 43 ++++ tasks/section_2/cis_2.2.x.yml | 411 ++++++++++++++++++-------------- tasks/section_2/cis_2.3.x.yml | 76 +++++- tasks/section_2/cis_2.4.yml | 26 ++ tasks/section_2/main.yml | 10 +- 24 files changed, 690 insertions(+), 844 deletions(-) create mode 100644 tasks/section_2/cis_2.1.x.yml create mode 100644 tasks/section_2/cis_2.4.yml diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index dc8ae32b..b9fb6749 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,102 +1,76 @@ --- -- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" block: - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" modprobe: name: cramfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_1 + - rhel8cis_rule_1_1_1_1 tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_1.1.1.1 - cramfs -- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited" +- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install vfat(\\s|$)" - line: "install vfat /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" - modprobe: - name: vfat - state: absent - when: ansible_connection != 'docker' - when: - - rhel9cis_rule_1_1_1_2 - - rhel9cis_legacy_boot - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.1.1.2 - - vfat - -- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_3 + - rhel8cis_rule_1_1_1_2 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.3 + - rule_1.1.1.2 - squashfs -- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_4 + - rhel8cis_rule_1_1_1_3 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.4 + - rule_1.1.1.3 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index bb189930..06c4eefa 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,7 +4,7 @@ debug: msg: "WARNING!! /tmp is not mounted on a separate partition" when: - - rhel9cis_rule_1_1_2_1 + - rhel8cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server @@ -24,7 +24,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid{% endif %} notify: remount tmp with_items: - "{{ ansible_mounts }}" @@ -32,10 +32,10 @@ label: "{{ item.device }}" when: - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_2 or - rhel9cis_rule_1_1_2_3 or - rhel9cis_rule_1_1_2_4 + - not rhel8cis_tmp_svc + - rhel8cis_rule_1_1_2_2 or + rhel8cis_rule_1_1_2_3 or + rhel8cis_rule_1_1_2_4 tags: - level1-server - level1-workstation @@ -60,11 +60,11 @@ mode: 0644 notify: systemd restart tmp.mount when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_1 or - rhel9cis_rule_1_1_2_2 or - rhel9cis_rule_1_1_2_3 or - rhel9cis_rule_1_1_2_4 + - rhel8cis_tmp_svc + - rhel8cis_rule_1_1_2_1 or + rhel8cis_rule_1_1_2_2 or + rhel8cis_rule_1_1_2_3 or + rhel8cis_rule_1_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index c7fb9867..31696f89 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -19,7 +19,7 @@ vars: required_mount: '/var' when: - - rhel9cis_rule_1_1_3_1 + - rhel8cis_rule_1_1_3_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,10 +47,10 @@ when: - var_mount_present is defined - item.mount == "/var" - - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 or - rhel9cis_rule_1_1_3_4 + - rhel8cis_rule_1_1_3_1 # This is required so the check takes place + - rhel8cis_rule_1_1_3_2 or + rhel8cis_rule_1_1_3_3 or + rhel8cis_rule_1_1_3_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index dbeab96e..b2ddbf02 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -20,7 +20,7 @@ vars: required_mount: '/var/tmp' when: - - rhel9cis_rule_1_1_4_1 + - rhel8cis_rule_1_1_4_1 tags: - level2-server - level2-workstation @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -48,10 +48,10 @@ when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_4_1 # This is required so the check takes place - - rhel9cis_rule_1_1_4_2 or - rhel9cis_rule_1_1_4_3 or - rhel9cis_rule_1_1_4_4 + - rhel8cis_rule_1_1_4_1 # This is required so the check takes place + - rhel8cis_rule_1_1_4_2 or + rhel8cis_rule_1_1_4_3 or + rhel8cis_rule_1_1_4_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index f286fcc8..662c8da5 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log' when: - - rhel9cis_rule_1_1_5_1 + - rhel8cis_rule_1_1_5_1 tags: - level2-server - level2-workstation @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -46,10 +46,10 @@ when: - var_log_mount_present is defined - item.mount == "/var/log" - - rhel9cis_rule_1_1_5_1 # This is required so the check takes place - - rhel9cis_rule_1_1_5_2 or - rhel9cis_rule_1_1_5_3 or - rhel9cis_rule_1_1_5_4 + - rhel8cis_rule_1_1_5_1 # This is required so the check takes place + - rhel8cis_rule_1_1_5_2 or + rhel8cis_rule_1_1_5_3 or + rhel8cis_rule_1_1_5_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 94e85d2b..89434f8d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log/audit' when: - - rhel9cis_rule_1_1_6_1 + - rhel8cis_rule_1_1_6_1 tags: - level2-server - level2-workstation @@ -36,7 +36,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -45,10 +45,10 @@ when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel9cis_rule_1_1_6_1 # This is required so the check takes place - - rhel9cis_rule_1_1_6_2 or - rhel9cis_rule_1_1_6_3 or - rhel9cis_rule_1_1_6_4 + - rhel8cis_rule_1_1_6_1 # This is required so the check takes place + - rhel8cis_rule_1_1_6_2 or + rhel8cis_rule_1_1_6_3 or + rhel8cis_rule_1_1_6_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 453fef53..a4aa38d1 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/home' when: - - rhel9cis_rule_1_1_7_1 + - rhel8cis_rule_1_1_7_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,11 +47,11 @@ when: - home_mount_present is defined - item.mount == "/home" - - rhel9cis_rule_1_1_7_1 - - rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_3 or - rhel9cis_rule_1_1_7_4 or - rhel9cis_rule_1_1_7_5 + - rhel8cis_rule_1_1_7_1 + - rhel8cis_rule_1_1_7_2 or + rhel8cis_rule_1_1_7_3 or + rhel8cis_rule_1_1_7_4 or + rhel8cis_rule_1_1_7_5 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6aff..b2ec06c7 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -14,7 +14,7 @@ changed_when: false failed_when: false check_mode: no - register: rhel9cis_1_1_8_x_dev_shm_status + register: rhel8cis_1_1_8_x_dev_shm_status - name: | "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -25,13 +25,13 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" + opts: defaults,{% if rhel8cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel8cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: - - rhel9cis_rule_1_1_8_1 or - rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_3 + - rhel8cis_rule_1_1_8_1 or + rhel8cis_rule_1_1_8_2 or + rhel8cis_rule_1_1_8_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 2becc11c..4498978a 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -1,365 +1,45 @@ --- -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via fstab" - mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5 %}nosuid{% endif %} - notify: remount tmp - loop: "{{ ansible_mounts }}" - when: - - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via systemd" - template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 0644 - notify: systemd restart tmp.mount - when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var" - block: - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var' - when: - - rhel9cis_rule_1_1_6 - tags: - - level2-server - - level2-workstation - - scored - - patch - - mounts - - rule_1.1.6 - -- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | skips if mount absent" - block: - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_tmp_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/var/tmp' - when: - - rhel9cis_rule_1_1_7 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.7 - -- name: | - "1.1.8 | L1 | PATCH | Ensure nodev option set on /var/tmp partition | skips if mount absent" - "1.1.9 | L1 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent" - "1.1.10 | L1 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent" - mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_10 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_9 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" - when: - - var_tmp_mount_present is defined - - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_7 # This is required so the check takes place - - rhel9cis_rule_1_1_8 or - rhel9cis_rule_1_1_9 or - rhel9cis_rule_1_1_10 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - skip_ansible_lint - -- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log" - block: - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log' - when: - - rhel9cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.11 - - skip_ansible_lint - -- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit" - block: - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log/audit' - when: - - rhel9cis_rule_1_1_12 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.12 - - -- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/home' - when: - - rhel9cis_rule_1_1_13 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: "1.1.14 | L1 | PATCH | Ensure nodev option set on /home partition | skips if mount absent" - mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_14 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" - when: - - home_mount_present is defined - - item.mount == "/home" - - rhel9cis_rule_1_1_14 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - block: - - name: | - "1.1.15 | L1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_15_dev_shm_status - - - name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_17 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_15 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_16 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_15_dev_shm_status.stdout" - when: - - rhel9cis_rule_1_1_15 or - rhel9cis_rule_1_1_16 or - rhel9cis_rule_1_1_17 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.15 - - rule_1.1.16 - - rule_1.1.17 - -- name: | - "1.1.18 | L1 | PATCH | Ensure nodev option set on removable media partitions" - "1.1.19 | L1 | PATCH | Ensure nosuid option set on removable media partitions" - "1.1.20 | L1 | PATCH | Ensure noexec option set on removable media partitions" - debug: - msg: "--> Not relevant" - changed_when: false - when: - - rhel9cis_rule_1_1_18 or - rhel9cis_rule_1_1_19 or - rhel9cis_rule_1_1_20 - tags: - - level1-server - - level1-workstation - - notscored - - audit - - mounts - - rule_1.1.18 - - rule_1.1.19 - - rule_1.1.20 - -- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false - changed_when: false - failed_when: false - when: - - rhel9cis_rule_1_1_21 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - patch - - stickybits - - permissons - - rule_1.1.21 - -- name: "1.1.22 | L1 | PATCH | Disable Automounting" +- name: "1.1.9 | PATCH | Disable Automounting" service: name: autofs - enabled: false + enabled: no when: - - not rhel9cis_allow_autofs + - not rhel8cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_22 + - rhel8cis_rule_1_1_9 tags: - level1-server - level2-workstation + - automated - patch - mounts - automounting - - rule_1.1.22 + - rule_1.1.9 -- name: "1.1.23 | L1 | PATCH | Disable USB Storage" +- name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: true + create: yes owner: root group: root mode: 0600 - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_23 + - rhel8cis_rule_1_1_10 tags: - level1-server - level2-workstation + - automated - patch - mounts - removable_storage - - rule_1.1.23 + - rule_1.1.10 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 6b4a1611..82ec26ff 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,17 +1,17 @@ --- -- name: "1.10 | L1 | PATCH | Ensure system-wide crypto policy is not legacy" +- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" + update-crypto-policies --set "{{ rhel8cis_crypto_policy }}" update-crypto-policies - args: - warn: false + notify: change_requires_reboot when: - - rhel9cis_rule_1_10 + - rhel8cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server - level1-workstation + - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 52372a3e..a095c966 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -1,103 +1,86 @@ --- -- name: "1.2.1 | L1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" +- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present - username: "{{ rhel9cis_rh_sub_user }}" - password: "{{ rhel9cis_rh_sub_password }}" + username: "{{ rhel8cis_rh_sub_user }}" + password: "{{ rhel8cis_rh_sub_password }}" auto_attach: true no_log: true when: - ansible_distribution == "RedHat" - - rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_1 + - rhel8cis_rhnsd_required + - rhel8cis_rule_1_2_1 tags: - level1-server - level1-workstation - - notscored + - manual - patch - rule_1.2.1 - skip_ansible_lint # Added as no_log still errors on ansuible-lint -- name: "1.2.2 | L1 | PATCH | Disable the rhnsd Daemon" - service: - name: rhnsd - state: stopped - enabled: false - masked: true +- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" + command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" when: - - ansible_distribution == "RedHat" - - rhnsd_service_status.stdout == "loaded" and not rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - notscored - - patch - - rule_1.2.2 - -- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" - args: - warn: false - when: - - rhel9cis_rule_1_2_3 + - rhel8cis_rule_1_2_2 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: - level1-server - level1-workstation - - notscored + - manual - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.4 | L1 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false - - name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_4 + - rhel8cis_rule_1_2_3 tags: - level1-server - level1-workstation - - scored + - automated - patch - - rule_1.2.4 + - rule_1.2.3 -- name: "1.2.5 | L1 | Ensure package manager repositories are configured" +- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" - shell: dnf repolist - args: - warn: false + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" + command: dnf repolist changed_when: false failed_when: false register: dnf_configured - check_mode: false + check_mode: no + args: + warn: false - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel9cis_rule_1_2_5 + - rhel8cis_rule_1_2_4 tags: - level1-server - level1-workstation - - notscored - - patch - - rule_1.2.5 + - manual + - audit + - rule_1.2.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 8456bc13..d89aa673 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -1,44 +1,51 @@ --- -- name: "1.3.1 | L1 | PATCH | Ensure sudo is installed" - package: - name: sudo - state: present +- name: "1.3.1 | PATCH | Ensure AIDE is installed" + block: + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" + package: + name: aide + state: present + + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + changed_when: false + failed_when: false + async: 45 + poll: 0 + args: + creates: /var/lib/aide/aide.db.gz + when: not ansible_check_mode when: - - rhel9cis_rule_1_3_1 + - rhel8cis_config_aide + - rhel8cis_rule_1_3_1 tags: - level1-server - level1-workstation - - scored - - sudo + - automated + - aide - patch - rule_1.3.1 -- name: "1.3.2 | L1 | PATCH | Ensure sudo commands use pty" - lineinfile: - dest: /etc/sudoers - line: "Defaults use_pty" - state: present +- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check + cron_file: "{{ rhel8cis_aide_cron['cron_file'] }}" + user: "{{ rhel8cis_aide_cron['cron_user'] }}" + minute: "{{ rhel8cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel8cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel8cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel8cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel8cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel8cis_aide_cron['aide_job'] }}" when: - - rhel9cis_rule_1_3_2 + - rhel8cis_rule_1_3_2 + - not system_is_ec2 tags: - level1-server - level1-workstation - - scored + - automated + - aide + - file_integrity - patch - rule_1.3.2 - -- name: "1.3.3 | L1 | PATCH | Ensure sudo log file exists" - lineinfile: - dest: /etc/sudoers - regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' - state: present - when: - - rhel9cis_rule_1_3_3 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index a5b1f3b5..96936024 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -1,47 +1,76 @@ --- -- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: - name: aide - state: present - - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" - shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' - args: - warn: false - creates: /var/lib/aide/aide.db.gz - changed_when: false - failed_when: false - async: 45 - poll: 0 - when: not ansible_check_mode +- name: "1.4.1 | PATCH | Ensure bootloader password is set" + copy: + dest: /boot/grub2/user.cfg + content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}" + owner: root + group: root + mode: 0600 + notify: grub2cfg when: - - rhel9cis_config_aide - - rhel9cis_rule_1_4_1 + - rhel8cis_set_boot_pass + - grub_pass is defined and grub_pass.passhash is defined + - grub_pass.passhash | length > 0 + - rhel8cis_rule_1_4_1 tags: - level1-server - level1-workstation - - scored - - aide + - automated + - grub - patch - rule_1.4.1 -- name: "1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked" - template: - src: aide.cron.j2 - dest: /etc/cron.d/aide.cron - owner: root - group: root - mode: 0644 +- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + file: + path: "{{ grub_cfg.stat.lnk_source }}" + owner: root + group: root + mode: 0600 + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" + mount: + name: /boot/efi + src: "UUID={{ item.uuid }}" + fstype: vfat + state: present + opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 + passno: '0' + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: + - not rhel8cis_legacy_boot + - item.mount == "/boot/efi" when: - - rhel9cis_rule_1_4_2 + - rhel8cis_rule_1_4_2 + - grub_cfg.stat.exists + - grub_cfg.stat.islnk tags: - level1-server - level1-workstation - - scored - - aide - - file_integrity + - automated + - grub - patch - rule_1.4.2 + +- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" + lineinfile: + path: /etc/systemd/system/rescue.service.d/00-require-auth.conf + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel8cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 5b169468..a791860d 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,76 +1,50 @@ --- -- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - file: - path: "{{ grub_cfg.stat.lnk_source }}" - owner: root - group: root - mode: 0600 - - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - loop: "{{ ansible_mounts }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" +- name: "1.5.1 | PATCH | Ensure core dump storage is disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: 'Storage=' + line: 'Storage=none' + notify: systemd_daemon_reload when: - - rhel9cis_rule_1_5_1 - - grub_cfg.stat.exists - - grub_cfg.stat.islnk + - rhel8cis_rule_1_5_1 + - systemd_coredump.stat.exists tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch - rule_1.5.1 -- name: "1.5.2 | L1 | PATCH | Ensure bootloader password is set" - copy: - dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" - owner: root - group: root - mode: 0600 - notify: grub2cfg +- name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: 'ProcessSizeMax=' + line: 'ProcessSizeMax=0' when: - - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - - rhel9cis_rule_1_5_2 + - rhel8cis_rule_1_5_2 tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch + - sysctl - rule_1.5.2 -- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode" - block: - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Emergency service" - lineinfile: - dest: /usr/lib/systemd/system/emergency.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency' - - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Rescue service" - lineinfile: - dest: /usr/lib/systemd/system/rescue.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' +- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes when: - - rhel9cis_rule_1_5_3 + - rhel8cis_rule_1_5_3 tags: - level1-server - level1-workstation + - automated - patch + - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index b31600a7..84dc5204 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -5,7 +5,7 @@ name: libselinux state: present when: - - rhel9cis_rule_1_6_1_1 + - rhel8cis_rule_1_6_1_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ ignore_errors: yes notify: grub2cfg when: - - rhel9cis_rule_1_6_1_2 + - rhel8cis_rule_1_6_1_2 tags: - level1-server - level1-workstation @@ -34,11 +34,11 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_3 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_3 tags: - level1-server - level1-workstation @@ -51,11 +51,11 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_4 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_4 tags: - level1-server - level1-workstation @@ -67,11 +67,11 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_5 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_5 tags: - level2-server - level2-workstation @@ -98,7 +98,7 @@ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_6 + - rhel8cis_rule_1_6_1_6 tags: - level1-server - level1-workstation @@ -112,7 +112,7 @@ name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel8cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server @@ -126,7 +126,7 @@ name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_8 + - rhel8cis_rule_1_6_1_8 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1ee55791..586a8812 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -8,7 +8,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_1 + - rhel8cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -25,7 +25,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_2 + - rhel8cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_3 + - rhel8cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -58,7 +58,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_4 + - rhel8cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -75,7 +75,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_5 + - rhel8cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -92,7 +92,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_6 + - rhel8cis_rule_1_7_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 1edc7048..a512e01d 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -5,7 +5,7 @@ name: gdm state: absent when: - - rhel9cis_rule_1_8_1 + - rhel8cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" tags: - level2-server @@ -32,10 +32,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel8cis_warning_banner }}' " } when: - - rhel9cis_rule_1_8_2 - - rhel9cis_gui + - rhel8cis_rule_1_8_2 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -62,8 +62,8 @@ - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } when: - - rhel9cis_rule_1_8_3 - - rhel9cis_gui + - rhel8cis_rule_1_8_3 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -78,8 +78,8 @@ regexp: 'Enable=true' state: absent when: - - rhel9cis_rule_1_8_4 - - rhel9cis_gui + - rhel8cis_rule_1_8_4 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -100,8 +100,8 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel9cis_rule_1_8_5 - - rhel9cis_gui + - rhel8cis_rule_1_8_5 + - rhel8cis_gui tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index a67d5dbd..f6239e37 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,15 +1,17 @@ --- -- name: "1.9 | L1 | PATCH | Ensure updates, patches, and additional security software are installed" +- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" package: name: "*" state: latest + notify: change_requires_reboot when: - - rhel9cis_rule_1_9 + - rhel8cis_rule_1_9 - not system_is_ec2 tags: - level1-server - level1-workstation + - automated - patch - rule_1.9 - skip_ansible_lint diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 933804e1..c5c8e09d 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -1,42 +1,59 @@ --- -- name: "SECTION | 1.1 | FileSystem Configurations\n - SECTION | 1.1.1.x | Disable unused filesystems" +- name: "SECTION | 1.1.1.x | Disable unused filesystems" import_tasks: cis_1.1.1.x.yml -- import_tasks: cis_1.1.x.yml + +- name: "SECTION | 1.1.2.x | Configure /tmp" + import_tasks: cis_1.1.2.x.yml + +- name: "SECTION | 1.1.3.x | Configure /var" + import_tasks: cis_1.1.3.x.yml + +- name: "SECTION | 1.1.4.x | Configure /var/tmp" + import_tasks: cis_1.1.4.x.yml + +- name: "SECTION | 1.1.5.x | Configure /var/log" + import_tasks: cis_1.1.5.x.yml + +- name: "SECTION | 1.1.6.x | Configure /var/log/audit" + import_tasks: cis_1.1.6.x.yml + +- name: "SECTION | 1.1.7.x | Configure /home" + import_tasks: cis_1.1.7.x.yml + +- name: "SECTION | 1.1.8.x | Configure /dev/shm" + import_tasks: cis_1.1.8.x.yml + +- name: "SECTION | 1.1.x | Disable various mounting" + import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" import_tasks: cis_1.2.x.yml -- name: "SECTION | 1.3 | Configure sudo" +- name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml + when: rhel8cis_config_aide -- name: "SECTION | 1.4 | Filesystem Integrity" - include_tasks: cis_1.4.x.yml - when: rhel9cis_config_aide +- name: "SECTION | 1.4 | Secure Boot Settings" + import_tasks: cis_1.4.x.yml -- name: "SECTION | 1.5 | Secure Boot Settings" +- name: "SECTION | 1.5 | Additional Process Hardening" import_tasks: cis_1.5.x.yml -- name: "SECTION | 1.6 | Additional Process Hardening" - import_tasks: cis_1.6.x.yml +- name: "SECTION | 1.6 | Mandatory Access Control" + include_tasks: cis_1.6.1.x.yml + when: not rhel8cis_selinux_disable -- name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - include_tasks: cis_1.7.1.x.yml - when: not rhel9cis_selinux_disable +- name: "SECTION | 1.7 | Command Line Warning Banners" + import_tasks: cis_1.7.x.yml -- name: "SECTION | 1.8 | Warning Banners" - import_tasks: cis_1.8.1.x.yml +- name: "SECTION | 1.8 | Gnome Display Manager" + import_tasks: cis_1.8.x.yml -- name: "SECTION | 1.9 | Updated and Patches" +- name: "SECTION | 1.9 | Updates and Patches" import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" include_tasks: cis_1.10.yml when: - not system_is_ec2 - -- name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - include_tasks: cis_1.11.yml - when: - - not system_is_ec2 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml new file mode 100644 index 00000000..c627db0e --- /dev/null +++ b/tasks/section_2/cis_2.1.x.yml @@ -0,0 +1,43 @@ +--- + +- name: "2.1.1 | PATCH | Ensure time synchronization is in use" + package: + name: "{{ rhel8cis_time_synchronization }}" + state: present + when: + - rhel8cis_rule_2_1_1 + - not rhel8cis_system_is_container + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1 + +- name: "2.1.2 | PATCH | Ensure chrony is configured" + block: + - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" + template: + src: chrony.conf.j2 + dest: /etc/chrony.conf + owner: root + group: root + mode: 0644 + + - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" + lineinfile: + dest: /etc/sysconfig/chronyd + regexp: "^(#)?OPTIONS" + line: "OPTIONS=\"-u chrony\"" + state: present + create: yes + mode: 0644 + when: + - rhel8cis_time_synchronization == "chrony" + - rhel8cis_rule_2_1_2 + - not rhel8cis_system_is_container + tags: + - level1-server + - level1-workstation + - patch + - rule_2.1.2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f21bcd05..f8b492b6 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -1,288 +1,345 @@ --- -- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed" - block: - - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" - shell: rpm -qa | grep xorg-x11 - args: - warn: false - failed_when: xorg_x11_installed.rc >=2 - check_mode: false - changed_when: false - register: xorg_x11_installed +- name: "2.2.1 | PATCH | Ensure xinetd is not installed" + package: + name: xinetd + state: absent + when: + - rhel8cis_rule_2_2_1 + - not rhel8cis_xinetd_server + - "'xinetd' in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.1 - - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" - shell: "dnf remove {{ item }}" - args: - warn: false - with_items: - - xorg_x11_installed.stdout_lines - when: xorg_x11_installed.stdout | length > 0 +- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed" + package: + name: xorg-x11-server-common + state: absent when: - - not rhel9cis_xwindows_required - - rhel9cis_rule_2_2_2 + - rhel8cis_rule_2_2_2 + - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server - - scored - - xwindows + - automated - patch + - x11 - rule_2.2.2 -- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled " - service: - name: rsyncd - state: stopped - enabled: false +- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" + package: + name: + - avahi-autoipd + - avahi + state: absent when: - - not rhel9cis_rsyncd_server - - "'rsyncd' in ansible_facts.packages" - - rhel9cis_rule_2_2_3 + - rhel8cis_rule_2_2_3 + - not rhel8cis_avahi_server + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - - level1-workstation + - level2-workstation + - automated - patch + - avahi - rule_2.2.3 -- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled" - service: - name: avahi-daemon - state: stopped - enabled: false +- name: "2.2.4 | PATCH | Ensure CUPS is not installed" + package: + name: cups + state: absent when: - - not rhel9cis_avahi_server - - "'avahi' in ansible_facts.packages" - - rhel9cis_rule_2_2_4 + - not rhel8cis_cups_server + - "'cups' in ansible_facts.packages" + - rhel8cis_rule_2_2_3 tags: - level1-server - - level1-workstation - - scored - - avahi - - services + - automated - patch - - rule_2.2.4 + - cups + - rule_2.2.3 -- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled" - service: - name: snmpd - state: stopped - enabled: false +- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" + package: + name: dhcp-server + state: absent when: - - not rhel9cis_snmp_server - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_2_5 + - not rhel8cis_dhcp_server + - "'dhcp-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_5 tags: - level1-server - level1-workstation + - audtomated - patch + - dhcp - rule_2.2.5 -- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled" - service: - name: squid - state: stopped - enabled: false +- name: "2.2.6 | PATCH | Ensure DNS Server is not installed" + package: + name: bind + state: absent when: - - not rhel9cis_squid_server - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 + - not rhel8cis_dns_server + - "'bind' in ansible_facts.packages" + - rhel8cis_rule_2_2_6 tags: - level1-server - level1-workstation + - automated - patch + - dns - rule_2.2.6 -- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled" - service: - name: smb - state: stopped - enabled: false +- name: "2.2.7 | PATCH | Ensure FTP Server is not installed" + package: + name: ftp + state: absent when: - - not rhel9cis_smb_server - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 + - not rhel8cis_ftp_server + - "'ftp' in ansible_facts.packages" + - rhel8cis_rule_2_2_7 tags: - level1-server - level1-workstation + - automation - patch + - ftp - rule_2.2.7 -- name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled" - service: - name: dovecot - state: stopped - enabled: false +- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" + package: + name: vsftpd + state: absent when: - - not rhel9cis_dovecot_server - - "'dovecot' in ansible_facts.packages" - - rhel9cis_rule_2_2_8 + - not rhel8cis_vsftpd_server + - "'vsftpd' in ansible_facts.packages" + - rhel8cis_rule_2_2_8 tags: - level1-server - level1-workstation + - automated - patch + - vsftpd - rule_2.2.8 -- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled" - service: - name: httpd - state: stopped - enabled: false +- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" + package: + name: tftp-server + state: absent when: - - not rhel9cis_httpd_server - - "'httpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_9 + - not rhel8cis_tftp_server + - "'tftp-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_9 tags: - level1-server - level1-workstation + - automated - patch + - tftp - rule_2.2.9 -- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled" - service: - name: vsftpd - state: stopped - enabled: false +- name: "2.2.10 | PATCH | Ensure a web server is not installed" + block: + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server" + package: + name: httpd + state: absent + when: + - not rhel8cis_httpd_server + - "'httpd' in ansible_facts.packages" + + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" + package: + name: nginx + state: absent + when: + - not rhel8cis_nginx_server + - "'nginx' in ansible_facts.packages" when: - - not rhel9cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_10 + - rhel8cis_rule_2_2_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.10 + - httpd + - nginx + - webserver + - rule_2.2.9 -- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled" - service: - name: named - state: stopped - enabled: false +- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - dovecot + - cyrus-imapd + state: absent when: - - not rhel9cis_named_server - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_11 + - not rhel8cis_dovecot_cyrus_server + - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" + - rhel8cis_rule_2_2_11 tags: - level1-server - level1-workstation + - automated - patch + - dovecot + - imap + - pop3 - rule_2.2.11 -- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled" - service: - name: nfs-server - state: stopped - enabled: false +- name: "2.2.12 | PATCH | Ensure Samba is not enabled" + package: + name: samba + state: absent when: - - not rhel9cis_nfs_rpc_server - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 + - not rhel8cis_samba_server + - "'samba' in ansible_facts.packages" + - rhel8cis_rule_2_2_12 tags: - level1-server - level1-workstation - - scored - - nfs - - services + - automated - patch + - samba - rule_2.2.12 -- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled" - service: - name: rpcbind - state: stopped - enabled: false +- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" + package: + name: squid + state: absent when: - - not rhel9cis_nfs_rpc_server - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_13 + - not rhel8cis_squid_server + - "'squid' in ansible_facts.packages" + - rhel8cis_rule_2_2_6 tags: - level1-server - level1-workstation - - scored - - rpc - - services + - automation - patch - - rule_2.2.7 + - squid + - rule_2.2.13 -- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled" - service: - name: slapd - state: stopped - enabled: false +- name: "2.2.14 | PATCH | Ensure net-snmp is not installed" + package: + name: net-snmp + state: absent when: - - not rhel9cis_ldap_server - - "'openldap-servers' in ansible_facts.packages" - - rhel9cis_rule_2_2_14 + - not rhel8cis_snmp_server + - "'net-snmp' in ansible_facts.packages" + - rhel8cis_rule_2_2_14 tags: - level1-server - level1-workstation - - scored - - ldap - - services + - automation - patch - - rule_2.2.6 + - snmp + - rule_2.2.14 -- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled" - service: - name: dhcpd - state: stopped - enabled: false +- name: "2.2.15 | PATCH | Ensure NIS Server is not installed" + package: + name: ypserv + state: absent when: - - not rhel9cis_dhcp_server - - "'dhcp' in ansible_facts.packages" - - rhel9cis_rule_2_2_15 + - not rhel8cis_nis_server + - "'ypserv' in ansible_facts.packages" + - rhel8cis_rule_2_2_17 tags: - level1-server - level1-workstation - - scored - - dhcp - - services + - automated - patch - - rule_2.2.15 + - nis + - rule_2.2.17 -- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled" - service: - name: cups - state: stopped - enabled: false +- name: "2.2.16 | PATCH | Ensure telnet-server is not installed" + package: + name: telnet-server + state: absent when: - - not rhel9cis_cups_server - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 + - not rhel8cis_telnet_server + - "'telnet-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_16 tags: - level1-server - - level2-workstation - - scored - - cups - - services + - level1-workstation + - automated - patch + - telnet - rule_2.2.16 -- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled" - service: - name: ypserv - state: stopped - enabled: false +- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" + lineinfile: + dest: /etc/postfix/main.cf + regexp: "^(#)?inet_interfaces" + line: "inet_interfaces = loopback-only" + notify: restart postfix when: - - not rhel9cis_nis_server - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 + - not rhel8cis_is_mail_server + - "'postfix' in ansible_facts.packages" + - rhel8cis_rule_2_2_17 tags: - level1-server - level1-workstation + - automated - patch + - postfix - rule_2.2.17 -- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode" - lineinfile: - dest: /etc/postfix/main.cf - regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = loopback-only" - notify: restart postfix +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" + package: + name: nfs-utils + state: absent when: - - not rhel9cis_is_mail_server - - "'postfix' in ansible_facts.packages" - - rhel9cis_rule_2_2_18 + - not rhel8cis_nfs_server + - "'nfs-utils' in ansible_facts.packages" + - rhel8cis_rule_2_2_18 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1 + - nfs + - services + - rule_2.2.18 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" + package: + name: rpcbind + state: absent + when: + - not rhel8cis_rpc_server + - "'rpcbind' in ansible_facts.packages" + - rhel8cis_rule_2_2_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rpc + - rule_2.2.19 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " + package: + name: rsync + state: absent + when: + - not rhel8cis_rsync_server + - "'rsync' in ansible_facts.packages" + - rhel8cis_rule_2_2_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rsync + - rule_2.2.20 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 875eff8d..ee52a752 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -1,43 +1,97 @@ --- -- name: "2.3.1 | L1 | PATCH | Ensure NIS Client is not installed" +- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" package: name: ypbind state: absent when: - - not rhel9cis_ypbind_required + - not rhel8cis_ypbind_required - "'ypbind' in ansible_facts.packages" - - rhel9cis_rule_2_3_1 + - rhel8cis_rule_2_3_1 tags: - level1-server - level1-workstation + - automated - patch + - nis - rule_2.3.1 -- name: "2.3.2 | L1 | PATCH | Ensure telnet client is not installed" +- name: "2.3.2 | PATCH | Ensure rsh client is not installed" + package: + name: rsh + state: absent + when: + - not rhel8cis_rsh_required + - "'rsh' in ansible_facts.packages" + - rhel8cis_rule_2_3_2 + tags: + - level1-server + - level2-server + - automated + - patch + - rsh + - rule_2.3.2 + +- name: "2.3.3 | PATCH | Ensure talk client is not installed" + package: + name: talk + state: absent + when: + - not rhel8cis_talk_required + - "'talk' in ansible_facts.packages" + - rhel8cis_rule_2_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - talk + - rule_2.3.3 + +- name: "2.3.4 | PATCH | Ensure telnet client is not installed" package: name: telnet state: absent when: - - not rhel9cis_telnet_required + - not rhel8cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel9cis_rule_2_3_2 + - rhel8cis_rule_2_3_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.2 + - telnet + - rule_2.3.4 -- name: "2.3.3 | L1 | PATCH | Ensure LDAP client is not installed" +- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" package: name: openldap-clients state: absent when: - - not rhel9cis_openldap_clients_required + - not rhel8cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_3 + - rhel8cis_rule_2_3_5 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.3 + - ldap + - rule_2.3.5 + +- name: "2.3.6 | PATCH | Ensure TFTP client is not installed" + package: + name: tftp + state: absent + when: + - not rhel8cis_tftp_client + - "'tftp' in ansible_facts.packages" + - rhel8cis_rule_2_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - rule_2.3.6 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml new file mode 100644 index 00000000..84608741 --- /dev/null +++ b/tasks/section_2/cis_2.4.yml @@ -0,0 +1,26 @@ +--- + +- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" + block: + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services" + shell: systemctl list-units --type=service + changed_when: false + failed_when: false + check_mode: no + register: rhel8cis_2_4_services + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" + debug: + msg: + - "Alert! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ rhel8cis_2_4_services.stdout_lines }}" + when: + - rhel8cis_rule_2_4 + tags: + - level1-server + - level1-workstation + - manual + - audit + - services + - rule_2.4 \ No newline at end of file diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 2b705ae8..731f10c1 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- -- name: "SECTION | 2.1 | xinetd" - import_tasks: cis_2.1.1.yml - -- name: "SECTION | 2.2.1 | Time Synchronization" - import_tasks: cis_2.2.1.x.yml +- name: "SECTION | 2.1 | Time Synchronization" + import_tasks: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" import_tasks: cis_2.3.x.yml + +- name: "SECTION | 2.4 | Nonessential services removed" + import_tasks: cis_2.4.yml \ No newline at end of file From dc5f71d461dc514a4c1629f33e76d2d1b03f60bd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:09:55 +0100 Subject: [PATCH 04/69] removed not required files Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.11.yml | 17 ----- tasks/section_1/cis_1.6.x.yml | 54 --------------- tasks/section_1/cis_1.7.1.x.yml | 117 -------------------------------- tasks/section_1/cis_1.8.1.x.yml | 96 -------------------------- tasks/section_1/cis_1.8.2.yml | 27 -------- tasks/section_2/cis_2.1.1.yml | 14 ---- tasks/section_2/cis_2.2.1.x.yml | 42 ------------ 7 files changed, 367 deletions(-) delete mode 100644 tasks/section_1/cis_1.11.yml delete mode 100644 tasks/section_1/cis_1.6.x.yml delete mode 100644 tasks/section_1/cis_1.7.1.x.yml delete mode 100644 tasks/section_1/cis_1.8.1.x.yml delete mode 100644 tasks/section_1/cis_1.8.2.yml delete mode 100644 tasks/section_2/cis_2.1.1.yml delete mode 100644 tasks/section_2/cis_2.2.1.x.yml diff --git a/tasks/section_1/cis_1.11.yml b/tasks/section_1/cis_1.11.yml deleted file mode 100644 index bfd88069..00000000 --- a/tasks/section_1/cis_1.11.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "1.11 | L2 | PATCH | Ensure system-wide crypto policy is FUTURE or FIPS" - shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - update-crypto-policies - args: - warn: false - when: - - rhel9cis_rule_1_11 - - system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies - tags: - - level2-server - - level2-workstation - - not system_is_ec2 - - patch - - rule_1.11 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml deleted file mode 100644 index 1b37c0de..00000000 --- a/tasks/section_1/cis_1.6.x.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted" - block: - - name: "1.6.1 | L1 | Ensure core dumps are restricted | Update limits.conf file" - lineinfile: - state: present - dest: /etc/security/limits.conf - regexp: '^#?\\*.*core' - line: '* hard core 0' - insertbefore: '^# End of file' - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | Set active kernel parameter" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | if systemd coredump" - lineinfile: - path: /etc/systemd/coredump.conf - regexp: "{{ item.regexp }}" - line: "{{ item.regexp }}{{ item.line }}" - state: present - with_items: - - {'regexp': 'Storage=', 'line': 'none'} - - {'regexp': 'ProcessSizeMax=', 'line': '0'} - notify: - - systemd_daemon_reload - when: - - systemd_coredump.stat.exists - when: - - rhel9cis_rule_1_6_1 - tags: - - level1-server - - level1-workstation - - scored - - sysctl - - patch - - rule_1.6.1 - -- name: "1.6.2 | L1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - when: - - rhel9cis_rule_1_6_2 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.6.2 diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml deleted file mode 100644 index ded71283..00000000 --- a/tasks/section_1/cis_1.7.1.x.yml +++ /dev/null @@ -1,117 +0,0 @@ ---- - -- name: "1.7.1.1 | L2 | PATCH | Ensure SELinux is installed" - package: - name: libselinux - state: present - when: - - rhel9cis_rule_1_7_1_1 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.1 - -- name: "1.7.1.2 | L2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: - dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' - replace: '' - register: selinux_grub_patch - ignore_errors: true - notify: grub2cfg - when: - - rhel9cis_rule_1_7_1_2 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.2 - -- name: "1.7.1.3 | L2 | PATCH | Ensure SELinux policy is configured" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_3 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.3 - -- name: "1.7.1.4 | L2 | PATCH | Ensure the SELinux state is enforcing" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_4 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.4 - -- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist" - block: - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - args: - warn: false - register: rhelcis_1_7_1_5_unconf_daemons - failed_when: false - changed_when: false - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones" - debug: - msg: "Good News! There are no unconfined daemons found on your system" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length == 0 - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones" - debug: - msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length > 0 - when: - - rhel9cis_rule_1_7_1_5 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.7.1.5 - -- name: "1.7.1.6 | L2 | PATCH | Ensure SETroubleshoot is not installed" - package: - name: setroubleshoot - state: absent - when: - - rhel9cis_rule_1_7_1_6 - - "'setroubleshoot' in ansible_facts.packages" - tags: - - level2-server - - scored - - selinux - - patch - - rule_1.7.1.6 - -- name: "1.7.1.7 | L2 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: - name: mcstrans - state: absent - when: - - rhel9cis_rule_1_7_1_7 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.7 diff --git a/tasks/section_1/cis_1.8.1.x.yml b/tasks/section_1/cis_1.8.1.x.yml deleted file mode 100644 index d8cbec37..00000000 --- a/tasks/section_1/cis_1.8.1.x.yml +++ /dev/null @@ -1,96 +0,0 @@ ---- - -- name: "1.8.1.1 | L1 | PATCH | Ensure message of the day is configured properly" - template: - src: etc/motd.j2 - dest: /etc/motd - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_1 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.8.1.1 - -- name: "1.8.1.2 | L1 | PATCH | Ensure local login warning banner is configured properly" - template: - src: etc/issue.j2 - dest: /etc/issue - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.2 - -- name: "1.8.1.3 | L1 | PATCH | Ensure remote login warning banner is configured properly" - template: - src: etc/issue.net.j2 - dest: /etc/issue.net - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_3 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.8.1.3 - -- name: "1.8.1.4 | L1 | PATCH | Ensure permissions on /etc/motd are configured" - file: - dest: /etc/motd - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_4 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.4 - -- name: "1.8.1.5 | L1 | PATCH | Ensure permissions on /etc/issue are configured" - file: - dest: /etc/issue - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_5 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.5 - -- name: "1.8.1.6 | L1 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: - dest: /etc/issue.net - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_6 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.6 diff --git a/tasks/section_1/cis_1.8.2.yml b/tasks/section_1/cis_1.8.2.yml deleted file mode 100644 index be371dcf..00000000 --- a/tasks/section_1/cis_1.8.2.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: "1.8.2 | L1 | PATCH | Ensure GDM login banner is configured" - lineinfile: - dest: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - owner: root - group: root - mode: 0644 - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } - when: - - rhel9cis_gui - - rhel9cis_rule_1_8_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.2 diff --git a/tasks/section_2/cis_2.1.1.yml b/tasks/section_2/cis_2.1.1.yml deleted file mode 100644 index 5b563645..00000000 --- a/tasks/section_2/cis_2.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "2.1.1 | L1 | PATCH | Ensure xinetd is not installed" - package: - name: xinetd - state: absent - when: - - rhel9cis_rule_2_1_1 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_2.1.1 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml deleted file mode 100644 index 8b8b39c8..00000000 --- a/tasks/section_2/cis_2.2.1.x.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- - -- name: "2.2.1.1 | L1 | PATCH | Ensure time synchronization is in use - service install" - package: - name: "{{ rhel9cis_time_synchronization }}" - state: present - when: - - rhel9cis_rule_2_2_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.1 - -- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured" - block: - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | Set configuration" - template: - src: chrony.conf.j2 - dest: /etc/chrony.conf - owner: root - group: root - mode: 0644 - - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - lineinfile: - dest: /etc/sysconfig/chronyd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u chrony\"" - state: present - create: true - mode: 0644 - when: - - rhel9cis_time_synchronization == "chrony" - - rhel9cis_rule_2_2_1_2 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.2 From 8c79bfe7fb7b12cee8dd3307d0b590827faedf98 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:22:30 +0100 Subject: [PATCH 05/69] updated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +- tasks/section_1/cis_1.1.2.x.yml | 22 +++---- tasks/section_1/cis_1.1.3.x.yml | 12 ++-- tasks/section_1/cis_1.1.4.x.yml | 12 ++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++-- tasks/section_1/cis_1.1.6.x.yml | 12 ++-- tasks/section_1/cis_1.1.7.x.yml | 14 ++--- tasks/section_1/cis_1.1.8.x.yml | 12 ++-- tasks/section_1/cis_1.1.x.yml | 6 +- tasks/section_1/cis_1.10.yml | 4 +- tasks/section_1/cis_1.2.x.yml | 14 ++--- tasks/section_1/cis_1.3.x.yml | 22 +++---- tasks/section_1/cis_1.4.x.yml | 12 ++-- tasks/section_1/cis_1.5.x.yml | 6 +- tasks/section_1/cis_1.6.1.x.yml | 28 ++++----- tasks/section_1/cis_1.7.x.yml | 12 ++-- tasks/section_1/cis_1.8.x.yml | 20 +++--- tasks/section_1/cis_1.9.yml | 2 +- tasks/section_1/main.yml | 4 +- tasks/section_2/cis_2.1.x.yml | 12 ++-- tasks/section_2/cis_2.2.x.yml | 80 ++++++++++++------------ tasks/section_2/cis_2.3.x.yml | 24 ++++---- tasks/section_2/cis_2.4.yml | 6 +- tasks/section_3/cis_3.1.x.yml | 104 +++++++++++++++++++++++--------- tasks/section_3/cis_3.3.x.yml | 61 ------------------- 25 files changed, 253 insertions(+), 266 deletions(-) delete mode 100644 tasks/section_3/cis_3.3.x.yml diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index b9fb6749..8cf70dc1 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -16,7 +16,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_1 + - rhel9cis_rule_1_1_1_1 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_2 + - rhel9cis_rule_1_1_1_2 tags: - level2-server - level2-workstation @@ -66,7 +66,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_3 + - rhel9cis_rule_1_1_1_3 tags: - level2-server - level2-workstation diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 06c4eefa..bb189930 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,7 +4,7 @@ debug: msg: "WARNING!! /tmp is not mounted on a separate partition" when: - - rhel8cis_rule_1_1_2_1 + - rhel9cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server @@ -24,7 +24,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: remount tmp with_items: - "{{ ansible_mounts }}" @@ -32,10 +32,10 @@ label: "{{ item.device }}" when: - item.mount == "/tmp" - - not rhel8cis_tmp_svc - - rhel8cis_rule_1_1_2_2 or - rhel8cis_rule_1_1_2_3 or - rhel8cis_rule_1_1_2_4 + - not rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 tags: - level1-server - level1-workstation @@ -60,11 +60,11 @@ mode: 0644 notify: systemd restart tmp.mount when: - - rhel8cis_tmp_svc - - rhel8cis_rule_1_1_2_1 or - rhel8cis_rule_1_1_2_2 or - rhel8cis_rule_1_1_2_3 or - rhel8cis_rule_1_1_2_4 + - rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_1 or + rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 31696f89..c7fb9867 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -19,7 +19,7 @@ vars: required_mount: '/var' when: - - rhel8cis_rule_1_1_3_1 + - rhel9cis_rule_1_1_3_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,10 +47,10 @@ when: - var_mount_present is defined - item.mount == "/var" - - rhel8cis_rule_1_1_3_1 # This is required so the check takes place - - rhel8cis_rule_1_1_3_2 or - rhel8cis_rule_1_1_3_3 or - rhel8cis_rule_1_1_3_4 + - rhel9cis_rule_1_1_3_1 # This is required so the check takes place + - rhel9cis_rule_1_1_3_2 or + rhel9cis_rule_1_1_3_3 or + rhel9cis_rule_1_1_3_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b2ddbf02..dbeab96e 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -20,7 +20,7 @@ vars: required_mount: '/var/tmp' when: - - rhel8cis_rule_1_1_4_1 + - rhel9cis_rule_1_1_4_1 tags: - level2-server - level2-workstation @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -48,10 +48,10 @@ when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel8cis_rule_1_1_4_1 # This is required so the check takes place - - rhel8cis_rule_1_1_4_2 or - rhel8cis_rule_1_1_4_3 or - rhel8cis_rule_1_1_4_4 + - rhel9cis_rule_1_1_4_1 # This is required so the check takes place + - rhel9cis_rule_1_1_4_2 or + rhel9cis_rule_1_1_4_3 or + rhel9cis_rule_1_1_4_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 662c8da5..f286fcc8 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log' when: - - rhel8cis_rule_1_1_5_1 + - rhel9cis_rule_1_1_5_1 tags: - level2-server - level2-workstation @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -46,10 +46,10 @@ when: - var_log_mount_present is defined - item.mount == "/var/log" - - rhel8cis_rule_1_1_5_1 # This is required so the check takes place - - rhel8cis_rule_1_1_5_2 or - rhel8cis_rule_1_1_5_3 or - rhel8cis_rule_1_1_5_4 + - rhel9cis_rule_1_1_5_1 # This is required so the check takes place + - rhel9cis_rule_1_1_5_2 or + rhel9cis_rule_1_1_5_3 or + rhel9cis_rule_1_1_5_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 89434f8d..94e85d2b 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log/audit' when: - - rhel8cis_rule_1_1_6_1 + - rhel9cis_rule_1_1_6_1 tags: - level2-server - level2-workstation @@ -36,7 +36,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -45,10 +45,10 @@ when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel8cis_rule_1_1_6_1 # This is required so the check takes place - - rhel8cis_rule_1_1_6_2 or - rhel8cis_rule_1_1_6_3 or - rhel8cis_rule_1_1_6_4 + - rhel9cis_rule_1_1_6_1 # This is required so the check takes place + - rhel9cis_rule_1_1_6_2 or + rhel9cis_rule_1_1_6_3 or + rhel9cis_rule_1_1_6_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index a4aa38d1..453fef53 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/home' when: - - rhel8cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,11 +47,11 @@ when: - home_mount_present is defined - item.mount == "/home" - - rhel8cis_rule_1_1_7_1 - - rhel8cis_rule_1_1_7_2 or - rhel8cis_rule_1_1_7_3 or - rhel8cis_rule_1_1_7_4 or - rhel8cis_rule_1_1_7_5 + - rhel9cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_2 or + rhel9cis_rule_1_1_7_3 or + rhel9cis_rule_1_1_7_4 or + rhel9cis_rule_1_1_7_5 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index b2ec06c7..a61a6aff 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -14,7 +14,7 @@ changed_when: false failed_when: false check_mode: no - register: rhel8cis_1_1_8_x_dev_shm_status + register: rhel9cis_1_1_8_x_dev_shm_status - name: | "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -25,13 +25,13 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel8cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel8cis_1_1_8_x_dev_shm_status.stdout" + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: - - rhel8cis_rule_1_1_8_1 or - rhel8cis_rule_1_1_8_2 or - rhel8cis_rule_1_1_8_3 + - rhel9cis_rule_1_1_8_1 or + rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 4498978a..ed2872e9 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -5,9 +5,9 @@ name: autofs enabled: no when: - - not rhel8cis_allow_autofs + - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel8cis_rule_1_1_9 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation @@ -34,7 +34,7 @@ name: usb-storage state: absent when: - - rhel8cis_rule_1_1_10 + - rhel9cis_rule_1_1_10 tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 82ec26ff..19ddc3f3 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -2,11 +2,11 @@ - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | - update-crypto-policies --set "{{ rhel8cis_crypto_policy }}" + update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies notify: change_requires_reboot when: - - rhel8cis_rule_1_10 + - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index a095c966..19ef3d0d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -3,14 +3,14 @@ - name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present - username: "{{ rhel8cis_rh_sub_user }}" - password: "{{ rhel8cis_rh_sub_password }}" + username: "{{ rhel9cis_rh_sub_user }}" + password: "{{ rhel9cis_rh_sub_password }}" auto_attach: true no_log: true when: - ansible_distribution == "RedHat" - - rhel8cis_rhnsd_required - - rhel8cis_rule_1_2_1 + - rhel9cis_rhnsd_required + - rhel9cis_rule_1_2_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" when: - - rhel8cis_rule_1_2_2 + - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: @@ -51,7 +51,7 @@ loop_control: label: "{{ item.path }}" when: - - rhel8cis_rule_1_2_3 + - rhel9cis_rule_1_2_3 tags: - level1-server - level1-workstation @@ -76,7 +76,7 @@ - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel8cis_rule_1_2_4 + - rhel9cis_rule_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index d89aa673..4dd7bcdb 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -17,8 +17,8 @@ creates: /var/lib/aide/aide.db.gz when: not ansible_check_mode when: - - rhel8cis_config_aide - - rhel8cis_rule_1_3_1 + - rhel9cis_config_aide + - rhel9cis_rule_1_3_1 tags: - level1-server - level1-workstation @@ -30,16 +30,16 @@ - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" cron: name: Run AIDE integrity check - cron_file: "{{ rhel8cis_aide_cron['cron_file'] }}" - user: "{{ rhel8cis_aide_cron['cron_user'] }}" - minute: "{{ rhel8cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel8cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel8cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel8cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel8cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel8cis_aide_cron['aide_job'] }}" + cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" + user: "{{ rhel9cis_aide_cron['cron_user'] }}" + minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel9cis_aide_cron['aide_job'] }}" when: - - rhel8cis_rule_1_3_2 + - rhel9cis_rule_1_3_2 - not system_is_ec2 tags: - level1-server diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 96936024..9eac4eb8 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -3,16 +3,16 @@ - name: "1.4.1 | PATCH | Ensure bootloader password is set" copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}" + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" owner: root group: root mode: 0600 notify: grub2cfg when: - - rhel8cis_set_boot_pass + - rhel9cis_set_boot_pass - grub_pass is defined and grub_pass.passhash is defined - grub_pass.passhash | length > 0 - - rhel8cis_rule_1_4_1 + - rhel9cis_rule_1_4_1 tags: - level1-server - level1-workstation @@ -43,10 +43,10 @@ loop_control: label: "{{ item.mount }}" when: - - not rhel8cis_legacy_boot + - not rhel9cis_legacy_boot - item.mount == "/boot/efi" when: - - rhel8cis_rule_1_4_2 + - rhel9cis_rule_1_4_2 - grub_cfg.stat.exists - grub_cfg.stat.islnk tags: @@ -67,7 +67,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_4_3 + - rhel9cis_rule_1_4_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index a791860d..d3602b21 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -7,7 +7,7 @@ line: 'Storage=none' notify: systemd_daemon_reload when: - - rhel8cis_rule_1_5_1 + - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists tags: - level1-server @@ -22,7 +22,7 @@ regexp: 'ProcessSizeMax=' line: 'ProcessSizeMax=0' when: - - rhel8cis_rule_1_5_2 + - rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -40,7 +40,7 @@ sysctl_set: yes ignoreerrors: yes when: - - rhel8cis_rule_1_5_3 + - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 84dc5204..b31600a7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -5,7 +5,7 @@ name: libselinux state: present when: - - rhel8cis_rule_1_6_1_1 + - rhel9cis_rule_1_6_1_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ ignore_errors: yes notify: grub2cfg when: - - rhel8cis_rule_1_6_1_2 + - rhel9cis_rule_1_6_1_2 tags: - level1-server - level1-workstation @@ -34,11 +34,11 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_3 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_3 tags: - level1-server - level1-workstation @@ -51,11 +51,11 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_4 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 tags: - level1-server - level1-workstation @@ -67,11 +67,11 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_5 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation @@ -98,7 +98,7 @@ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel8cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation @@ -112,7 +112,7 @@ name: setroubleshoot state: absent when: - - rhel8cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server @@ -126,7 +126,7 @@ name: mcstrans state: absent when: - - rhel8cis_rule_1_6_1_8 + - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 586a8812..1ee55791 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -8,7 +8,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_1 + - rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -25,7 +25,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_2 + - rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_3 + - rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -58,7 +58,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_4 + - rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -75,7 +75,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_5 + - rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -92,7 +92,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_6 + - rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a512e01d..1edc7048 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -5,7 +5,7 @@ name: gdm state: absent when: - - rhel8cis_rule_1_8_1 + - rhel9cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" tags: - level2-server @@ -32,10 +32,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel8cis_warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } when: - - rhel8cis_rule_1_8_2 - - rhel8cis_gui + - rhel9cis_rule_1_8_2 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -62,8 +62,8 @@ - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } when: - - rhel8cis_rule_1_8_3 - - rhel8cis_gui + - rhel9cis_rule_1_8_3 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -78,8 +78,8 @@ regexp: 'Enable=true' state: absent when: - - rhel8cis_rule_1_8_4 - - rhel8cis_gui + - rhel9cis_rule_1_8_4 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -100,8 +100,8 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel8cis_rule_1_8_5 - - rhel8cis_gui + - rhel9cis_rule_1_8_5 + - rhel9cis_gui tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index f6239e37..42c27b1e 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -6,7 +6,7 @@ state: latest notify: change_requires_reboot when: - - rhel8cis_rule_1_9 + - rhel9cis_rule_1_9 - not system_is_ec2 tags: - level1-server diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index c5c8e09d..1d6ab556 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -32,7 +32,7 @@ - name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml - when: rhel8cis_config_aide + when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" import_tasks: cis_1.4.x.yml @@ -42,7 +42,7 @@ - name: "SECTION | 1.6 | Mandatory Access Control" include_tasks: cis_1.6.1.x.yml - when: not rhel8cis_selinux_disable + when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" import_tasks: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index c627db0e..5b5cf130 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -2,11 +2,11 @@ - name: "2.1.1 | PATCH | Ensure time synchronization is in use" package: - name: "{{ rhel8cis_time_synchronization }}" + name: "{{ rhel9cis_time_synchronization }}" state: present when: - - rhel8cis_rule_2_1_1 - - not rhel8cis_system_is_container + - rhel9cis_rule_2_1_1 + - not rhel9cis_system_is_container tags: - level1-server - level1-workstation @@ -33,9 +33,9 @@ create: yes mode: 0644 when: - - rhel8cis_time_synchronization == "chrony" - - rhel8cis_rule_2_1_2 - - not rhel8cis_system_is_container + - rhel9cis_time_synchronization == "chrony" + - rhel9cis_rule_2_1_2 + - not rhel9cis_system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f8b492b6..bd93fbdf 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -5,8 +5,8 @@ name: xinetd state: absent when: - - rhel8cis_rule_2_2_1 - - not rhel8cis_xinetd_server + - rhel9cis_rule_2_2_1 + - not rhel9cis_xinetd_server - "'xinetd' in ansible_facts.packages" tags: - level1-server @@ -20,7 +20,7 @@ name: xorg-x11-server-common state: absent when: - - rhel8cis_rule_2_2_2 + - rhel9cis_rule_2_2_2 - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server @@ -36,8 +36,8 @@ - avahi state: absent when: - - rhel8cis_rule_2_2_3 - - not rhel8cis_avahi_server + - rhel9cis_rule_2_2_3 + - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server @@ -52,9 +52,9 @@ name: cups state: absent when: - - not rhel8cis_cups_server + - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" - - rhel8cis_rule_2_2_3 + - rhel9cis_rule_2_2_3 tags: - level1-server - automated @@ -67,9 +67,9 @@ name: dhcp-server state: absent when: - - not rhel8cis_dhcp_server + - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_5 + - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation @@ -83,9 +83,9 @@ name: bind state: absent when: - - not rhel8cis_dns_server + - not rhel9cis_dns_server - "'bind' in ansible_facts.packages" - - rhel8cis_rule_2_2_6 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation @@ -99,9 +99,9 @@ name: ftp state: absent when: - - not rhel8cis_ftp_server + - not rhel9cis_ftp_server - "'ftp' in ansible_facts.packages" - - rhel8cis_rule_2_2_7 + - rhel9cis_rule_2_2_7 tags: - level1-server - level1-workstation @@ -115,9 +115,9 @@ name: vsftpd state: absent when: - - not rhel8cis_vsftpd_server + - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - - rhel8cis_rule_2_2_8 + - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation @@ -131,9 +131,9 @@ name: tftp-server state: absent when: - - not rhel8cis_tftp_server + - not rhel9cis_tftp_server - "'tftp-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_9 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation @@ -149,7 +149,7 @@ name: httpd state: absent when: - - not rhel8cis_httpd_server + - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" @@ -157,10 +157,10 @@ name: nginx state: absent when: - - not rhel8cis_nginx_server + - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel8cis_rule_2_2_9 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation @@ -178,9 +178,9 @@ - cyrus-imapd state: absent when: - - not rhel8cis_dovecot_cyrus_server + - not rhel9cis_dovecot_cyrus_server - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - - rhel8cis_rule_2_2_11 + - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation @@ -196,9 +196,9 @@ name: samba state: absent when: - - not rhel8cis_samba_server + - not rhel9cis_samba_server - "'samba' in ansible_facts.packages" - - rhel8cis_rule_2_2_12 + - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation @@ -212,9 +212,9 @@ name: squid state: absent when: - - not rhel8cis_squid_server + - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - - rhel8cis_rule_2_2_6 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation @@ -228,9 +228,9 @@ name: net-snmp state: absent when: - - not rhel8cis_snmp_server + - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - - rhel8cis_rule_2_2_14 + - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation @@ -244,9 +244,9 @@ name: ypserv state: absent when: - - not rhel8cis_nis_server + - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" - - rhel8cis_rule_2_2_17 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation @@ -260,9 +260,9 @@ name: telnet-server state: absent when: - - not rhel8cis_telnet_server + - not rhel9cis_telnet_server - "'telnet-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_16 + - rhel9cis_rule_2_2_16 tags: - level1-server - level1-workstation @@ -278,9 +278,9 @@ line: "inet_interfaces = loopback-only" notify: restart postfix when: - - not rhel8cis_is_mail_server + - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - - rhel8cis_rule_2_2_17 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation @@ -296,9 +296,9 @@ name: nfs-utils state: absent when: - - not rhel8cis_nfs_server + - not rhel9cis_nfs_server - "'nfs-utils' in ansible_facts.packages" - - rhel8cis_rule_2_2_18 + - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation @@ -315,9 +315,9 @@ name: rpcbind state: absent when: - - not rhel8cis_rpc_server + - not rhel9cis_rpc_server - "'rpcbind' in ansible_facts.packages" - - rhel8cis_rule_2_2_19 + - rhel9cis_rule_2_2_19 tags: - level1-server - level1-workstation @@ -333,9 +333,9 @@ name: rsync state: absent when: - - not rhel8cis_rsync_server + - not rhel9cis_rsync_server - "'rsync' in ansible_facts.packages" - - rhel8cis_rule_2_2_20 + - rhel9cis_rule_2_2_20 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index ee52a752..52159bcb 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -5,9 +5,9 @@ name: ypbind state: absent when: - - not rhel8cis_ypbind_required + - not rhel9cis_ypbind_required - "'ypbind' in ansible_facts.packages" - - rhel8cis_rule_2_3_1 + - rhel9cis_rule_2_3_1 tags: - level1-server - level1-workstation @@ -21,9 +21,9 @@ name: rsh state: absent when: - - not rhel8cis_rsh_required + - not rhel9cis_rsh_required - "'rsh' in ansible_facts.packages" - - rhel8cis_rule_2_3_2 + - rhel9cis_rule_2_3_2 tags: - level1-server - level2-server @@ -37,9 +37,9 @@ name: talk state: absent when: - - not rhel8cis_talk_required + - not rhel9cis_talk_required - "'talk' in ansible_facts.packages" - - rhel8cis_rule_2_3_3 + - rhel9cis_rule_2_3_3 tags: - level1-server - level1-workstation @@ -53,9 +53,9 @@ name: telnet state: absent when: - - not rhel8cis_telnet_required + - not rhel9cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel8cis_rule_2_3_4 + - rhel9cis_rule_2_3_4 tags: - level1-server - level1-workstation @@ -69,9 +69,9 @@ name: openldap-clients state: absent when: - - not rhel8cis_openldap_clients_required + - not rhel9cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel8cis_rule_2_3_5 + - rhel9cis_rule_2_3_5 tags: - level1-server - level1-workstation @@ -85,9 +85,9 @@ name: tftp state: absent when: - - not rhel8cis_tftp_client + - not rhel9cis_tftp_client - "'tftp' in ansible_facts.packages" - - rhel8cis_rule_2_3_6 + - rhel9cis_rule_2_3_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 84608741..a80d340f 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -7,16 +7,16 @@ changed_when: false failed_when: false check_mode: no - register: rhel8cis_2_4_services + register: rhel9cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - "Alert! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - - "{{ rhel8cis_2_4_services.stdout_lines }}" + - "{{ rhel9cis_2_4_services.stdout_lines }}" when: - - rhel8cis_rule_2_4 + - rhel9cis_rule_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ad692faf..dbc35075 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -1,43 +1,91 @@ --- -- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +# The CIS Control wants IPv6 disabled if not in use. +# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use +- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + sysctl: + name: "{{ item }}" + value: '1' + state: present + reload: yes + with_items: + - net.ipv6.conf.all.disable_ipv6 + - net.ipv6.conf.default.disable_ipv6 + - net.ipv6.conf.lo.disable_ipv6 when: - - not rhel9cis_is_router + - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 tags: - level1-server - level1-workstation - - sysctl + - manual - patch + - ipv6 + - networking - rule_3.1.1 -- name: "3.1.2 | L1 | PATCH | Ensure packet redirect sending is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table +- name: "3.1.2 | PATCH | Ensure SCTP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install sctp(\\s|$)" + line: "install sctp /bin/true" + create: yes + mode: 0600 when: - - not rhel9cis_is_router - rhel9cis_rule_3_1_2 tags: - - level1-server - - level1-workstation - - sysctl + - level2-server + - level2-workstation + - automated - patch + - sctp - rule_3.1.2 + +- name: "3.1.3 | PATCH | Ensure DCCP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install dccp(\\s|$)" + line: "install dccp /bin/true" + create: yes + mode: 0600 + when: + - rhel9cis_rule_3_1_3 + tags: + - level2-server + - level2-workstation + - automated + - dccp + - patch + - rule_3.1.3 + +- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" + block: + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + command: rpm -q NetworkManager + changed_when: false + failed_when: false + check_mode: no + args: + warn: no + register: rhel_08_nmcli_available + + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + command: nmcli radio wifi + register: rhel_08_wifi_enabled + changed_when: rhel_08_wifi_enabled.stdout != "disabled" + failed_when: false + when: rhel_08_nmcli_available.rc == 0 + + - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" + command: nmcli radio all off + changed_when: false + failed_when: false + when: rhel_08_wifi_enabled is changed + when: + - rhel9cis_rule_3_1_4 + tags: + - level1-server + - automated + - patch + - wireless + - rule_3.1.4 \ No newline at end of file diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml deleted file mode 100644 index 0b49ba42..00000000 --- a/tasks/section_3/cis_3.3.x.yml +++ /dev/null @@ -1,61 +0,0 @@ ---- - -- name: "3.3.1 | L2 | PATCH | Ensure DCCP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.1 - -- name: "3.3.2 | L2 | PATCH | Ensure SCTP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.2 - -- name: "3.3.3 | L2 | PATCH | Ensure RDS is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install rds(\\s|$)" - line: "install rds /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.3 - -- name: "3.3.4 | L2 | PATCH | Ensure TIPC is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install tipc(\\s|$)" - line: "install tipc /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_4 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.4 From c85e9ba43f3069dd2868c103c78fc8fae15328b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:36:36 +0100 Subject: [PATCH 06/69] updated ipv6 rules Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index dbc35075..241ec207 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -3,15 +3,11 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - sysctl: - name: "{{ item }}" - value: '1' - state: present - reload: yes - with_items: - - net.ipv6.conf.all.disable_ipv6 - - net.ipv6.conf.default.disable_ipv6 - - net.ipv6.conf.lo.disable_ipv6 + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv6 route table when: - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 From 42410b4cd0a99833ff03a3b5eecfd1a24845bb40 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:37:10 +0100 Subject: [PATCH 07/69] added ipv6 rules template Signed-off-by: Mark Bolwell --- templates/etc/60-disable_ipv6.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 templates/etc/60-disable_ipv6.conf.j2 diff --git a/templates/etc/60-disable_ipv6.conf.j2 b/templates/etc/60-disable_ipv6.conf.j2 new file mode 100644 index 00000000..855d03d6 --- /dev/null +++ b/templates/etc/60-disable_ipv6.conf.j2 @@ -0,0 +1,4 @@ +{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +{% endif %} From e043274c34f83b40b47498ac411d4e5a1fddf2fb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:48:50 +0100 Subject: [PATCH 08/69] updated netwokr sysctl rules Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 155 ++++++++++++++++++++++++++++++++ templates/etc/99-sysctl.conf.j2 | 50 +++++------ 2 files changed, 180 insertions(+), 25 deletions(-) create mode 100644 tasks/section_3/cis_3.3.x.yml diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml new file mode 100644 index 00000000..ce855070 --- /dev/null +++ b/tasks/section_3/cis_3.3.x.yml @@ -0,0 +1,155 @@ +--- + +- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + block: + - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3_2_1 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.1 + +- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + block: + - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3_2_2 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.2 + +- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_3 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.3 + +- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_4 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.4 + +- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_5 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.5 + +- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_6 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.6 + +- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_7 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.7 + +- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_2_8 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.8 + +- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + block: + - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_ipv6_required + - rhel9cis_rule_3_2_9 + tags: + - level2-server + - level2-workstation + - sysctl + - patch + - rule_3.2.9 diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/99-sysctl.conf.j2 index 61f4dfa4..8feb96d6 100644 --- a/templates/etc/99-sysctl.conf.j2 +++ b/templates/etc/99-sysctl.conf.j2 @@ -12,64 +12,64 @@ kernel.randomize_va_space = 2 {% endif %} # Network sysctl -{% if rhel9cis_rule_3_1_1 %} -# CIS 3.1.1 +{% if rhel9cis_rule_3_2_1 %} +# CIS 3.2.1 net.ipv4.ip_forward = 0 -{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} net.ipv6.conf.all.forwarding = 0 {% endif %} {% endif %} -{% if rhel9cis_rule_3_1_2 %} -# CIS 3.1.2 +{% if rhel9cis_rule_3_2_2 %} +# CIS 3.2.2 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 {% endif %} -{% if rhel9cis_rule_3_2_1 %} -# CIS 3.2.1 +{% if rhel9cis_rule_3_3_1 %} +# CIS 3.3.1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 -{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %} net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 {% endif %} {% endif %} -{% if rhel9cis_rule_3_2_2 %} -# CIS 3.2.2 +{% if rhel9cis_rule_3_3_2 %} +# CIS 3.3.2 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 -{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %} net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 {% endif %} {% endif %} -{% if rhel9cis_rule_3_2_3 %} -# CIS 3.2.3 +{% if rhel9cis_rule_3_3_3 %} +# CIS 3.3.3 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 {% endif %} -{% if rhel9cis_rule_3_2_4 %} -# CIS 3.2.4 +{% if rhel9cis_rule_3_3_4 %} +# CIS 3.3.4 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 {% endif %} -{% if rhel9cis_rule_3_2_5 %} -# CIS 3.2.5 +{% if rhel9cis_rule_3_3_5 %} +# CIS 3.3.5 net.ipv4.icmp_echo_ignore_broadcasts = 1 {% endif %} -{% if rhel9cis_rule_3_2_6 %} -# CIS 3.2.6 +{% if rhel9cis_rule_3_3_6 %} +# CIS 3.3.6 net.ipv4.icmp_ignore_bogus_error_responses = 1 {% endif %} -{% if rhel9cis_rule_3_2_7 %} -# CIS 3.2.7 +{% if rhel9cis_rule_3_3_7 %} +# CIS 3.3.7 net.ipv4.conf.default.rp_filter = 1 {% endif %} -{% if rhel9cis_rule_3_2_8 %} -# CIS 3.2.8 +{% if rhel9cis_rule_3_3_8 %} +# CIS 3.3.8 net.ipv4.tcp_syncookies = 1 {% endif %} -{% if rhel9cis_rule_3_2_9 %} -# CIS 3.2.9 +{% if rhel9cis_rule_3_3_9 %} +# CIS 3.3.9 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 {% endif %} \ No newline at end of file From 555e443dec8d00234ce426d35c39e7850c7acf05 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:49:23 +0100 Subject: [PATCH 09/69] renamd updated Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.2.x.yml | 155 ---------------------------------- 1 file changed, 155 deletions(-) delete mode 100644 tasks/section_3/cis_3.2.x.yml diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml deleted file mode 100644 index ce855070..00000000 --- a/tasks/section_3/cis_3.2.x.yml +++ /dev/null @@ -1,155 +0,0 @@ ---- - -- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_2_1 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.1 - -- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_2_2 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.2 - -- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_3 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.3 - -- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_4 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.4 - -- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_5 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.5 - -- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_6 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.6 - -- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_7 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.7 - -- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_8 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.8 - -- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - block: - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_ipv6_required - - rhel9cis_rule_3_2_9 - tags: - - level2-server - - level2-workstation - - sysctl - - patch - - rule_3.2.9 From 35db8136b5bc5d31b8eea4edd80aedd407b4bfb4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:55:03 +0100 Subject: [PATCH 10/69] updated Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.2.yml | 51 +++++++++++++++++++++++++++ tasks/section_3/cis_3.3.x.yml | 66 +++++++++++++++++------------------ 2 files changed, 84 insertions(+), 33 deletions(-) create mode 100644 tasks/section_3/cis_3.2.yml diff --git a/tasks/section_3/cis_3.2.yml b/tasks/section_3/cis_3.2.yml new file mode 100644 index 00000000..ec397d37 --- /dev/null +++ b/tasks/section_3/cis_3.2.yml @@ -0,0 +1,51 @@ +--- + +- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" + block: + - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3.2.1 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.1 + +- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + block: + - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_rule_3.2.2 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.2.2 \ No newline at end of file diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index ce855070..ecd00a4d 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -1,15 +1,15 @@ --- -- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -17,24 +17,24 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3_2_1 + - rhel9cis_rule_3.3.1 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.1 + - rule_3.3.1 -- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" +- name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -42,102 +42,102 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3_2_2 + - rhel9cis_rule_3.3.2 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.2 + - rule_3.3.2 -- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" +- name: "3.3.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_3 + - rhel9cis_rule_3.3.3 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.3 + - rule_3.3.3 -- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" +- name: "3.3.4 | L1 | PATCH | Ensure suspicious packets are logged" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_4 + - rhel9cis_rule_3.3.4 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.4 + - rule_3.3.4 -- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" +- name: "3.3.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_5 + - rhel9cis_rule_3.3.5 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.5 + - rule_3.3.5 -- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" +- name: "3.3.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_6 + - rhel9cis_rule_3.3.6 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.6 + - rule_3.3.6 -- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" +- name: "3.3.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_7 + - rhel9cis_rule_3.3.7 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.7 + - rule_3.3.7 -- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "3.3.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3_2_8 + - rhel9cis_rule_3.3.8 tags: - level1-server - level1-workstation - sysctl - patch - - rule_3.2.8 + - rule_3.3.8 -- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" +- name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -146,10 +146,10 @@ when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - - rhel9cis_rule_3_2_9 + - rhel9cis_rule_3.3.9 tags: - level2-server - level2-workstation - sysctl - patch - - rule_3.2.9 + - rule_3.3.9 From d65bb7f2571614e35122e235835e9edde2fd6da7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 13:54:29 +0100 Subject: [PATCH 11/69] renamed and updated Signed-off-by: Mark Bolwell --- tasks/section_3/{cis_3.2.yml => cis_3.2.x.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tasks/section_3/{cis_3.2.yml => cis_3.2.x.yml} (100%) diff --git a/tasks/section_3/cis_3.2.yml b/tasks/section_3/cis_3.2.x.yml similarity index 100% rename from tasks/section_3/cis_3.2.yml rename to tasks/section_3/cis_3.2.x.yml From 398bc5bd0cb8549a9cdb02a02f586b7d5368115f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 13:55:04 +0100 Subject: [PATCH 12/69] renamed and updated Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index ecd00a4d..28697f1e 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -1,15 +1,15 @@ --- -- name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -25,16 +25,16 @@ - patch - rule_3.3.1 -- name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" +- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.3.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: @@ -50,7 +50,7 @@ - patch - rule_3.3.2 -- name: "3.3.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" +- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -63,7 +63,7 @@ - patch - rule_3.3.3 -- name: "3.3.4 | L1 | PATCH | Ensure suspicious packets are logged" +- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -76,7 +76,7 @@ - patch - rule_3.3.4 -- name: "3.3.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" +- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -89,7 +89,7 @@ - patch - rule_3.3.5 -- name: "3.3.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" +- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -102,7 +102,7 @@ - patch - rule_3.3.6 -- name: "3.3.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" +- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl @@ -115,7 +115,7 @@ - patch - rule_3.3.7 -- name: "3.3.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl From c6caa90059ee6637872d07d6c23ab1b70fb093e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 16:18:11 +0100 Subject: [PATCH 13/69] updated Signed-off-by: Mark Bolwell --- README.md | 1 + defaults/main.yml | 137 ++-- tasks/section_3/cis_3.3.x.yml | 6 +- tasks/section_3/cis_3.4.1.1.yml | 14 - tasks/section_3/cis_3.4.1.x.yml | 138 ++++ tasks/section_3/cis_3.4.2.x.yml | 340 +++++++-- tasks/section_3/cis_3.4.3.1.x.yml | 50 ++ .../{cis_3.4.4.1.x.yml => cis_3.4.3.2.x.yml} | 133 ++-- .../{cis_3.4.4.2.x.yml => cis_3.4.3.3.x.yml} | 127 ++-- tasks/section_3/cis_3.4.3.x.yml | 320 -------- tasks/section_3/cis_3.5.yml | 27 - tasks/section_3/cis_3.6.yml | 17 - tasks/section_4/cis_4.1.1.x.yml | 48 +- tasks/section_4/cis_4.1.2.x.yml | 15 +- tasks/section_4/cis_4.1.3.x.yml | 322 ++++++++ tasks/section_4/cis_4.1.x.yml | 207 ----- tasks/section_4/cis_4.2.1.x.yml | 112 ++- tasks/section_4/cis_4.2.2.x.yml | 189 ++++- tasks/section_4/cis_4.2.3.yml | 8 +- tasks/section_4/cis_4.3.yml | 11 +- tasks/section_4/main.yml | 10 +- tasks/section_5/cis_5.1.x.yml | 78 +- tasks/section_5/cis_5.2.x.yml | 296 +++++--- tasks/section_5/cis_5.3.x.yml | 178 +++-- tasks/section_5/cis_5.4.x.yml | 172 ++--- tasks/section_5/cis_5.5.1.x.yml | 131 ---- tasks/section_5/cis_5.5.x.yml | 28 +- tasks/section_5/cis_5.6.1.x.yml | 125 +++ tasks/section_5/cis_5.6.x.yml | 108 +++ tasks/section_5/cis_5.6.yml | 37 - tasks/section_5/cis_5.7.yml | 22 - tasks/section_5/main.yml | 21 +- tasks/section_6/cis_6.1.x.yml | 227 +++--- tasks/section_6/cis_6.2.x.yml | 718 ++++++++---------- tasks/section_6/main.yml | 2 +- templates/audit/99_auditd.rules.j2 | 123 +-- 36 files changed, 2502 insertions(+), 1996 deletions(-) delete mode 100644 tasks/section_3/cis_3.4.1.1.yml create mode 100644 tasks/section_3/cis_3.4.1.x.yml create mode 100644 tasks/section_3/cis_3.4.3.1.x.yml rename tasks/section_3/{cis_3.4.4.1.x.yml => cis_3.4.3.2.x.yml} (51%) rename tasks/section_3/{cis_3.4.4.2.x.yml => cis_3.4.3.3.x.yml} (54%) delete mode 100644 tasks/section_3/cis_3.4.3.x.yml delete mode 100644 tasks/section_3/cis_3.5.yml delete mode 100644 tasks/section_3/cis_3.6.yml create mode 100644 tasks/section_4/cis_4.1.3.x.yml delete mode 100644 tasks/section_4/cis_4.1.x.yml delete mode 100644 tasks/section_5/cis_5.5.1.x.yml create mode 100644 tasks/section_5/cis_5.6.1.x.yml create mode 100644 tasks/section_5/cis_5.6.x.yml delete mode 100644 tasks/section_5/cis_5.6.yml delete mode 100644 tasks/section_5/cis_5.7.yml diff --git a/README.md b/README.md index d629e1fd..ea3ead56 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) +Based on v2.0.0 RHEL8 Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/) diff --git a/defaults/main.yml b/defaults/main.yml index 2a6bd1b8..d2a2372c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -169,49 +169,55 @@ rhel9cis_rule_2_3_5: true rhel9cis_rule_2_3_6: true rhel9cis_rule_2_4: true -# Section 3 rules + Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true +rhel9cis_rule_3_1_3: true +rhel9cis_rule_3_1_4: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true -rhel9cis_rule_3_2_3: true -rhel9cis_rule_3_2_4: true -rhel9cis_rule_3_2_5: true -rhel9cis_rule_3_2_6: true -rhel9cis_rule_3_2_7: true -rhel9cis_rule_3_2_8: true -rhel9cis_rule_3_2_9: true rhel9cis_rule_3_3_1: true rhel9cis_rule_3_3_2: true rhel9cis_rule_3_3_3: true rhel9cis_rule_3_3_4: true +rhel9cis_rule_3_3_5: true +rhel9cis_rule_3_3_6: true +rhel9cis_rule_3_3_7: true +rhel9cis_rule_3_3_8: true +rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true +rhel9cis_rule_3_4_1_2: true +rhel9cis_rule_3_4_1_3: true +rhel9cis_rule_3_4_1_4: true +rhel9cis_rule_3_4_1_5: true +rhel9cis_rule_3_4_1_6: true +rhel9cis_rule_3_4_1_7: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true -rhel9cis_rule_3_4_3_1: true -rhel9cis_rule_3_4_3_2: true -rhel9cis_rule_3_4_3_3: true -rhel9cis_rule_3_4_3_4: true -rhel9cis_rule_3_4_3_5: true -rhel9cis_rule_3_4_3_6: true -rhel9cis_rule_3_4_3_7: true -rhel9cis_rule_3_4_3_8: true -rhel9cis_rule_3_4_4_1_1: true -rhel9cis_rule_3_4_4_1_2: true -rhel9cis_rule_3_4_4_1_3: true -rhel9cis_rule_3_4_4_1_4: true -rhel9cis_rule_3_4_4_1_5: true -rhel9cis_rule_3_4_4_2_1: true -rhel9cis_rule_3_4_4_2_2: true -rhel9cis_rule_3_4_4_2_3: true -rhel9cis_rule_3_4_4_2_4: true -rhel9cis_rule_3_4_4_2_5: true -rhel9cis_rule_3_5: true -rhel9cis_rule_3_6: true +rhel9cis_rule_3_4_2_7: true +rhel9cis_rule_3_4_2_8: true +rhel9cis_rule_3_4_2_9: true +rhel9cis_rule_3_4_2_10: true +rhel9cis_rule_3_4_2_11: true +rhel9cis_rule_3_4_3_1_1: true +rhel9cis_rule_3_4_3_1_2: true +rhel9cis_rule_3_4_3_1_3: true +rhel9cis_rule_3_4_3_2_1: true +rhel9cis_rule_3_4_3_2_2: true +rhel9cis_rule_3_4_3_2_3: true +rhel9cis_rule_3_4_3_2_4: true +rhel9cis_rule_3_4_3_2_5: true +rhel9cis_rule_3_4_3_2_6: true +rhel9cis_rule_3_4_3_3_1: true +rhel9cis_rule_3_4_3_3_2: true +rhel9cis_rule_3_4_3_3_3: true +rhel9cis_rule_3_4_3_3_4: true +rhel9cis_rule_3_4_3_3_5: true +rhel9cis_rule_3_4_3_3_6: true # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -221,30 +227,44 @@ rhel9cis_rule_4_1_1_4: true rhel9cis_rule_4_1_2_1: true rhel9cis_rule_4_1_2_2: true rhel9cis_rule_4_1_2_3: true -rhel9cis_rule_4_1_3: true -rhel9cis_rule_4_1_4: true -rhel9cis_rule_4_1_5: true -rhel9cis_rule_4_1_6: true -rhel9cis_rule_4_1_7: true -rhel9cis_rule_4_1_8: true -rhel9cis_rule_4_1_9: true -rhel9cis_rule_4_1_10: true -rhel9cis_rule_4_1_11: true -rhel9cis_rule_4_1_12: true -rhel9cis_rule_4_1_13: true -rhel9cis_rule_4_1_14: true -rhel9cis_rule_4_1_15: true -rhel9cis_rule_4_1_16: true -rhel9cis_rule_4_1_17: true +rhel9cis_rule_4_1_3_1: true +rhel9cis_rule_4_1_3_2: true +rhel9cis_rule_4_1_3_3: true +rhel9cis_rule_4_1_3_4: true +rhel9cis_rule_4_1_3_5: true +rhel9cis_rule_4_1_3_6: true +rhel9cis_rule_4_1_3_7: true +rhel9cis_rule_4_1_3_8: true +rhel9cis_rule_4_1_3_9: true +rhel9cis_rule_4_1_3_10: true +rhel9cis_rule_4_1_3_11: true +rhel9cis_rule_4_1_3_12: true +rhel9cis_rule_4_1_3_13: true +rhel9cis_rule_4_1_3_14: true +rhel9cis_rule_4_1_3_15: true +rhel9cis_rule_4_1_3_16: true +rhel9cis_rule_4_1_3_17: true +rhel9cis_rule_4_1_3_18: true +rhel9cis_rule_4_1_3_19: true +rhel9cis_rule_4_1_3_20: true +rhel9cis_rule_4_1_3_21: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true rhel9cis_rule_4_2_1_4: true rhel9cis_rule_4_2_1_5: true rhel9cis_rule_4_2_1_6: true -rhel9cis_rule_4_2_2_1: true +rhel9cis_rule_4_2_1_7: true +rhel9cis_rule_4_2_2_1_1: true +rhel9cis_rule_4_2_2_1_2: true +rhel9cis_rule_4_2_2_1_3: true +rhel9cis_rule_4_2_2_1_4: true rhel9cis_rule_4_2_2_2: true rhel9cis_rule_4_2_2_3: true +rhel9cis_rule_4_2_2_4: true +rhel9cis_rule_4_2_2_5: true +rhel9cis_rule_4_2_2_6: true +rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true @@ -257,6 +277,7 @@ rhel9cis_rule_5_1_5: true rhel9cis_rule_5_1_6: true rhel9cis_rule_5_1_7: true rhel9cis_rule_5_1_8: true +rhel9cis_rule_5_1_9: true rhel9cis_rule_5_2_1: true rhel9cis_rule_5_2_2: true rhel9cis_rule_5_2_3: true @@ -280,21 +301,26 @@ rhel9cis_rule_5_2_20: true rhel9cis_rule_5_3_1: true rhel9cis_rule_5_3_2: true rhel9cis_rule_5_3_3: true +rhel9cis_rule_5_3_4: true +rhel9cis_rule_5_3_5: true +rhel9cis_rule_5_3_6: true +rhel9cis_rule_5_3_7: true rhel9cis_rule_5_4_1: true rhel9cis_rule_5_4_2: true -rhel9cis_rule_5_4_3: true -rhel9cis_rule_5_4_4: true -rhel9cis_rule_5_5_1_1: true -rhel9cis_rule_5_5_1_2: true -rhel9cis_rule_5_5_1_3: true -rhel9cis_rule_5_5_1_4: true -rhel9cis_rule_5_5_1_5: true +rhel9cis_rule_5_5_1: true rhel9cis_rule_5_5_2: true rhel9cis_rule_5_5_3: true rhel9cis_rule_5_5_4: true rhel9cis_rule_5_5_5: true -rhel9cis_rule_5_6: true -rhel9cis_rule_5_7: true +rhel9cis_rule_5_6_1_1: true +rhel9cis_rule_5_6_1_2: true +rhel9cis_rule_5_6_1_3: true +rhel9cis_rule_5_6_1_4: true +rhel9cis_rule_5_6_1_5: true +rhel9cis_rule_5_6_2: true +rhel9cis_rule_5_6_3: true +rhel9cis_rule_5_6_4: true +rhel9cis_rule_5_6_5: true # Section 6 rules rhel9cis_rule_6_1_1: true @@ -311,6 +337,7 @@ rhel9cis_rule_6_1_11: true rhel9cis_rule_6_1_12: true rhel9cis_rule_6_1_13: true rhel9cis_rule_6_1_14: true +rhel9cis_rule_6_1_15: true rhel9cis_rule_6_2_1: true rhel9cis_rule_6_2_2: true rhel9cis_rule_6_2_3: true @@ -327,10 +354,6 @@ rhel9cis_rule_6_2_13: true rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true -rhel9cis_rule_6_2_17: true -rhel9cis_rule_6_2_18: true -rhel9cis_rule_6_2_19: true -rhel9cis_rule_6_2_20: true # Service configuration booleans set true to keep service rhel9cis_avahi_server: false diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 28697f1e..7187816a 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -128,16 +128,16 @@ - patch - rule_3.3.8 -- name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" +- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.3.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: diff --git a/tasks/section_3/cis_3.4.1.1.yml b/tasks/section_3/cis_3.4.1.1.yml deleted file mode 100644 index fc78b06c..00000000 --- a/tasks/section_3/cis_3.4.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "3.4.1.1 | L1 | PATCH | Ensure a Firewall package is installed" - package: - name: "{{ rhel9cis_firewall }}" - state: present - when: - - rhel9cis_rule_3_4_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.1.1 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml new file mode 100644 index 00000000..753a4e57 --- /dev/null +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -0,0 +1,138 @@ +--- + +- name: "3.4.1.1 | PATCH | Ensure firewalld is installed" + package: + name: + - firewalld + - iptables + state: present + when: + - rhel9cis_rule_3_4_1_1 + - rhel9cis_firewall == "firewalld" + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.1 + +- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld" + block: + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" + systemd: + name: "{{ item }}" + enabled: false + masked: true + with_items: + - iptables + - ip6tables + when: item in ansible_facts.packages + + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Remove IPTables" + package: + name: iptables-services + state: absent + when: + - rhel9cis_rule_3_4_1_2 + - rhel9cis_firewall == "firewalld" + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.2 + +- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" + systemd: + name: nftables + state: stopped + masked: yes + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3_4_1_3 + +- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running" + systemd: + name: firewalld + state: started + enabled: yes + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3_4_1_4 + +- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.5 + +- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone" + block: + - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" + shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_3_4_1_6_interfacepolicy + + - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" + debug: + msg: + - "The items below are the policies tied to the interfaces, please correct as needed" + - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_6 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.1.6 + +- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports" + block: + - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" + shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_3_4_1_7_servicesport + + - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + debug: + msg: + - "The items below are the services and ports that are accepted, please correct as needed" + - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_1_7 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.1.7 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 68b08dca..e5b0c9a7 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -1,108 +1,344 @@ --- -- name: "3.4.2.1 | L1 | PATCH | Ensure firewalld service is enabled and running" - service: - name: firewalld - state: started - enabled: true +- name: "3.4.2.1 | PATCH | Ensure nftables is installed" + package: + name: nftables + state: present when: - - rhel9cis_firewall == "firewalld" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_1 + - nftables + - rule_3.4.2.1 -- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld" - systemd: - name: iptables - masked: true +# The control allows the service it be masked or not installed +# We have chosen not installed +- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" + package: + name: firewalld + state: absent when: - - rhel9cis_firewall == "firewalld" - - "'iptables' in ansible_facts.packages" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - - skip_ansible_lint - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_2 + - nftables + - rule_3.4.2.2 -- name: "3.4.2.3 | L1 | PATCH | Ensure nftables is not enabled with firewalld" - systemd: - name: nftables - enabled: false - masked: true +- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables" + block: + - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Stop services" + systemd: + name: "{{ item }}" + enabled: false + masked: true + ignore_errors: true + with_items: + - iptables + - ip6tables + + - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Remove IPTables" + package: + name: iptables-service + state: absent when: - - rhel9cis_firewall == "firewalld" - - "'nftables' in ansible_facts.packages" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_3 + - nftables + - rule_3.4.2.3 -- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set" - shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - args: - warn: false +- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables" + block: + - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4" + command: iptables -F + + - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6" + command: ip6tables -F + when: rhel9cis_ipv6_required when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_4 + - rhel9cis_firewall != "firewalld" tags: - level1-server - level1-workstation + - manual - patch + - nftables - rule_3.4.2.4 -- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone" +- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists" block: - - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" - shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" - args: - warn: false + - name: "3.4.2.5 | AUDIT | Ensure a table exists | Check for tables" + command: nft list tables changed_when: false failed_when: false - check_mode: false - register: rhel9cis_3_4_2_5_interfacepolicy + register: rhel9cis_3_4_2_5_nft_tables + + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables" + debug: + msg: + - "Below are the current nft tables, please review" + - "{{ rhel9cis_3_4_2_5_nft_tables.stdout_lines }}" + when: rhel9cis_3_4_2_5_nft_tables.stdout | length > 0 - - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" debug: msg: - - "The items below are the policies tied to the interfaces, please correct as needed" - - "{{ rhel9cis_3_4_2_5_interfacepolicy.stdout_lines }}" + - "Warning! You currently have no nft tables, please review your setup" + - 'Use the command "nft create table inet " to create a new table' + when: + - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" + command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + failed_when: no + when: rhel9cis_nft_tables_autonewtable when: - - rhel9cis_firewall == "firewalld" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - nftables - rule_3.4.2.5 -- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports" +- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist" block: - - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" - args: - warn: false + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + shell: nft list ruleset | grep 'hook input' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_input_chains + + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + shell: nft list ruleset | grep 'hook forward' changed_when: false failed_when: false - check_mode: false - register: rhel9cis_3_4_2_6_servicesport + register: rhel9cis_3_4_2_6_forward_chains - - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_output_chains + + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review" debug: msg: - - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel9cis_3_4_2_6_servicesport.stdout_lines }}" + - "Below are the current INPUT chains" + - "{{ rhel9cis_3_4_2_6_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel9cis_3_4_2_6_forward_chains.stdout_lines }}" + - "Below are teh current OUTPUT chains" + - "{{ rhel9cis_3_4_2_6_output_chains.stdout_lines }}" + when: not rhel9cis_nft_tables_autochaincreate + + - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" + shell: "{{ item }}" + args: + warn: no + failed_when: no + with_items: + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + when: rhel9cis_nft_tables_autochaincreate when: - - rhel9cis_firewall == "firewalld" + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server - level1-workstation - - audit + - automate + - patch + - nftables - rule_3.4.2.6 + +- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured" + block: + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_iiflo + + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_ipsaddr + + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_ip6saddr + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_7_iiflo.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ipsaddr.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.7 + +- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured" + block: + - name: "3.4.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" + shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_8_inconnectionrule + + - name: "3.4.2.8| AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" + shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_8_outconnectionrule + + - name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.3.5 + +- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy" + block: + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_inputpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_forwardpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_outputpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_sshallowcheck + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_9_sshallowcheck.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_9_inputpolicy.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_9_forwardpolicy.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.9 + +- name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" + service: + name: nftables + enabled: yes + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.3.7 + +- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" + lineinfile: + path: /etc/sysconfig/nftables.conf + state: present + insertafter: EOF + line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.11 diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml new file mode 100644 index 00000000..926c6854 --- /dev/null +++ b/tasks/section_3/cis_3.4.3.1.x.yml @@ -0,0 +1,50 @@ +--- + +- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed" + package: + name: + - iptables + - iptables-services + state: present + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.1.1 + +- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" + package: + name: nftables + state: absent + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.1.2 + +# The control allows the service it be masked or not installed +# We have chosen not installed +- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" + package: + name: firewalld + state: absent + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.1.3 diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml similarity index 51% rename from tasks/section_3/cis_3.4.4.1.x.yml rename to tasks/section_3/cis_3.4.3.2.x.yml index a18e7eff..3348fb5c 100644 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ b/tasks/section_3/cis_3.4.3.2.x.yml @@ -1,48 +1,22 @@ --- -- name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy" +- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" block: - - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - - - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_4_1_1 - - rhel9cis_firewall == "iptables" - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.1 - -- name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.4.4.1.2 | L1 | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT - - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT @@ -50,14 +24,16 @@ jump: DROP when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_2 + - rhel9cis_rule_3_4_3_2_1 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.1.2 + - iptables + - rule_3.4.3.2.1 -- name: "3.4.4.1.3 | L1 | PATCH | Ensure iptables outbound and established connections are configured" +- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' @@ -74,32 +50,30 @@ - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_3 + - rhel9cis_rule_3_4_3_2_2 tags: - level1-server - level1-workstation + - manual - patch - - rule_3.4.4.1.3 + - iptables + - rule_3.4.3.2.2 -- name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports" +- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports" block: - - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports" + - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports" shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - args: - warn: false changed_when: false failed_when: false - register: rhel9cis_3_4_4_1_4_otcp + register: rhel9cis_3_4_3_2_3_otcp - - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports" + - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get the list of udp open ports" shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - args: - warn: false changed_when: false failed_when: false - register: rhel9cis_3_4_4_1_4_oudp + register: rhel9cis_3_4_3_2_3_oudp - - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open tcp ports" + - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports" iptables: action: append chain: INPUT @@ -109,10 +83,10 @@ ctstate: NEW jump: ACCEPT with_items: - - "{{ rhel9cis_3_4_4_1_4_otcp.stdout_lines }}" - when: rhel9cis_3_4_4_1_4_otcp.stdout is defined + - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}" + when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open udp ports" + - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports" iptables: action: append chain: INPUT @@ -122,27 +96,74 @@ ctstate: NEW jump: ACCEPT with_items: - - "{{ rhel9cis_3_4_4_1_4_oudp.stdout_lines }}" - when: rhel9cis_3_4_4_1_4_otcp.stdout is defined + - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" + when: rhel9cis_3_4_3_2_3_otcp.stdout is defined + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.2.3 + +- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy" + block: + - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" + iptables: + chain: INPUT + protocol: tcp + destination_port: "22" + jump: ACCEPT + + - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - rhel9cis_rule_3_4_3_2_4 + - rhel9cis_firewall == "iptables" + tags: + - level1-server + - level1-workstation + - automated + - patch + - iptables + - rule_3.4.3.2.4 + +- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved" + iptables_state: + state: saved + path: /etc/sysconfig/iptables when: + - rhel9cis_rule_3_4_3_2_5 - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.1.4 + - iptables + - rule_3.4.3.2.5 -- name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" +- name: "3.4.3.2.6 | PATCH | Ensure iptables service is enabled and active" service: name: iptables - enabled: true + enabled: yes state: started when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_5 + - rhel9cis_rule_3_4_3_2_6 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.1.5 + - iptables + - rule_3.4.3.2.6 diff --git a/tasks/section_3/cis_3.4.4.2.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml similarity index 54% rename from tasks/section_3/cis_3.4.4.2.x.yml rename to tasks/section_3/cis_3.4.3.3.x.yml index be4bf540..f3bcfa12 100644 --- a/tasks/section_3/cis_3.4.4.2.x.yml +++ b/tasks/section_3/cis_3.4.3.3.x.yml @@ -1,37 +1,8 @@ --- -- name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy" +- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - - name: "3.4.4.2.1 | L1 | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_1 - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.1 - -- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" + - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" iptables: action: append chain: INPUT @@ -39,7 +10,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" + - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" iptables: action: append chain: OUTPUT @@ -47,7 +18,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" + - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT @@ -56,15 +27,17 @@ ip_version: ipv6 when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_2 + - rhel9cis_rule_3_4_3_3_1 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.2.2 + - ip6tables + - rule_3.4.3.3.1 -- name: "3.4.4.2.3 | L1 | PATCH | Ensure ip6tables outbound and established connections are configured" +- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' @@ -82,23 +55,25 @@ - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_3 + - rhel9cis_rule_3_4_3_3_2 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation + - manual - patch - - rule_3.4.4.2.3 + - ip6tables + - rule_3.4.3.3.2 -- name: "3.4.4.2.4 | L1 | PATCH | Ensure ip6tables firewall rules exist for all open ports" +- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports" block: - - name: "3.4.4.2.4 | L1 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" + - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' changed_when: false failed_when: false - register: rhel9cis_3_4_4_2_4_otcp + register: rhel9cis_3_4_3_3_3_otcp - - name: "3.4.4.2.4 | L1 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" + - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" iptables: action: append chain: INPUT @@ -109,28 +84,80 @@ jump: ACCEPT ip_version: ipv6 with_items: - - "{{ rhel9cis_3_4_4_2_4_otcp.stdout_lines }}" - when: rhel9cis_3_4_4_2_4_otcp.stdout is defined + - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" + when: rhel9cis_3_4_3_3_3_otcp.stdout is defined + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_3_3 + - rhel9cis_ipv6_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - ip6tables + - rule_3.4.3.3.3 + +- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy" + block: + - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" + iptables: + chain: INPUT + protocol: tcp + destination_port: "22" + jump: ACCEPT + ip_version: ipv6 + + - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - rhel9cis_firewall == "iptables" + - rhel9cis_rule_3_4_3_3_4 + - rhel9cis_ipv6_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - ip6tables + - rule_3.4.3.3.4 + +- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved" + iptables_state: + state: saved + path: /etc/sysconfig/ip6tables + ip_version: ipv6 when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_4 - rhel9cis_ipv6_required + - rhel9cis_rule_3_4_3_3_5 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.2.4 + - ip6tables + - rule_3.4.3.3.5 -- name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" +- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active" service: name: ip6tables - enabled: true + enabled: yes state: started when: - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_5 + - rhel9cis_rule_3_4_3_3_6 tags: - level1-server - level1-workstation + - automated - patch - - rule_3.4.4.2.5 + - ip6tables + - rule_3.4.3.3.6 diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml deleted file mode 100644 index 42121395..00000000 --- a/tasks/section_3/cis_3.4.3.x.yml +++ /dev/null @@ -1,320 +0,0 @@ ---- - -- name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables" - shell: ip6tables -F - args: - warn: false - when: - - rhel9cis_rule_3_4_3_1 - - rhel9cis_firewall != "iptables" - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.1 - -- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists" - block: - - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables" - shell: nft list tables - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_nft_tables - - - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: - msg: - - "Below are the current nft tables, please review" - - "{{ rhel9cis_3_4_3_2_nft_tables.stdout_lines }}" - when: rhel9cis_3_4_3_2_nft_tables.stdout | length > 0 - - - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: - msg: - - "Warning! You currently have no nft tables, please review your setup" - - 'Use the shell "nft create table inet
" to create a new table' - when: - - rhel9cis_3_4_3_2_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" - shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - args: - warn: false - failed_when: false - when: rhel9cis_nft_tables_autonewtable - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.2 - -- name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist" - block: - - name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_input_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_forward_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_output_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: - msg: - - "Below are the current INPUT chains" - - "{{ rhel9cis_3_4_3_3_input_chains.stdout_lines }}" - - "Below are the current FORWARD chains" - - "{{ rhel9cis_3_4_3_3_forward_chains.stdout_lines }}" - - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_3_4_3_3_output_chains.stdout_lines }}" - when: not rhel9cis_nft_tables_autochaincreate - - - name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" - args: - warn: false - failed_when: false - with_items: - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - when: rhel9cis_nft_tables_autochaincreate - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.3 - -- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured" - block: - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_iiflo - - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_ipsaddr - - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_ip6saddr - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - args: - warn: false - when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - args: - warn: false - when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop - args: - warn: false - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.4 - -- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured" - block: - - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_5_inconnectionrule - - - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_5_outconnectionrule - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - args: - warn: false - when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept - args: - warn: false - when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept - args: - warn: false - when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - args: - warn: false - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - args: - warn: false - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - args: - warn: false - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.5 - -- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy" - block: - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_inputpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_forwardpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_outputpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_sshallowcheck - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - args: - warn: false - when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - args: - warn: false - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - args: - warn: false - when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - args: - warn: false - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.6 - -- name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled" - service: - name: nftables - enabled: true - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.7 - -- name: "3.4.3.8 | L1 | PATCH | Ensure nftables rules are permanent" - lineinfile: - path: /etc/sysconfig/nftables.conf - state: present - insertafter: EOF - line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.8 diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml deleted file mode 100644 index abe73d57..00000000 --- a/tasks/section_3/cis_3.5.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled" - block: - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - shell: nmcli radio wifi - args: - warn: false - register: rhel_09_wifi_enabled - changed_when: rhel_09_wifi_enabled.stdout != "disabled" - failed_when: false - - - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - shell: nmcli radio all off - args: - warn: false - changed_when: false - failed_when: false - when: rhel_09_wifi_enabled is changed - when: - - '"NetworkManager" in ansible_facts.packages' - - rhel9cis_rule_3_5 - tags: - - level1-server - - level2-workstation - - patch - - rule_3.5 diff --git a/tasks/section_3/cis_3.6.yml b/tasks/section_3/cis_3.6.yml deleted file mode 100644 index 4fa1ae50..00000000 --- a/tasks/section_3/cis_3.6.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "3.6 | L2 | PATCH | Disable IPv6" - replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?/dev/null; done + changed_when: false + failed_when: false + check_mode: no + register: priv_procs + + - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_6 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.6 + +- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_7 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3_7 + +- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_8 + tags: + - level2-server + - level2-workstation + - autoamted + - patch + - auditd + - rule_4.1.3.8 + +- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_9 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.9 + +- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_10 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.10 + +- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_11 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.11 + +- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_12 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.12 + +- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_13 + tags: + - level2-server + - level2-workstation + - auditd + - patch + - rule_4.1.3.13 + +- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_14 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.14 + +- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_15 + tags: + - level2-server + - level2- workstation + - automated + - patch + - auditd + - rule_4.1.3.15 + +- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_16 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.16 + +- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_17 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.17 + +- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_18 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.18 + +- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_19 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.19 + +- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_20 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.20 + +- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" + debug: + msg: + - "Please run augenrules --load if you suspect there is a configuration that is not active" + when: + - rhel9cis_rule_4_1_3_21 + tags: + - level2-server + - level2-workstation + - manual + - patch + - auditd + - rule_4.1.3.21 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml deleted file mode 100644 index ba14ec06..00000000 --- a/tasks/section_4/cis_4.1.x.yml +++ /dev/null @@ -1,207 +0,0 @@ ---- - -- name: "4.1.3 | L2 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_3 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.3 - -- name: "4.1.4 | L2 | PATCH | Ensure login and logout events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_4 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.4 - -- name: "4.1.5 | L2 | PATCH | Ensure session initiation information is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_5 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.5 - -- name: "4.1.6 | L2 | PATCH | Ensure events that modify date and time information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_6 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.6 - -- name: "4.1.7 | L2 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_7 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.7 - -- name: "4.1.8 | L2 | PATCH | Ensure events that modify the system's network environment are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_8 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.8 - -- name: "4.1.9 | L2 | PATCH | Ensure discretionary access control permission modification events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_9 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.9 - -- name: "4.1.10 | L2 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_10 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.10 - -- name: "4.1.11 | L2 | PATCH | Ensure events that modify user/group information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_11 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.11 - -- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - block: - - name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: priv_procs - - - name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_12 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.12 - -- name: "4.1.13 | L2 | PATCH | Ensure use of privileged commands is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.13 - -- name: "4.1.14 | L2 | PATCH | Ensure file deletion events by users are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_14 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.14 - -- name: "4.1.15 | L2 | PATCH | Ensure kernel module loading and unloading is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_15 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.15 - -- name: "4.1.16 | L2 | PATCH | Ensure system administrator actions (sudolog) are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_16 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.16 - -- name: "4.1.17 | L2 | PATCH | Ensure the audit configuration is immutable" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_17 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.17 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index dd9cdceb..0d9d0ee6 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -1,6 +1,6 @@ --- -- name: "4.2.1.1 | L1 | PATCH | Ensure rsyslog installed" +- name: "4.2.1.1 | PATCH | Ensure rsyslog installed" package: name: rsyslog state: present @@ -10,55 +10,74 @@ tags: - level1-server - level1-workstation + - automated - patch + - rsyslog - rule_4.2.1.1 -- name: "4.2.1.2 | L1 | PATCH | Ensure rsyslog Service is enabled" +- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: true + enabled: yes when: - rhel9cis_rule_4_2_1_2 tags: - level1-server - level1-workstation + - autoamted - patch - rsyslog - rule_4.2.1.2 -- name: "4.2.1.3 | L1 | PATCH | Ensure rsyslog default file permissions configured" +# This is counter to control 4.2.1.5?? +- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" + line: ForwardToSyslog=yes + state: present + when: + - rhel9cis_rule_4_2_1_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.2.1.3 + +- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: dest: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_3 + - rhel9cis_rule_4_2_1_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.1.3 + - rsyslog + - rule_4.2.1.4 -- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured" +- name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" - shell: cat /etc/rsyslog.conf - args: - warn: false - become: true + - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + command: cat /etc/rsyslog.conf + become: yes changed_when: false - failed_when: false - check_mode: false - register: rhel_09_4_2_1_4_audit + failed_when: no + check_mode: no + register: rhel_08_4_2_1_5_audit - - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" + - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_09_4_2_1_4_audit.stdout_lines }}" + - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | mail.* log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -73,7 +92,7 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | news.crit log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -86,7 +105,7 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Misc. log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -100,13 +119,13 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Local log settings" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" block: | - # local log settings + # local log settings to meet CIS standards local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages @@ -114,16 +133,39 @@ *.emrg :omusrmsg:* insertafter: '#### RULES ####' notify: restart rsyslog + + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" + blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + block: | + # Private settings to meet CIS standards + auth,authpriv.* -/var/log/secure + insertafter: '#### RULES ####' + notify: restart rsyslog + + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" + blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + block: | + # Cron settings to meet CIS standards + cron.* /var/log/cron + insertafter: '#### RULES ####' + notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_4 + - rhel9cis_rule_4_2_1_5 tags: - level1-server - level1-workstation + - manual - patch - rsyslog - - rule_4.2.1.4 + - rule_4.2.1.5 -- name: "4.2.1.5 | L1 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" +- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" blockinfile: path: /etc/rsyslog.conf state: present @@ -137,18 +179,19 @@ - result.rc != 257 notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_5 + - rhel9cis_rule_4_2_1_6 - rhel9cis_remote_log_server is defined tags: - level1-server - level1-workstation + - manual - patch - - rule_4.2.1.5 - rsyslog + - rule_4.2.1.6 -- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." +- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: - - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When not log host" + - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" replace: path: /etc/rsyslog.conf regexp: '({{ item }})' @@ -157,9 +200,11 @@ with_items: - '^(\$ModLoad imtcp)' - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' when: not rhel9cis_system_is_log_server - - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host" + - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" replace: path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' @@ -168,12 +213,15 @@ with_items: - 'ModLoad imtcp' - 'InputTCPServerRun' + - 'module\(load="imtcp"\)' + - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - - rhel9cis_rule_4_2_1_6 + - rhel9cis_rule_4_2_1_7 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.1.6 - rsyslog + - rule_4.2.1.7 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 1c87ed47..e83d97c2 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -1,43 +1,206 @@ --- -- name: "4.2.2.1 | L1 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: - dest: /etc/systemd/journald.conf - regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" - line: ForwardToSyslog=yes +- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" + package: + name: systemd-journal-remote state: present when: - - rhel9cis_rule_4_2_2_1 + - rhel9cis_rule_4_2_2_1_1 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.1.1 + +- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" + lineinfile: + path: /etc/systemd/journal-upload.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart systemd_journal_upload + with_items: + - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} + - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} + - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} + - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} + when: + - rhel9cis_rule_4_2_2_1_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.1.2 + +- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" + systemd: + name: systemd-journal-upload + state: started + enabled: yes + when: + - rhel9cis_rule_4_2_2_1_3 tags: - level1-server - level1-workstation + - manual - patch - - rule_4.2.2.1 + - journald + - rule_4.2.2.1.3 + +- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" + systemd: + name: systemd-journal-remote + state: stopped + enabled: no + masked: yes + when: + - rhel9cis_rule_4_2_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_4.2.2.1.4 + +- name: "4.2.2.2 | PATCH | Ensure journald service is enabled" + block: + - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" + systemd: + name: systemd-journald + state: started + enabled: yes + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" + shell: systemctl is-enabled systemd-journald.service + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_2_status + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" + debug: + msg: + - "ALERT! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + when: + - rhel9cis_rule_4_2_2_2 + tags: + - level1-server + - level1-workstation + - automated + - audit + - journald + - rule_4.2.2.2 -- name: "4.2.2.2 | L1 | PATCH | Ensure journald is configured to compress large log files" +- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" lineinfile: dest: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes state: present when: - - rhel9cis_rule_4_2_2_2 + - rhel9cis_rule_4_2_2_3 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.2.2 + - journald + - rule_4.2.2.3 -- name: "4.2.2.3 | L1 | PATCH | Ensure journald is configured to write logfiles to persistent disk" +- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" lineinfile: dest: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent state: present when: - - rhel9cis_rule_4_2_2_3 + - rhel9cis_rule_4_2_2_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.2.3 + - journald + - rule_4.2.2.4 + +# This is counter to control 4.2.1.3?? +- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^ForwardToSyslog=" + line: "#ForwardToSyslog=yes" + state: present + notify: restart systemd_journal_upload + when: + - rhel9cis_rule_4_2_2_5 + tags: + - level1-server + - level2-workstation + - manual + - patch + - journald + - rule_4.2.2.5 + +- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" + lineinfile: + path: /etc/systemd/journald.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart journald + with_items: + - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} + - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } + - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} + - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'} + - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'} + when: + - rhel9cis_rule_4_2_2_6 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.6 + +- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" + block: + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" + find: + paths: /etc/tmpfiles.d + patterns: systemd.conf + register: rhel9cis_4_2_2_7_override_status + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" + shell: cat /etc/tmpfiles.d/systemd.conf + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_7_override_settings + when: rhel9cis_4_2_2_7_override_status.matched >= 1 + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings" + shell: cat /usr/lib/tmpfiles.d/systemd.conf + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_7_notoverride_settings + when: rhel9cis_4_2_2_7_override_status.matched == 0 + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" + debug: + msg: + - "Alert! Below are the current default settings for journald, please confirm they align with your site policies" + # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" + - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + when: + - rhel9cis_rule_4_2_2_7 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index bd13030a..a1b3bb76 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -1,9 +1,7 @@ --- -- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured" - shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - args: - warn: false +- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" + command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + changed_when: false failed_when: false when: @@ -11,5 +9,7 @@ tags: - level1-server - level1-workstation + - automated - patch + - logfiles - rule_4.2.3 diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 7e7fafbc..e8a47808 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -1,13 +1,13 @@ --- -- name: "4.3 | L1 | PATCH | Ensure logrotate is configured" +- name: "4.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3 | L1 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3 | L1 | PATCH | Ensure logrotate is configured" + - name: "4.3 | PATCH | Ensure logrotate is configured" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' @@ -15,11 +15,14 @@ with_items: - "{{ log_rotates.files }}" - { path: "/etc/logrotate.conf" } + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_3 - - "'logrotate' in ansible_facts.packages" tags: - level1-server - level1-workstation + - manual - patch + - logrotate - rule_4.3 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 8e84241a..3b3ab95c 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,21 +1,21 @@ --- -- name: "SECTION | 4.1| Configure System Accounting (auditd)" +- name: "SECTION | 4.1 | Configure System Accounting (auditd)" include_tasks: cis_4.1.1.x.yml when: - not system_is_container -- name: "SECTION | 4.1.2.x| Configure Data Retention" +- name: "SECTION | 4.1.2 | Configure Data Retention" import_tasks: cis_4.1.2.x.yml -- name: "SECTION | 4.1.x| Auditd rules" +- name: "SECTION | 4.1.3 | Configure Auditd rules" import_tasks: cis_4.1.x.yml -- name: "SECTION | 4.2.x| Configure Logging" +- name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' -- name: "SECTION | 4.2.2.x| Configure journald" +- name: "SECTION | 4.2.2 Configure journald" import_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dffbeaf9..9e8657ee 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,18 +1,20 @@ --- -- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled" +- name: "5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond - enabled: true + enabled: yes when: - rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.1 -- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured" +- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" file: dest: /etc/crontab owner: root @@ -23,10 +25,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.2 -- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured" +- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" file: dest: /etc/cron.hourly state: directory @@ -38,10 +42,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.3 -- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured" +- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" file: dest: /etc/cron.daily state: directory @@ -53,10 +59,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.4 -- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured" +- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" file: dest: /etc/cron.weekly state: directory @@ -71,7 +79,7 @@ - patch - rule_5.1.5 -- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured" +- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" file: dest: /etc/cron.monthly state: directory @@ -83,10 +91,11 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.6 -- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured" +- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" file: dest: /etc/cron.d state: directory @@ -98,50 +107,65 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.7 -- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users" +- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" file: - dest: /etc/at.deny + dest: /etc/cron.deny state: absent - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" stat: - path: "/etc/at.allow" - register: p + path: "/etc/cron.allow" + register: rhel9cis_5_1_8_cron_allow_state - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" file: - dest: /etc/at.allow - state: '{{ "file" if p.stat.exists else "touch" }}' + dest: /etc/cron.allow + state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 0600 + when: + - rhel9cis_rule_5_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - cron + - rule_5.1.8 - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" +- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" + block: + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" file: - dest: /etc/cron.deny + dest: /etc/at.deny state: absent - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists" + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" stat: - path: "/etc/cron.allow" - register: p + path: "/etc/at.allow" + register: rhel9cis_5_1_9_at_allow_state - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" file: - dest: /etc/cron.allow - state: '{{ "file" if p.stat.exists else "touch" }}' + dest: /etc/at.allow + state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 0600 when: - - rhel9cis_rule_5_1_8 + - rhel9cis_rule_5_1_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_5.1.8 + - cron + - rule_5.1.9 \ No newline at end of file diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 0629cc7f..4b28f5be 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" file: dest: /etc/ssh/sshd_config state: file @@ -12,107 +12,121 @@ tags: - level1-server - level1-workstation + - automated - patch + - ssh + - permissions - rule_5.2.1 -- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited" +- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} - notify: restart sshd - when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowGroups" - line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} - notify: restart sshd - when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyUsers" - line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} - notify: restart sshd - when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyGroups" - line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} - notify: restart sshd - when: "rhel9cis_sshd['denygroups']|default('') | length > 0" - when: - - rhel9cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.2 - -- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured" - block: - - name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" + - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key' recurse: true file_type: any - register: rhel9cis_5_2_3_ssh_private_host_key + register: rhel9cis_5_2_2_ssh_private_host_key - - name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" + - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" file: path: "{{ item.path }}" owner: root group: root mode: 0600 with_items: - - "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}" + - "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_5_2_3 + - rhel9cis_rule_5_2_2 tags: - level1-server - level1-workstation + - automated - patch - - rule_5.2.3 + - ssh + - permissions + - rule_5.2.2 -- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured" +- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - - name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" + - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' recurse: true file_type: any - register: rhel9cis_5_2_4_ssh_public_host_key + register: rhel9cis_5_2_3_ssh_public_host_key - - name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" + - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" file: path: "{{ item.path }}" owner: root group: root mode: 0644 with_items: - - "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}" + - "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" + loop_control: + label: "{{ item.path }}" + when: + - rhel9cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - ssh + - rule_5.2.3 + +- name: "5.2.4 | PATCH | Ensure SSH access is limited" + block: + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers" + line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + notify: restart sshd + when: "rhel9cis_sshd['allowusers']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowGroups" + line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + notify: restart sshd + when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyUsers" + line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + notify: restart sshd + when: "rhel9cis_sshd['denyusers']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyGroups" + line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + notify: restart sshd + when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: - rhel9cis_rule_5_2_4 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.4 -- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate" +- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: state: present dest: /etc/ssh/sshd_config @@ -123,145 +137,155 @@ tags: - level1-server - level1-workstation + - automated - patch + - sshs - rule_5.2.5 -- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled" +- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#X11Forwarding|^X11Forwarding" - line: 'X11Forwarding no' + regexp: "^#UsePAM|^UsePAM" + line: 'UsePAM yes' when: - rhel9cis_rule_5_2_6 tags: - - level2-server + - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.6 -- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" +- name: "5.2.7 | PATCH | Ensure SSH root login is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: '^(#)?MaxAuthTries \d' - line: 'MaxAuthTries 4' + regexp: "^#PermitRootLogin|^PermitRootLogin" + line: 'PermitRootLogin no' when: - rhel9cis_rule_5_2_7 tags: - level1-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.7 -- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled" +- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#IgnoreRhosts|^IgnoreRhosts" - line: 'IgnoreRhosts yes' + regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" + line: 'HostbasedAuthentication no' when: - rhel9cis_rule_5_2_8 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.8 -- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled" +- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" - line: 'HostbasedAuthentication no' + regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" + line: 'PermitEmptyPasswords no' when: - rhel9cis_rule_5_2_9 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.9 -- name: "5.2.10 | L1 | PATCH | Ensure SSH root login is disabled" +- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#PermitRootLogin|^PermitRootLogin" - line: 'PermitRootLogin no' + regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" + line: 'PermitUserEnvironment no' when: - rhel9cis_rule_5_2_10 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.10 -- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" +- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" - line: 'PermitEmptyPasswords no' + regexp: "^#IgnoreRhosts|^IgnoreRhosts" + line: 'IgnoreRhosts yes' when: - rhel9cis_rule_5_2_11 tags: - level1-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.11 -- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled" +- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" - line: 'PermitUserEnvironment no' + regexp: "^#X11Forwarding|^X11Forwarding" + line: 'X11Forwarding no' when: - rhel9cis_rule_5_2_12 tags: - - level1-server + - level2-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.12 -- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured" - block: - - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^ClientAliveInterval' - line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" - - - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^ClientAliveCountMax' - line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" +- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" + line: 'AllowTcpForwarding no' when: - rhel9cis_rule_5_2_13 tags: - - level1-server - - level1-workstation + - level2-server + - level2-workstation + - autoamted - patch + - ssh - rule_5.2.13 -- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#LoginGraceTime|^LoginGraceTime" - line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" +- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" + shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + args: + warn: no + notify: restart sshd when: - rhel9cis_rule_5_2_14 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.14 -- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured" +- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: state: present dest: /etc/ssh/sshd_config @@ -272,74 +296,96 @@ tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.15 -- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled" +- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#UsePAM|^UsePAM" - line: 'UsePAM yes' + regexp: '^(#)?MaxAuthTries \d' + line: 'MaxAuthTries 4' when: - rhel9cis_rule_5_2_16 tags: - level1-server - level1-workstation + - autoamted - patch + - ssh - rule_5.2.16 -- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled" +- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" - line: 'AllowTcpForwarding no' + regexp: "^#MaxStartups|^MaxStartups" + line: 'MaxStartups 10:30:60' when: - rhel9cis_rule_5_2_17 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - autoamted - patch + - ssh - rule_5.2.17 -- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured" +- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#MaxStartups|^MaxStartups" - line: 'MaxStartups 10:30:60' + regexp: "^#MaxSessions|^MaxSessions" + line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' when: - rhel9cis_rule_5_2_18 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.18 -- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less" +- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: "^#MaxSessions|^MaxSessions" - line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' + regexp: "^#LoginGraceTime|^LoginGraceTime" + line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" when: - rhel9cis_rule_5_2_19 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.19 -- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: false - notify: restart sshd +- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" + block: + - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^ClientAliveInterval' + line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" + + - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^ClientAliveCountMax' + line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" when: - rhel9cis_rule_5_2_20 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 27623024..b6dc07a9 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -1,94 +1,138 @@ --- -- name: "5.3.1 | L1 | PATCH | Create custom authselect profile" - block: - - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles" - shell: 'authselect current | grep "Profile ID: custom/"' - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_1_profiles - - - name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_1_profiles.stdout_lines }}" - - - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles" - shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - args: - warn: false - when: rhel9cis_authselect_custom_profile_create +- name: "5.3.1 | PATCH | Ensure sudo is installed" + package: + name: sudo + state: present when: - rhel9cis_rule_5_3_1 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.1 -- name: "5.3.2 | L1 | PATCH | Select authselect profile" - block: - - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features" - shell: "authselect current" - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_2_profiles - - - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_2_profiles.stdout_lines }}" - - - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" - args: - warn: false - when: rhel9cis_authselect_custom_profile_select +- name: "5.3.2 | PATCH | Ensure sudo commands use pty" + lineinfile: + dest: /etc/sudoers + line: "Defaults use_pty" + state: present when: - rhel9cis_rule_5_3_2 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.2 -- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock" +- name: "5.3.3 | PATCH | Ensure sudo log file exists" + lineinfile: + dest: /etc/sudoers + regexp: '^Defaults logfile=' + line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' + state: present + when: + - rhel9cis_rule_5_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.3 + +- name: "5.3.4 | PATCH | Ensure users must provide password for escalation" + replace: + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + with_items: + - "{{ rhel9cis_sudoers_files.stdout_lines }}" + when: + - rhel9cis_rule_5_3_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - sudo + - rule_5.3.4 + +- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" + replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + with_items: + - "{{ rhel9cis_sudoers_files.stdout_lines }}" + when: + - rhel9cis_rule_5_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.5 + +- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" block: - - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - shell: "authselect current | grep with-faillock" - args: - warn: false - failed_when: false + - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false - check_mode: false - register: rhel9cis_5_3_3_profiles_faillock + failed_when: false + register: rhel9cis_5_3_6_timeout_files - - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_3_profiles_faillock.stdout_lines }}" + - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + lineinfile: + path: /etc/sudoers + regexp: 'Defaults timestamp_timeout=' + line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + when: rhel9cis_5_3_6_timeout_files.stdout | length == 0 - - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" - args: - warn: false - when: rhel9cis_authselect_custom_profile_select + - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" + when: rhel9cis_5_3_6_timeout_files.stdout | length > 0 when: - - rhel9cis_rule_5_3_3 + - rhel9cis_rule_5_3_6 tags: - level1-server - level1-workstation + - automated - patch - - authselect - - rule_5.3.3 + - sudo + - rule_5.3.6 + +- name: "5.3.7 | PATCH | Ensure access to the su command is restricted" + block: + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + lineinfile: + state: present + dest: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' + + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" + user: + name: "{{ rhel9cis_sugroup_users }}" + groups: "{{ rhel9cis_sugroup | default('wheel') }}" + when: + - rhel9cis_rule_5_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 05ccefba..501af418 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -1,131 +1,61 @@ --- -- name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - lineinfile: - state: present - dest: /etc/security/pwquality.conf - regexp: ^{{ item.name }} - line: "{{ item.name }} = {{ item.value }}" - with_items: - - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - when: rhel9cis_rule_5_4_1 - - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings - 5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings" - lineinfile: - dest: /etc/pam.d/system-auth - state: present - regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertbefore: '^#?password ?' - when: - - rhel9cis_rule_5_4_1 or - rhel9cis_rule_5_4_3 - - - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: - dest: /etc/pam.d/password-auth - state: present - regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" - insertbefore: '^#?password ?' - when: rhel9cis_rule_5_4_1 - - - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth" - lineinfile: - dest: /etc/pam.d/{{ item }} - state: present - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: rhel9cis_rule_5_4_2 - - - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail" - lineinfile: - dest: /etc/pam.d/{{ item }} - state: present - regexp: '^auth required pam_faillock.so authfail' - line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: rhel9cis_rule_5_4_2 - - - name: | - "5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings" - lineinfile: - dest: /etc/pam.d/system-auth - state: present - regexp: '^password sufficient pam_unix.so' - line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^#?password ?' - when: - - rhel9cis_rule_5_4_3 or - rhel9cis_rule_5_4_4 - - - name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings" - lineinfile: - dest: /etc/pam.d/password-auth - state: present - regexp: '^password sufficient pam_unix.so' - line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok" - insertafter: '^#?password ?' - when: rhel9cis_rule_5_4_4 - - # The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services - # With the steps below you will score five (5) points lower due to false positive results - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" - copy: - src: /etc/pam.d/{{ item }} - dest: /etc/pam.d/{{ item }}-local - remote_src: true - owner: root - group: root - mode: '0644' - with_items: - - "system-auth" - - "password-auth" - - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" - file: - src: /etc/pam.d/{{ item }}-local - dest: /etc/pam.d/{{ item }} - state: link - force: true - with_items: - - "system-auth" - - "password-auth" + - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" + shell: 'authselect current | grep "Profile ID: custom/"' + failed_when: false + changed_when: false + check_mode: no + register: rhel9cis_5_4_1_profiles + + - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" + debug: + msg: + - "Below are the current custom profiles" + - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" + + - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" + shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} + args: + warn: no + when: rhel9cis_authselect_custom_profile_create when: - - rhel9cis_rule_5_4_1 or - rhel9cis_rule_5_4_2 or - rhel9cis_rule_5_4_3 or - rhel9cis_rule_5_4_4 + - rhel9cis_rule_5_4_1 tags: - level1-server - level1-workstation + - manual - patch + - authselect - rule_5.4.1 + +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" + block: + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" + shell: "authselect current | grep with-faillock" + failed_when: false + changed_when: false + check_mode: no + register: rhel9cis_5_4_2_profiles_faillock + + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" + debug: + msg: + - "Below are the current custom profiles" + - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" + + - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" + shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + args: + warn: no + when: rhel9cis_authselect_custom_profile_select + when: + - rhel9cis_rule_5_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - authselect - rule_5.4.2 - - rule_5.4.3 - - rule_5.4.4 diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml deleted file mode 100644 index c7486e16..00000000 --- a/tasks/section_5/cis_5.5.1.x.yml +++ /dev/null @@ -1,131 +0,0 @@ ---- - -- name: "5.5.1.1 | L1 | PATCH | Ensure password expiration is 365 days or less" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" - when: - - rhel9cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.1 - -- name: "5.5.1.2 | L1 | PATCH | Ensure minimum days between password changes is 7 or more" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" - when: - - rhel9cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.2 - -- name: "5.5.1.3 | L1 | PATCH | Ensure password expiration warning days is 7 or more" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" - when: - - rhel9cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.3 - -- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" - shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_5_5_1_4_inactive_settings - - - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} - args: - warn: false - when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0 - - - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' - args: - warn: false - check_mode: false - register: rhel_09_5_5_1_4_audit - changed_when: false - - - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" - args: - warn: false - with_items: - - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}" - when: - - rhel9cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.4 - -- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_5_1_5_currentut - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_5_5_1_5_user_list - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel9cis_5_5_1_5_user_list.stdout | length == 0 - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - debug: - msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel9cis_5_5_1_5_user_list.stdout | length > 0 - - not rhel9cis_futurepwchgdate_autofix - - - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - shell: passwd --expire {{ item }} - args: - warn: false - when: - - rhel9cis_5_5_1_5_user_list | length > 0 - - rhel9cis_futurepwchgdate_autofix - with_items: - - "{{ rhel9cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel9cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index ebed1bdd..8c5d301f 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,8 +1,8 @@ --- -- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured" +- name: "5.5.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin" + - name: "5.5.2 | Ensure system accounts are secured | Set nologin" user: name: "{{ item.id }}" shell: /usr/sbin/nologin @@ -13,11 +13,11 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - item.uid < 1000 + - rhel9cis_int_gid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" - - name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts" + - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" user: name: "{{ item.id }}" password_lock: true @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - min_int_uid | int >= item.uid + - rhel9cis_int_gid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: @@ -39,15 +39,15 @@ - patch - rule_5.5.2 -- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less" +- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: - create: true + create: yes mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" marker: "# {mark} ANSIBLE MANAGED" block: | - # Set session timeout - CIS ID RHEL-09-5.4.5 + # Set session timeout - CIS ID RHEL-08-5.4.5 TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT @@ -62,10 +62,8 @@ - patch - rule_5.5.3 -- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0" - shell: usermod -g 0 root - args: - warn: false +- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0" + command: usermod -g 0 root changed_when: false failed_when: false when: @@ -76,15 +74,15 @@ - patch - rule_5.5.4 -- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive" +- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc regexp: '(^\s+umask) 0[012][0-6]' replace: '\1 027' - - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" + - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile regexp: '(^\s+umask) 0[012][0-6]' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml new file mode 100644 index 00000000..744c6d68 --- /dev/null +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -0,0 +1,125 @@ +--- + +- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + when: + - rhel9cis_rule_5_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.5.1.1 + +- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + when: + - rhel9cis_rule_5_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.6.1.2 + +- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + when: + - rhel9cis_rule_5_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.5.1.3 + +- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + block: + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" + shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_4_inactive_settings + + - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" + command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 + + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" + shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + changed_when: false + check_mode: no + register: rhel_8_5_6_1_4_user_list + + - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" + command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + with_items: + - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" + when: + - rhel9cis_rule_5_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.6.1.4 + +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" + block: + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + shell: echo $(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_5_currentut + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" + shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_5_user_list + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" + debug: + msg: "Good News! All accounts have PW change dates that are in the past" + when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" + debug: + msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix + + - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" + command: passwd --expire {{ item }} + when: + - rhel9cis_5_6_1_5_user_list | length > 0 + - rhel9cis_futurepwchgdate_autofix + with_items: + - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_rule_5_6_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml new file mode 100644 index 00000000..3d9cf327 --- /dev/null +++ b/tasks/section_5/cis_5.6.x.yml @@ -0,0 +1,108 @@ +--- + +- name: "5.6.2 | PATCH | Ensure system accounts are secured" + block: + - name: "5.6.2 | Ensure system accounts are secured | Set nologin" + user: + name: "{{ item.id }}" + shell: /usr/sbin/nologin + with_items: + - "{{ rhel9cis_passwd }}" + when: + - item.id != "root" + - item.id != "sync" + - item.id != "shutdown" + - item.id != "halt" + - rhel9cis_int_gid | int < item.gid + - item.shell != " /bin/false" + - item.shell != " /usr/sbin/nologin" + loop_control: + label: "{{ item.id }}" + + - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts" + user: + name: "{{ item.id }}" + password_lock: true + with_items: + - "{{ rhel9cis_passwd }}" + when: + - item.id != "halt" + - item.id != "shutdown" + - item.id != "sync" + - item.id != "root" + - rhel9cis_int_gid | int < item.gid + - item.shell != " /bin/false" + - item.shell != " /usr/sbin/nologin" + loop_control: + label: "{{ item.id }}" + when: + - rhel9cis_rule_5_6_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.2 + +- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" + blockinfile: + create: yes + mode: 0644 + dest: "{{ item.dest }}" + state: "{{ item.state }}" + marker: "# {mark} ANSIBLE MANAGED" + block: | + # Set session timeout - CIS ID RHEL-08-5.4.5 + TMOUT={{ rhel9cis_shell_session_timeout.timeout }} + export TMOUT + readonly TMOUT + with_items: + - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } + - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + when: + - rhel9cis_rule_5_6_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.3 + +- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" + command: usermod -g 0 root + changed_when: false + failed_when: false + when: + - rhel9cis_rule_5_6_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.4 + +- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" + block: + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + replace: + path: /etc/bashrc + regexp: '(^\s+umask) 0[012][0-6]' + replace: '\1 027' + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" + replace: + path: /etc/profile + regexp: '(^\s+umask) 0[012][0-6]' + replace: '\1 027' + when: + - rhel9cis_rule_5_6_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.5 diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml deleted file mode 100644 index 6262c3c2..00000000 --- a/tasks/section_5/cis_5.6.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- - -# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed. -- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console" - block: - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists" - stat: - path: /etc/securetty - register: rhel9cis_securetty_check - - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles" - shell: cat /etc/securetty - args: - warn: false - changed_when: false - register: rhel_09_5_6_audit - when: rhel9cis_securetty_check.stat.exists - - - name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console" - debug: - msg: - - "These are the consoles with root login access, please review:" - - "{{ rhel_09_5_6_audit.stdout_lines }}" - when: rhel9cis_securetty_check.stat.exists - - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists" - debug: - msg: - - "There is no /etc/securetty file, this has been removed by default in RHEL9" - when: not rhel9cis_securetty_check.stat.exists - when: - - rhel9cis_rule_5_6 - tags: - - level1-server - - level1-workstation - - audit - - rule_5.6 diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml deleted file mode 100644 index 9e7bbec8..00000000 --- a/tasks/section_5/cis_5.7.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - lineinfile: - state: present - dest: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - - - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - user: - name: "{{ rhel9cis_sugroup_users }}" - groups: "{{ rhel9cis_sugroup | default('wheel') }}" - when: - - rhel9cis_rule_5_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.7 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 08e5c452..b7db8599 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,5 +1,7 @@ --- +# Access, Authentication, and Authorization + - name: "SECTION | 5.1 | Configure time-based job schedulers" import_tasks: cis_5.1.x.yml @@ -8,22 +10,17 @@ when: - "'openssh-server' in ansible_facts.packages" -- name: "SECTION | 5.3 | Configure Profiles" +- name: "SECTION | 5.3 | Configure privilege escalation" include_tasks: cis_5.3.x.yml - when: - - rhel9cis_use_authconfig -- name: "SECTION | 5.4 | Configure PAM " +- name: "SECTION | 5.4 | Configure authselect" import_tasks: cis_5.4.x.yml -- name: "SECTION | 5.5.1.x | Passwords and Accounts" - import_tasks: cis_5.5.1.x.yml - -- name: "SECTION | 5.5.x | System Accounts and User Settings" +- name: "SECTION | 5.5 | Configure PAM " import_tasks: cis_5.5.x.yml -- name: "SECTION | 5.6 | Root Login" - import_tasks: cis_5.6.yml +- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" + import_tasks: cis_5.6.1.x.yml -- name: Section | 5.7 | su Command Restriction - import_tasks: cis_5.7.yml +- name: "SECTION | 5.6.x | Misc. User Account Settings" + import_tasks: cis_5.6.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c596ed13..be85af00 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -1,30 +1,30 @@ --- -- name: "6.1.1 | L2 | AUDIT | Audit system file permissions" +- name: "6.1.1 | AUDIT | Audit system file permissions" block: - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages" + - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: false + warn: no changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Create list and warning" + - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | L2 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" + - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: msg: | "Warning! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out no package descrepancies" + - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" debug: msg: "Good News! There are no package descrepancies" when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0 @@ -33,26 +33,32 @@ tags: - level2-server - level2-workstation + - manual - audit + - permissions - rule_6.1.1 -- name: "6.1.2 | L1 | PATCH | Ensure permissions on /etc/passwd are configured" - file: - dest: /etc/passwd - owner: root - group: root - mode: 0644 +- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" + shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + args: + warn: no + changed_when: false + failed_when: false when: - rhel9cis_rule_6_1_2 tags: + - skip_ansible_lint - level1-server - level1-workstation + - automated - patch - - rule_6.1.2 + - stickybits + - permissons + - rule_1.1.21 -- name: "6.1.3 | L1 | PATCH | Ensure permissions on /etc/passwd- are configured" +- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured" file: - dest: /etc/passwd- + dest: /etc/passwd owner: root group: root mode: 0644 @@ -61,10 +67,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.3 -- name: "6.1.4 | L1 | PATCH | Ensure permissions on /etc/shadow are configured" +- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" file: dest: /etc/shadow owner: root @@ -75,24 +83,28 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.4 -- name: "6.1.5 | L1 | PATCH | Ensure permissions on /etc/shadow- are configured" +- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" file: - dest: /etc/shadow- + dest: /etc/group- owner: root group: root - mode: 0000 + mode: 0644 when: - rhel9cis_rule_6_1_5 tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.5 -- name: "6.1.6 | L1 | PATCH | Ensure permissions on /etc/gshadow are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured" file: dest: /etc/gshadow owner: root @@ -103,38 +115,44 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.6 -- name: "6.1.7 | L1 | PATCH | Ensure permissions on /etc/gshadow- are configured" +- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured" file: - dest: /etc/gshadow- + dest: /etc/passwd- owner: root group: root - mode: 0000 + mode: 0644 when: - rhel9cis_rule_6_1_7 tags: - level1-server - level1-workstation + - autoamted - patch + - permissions - rule_6.1.7 -- name: "6.1.8 | L1 | PATCH | Ensure permissions on /etc/group are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" file: - dest: /etc/group- + dest: /etc/shadow- owner: root group: root - mode: 0644 + mode: 0000 when: - - rhel9cis_rule_6_1_8 + - rhel9cis_rule_6_1_6 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.1.8 + - permissions + - rule_6.1.6 -- name: "6.1.9 | L1 | PATCH | Ensure permissions on /etc/group- are configured" +- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured" file: dest: /etc/group- owner: root @@ -145,160 +163,189 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissionss - rule_6.1.9 -- name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist" +- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured" + file: + dest: /etc/gshadow- + owner: root + group: root + mode: 0000 + when: + - rhel9cis_rule_6_1_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - permissions + - rule_6.1.10 + +- name: "6.1.11 | PATCH | Ensure no world writable files exist" block: - - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - args: - warn: false failed_when: false changed_when: false - register: rhel_09_6_1_10_perms_results + register: rhel_08_6_1_11_perms_results - - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" + - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" debug: msg: "Good news! We have not found any world-writable files on your system" when: - - rhel_09_6_1_10_perms_results.stdout is not defined + - rhel_08_6_1_11_perms_results.stdout is not defined - - name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" + - name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" file: path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_09_6_1_10_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}" when: - - rhel_09_6_1_10_perms_results.stdout_lines is defined + - rhel_08_6_1_11_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust when: - - rhel9cis_rule_6_1_10 + - rhel9cis_rule_6_1_11 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.1.10 + - files + - permissions + - rule_6.1.11 -- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist" +- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist" block: - - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - shell: find "{{ item.mount }}" -xdev -nouser - args: - warn: false - check_mode: false - failed_when: false + - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" + command: find "{{ item.mount }}" -xdev -nouser changed_when: false + failed_when: false + check_mode: false + register: rhel_08_6_1_12_audit with_items: "{{ ansible_mounts }}" - register: rhel_09_6_1_11_audit + loop_control: + label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" + - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" debug: msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_11_audit.results }}" + with_items: "{{ rhel_08_6_1_12_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 when: - - rhel9cis_rule_6_1_11 + - rhel9cis_rule_6_1_12 tags: - level1-server - level1-workstation + - automated - audit - - rule_6.1.11 + - files + - permissions + - rule_6.1.12 -- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist" +- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist" block: - - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - shell: find "{{ item.mount }}" -xdev -nogroup - args: - warn: false + - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" + command: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false - register: rhel_09_6_1_12_audit + register: rhel_08_6_1_13_audit with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" + - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" debug: msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_12_audit.results }}" + with_items: "{{ rhel_08_6_1_13_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 when: - - rhel9cis_rule_6_1_12 + - rhel9cis_rule_6_1_13 tags: - level1-server - level1-workstation - - patch - - rule_6.1.12 + - automated + - audit + - files + - permissions + - rule_6.1.13 -- name: "6.1.13 | L1 | AUDIT | Audit SUID executables" +- name: "6.1.14 | AUDIT | Audit SUID executables" block: - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables" + - name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 - args: - warn: false failed_when: false changed_when: false - register: rhel_09_6_1_13_perms_results + register: rhel_08_6_1_14_perms_results with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" debug: msg: "Good news! We have not found any SUID executable files on your system" failed_when: false changed_when: false when: - - rhel_09_6_1_13_perms_results.stdout is not defined + - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert SUID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" debug: msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - - rhel_09_6_1_13_perms_results.stdout is defined + - rhel_08_6_1_14_perms_results.stdout is defined when: - - rhel9cis_rule_6_1_13 + - rhel9cis_rule_6_1_14 tags: - level1-server - level1-workstation + - manual - audit - - rule_6.1.13 + - files + - rule_6.1.14 -- name: "6.1.14 | L1 | AUDIT | Audit SGID executables" +- name: "6.1.15 | AUDIT | Audit SGID executables" block: - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables" + - name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 - args: - warn: false failed_when: false changed_when: false - register: rhel_09_6_1_14_perms_results + register: rhel_08_6_1_15_perms_results with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" debug: msg: "Good news! We have not found any SGID executable files on your system" failed_when: false changed_when: false when: - - rhel_09_6_1_14_perms_results.stdout is not defined + - rhel_08_6_1_15_perms_results.stdout is not defined - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert SGID executables exist" + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" + with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" when: - - rhel_09_6_1_14_perms_results.stdout is defined + - rhel_08_6_1_15_perms_results.stdout is defined when: - - rhel9cis_rule_6_1_14 + - rhel9cis_rule_6_1_15 tags: - level1-server - level1-workstation - - patch - - rule_6.1.14 + - manual + - audit + - files + - rule_6.1.15 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 7b9523bb..ff2b0c3a 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -1,9 +1,7 @@ --- -- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty" - shell: passwd -l {{ item }} - args: - warn: false +- name: "6.2.1 | PATCH | Ensure password fields are not empty" + command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" @@ -13,177 +11,268 @@ tags: - level1-server - level1-workstation + - automated - patch + - accounts - rule_6.2.1 -- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" - shell: sed -i '/^+/ d' /etc/passwd - args: - warn: false - changed_when: false - failed_when: false + +- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_2_2_passwd_gid_check + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + debug: + msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined when: - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - groups - rule_6.2.2 - - skip_ansible_lint -- name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity" +- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist" block: - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value" - shell: 'echo $PATH | grep ::' - args: - warn: false - check_mode: false - register: path_colon - changed_when: False - failed_when: path_colon.rc == 0 - - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end" - shell: 'echo $PATH | grep :$' - args: - warn: false - check_mode: false - register: path_colon_end - changed_when: False - failed_when: path_colon_end.rc == 0 - - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - args: - warn: false - check_mode: false - register: dot_in_path - changed_when: False - failed_when: '"." in dot_in_path.stdout_lines' + - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel9cis_6_2_3_user_uid_check - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: - msg: - - "The following paths have an empty value: {{ path_colon.stdout_lines }}" - - "The following paths have colon end: {{ path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ dot_in_path.stdout_lines }}" + msg: "Good News! There are no duplicate UID's in the system" + when: rhel9cis_6_2_3_user_uid_check.stdout is not defined - - name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" - file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - with_items: "{{ dot_in_path.stdout_lines }}" + - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + debug: + msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined when: - rhel9cis_rule_6_2_3 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - users - rule_6.2.3 -- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" - shell: sed -i '/^+/ d' /etc/shadow - args: - warn: false - changed_when: false - failed_when: false +- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist" + block: + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: false + failed_when: false + register: rhel9cis_6_2_4_user_user_check + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + debug: + msg: "Good News! There are no duplicate GIDs in the system" + when: rhel9cis_6_2_4_user_user_check.stdout is not defined + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + debug: + msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined when: - rhel9cis_rule_6_2_4 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - groups - rule_6.2.4 - - skip_ansible_lint -- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group" - shell: sed -i '/^+/ d' /etc/group - args: - warn: false - changed_when: false - failed_when: false +- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist" + block: + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel9cis_6_2_5_user_username_check + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + debug: + msg: "Good News! There are no duplicate user names in the system" + when: rhel9cis_6_2_5_user_username_check.stdout is not defined + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + debug: + msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined when: - rhel9cis_rule_6_2_5 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - users - rule_6.2.5 - - skip_ansible_lint -- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account" - shell: passwd -l {{ item }} - args: - warn: false +- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist" + block: + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_6_2_6_group_group_check + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + debug: + msg: "Good News! There are no duplicate group names in the system" + when: rhel9cis_6_2_6_group_group_check.stdout is defined + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + debug: + msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined + when: + - rhel9cis_rule_6_2_6 + tags: + - level1-server + - level1-workstation + - automated + - audit + - accounts + - groups + - rule_6.2.6 + +- name: "6.2.7 | PATCH | Ensure root PATH Integrity" + block: + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" + shell: 'echo $PATH | grep ::' + changed_when: False + failed_when: rhel9cis_6_2_7_path_colon.rc == 0 + check_mode: no + register: rhel9cis_6_2_7_path_colon + + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" + shell: 'echo $PATH | grep :$' + changed_when: False + failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 + check_mode: no + register: rhel9cis_6_2_7_path_colon_end + + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" + shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + changed_when: False + failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' + check_mode: no + register: rhel9cis_6_2_7_dot_in_path + + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + debug: + msg: + - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}" + - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" + - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + + - name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" + file: > + path='{{ item }}' + follow=yes + state=directory + owner=root + mode='o-w,g-w' + with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + when: + - rhel9cis_rule_6_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - paths + - rule_6.2.7 + +- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account" + command: passwd -l {{ item }} changed_when: false failed_when: false - with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" + with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - - uid_zero_accounts_except_root.rc - - rhel9cis_rule_6_2_6 + - rhel9cis_uid_zero_accounts_except_root.rc + - rhel9cis_rule_6_2_8 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.6 + - accounts + - users + - rule_6.2.8 -- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.9 | PATCH | Ensure all users' home directories exist" block: - - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - register: rhel_09_6_2_7_audit - - - debug: - var: rhel_09_6_2_7_audit + register: rhel_08_6_2_9_audit + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - args: - warn: false + - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0 - register: rhel_09_6_2_7_patch_audit + changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0 + register: rhel_08_6_2_9_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | PATCH | Ensure all users' home directories exist" file: path: "{{ item.0 }}" - recurse: true + recurse: yes mode: a-st,g-w,o-rwx - register: rhel_09_6_2_7_patch + register: rhel_08_6_2_9_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | PATCH | Ensure all users' home directories exist" acl: path: "{{ item.0 }}" - default: true + default: yes state: present - recursive: true + recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container + when: not rhel9cis_system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -191,14 +280,17 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_7 + - rhel9cis_rule_6_2_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.7 + - users + - rule_6.2.9 + -- name: "6.2.8 | L1 | PATCH | Ensure users own their home directories" +- name: "6.2.10 | PATCH | Ensure users own their home directories" file: path: "{{ item.dir }}" owner: "{{ item.id }}" @@ -207,358 +299,178 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - min_int_uid | int >= item.uid - - rhel9cis_rule_6_2_8 + - item.uid >= rhel9cis_int_gid + - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation + - autoamted - patch - - rule_6.2.8 + - users + - rule_6.2.10 -- name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable" +- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" block: - - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -name "\.*" -perm /g+w,o+w - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_6_2_9_audit + - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + stat: + path: "{{ item }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + register: rhel_08_6_2_11_audit - - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! We have not found any group or world-writable dot files on your sytem" + - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 + check_mode: false + changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0 + register: rhel_08_6_2_11_patch_audit when: - - rhel9cis_6_2_9_audit.stdout is not defined + - ansible_check_mode + - item.1.exists + with_together: + - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + loop_control: + label: "{{ item.0 }}" - - name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" file: - path: '{{ item }}' - mode: go-w - with_items: "{{ rhel9cis_6_2_9_audit.stdout_lines }}" + path: "{{ item.0 }}" + recurse: yes + mode: a-st,g-w,o-rwx + register: rhel_08_6_2_11_patch when: - - rhel9cis_6_2_9_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged - when: - - rhel9cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.9 - -- name: "6.2.10 | L1 | PATCH | Ensure no users have .forward files" - file: - state: absent - dest: "~{{ item }}/.forward" - with_items: "{{ users.stdout_lines }}" - when: - - rhel9cis_rule_6_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.10 + - not ansible_check_mode + - item.1.exists + with_together: + - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + loop_control: + label: "{{ item.0 }}" -- name: "6.2.11 | L1 | PATCH | Ensure no users have .netrc files" - file: - state: absent - dest: "~{{ item }}/.netrc" - with_items: "{{ users.stdout_lines }}" + # set default ACLs so the homedir has an effective umask of 0027 + - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + acl: + path: "{{ item.0 }}" + default: yes + state: present + recursive: yes + etype: "{{ item.1.etype }}" + permissions: "{{ item.1.mode }}" + when: not rhel9cis_system_is_container + with_nested: + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | + rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" + - + - etype: group + mode: rx + - etype: other + mode: '0' when: - rhel9cis_rule_6_2_11 tags: - level1-server - level1-workstation + - automated - patch + - users + - permissions - rule_6.2.11 -- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible" - shell: /bin/true - args: - warn: false - changed_when: false - failed_when: false +- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable" + block: + - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: false + register: rhel9cis_6_2_12_audit + + - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + debug: + msg: "Good news! We have not found any group or world-writable dot files on your sytem" + when: + - rhel9cis_6_2_12_audit.stdout is not defined + + - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + file: + path: '{{ item }}' + mode: go-w + with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}" + when: + - rhel9cis_6_2_12_audit.stdout is defined + - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_12 tags: - level1-server - level1-workstation + - automated - patch + - users + - permissions - rule_6.2.12 -- name: "6.2.13 | L1 | PATCH | Ensure no users have .rhosts files" - file: - state: absent - dest: "~{{ item }}/.rhosts" - with_items: "{{ users.stdout_lines }}" +- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" + command: /bin/true + changed_when: false + failed_when: false when: - rhel9cis_rule_6_2_13 tags: - level1-server - level1-workstation + - automated - patch + - users + - permissions + - notimplemented - rule_6.2.13 -- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: passwd_gid_check - - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: passwd_gid_check.stdout is not defined - - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "WARNING: The following users have non-existent GIDs (Groups): {{ passwd_gid_check.stdout_lines | join (', ') }}" - when: passwd_gid_check.stdout is defined +- name: "6.2.14 | PATCH | Ensure no users have .forward files" + file: + state: absent + dest: "~{{ item }}/.forward" + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - users + - files - rule_6.2.14 -- name: "6.2.15 | L1 | AUDIT Ensure no duplicate UIDs exist" - block: - - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - args: - warn: false - changed_when: false - failed_when: false - register: user_uid_check - - - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: - msg: "Good News! There are no duplicate UID's in the system" - when: user_uid_check.stdout is not defined - - - name: "6.2.15 | L1 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning: The following users have UIDs that are duplicates: {{ user_uid_check.stdout_lines }}" - when: user_uid_check.stdout is defined +- name: "6.2.15 | PATCH | Ensure no users have .netrc files" + file: + state: absent + dest: "~{{ item }}/.netrc" + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: - level1-server - level1-workstation + - automated - patch + - users + - files - rule_6.2.15 -- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - args: - warn: false - changed_when: false - failed_when: false - register: user_user_check - - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: user_user_check.stdout is not defined - - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning: The following groups have duplicate GIDs: {{ user_user_check.stdout_lines }}" - when: user_user_check.stdout is defined +- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" + file: + state: absent + dest: "~{{ item }}/.rhosts" + with_items: "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_16 tags: - level1-server - level1-workstation - - audit - - rule_6.2.16 - -- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - args: - warn: false - changed_when: false - failed_when: false - register: user_username_check - - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! There are no duplicate user names in the system" - when: user_username_check.stdout is not defined - - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning: The following user names are duplicates: {{ user_username_check.stdout_lines }}" - when: user_username_check.stdout is defined - when: - - rhel9cis_rule_6_2_17 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.17 - -- name: "6.2.18 | L1 | AUDIT |Ensure no duplicate group names exist" - block: - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: group_group_check - - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! There are no duplicate group names in the system" - when: group_group_check.stdout is defined - - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning: The following group names are duplicates: {{ group_group_check.stdout_lines }}" - when: group_group_check.stdout is not defined - when: - - rhel9cis_rule_6_2_18 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.18 - -- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty" - block: - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id" - shell: "getent group shadow | cut -d: -f3" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_shadow_gid - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group" - shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_empty_shadow - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow" - shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_shadow_passwd - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned" - debug: - msg: - - " Good News! The shadow group is empty and there are no users assigned to shadow" - when: - - rhel9cis_empty_shadow.stdout | length == 0 - - rhel9cis_shadow_passwd.stdout | length == 0 - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is not empty" - debug: - msg: - - "Alert! The shadow group is not empty" - when: - - rhel9cis_empty_shadow.stdout | length > 0 - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert users are using shadow group" - debug: - msg: - - "Alert! The following users are assigned to the shadow group, please assing them to the appropriate group" - - "{{ rhel9cis_shadow_passwd.stdout_lines }}" - when: - - rhel9cis_shadow_passwd.stdout | length > 0 - when: - - rhel9cis_rule_6_2_19 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.19 - -- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - block: - - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" - stat: - path: "{{ item }}" - register: rhel_09_6_2_20_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - - - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" - shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - args: - warn: false - check_mode: false - changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0 - register: rhel_09_6_2_20_patch_audit - when: - - ansible_check_mode - - item.1.exists - with_together: - - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - - - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - register: rhel_09_6_2_20_patch - when: - - not ansible_check_mode - - item.1.exists - with_together: - - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - acl: - path: "{{ item.0 }}" - default: true - state: present - recursive: true - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - when: - - not system_is_container - with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' - when: - - rhel9cis_rule_6_2_20 - tags: - - level1-server - - level1-workstation + - automated - patch - - rule_6.2.20 + - users + - files + - rule_6.2.16 diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index b6acabf8..61612730 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -4,4 +4,4 @@ import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - import_tasks: cis_6.2.x.yml + import_tasks: cis_6.2.x.yml \ No newline at end of file diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 43897d74..4716376b 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,79 +1,92 @@ -# File created initially via RHEL9 CIS ansible-lockdown remdiation role -{% if rhel9cis_rule_4_1_3 %} +# This template will set all of the auditd configurations via a handler in the role in one task instead of individually +{% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope {% endif %} -{% if rhel9cis_rule_4_1_4 %} --w /var/log/faillog -p wa -k logins --w /var/log/lastlog -p wa -k logins +{% if rhel9cis_rule_4_1_3_2 %} +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} -{% if rhel9cis_rule_4_1_5 %} --w /var/run/utmp -p wa -k session --w /var/log/wtmp -p wa -k logins --w /var/log/btmp -p wa -k logins -{% endif %} -{% if rhel9cis_rule_4_1_6 %} --a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change --a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change --a always,exit -F arch=b64 -S clock_settime -k time-change --a always,exit -F arch=b32 -S clock_settime -k time-change --w /etc/localtime -p wa -k time-change +{% if rhel9cis_rule_4_1_3_3 %} +-w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file {% endif %} -{% if rhel9cis_rule_4_1_7 %} --w /etc/selinux/ -p wa -k MAC-policy --w /usr/share/selinux/ -p wa -k MAC-policy +{% if rhel9cis_rule_4_1_3_4 %} +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change +-w /etc/localtime -p wa -k time-change {% endif %} -{% if rhel9cis_rule_4_1_8 %} --a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale --a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +{% if rhel9cis_rule_4_1_3_5 %} +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale +-w /etc/sysconfig/network-scripts -p wa -k system-locale {% endif %} -{% if rhel9cis_rule_4_1_9 %} --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod -{% endif %} -{% if rhel9cis_rule_4_1_10 %} --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access -{% endif %} -{% if rhel9cis_rule_4_1_11 %} +{% if rhel9cis_rule_4_1_3_6 %} +{% for proc in priv_procs.stdout_lines -%} +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged +{% endfor %} +{% endif %} +{% if rhel9cis_rule_4_1_3_7 %} +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +{% endif %} +{% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity {% endif %} -{% if rhel9cis_rule_4_1_12 %} --a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts +{% if rhel9cis_rule_4_1_3_9 %} +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod {% endif %} -{% if rhel9cis_rule_4_1_13 %} -{% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged -{% endfor %} +{% if rhel9cis_rule_4_1_3_10 %} +-a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +{% endif %} +{% if rhel9cis_rule_4_1_3_11 %} +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session +{% endif %} +{% if rhel9cis_rule_4_1_3_12 %} +-w /var/log/lastlog -p wa -k logins +-w /var/run/faillock -p wa -k logins +{% endif %} +{% if rhel9cis_rule_4_1_3_13 %} +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete +-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete +{% endif %} +{% if rhel9cis_rule_4_1_3_14 %} +-w /etc/selinux/ -p wa -k MAC-policy +-w /usr/share/selinux/ -p wa -k MAC-policy +{% endif %} +{% if rhel9cis_rule_4_1_3_15 %} +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng +{% endif %} +{% if rhel9cis_rule_4_1_3_16 %} +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng {% endif %} -{% if rhel9cis_rule_4_1_14 %} --a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete +{% if rhel9cis_rule_4_1_3_17 %} +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd {% endif %} -{% if rhel9cis_rule_4_1_15 %} --w /usr/sbin/insmod -p x -k modules --w /usr/sbin/rmmod -p x -k modules --w /usr/sbin/modprobe -p x -k modules --a always,exit -F arch=b64 -S init_module -S delete_module -k modules +{% if rhel9cis_rule_4_1_3_18 %} +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod {% endif %} -{% if rhel9cis_rule_4_1_16 %} --w /var/log/sudo.log -p wa -k actions +{% if rhel9cis_rule_4_1_3_19 %} +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules {% endif %} -{% if rhel9cis_rule_4_1_17 %} +{% if rhel9cis_rule_4_1_3_20 %} -e 2 {% endif %} From 19a218390d7f29ba2f5ad02ea8db3aa959934661 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 16:34:33 +0100 Subject: [PATCH 14/69] updates Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++++-- tasks/section_1/cis_1.5.x.yml | 11 ++++------- templates/{ => etc/cron.d}/aide.cron.j2 | 2 +- templates/etc/{ => sysctl.d}/60-disable_ipv6.conf.j2 | 3 +++ templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 8 ++++++++ templates/etc/{ => sysctl.d}/99-sysctl.conf.j2 | 11 ----------- 6 files changed, 22 insertions(+), 21 deletions(-) rename templates/{ => etc/cron.d}/aide.cron.j2 (95%) rename templates/etc/{ => sysctl.d}/60-disable_ipv6.conf.j2 (67%) create mode 100644 templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 rename templates/etc/{ => sysctl.d}/99-sysctl.conf.j2 (89%) diff --git a/handlers/main.yml b/handlers/main.yml index ad56e8b8..d2cf453d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -22,12 +22,16 @@ - name: update sysctl template: - src: etc/99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 notify: reload sysctl + with_items: + - 60-kernel_sysctl.conf + - 60-disable_ipv6.conf + - 99-sysctl.conf when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index d3602b21..a969def9 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -32,13 +32,10 @@ - rule_1.5.2 - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: yes - sysctl_set: yes - ignoreerrors: yes + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: + - update sysctl when: - rhel9cis_rule_1_5_3 tags: diff --git a/templates/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 similarity index 95% rename from templates/aide.cron.j2 rename to templates/etc/cron.d/aide.cron.j2 index 848dcca4..f9014fad 100644 --- a/templates/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,5 +1,5 @@ # Run AIDE integrity check # added via ansible-lockdown remediation -# CIS 1.4.2 +# CIS 1.3.2 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} diff --git a/templates/etc/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 similarity index 67% rename from templates/etc/60-disable_ipv6.conf.j2 rename to templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 855d03d6..34ee10ca 100644 --- a/templates/etc/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,3 +1,6 @@ +# Setting added via ansible CIS remediation playbook + +# IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 new file mode 100644 index 00000000..cbfffeda --- /dev/null +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -0,0 +1,8 @@ +# Setting added via ansible CIS remediation playbook + + +{% if rhel9cis_rule_1_5_3 %} +# Kernel sysctl +# CIS 1.5.3 +kernel.randomize_va_space = 2 +{% endif %} \ No newline at end of file diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/sysctl.d/99-sysctl.conf.j2 similarity index 89% rename from templates/etc/99-sysctl.conf.j2 rename to templates/etc/sysctl.d/99-sysctl.conf.j2 index 8feb96d6..177db219 100644 --- a/templates/etc/99-sysctl.conf.j2 +++ b/templates/etc/sysctl.d/99-sysctl.conf.j2 @@ -1,16 +1,5 @@ # Setting added via ansible CIS remediation playbook -{% if rhel9cis_rule_1_6_1 %} -# Filesystem sysctl -# CIS 1.6.1 -fs.suid_dumpable = 0 -{% endif %} -{% if rhel9cis_rule_1_6_2 %} -# Kernel sysctl -# CIS 1.6.2 -kernel.randomize_va_space = 2 -{% endif %} - # Network sysctl {% if rhel9cis_rule_3_2_1 %} # CIS 3.2.1 From f0c4701dbd45c49b19648adc3e30929d4ba2bb1a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 15:26:13 +0100 Subject: [PATCH 15/69] updated controls Signed-off-by: Mark Bolwell --- defaults/main.yml | 160 ++++++++++++++++------------- group_vars/docker | 28 ----- group_vars/vagrant | 28 ----- handlers/main.yml | 20 ++-- tasks/main.yml | 8 +- tasks/post.yml | 31 +++++- tasks/prelim.yml | 16 ++- tasks/section_2/cis_2.1.x.yml | 9 +- tasks/section_3/cis_3.2.x.yml | 4 +- tasks/section_3/cis_3.3.x.yml | 18 ++-- tasks/section_3/cis_3.4.1.x.yml | 1 - tasks/section_3/main.yml | 34 +++--- tasks/section_4/main.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 2 +- tasks/section_5/cis_5.5.x.yml | 4 +- tasks/section_5/cis_5.6.x.yml | 4 +- tasks/section_6/cis_6.2.x.yml | 12 +-- templates/ansible_vars_goss.yml.j2 | 96 +++++------------ templates/audit/99_auditd.rules.j2 | 51 ++++----- templates/{ => etc}/chrony.conf.j2 | 0 templates/hosts.allow.j2 | 11 -- templates/ntp.conf.j2 | 59 ----------- vars/is_container.yml | 2 - 23 files changed, 237 insertions(+), 363 deletions(-) delete mode 100644 group_vars/docker delete mode 100644 group_vars/vagrant rename templates/{ => etc}/chrony.conf.j2 (100%) delete mode 100644 templates/hosts.allow.j2 delete mode 100644 templates/ntp.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index d2a2372c..78a2c0dc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -36,6 +36,9 @@ benchmark: RHEL9-CIS # Whether to skip the reboot skip_reboot: true +# default value will change to true but wont reboot if not enabled but will error +change_requires_reboot: false + #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### @@ -345,7 +348,7 @@ rhel9cis_rule_6_2_4: true rhel9cis_rule_6_2_5: true rhel9cis_rule_6_2_6: true rhel9cis_rule_6_2_7: true -rhel9cis_rule_6_2_8: false +rhel9cis_rule_6_2_8: true rhel9cis_rule_6_2_9: true rhel9cis_rule_6_2_10: true rhel9cis_rule_6_2_11: true @@ -355,46 +358,19 @@ rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: false -rhel9cis_cups_server: false -rhel9cis_dhcp_server: false -rhel9cis_ldap_server: false -rhel9cis_telnet_server: false -rhel9cis_nfs_server: false -rhel9cis_rpc_server: false -rhel9cis_ntalk_server: false -rhel9cis_rsyncd_server: false -rhel9cis_tftp_server: false -rhel9cis_rsh_server: false -rhel9cis_nis_server: false -rhel9cis_snmp_server: false -rhel9cis_squid_server: false -rhel9cis_smb_server: false -rhel9cis_dovecot_server: false -rhel9cis_httpd_server: false -rhel9cis_vsftpd_server: false -rhel9cis_named_server: false -rhel9cis_nfs_rpc_server: false -rhel9cis_is_mail_server: false -rhel9cis_bind: false -rhel9cis_vsftpd: false -rhel9cis_httpd: false -rhel9cis_dovecot: false -rhel9cis_samba: false -rhel9cis_squid: false -rhel9cis_net_snmp: false -rhel9cis_allow_autofs: false ## Section 1 vars -# 1.1.2 +#### 1.1.2 # These settings go into the /etc/fstab file for the /tmp mount settings # The value must contain nosuid,nodev,noexec to conform to CIS standards # rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" # If set true uses the tmp.mount service else using fstab configuration rhel9cis_tmp_svc: false +#### 1.1.9 +rhel9cis_allow_autofs: false + # 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! @@ -407,17 +383,15 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.3.3 var log location variable -rhel9cis_varlog_location: "/var/log/sudo.log" -# xinetd required -rhel9cis_xinetd_required: false + # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false + # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) # Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. rhel9cis_crypto_policy: "FUTURE" @@ -433,7 +407,7 @@ rhel9cis_config_aide: true # AIDE cron settings rhel9cis_aide_cron: cron_user: root - cron_file: /etc/cron.d/aide.cron + cron_file: /etc/cron.d/aide_cron aide_job: '/usr/sbin/aide --check' aide_minute: 0 aide_hour: 5 @@ -445,92 +419,124 @@ rhel9cis_aide_cron: rhel9cis_selinux_pol: targeted # Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: false -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: false - -rhel9cis_openldap_clients_required: false -rhel9cis_telnet_required: false -rhel9cis_talk_required: false -rhel9cis_rsh_required: false -rhel9cis_ypbind_required: false +## 2. Services -# 2.2.1.1 Time Synchronization - Either chrony or ntp -rhel9cis_time_synchronization: chrony -# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +### 2.1 Time Synchronization +#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org - rhel9cis_chrony_server_options: "minpoll 8" -rhel9cis_ntp_server_options: "iburst" -## Section3 vars -# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured -rhel9cis_host_allow: - - "10.0.0.0/255.0.0.0" - - "172.16.0.0/255.240.0.0" - - "192.168.0.0/255.255.0.0" +### 2.2 Special Purposes +##### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: false +rhel9cis_gui: false +rhel9cis_avahi_server: false +rhel9cis_cups_server: false +rhel9cis_dhcp_server: false +rhel9cis_dns_server: false +rhel9cis_ftp_server: false +rhel9cis_vsftpd_server: false +rhel9cis_tftp_server: false +rhel9cis_httpd_server: false +rhel9cis_nginx_server: false +rhel9cis_dovecot_cyrus_server: false +rhel9cis_samba_server: false +rhel9cis_squid_server: false +rhel9cis_snmp_server: false +rhel9cis_nis_server: false +rhel9cis_telnet_server: false +rhel9cis_is_mail_server: false +rhel9cis_nfs_server: false +rhel9cis_rpc_server: false +rhel9cis_rsync_server: false + +#### 2.3 Service clients +rhel9cis_ypbind_required: false +rhel9cis_rsh_required: false +rhel9cis_talk_required: false +rhel9cis_telnet_required: false +rhel9cis_openldap_clients_required: false +rhel9cis_tftp_client: false -# Firewall Service - either firewalld, iptables, or nftables + +## Section3 vars +### Firewall Service - either firewalld, iptables, or nftables rhel9cis_firewall: firewalld -# 3.4.2.4 Default zone setting +##### firewalld rhel9cis_default_zone: public - -# 3.4.2.5 Zone and Interface setting -rhel9cis_int_zone: customezone +rhel9cis_int_zone: customzone rhel9cis_interface: eth0 - rhel9cis_firewall_services: - ssh - dhcpv6-client -# 3.4.3.2 Set nftables new table create +#### nftables rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter - -# 3.4.3.3 Set nftables new chain create rhel9cis_nft_tables_autochaincreate: true +#### iptables + # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars - +### 4.1 Configure System Accounting +#### 4.1.2 Configure Data Retention rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt max_log_file_action: keep_logs -rhel9cis_logrotate: "daily" - # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 -# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name +#### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com -# RHEL-09-4.2.1.5 +#### 4.2.1.7 rhel9cis_system_is_log_server: false +# 4.2.2.1.2 +# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +rhel9cis_journal_upload_url: 192.168.50.42 +# The paths below have the default paths/files, but allow user to create custom paths/filenames +rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + +# 4.2.2.1 +# The variables below related to journald, please set these to your site specific values +# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +rhel9cis_journald_systemmaxuse: 10M +# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +rhel9cis_journald_systemkeepfree: 100G +rhel9cis_journald_runtimemaxuse: 10M +rhel9cis_journald_runtimekeepfree: 100G +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +rhel9cis_journald_maxfilesec: 1month + +#### 4.3 +rhel9cis_logrotate: "daily" + ## Section5 vars rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: @@ -553,9 +559,10 @@ rhel9cis_ssh_maxsessions: 4 rhel9cis_inactivelock: lock_days: 30 + +rhel9cis_use_authconfig: false # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk -rhel9cis_use_authconfig: false rhel9cis_authselect: custom_profile_name: custom-profile default_file_to_copy: "sssd --symlink-meta" @@ -591,6 +598,11 @@ discover_int_uid: false min_int_uid: 1000 max_int_uid: 65533 +# 5.3.3 var log location variable +rhel9cis_sudolog_location: "/var/log/sudo.log" + +#### 5.3.6 +rhel9cis_sudo_timestamp_timeout: 15 # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) diff --git a/group_vars/docker b/group_vars/docker deleted file mode 100644 index 5b6e3b29..00000000 --- a/group_vars/docker +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: root -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Workarounds for Docker -rhel9cis_skip_for_travis: true -rhel9cis_selinux_disable: true diff --git a/group_vars/vagrant b/group_vars/vagrant deleted file mode 100644 index 1c0fb37f..00000000 --- a/group_vars/vagrant +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: vagrant -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: 'aes256-ctr,aes192-ctr,aes128-ctr' - macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Vagrant can touch code that Docker cannot -rhel9cis_skip_for_travis: false -rhel9cis_selinux_disable: false diff --git a/handlers/main.yml b/handlers/main.yml index d2cf453d..9a99c242 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -76,12 +76,6 @@ name: firewalld state: restarted -- name: restart xinetd - become: true - service: - name: xinetd - state: restarted - - name: restart sshd become: true service: @@ -135,12 +129,20 @@ name: rsyslog state: restarted -- name: restart syslog-ng - become: true +- name: restart journald service: - name: syslog-ng + name: systemd-journald + state: restarted + +- name: restart systemd_journal_upload + service: + name: systemd-journal-upload state: restarted - name: systemd_daemon_reload systemd: daemon-reload: true + +- name: change_requires_reboot + set_fact: + change_requires_reboot: true diff --git a/tasks/main.yml b/tasks/main.yml index b316f67e..f44197ca 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -112,9 +112,11 @@ - rhel9cis_section6 tags: - rule_5.5.2 - - rule_6.2.7 - - rule_6.2.8 - - rule_6.2.20 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 - rhel9cis_section6 - name: run Section 1 tasks diff --git a/tasks/post.yml b/tasks/post.yml index 5f547374..28a2e9ef 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -66,7 +66,30 @@ - name: flush handlers meta: flush_handlers -- name: Reboot host - reboot: - when: - - not skip_reboot +- name: POST | reboot system if changes require it and not skipped + block: + - name: POST | Reboot system if changes require it and not skipped + reboot: + when: + - change_requires_reboot + - not skip_reboot + + - name: POST | Warning a reboot required but skip option set + debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - skip_reboot + tags: + - grub + - level1-server + - level1-workstation + - level2-server + - level2-workstation + - rhel9cis_section1 + - rhel9cis_section2 + - rhel9cis_section3 + - rhel9cis_section4 + - rhel9cis_section5 + - rhel9cis_section6 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5521a8d2..1cb873c1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -32,8 +32,9 @@ warn: false changed_when: false check_mode: false - register: uid_zero_accounts_except_root + register: rhel9cis_uid_zero_accounts_except_root tags: + - rule_6.2.8 - level1-server - level1-workstation - users @@ -144,6 +145,19 @@ - authconfig - auditd +- name: "PRELIM | 5.3.4 | Find all sudoers files." + command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_sudoers_files + when: + - rhel9cis_rule_5_3_4 or + rhel9cis_rule_5_3_5 + tags: + - rule_5.3.4 + - rule_5.3.5 + - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 5b5cf130..ba927e9c 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -2,11 +2,11 @@ - name: "2.1.1 | PATCH | Ensure time synchronization is in use" package: - name: "{{ rhel9cis_time_synchronization }}" + name: chrony state: present when: - rhel9cis_rule_2_1_1 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation @@ -18,7 +18,7 @@ block: - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" template: - src: chrony.conf.j2 + src: etc/chrony.conf.j2 dest: /etc/chrony.conf owner: root group: root @@ -33,9 +33,8 @@ create: yes mode: 0644 when: - - rhel9cis_time_synchronization == "chrony" - rhel9cis_rule_2_1_2 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index ec397d37..38c94334 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -17,7 +17,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.2.1 + - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation @@ -42,7 +42,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.2.2 + - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 7187816a..8c15cde3 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -17,7 +17,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.3.1 + - rhel9cis_rule_3_3_1 tags: - level1-server - level1-workstation @@ -42,7 +42,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.3.2 + - rhel9cis_rule_3_3_2 tags: - level1-server - level1-workstation @@ -55,7 +55,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.3 + - rhel9cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -68,7 +68,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.4 + - rhel9cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -81,7 +81,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.5 + - rhel9cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -94,7 +94,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.6 + - rhel9cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -107,7 +107,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.7 + - rhel9cis_rule_3_3_7 tags: - level1-server - level1-workstation @@ -120,7 +120,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.8 + - rhel9cis_rule_3_3_8 tags: - level1-server - level1-workstation @@ -146,7 +146,7 @@ when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - - rhel9cis_rule_3.3.9 + - rhel9cis_rule_3_3_9 tags: - level2-server - level2-workstation diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 753a4e57..5bd6a3c0 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -22,7 +22,6 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - enabled: false masked: true with_items: - iptables diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 13b42fcf..7c6dc9b9 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,41 +1,35 @@ --- -- name: "SECTION | 3.1.x | Packet and IP redirection" +- name: "SECTION | 3.1.x | Disable unused network protocols and devices" import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" import_tasks: cis_3.2.x.yml -- name: "SECTION | 3.3.x | Uncommon Network Protocols" +- name: "SECTION | 3.3.x | Network Parameters (host and Router)" import_tasks: cis_3.3.x.yml -- name: "SECTION | 3.4.1.x | firewall defined" - import_tasks: cis_3.4.1.1.yml - -- name: "SECTION | 3.4.2.x | firewalld firewall" - include_tasks: cis_3.4.2.x.yml +- name: "SECTION | 3.4.1.x | Configure firewalld" + import_tasks: cis_3.4.1.x.yml when: - rhel9cis_firewall == "firewalld" -- name: "SECTION | 3.4.3.x | Configure nftables firewall" - include_tasks: cis_3.4.3.x.yml +- name: "SECTION | 3.4.2.x | Configure nftables" + include_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "nftables" -- name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - include_tasks: cis_3.4.4.1.x.yml +- name: "SECTION | 3.4.3.1.x | Configure iptables" + include_tasks: cis_3.4.3.1.x.yml when: - rhel9cis_firewall == "iptables" -- name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - include_tasks: cis_3.4.4.2.x.yml +- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4" + include_tasks: cis_3.4.3.2.x.yml when: - - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - -- name: "SECTION | 3.5 | Configure wireless" - import_tasks: cis_3.5.yml + - rhel9cis_firewall == "iptables" -- name: "SECTION | 3.5 | disable IPv6" - include_tasks: cis_3.5.yml +- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6" + include_tasks: cis_3.4.3.3.x.yml when: - - not rhel9cis_ipv6_required + - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 3b3ab95c..d28e3cef 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -9,7 +9,7 @@ import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - import_tasks: cis_4.1.x.yml + import_tasks: cis_4.1.3.x.yml - name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index b6dc07a9..bd97cc3c 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -33,7 +33,7 @@ lineinfile: dest: /etc/sudoers regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' + line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' state: present when: - rhel9cis_rule_5_3_3 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 8c5d301f..71a37e54 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel9cis_int_gid | int > item.gid + - min_int_uid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - rhel9cis_int_gid | int > item.gid + - min_int_uid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 3d9cf327..6106e6e5 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel9cis_int_gid | int < item.gid + - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: @@ -30,7 +30,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - rhel9cis_int_gid | int < item.gid + - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ff2b0c3a..096a3106 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -230,7 +230,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +270,7 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -299,13 +299,13 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - item.uid >= rhel9cis_int_gid + - min_int_uid | int <= item.uid - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation - - autoamted + - automated - patch - users - rule_6.2.10 @@ -315,7 +315,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -356,7 +356,7 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ec9dac64..babc8d6e 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -281,39 +281,36 @@ rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} -rhel9cis_ldap_server: {{ rhel9cis_ldap_server }} -rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }} -rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} -rhel9cis_rsh_server: {{ rhel9cis_rsh_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} -rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_squid_server: {{ rhel9cis_squid_server }} -rhel9cis_smb_server: {{ rhel9cis_smb_server }} -rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} -rhel9cis_named_server: {{ rhel9cis_named_server }} -rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} +rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_bind: {{ rhel9cis_bind }} -rhel9cis_vsftpd: {{ rhel9cis_vsftpd }} -rhel9cis_httpd: {{ rhel9cis_httpd }} -rhel9cis_dovecot: {{ rhel9cis_dovecot }} -rhel9cis_samba: {{ rhel9cis_samba }} -rhel9cis_squid: {{ rhel9cis_squid }} -rhel9cis_net_snmp: {{ rhel9cis_net_snmp}} +rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} +rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} +rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} + + rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} # client services -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} -rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} + + + # AIDE rhel9cis_config_aide: {{ rhel9cis_config_aide }} @@ -343,14 +340,12 @@ rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # End Banner -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }} # Whether or not to run tasks related to auditing/patching the desktop environment rhel9cis_gui: {{ rhel9cis_gui }} # xinetd required -rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }} +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} # IPv6 required rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} @@ -358,10 +353,6 @@ rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} # System network parameters (host only OR host and router) rhel9cis_is_router: {{ rhel9cis_is_router }} -# Time Synchronization -rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }} - -rhel9cis_varlog_location: {{ rhel9cis_varlog_location }} rhel9cis_firewall: {{ rhel9cis_firewall }} #rhel9cis_firewall: iptables @@ -373,7 +364,6 @@ rhel9cis_firewall_interface: rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - ### Section 4 ## auditd settings rhel9cis_auditd: @@ -395,45 +385,11 @@ rhel9cis_sshd_access: DenyUser: DenyGroup: -rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -rhel9cis_ssh_weak_ciphers: - 3des-cbc - aes128-cbc - aes192-cbc - aes256-cbc - arcfour - arcfour128 - arcfour256 - blowfish-cbc - cast128-cbc - rijndael-cbc@lysator.liu.se - -rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256 -rhel9cis_ssh_weak_macs: - hmac-md5 - hmac-md5-96 - hmac-ripemd160 - hmac-sha1 - hmac-sha1-96 - umac-64@openssh.com - umac-128@openssh.com - hmac-md5-etm@openssh.com - hmac-md5-96-etm@openssh.com - hmac-ripemd160-etm@openssh.com - hmac-sha1-etm@openssh.com - hmac-sha1-96-etm@openssh.com - umac-64-etm@openssh.com - umac-128-etm@openssh.com - -rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -rhel9cis_ssh_weak_kex: - diffie-hellman-group1-sha1 - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 - rhel9cis_ssh_aliveinterval: "300" rhel9cis_ssh_countmax: "3" +rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} + ## PAM rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password.minlen }} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 4716376b..90bddb43 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,14 +1,14 @@ # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope +-w /etc/sudoers.d -p wa -k scope {% endif %} {% if rhel9cis_rule_4_1_3_2 %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} {% if rhel9cis_rule_4_1_3_3 %} --w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file +-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file {% endif %} {% if rhel9cis_rule_4_1_3_4 %} -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change @@ -26,14 +26,14 @@ {% endif %} {% if rhel9cis_rule_4_1_3_6 %} {% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged {% endfor %} {% endif %} {% if rhel9cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access {% endif %} {% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity @@ -43,16 +43,16 @@ -w /etc/security/opasswd -p wa -k identity {% endif %} {% if rhel9cis_rule_4_1_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod {% endif %} {% if rhel9cis_rule_4_1_3_10 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts {% endif %} {% if rhel9cis_rule_4_1_3_11 %} -w /var/run/utmp -p wa -k session @@ -64,29 +64,30 @@ -w /var/run/faillock -p wa -k logins {% endif %} {% if rhel9cis_rule_4_1_3_13 %} --a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete --a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete +-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete {% endif %} {% if rhel9cis_rule_4_1_3_14 %} --w /etc/selinux/ -p wa -k MAC-policy --w /usr/share/selinux/ -p wa -k MAC-policy +-w /etc/selinux -p wa -k MAC-policy +-w /usr/share/selinux -p wa -k MAC-policy {% endif %} {% if rhel9cis_rule_4_1_3_15 %} --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} {% if rhel9cis_rule_4_1_3_16 %} --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} {% if rhel9cis_rule_4_1_3_17 %} --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd {% endif %} {% if rhel9cis_rule_4_1_3_18 %} --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod {% endif %} {% if rhel9cis_rule_4_1_3_19 %} --a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules {% endif %} {% if rhel9cis_rule_4_1_3_20 %} -e 2 + {% endif %} diff --git a/templates/chrony.conf.j2 b/templates/etc/chrony.conf.j2 similarity index 100% rename from templates/chrony.conf.j2 rename to templates/etc/chrony.conf.j2 diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2 deleted file mode 100644 index 4bab3d1f..00000000 --- a/templates/hosts.allow.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# -# hosts.allow This file contains access rules which are used to -# allow or deny connections to network services that -# either use the tcp_wrappers library or that have been -# started through a tcp_wrappers-enabled xinetd. -# -# See 'man 5 hosts_options' and 'man 5 hosts_access' -# for information on rule syntax. -# See 'man tcpd' for information on tcp_wrappers -# -ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %} diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2 deleted file mode 100644 index c745ab14..00000000 --- a/templates/ntp.conf.j2 +++ /dev/null @@ -1,59 +0,0 @@ -# For more information about this file, see the man pages -# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). - -driftfile /var/lib/ntp/drift - -# Permit time synchronization with our time source, but do not -# permit the source to query or modify the service on this system. -#restrict default nomodify notrap nopeer noquery -restrict -4 default kod nomodify notrap nopeer noquery -restrict -6 default kod nomodify notrap nopeer noquery - -# Permit all access over the loopback interface. This could -# be tightened as well, but to do so would effect some of -# the administrative functions. -restrict 127.0.0.1 -restrict ::1 - -# Hosts on local network are less restricted. -#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap - -# Use public servers from the pool.ntp.org project. -# Please consider joining the pool (http://www.pool.ntp.org/join.html). -{% for server in rhel9cis_time_synchronization_servers -%} -server {{ server }} {{ rhel9cis_ntp_server_options }} -{% endfor %} - -#broadcast 192.168.1.255 autokey # broadcast server -#broadcastclient # broadcast client -#broadcast 224.0.1.1 autokey # multicast server -#multicastclient 224.0.1.1 # multicast client -#manycastserver 239.255.254.254 # manycast server -#manycastclient 239.255.254.254 autokey # manycast client - -# Enable public key cryptography. -#crypto - -includefile /etc/ntp/crypto/pw - -# Key file containing the keys and key identifiers used when operating -# with symmetric key cryptography. -keys /etc/ntp/keys - -# Specify the key identifiers which are trusted. -#trustedkey 4 8 42 - -# Specify the key identifier to use with the ntpdc utility. -#requestkey 8 - -# Specify the key identifier to use with the ntpq utility. -#controlkey 8 - -# Enable writing of statistics records. -#statistics clockstats cryptostats loopstats peerstats - -# Disable the monitoring facility to prevent amplification attacks using ntpdc -# monlist command when default restrict does not include the noquery flag. See -# CVE-2013-5211 for more details. -# Note: Monitoring will not be disabled with the limited restriction flag. -disable monitor diff --git a/vars/is_container.yml b/vars/is_container.yml index a8ac4fb0..33a23e80 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -6,8 +6,6 @@ ## controls -# Authconfig -rhel9cis_use_authconfig: false # Firewall rhel9cis_firewall: None From a7403f860f32afedcd218ed5b9df6bce7b5edb43 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 16:37:24 +0100 Subject: [PATCH 16/69] removed travis variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - handlers/main.yml | 2 -- tasks/section_4/cis_4.1.1.x.yml | 1 - 3 files changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 78a2c0dc..d60f34a7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,6 @@ --- # defaults file for rhel9-cis -rhel9cis_skip_for_travis: false system_is_container: false container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline diff --git a/handlers/main.yml b/handlers/main.yml index 9a99c242..88616083 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -110,8 +110,6 @@ failed_when: false args: warn: false - when: - - not rhel9cis_skip_for_travis tags: - skip_ansible_lint diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 8b9eeff5..c78be9b7 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -29,7 +29,6 @@ state: started enabled: yes when: - - not rhel9cis_skip_for_travis - rhel9cis_rule_4_1_1_2 - ansible_connection != 'docker' tags: From 2565df604754aef20df4ba6bbb0773e936f86b46 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 16:41:05 +0100 Subject: [PATCH 17/69] removed notauto var as not used Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - templates/ansible_vars_goss.yml.j2 | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d60f34a7..9777816c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,7 +10,6 @@ system_is_ec2: false # Run the OS validation check os_check: true -rhel9cis_notauto: false rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index babc8d6e..cc0c7bd9 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -9,8 +9,7 @@ rhel9cis_os_distribution: {{ ansible_distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: {{ audit_cmd_timeout }} -# Taken from LE rhel9-cis -rhel9cis_notauto: {{ rhel9cis_notauto }} +# Taken from LE rhel8-cis rhel9cis_section1: {{ rhel9cis_section1 }} rhel9cis_section2: {{ rhel9cis_section2 }} rhel9cis_section3: {{ rhel9cis_section3 }} From 2d21f8a98e2ba33ab9c349ff169832e143503d78 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 17:09:53 +0100 Subject: [PATCH 18/69] tidy up vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 21 +--------- tasks/prelim.yml | 10 ++--- tasks/section_3/cis_3.2.x.yml | 66 ++++++++++++++++-------------- tasks/section_3/cis_3.4.1.x.yml | 7 ---- tasks/section_3/cis_3.4.2.x.yml | 10 ----- tasks/section_3/cis_3.4.3.1.x.yml | 3 -- tasks/section_3/cis_3.4.3.2.x.yml | 6 --- tasks/section_3/cis_3.4.3.3.x.yml | 11 ----- templates/ansible_vars_goss.yml.j2 | 6 +-- vars/is_container.yml | 4 +- 10 files changed, 45 insertions(+), 99 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9777816c..b93995bf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -114,8 +114,6 @@ rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true -rhel9cis_rule_1_6_1: true -rhel9cis_rule_1_6_2: true rhel9cis_rule_1_6_1_1: true rhel9cis_rule_1_6_1_2: true rhel9cis_rule_1_6_1_3: true @@ -137,7 +135,6 @@ rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -rhel9cis_rule_1_11: true # Section 2 rules rhel9cis_rule_2_1_1: true @@ -469,11 +466,6 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_int_zone: customzone -rhel9cis_interface: eth0 -rhel9cis_firewall_services: - - ssh - - dhcpv6-client #### nftables rhel9cis_nft_tables_autonewtable: true @@ -541,13 +533,6 @@ rhel9cis_sshd: # allowgroups: systems dba # denyusers: # denygroups: -rhel9cis_pam_faillock: - attempts: 5 - interval: 900 - unlock_time: 900 - fail_for_root: no - remember: 5 - pwhash: sha512 # 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE rhel9cis_ssh_loglevel: INFO @@ -580,11 +565,7 @@ rhel9cis_pass: rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true -rhel9cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: false + ## PAM rhel9cis_pam_password: minlen: "14" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1cb873c1..47d1434d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -56,13 +56,11 @@ check_mode: false register: system_wide_crypto_policy when: - - rhel9cis_rule_1_10 or - rhel9cis_rule_1_11 + - rhel9cis_rule_1_10 tags: - level1-server - level1-workstation - - rule_1.10 or - rule_1.11 + - rule_1.10 - crypto - name: "PRELIM | if systemd coredump" @@ -70,11 +68,11 @@ path: /etc/systemd/coredump.conf register: systemd_coredump when: - - rhel9cis_rule_1_6_1 + - rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation - - rule_1.6.1 + - rule_1.5.1 - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 38c94334..f9a759c3 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,51 +1,55 @@ --- -- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" + sysctl: + name: net.ipv4.ip_forward + value: '0' + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table - - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + sysctl: + name: net.ipv6.conf.all.forwarding + value: '0' + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv6 route table when: rhel9cis_ipv6_required when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation + - automated - sysctl - patch - rule_3.2.1 -- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table + with_items: + - { name: net.ipv4.conf.all.send_redirects, value: 0 } + - { name: net.ipv4.conf.default.send_redirects, value: 0 } when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation - - sysctl + - automated - patch - - rule_3.2.2 \ No newline at end of file + - sysctl + - rule_3.2.2 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 5bd6a3c0..51fb5b03 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -8,7 +8,6 @@ state: present when: - rhel9cis_rule_3_4_1_1 - - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation @@ -34,7 +33,6 @@ state: absent when: - rhel9cis_rule_3_4_1_2 - - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation @@ -49,7 +47,6 @@ state: stopped masked: yes when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_3 tags: - level1-server @@ -65,7 +62,6 @@ state: started enabled: yes when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_4 tags: - level1-server @@ -78,7 +74,6 @@ - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_5 tags: - level1-server @@ -103,7 +98,6 @@ - "The items below are the policies tied to the interfaces, please correct as needed" - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_6 tags: - level1-server @@ -127,7 +121,6 @@ - "The items below are the services and ports that are accepted, please correct as needed" - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_7 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index e5b0c9a7..23717c2a 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -5,7 +5,6 @@ name: nftables state: present when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server @@ -22,7 +21,6 @@ name: firewalld state: absent when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - level1-server @@ -49,7 +47,6 @@ name: iptables-service state: absent when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -107,7 +104,6 @@ failed_when: no when: rhel9cis_nft_tables_autonewtable when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server @@ -159,7 +155,6 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } when: rhel9cis_nft_tables_autochaincreate when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server @@ -201,7 +196,6 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_7 tags: - level1-server @@ -249,7 +243,6 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_8 tags: - level1-server @@ -301,7 +294,6 @@ command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_9 tags: - level1-server @@ -316,7 +308,6 @@ name: nftables enabled: yes when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 tags: - level1-server @@ -333,7 +324,6 @@ insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_11 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml index 926c6854..5d07856c 100644 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ b/tasks/section_3/cis_3.4.3.1.x.yml @@ -7,7 +7,6 @@ - iptables-services state: present when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_1 tags: - level1-server @@ -22,7 +21,6 @@ name: nftables state: absent when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_2 tags: - level1-server @@ -39,7 +37,6 @@ name: firewalld state: absent when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_3 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml index 3348fb5c..e600ae73 100644 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ b/tasks/section_3/cis_3.4.3.2.x.yml @@ -23,7 +23,6 @@ source: 127.0.0.0/8 jump: DROP when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_1 tags: - level1-server @@ -49,7 +48,6 @@ - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_2 tags: - level1-server @@ -99,7 +97,6 @@ - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" when: rhel9cis_3_4_3_2_3_otcp.stdout is defined when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_3 tags: - level1-server @@ -128,7 +125,6 @@ - OUTPUT when: - rhel9cis_rule_3_4_3_2_4 - - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation @@ -143,7 +139,6 @@ path: /etc/sysconfig/iptables when: - rhel9cis_rule_3_4_3_2_5 - - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation @@ -158,7 +153,6 @@ enabled: yes state: started when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_6 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.3.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml index f3bcfa12..83479db9 100644 --- a/tasks/section_3/cis_3.4.3.3.x.yml +++ b/tasks/section_3/cis_3.4.3.3.x.yml @@ -26,9 +26,7 @@ jump: DROP ip_version: ipv6 when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_1 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -54,9 +52,7 @@ - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_2 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -87,9 +83,7 @@ - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" when: rhel9cis_3_4_3_3_3_otcp.stdout is defined when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_3 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -118,9 +112,7 @@ - FORWARD - OUTPUT when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_4 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -135,8 +127,6 @@ path: /etc/sysconfig/ip6tables ip_version: ipv6 when: - - rhel9cis_firewall == "iptables" - - rhel9cis_ipv6_required - rhel9cis_rule_3_4_3_3_5 tags: - level1-server @@ -152,7 +142,6 @@ enabled: yes state: started when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_6 tags: - level1-server diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index cc0c7bd9..f10c74f9 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -73,11 +73,11 @@ rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} -rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} -rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} + rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} @@ -94,7 +94,7 @@ rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} -rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }} + # section 2 rules rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} diff --git a/vars/is_container.yml b/vars/is_container.yml index 33a23e80..1a395919 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -41,7 +41,7 @@ rhel9cis_rule_5_1_8: false # crypto rhel9cis_rule_1_10: false -rhel9cis_rule_1_11: false + # grub rhel9cis_rule_1_5_1: false @@ -87,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false rhel9cis_rule_4_2_2_3: false # systemd -rhel9cis_rule_1_6_1: false + # Users/passwords/accounts rhel9cis_rule_5_5_2: false From bfbcede072217276597c7fe17dfe3e58cf3fbe58 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Apr 2022 17:19:52 +0100 Subject: [PATCH 19/69] fixed tags Signed-off-by: Mark Bolwell --- tasks/post.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 28a2e9ef..a8e1d002 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -20,19 +20,20 @@ check_mode: false notify: update sysctl when: - - rhel9cis_rule_1_6_1 or - rhel9cis_rule_1_6_2 or - rhel9cis_rule_3_1_2 or + - rhel9cis_rule_3_1_1 or rhel9cis_rule_3_1_2 or + rhel9cis_rule_3_1_3 or rhel9cis_rule_3_2_1 or rhel9cis_rule_3_2_2 or - rhel9cis_rule_3_2_3 or - rhel9cis_rule_3_2_4 or - rhel9cis_rule_3_2_5 or - rhel9cis_rule_3_2_6 or - rhel9cis_rule_3_2_7 or - rhel9cis_rule_3_2_8 or - rhel9cis_rule_3_2_9 + rhel9cis_rule_3_3_1 or + rhel9cis_rule_3_3_2 or + rhel9cis_rule_3_3_3 or + rhel9cis_rule_3_3_4 or + rhel9cis_rule_3_3_5 or + rhel9cis_rule_3_3_6 or + rhel9cis_rule_3_3_7 or + rhel9cis_rule_3_3_8 or + rhel9cis_rule_3_3_9 tags: - sysctl From 39780562c1d2c58eb6f27608de412e2f668a5559 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 12:07:07 +0100 Subject: [PATCH 20/69] section 1 updates Signed-off-by: Mark Bolwell --- README.md | 2 +- defaults/main.yml | 4 ++++ tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 6 +++--- tasks/section_1/cis_1.6.1.x.yml | 2 +- 9 files changed, 14 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index ea3ead56..048c85fd 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) Based on v2.0.0 RHEL8 -Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/) +Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/) ## Join us diff --git a/defaults/main.yml b/defaults/main.yml index b93995bf..68ea1dd0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,6 +17,10 @@ rhel9cis_section4: true rhel9cis_section5: true rhel9cis_section6: true +# This is used for audit purposes to run only specifc level use the tags +# e.g. +# - level1-server +# - level2-workstation rhel9cis_level_1: true rhel9cis_level_2: true diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index c7fb9867..8fa9e4b2 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index dbeab96e..7ea36279 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}noexec{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index f286fcc8..c9343c4a 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6aff..75bdabbe 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -25,7 +25,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 19ef3d0d..9ddfc98e 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: "^gpgcheck\s*=\s*0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index a969def9..f9f4c310 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -3,7 +3,7 @@ - name: "1.5.1 | PATCH | Ensure core dump storage is disabled" lineinfile: path: /etc/systemd/coredump.conf - regexp: 'Storage=' + regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' notify: systemd_daemon_reload when: @@ -19,7 +19,7 @@ - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" lineinfile: path: /etc/systemd/coredump.conf - regexp: 'ProcessSizeMax=' + regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' line: 'ProcessSizeMax=0' when: - rhel9cis_rule_1_5_2 @@ -33,7 +33,7 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" notify: - update sysctl when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index b31600a7..93e2eae7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -16,7 +16,7 @@ - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" replace: dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' + regexp: '(selinux|enforcing)\s*=(\s0|0).*' replace: '' register: selinux_grub_patch ignore_errors: yes From 4dfacd9e3bfb3d1964f16c710efaaa85c66cce09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 12:50:41 +0100 Subject: [PATCH 21/69] updated server/service vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 18 +++++-- tasks/section_2/cis_2.2.x.yml | 99 ++++++++++++++++++++++++++--------- 2 files changed, 89 insertions(+), 28 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 68ea1dd0..cbac9b46 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -444,16 +444,26 @@ rhel9cis_vsftpd_server: false rhel9cis_tftp_server: false rhel9cis_httpd_server: false rhel9cis_nginx_server: false -rhel9cis_dovecot_cyrus_server: false +rhel9cis_dovecot_server: false +rhel9cis_imap_server: false rhel9cis_samba_server: false rhel9cis_squid_server: false rhel9cis_snmp_server: false rhel9cis_nis_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false -rhel9cis_nfs_server: false -rhel9cis_rpc_server: false -rhel9cis_rsync_server: false +# Note the options +# Packages are used for client services and Server- only remove if you dont use the client service +# +rhel9cis_use_nfs: + - service: false + - server: false +rhel9_use_rpc: + - service: false + - server: false +rhel9cis_use_rsync: + - service: false + - server: false #### 2.3 Service clients rhel9cis_ypbind_required: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index bd93fbdf..9c0dc862 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -73,7 +73,7 @@ tags: - level1-server - level1-workstation - - audtomated + - automated - patch - dhcp - rule_2.2.5 @@ -160,7 +160,7 @@ - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel9cis_rule_2_2_9 + - rhel9cis_rule_2_2_10 tags: - level1-server - level1-workstation @@ -172,14 +172,26 @@ - rule_2.2.9 - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" - package: - name: - - dovecot - - cyrus-imapd - state: absent + block: + - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - dovecot + state: absent + when: + - not rhel9cis_dovecot_server + - "'dovecot' in ansible_facts.packages" + + - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - cyrus-imapd + state: absent + when: + - not rhel9cis_imap_server + - "'cyrus-imapd' in ansible_facts.packages" + when: - - not rhel9cis_dovecot_cyrus_server - - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - rhel9cis_rule_2_2_11 tags: - level1-server @@ -290,13 +302,26 @@ - rule_2.2.17 # The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed +# Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" - package: - name: nfs-utils - state: absent + block: + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" + package: + name: nfs-utils + state: absent + when: + - not rhel9cis_use_nfs.server + - not rhel9cis_use_nfs.service + + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" + systemd: + name: nfs-server + masked: true + enabled: false + when: + - not rhel9cis_use_nfs.server + - rhel9cis_use_nfs.service when: - - not rhel9cis_nfs_server - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_18 tags: @@ -309,13 +334,26 @@ - rule_2.2.18 # The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed +# Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" - package: - name: rpcbind - state: absent + block: + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" + package: + name: rpcbind + state: absent + when: + - not rhel9cis_use_rpc.server + - not rhel9cis_use_rpc.service + + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" + systemd: + name: rpcbind.socket + masked: true + enabled: false + when: + - rhel9cis_use_rpc.server + - not rhel9cis_use_rpc.service when: - - not rhel9cis_rpc_server - "'rpcbind' in ansible_facts.packages" - rhel9cis_rule_2_2_19 tags: @@ -327,13 +365,26 @@ - rule_2.2.19 # The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed +# Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.20 | PATCH | Ensure rsync service is not enabled " - package: - name: rsync - state: absent + block: + - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package" + package: + name: rsync + state: absent + when: + - not rhel9cis_use_rsync.server + - not rhel9cis_use_rsync.service + + - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" + systemd: + name: rsyncd + masked: true + enabled: false + when: + - rhel9cis_use_rsync.server + - not rhel9cis_use_rsync.service when: - - not rhel9cis_rsync_server - "'rsync' in ansible_facts.packages" - rhel9cis_rule_2_2_20 tags: From 8b8aef291baf0b49bf59640748d470a2f8ee147c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 14:40:58 +0100 Subject: [PATCH 22/69] updated masked options Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 9c0dc862..be264288 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -317,7 +317,6 @@ systemd: name: nfs-server masked: true - enabled: false when: - not rhel9cis_use_nfs.server - rhel9cis_use_nfs.service @@ -349,7 +348,6 @@ systemd: name: rpcbind.socket masked: true - enabled: false when: - rhel9cis_use_rpc.server - not rhel9cis_use_rpc.service @@ -380,7 +378,6 @@ systemd: name: rsyncd masked: true - enabled: false when: - rhel9cis_use_rsync.server - not rhel9cis_use_rsync.service From fef891dc1bd8949270d53c1c7c88f63855e13b1a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:14:13 +0100 Subject: [PATCH 23/69] tidy up sysctl templates Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 30 ++++++++------ tasks/section_3/cis_3.2.x.yml | 40 +++++++------------ tasks/section_3/cis_3.3.x.yml | 24 +++++------ ...sctl.conf.j2 => 60-netipv4_sysctl.conf.j2} | 18 +-------- .../etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 21 ++++++++++ 5 files changed, 66 insertions(+), 67 deletions(-) rename templates/etc/sysctl.d/{99-sysctl.conf.j2 => 60-netipv4_sysctl.conf.j2} (68%) create mode 100644 templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 241ec207..327ec960 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -4,7 +4,7 @@ # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" notify: - update sysctl - sysctl flush ipv6 route table @@ -21,12 +21,14 @@ - rule_3.1.1 - name: "3.1.2 | PATCH | Ensure SCTP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: yes - mode: 0600 + template: + src: "/etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - sctp when: - rhel9cis_rule_3_1_2 tags: @@ -38,12 +40,14 @@ - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure DCCP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: yes - mode: 0600 + template: + src: "/etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - dccp when: - rhel9cis_rule_3_1_3 tags: diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index f9a759c3..b7f0f6b5 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -3,22 +3,18 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - sysctl: - name: net.ipv4.ip_forward - value: '0' - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - sysctl: - name: net.ipv6.conf.all.forwarding - value: '0' - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv6 route table + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv6 route table when: rhel9cis_ipv6_required when: - not rhel9cis_is_router @@ -32,17 +28,11 @@ - rule_3.2.1 - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - sysctl: - name: '{{ item.name }}' - value: '{{ item.value }}' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - with_items: - - { name: net.ipv4.conf.all.send_redirects, value: 0 } - - { name: net.ipv4.conf.default.send_redirects, value: 0 } + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table when: - not rhel9cis_is_router - rhel9cis_rule_3_2_2 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 8c15cde3..e6d4952a 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -4,14 +4,14 @@ block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" notify: - sysctl flush ipv6 route table - update sysctl @@ -29,14 +29,14 @@ block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" notify: - sysctl flush ipv6 route table - update sysctl @@ -52,7 +52,7 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_3 @@ -65,7 +65,7 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_4 @@ -78,7 +78,7 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_5 @@ -91,7 +91,7 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_6 @@ -104,7 +104,7 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_7 @@ -117,7 +117,7 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_8 @@ -132,14 +132,14 @@ block: - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: - update sysctl - sysctl flush ipv4 route table - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" notify: - sysctl flush ipv6 route table - update sysctl diff --git a/templates/etc/sysctl.d/99-sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 similarity index 68% rename from templates/etc/sysctl.d/99-sysctl.conf.j2 rename to templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 177db219..19a9fd37 100644 --- a/templates/etc/sysctl.d/99-sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,12 +1,9 @@ # Setting added via ansible CIS remediation playbook -# Network sysctl +# IPv4 Network sysctl {% if rhel9cis_rule_3_2_1 %} # CIS 3.2.1 net.ipv4.ip_forward = 0 -{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.forwarding = 0 -{% endif %} {% endif %} {% if rhel9cis_rule_3_2_2 %} # CIS 3.2.2 @@ -17,19 +14,11 @@ net.ipv4.conf.default.send_redirects = 0 # CIS 3.3.1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 -{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.accept_source_route = 0 -net.ipv6.conf.default.accept_source_route = 0 -{% endif %} {% endif %} {% if rhel9cis_rule_3_3_2 %} # CIS 3.3.2 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 -{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.accept_redirects = 0 -net.ipv6.conf.default.accept_redirects = 0 -{% endif %} {% endif %} {% if rhel9cis_rule_3_3_3 %} # CIS 3.3.3 @@ -57,8 +46,3 @@ net.ipv4.conf.default.rp_filter = 1 # CIS 3.3.8 net.ipv4.tcp_syncookies = 1 {% endif %} -{% if rhel9cis_rule_3_3_9 %} -# CIS 3.3.9 -net.ipv6.conf.all.accept_ra = 0 -net.ipv6.conf.default.accept_ra = 0 -{% endif %} \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 new file mode 100644 index 00000000..0b23c559 --- /dev/null +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -0,0 +1,21 @@ +# Setting added via ansible CIS remediation playbook + +# IPv6 Network sysctl +{% if rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_2_1 %} +net.ipv6.conf.all.forwarding = 0 +{% endif %} +{% if rhel9cis_rule_3_3_1 %} +net.ipv6.conf.all.accept_source_route = 0 +net.ipv6.conf.default.accept_source_route = 0 +{% endif %} +{% if rhel9cis_rule_3_3_2 %} +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 +{% endif %} +{% if rhel9cis_rule_3_3_9 %} +# CIS 3.3.9 +net.ipv6.conf.all.accept_ra = 0 +net.ipv6.conf.default.accept_ra = 0 +{% endif %} +{% endif %} \ No newline at end of file From b4eefdbdd3b2fd2d0d36d073dccabc66582b78a9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:14:24 +0100 Subject: [PATCH 24/69] 2.2.18 update Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index be264288..31c5db7d 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -317,6 +317,7 @@ systemd: name: nfs-server masked: true + state: stopped when: - not rhel9cis_use_nfs.server - rhel9cis_use_nfs.service @@ -348,6 +349,7 @@ systemd: name: rpcbind.socket masked: true + state: stopped when: - rhel9cis_use_rpc.server - not rhel9cis_use_rpc.service @@ -378,6 +380,7 @@ systemd: name: rsyncd masked: true + state: stopped when: - rhel9cis_use_rsync.server - not rhel9cis_use_rsync.service From adcc647dd4059c870f5d5463830841499723bf22 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:14:59 +0100 Subject: [PATCH 25/69] masked or removal options Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 19 +++++++++++++++---- tasks/section_3/cis_3.4.2.x.yml | 18 +++++++++++++++--- tasks/section_3/cis_3.4.3.1.x.yml | 18 +++++++++++++++--- 3 files changed, 45 insertions(+), 10 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 51fb5b03..bb5cf97a 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -42,10 +42,21 @@ - rule_3.4.1.2 - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" - systemd: - name: nftables - state: stopped - masked: yes + block: + - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service" + systemd: + name: nftables + state: stopped + masked: yes + when: + - rhel9cis_firewalld_nftables_state == "masked" + + - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed" + package: + name: nftables + state: absent + when: + - rhel9cis_firewalld_nftables_state == "absent" when: - rhel9cis_rule_3_4_1_3 tags: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 23717c2a..f3c7e5ef 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -17,9 +17,21 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - package: - name: firewalld - state: absent + block: + - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service" + systemd: + name: firewalld + masked: true + state: stopped + when: + - rhel9cis_nftables_firewalld_state == "masked" + + - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed" + package: + name: firewalld + state: absent + when: + - rhel9cis_nftables_firewalld_state == "absent" when: - rhel9cis_rule_3_4_2_2 tags: diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml index 5d07856c..56ce0766 100644 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ b/tasks/section_3/cis_3.4.3.1.x.yml @@ -33,9 +33,21 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" - package: - name: firewalld - state: absent + block: + - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" + systemd: + name: firewalld + masked: true + state: stopped + when: + - rhel9cis_iptables_firewalld_state == "masked" + + - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" + package: + name: firewalld + state: absent + when: + - rhel9cis_iptables_firewalld_state == "absent" when: - rhel9cis_rule_3_4_3_1_3 tags: From 842b295ecfce764d68976ba29796ce9830fd61a0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:15:40 +0100 Subject: [PATCH 26/69] firewall pkg control - prefer log capture Signed-off-by: Mark Bolwell --- defaults/main.yml | 12 ++++++++++++ tasks/section_4/cis_4.2.1.x.yml | 3 ++- tasks/section_4/cis_4.2.2.x.yml | 1 + 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cbac9b46..79746ba6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -476,17 +476,24 @@ rhel9cis_tftp_client: false ## Section3 vars ### Firewall Service - either firewalld, iptables, or nftables +#### Some control allow for services to be removed or masked +#### The options are under each heading +#### absent = remove the package +#### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public +rhel9cis_firewalld_nftables_state: absent #### nftables +rhel9cis_nftables_firewalld_state: absent rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true #### iptables +rhel9cis_iptables_firewalld_state: absent # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | @@ -508,6 +515,11 @@ rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 +## Preferred method of logging +## Whether rsyslog or journald preferred method for local logging +## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 +rhel9cis_preferred_log_capture: rsyslog + #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 0d9d0ee6..27ec2955 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -29,7 +29,7 @@ - rsyslog - rule_4.2.1.2 -# This is counter to control 4.2.1.5?? +# This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" lineinfile: dest: /etc/systemd/journald.conf @@ -38,6 +38,7 @@ state: present when: - rhel9cis_rule_4_2_1_3 + - rhel9cis_preferred_log_capture == "rsyslog" tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index e83d97c2..5b59d630 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -137,6 +137,7 @@ notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 + - rhel9cis_preferred_log_capture == "journald" tags: - level1-server - level2-workstation From 49760449d0718824fd64faa466d661e6e16c3b8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:15:54 +0100 Subject: [PATCH 27/69] netwokr protocol template Signed-off-by: Mark Bolwell --- templates/etc/modprobe.d/modprobe.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 templates/etc/modprobe.d/modprobe.conf.j2 diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 new file mode 100644 index 00000000..1a1a48d8 --- /dev/null +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -0,0 +1,5 @@ +# Disable usage of protocol {{ item }} +# Set by ansible {{ benchmark }} remediation role +# https://github.com/ansible-lockdown + +install {{ item }} /bin/true \ No newline at end of file From ca24e923c42877003fd9049fbe03f5d1851da3c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 15:16:17 +0100 Subject: [PATCH 28/69] updated template names Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 88616083..9a8b657a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -31,7 +31,8 @@ with_items: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf - - 99-sysctl.conf + - 60-netipv4_sysctl.conf + - 60-netipv6_sysctl.conf when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" From 790db75501165a5b328c08e0d652826391e382d7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 16:12:47 +0100 Subject: [PATCH 29/69] added validate & typo fixes Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 4b28f5be..f62ddfb5 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -87,6 +87,7 @@ dest: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowusers']|default('') | length > 0" @@ -96,6 +97,7 @@ dest: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" @@ -105,6 +107,7 @@ dest: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denyusers']|default('') | length > 0" @@ -114,6 +117,7 @@ dest: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: @@ -132,6 +136,7 @@ dest: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_5 tags: @@ -148,6 +153,7 @@ dest: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_6 tags: @@ -164,6 +170,7 @@ dest: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_7 tags: @@ -178,8 +185,9 @@ lineinfile: state: present dest: /etc/ssh/sshd_config - regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" + regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_8 tags: @@ -196,6 +204,7 @@ dest: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_9 tags: @@ -212,6 +221,7 @@ dest: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_10 tags: @@ -228,12 +238,13 @@ dest: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_11 tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.11 @@ -244,12 +255,13 @@ dest: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_12 tags: - level2-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.12 @@ -260,12 +272,13 @@ dest: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_13 tags: - level2-server - level2-workstation - - autoamted + - automated - patch - ssh - rule_5.2.13 @@ -307,6 +320,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_16 tags: @@ -323,6 +337,7 @@ dest: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_17 tags: @@ -339,6 +354,7 @@ dest: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_18 tags: @@ -355,6 +371,7 @@ dest: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_19 tags: @@ -373,6 +390,7 @@ dest: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" + validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" lineinfile: @@ -380,6 +398,7 @@ dest: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_20 tags: From e03f7194ff96ee6bd4fe2d3c28098f44e760c1eb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 16:16:31 +0100 Subject: [PATCH 30/69] added validate Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.x.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index bd97cc3c..9aa864a9 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -19,6 +19,7 @@ dest: /etc/sudoers line: "Defaults use_pty" state: present + validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_2 tags: @@ -35,6 +36,7 @@ regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' state: present + validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_3 tags: @@ -50,6 +52,7 @@ path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' with_items: - "{{ rhel9cis_sudoers_files.stdout_lines }}" when: @@ -67,6 +70,7 @@ path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' with_items: - "{{ rhel9cis_sudoers_files.stdout_lines }}" when: From 9a0ac2233198f773a5b6ef06075272f8a64c43e2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 16:20:27 +0100 Subject: [PATCH 31/69] fix tag typo Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 6 +++--- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 2 +- tasks/section_5/cis_5.2.x.yml | 6 +++--- tasks/section_6/cis_6.1.x.yml | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 31c5db7d..53e01ae3 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -105,7 +105,7 @@ tags: - level1-server - level1-workstation - - automation + - automated - patch - ftp - rule_2.2.7 @@ -230,7 +230,7 @@ tags: - level1-server - level1-workstation - - automation + - automated - patch - squid - rule_2.2.13 @@ -246,7 +246,7 @@ tags: - level1-server - level1-workstation - - automation + - automated - patch - snmp - rule_2.2.14 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index f3c7e5ef..3484bf66 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -171,7 +171,7 @@ tags: - level1-server - level1-workstation - - automate + - automated - patch - nftables - rule_3.4.2.6 diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 6f7635cf..dee0f21d 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -123,7 +123,7 @@ tags: - level2-server - level2-workstation - - autoamted + - automated - patch - auditd - rule_4.1.3.8 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 27ec2955..9670309b 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -24,7 +24,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - rsyslog - rule_4.2.1.2 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index f62ddfb5..d6065071 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -176,7 +176,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.7 @@ -326,7 +326,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.16 @@ -343,7 +343,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - ssh - rule_5.2.17 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index be85af00..c169d4b7 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -131,7 +131,7 @@ tags: - level1-server - level1-workstation - - autoamted + - automated - patch - permissions - rule_6.1.7 From 2eeccbdc69d4e455d5ad8c5534f2d48d11c9f676 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:14 +0100 Subject: [PATCH 32/69] fixed regex Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9ddfc98e..23583d5d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: "^gpgcheck\s*=\s*0" + regexp: '^gpgcheck\s+=\s+0' replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" From b3a6f89ae0471b3126aed9ac121e9cf3acd1cb17 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:40 +0100 Subject: [PATCH 33/69] lint Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 53e01ae3..7ba7bb48 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -176,8 +176,8 @@ - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" package: name: - - dovecot - state: absent + - dovecot + state: absent when: - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" @@ -185,8 +185,8 @@ - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" package: name: - - cyrus-imapd - state: absent + - cyrus-imapd + state: absent when: - not rhel9cis_imap_server - "'cyrus-imapd' in ansible_facts.packages" From 223254b5c964059d25ff75689af17cc73c1df2ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:52 +0100 Subject: [PATCH 34/69] rewrite Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 168 ++++++++++++++++++++-------------- 1 file changed, 100 insertions(+), 68 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 71a37e54..24288bbe 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,59 +1,91 @@ --- -- name: "5.5.2 | PATCH | Ensure system accounts are secured" +- name: "5.5.1 | PATCH | " block: - - name: "5.5.2 | Ensure system accounts are secured | Set nologin" - user: - name: "{{ item.id }}" - shell: /usr/sbin/nologin - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "root" - - item.id != "sync" - - item.id != "shutdown" - - item.id != "halt" - - min_int_uid | int > item.gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" + blockinfile: + path: /etc/security/pwquality.conf + marker: "" + block: "{{ rhel9cis_pam_password }}" - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: - name: "{{ item.id }}" - password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "halt" - - item.id != "shutdown" - - item.id != "sync" - - item.id != "root" - - min_int_uid | int > item.gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + dest: /etc/pam.d/system-auth + state: present + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + dest: /etc/pam.d/password-auth + state: present + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' when: - - rhel9cis_rule_5_5_2 + - rhel9cis_rule_5_5_1 tags: - level1-server - level1-workstation - patch - - rule_5.5.2 + - rule_5.5.1 + +- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" + block: + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" + lineinfile: + dest: /etc/pam.d/{{ item }} + state: present + regexp: '^auth\s*required\s*pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" -- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: - create: yes - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID RHEL-08-5.4.5 - TMOUT={{ rhel9cis_shell_session_timeout.timeout }} - export TMOUT - readonly TMOUT + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" + lineinfile: + dest: /etc/pam.d/{{ item }} + state: present + regexp: '^auth\s*required\s*pam_faillock.so authfail' + line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" + when: + - ansible_distribution_version <= "8.1" + - rhel9cis_rule_5_5_2 + +- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " + lineinfile: + dest: /etc/security/faillock.conf + state: present + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" with_items: - - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } + - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } + when: + - ansible_distribution_version >= "8.2" + - rhel9cis_rule_5_5_2 + +- name: "5.5.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" + lineinfile: + path: /etc/pam.d/system-auth + state: present + line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + #after: '^password\s*requisite\s*pam_pwhistory.so' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -62,35 +94,35 @@ - patch - rule_5.5.3 -- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0" - command: usermod -g 0 root - changed_when: false - failed_when: false - when: - - rhel9cis_rule_5_5_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.4 - -- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive" +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" + replace: + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" replace: - path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' - - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" + - name: "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory" replace: - path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + path: /etc/pam.d/password-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + + - name: "5.5.4 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - - rhel9cis_rule_5_5_5 + - rhel9cis_rule_5_5_4 tags: - level1-server - level1-workstation - patch - - rule_5.5.5 + - rule_5.5.4 From 3d5fd41ed8eea2d3cf9ec93c65ac11cd52214ea4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:31:02 +0100 Subject: [PATCH 35/69] pam vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 79746ba6..d4f5394c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -583,6 +583,7 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false + rhel9cis_pass: max_days: 365 min_days: 7 @@ -591,14 +592,17 @@ rhel9cis_pass: rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true - +# 5.5.1 ## PAM -rhel9cis_pam_password: - minlen: "14" - minclass: "4" +rhel9cis_pam_password: | + minlen = 14 + minclass = 4 + +rhel9cis_pam_faillock: + remember: 5 # UID settings for interactive users -# These are discovered via logins.def is set true +# These are discovered via logins.def if set true discover_int_uid: false min_int_uid: 1000 max_int_uid: 65533 From d9b807c325d6bfb2917c1c2985fcf1903ebbed58 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 08:45:11 +0100 Subject: [PATCH 36/69] change lineinfile to path Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 24288bbe..c5fba6b0 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -10,7 +10,7 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: - dest: /etc/pam.d/system-auth + path: /etc/pam.d/system-auth state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" @@ -18,7 +18,7 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: - dest: /etc/pam.d/password-auth + path: /etc/pam.d/password-auth state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" @@ -35,7 +35,7 @@ block: - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" lineinfile: - dest: /etc/pam.d/{{ item }} + path: /etc/pam.d/{{ item }} state: present regexp: '^auth\s*required\s*pam_faillock.so preauth' line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" @@ -46,7 +46,7 @@ - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" lineinfile: - dest: /etc/pam.d/{{ item }} + path: /etc/pam.d/{{ item }} state: present regexp: '^auth\s*required\s*pam_faillock.so authfail' line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" @@ -60,7 +60,7 @@ - name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " lineinfile: - dest: /etc/security/faillock.conf + path: /etc/security/faillock.conf state: present regexp: "{{ item.regexp }}" line: "{{ item.line }}" From 0ef9e990cc51f2dafedd036fa665c833961f31fb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 08:48:53 +0100 Subject: [PATCH 37/69] tidy and fix titles Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index c5fba6b0..bed1b282 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -84,7 +84,6 @@ replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' - #after: '^password\s*requisite\s*pam_pwhistory.so' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 @@ -108,16 +107,16 @@ regexp: '^ENCRYPT_METHOD.*' replace: 'ENCRYPT_METHOD SHA512' - - name: "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory" + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" replace: path: /etc/pam.d/password-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - - name: "5.5.4 | PATCH | Ensure password reuse is limited | pam_unix" + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" replace: path: /etc/pam.d/system-auth - regexp: '^password\s*sufficient\s*pam_unix.so.*' + regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 From 96abe45eb231c28de526a63b90986bb2f10379e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:06 +0100 Subject: [PATCH 38/69] fix template path Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 327ec960..5033e5a5 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -22,7 +22,7 @@ - name: "3.1.2 | PATCH | Ensure SCTP is disabled" template: - src: "/etc/modprobe.d/modprobe.conf.j2" + src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" owner: root @@ -41,7 +41,7 @@ - name: "3.1.3 | PATCH | Ensure DCCP is disabled" template: - src: "/etc/modprobe.d/modprobe.conf.j2" + src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" owner: root From 32c409cb48469951bf42045bc5c8889720d27dcd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:21 +0100 Subject: [PATCH 39/69] reorder 3.4.1.2 Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index bb5cf97a..b7b50331 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -21,16 +21,18 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - masked: true + state: stopped + enabled: false with_items: - iptables - ip6tables when: item in ansible_facts.packages - - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Remove IPTables" + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: name: iptables-services state: absent + when: "'iptables-services' in ansible_facts.packages" when: - rhel9cis_rule_3_4_1_2 tags: From 2bf95bf3dabf6a3eb2debf6e2334d36cab24bcc2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:42 +0100 Subject: [PATCH 40/69] default mask nftable for firewalld Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d4f5394c..3effee26 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -484,7 +484,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: absent +rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables rhel9cis_nftables_firewalld_state: absent From d5065c1a82d04de47c180acecdf57a036060dd54 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:08:53 +0100 Subject: [PATCH 41/69] lint Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 744c6d68..66090262 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -81,7 +81,7 @@ - password - rule_5.6.1.4 -- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) From 4e873bc0d6e51596068c26671c79361d2aff6cfa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:09:06 +0100 Subject: [PATCH 42/69] added nfsnobody Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 6106e6e5..8d96b4b9 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,6 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" + - item.id != "nfsnobody" - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -30,6 +31,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" + - item.id != "nfsnobody" - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -51,9 +53,8 @@ mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" + marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" block: | - # Set session timeout - CIS ID RHEL-08-5.4.5 TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT @@ -71,9 +72,9 @@ - rule_5.6.3 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - command: usermod -g 0 root - changed_when: false - failed_when: false + user: + name: root + group: 0 when: - rhel9cis_rule_5_6_4 tags: From 13a6746997cab89006f5c8007c631653ca60c4ef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:24:47 +0100 Subject: [PATCH 43/69] lint Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +-- handlers/main.yml | 14 ++--- local.yml | 1 - meta/main.yml | 6 +-- tasks/main.yml | 96 ++++++++++++++++----------------- tasks/post.yml | 2 +- tasks/prelim.yml | 7 ++- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_2/cis_2.2.x.yml | 6 +-- tasks/section_2/cis_2.3.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_2/main.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 6 +-- tasks/section_3/cis_3.2.x.yml | 2 +- tasks/section_3/cis_3.3.x.yml | 18 +++---- tasks/section_4/cis_4.1.3.x.yml | 1 + tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.5.x.yml | 24 ++++----- tasks/section_5/cis_5.6.x.yml | 4 +- tasks/section_6/main.yml | 2 +- vars/AlmaLinux.yml | 2 +- vars/is_container.yml | 2 +- 24 files changed, 105 insertions(+), 108 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3effee26..a0bf8639 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false - - # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random @@ -454,7 +452,7 @@ rhel9cis_telnet_server: false rhel9cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service -# +# rhel9cis_use_nfs: - service: false - server: false @@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy +rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables rhel9cis_nftables_firewalld_state: absent diff --git a/handlers/main.yml b/handlers/main.yml index 9a8b657a..b0f3e7dd 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -33,18 +33,18 @@ - 60-disable_ipv6.conf - 60-netipv4_sysctl.conf - 60-netipv6_sysctl.conf - when: + when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" - name: reload sysctl sysctl: - name: net.ipv4.route.flush - value: '1' - state: present - reload: true - ignoreerrors: true - when: + name: net.ipv4.route.flush + value: '1' + state: present + reload: true + ignoreerrors: true + when: - ansible_virtualization_type != "docker" - "'systemd' in ansible_facts.packages" diff --git a/local.yml b/local.yml index 3f17560f..18c2f438 100644 --- a/local.yml +++ b/local.yml @@ -6,4 +6,3 @@ roles: - role: "{{ playbook_dir }}" - diff --git a/meta/main.yml b/meta/main.yml index 266a4685..aac8be87 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -22,7 +22,7 @@ galaxy_info: - disa - rhel9 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index f44197ca..8bda2a64 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,9 +6,9 @@ that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - os_check - - not system_is_ec2 + when: + - os_check + - not system_is_ec2 tags: - always @@ -29,7 +29,7 @@ - name: Load variable for container include_vars: file: "{{ container_vars_file }}" - + - name: output if discovered is a container debug: msg: system has been discovered as a container @@ -53,128 +53,128 @@ that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" when: - - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_set_boot_pass + - rhel9cis_rule_1_5_2 - name: "check sugroup exists if used" block: - - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - args: - warn: false - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint - - - name: Check sugroup if defined exists before continuing - assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" + - name: "Check su group exists if defined" + shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + args: + warn: false + register: sugroup_exists + changed_when: false + failed_when: sugroup_exists.rc >= 2 + tags: + - skip_ansible_lint + + - name: Check sugroup if defined exists before continuing + assert: + that: sugroup_exists.rc == 0 + msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 + - rhel9cis_sugroup is defined + - rhel9cis_rule_5_7 tags: - - rule_5.7 + - rule_5.7 - name: Gather the package facts package_facts: manager: auto tags: - - always + - always - name: Include OS specific variables include_vars: "{{ ansible_distribution }}.yml" tags: - - always + - always - name: Include preliminary steps import_tasks: prelim.yml tags: - - prelim_tasks - - always + - prelim_tasks + - always - name: run pre_remediation audit include_tasks: pre_remediation_audit.yml when: - - run_audit + - run_audit - name: Gather the package facts after prelim package_facts: manager: auto tags: - - always + - always - name: capture /etc/password variables include_tasks: parse_etc_password.yml - when: - - rhel9cis_section6 + when: + - rhel9cis_section6 tags: - - rule_5.5.2 - - rule_5.6.2 - - rule_6.2.9 - - rule_6.2.10 - - rule_6.2.11 - - rhel9cis_section5 - - rhel9cis_section6 + - rule_5.5.2 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 + - rhel9cis_section6 - name: run Section 1 tasks import_tasks: section_1/main.yml become: true when: rhel9cis_section1 tags: - - rhel9cis_section1 + - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml become: true when: rhel9cis_section2 tags: - - rhel9cis_section2 + - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml become: true when: rhel9cis_section3 tags: - - rhel9cis_section3 + - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml become: true when: rhel9cis_section4 tags: - - rhel9cis_section4 + - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml become: true when: rhel9cis_section5 tags: - - rhel9cis_section5 + - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml become: true when: rhel9cis_section6 tags: - - rhel9cis_section6 + - rhel9cis_section6 - name: run post remediation tasks import_tasks: post.yml become: true tags: - - post_tasks - - always + - post_tasks + - always - name: run post_remediation audit import_tasks: post_remediation_audit.yml when: - - run_audit + - run_audit - name: Show Audit Summary debug: msg: "{{ audit_results.split('\n') }}" when: - - run_audit + - run_audit diff --git a/tasks/post.yml b/tasks/post.yml index a8e1d002..69783ab0 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -10,7 +10,7 @@ package_facts: manager: auto tags: - - always + - always - name: trigger update sysctl shell: /bin/true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 47d1434d..eb02040d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -87,7 +87,7 @@ name: audit state: present become: true - when: + when: - '"auditd" not in ansible_facts.packages' - rhel9cis_rule_4_1_1_1 tags: @@ -209,7 +209,7 @@ shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false @@ -226,8 +226,7 @@ max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - debug: - msg: "{{ min_int_uid }} {{ max_int_uid }}" + msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid - diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 7ea36279..5a901c23 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -61,4 +61,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 \ No newline at end of file + - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 94e85d2b..1df3e849 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -58,4 +58,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 \ No newline at end of file + - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index f9f4c310..6573e518 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -34,7 +34,7 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - notify: + notify: - update sysctl when: - rhel9cis_rule_1_5_3 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 7ba7bb48..577ea45a 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -65,7 +65,7 @@ - name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" package: name: dhcp-server - state: absent + state: absent when: - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" @@ -113,7 +113,7 @@ - name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" package: name: vsftpd - state: absent + state: absent when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" @@ -222,7 +222,7 @@ - name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" package: name: squid - state: absent + state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 52159bcb..a1941da8 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -32,7 +32,7 @@ - rsh - rule_2.3.2 -- name: "2.3.3 | PATCH | Ensure talk client is not installed" +- name: "2.3.3 | PATCH | Ensure talk client is not installed" package: name: talk state: absent diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index a80d340f..5db134ea 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -23,4 +23,4 @@ - manual - audit - services - - rule_2.4 \ No newline at end of file + - rule_2.4 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 731f10c1..8f79854d 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -10,4 +10,4 @@ import_tasks: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - import_tasks: cis_2.4.yml \ No newline at end of file + import_tasks: cis_2.4.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 5033e5a5..db3c0fd6 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -1,11 +1,11 @@ --- -# The CIS Control wants IPv6 disabled if not in use. +# The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - notify: + notify: - update sysctl - sysctl flush ipv6 route table when: @@ -88,4 +88,4 @@ - automated - patch - wireless - - rule_3.1.4 \ No newline at end of file + - rule_3.1.4 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index b7f0f6b5..46295ec4 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -5,7 +5,7 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index e6d4952a..139ca659 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -5,7 +5,7 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table @@ -30,7 +30,7 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table @@ -52,7 +52,7 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_3 @@ -65,7 +65,7 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_4 @@ -78,7 +78,7 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_5 @@ -91,7 +91,7 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_6 @@ -104,7 +104,7 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_7 @@ -117,7 +117,7 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_8 @@ -133,7 +133,7 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index dee0f21d..0c392678 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,3 +1,4 @@ +--- - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" debug: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 9e8657ee..734b434a 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -168,4 +168,4 @@ - automated - patch - cron - - rule_5.1.9 \ No newline at end of file + - rule_5.1.9 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index bed1b282..10b18a70 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -54,7 +54,7 @@ with_items: - "system-auth" - "password-auth" - when: + when: - ansible_distribution_version <= "8.1" - rhel9cis_rule_5_5_2 @@ -67,7 +67,7 @@ with_items: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } - when: + when: - ansible_distribution_version >= "8.2" - rhel9cis_rule_5_5_2 @@ -79,9 +79,9 @@ state: present line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - replace: + replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' @@ -97,15 +97,15 @@ block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" replace: - path: /etc/libuser.conf - regexp: '^crypt_style\s*=\s*.*$' - replace: 'crypt_style = sha512' - + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" replace: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD.*' - replace: 'ENCRYPT_METHOD SHA512' + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" replace: @@ -114,7 +114,7 @@ replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - replace: + replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 8d96b4b9..420ce12a 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -73,8 +73,8 @@ - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" user: - name: root - group: 0 + name: root + group: 0 when: - rhel9cis_rule_5_6_4 tags: diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 61612730..b6acabf8 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -4,4 +4,4 @@ import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - import_tasks: cis_6.2.x.yml \ No newline at end of file + import_tasks: cis_6.2.x.yml diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 8f9f4b77..69e59941 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,4 +1,4 @@ --- # OS Specific Settings -rpm_gpg_key: RPM-GPG-KEY-AlmaLinux \ No newline at end of file +rpm_gpg_key: RPM-GPG-KEY-AlmaLinux diff --git a/vars/is_container.yml b/vars/is_container.yml index 1a395919..32504ee3 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false rhel9cis_rule_1_1_3: false rhel9cis_rule_1_1_4: false rhel9cis_rule_1_1_5: false -#/var +# /var rhel9cis_rule_1_1_6: false # /var/tmp rhel9cis_rule_1_1_7: false From bb7869adadd4ffbdbc7595fa9ba08bb295c35291 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 13:06:46 +0100 Subject: [PATCH 44/69] fixed 4.2.1.5 cron settings Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 9670309b..d7385dea 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -150,7 +150,7 @@ blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" block: | # Cron settings to meet CIS standards cron.* /var/log/cron From e9d212437a34f6fcd30ace6009a6d956f5613b33 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 13:07:36 +0100 Subject: [PATCH 45/69] firewall pkgs to masked as default Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a0bf8639..b8e3d8b1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -485,13 +485,13 @@ rhel9cis_default_zone: public rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables -rhel9cis_nftables_firewalld_state: absent +rhel9cis_nftables_firewalld_state: masked rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true #### iptables -rhel9cis_iptables_firewalld_state: absent +rhel9cis_iptables_firewalld_state: masked # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | From 0b684a5d43e0738b3c7c238cc53e8e5f3c640e28 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 16:56:02 +0100 Subject: [PATCH 46/69] fix typo Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index d7385dea..6196c80f 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -142,7 +142,7 @@ marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" block: | # Private settings to meet CIS standards - auth,authpriv.* -/var/log/secure + auth,authpriv.* /var/log/secure insertafter: '#### RULES ####' notify: restart rsyslog From 21bd88bdac11f7f38888e661f8b7b955c2531948 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 16:56:12 +0100 Subject: [PATCH 47/69] fixed control Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 90bddb43..3537c48f 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -30,10 +30,10 @@ {% endfor %} {% endif %} {% if rhel9cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access {% endif %} {% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity From 783c45d622dd32184a43fba920c4e000e5840a01 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 16:56:27 +0100 Subject: [PATCH 48/69] changed logic Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 420ce12a..a9eaf758 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -90,14 +90,14 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + replace: 'UMASK 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' + regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + replace: 'UMASK 027' when: - rhel9cis_rule_5_6_5 tags: From c451f15546c2ece9aac4bb777278b2913e158adb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 15:42:05 +0100 Subject: [PATCH 49/69] audit vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 475 ++++++++++++++++------------ templates/ansible_vars_goss.yml.old | 429 +++++++++++++++++++++++++ 2 files changed, 708 insertions(+), 196 deletions(-) create mode 100644 templates/ansible_vars_goss.yml.old diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f10c74f9..35d3aa20 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,15 +1,17 @@ +## metadata for benchmark + ## metadata for Audit benchmark -benchmark_version: '1.0.1' +benchmark_version: '2.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS -is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} +# If run via script this is discovered and set +host_os_distribution: {{ ansible_distribution | lower }} -rhel9cis_os_distribution: {{ ansible_distribution | lower }} -# timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: {{ audit_cmd_timeout }} +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 60000 -# Taken from LE rhel8-cis +# Taken from LE rhel9-cis rhel9cis_section1: {{ rhel9cis_section1 }} rhel9cis_section2: {{ rhel9cis_section2 }} rhel9cis_section3: {{ rhel9cis_section3 }} @@ -22,84 +24,115 @@ rhel9cis_level_2: {{ rhel9cis_level_2 }} rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} - - -# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true + +# True is BIOS based system else set to false {% if rhel9cis_legacy_boot is defined %} rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} {% endif %} - rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} + # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. # Section 1 rules +# 1.1.1 Disable unused filesystems rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} -rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} -rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} -rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} -rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} -rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} -rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} -rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} -rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} +# 1.1.2 Configure /tmp +rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} +rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }} +rhel9cis_rule_1_1_2_3: {{ rhel9cis_rule_1_1_2_3 }} +rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }} +# 1.1.3 Configure /var +rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }} +rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }} +rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }} +rhel9cis_rule_1_1_3_4: {{ rhel9cis_rule_1_1_3_4 }} +# 1.1.4 Configure /var/tmp +rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }} +rhel9cis_rule_1_1_4_2: {{ rhel9cis_rule_1_1_4_2 }} +rhel9cis_rule_1_1_4_3: {{ rhel9cis_rule_1_1_4_3 }} +rhel9cis_rule_1_1_4_4: {{ rhel9cis_rule_1_1_4_4 }} +# 1.1.5 Configure /var/log +rhel9cis_rule_1_1_5_1: {{ rhel9cis_rule_1_1_5_1 }} +rhel9cis_rule_1_1_5_2: {{ rhel9cis_rule_1_1_5_2 }} +rhel9cis_rule_1_1_5_3: {{ rhel9cis_rule_1_1_5_3 }} +rhel9cis_rule_1_1_5_4: {{ rhel9cis_rule_1_1_5_4 }} +# 1.1.6 Configure /var/log/audit +rhel9cis_rule_1_1_6_1: {{ rhel9cis_rule_1_1_6_1 }} +rhel9cis_rule_1_1_6_2: {{ rhel9cis_rule_1_1_6_2 }} +rhel9cis_rule_1_1_6_3: {{ rhel9cis_rule_1_1_6_3 }} +rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }} +# 1.1.7 Configure /home +rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} +rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} +rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} +rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }} +rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }} +# 1.1.8 Configure /dev/shm +rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} +rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} +rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} +# 1.9 autofs rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} +# 1.10 usb-storage rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} -rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} -rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} -rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} -rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} -rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} -rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} -rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} -rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} -rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} -rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} -rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} -rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} -rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} +# 1.2 Configure Software Updates rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} -rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} +# 1.3 Filesystem Integrity Checking rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} -rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} +# 1.4 Secure Boot Settings rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} +# 1.5 Additional Process Hardening rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} - -rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} -rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} -rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} -rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} -rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} -rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} -rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} -rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} -rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} -rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} -rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} -rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} -rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +# 1.6 Mandatory Access Control +rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} +rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} +rhel9cis_rule_1_6_3: {{ rhel9cis_rule_1_6_3 }} +rhel9cis_rule_1_6_4: {{ rhel9cis_rule_1_6_4 }} +rhel9cis_rule_1_6_5: {{ rhel9cis_rule_1_6_5 }} +rhel9cis_rule_1_6_6: {{ rhel9cis_rule_1_6_6 }} +rhel9cis_rule_1_6_7: {{ rhel9cis_rule_1_6_7 }} +rhel9cis_rule_1_6_8: {{ rhel9cis_rule_1_6_8 }} +# 1.7 Command Line Warning Banners +rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} +rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} +rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }} +rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }} +rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }} +rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }} +rhel9cis_rule_1_7_7: {{ rhel9cis_rule_1_7_7 }} +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_7_8 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_1 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_3 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_4 }} +# 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} +# Ensure system-wide crypto policy is not legacy rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} -# section 2 rules +# section 2 +# Services +# 2.1 Time Synchronization rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} -rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} -rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} +rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }} +# 2.2 Special Purpose Services +rhel9cis_rule_2_2_1: {{ rhel9cis_rule_2_2_1 }} rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} @@ -117,74 +150,138 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} +rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }} +rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }} +# 2.3 service clients rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} +rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} +rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} +rhel9cis_rule_2_4: true # todo # Section 3 rules +# 3.1 Disable unused network protocols and devices rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} +rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} +rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }} +# 3.2 Network Parameters (Host Only) rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} -rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} -rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} -rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} -rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} -rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} -rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} -rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} +# 3.3 Network Parameters (Host and Router) rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} +rhel9cis_rule_3_3_5: {{ rhel9cis_rule_3_3_5 }} +rhel9cis_rule_3_3_6: {{ rhel9cis_rule_3_3_6 }} +rhel9cis_rule_3_3_7: {{ rhel9cis_rule_3_3_7 }} +rhel9cis_rule_3_3_8: {{ rhel9cis_rule_3_3_8 }} +rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }} +# 3.4.1 Configure firewalld rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} +rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} +rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }} +rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }} +rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }} +rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }} +rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }} +# 3.4.1 Configure nftables rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} -rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} -rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} - - -# Section 4 rules +rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} +rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} +rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} +rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} +rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} +# 3.4.3.1 Configure iptables +rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }} +rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }} +rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }} +# 3.4.3.2 iptables ipv4 +rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }} +rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }} +rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }} +rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }} +rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }} +rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }} +# 3.4.3.2 iptables ipv6 +rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }} +rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }} +rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }} +rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }} +rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }} +rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }} + + +# Section 4 rules +# 4.1 Configure System Accounting rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} + +# 4.1.2 Configure Data retention rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} -rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} -rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} -rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} -rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} -rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} -rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} -rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} -rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }} -rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} -rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} -rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} -rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} -rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} -rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} -rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} + +# 4.1.3 Configure auditd rules +rhel9cis_rule_4_1_3_1: {{ rhel9cis_rule_4_1_3_1 }} +rhel9cis_rule_4_1_3_2: {{ rhel9cis_rule_4_1_3_2 }} +rhel9cis_rule_4_1_3_3: {{ rhel9cis_rule_4_1_3_3 }} +rhel9cis_rule_4_1_3_4: {{ rhel9cis_rule_4_1_3_4 }} +rhel9cis_rule_4_1_3_5: {{ rhel9cis_rule_4_1_3_5 }} +rhel9cis_rule_4_1_3_6: {{ rhel9cis_rule_4_1_3_6 }} +rhel9cis_rule_4_1_3_7: {{ rhel9cis_rule_4_1_3_7 }} +rhel9cis_rule_4_1_3_8: {{ rhel9cis_rule_4_1_3_8 }} +rhel9cis_rule_4_1_3_9: {{ rhel9cis_rule_4_1_3_9 }} +rhel9cis_rule_4_1_3_10: {{ rhel9cis_rule_4_1_3_10 }} +rhel9cis_rule_4_1_3_11: {{ rhel9cis_rule_4_1_3_11 }} +rhel9cis_rule_4_1_3_12: {{ rhel9cis_rule_4_1_3_12 }} +rhel9cis_rule_4_1_3_13: {{ rhel9cis_rule_4_1_3_13 }} +rhel9cis_rule_4_1_3_14: {{ rhel9cis_rule_4_1_3_14 }} +rhel9cis_rule_4_1_3_15: {{ rhel9cis_rule_4_1_3_15 }} +rhel9cis_rule_4_1_3_16: {{ rhel9cis_rule_4_1_3_16 }} +rhel9cis_rule_4_1_3_17: {{ rhel9cis_rule_4_1_3_17 }} +rhel9cis_rule_4_1_3_18: {{ rhel9cis_rule_4_1_3_18 }} +rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }} +rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} +rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} + +# 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} +rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} -rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} +rhel9cis_rule_4_2_1_7: {{ rhel9cis_rule_4_2_1_7 }} + +# 4.2.2 Configure journald +rhel9cis_rule_4_2_2_1_1: {{ rhel9cis_rule_4_2_2_1_1 }} +rhel9cis_rule_4_2_2_1_2: {{ rhel9cis_rule_4_2_2_1_2 }} +rhel9cis_rule_4_2_2_1_3: {{ rhel9cis_rule_4_2_2_1_3 }} +rhel9cis_rule_4_2_2_1_4: {{ rhel9cis_rule_4_2_2_1_4 }} rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} +rhel9cis_rule_4_2_2_4: {{ rhel9cis_rule_4_2_2_4 }} +rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }} +rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }} +rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} # Section 5 +# Authentication and Authorization +# 5.1 Configure time-based job schedulers rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} @@ -194,6 +291,7 @@ rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} +# 5.2 Configure SSH Server rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} @@ -214,31 +312,41 @@ rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} - +# 5.3 Configure privilege escalation rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} +rhel9cis_rule_5_3_4: {{ rhel9cis_rule_5_3_4 }} +rhel9cis_rule_5_3_5: {{ rhel9cis_rule_5_3_5 }} +rhel9cis_rule_5_3_6: {{ rhel9cis_rule_5_3_6 }} +rhel9cis_rule_5_3_7: {{ rhel9cis_rule_5_3_7 }} + +# 5.4 Configure authselect rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} -rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} -rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} - -rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} -rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} -rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} -rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} -rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} +# 5.5 Configure PAM +rhel9cis_rule_5_5_1: {{ rhel9cis_rule_5_5_1 }} rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} -rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} -rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} -rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} +# 5.6 User Accounts and Environment +# 5.6.1 Set Shadow Password Suite Parameters +rhel9cis_rule_5_6_1_1: {{ rhel9cis_rule_5_6_1_1 }} +rhel9cis_rule_5_6_1_2: {{ rhel9cis_rule_5_6_1_2 }} +rhel9cis_rule_5_6_1_3: {{ rhel9cis_rule_5_6_1_3 }} +rhel9cis_rule_5_6_1_4: {{ rhel9cis_rule_5_6_1_4 }} +rhel9cis_rule_5_6_1_5: {{ rhel9cis_rule_5_6_1_5 }} +rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }} +rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }} +rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }} +rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }} # Section 6 +# 6 System Maintenance +# 6.1 System File Permissions rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} @@ -253,7 +361,9 @@ rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} +rhel9cis_rule_6_1_15: {{ rhel9cis_rule_6_1_15 }} +# 6.2 User and Group Settings rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }} rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} @@ -270,160 +380,133 @@ rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} -rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} -rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} -rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} -rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} +############ + +# Section 1 + +# AIDE +rhel9cis_config_aide: {{ rhel9cis_config_aide }} -# Service configuration booleans set true to keep service +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: {{ rhel9cis_gui }} + +# Warning Banner Content (issue, issue.net, motd) +rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} +# End Banner + +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# Section 2 +## 2.2 Special Purposes +# Set to 'true' if X Windows is needed in your environment +rhel9cis_xwindows_required: false +### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftp_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} -rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} +rhel9cis_imap_server: {{ rhel9cis_imap_server }} rhel9cis_samba_server: {{ rhel9cis_samba_server }} rhel9cis_squid_server: {{ rhel9cis_squid_server }} rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} rhel9cis_nis_server: {{ rhel9cis_nis_server }} rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} - -rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} - -# client services +# Note the options +# Packages are used for client services and Server- only remove if you dont use the client service +# +rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs.server }} +rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs.service }} +rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc.server }} +rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc.service }} +rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync.server }} +rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync.service }} + +#### 2.3 Service clients rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_openldap_clients_required: {{ openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} +# Section 3 - - -# AIDE -rhel9cis_config_aide: {{ rhel9cis_config_aide }} - -# aide setup via - cron, timer -rhel9_aide_scan: cron - -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: {{ rhel9cis_aide_cron.cron_user }} - cron_file: '{{ rhel9cis_aide_cron.cron_file }}' - aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' - aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' - aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' - aide_day: '{{ rhel9cis_aide_cron.aide_day }}' - aide_month: '{{ rhel9cis_aide_cron.aide_month }}' - aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' - -# 1.5.1 Bootloader password -rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} - -# 1.10 crypto -rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} - -# Warning Banner Content (issue, issue.net, motd) -rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} -# End Banner - - -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: {{ rhel9cis_gui }} - -# xinetd required -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} - -# IPv6 required +## IPv6 required rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} -# System network parameters (host only OR host and router) +## 3.2 System network parameters (host only OR host and router) rhel9cis_is_router: {{ rhel9cis_is_router }} - +## Section 3.4 +### Firewall rhel9cis_firewall: {{ rhel9cis_firewall }} -#rhel9cis_firewall: iptables -rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewall_interface: -- enp0s3 -- enp0s8 - -rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - - -### Section 4 -## auditd settings -rhel9cis_auditd: - space_left_action: {{ rhel9cis_auditd.space_left_action}} - action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} - admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} - max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} +##### firewalld +rhel9cis_default_zone: {{ rhel9cis_default_zone }} +rhel9cis_firewalld_nftables_state: {{ rhel9cis_firewalld_nftables_state }} # Note if absent removes the firewalld pkg dependancy +#### nftables +rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} +rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} +rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} +rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} +#### iptables +rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }} + +# Section 4 ## syslog -rhel9_cis_rsyslog: true +rhel9_cis_rsyslog: {{ rhel9cis_syslog }} -### Section 5 +# Section 5 +## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false -#Note the following to understand precedence and layout rhel9cis_sshd_access: - AllowUser: - AllowGroup: - DenyUser: - DenyGroup: + - AllowUser + - AllowGroup + - DenyUser + - DenyGroup + +## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above +rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} + +## 5.3.2 Authselect select false if using AD or RHEL ID mgmt +rhel9cis_authselect: + custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} + default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} -rhel9cis_ssh_aliveinterval: "300" -rhel9cis_ssh_countmax: "3" -rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} +## 5.4.1 Enable automation to create custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} +# 5.5.1 ## PAM rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password.minlen }} minclass: {{ rhel9cis_pam_password.minclass }} rhel9cis_pam_passwd_retry: "3" -# faillock or tally2 -rhel9cis_accountlock: faillock - -## note this is to skip tests -skip_rhel9cis_pam_passwd_auth: true -skip_rhel9cis_pam_system_auth: true -# choose one of below +## 5.5.3 choose one of below rhel9cis_pwhistory_so: "14" -rhel9cis_unix_so: false rhel9cis_passwd_remember: "5" -# logins.def password settings +## 5.6.x login.defs password settings rhel9cis_pass: max_days: {{ rhel9cis_pass.max_days }} min_days: {{ rhel9cis_pass.min_days }} warn_age: {{ rhel9cis_pass.warn_age }} -# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example -rhel9cis_authselect: - custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} - options: {{ rhel9cis_authselect.options }} - -# 5.3.1 Enable automation to creat custom profile settings, using the setings above -rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} - -# 5.3.2 Enable automation to select custom profile options, using the settings above -rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} +## 5.3.7 set sugroup if differs from wheel +rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} -# 5.7 -rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} +## 5.3.7 sugroup users list +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} \ No newline at end of file diff --git a/templates/ansible_vars_goss.yml.old b/templates/ansible_vars_goss.yml.old new file mode 100644 index 00000000..f10c74f9 --- /dev/null +++ b/templates/ansible_vars_goss.yml.old @@ -0,0 +1,429 @@ +## metadata for Audit benchmark +benchmark_version: '1.0.1' + +# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS +is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} + +rhel9cis_os_distribution: {{ ansible_distribution | lower }} + +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: {{ audit_cmd_timeout }} + +# Taken from LE rhel8-cis +rhel9cis_section1: {{ rhel9cis_section1 }} +rhel9cis_section2: {{ rhel9cis_section2 }} +rhel9cis_section3: {{ rhel9cis_section3 }} +rhel9cis_section4: {{ rhel9cis_section4 }} +rhel9cis_section5: {{ rhel9cis_section5 }} +rhel9cis_section6: {{ rhel9cis_section6 }} + +rhel9cis_level_1: {{ rhel9cis_level_1 }} +rhel9cis_level_2: {{ rhel9cis_level_2 }} + +rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} + + + +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +run_heavy_tests: true +{% if rhel9cis_legacy_boot is defined %} +rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} +{% endif %} + + +rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} +# These variables correspond with the CIS rule IDs or paragraph numbers defined in +# the CIS benchmark documents. +# PLEASE NOTE: These work in coordination with the section # group variables and tags. +# You must enable an entire section in order for the variables below to take effect. +# Section 1 rules +rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} +rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} +rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} +rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} +rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} +rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} +rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} +rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} +rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} +rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} +rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} +rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} +rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} +rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} +rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} +rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} +rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} +rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} +rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} +rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} +rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} +rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} +rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} +rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} +rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} +rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} +rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed +rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} +rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} +rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} +rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} +rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} +rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} +rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} +rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} +rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} +rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} +rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} +rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} + +rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} +rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} +rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} +rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} +rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} +rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} +rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} +rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} +rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} +rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} +rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} +rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} +rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} +rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} + + +# section 2 rules +rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} +rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} +rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} +rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} +rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} +rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} +rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }} +rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }} +rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }} +rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }} +rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }} +rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }} +rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }} +rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }} +rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }} +rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }} +rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} +rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} +rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} +rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} +rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} +rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} +rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} + + +# Section 3 rules +rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} +rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} +rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} +rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} +rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} +rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} +rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} +rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} +rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} +rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} +rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} +rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} +rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} +rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} +rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} +rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} +rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} +rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} +rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} +rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} +rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} +rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} +rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} +rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} + + +# Section 4 rules +rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} +rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} +rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} +rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} +rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} +rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} +rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} +rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} +rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} +rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} +rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} +rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} +rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} +rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} +rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }} +rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} +rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} +rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} +rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} +rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} +rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} +rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} +rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} +rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} +rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} +rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} +rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} +rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} +rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} +rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} +rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} +rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} +rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + +# Section 5 +rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} +rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} +rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} +rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }} +rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} +rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} +rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} +rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} + +rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} +rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} +rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} +rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }} +rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }} +rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }} +rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }} +rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }} +rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }} +rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }} +rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }} +rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }} +rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }} +rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }} +rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }} +rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }} +rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} +rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} +rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} +rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} + +rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} +rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} +rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} + +rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} +rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} +rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} +rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} + +rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} +rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} +rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} +rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} +rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} + +rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} +rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} +rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} +rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} + +rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} +rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} + +# Section 6 +rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} +rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} +rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} +rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }} +rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }} +rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }} +rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }} +rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }} +rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }} +rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }} +rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} +rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} +rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} +rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} + +rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} +rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }} +rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} +rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }} +rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }} +rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }} +rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }} +rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }} +rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }} +rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }} +rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }} +rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }} +rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} +rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} +rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} +rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} +rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} +rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} +rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} +rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} + + +# Service configuration booleans set true to keep service +rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} +rhel9cis_cups_server: {{ rhel9cis_cups_server }} +rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} +rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} +rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} +rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} +rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} +rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} +rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} + + +rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} + +# client services +rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} + + + + +# AIDE +rhel9cis_config_aide: {{ rhel9cis_config_aide }} + +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# AIDE cron settings +rhel9cis_aide_cron: + cron_user: {{ rhel9cis_aide_cron.cron_user }} + cron_file: '{{ rhel9cis_aide_cron.cron_file }}' + aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' + aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' + aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' + aide_day: '{{ rhel9cis_aide_cron.aide_day }}' + aide_month: '{{ rhel9cis_aide_cron.aide_month }}' + aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' + +# 1.5.1 Bootloader password +rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} +rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} + +# 1.10 crypto +rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} + +# Warning Banner Content (issue, issue.net, motd) +rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} +# End Banner + + +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: {{ rhel9cis_gui }} + +# xinetd required +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} + +# IPv6 required +rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} + +# System network parameters (host only OR host and router) +rhel9cis_is_router: {{ rhel9cis_is_router }} + + +rhel9cis_firewall: {{ rhel9cis_firewall }} +#rhel9cis_firewall: iptables +rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} +rhel9cis_firewall_interface: +- enp0s3 +- enp0s8 + +rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} + + +### Section 4 +## auditd settings +rhel9cis_auditd: + space_left_action: {{ rhel9cis_auditd.space_left_action}} + action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} + admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} + max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} + auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} + +## syslog +rhel9_cis_rsyslog: true + +### Section 5 +rhel9cis_sshd_limited: false +#Note the following to understand precedence and layout +rhel9cis_sshd_access: + AllowUser: + AllowGroup: + DenyUser: + DenyGroup: + +rhel9cis_ssh_aliveinterval: "300" +rhel9cis_ssh_countmax: "3" + +rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} + +## PAM +rhel9cis_pam_password: + minlen: {{ rhel9cis_pam_password.minlen }} + minclass: {{ rhel9cis_pam_password.minclass }} +rhel9cis_pam_passwd_retry: "3" +# faillock or tally2 +rhel9cis_accountlock: faillock + +## note this is to skip tests +skip_rhel9cis_pam_passwd_auth: true +skip_rhel9cis_pam_system_auth: true + +# choose one of below +rhel9cis_pwhistory_so: "14" +rhel9cis_unix_so: false +rhel9cis_passwd_remember: "5" + +# logins.def password settings +rhel9cis_pass: + max_days: {{ rhel9cis_pass.max_days }} + min_days: {{ rhel9cis_pass.min_days }} + warn_age: {{ rhel9cis_pass.warn_age }} + +# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example +rhel9cis_authselect: + custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} + default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} + options: {{ rhel9cis_authselect.options }} + +# 5.3.1 Enable automation to creat custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} + +# 5.3.2 Enable automation to select custom profile options, using the settings above +rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} + +# 5.7 +rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} From 7374c37510d31301d939384d1335d4d61e462f2e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:31:57 +0100 Subject: [PATCH 50/69] updates var naming Signed-off-by: Mark Bolwell --- defaults/main.yml | 24 ++++++++++++------------ tasks/section_2/cis_2.2.x.yml | 24 ++++++++++++------------ 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b8e3d8b1..21f70b0b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -453,15 +453,15 @@ rhel9cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service # -rhel9cis_use_nfs: - - service: false - - server: false -rhel9_use_rpc: - - service: false - - server: false -rhel9cis_use_rsync: - - service: false - - server: false + +rhel9cis_use_nfs_server: false +rhel9cis_use_nfs_service: false + +rhel9cis_use_rpc_server: false +rhel9cis_use_rpc_service: false + +rhel9cis_use_rsync_server: false +rhel9cis_use_rsync_service: false #### 2.3 Service clients rhel9cis_ypbind_required: false @@ -592,9 +592,9 @@ rhel9cis_rsyslog_ansiblemanaged: true # 5.5.1 ## PAM -rhel9cis_pam_password: | - minlen = 14 - minclass = 4 +rhel9cis_pam_password: + minlen: 14 + minclass: 4 rhel9cis_pam_faillock: remember: 5 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 577ea45a..00a61efe 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -310,8 +310,8 @@ name: nfs-utils state: absent when: - - not rhel9cis_use_nfs.server - - not rhel9cis_use_nfs.service + - not rhel9cis_use_nfs_server + - not rhel9cis_use_nfs_service - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" systemd: @@ -319,8 +319,8 @@ masked: true state: stopped when: - - not rhel9cis_use_nfs.server - - rhel9cis_use_nfs.service + - not rhel9cis_use_nfs_server + - rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_18 @@ -342,8 +342,8 @@ name: rpcbind state: absent when: - - not rhel9cis_use_rpc.server - - not rhel9cis_use_rpc.service + - not rhel9cis_use_rpc_server + - not rhel9cis_use_rpc_service - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" systemd: @@ -351,8 +351,8 @@ masked: true state: stopped when: - - rhel9cis_use_rpc.server - - not rhel9cis_use_rpc.service + - rhel9cis_use_rpc_server + - not rhel9cis_use_rpc_service when: - "'rpcbind' in ansible_facts.packages" - rhel9cis_rule_2_2_19 @@ -373,8 +373,8 @@ name: rsync state: absent when: - - not rhel9cis_use_rsync.server - - not rhel9cis_use_rsync.service + - not rhel9cis_use_rsync_server + - not rhel9cis_use_rsync_service - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" systemd: @@ -382,8 +382,8 @@ masked: true state: stopped when: - - rhel9cis_use_rsync.server - - not rhel9cis_use_rsync.service + - rhel9cis_use_rsync_server + - not rhel9cis_use_rsync_service when: - "'rsync' in ansible_facts.packages" - rhel9cis_rule_2_2_20 From 9c771e03e4944663cf290563f8bc565c46e96b19 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:14 +0100 Subject: [PATCH 51/69] use new var name Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 10b18a70..3aaf27b0 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -3,10 +3,14 @@ - name: "5.5.1 | PATCH | " block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - blockinfile: + lineinfile: path: /etc/security/pwquality.conf - marker: "" - block: "{{ rhel9cis_pam_password }}" + state: present + regexp: ^{{ item.name }} + line: "{{ item.name }} = {{ item.value }}" + with_items: + - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } + - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: From e4275b21316c82e3e00f57641056ad6bdb65d931 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:25 +0100 Subject: [PATCH 52/69] updated conditional Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index b7b50331..7c25ff2a 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -23,18 +23,15 @@ name: "{{ item }}" state: stopped enabled: false - with_items: - - iptables - - ip6tables - when: item in ansible_facts.packages - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: name: iptables-services state: absent - when: "'iptables-services' in ansible_facts.packages" + when: when: - rhel9cis_rule_3_4_1_2 + - "'iptables-services' in ansible_facts.packages" tags: - level1-server - level1-workstation From ae6b6866e0892ad3aa94bbc7b4c501d67fb0a2f5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:36 +0100 Subject: [PATCH 53/69] fix typo Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 3537c48f..7abe895b 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -32,7 +32,7 @@ {% if rhel9cis_rule_4_1_3_7 %} -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access {% endif %} {% if rhel9cis_rule_4_1_3_8 %} From e27e5276e4d9426a624ce1c01bb43f87d1dcf941 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:32:53 +0100 Subject: [PATCH 54/69] updated Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 56 +++++++++++++++--------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 35d3aa20..e3ca2243 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -99,14 +99,14 @@ rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} # 1.6 Mandatory Access Control -rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} -rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} -rhel9cis_rule_1_6_3: {{ rhel9cis_rule_1_6_3 }} -rhel9cis_rule_1_6_4: {{ rhel9cis_rule_1_6_4 }} -rhel9cis_rule_1_6_5: {{ rhel9cis_rule_1_6_5 }} -rhel9cis_rule_1_6_6: {{ rhel9cis_rule_1_6_6 }} -rhel9cis_rule_1_6_7: {{ rhel9cis_rule_1_6_7 }} -rhel9cis_rule_1_6_8: {{ rhel9cis_rule_1_6_8 }} +rhel9cis_rule_1_6_1_1: {{ rhel9cis_rule_1_6_1_1 }} +rhel9cis_rule_1_6_1_2: {{ rhel9cis_rule_1_6_1_2 }} +rhel9cis_rule_1_6_1_3: {{ rhel9cis_rule_1_6_1_3 }} +rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} +rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} +rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} +rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} +rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} @@ -114,12 +114,12 @@ rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }} rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }} rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }} rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }} -rhel9cis_rule_1_7_7: {{ rhel9cis_rule_1_7_7 }} -rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_7_8 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_1 }} -rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_2 }} -rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_3 }} -rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_4 }} +# 1.8 Gnome Display Manager +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy @@ -409,7 +409,7 @@ rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} @@ -425,19 +425,19 @@ rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} # Note the options # Packages are used for client services and Server- only remove if you dont use the client service # -rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs.server }} -rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs.service }} -rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc.server }} -rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc.service }} -rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync.server }} -rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync.service }} +rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs_server }} +rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs_service }} +rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc_server }} +rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc_service }} +rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }} +rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} #### 2.3 Service clients rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_openldap_clients_required: {{ openldap_clients_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} # Section 3 @@ -482,7 +482,7 @@ rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile ## 5.3.2 Authselect select false if using AD or RHEL ID mgmt rhel9cis_authselect: custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} + default_file_to_copy: {{ rhel9cis_authselect['default_file_to_copy'] }} ## 5.4.1 Enable automation to create custom profile settings, using the setings above @@ -491,8 +491,8 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile # 5.5.1 ## PAM rhel9cis_pam_password: - minlen: {{ rhel9cis_pam_password.minlen }} - minclass: {{ rhel9cis_pam_password.minclass }} + minlen: {{ rhel9cis_pam_password['minlen'] }} + minclass: {{ rhel9cis_pam_password['minclass'] }} rhel9cis_pam_passwd_retry: "3" ## 5.5.3 choose one of below @@ -501,9 +501,9 @@ rhel9cis_passwd_remember: "5" ## 5.6.x login.defs password settings rhel9cis_pass: - max_days: {{ rhel9cis_pass.max_days }} - min_days: {{ rhel9cis_pass.min_days }} - warn_age: {{ rhel9cis_pass.warn_age }} + max_days: {{ rhel9cis_pass['max_days'] }} + min_days: {{ rhel9cis_pass['min_days'] }} + warn_age: {{ rhel9cis_pass['warn_age'] }} ## 5.3.7 set sugroup if differs from wheel rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} From 02d686f920352ccac596a5b19bedb50a85045c59 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:38:24 +0100 Subject: [PATCH 55/69] removed default state Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 3aaf27b0..9b4c7d33 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -5,7 +5,6 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" lineinfile: path: /etc/security/pwquality.conf - state: present regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" with_items: @@ -15,7 +14,6 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: path: /etc/pam.d/system-auth - state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' @@ -23,7 +21,6 @@ - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" lineinfile: path: /etc/pam.d/password-auth - state: present regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' @@ -40,7 +37,6 @@ - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" lineinfile: path: /etc/pam.d/{{ item }} - state: present regexp: '^auth\s*required\s*pam_faillock.so preauth' line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" insertafter: '^#?auth ?' @@ -51,7 +47,6 @@ - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" lineinfile: path: /etc/pam.d/{{ item }} - state: present regexp: '^auth\s*required\s*pam_faillock.so authfail' line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" insertafter: '^#?auth ?' @@ -65,7 +60,6 @@ - name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " lineinfile: path: /etc/security/faillock.conf - state: present regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: @@ -80,7 +74,6 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" lineinfile: path: /etc/pam.d/system-auth - state: present line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' From 82d1d185043e60bff7da7cdb252caaa83353f93b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 16:58:03 +0100 Subject: [PATCH 56/69] consistent lineinfile usage Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 ++-- tasks/section_1/cis_1.1.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 2 +- tasks/section_2/cis_2.1.x.yml | 3 +- tasks/section_2/cis_2.2.x.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 1 - tasks/section_4/cis_4.1.2.x.yml | 9 ++--- tasks/section_4/cis_4.2.1.x.yml | 5 ++- tasks/section_4/cis_4.2.2.x.yml | 9 ++--- tasks/section_5/cis_5.2.x.yml | 60 +++++++++++---------------------- tasks/section_5/cis_5.3.x.yml | 9 ++--- tasks/section_5/cis_5.6.1.x.yml | 9 ++--- 12 files changed, 41 insertions(+), 76 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 8cf70dc1..f687901e 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -4,7 +4,7 @@ block: - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: yes @@ -29,7 +29,7 @@ block: - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: yes @@ -54,7 +54,7 @@ block: - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: yes diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index ed2872e9..a77e5242 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -21,7 +21,7 @@ block: - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: yes diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 1edc7048..e056ceff 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -17,7 +17,7 @@ - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" lineinfile: - dest: "{{ item.file }}" + path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index ba927e9c..effe8067 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -26,10 +26,9 @@ - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" lineinfile: - dest: /etc/sysconfig/chronyd + path: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" - state: present create: yes mode: 0644 when: diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 00a61efe..6a195ca8 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -285,7 +285,7 @@ - name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" lineinfile: - dest: /etc/postfix/main.cf + path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" notify: restart postfix diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 3484bf66..a9284c51 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -332,7 +332,6 @@ - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" lineinfile: path: /etc/sysconfig/nftables.conf - state: present insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index a7e0282a..0eec0b29 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -2,10 +2,9 @@ - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" - state: present notify: restart auditd when: - rhel9cis_rule_4_1_2_1 @@ -19,10 +18,9 @@ - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - state: present notify: restart auditd when: - rhel9cis_rule_4_1_2_2 @@ -36,10 +34,9 @@ - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - state: present notify: restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 6196c80f..7e70a024 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -32,10 +32,9 @@ # This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes - state: present when: - rhel9cis_rule_4_2_1_3 - rhel9cis_preferred_log_capture == "rsyslog" @@ -48,7 +47,7 @@ - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: - dest: /etc/rsyslog.conf + path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' notify: restart rsyslog diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 5b59d630..8523066c 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -97,10 +97,9 @@ - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes - state: present when: - rhel9cis_rule_4_2_2_3 tags: @@ -113,10 +112,9 @@ - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent - state: present when: - rhel9cis_rule_4_2_2_4 tags: @@ -130,10 +128,9 @@ # This is counter to control 4.2.1.3?? - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" lineinfile: - dest: /etc/systemd/journald.conf + path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" - state: present notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index d6065071..7234da6e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -83,8 +83,7 @@ block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} validate: sshd -t -f %s @@ -93,8 +92,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} validate: sshd -t -f %s @@ -103,8 +101,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} validate: sshd -t -f %s @@ -113,8 +110,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} validate: sshd -t -f %s @@ -132,8 +128,7 @@ - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -149,8 +144,7 @@ - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s @@ -166,8 +160,7 @@ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -183,8 +176,7 @@ - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s @@ -200,8 +192,7 @@ - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -217,8 +208,7 @@ - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s @@ -234,8 +224,7 @@ - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -251,8 +240,7 @@ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s @@ -268,8 +256,7 @@ - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s @@ -300,8 +287,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' when: @@ -316,8 +302,7 @@ - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s @@ -333,8 +318,7 @@ - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s @@ -350,8 +334,7 @@ - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -367,8 +350,7 @@ - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s @@ -386,16 +368,14 @@ block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 9aa864a9..f9dad143 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -16,9 +16,8 @@ - name: "5.3.2 | PATCH | Ensure sudo commands use pty" lineinfile: - dest: /etc/sudoers + path: /etc/sudoers line: "Defaults use_pty" - state: present validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_2 @@ -32,10 +31,9 @@ - name: "5.3.3 | PATCH | Ensure sudo log file exists" lineinfile: - dest: /etc/sudoers + path: /etc/sudoers regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' - state: present validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_3 @@ -122,8 +120,7 @@ block: - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" lineinfile: - state: present - dest: /etc/pam.d/su + path: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 66090262..c728d90b 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -2,8 +2,7 @@ - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" lineinfile: - state: present - dest: /etc/login.defs + path: /etc/login.defs regexp: '^PASS_MAX_DAYS' line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" when: @@ -18,8 +17,7 @@ - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" lineinfile: - state: present - dest: /etc/login.defs + path: /etc/login.defs regexp: '^PASS_MIN_DAYS' line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" when: @@ -34,8 +32,7 @@ - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" lineinfile: - state: present - dest: /etc/login.defs + path: /etc/login.defs regexp: '^PASS_WARN_AGE' line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" when: From b8bb7912a195c5a48db69e31f63938aa108ea674 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Apr 2022 17:29:57 +0100 Subject: [PATCH 57/69] removed iptables - not valid in rh9 Signed-off-by: Mark Bolwell --- defaults/main.yml | 18 +--- tasks/section_3/cis_3.4.3.1.x.yml | 59 ----------- tasks/section_3/cis_3.4.3.2.x.yml | 163 ----------------------------- tasks/section_3/cis_3.4.3.3.x.yml | 152 --------------------------- tasks/section_3/main.yml | 14 --- templates/ansible_vars_goss.yml.j2 | 22 +--- 6 files changed, 2 insertions(+), 426 deletions(-) delete mode 100644 tasks/section_3/cis_3.4.3.1.x.yml delete mode 100644 tasks/section_3/cis_3.4.3.2.x.yml delete mode 100644 tasks/section_3/cis_3.4.3.3.x.yml diff --git a/defaults/main.yml b/defaults/main.yml index 21f70b0b..66e8060f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -205,21 +205,7 @@ rhel9cis_rule_3_4_2_8: true rhel9cis_rule_3_4_2_9: true rhel9cis_rule_3_4_2_10: true rhel9cis_rule_3_4_2_11: true -rhel9cis_rule_3_4_3_1_1: true -rhel9cis_rule_3_4_3_1_2: true -rhel9cis_rule_3_4_3_1_3: true -rhel9cis_rule_3_4_3_2_1: true -rhel9cis_rule_3_4_3_2_2: true -rhel9cis_rule_3_4_3_2_3: true -rhel9cis_rule_3_4_3_2_4: true -rhel9cis_rule_3_4_3_2_5: true -rhel9cis_rule_3_4_3_2_6: true -rhel9cis_rule_3_4_3_3_1: true -rhel9cis_rule_3_4_3_3_2: true -rhel9cis_rule_3_4_3_3_3: true -rhel9cis_rule_3_4_3_3_4: true -rhel9cis_rule_3_4_3_3_5: true -rhel9cis_rule_3_4_3_3_6: true + # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -490,8 +476,6 @@ rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true -#### iptables -rhel9cis_iptables_firewalld_state: masked # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml deleted file mode 100644 index 56ce0766..00000000 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- - -- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed" - package: - name: - - iptables - - iptables-services - state: present - when: - - rhel9cis_rule_3_4_3_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.1 - -- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - package: - name: nftables - state: absent - when: - - rhel9cis_rule_3_4_3_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.2 - -# The control allows the service it be masked or not installed -# We have chosen not installed -- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" - block: - - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" - systemd: - name: firewalld - masked: true - state: stopped - when: - - rhel9cis_iptables_firewalld_state == "masked" - - - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" - package: - name: firewalld - state: absent - when: - - rhel9cis_iptables_firewalld_state == "absent" - when: - - rhel9cis_rule_3_4_3_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.3 diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml deleted file mode 100644 index e600ae73..00000000 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ /dev/null @@ -1,163 +0,0 @@ ---- - -- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - when: - - rhel9cis_rule_3_4_3_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.1 - -- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_rule_3_4_3_2_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - iptables - - rule_3.4.3.2.2 - -- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports" - block: - - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports" - shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_3_otcp - - - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get the list of udp open ports" - shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_3_oudp - - - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}" - when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - - - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports" - iptables: - action: append - chain: INPUT - protocol: udp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" - when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - when: - - rhel9cis_rule_3_4_3_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.3 - -- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - - - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_3_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.4 - -- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved" - iptables_state: - state: saved - path: /etc/sysconfig/iptables - when: - - rhel9cis_rule_3_4_3_2_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.5 - -- name: "3.4.3.2.6 | PATCH | Ensure iptables service is enabled and active" - service: - name: iptables - enabled: yes - state: started - when: - - rhel9cis_rule_3_4_3_2_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.6 diff --git a/tasks/section_3/cis_3.4.3.3.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml deleted file mode 100644 index 83479db9..00000000 --- a/tasks/section_3/cis_3.4.3.3.x.yml +++ /dev/null @@ -1,152 +0,0 @@ ---- - -- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - when: - - rhel9cis_rule_3_4_3_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.1 - -- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_rule_3_4_3_3_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - ip6tables - - rule_3.4.3.3.2 - -- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" - shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_3_otcp - - - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - ip_version: ipv6 - with_items: - - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" - when: rhel9cis_3_4_3_3_3_otcp.stdout is defined - when: - - rhel9cis_rule_3_4_3_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.3 - -- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_3_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.4 - -- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved" - iptables_state: - state: saved - path: /etc/sysconfig/ip6tables - ip_version: ipv6 - when: - - rhel9cis_rule_3_4_3_3_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.5 - -- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active" - service: - name: ip6tables - enabled: yes - state: started - when: - - rhel9cis_rule_3_4_3_3_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.6 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 7c6dc9b9..a263c0b8 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -19,17 +19,3 @@ when: - rhel9cis_firewall == "nftables" -- name: "SECTION | 3.4.3.1.x | Configure iptables" - include_tasks: cis_3.4.3.1.x.yml - when: - - rhel9cis_firewall == "iptables" - -- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4" - include_tasks: cis_3.4.3.2.x.yml - when: - - rhel9cis_firewall == "iptables" - -- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6" - include_tasks: cis_3.4.3.3.x.yml - when: - - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e3ca2243..c779fb20 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -200,25 +200,6 @@ rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} -# 3.4.3.1 Configure iptables -rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }} -rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }} -rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }} -# 3.4.3.2 iptables ipv4 -rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }} -rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }} -rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }} -rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }} -rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }} -rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }} -# 3.4.3.2 iptables ipv6 -rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }} -rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }} -rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }} -rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }} -rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }} -rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }} - # Section 4 rules # 4.1 Configure System Accounting @@ -459,8 +440,7 @@ rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} -#### iptables -rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }} + # Section 4 From 9c519482a8955fcabaa560e0b48b317db2bcf253 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Apr 2022 10:04:46 +0100 Subject: [PATCH 58/69] fixed typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 5a901c23..c7800132 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}noexec{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: From 08e48fbe8376c5d1269459f9837d6ab3d330e9c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:38:01 +0100 Subject: [PATCH 59/69] updated grub controls Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- tasks/prelim.yml | 34 ---------------------------------- tasks/section_1/cis_1.4.x.yml | 4 +--- 3 files changed, 2 insertions(+), 38 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index b0f3e7dd..08c80264 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -115,7 +115,7 @@ - skip_ansible_lint - name: grub2cfg - shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" + shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false ignore_errors: True diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eb02040d..eb17d008 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -156,40 +156,6 @@ - rule_5.3.4 - rule_5.3.5 -- name: "PRELIM | Set facts based on boot type" - block: - - name: "PRELIM | Check whether machine is UEFI-based" - stat: - path: /sys/firmware/efi - register: rhel_09_efi_boot - - - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - set_fact: - rhel9cis_legacy_boot: true - grub2_path: /etc/grub2.cfg - when: not rhel_09_efi_boot.stat.exists - - - name: "PRELIM | set grub fact | UEFI" - set_fact: - grub2_path: /etc/grub2-efi.cfg - when: rhel_09_efi_boot.stat.exists - when: - - not system_is_container - tags: - - bootloader - - grub - -- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" - stat: - path: "{{ grub2_path }}" - changed_when: false - register: grub_cfg - when: - - not system_is_container - tags: - - bootloader - - grub - - name: "PRELIM | Check for rhnsd service" shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 9eac4eb8..45414cdf 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -25,7 +25,7 @@ block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" file: - path: "{{ grub_cfg.stat.lnk_source }}" + path: /boot/grub2/grub.cfg owner: root group: root mode: 0600 @@ -47,8 +47,6 @@ - item.mount == "/boot/efi" when: - rhel9cis_rule_1_4_2 - - grub_cfg.stat.exists - - grub_cfg.stat.islnk tags: - level1-server - level1-workstation From 4bd971fdcdb98f16323638dc6c042556af013304 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:38:26 +0100 Subject: [PATCH 60/69] selinux updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 53 +++++++++++---------------------- 1 file changed, 18 insertions(+), 35 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 93e2eae7..f917a99a 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -47,8 +47,7 @@ - patch - rule_1.6.1.3 -# State set to enforcing because control 1.6.1.5 requires enforcing to be set -- name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" +- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" @@ -56,80 +55,64 @@ when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 - tags: - - level1-server - - level1-workstation - - auotmated - - selinux - - patch - - rule_1.6.1.4 - -- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation - automated - selinux - patch - - rule_1.6.1.5 + - rule_1.6.1.4 -- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" +- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist" block: - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_6_1_6_unconf_services + register: rhelcis_1_6_1_5_unconf_services failed_when: false changed_when: false - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" debug: msg: "Good News! There are no services found on your system" - when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 + when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0 - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" debug: - msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" - when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 + msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_5 tags: - level1-server - level1-workstation - automated - audit - services - - rule_1.6.1.6 + - rule_1.6.1.5 -- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" +- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed" package: name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_6 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - automated - selinux - patch - - rule_1.6.1.7 + - rule_1.6.1.6 -- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" +- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" package: name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_8 + - rhel9cis_rule_1_6_1_7 tags: - level1-server - level1-workstation - automated - patch - - rule_1.6.1.8 + - rule_1.6.1.7 From 2a421fcea6933f70a2259182f8aba2447d693ad6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:39:13 +0100 Subject: [PATCH 61/69] logrotate changes reflected Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 39 ++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index e8a47808..f82dc9e2 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -1,13 +1,42 @@ --- -- name: "4.3 | PATCH | Ensure logrotate is configured" +- name: "4.3.1 | PATCH | Ensure logrotate is installed" + package: + name: rsyslog-logrotate + state: present + when: + - rhel9cis_rule_4_3_1 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_4.3.1 + +- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" + systemd: + name: rsyslog-logrotate + state: started + enabled: true + when: + - rhel9cis_rule_4_3_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_4.3.2 + +- name: "4.3.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + - name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3 | PATCH | Ensure logrotate is configured" + - name: "4.3.3 | PATCH | Ensure logrotate is configured" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' @@ -18,11 +47,11 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_4_3 + - rhel9cis_rule_4_3_3 tags: - level1-server - level1-workstation - manual - patch - logrotate - - rule_4.3 + - rule_4.3.3 From f66d271ceed36d986c2c2b0eb3f82f1f00eba44f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:39:30 +0100 Subject: [PATCH 62/69] controlid updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++-- templates/ansible_vars_goss.yml.j2 | 7 +++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 66e8060f..290bbb61 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -125,7 +125,6 @@ rhel9cis_rule_1_6_1_4: true rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_7: true -rhel9cis_rule_1_6_1_8: true rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_3: true @@ -254,7 +253,9 @@ rhel9cis_rule_4_2_2_5: true rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true -rhel9cis_rule_4_3: true +rhel9cis_rule_4_3_1: true +rhel9cis_rule_4_3_2: true +rhel9cis_rule_4_3_3: true # Section 5 rules rhel9cis_rule_5_1_1: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c779fb20..0947ce3c 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -106,7 +106,6 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} -rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} @@ -258,7 +257,11 @@ rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }} rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }} rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} -rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + +# 4.3 Logrotate +rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} +rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }} +rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }} # Section 5 # Authentication and Authorization From 49ab8c6f9f2e300f1f41ffca922ac82c8848c691 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Apr 2022 17:40:50 +0100 Subject: [PATCH 63/69] updates for rh9 Signed-off-by: Mark Bolwell --- Changelog.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog.md b/Changelog.md index 03e48788..b120eee4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,16 @@ # Changes to rhel9CIS +## 0.2 + +- not all controls work with rhel8 releases any longer + - selinux disabled 1.6.1.4 + - logrotate - 4.3.x +- updated to rhel8cis v2.0 benchamrk requirements +- removed iptables firewall controls (not valid on rhel9) +- added more to logrotate 4.3.x - sure to logrotate now a seperate package +- grub path now standard to /boot/grub2/grub.cfg +- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer + ## 0.1 - change to include statements From a8602689b87523e11a80349c2be79ba77dc8cb93 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 16:58:11 +0100 Subject: [PATCH 64/69] updated issues and added improvements Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- tasks/main.yml | 8 +++++--- tasks/section_1/cis_1.4.x.yml | 2 -- tasks/section_1/cis_1.8.x.yml | 2 +- tasks/section_3/cis_3.4.1.x.yml | 7 +++++-- vars/RedHat.yml | 4 +++- vars/main.yml | 1 + 7 files changed, 18 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 290bbb61..02b04225 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -376,9 +376,9 @@ rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. -rhel9cis_crypto_policy: "FUTURE" +# 1.10 Set crypto policy DEFAULT +# Control 1.10 states not to use LEGACY +rhel9cis_crypto_policy: "DEFAULT" # System network parameters (host only OR host and router) rhel9cis_is_router: false diff --git a/tasks/main.yml b/tasks/main.yml index 8bda2a64..94ab74c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,11 +50,13 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed assert: - that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_rule_1_4_1 + tags: + - always - name: "check sugroup exists if used" block: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 45414cdf..6ac49792 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -10,8 +10,6 @@ notify: grub2cfg when: - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - rhel9cis_rule_1_4_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index e056ceff..a126a0ab 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -91,7 +91,7 @@ - name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" lineinfile: path: /etc/dconf/db/local.d/00-media-automount - regex: "{{ item.regex }}" + regexp: "{{ item.regex }}" line: "{{ item.line }}" create: yes notify: reload dconf diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 7c25ff2a..3518b42c 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -21,8 +21,11 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - state: stopped - enabled: false + masked: true + with_items: + - iptables + - ip6tables + when: item in ansible_facts.packages - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d67cedc4..0b1c2cc9 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,4 +1,6 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release +rpm_packager: "Red Hat, Inc" +rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/ diff --git a/vars/main.yml b/vars/main.yml index e68cec00..dbbc71f6 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,5 +3,6 @@ min_ansible_version: 2.10 rhel9cis_allowed_crypto_policies: + - 'DEFAULT' - 'FUTURE' - 'FIPS' From 9a1ab79199dbf53155815ccb5a364528a8586409 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 18:29:53 +0100 Subject: [PATCH 65/69] updated test Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 23583d5d..0023f2dd 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -20,7 +20,8 @@ - skip_ansible_lint # Added as no_log still errors on ansuible-lint - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" + shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" + changed_when: false when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or From 2c9587e666df77f87939538a32550ad1b388b31f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 18:30:43 +0100 Subject: [PATCH 66/69] updated for rh9 only Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 94ab74c7..264120ae 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,7 +3,7 @@ - name: Check OS version and family assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" when: From e807498ed8e2e5d87f234dd441b78c9361a071cf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Apr 2022 18:32:33 +0100 Subject: [PATCH 67/69] updated for correct service name Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index f82dc9e2..2ba5f1f5 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -16,7 +16,7 @@ - name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" systemd: - name: rsyslog-logrotate + name: logrotate state: started enabled: true when: From 83f0fb30ecaaa0af68a1eda9b0d07b497cb1238f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Apr 2022 12:01:06 +0100 Subject: [PATCH 68/69] updated regex Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a9eaf758..91540ea2 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -90,13 +90,13 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc - regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: 'UMASK 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" replace: path: /etc/profile - regexp: '^(\s+UMASK|UMASK)\s0[0-2][0-6]' + regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: 'UMASK 027' when: - rhel9cis_rule_5_6_5 From 32f5817007691d6c93b7fe210d4a49f8221c1eb2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Apr 2022 12:01:20 +0100 Subject: [PATCH 69/69] added missing test to 3.3.7 Signed-off-by: Mark Bolwell --- templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 19a9fd37..308b914b 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -40,6 +40,7 @@ net.ipv4.icmp_ignore_bogus_error_responses = 1 {% endif %} {% if rhel9cis_rule_3_3_7 %} # CIS 3.3.7 +net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 {% endif %} {% if rhel9cis_rule_3_3_8 %}