From 4223bd3d4a0eb5f132a7b88d8ff09b8212574a2a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 22 Feb 2024 11:35:59 +0000 Subject: [PATCH 01/22] abilty to adjust 5.6.1.x rules Signed-off-by: Mark Bolwell --- defaults/main.yml | 20 ++++- tasks/section_5/cis_5.6.1.x.yml | 136 +++++++++++++++++++++++++++----- 2 files changed, 135 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 617ba3b4..b2e1740d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -669,14 +669,28 @@ rhel8cis_authselect: # Any other value does nothing rhel8cis_pamd_manual_risks: NEVER -# 5.6.1.1 -# 5.6.1.2 -# 5.6.1.3 +# 5.6.1.x rhel8cis_pass: max_days: 365 min_days: 7 warn_age: 7 +# 5.6.1.1 +## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['max_days'] +rhel8cis_5_6_1_1_set_max_expiry: false + +## Add users to be skipped if required +rhel8cis_5_6_1_1_user_skip_list: + root + +# 5.6.1.2 +## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['min_days'] +rhel8cis_5_6_1_1_set_min_days_change: false + +# 5.6.1.3 +## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['warn_age'] +rhel8cis_5_6_1_3_set_warn_age_change: false + # 5.6.1.4 rhel8cis_inactivelock: lock_days: 30 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 441b36e6..4e034162 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml 
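Review bot: `rhel8cis_5_6_1_1_user_skip_list:` with `root` on the following line parses as the plain string `root`, not a one-element list, so the 5.6.1.1 task's `item not in rhel8cis_5_6_1_1_user_skip_list` becomes a substring test that would also skip any account whose name is a substring of `root`, and further entries added the same way would be folded into one string. Write it as a sequence: `rhel8cis_5_6_1_1_user_skip_list:` / `  - root`. The default added under the `# 5.6.1.2` heading is named `rhel8cis_5_6_1_1_set_min_days_change`, while the 5.6.1.2 tasks in the second hunk of this commit test `rhel8cis_5_6_1_2_set_min_days_change`, which would be undefined when that rule runs; rename the default to `rhel8cis_5_6_1_2_set_min_days_change: false`.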
@@ -1,10 +1,44 @@ --- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel8cis_pass['max_days'] }}" + block: + - name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Capture accounts more than 365" + ansible.builtin.shell: "grep -E '^[^:]+:[^!*]' /etc/shadow | awk -F':' '$5>{{ rhel8cis_pass['max_days'] }} { print $1 }'" + changed_when: false + failed_when: rhel8cis_5_6_1_1_pass_max_expire.rc not in [ 0, 1 ] + register: rhel8cis_5_6_1_1_pass_max_expire + + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | update login.defs" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel8cis_pass['max_days'] }}" + + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Ensure all accounts set to 365" + ansible.builtin.user: + name: "{{ item }}" + password_expire_max: "{{ rhel8cis_pass['max_days'] }}" + loop: "{{ rhel8cis_5_6_1_1_pass_max_expire.stdout_lines | default([]) }}" + when: + - rhel8cis_5_6_1_1_set_max_expiry + - item not in rhel8cis_5_6_1_1_user_skip_list + + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Warning" + block: + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Output list if not set to change" + ansible.builtin.debug: + msg: | + "Warning!! The following account are set beyond the expected expiration date: + {{ rhel8cis_5_6_1_1_set_max_expiry.stdout_lines }}" + + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | set warning fact" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '5.6.1.1' + when: + - rhel8cis_5_6_1_1_pass_max_expire is defined + - rhel8cis_5_6_1_1_pass_max_expire.stdout | length > 0 + - not rhel8cis_5_6_1_1_set_max_expiry when: - rhel8cis_rule_5_6_1_1 tags: 
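Review bot: The AUDIT shell task registering `rhel8cis_5_6_1_1_pass_max_expire` has `changed_when: false` but no `check_mode: false`, so in a `--check` run it would be skipped and the warning block's `rhel8cis_5_6_1_1_pass_max_expire.stdout | length > 0` would then fail on the missing `stdout` attribute (the `is defined` test only covers the registered variable itself, and the `default([])` on the loop does not reach this condition). The 5.6.1.4 "Getting user list" task in the last hunk of this file uses `check_mode: false` for the same kind of read-only `/etc/shadow` query; add the same line here: `check_mode: false`. The 5.6.1.2 and 5.6.1.3 AUDIT tasks in the following two hunks have the same gap.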
@@ -16,10 +50,43 @@ - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel8cis_pass['min_days'] }}" + block: + - name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is 7 or more | Capture accounts 7 or more" + ansible.builtin.shell: "grep -E '^[^:]+:[^!*]' /etc/shadow | awk -F':' '$4>{{ rhel8cis_pass['min_days'] }} { print $1 }'" + changed_when: false + failed_when: rhel8cis_5_6_1_2_min_day_change.rc not in [ 0, 1 ] + register: rhel8cis_5_6_1_2_min_day_change + + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: "PASS_MIN_DAYS {{ rhel8cis_pass['min_days'] }}" + + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Change users found" + ansible.builtin.user: + name: "{{ item }}" + password_expire_min: "{{ rhel8cis_pass['min_days'] }}" + loop: "{{ rhel8cis_5_6_1_2_min_day_change.stdout_lines | default([]) }}" + when: + - rhel8cis_5_6_1_2_set_min_days_change + + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Warning" + block: + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Output list if not set to change" + ansible.builtin.debug: + msg: | + "Warning!! 
The following account are set beyond the expected minimum days between passwords: + {{ rhel8cis_5_6_1_2_min_day_change.stdout_lines }}" + + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | set warning fact" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '5.6.1.2' + when: + - rhel8cis_5_6_1_2_min_day_change is defined + - rhel8cis_5_6_1_2_min_day_change.stdout | length > 0 + - not rhel8cis_5_6_1_2_set_min_days_change when: - rhel8cis_rule_5_6_1_2 tags: 
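Review bot: The AUDIT capture selects accounts with `$4>{{ rhel8cis_pass['min_days'] }}`, i.e. a minimum password age already above the threshold, which are the accounts that already satisfy "7 or more"; if the intent is to find and fix accounts that violate the control, the comparison should be `$4<{{ rhel8cis_pass['min_days'] }}` (field 4 of `/etc/shadow` is the minimum age, so the field itself is right). As written, the "Change users found" task lowers the minimum age of accounts that were stricter than the baseline and leaves non-compliant accounts untouched, while the warning lists the compliant ones. The 5.6.1.3 capture in the next hunk uses the same inverted comparison.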
@@ -31,12 +98,45 @@ - rule_5.6.1.2 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel8cis_pass['warn_age'] }}" + block: + - name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | capture accounts" + ansible.builtin.shell: "grep -E '^[^:]+:[^!*]' /etc/shadow | awk -F':' '$4>{{ rhel8cis_pass['warn_age'] }} { print $1 }'" + changed_when: false + failed_when: rhel8cis_5_6_1_3_warn_age_change.rc not in [ 0, 1 ] + register: rhel8cis_5_6_1_3_warn_age_change + + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set default" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel8cis_pass['warn_age'] }}" + + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Change users found" + ansible.builtin.shell: "change --warndays {{ rhel8cis_pass['warn_age'] }} {{ item }}" + loop: "{{ rhel8cis_5_6_1_3_warn_age_change.stdout_lines | default([]) }}" + when: + - rhel8cis_5_6_1_3_set_warn_age_change + + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | warning" + block: + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Output list if not set to change" + ansible.builtin.debug: + msg: | + "Warning!! The following account are set beyond the expected warning date: + {{ rhel8cis_5_6_1_3_warn_age_change.stdout_lines }}" + + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set warning fact" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '5.6.1.3' + when: + - rhel8cis_5_6_1_3_warn_age_change is defined + - rhel8cis_5_6_1_3_warn_age_changee.stdout | length > 0 + - not rhel8cis_5_6_1_3_set_warn_age_change + when: - rhel8cis_rule_5_6_1_3 + tags: - level1-server - level1-workstation 
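Review bot: The "Change users found" task runs `change --warndays ...`; the utility is `chage`, as the 5.6.1.4 task in this same file uses, so the task would fail for every captured user once `rhel8cis_5_6_1_3_set_warn_age_change` is enabled. The AUDIT awk also tests field `$4` (minimum age) although the warning period is the sixth field of `/etc/shadow`, so it captures the wrong accounts. Suggested lines: `ansible.builtin.shell: "grep -E '^[^:]+:[^!*]' /etc/shadow | awk -F':' '$6<{{ rhel8cis_pass['warn_age'] }} { print $1 }'"` for the capture and `ansible.builtin.shell: "chage --warndays {{ rhel8cis_pass['warn_age'] }} {{ item | quote }}"` for the change, the latter with a `changed_when` so it does not report a change on every run. The `| quote` matches how this role already passes usernames to shell in the 6.2.9 task.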
@@ -47,6 +147,12 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" + ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + changed_when: false + check_mode: false + register: rhel_8_5_6_1_4_user_list + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel8cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false @@ -58,12 +164,6 @@ ansible.builtin.shell: useradd -D -f {{ rhel8cis_inactivelock.lock_days }} when: rhel8cis_5_6_1_4_inactive_settings.stdout | length == 0 - - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" - changed_when: false - check_mode: false - register: rhel_8_5_6_1_4_user_list - - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" ansible.builtin.shell: "chage --inactive {{ rhel8cis_inactivelock.lock_days }} {{ item }}" with_items: From a2bcc1676f2ec770be84e317995cbf7eb0cff0c4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 22 Feb 2024 11:38:39 +0000 Subject: [PATCH 02/22] Min ansible version update 2.11.1 Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 6b2f491b..9868ccb1 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,7 @@ --- # vars file for RHEL8-CIS -min_ansible_version: 2.10.1 +min_ansible_version: 2.11.1 rhel8cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' 
From ee5dfa79d7850d71532a5451356a794ee84df692 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 22 Feb 2024 11:39:12 +0000 Subject: [PATCH 03/22] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 1f65180f..342fd889 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel8CIS +## 1.5.16 - Based on CIS v2.0.0 + +- updated min ansibleversion to 2.11.1 + +- changes to 5.6.1.[ 1, 2, 3] + - ability to change current users + - variables added to defaults/main.yml to enable + ## 1.5.15 - based on CIS v2.0.0 ### Audit @@ -9,7 +17,7 @@ - tidy up of audit variables to var/audit.yml and some in defaults/main.ym - goss version increased to 0.3.23 - Doesn't run with latest version 0.4+ -- updated 5.4.1 a,d 5.4.2 for authselect +- updated 5.4.1 and 5.4.2 for authselect - Update to 2.1.2. sysconfig for chronyd From d31347ca9fbd6971c7d49bd7fe6f7cf7f8623e0d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 22 Feb 2024 12:14:59 +0000 Subject: [PATCH 04/22] fix typo Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 4e034162..56020c57 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -131,7 +131,7 @@ warn_control_id: '5.6.1.3' when: - rhel8cis_5_6_1_3_warn_age_change is defined - - rhel8cis_5_6_1_3_warn_age_changee.stdout | length > 0 + - rhel8cis_5_6_1_3_warn_age_change.stdout | length > 0 - not rhel8cis_5_6_1_3_set_warn_age_change when: From d5be5f727b24f7df259936f62e56bf07e4554197 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 Feb 2024 13:45:26 +0000 Subject: [PATCH 05/22] removed files not required 
Signed-off-by: Mark Bolwell --- files/etc/systemd/system/tmp.mount | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 files/etc/systemd/system/tmp.mount diff --git a/files/etc/systemd/system/tmp.mount b/files/etc/systemd/system/tmp.mount deleted file mode 100644 index 47ca6625..00000000 --- a/files/etc/systemd/system/tmp.mount +++ /dev/null @@ -1,25 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=Temporary Directory -Documentation=man:hier(7) -Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems -ConditionPathIsSymbolicLink=!/tmp -DefaultDependencies=no -Conflicts=umount.target -Before=local-fs.target umount.target - -[Mount] -What=tmpfs -Where=/tmp -Type=tmpfs -Options=mode=1777,strictatime,noexec,nodev,nosuid - -# Make 'systemctl enable tmp.mount' work: -[Install] -WantedBy=local-fs.target From da48c0510798e4ff333c8142118604f0dbdaa8cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:00:04 +0000 Subject: [PATCH 06/22] updated for galaxy-ng Signed-off-by: Mark Bolwell --- meta/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index e11479e3..2ffe148d 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,12 +1,12 @@ --- galaxy_info: - author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" + author: "MindPoint Group" description: "Apply the DISA RHEL 8 CIS" company: "MindPoint Group" license: MIT namespace: mindpointgroup role_name: rhel8_cis - min_ansible_version: 2.9.0 + min_ansible_version: 2.11.1 platforms: - name: EL versions: 
From 727d9bd0cf1d11f212a791731987e5ee4ffad27d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:00:41 +0000 Subject: [PATCH 07/22] update tag Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5886f6f5..3b672b1b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -103,7 +103,7 @@ path: /etc/systemd/coredump.conf register: systemd_coredump when: - - rhel8cis_rule_1_6_1 + - rhel8cis_rule_1_5_1 tags: - always From 3029f9f36bc633bf8c687dbb37b6cb552b5d460a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:01:23 +0000 Subject: [PATCH 08/22] fix typo Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index a2cd9c2c..0b80e1fd 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -127,7 +127,7 @@ - vsftpd - rule_2.2.8 -- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" +- name: "2.2.9 | PATCH | Ensure TFTP Server is not installed" ansible.builtin.package: name: tftp-server state: absent From 31c13d948b910c7dbf8663054b3dd3e0469eb7b0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:06:38 +0000 Subject: [PATCH 09/22] selinux state update now a variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 ++++++++++- tasks/section_1/cis_1.6.1.x.yml | 6 +++--- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b2e1740d..e53633a7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -497,7 +497,16 @@ rhel8cis_aide_cron: aide_weekday: '*' # SELinux policy -rhel8cis_selinux_pol: targeted + +# SELinux can run in one of three modes: disabled, permissive, or enforcing: +# CIS strongly discourages disabled +# NOTE: +# Section 1.6.1.5 forces Enforcing to be set. So If rhel8cis_rule_1_6_1_3: true +# make sure enforcing is set below for idempotency for taks 1.6.1.3 - 5 +rhel8cis_selinux_state: enforcing +# Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only. +# Valid Inputs: targeted or mls +rhel8cis_selinux_policy: targeted # Whether or not to run tasks related to auditing/patching the desktop environment rhel8cis_gui: false diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 55574be5..f4836df4 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -34,7 +34,7 @@ ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel8cis_selinux_pol }}" - state: enforcing + state: "{{ rhel8cis_selinux_state }}" when: - not rhel8cis_selinux_disable - rhel8cis_rule_1_6_1_3 @@ -51,14 +51,14 @@ ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel8cis_selinux_pol }}" - state: enforcing + state: "{{ rhel8cis_selinux_state }}" when: - not rhel8cis_selinux_disable - rhel8cis_rule_1_6_1_4 tags: - level1-server - level1-workstation - - auotmated + - automated - selinux - patch - rule_1.6.1.4 From a6cf1f1c32570d90d5cd22bd64c292788b463c62 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:08:59 +0000 Subject: [PATCH 10/22] updated conditional 6.2.1 & 6.2.8 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index d4f2b8ac..fb4e94be 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
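Review bot: The 1.6.1.4 task, "Ensure the SELinux mode is not disabled", now writes `state: "{{ rhel8cis_selinux_state }}"` verbatim, and the new comment in defaults lists `disabled` as one of the three modes, so a user following the comment can make this control itself disable SELinux. Narrow the documented values and guard the variable, e.g. `# Valid inputs: enforcing or permissive (use rhel8cis_selinux_disable to opt out; 'disabled' here would defeat rule 1.6.1.4)`, and consider an `ansible.builtin.assert` that `rhel8cis_selinux_state in ['enforcing', 'permissive']` in the prelim tasks. This commit also renames the default to `rhel8cis_selinux_policy` while the task hunks here still read `rhel8cis_selinux_pol`, so the role is broken at this commit until a later one in the series aligns the names. In the comment, `taks` should read `tasks`.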
@@ -6,7 +6,7 @@ failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" when: - - empty_password_accounts.rc + - empty_password_accounts.stdout is defined - rhel8cis_rule_6_2_1 tags: - level1-server @@ -218,7 +218,7 @@ failed_when: false with_items: "{{ rhel8cis_uid_zero_accounts_except_root.stdout_lines }}" when: - - rhel8cis_uid_zero_accounts_except_root.rc + - rhel8cis_uid_zero_accounts_except_root.stdout is defined - rhel8cis_rule_6_2_8 tags: - level1-server From a7da6b975a04ac2f71e847860db98a14ff906472 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:10:36 +0000 Subject: [PATCH 11/22] remove invalid entries Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e53633a7..552edbc8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -119,10 +119,6 @@ rhel8cis_rule_1_1_7_5: true rhel8cis_rule_1_1_8_1: true rhel8cis_rule_1_1_8_2: true rhel8cis_rule_1_1_8_3: true -rhel8cis_rule_1_1_18: true -rhel8cis_rule_1_1_19: true -rhel8cis_rule_1_1_20: true -rhel8cis_rule_1_1_21: true rhel8cis_rule_1_1_9: true rhel8cis_rule_1_1_10: true rhel8cis_rule_1_2_1: true From 7f04f81f287b7f81d0ff2128c5f10ee7d8386523 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:12:16 +0000 Subject: [PATCH 12/22] typo fixes Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 0bb8acb5..184912c9 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -99,7 +99,7 @@ - automated - patch - auditd - - rule_4.1.3_7 + - rule_4.1.3.7 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" ansible.builtin.set_fact: 
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 47468e69..a2dfba43 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -127,7 +127,7 @@ local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages - *.emrg :omusrmsg:* + *.emerg :omusrmsg:* insertafter: '#### RULES ####' notify: restart rsyslog From 3a21969f746421706cfe1bfb10b25dc105b8a99b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:14:39 +0000 Subject: [PATCH 13/22] Allow chrony config to be managed Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++++ tasks/section_2/cis_2.1.x.yml | 1 + 2 files changed, 5 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 552edbc8..64a728a8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -520,6 +520,10 @@ rhel8cis_time_synchronization_servers: - 2.pool.ntp.org - 3.pool.ntp.org +# rhel8cis_ansible_chrony_managed uses the template built into this remediation to be copied to /etc/chrony.conf +# If you are using your own self managed /etc/chrony.conf set this to false. +rhel8cis_chrony_ansible_managed: true + rhel8cis_chrony_server_options: "minpoll 8" rhel8cis_ntp_server_options: "iburst" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 46a210e2..33143d23 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -23,6 +23,7 @@ owner: root group: root mode: 0644 + when: rhel8cis_chrony_ansible_managed - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd" ansible.builtin.lineinfile: From e00c5768cee8a346da005f842e429a32c9d173ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:17:19 +0000 Subject: [PATCH 14/22] updated pol to policy Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
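Review bot: The new comment in defaults refers to `rhel8cis_ansible_chrony_managed`, but the key defined beneath it is `rhel8cis_chrony_ansible_managed`, which is also what the new `when:` on the 2.1.2 template task tests. Fix the comment and make the trade-off explicit, since with `false` the servers and options configured above are no longer written to `/etc/chrony.conf` by this role: `# rhel8cis_chrony_ansible_managed: when true the role's chrony.conf template is deployed to /etc/chrony.conf.` / `# Set to false if /etc/chrony.conf is managed elsewhere; rhel8cis_time_synchronization_servers and rhel8cis_chrony_server_options are then not applied by this role.`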
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f4836df4..fde021c7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -33,7 +33,7 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" ansible.posix.selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_policy }}" state: "{{ rhel8cis_selinux_state }}" when: - not rhel8cis_selinux_disable @@ -50,7 +50,7 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" ansible.posix.selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_policy }}" state: "{{ rhel8cis_selinux_state }}" when: - not rhel8cis_selinux_disable @@ -66,7 +66,7 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" ansible.posix.selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_policy }}" state: enforcing when: - not rhel8cis_selinux_disable From cf7a77e2f3662733c07ae553da073fafad0bf55d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:21:00 +0000 Subject: [PATCH 15/22] Credits and thanks added Signed-off-by: Mark Bolwell --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 3dd2da52..17083aa0 100644 --- a/README.md +++ b/README.md @@ -212,3 +212,9 @@ local testing uses: ```sh pre-commit run ``` + +## Credits and Thanks + +Massive thanks to the fantastic community and all is members +Huge thanks and Credit to the original authors and maintainers. +Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From 3cda94bf9fb540b4914b5e2644917599e7454fc0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 14:47:40 +0000 Subject: [PATCH 16/22] updated Readme credits Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index 17083aa0..71134efa 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,6 @@ pre-commit run ## Credits and Thanks -Massive thanks to the fantastic community and all is members -Huge thanks and Credit to the original authors and maintainers. +Massive thanks to the fantastic community and all is members. +This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From dec909250d60649a1a865bc721bf308c296c5b3f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 15:10:42 +0000 Subject: [PATCH 17/22] updated typo Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 71134efa..4c3ba530 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,6 @@ pre-commit run ## Credits and Thanks -Massive thanks to the fantastic community and all is members. +Massive thanks to the fantastic community and all its members. This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From 6deebb86b8b1291f82f3a162bf6f811444a90727 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Mar 2024 11:58:27 +0000 Subject: [PATCH 18/22] added optional nfs,rpc and rsync, remove or mask Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++ tasks/section_2/cis_2.2.x.yml | 90 +++++++++++++++++++++++++++-------- 2 files changed, 75 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 64a728a8..a52598f8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -388,11 +388,17 @@ rhel8cis_ftp_server: false rhel8cis_httpd_server: false rhel8cis_is_mail_server: false rhel8cis_net_snmp_server: false +# Ability to choose between remove or mask(default) rhel8cis_nfs_server: false +rhel8cis_nfs_mask: true rhel8cis_nginx_server: false rhel8cis_nis_server: false +# Ability to choose between remove or mask(default) rhel8cis_rpc_server: false +rhel8cis_rpc_mask: true +# Ability to choose between remove or mask(default) rhel8cis_rsync_server: false +rhel8cis_rsync_mask: true rhel8cis_samba_server: false rhel8cis_squid_server: false rhel8cis_telnet_server: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 0b80e1fd..5b759b26 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -291,14 +291,28 @@ - rule_2.2.17 # The name title of the service says mask the service or remove packages -# We went with masking the service due to ipa-client and other elements that are dependant on nfs-utils +# Option available - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" - ansible.builtin.systemd: - name: nfs-utils - masked: true - state: stopped + block: + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | Remove package" + ansible.builtin.package: + name: nfs-utils + state: absent + when: + - not rhel8cis_nfs_server + - not rhel8cis_nfs_mask + + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | Mask service" + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: nfs-server.service + enabled: false + state: stopped + masked: true + when: + - not rhel8cis_nfs_server + - rhel8cis_nfs_mask when: - - not rhel8cis_nfs_server - "'nfs-utils' in ansible_facts.packages" - rhel8cis_rule_2_2_18 tags: 
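Review bot: The new "Remove package" branch for 2.2.18 uninstalls `nfs-utils` with `state: absent`, but the comment the hunk replaces, which explained that `ipa-client` and other components depend on `nfs-utils`, is dropped, so a user setting `rhel8cis_nfs_mask: false` gets no warning that the package manager will remove those dependents along with it. Keep the caveat next to the new default: `# Set rhel8cis_nfs_mask: false to remove nfs-utils instead of masking; ipa-client and other packages that depend on nfs-utils are removed with it.` The 2.2.19 hunk drops the equivalent note about `rpcbind` and would benefit from the same comment on `rhel8cis_rpc_mask`.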
@@ -311,15 +325,30 @@ - rule_2.2.18 # The name title of the service says mask the service or remove packages -# We went with masking the service due to ipa-client and other elements that are dependant on rpcbind +# Option available - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" - ansible.builtin.systemd: - name: "{{ item }}" - masked: true - state: stopped - with_items: - - rpcbind - - rpcbind.socket + block: + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | Remove package" + ansible.builtin.package: + name: cups + state: absent + when: + - not rhel8cis_rpc_server + - not rhel8cis_rpc_mask + + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | Mask service" + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - rpcbind.service + - rpcbind.socket + when: + - not rhel8cis_rpc_server + - rhel8cis_rpc_mask when: - not rhel8cis_rpc_server - "'rpcbind' in ansible_facts.packages" 
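Review bot: The 2.2.19 "Remove package" task removes `cups`, not `rpcbind`, so with `rhel8cis_rpc_mask: false` the role uninstalls the print service while rpcbind stays installed and unmasked (the mask branch is skipped because `rhel8cis_rpc_mask` is false), and the control is reported as applied. The line should be `name: rpcbind`, matching the `'rpcbind' in ansible_facts.packages` guard on the outer `when`. The outer `when` also still tests `not rhel8cis_rpc_server`, which both inner tasks repeat; one of the two is redundant.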
@@ -332,15 +361,34 @@ - rpc - rule_2.2.19 -# The name title of the service says mask the service, but the fix allows for both options -# We went with removing to remove the security/update overhead with having the package installed -- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " - ansible.builtin.package: - name: rsync - state: absent +# The name title of the service says mask the service or remove packages +# Option available +- name: "2.2.20 | PATCH | Ensure rsync is not installed or the rsyncd service is masked" + block: + - name: "2.2.20 | PATCH | Ensure rsync is not installed or the rsyncd service is masked | Remove package" + ansible.builtin.package: + name: rsync-daemon + state: absent + when: + - not rhel8cis_rsync_server + - not rhel8cis_rsync_mask + + - name: "2.2.20 | PATCH | Ensure rsync is not installed or the rsyncd service is masked | Mask service" + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - 'rsyncd.socket' + - 'rsyncd.service' + when: + - not rhel8cis_rsync_server + - rhel8cis_rsync_mask when: - not rhel8cis_rsync_server - - "'rsync' in ansible_facts.packages" + - "'rsync-daemon' in ansible_facts.packages" - rhel8cis_rule_2_2_20 tags: - level1-server From be0c5c81318632ac4fb159b995d1a2d5aa0b2f77 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Mar 2024 11:59:48 +0000 Subject: [PATCH 19/22] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 342fd889..20a34030 100644 --- a/Changelog.md +++ b/Changelog.md @@ -8,6 +8,8 @@ - ability to change current users - variables added to defaults/main.yml to enable +- ability to choose remove for mask for nfs,rpc and rsync + ## 1.5.15 - based on CIS v2.0.0 ### Audit From 6f39963209456e78689414936027e179fa1f27f7 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 5 Mar 2024 12:17:46 +0000 Subject: [PATCH 20/22] updated 5.6.1.1 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 56020c57..2cc5abd2 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -29,7 +29,7 @@ ansible.builtin.debug: msg: | "Warning!! The following account are set beyond the expected expiration date: - {{ rhel8cis_5_6_1_1_set_max_expiry.stdout_lines }}" + {{ rhel8cis_5_6_1_1_pass_max_expire.stdout_lines | default([]) }}" - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | set warning fact" ansible.builtin.import_tasks: warning_facts.yml From 7442e8855216250aebcedc52af2173ac35eb7d20 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Mar 2024 12:18:45 +0000 Subject: [PATCH 21/22] Updated to ignore false or nologin for users Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index fb4e94be..94dbe775 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -235,7 +235,7 @@ ansible.builtin.stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel8cis_passwd | selectattr('shell', '!=', '/bin/false') | selectattr('shell', '!=', '/usr/bin/nologin') | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int ) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -type d -not -type l -perm /027 @@ -323,7 +323,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" ansible.builtin.stat: path: "{{ item }}" - with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int) | map(attribute='dir') | list }}" + with_items: "{{ rhel8cis_passwd | selectattr('shell', '!=', '/bin/false') | selectattr('shell', '!=', '/usr/bin/nologin') | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" From 78ba0a935e5338297b6fa4f6873e59609f698cda Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Mar 2024 12:20:50 +0000 Subject: [PATCH 22/22] added systemd handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index d10a91b2..f2e6e8f1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
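Review bot: The new shell filter excludes `/bin/false` and `/usr/bin/nologin`, but on RHEL 8 the non-login shell assigned to service accounts is normally `/sbin/nologin` (also reachable as `/usr/sbin/nologin`), so those accounts still pass the filter in both the 6.2.9 and 6.2.11 hunks and the intended exclusion largely does not take effect; confirm against a target's `/etc/passwd`. A pattern-based reject covers all of these spellings: replace the `selectattr('shell', '!=', '/usr/bin/nologin')` term with `rejectattr('shell', 'search', 'nologin$')` in both expressions and keep the `/bin/false` term. The UID range tests remain, so interactive users with a real shell are still included.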
@@ -37,6 +37,10 @@ masked: false state: reloaded +- name: Systemd_daemon_reload + ansible.builtin.systemd: + daemon-reload: true + - name: remount tmp ansible.builtin.shell: mount -o remount /tmp
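Review bot: The new handler uses the hyphenated `daemon-reload: true`; the module's documented parameter is `daemon_reload` (the hyphenated form is an alias), and the other handlers in this file use lower-case names with spaces (`remount tmp`) rather than `Systemd_daemon_reload`, so the added handler reads inconsistently with its neighbours. Suggest `- name: systemd daemon reload` with `daemon_reload: true`, updating the `notify:` lines in the 2.2.18–2.2.20 tasks to the new name.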