diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index fe51488c..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 11bdb467..00000000 --- a/.config/.secrets.baseline +++ /dev/null @@ -1,119 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - "tasks/parse_etc_password.yml" - ] - } - ], - "results": {}, - "generated_at": "2023-10-09T15:14:50Z" -} diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..e02fe1f0 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -1,138 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job which tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..4a5adc9c 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job which tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..b6ee6a1f 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,21 +1,19 @@ --- -# This is a basic workflow to help you get started with Actions + name: update galaxy -name: update galaxy + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch -on: - push: - branches: - - main -jobs: - update_role: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 873f2757..f63884f9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: # Safety - id: detect-aws-credentials @@ -30,20 +30,17 @@ repos: # Scan for passwords - repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 + rev: v1.5.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.2 + rev: v8.18.4 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.0 + rev: v24.6.0 hooks: - id: ansible-lint name: Ansible-lint diff --git a/ChangeLog.md b/ChangeLog.md index 0cab94cc..76219bee 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,4 +1,15 @@ -# release CIS RedHat Enterprise Linux 7 Benchmark v3.0.1 - 09-21-2020 +# Release CIS RedHat Enterprise Linux 7 Benchmark + +## v4.0.0 - 21-12-2023 + +- Rewrite to address v4.0.0 changes - refer to full changelog in release +- Audit binary version updates +- Audit only option added +- Audit moved earlier in process +- Audit improvements for copy/unarchive etc +- workflow update to self hosted runner + +## v3.0.1 - 09-21-2020 ## 1.1.4 diff --git a/README.md b/README.md index 844c60a6..9e491fff 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL/Centos 7 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [CIS RedHat Enterprise Linux 7 Benchmark v3.1.1 - 05-21-2021 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [CIS RedHat Enterprise Linux 7 Benchmark v4.0.0 - 21-12-2023 ](https://www.cisecurity.org/cis-benchmarks/) --- ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) @@ -59,10 +59,10 @@ To use release version please point to main branch and relevant release for the It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1_server -- level1_workstation -- level2_server -- level2_workstation +- level1-server +- level1-workstation +- level2-server +- level2-workstation The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. diff --git a/defaults/main.yml b/defaults/main.yml index 42ea0764..656aff1c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,4 @@ --- -# rhel7cis_notauto will auto install intrusive items -rhel7cis_notauto: false # Disable/Enable whole sections (Default is for all) rhel7cis_section1: true @@ -15,7 +13,9 @@ rhel7cis_os_check: true # Should always reboot after this number of changes allow this to be automated as part of remediation skip_reboot: true -change_requires_reboot: false + +# Some tests can have a heavy impact on systen e.g. find on all filesystems etc +rhel7cis_disruption_high: false ## Python Binary ## This is used for python3 Installations where python2 OS modules are used in ansible @@ -24,25 +24,35 @@ python2_bin: /bin/python2.7 ## Benchmark name used by audting control role # The audit variable found at the base benchmark: RHEL7-CIS -benchmark_version: v3.1.1 +benchmark_version: v4.0.0 + +## Level are used heavily in audit +rhel7cis_level_1: true +rhel7cis_level_2: true +### +### Settings for associated Audit role using Goss +### -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/auditd.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file @@ -55,111 +65,143 @@ get_audit_binary_method: download audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# archive or copy: -audit_conf_copy: "some path to copy from" +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# get_url: -audit_files_url: "some url maybe s3?" +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# Where the audit logs are stored +audit_log_dir: '/opt' -### End Goss enablements #### -#### Detailed settings found at the end of this document #### +### Goss Settings ## +####### END ######## -# Enable/Disable SELinux -rhel7cis_selinux_disable: false -rhel7cis_selinux_state: enforcing +#### Detailed settings found at the end of this document #### -system_is_container: false # Place to find the container yml file for your environment - /vars/... This can be adjusted for your requirements. container_vars_file: is_container.yml -# Misc. environment variables -rhel7cis_skip_for_travis: false -system_is_ec2: false - # Change to false if using EFI boot changes 1.1.1.4 to stop vfat rhel7cis_legacy_boot: true -# If set true uses the tmp.mount service else using fstab configuration -rhel7cis_tmp_svc: false - # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. # Section 1 rules -# Section 1 is Initial Setup (Filesystem Configuration, Configure Software Updates, Configure Sudo, Filesystem Integrity Checking, Secure Boot Settings, Additional Process Hardening, Mandatory Access Control, and Warning Banners) rhel7cis_rule_1_1_1_1: true rhel7cis_rule_1_1_1_2: true rhel7cis_rule_1_1_1_3: true -rhel7cis_rule_1_1_2: true -rhel7cis_rule_1_1_3: true -rhel7cis_rule_1_1_4: true -rhel7cis_rule_1_1_5: true -rhel7cis_rule_1_1_6: true -rhel7cis_rule_1_1_7: true -rhel7cis_rule_1_1_8: true -rhel7cis_rule_1_1_9: true -rhel7cis_rule_1_1_10: true -rhel7cis_rule_1_1_11: true -rhel7cis_rule_1_1_12: true -rhel7cis_rule_1_1_13: true -rhel7cis_rule_1_1_14: true -rhel7cis_rule_1_1_15: true -rhel7cis_rule_1_1_16: true -rhel7cis_rule_1_1_17: true -rhel7cis_rule_1_1_18: true -rhel7cis_rule_1_1_19: true -rhel7cis_rule_1_1_20: true -rhel7cis_rule_1_1_21: true -rhel7cis_rule_1_1_22: true -rhel7cis_rule_1_1_23: true -rhel7cis_rule_1_1_24: true +rhel7cis_rule_1_1_1_4: true +rhel7cis_rule_1_1_1_5: true +rhel7cis_rule_1_1_1_6: true +rhel7cis_rule_1_1_1_7: true +rhel7cis_rule_1_1_1_8: true + +# /tmp +rhel7cis_rule_1_1_2_1_1: true +rhel7cis_rule_1_1_2_1_2: true +rhel7cis_rule_1_1_2_1_3: true +rhel7cis_rule_1_1_2_1_4: true + +# /dev/shm +rhel7cis_rule_1_1_2_2_1: true +rhel7cis_rule_1_1_2_2_2: true +rhel7cis_rule_1_1_2_2_3: true +rhel7cis_rule_1_1_2_2_4: true + +# /home +rhel7cis_rule_1_1_2_3_1: true +rhel7cis_rule_1_1_2_3_2: true +rhel7cis_rule_1_1_2_3_3: true + +# /var +rhel7cis_rule_1_1_2_4_1: true +rhel7cis_rule_1_1_2_4_2: true +rhel7cis_rule_1_1_2_4_3: true + +# /var/tmp +rhel7cis_rule_1_1_2_5_1: true +rhel7cis_rule_1_1_2_5_2: true +rhel7cis_rule_1_1_2_5_3: true +rhel7cis_rule_1_1_2_5_4: true + +# /var/log +rhel7cis_rule_1_1_2_6_1: true +rhel7cis_rule_1_1_2_6_2: true +rhel7cis_rule_1_1_2_6_3: true +rhel7cis_rule_1_1_2_6_4: true + +# /var/log/audit +rhel7cis_rule_1_1_2_7_1: true +rhel7cis_rule_1_1_2_7_2: true +rhel7cis_rule_1_1_2_7_3: true +rhel7cis_rule_1_1_2_7_4: true + +# Software updates rhel7cis_rule_1_2_1: true rhel7cis_rule_1_2_2: true rhel7cis_rule_1_2_3: true rhel7cis_rule_1_2_4: true rhel7cis_rule_1_2_5: true + +# bootloader rhel7cis_rule_1_3_1: true rhel7cis_rule_1_3_2: true +rhel7cis_rule_1_3_3: true + +# kernel sysctl and coredumps rhel7cis_rule_1_4_1: true rhel7cis_rule_1_4_2: true rhel7cis_rule_1_4_3: true -rhel7cis_rule_1_5_1: true -rhel7cis_rule_1_5_2: true -rhel7cis_rule_1_5_3: true -rhel7cis_rule_1_5_4: true -rhel7cis_rule_1_6_1_1: true -rhel7cis_rule_1_6_1_2: true -rhel7cis_rule_1_6_1_3: true -rhel7cis_rule_1_6_1_4: true -rhel7cis_rule_1_6_1_5: true -rhel7cis_rule_1_6_1_6: true -rhel7cis_rule_1_6_1_7: true -rhel7cis_rule_1_6_1_8: true +rhel7cis_rule_1_4_4: true + +# SElinux +rhel7cis_rule_1_5_1_1: true +rhel7cis_rule_1_5_1_2: true +rhel7cis_rule_1_5_1_3: true +rhel7cis_rule_1_5_1_4: true +rhel7cis_rule_1_5_1_5: true +rhel7cis_rule_1_5_1_6: true +rhel7cis_rule_1_5_1_7: true +rhel7cis_rule_1_5_1_8: true + +# Message of the Day +rhel7cis_rule_1_6_1: true +rhel7cis_rule_1_6_2: true +rhel7cis_rule_1_6_3: true +rhel7cis_rule_1_6_4: true +rhel7cis_rule_1_6_5: true +rhel7cis_rule_1_6_6: true + +# Gnome and graphic desktop rhel7cis_rule_1_7_1: true rhel7cis_rule_1_7_2: true rhel7cis_rule_1_7_3: true rhel7cis_rule_1_7_4: true rhel7cis_rule_1_7_5: true rhel7cis_rule_1_7_6: true -rhel7cis_rule_1_8_1: true -rhel7cis_rule_1_8_2: true -rhel7cis_rule_1_8_3: true -rhel7cis_rule_1_8_4: true -rhel7cis_rule_1_9: true +rhel7cis_rule_1_7_7: true +rhel7cis_rule_1_7_8: true +rhel7cis_rule_1_7_9: true +rhel7cis_rule_1_7_10: true # Section 2 rules -# Section 2 is Services (inetd Services, Special Purpose Services, and Service Clients) +# time sync rhel7cis_rule_2_1_1: true -rhel7cis_rule_2_2_1_1: true -rhel7cis_rule_2_2_1_2: true -rhel7cis_rule_2_2_1_3: true +rhel7cis_rule_2_1_2: true +rhel7cis_rule_2_1_3: true + +# Server services +rhel7cis_rule_2_2_1: true rhel7cis_rule_2_2_2: true rhel7cis_rule_2_2_3: true rhel7cis_rule_2_2_4: true @@ -178,19 +220,33 @@ rhel7cis_rule_2_2_16: true rhel7cis_rule_2_2_17: true rhel7cis_rule_2_2_18: true rhel7cis_rule_2_2_19: true +rhel7cis_rule_2_2_20: true +rhel7cis_rule_2_2_21: true +rhel7cis_rule_2_2_22: true + +# Client services rhel7cis_rule_2_3_1: true rhel7cis_rule_2_3_2: true rhel7cis_rule_2_3_3: true rhel7cis_rule_2_3_4: true rhel7cis_rule_2_3_5: true -rhel7cis_rule_2_4: true -# Section 3 rules +## +## Section 3 rules +## # Section 3 is Network Configuration (Disable unused network protocols, Network parameters (host), Network parameters (Host and Router), Uncommon Network Protocols, Firewall Configuration, and Configure iptables) +# ipv6, bluettoth and wireless rhel7cis_rule_3_1_1: true rhel7cis_rule_3_1_2: true +rhel7cis_rule_3_1_3: true + +# network kernel modules rhel7cis_rule_3_2_1: true rhel7cis_rule_3_2_2: true +rhel7cis_rule_3_2_3: true +rhel7cis_rule_3_2_4: true + +# network kernel parameters rhel7cis_rule_3_3_1: true rhel7cis_rule_3_3_2: true rhel7cis_rule_3_3_3: true @@ -200,129 +256,224 @@ rhel7cis_rule_3_3_6: true rhel7cis_rule_3_3_7: true rhel7cis_rule_3_3_8: true rhel7cis_rule_3_3_9: true -rhel7cis_rule_3_4_1: true -rhel7cis_rule_3_4_2: true -rhel7cis_rule_3_5_1_1: true -rhel7cis_rule_3_5_1_2: true -rhel7cis_rule_3_5_1_3: true -rhel7cis_rule_3_5_1_4: true -rhel7cis_rule_3_5_1_5: true -rhel7cis_rule_3_5_1_6: true -rhel7cis_rule_3_5_1_7: true -rhel7cis_rule_3_5_2_1: true -rhel7cis_rule_3_5_2_2: true -rhel7cis_rule_3_5_2_3: true -rhel7cis_rule_3_5_2_4: true -rhel7cis_rule_3_5_2_5: true -rhel7cis_rule_3_5_2_6: true -rhel7cis_rule_3_5_2_7: true -rhel7cis_rule_3_5_2_8: true -rhel7cis_rule_3_5_2_9: true -rhel7cis_rule_3_5_2_10: true -rhel7cis_rule_3_5_2_11: true -rhel7cis_rule_3_5_3_1_1: true -rhel7cis_rule_3_5_3_1_2: true -rhel7cis_rule_3_5_3_1_3: true -rhel7cis_rule_3_5_3_2_1: true -rhel7cis_rule_3_5_3_2_2: true -rhel7cis_rule_3_5_3_2_3: true -rhel7cis_rule_3_5_3_2_4: true -rhel7cis_rule_3_5_3_2_5: true -rhel7cis_rule_3_5_3_2_6: true -rhel7cis_rule_3_5_3_3_1: true -rhel7cis_rule_3_5_3_3_2: true -rhel7cis_rule_3_5_3_3_3: true -rhel7cis_rule_3_5_3_3_4: true -rhel7cis_rule_3_5_3_3_5: true -rhel7cis_rule_3_5_3_3_6: true - -# Section 4 rules -# Section 4 is Logging and Auditing (Configure System Accounting (auditd) and Configure Logging) +rhel7cis_rule_3_3_10: true +rhel7cis_rule_3_3_11: true + +# Configure firewall utility +rhel7cis_rule_3_4_1_1: true +rhel7cis_rule_3_4_1_2: true + +# firewalld +rhel7cis_rule_3_4_2_1: true +rhel7cis_rule_3_4_2_2: true +rhel7cis_rule_3_4_2_3: true +rhel7cis_rule_3_4_2_4: true + +# nftables +rhel7cis_rule_3_4_3_1: true +rhel7cis_rule_3_4_3_2: true +rhel7cis_rule_3_4_3_3: true +rhel7cis_rule_3_4_3_4: true +rhel7cis_rule_3_4_3_5: true +rhel7cis_rule_3_4_3_6: true +rhel7cis_rule_3_4_3_7: true +rhel7cis_rule_3_4_3_8: true +rhel7cis_rule_3_4_3_9: true + +# iptables +rhel7cis_rule_3_4_4_1_1: true + +# ip4tables +rhel7cis_rule_3_4_4_2_1: true +rhel7cis_rule_3_4_4_2_2: true +rhel7cis_rule_3_4_4_2_3: true +rhel7cis_rule_3_4_4_2_4: true +rhel7cis_rule_3_4_4_2_5: true +rhel7cis_rule_3_4_4_2_6: true + +# ip6tables +rhel7cis_rule_3_4_4_3_1: true +rhel7cis_rule_3_4_4_3_2: true +rhel7cis_rule_3_4_4_3_3: true +rhel7cis_rule_3_4_4_3_4: true +rhel7cis_rule_3_4_4_3_5: true +rhel7cis_rule_3_4_4_3_6: true + +# +## Section 4 rules +## +# Section 4 is Job Schedulers, SSH and privilege PAM +# Job Schedulers +## Cron rhel7cis_rule_4_1_1_1: true rhel7cis_rule_4_1_1_2: true rhel7cis_rule_4_1_1_3: true +rhel7cis_rule_4_1_1_4: true +rhel7cis_rule_4_1_1_5: true +rhel7cis_rule_4_1_1_6: true +rhel7cis_rule_4_1_1_7: true +rhel7cis_rule_4_1_1_8: true +# At rhel7cis_rule_4_1_2_1: true -rhel7cis_rule_4_1_2_2: true -rhel7cis_rule_4_1_2_3: true -rhel7cis_rule_4_1_2_4: true -rhel7cis_rule_4_1_3: true -rhel7cis_rule_4_1_4: true -rhel7cis_rule_4_1_5: true -rhel7cis_rule_4_1_6: true -rhel7cis_rule_4_1_7: true -rhel7cis_rule_4_1_8: true -rhel7cis_rule_4_1_9: true -rhel7cis_rule_4_1_10: true -rhel7cis_rule_4_1_11: true -rhel7cis_rule_4_1_12: true -rhel7cis_rule_4_1_13: true -rhel7cis_rule_4_1_14: true -rhel7cis_rule_4_1_15: true -rhel7cis_rule_4_1_16: true -rhel7cis_rule_4_1_17: true -rhel7cis_rule_4_2_1_1: true -rhel7cis_rule_4_2_1_2: true -rhel7cis_rule_4_2_1_3: true -rhel7cis_rule_4_2_1_4: true -rhel7cis_rule_4_2_1_5: true -rhel7cis_rule_4_2_1_6: true -rhel7cis_rule_4_2_2_1: true -rhel7cis_rule_4_2_2_2: true -rhel7cis_rule_4_2_2_3: true + +# SSH Server +rhel7cis_rule_4_2_1: true +rhel7cis_rule_4_2_2: true rhel7cis_rule_4_2_3: true rhel7cis_rule_4_2_4: true - -# Section 5 rules -# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure SSH Server, Configure PAM, and User Accounts and Environment) -rhel7cis_rule_5_1_1: true -rhel7cis_rule_5_1_2: true +rhel7cis_rule_4_2_5: true +rhel7cis_rule_4_2_6: true +rhel7cis_rule_4_2_7: true +rhel7cis_rule_4_2_8: true +rhel7cis_rule_4_2_9: true +rhel7cis_rule_4_2_10: true +rhel7cis_rule_4_2_11: true +rhel7cis_rule_4_2_12: true +rhel7cis_rule_4_2_13: true +rhel7cis_rule_4_2_14: true +rhel7cis_rule_4_2_15: true +rhel7cis_rule_4_2_16: true +rhel7cis_rule_4_2_17: true +rhel7cis_rule_4_2_18: true +rhel7cis_rule_4_2_19: true +rhel7cis_rule_4_2_20: true +rhel7cis_rule_4_2_21: true +rhel7cis_rule_4_2_22: true + +# Privilege escalation +rhel7cis_rule_4_3_1: true +rhel7cis_rule_4_3_2: true +rhel7cis_rule_4_3_3: true +rhel7cis_rule_4_3_4: true +rhel7cis_rule_4_3_5: true +rhel7cis_rule_4_3_6: true +rhel7cis_rule_4_3_7: true + +## Configure Pluggable Authentication +# software packages +rhel7cis_rule_4_4_1_1: true +rhel7cis_rule_4_4_1_2: true + +# pam_faillock +rhel7cis_rule_4_4_2_1_1: true +rhel7cis_rule_4_4_2_1_2: true +rhel7cis_rule_4_4_2_1_3: true +rhel7cis_rule_4_4_2_1_4: true + +# pam_pwquality +rhel7cis_rule_4_4_2_2_1: true +rhel7cis_rule_4_4_2_2_2: true +rhel7cis_rule_4_4_2_2_3: true +rhel7cis_rule_4_4_2_2_4: true +rhel7cis_rule_4_4_2_2_5: true +rhel7cis_rule_4_4_2_2_6: true +rhel7cis_rule_4_4_2_2_7: true + +# pam pwhistory +rhel7cis_rule_4_4_2_3_1: true +rhel7cis_rule_4_4_2_3_2: true +rhel7cis_rule_4_4_2_3_3: true +rhel7cis_rule_4_4_2_3_4: true + +# pam pam_unix +rhel7cis_rule_4_4_2_4_1: true +rhel7cis_rule_4_4_2_4_2: true +rhel7cis_rule_4_4_2_4_3: true +rhel7cis_rule_4_4_2_4_4: true + +# shadow password +rhel7cis_rule_4_5_1_1: true +rhel7cis_rule_4_5_1_2: true +rhel7cis_rule_4_5_1_3: true +rhel7cis_rule_4_5_1_4: true +rhel7cis_rule_4_5_1_5: true + +# root and system accts +rhel7cis_rule_4_5_2_1: true +rhel7cis_rule_4_5_2_2: true +rhel7cis_rule_4_5_2_3: true +rhel7cis_rule_4_5_2_4: true + +# user default envs +rhel7cis_rule_4_5_3_1: true +rhel7cis_rule_4_5_3_2: true +rhel7cis_rule_4_5_3_3: true + +## +## Section 5 rules +## + +# Rsyslog +rhel7cis_rule_5_1_1_1: true +rhel7cis_rule_5_1_1_2: true +rhel7cis_rule_5_1_1_3: true +rhel7cis_rule_5_1_1_4: true +rhel7cis_rule_5_1_1_5: true +rhel7cis_rule_5_1_1_6: true +rhel7cis_rule_5_1_1_7: true + +# Journald +rhel7cis_rule_5_1_2_1_1: true +rhel7cis_rule_5_1_2_1_2: true +rhel7cis_rule_5_1_2_1_3: true +rhel7cis_rule_5_1_2_1_4: true +rhel7cis_rule_5_1_2_2: true +rhel7cis_rule_5_1_2_3: true +rhel7cis_rule_5_1_2_4: true +rhel7cis_rule_5_1_2_5: true +rhel7cis_rule_5_1_2_6: true rhel7cis_rule_5_1_3: true rhel7cis_rule_5_1_4: true -rhel7cis_rule_5_1_5: true -rhel7cis_rule_5_1_6: true -rhel7cis_rule_5_1_7: true -rhel7cis_rule_5_1_8: true -rhel7cis_rule_5_1_9: true -rhel7cis_rule_5_2_1: true -rhel7cis_rule_5_2_2: true -rhel7cis_rule_5_2_3: true + +# Auditd +rhel7cis_rule_5_2_1_1: true +rhel7cis_rule_5_2_1_2: true +rhel7cis_rule_5_2_1_3: true +rhel7cis_rule_5_2_1_4: true +rhel7cis_rule_5_2_2_1: true +rhel7cis_rule_5_2_2_2: true +rhel7cis_rule_5_2_2_3: true +rhel7cis_rule_5_2_2_4: true + +# auditd rules +rhel7cis_rule_5_2_3_1: true +rhel7cis_rule_5_2_3_2: true +rhel7cis_rule_5_2_3_3: true +rhel7cis_rule_5_2_3_4: true +rhel7cis_rule_5_2_3_5: true +rhel7cis_rule_5_2_3_6: true +rhel7cis_rule_5_2_3_7: true +rhel7cis_rule_5_2_3_8: true +rhel7cis_rule_5_2_3_9: true +rhel7cis_rule_5_2_3_10: true +rhel7cis_rule_5_2_3_11: true +rhel7cis_rule_5_2_3_12: true +rhel7cis_rule_5_2_3_13: true +rhel7cis_rule_5_2_3_14: true +rhel7cis_rule_5_2_3_15: true +rhel7cis_rule_5_2_3_16: true +rhel7cis_rule_5_2_3_17: true +rhel7cis_rule_5_2_3_18: true +rhel7cis_rule_5_2_3_19: true +rhel7cis_rule_5_2_3_20: true +rhel7cis_rule_5_2_3_21: true + +# auditd file access +rhel7cis_rule_5_2_4_1: true +rhel7cis_rule_5_2_4_2: true +rhel7cis_rule_5_2_4_3: true +rhel7cis_rule_5_2_4_4: true +rhel7cis_rule_5_2_4_5: true +rhel7cis_rule_5_2_4_6: true +rhel7cis_rule_5_2_4_7: true +rhel7cis_rule_5_2_4_8: true +rhel7cis_rule_5_2_4_9: true +rhel7cis_rule_5_2_4_10: true + +# Aide rhel7cis_rule_5_3_1: true rhel7cis_rule_5_3_2: true -rhel7cis_rule_5_3_3: true -rhel7cis_rule_5_3_4: true -rhel7cis_rule_5_3_5: true -rhel7cis_rule_5_3_6: true -rhel7cis_rule_5_3_7: true -rhel7cis_rule_5_3_8: true -rhel7cis_rule_5_3_9: true -rhel7cis_rule_5_3_10: true -rhel7cis_rule_5_3_12: true -rhel7cis_rule_5_3_11: true -rhel7cis_rule_5_3_13: true -rhel7cis_rule_5_3_14: true -rhel7cis_rule_5_3_15: true -rhel7cis_rule_5_3_16: true -rhel7cis_rule_5_3_17: true -rhel7cis_rule_5_3_18: true -rhel7cis_rule_5_3_19: true -rhel7cis_rule_5_3_20: true -rhel7cis_rule_5_3_21: true -rhel7cis_rule_5_3_22: true -rhel7cis_rule_5_4_1: true -rhel7cis_rule_5_4_2: true -rhel7cis_rule_5_4_3: true -rhel7cis_rule_5_4_4: true -rhel7cis_rule_5_5_1_1: true -rhel7cis_rule_5_5_1_2: true -rhel7cis_rule_5_5_1_3: true -rhel7cis_rule_5_5_1_4: true -rhel7cis_rule_5_5_1_5: true -rhel7cis_rule_5_5_2: true -rhel7cis_rule_5_5_3: true -rhel7cis_rule_5_5_4: true -rhel7cis_rule_5_5_5: true -rhel7cis_rule_5_6: true -rhel7cis_rule_5_7: true + # Section 6 rules # Section 6 is System Maintenance (System File Permissions and User and Group Settings) rhel7cis_rule_6_1_1: true @@ -357,88 +508,56 @@ rhel7cis_rule_6_2_15: true rhel7cis_rule_6_2_16: true rhel7cis_rule_6_2_17: true -# Service configuration booleans set true to keep service -rhel7cis_avahi_server: false -rhel7cis_cups_server: false -rhel7cis_dhcp_server: false -rhel7cis_ldap_server: false -rhel7cis_telnet_server: false -rhel7cis_nfs_server: false -rhel7cis_rpc_server: false -rhel7cis_ntalk_server: false -rhel7cis_rsyncd_server: false -rhel7cis_tftp_server: false -rhel7cis_rsh_server: false -rhel7cis_nis_server: false -rhel7cis_snmp_server: false -rhel7cis_squid_server: false -rhel7cis_smb_server: false -rhel7cis_dovecot_server: false -rhel7cis_httpd_server: false -rhel7cis_vsftpd_server: false -rhel7cis_named_server: false -rhel7cis_nfs_rpc_server: false -rhel7cis_is_mail_server: false -rhel7cis_bind: false -rhel7cis_vsftpd: false -rhel7cis_httpd: false -rhel7cis_dovecot: false -rhel7cis_samba: false -rhel7cis_squid: false -rhel7cis_net_snmp: false -rhel7cis_allow_autofs: false - +### ## Section 1 vars -# 1.3.3 var log location variable -rhel7cis_varlog_location: "/var/log/sudo.log" +## +# 1.1.2.2 +# 1.1.2.3 +# 1.1.2.4 -# xinetd required -rhel7cis_xinetd_required: false +# If set true uses the tmp.mount service else using fstab configuration +rhel7cis_tmp_svc: true -# RedHat Satellite Subscription items -rhel7cis_rhnsd_required: false +# 1.2 patch system +rhel7cis_apply_installed_kernel_limit: false +rhel7cis_installed_kernel_limit: 2 -# 1.4.2 Bootloader password +# 1.3 Bootloader password +rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret +rhel7cis_bootloader_password: random # pragma: allowlist secret rhel7cis_set_boot_pass: false -rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret - -# System network parameters (host only OR host and router) -rhel7cis_is_router: false +rhel7cis_bootloader_file: /etc/grub2.cfg -# IPv6 required -rhel7cis_ipv6_required: true +# cis 1.4.1 +rhel7cis_kernel_sysctl_file: /etc/sysctl.d/60-kernel_sysctl.conf +rhel7cis_sysctl_file: /etc/sysctl.conf -# AIDE -rhel7cis_config_aide: true -# AIDE cron settings -rhel7cis_aide_cron: - cron_user: root - cron_file: /etc/cron.d/cis_aide - aide_job: '/usr/sbin/aide --check' - aide_minute: '0' - aide_hour: '5' - aide_day: '*' - aide_month: '*' - aide_weekday: '*' +# 1.5 SELinux policy +rhel7cis_selinux_disable: false +rhel7cis_selinux_state: enforcing +# Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only. +# Valid Inputs: targeted or mls +rhel7cis_selinux_policy: targeted -# SELinux policy -rhel7cis_selinux_pol: targeted +# 1.6 +# Warning Banner Content (issue, issue.net, motd) +rhel7cis_warning_banner: | + Authorized uses only. All activity may be monitored and reported. +# End Banner +# 1.7 Gnome Desktop # Whether or not to run tasks related to auditing/patching the desktop environment rhel7cis_gui: false - -# Set to 'true' if X Windows is needed in your environment -rhel7cis_xwindows_required: false - -rhel7cis_openldap_clients_required: false -rhel7cis_telnet_required: false -rhel7cis_talk_required: false -rhel7cis_rsh_required: false -rhel7cis_ypbind_required: false - -# Time Synchronization - Either chrony or ntp +rhel7cis_dconf_db_name: local +rhel7cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) +rhel7cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) +## +## Section 2 vars +## +# 2.1.1 Time Synchronization - Either chrony or ntp rhel7cis_time_synchronization: chrony +# Time Synchronization servers - used in template file chrony.conf.j2 rhel7cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org @@ -448,74 +567,120 @@ rhel7cis_time_synchronization_servers: rhel7cis_chrony_server_options: "minpoll 8" rhel7cis_ntp_server_options: "iburst" -# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured -rhel7cis_host_allow: - - "10.0.0.0/255.0.0.0" - - "172.16.0.0/255.240.0.0" - - "192.168.0.0/255.255.0.0" - -# Firewall Service - either firewalld or iptables -rhel7cis_firewall: firewalld -rhel7cis_default_zone: public - -rhel7cis_firewall_services: - - ssh - - dhcpv6-client - -# 3.5.2.x -# NFT firewall -# not tested but added example for clarity - This will break connections -# If the tables dont exist automatically create the tablename below -rhel7cis_nft_tables_autoNewTable: false # noqa: var-naming[pattern] -# create chain if doesnt exist -rhel7cis_nft_tables_autoChainCreate: false # noqa: var-naming[pattern] -# create a table called -rhel7cis_nft_tables_tableName: filter # noqa: var-naming[pattern] - -# 3.5.3.x.x iptables -rhel7cis_save_iptables_cis_rules: true -rhel7cis_save_ip6tables_cis_rules: true -# rhel7cis_firewall: iptables -rhel7cis_iptables_boot_config: /etc/sysconfig/iptables -rhel7cis_ip6tables_boot_config: /etc/sysconfig/ip6tables +## Optional settings not part of CIS but can assist systems +# Disable ipv6 on Chrony if ipv6 not required +rhel7cis_ipv6_chrony_disable: false + +# Service configuration +# Options are +# true to leave installed if exists no changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +# Server Services +rhel7cis_autofs_services: false +rhel7cis_autofs_mask: true +rhel7cis_avahi_server: false +rhel7cis_avahi_mask: false +rhel7cis_dhcp_server: false +rhel7cis_dhcp_mask: false +rhel7cis_dns_server: false +rhel7cis_dns_mask: false +rhel7cis_dnsmasq_server: false +rhel7cis_dnsmasq_mask: false +rhel7cis_samba_server: false +rhel7cis_samba_mask: false +rhel7cis_ftp_server: false +rhel7cis_ftp_mask: false +rhel7cis_message_server: false # This is for messaging dovecot and cyrus-imap +rhel7cis_message_mask: false +rhel7cis_nfs_server: false +rhel7cis_nfs_mask: true +rhel7cis_nis_server: true # set to mask if nis client required +rhel7cis_nis_mask: false +rhel7cis_print_server: false # replaces cups +rhel7cis_print_mask: false +rhel7cis_rpc_server: false +rhel7cis_rpc_mask: true +rhel7cis_rsync_server: false +rhel7cis_rsync_mask: false +rhel7cis_net_snmp_server: false +rhel7cis_net_snmp_mask: false +rhel7cis_telnet_server: false +rhel7cis_telnet_mask: false +rhel7cis_tftp_server: false +rhel7cis_tftp_mask: false +rhel7cis_squid_server: false +rhel7cis_squid_mask: false +rhel7cis_httpd_server: false +rhel7cis_httpd_mask: false +rhel7cis_nginx_server: false +rhel7cis_nginx_mask: false +rhel7cis_xinetd_server: false +rhel7cis_xinetd_mask: false +rhel7cis_xwindow_server: false # will remove mask not an option +rhel7cis_is_mail_server: false -# Warning Banner Content (issue, issue.net, motd) -rhel7cis_warning_banner: | - Authorized uses only. All activity may be monitored and reported. -# End Banner +# Client Services +rhel7cis_ftp_client: false +rhel7cis_openldap_clients_required: false +rhel7cis_ypbind_required: false # Same package as NIS server +rhel7cis_telnet_required: false +rhel7cis_tftp_client: false -## Section4 vars +## Section 3 Variables +# 3.1.x +# IPv6 required +rhel7cis_ipv6_required: false +rhel7cis_ipv6_sysctl_force: true +rhel7cis_ipv6_sysctl_file: /etc/sysctl.d/60-ipv6.conf +# Setting this will stop ipv6 listening on ::1 and will remove from /etc/hosts +rhel7cis_ipv6_disable_localhost: false -# auditd settings -rhel7cis_auditd: - space_left_action: email - action_mail_acct: root - admin_space_left_action: halt - max_log_file_action: keep_logs +# service = true removes package - mask = true will just mask package +rhel7cis_bluetooth_service: true +rhel7cis_bluetooth_mask: false -rhel7cis_logrotate: "daily" +# 3.3.x +# System network parameters (host only OR host and router) +rhel7cis_is_router: false +rhel7cis_ipv4_sysctl_file: /etc/sysctl.d/60-ipv4.conf -# RHEL-07-4.1.2.4 -# rhel7cis_audit_backlog_limit value needs to be 8192 or larger to conform to CIS standards -rhel7cis_audit_backlog_limit: 8192 +# Firewall Service - either firewalld, iptables or nftables +# multiple options for removal or masking of services +# The firewall to be configured +rhel7cis_system_firewall: firewalld +# Set the following to remove or mask - note will not effect system_firewall # set to none +rhel7cis_nftables: mask +rhel7cis_iptables: mask +rhel7cis_firewalld: none -# RHEL-07-4.2.1.4/4.2.1.5 remote and destation log server name -rhel7cis_remote_log_server: logagg.example.com +# Allow automated creation of nftables table +rhel7cis_nft_tables_autonewtable: false +# give that table a name +rhel7cis_nft_tables_tablename: cis -# RHEL-07-4.2.1.5 -rhel7cis_system_is_log_server: false +# Allow creation of chains +rhel7cis_nft_tables_autochaincreate: false -## Section5 vars +## +## Section 4 Variables +## # SSH variables + +## Can be VERBOSE or INFO rhel7cis_ssh_loglevel: INFO -rhel7cis_ssh_maxsessions: 10 +# rhel7cis_ssh_maxsessions is the max number of sessions +# To conform to CIS standards this value nees to be 10 or less + rhel7cis_sshd: clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" + # clientaliveinterval shoudl be between 1 and 900 + clientaliveinterval: 15 + ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" - kex: "diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" + kex: "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" + # logingracetime value is in seconds and needs to be set to 1 minute or less logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: @@ -523,66 +688,163 @@ rhel7cis_sshd: # denyusers: # denygroups: +rhel7cis_ssh_maxsessions: 10 +rhel7cis_ssh_maxauthtries: 4 + +## Optional settings not part of CIS but can assist systems +# Disable ipv6 on ssh if ipv6 not required +rhel7cis_ipv6_sshd_disable: false + +## Sudo +rhel7cis_sudolog_location: "/var/log/sudo.log" +rhel7cis_sudo_timestamp_timeout: 15 + +# Group to be used for su +# this group needs to exists groups will not be created for remediation this is considered sys admins + +rhel7cis_sugroup: wheel + # pam variables rhel7cis_pam_faillock: - attempts: 5 + deny: 5 interval: 900 unlock_time: 900 - fail_for_root: 'no' + fail_for_root: "no" remember: 5 pwhash: sha512 rhel7cis_inactivelock: lock_days: 30 -# Accounte listed below will not have INACTIVE field set in shadow file +rhel7cis_pwquality_difok: 2 # 2 or more required +rhel7cis_pwquality_maxrepeat: 3 # 3 or less not 0 required +rhel7cis_pwquality_maxsequence: 3 # 3 or less not 0 required +rhel7cis_pwquality_minlen: 14 # 14 or more required +# Setting minclass true - mincalls used instead of seperated values +rhel7cis_pwquality_minclass: true +rhel7cis_pwquality_minclass_value: '4' # Not less than 4 +rhel7cis_pwquality: + - key: '#minclass' + value: "{{ ubtu22cis_pwquality_minclass_value }}" + - key: 'dcredit' + value: '-1' # not 0 or greater + - key: 'ucredit' + value: '-1' # not 0 or greater + - key: 'ocredit' + value: '-1' # not 0 or greater + - key: 'lcredit' + value: '-1' # not 0 or greater + +# pwhistory +rhel7cis_pwhistory_remember: 24 # 24 or more recommended + +## Users and environments +rhel7cis_encryption: sha512 +# If encryption method changes foce users to change password at next login +rhel7cis_force_user_passwd_change: false +# Accounts listed below will not have INACTIVE field set in shadow file + +# Allow synmic discovery of user accounts minimum and maximun from /etc/login.defs +# findings will override the uid_min|max below +rhel7cis_uid_info_dynamic: true +rhel7cis_uid_min: 1000 +rhel7cis_uid_max: 60000 + rhel7cis_inactive_whitelist: - root - vagrant rhel7cis_pass: - max_days: 90 - min_days: 7 + max_days: 365 + min_days: 1 warn_age: 7 -# Syslog system - either rsyslog or syslog-ng -rhel7cis_syslog: rsyslog -rhel7cis_rsyslog_ansiblemanaged: true + inactive: 30 # should not be 0 or -1 (little details in control) -# Var/tmp settings -rhel7cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: true - -# Interactive user UID starting point -rhel7cis_rule_5_4_2_min_uid: 1000 - -# RHEL-07-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel7cis_shell_session_timeout: file: /etc/profile.d/tmout.sh timeout: 600 -# RHEL-07-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords +# Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel7cis_futurepwchgdate_autofix: true -# 5.4.2 -rhel7cis_int_gid: 1000 +rhel7cis_root_umask: '0027' # 0027 or more restrictive -# 5.6 Group to be used for su -# this group needs to exists groups will not be created for remediation this is considered sys admins +## +## Section 5 Variables +## + +# Preferred method of logging +# Whether rsyslog or journald preferred method for local logging +rhel7cis_syslog: rsyslog +rhel7cis_rsyslog_ansiblemanaged: true +# Set if system is the log server +rhel7cis_system_is_log_server: false + +# remote and destination log server name +rhel7cis_remote_log_server: false +rhel7cis_remote_log_host: logagg.example.com +rhel7cis_remote_log_port: 514 +rhel7cis_remote_log_protocol: tcp +rhel7cis_remote_log_retrycount: 100 +rhel7cis_remote_log_queuesize: 1000 + +# rhel7cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation +# To conform to CIS standards this just needs to comply with your site policy +rhel7cis_logrotate: "daily" + +# AuditD +# The audit_back_log_limit value should never be below 8192 +rhel7cis_audit_back_log_limit: 8192 +# The max_log_file parameter should be based on your sites policy size in MB +rhel7cis_max_log_file_size: 10 + +# auditd settings +rhel7cis_auditd: + disk_error_action: halt + disk_full_action: halt + action_mail_acct: root + space_left_action: email + admin_space_left_action: single + max_log_file_action: keep_logs + +# This can be used to configure other keys in auditd.conf +rhel7cis_auditd_extra_conf: {} +# Example: +# rhel7cis_auditd_extra_conf: +# admin_space_left: '10%' -# rhel7cis_sugroup: sugroup +# AIDE +# aide setup via - cron, timer +rhel7cis_aide_scan: cron +rhel7cis_config_aide: true +# AIDE cron settings +rhel7cis_aide_cron: + cron_user: root + cron_file: /etc/cron.d/cis_aide + aide_job: '/usr/sbin/aide --check' + aide_minute: 0 + aide_hour: 5 + aide_day: '*' + aide_month: '*' + aide_weekday: '*' -## Section6 vars +## +## Section 6 variables +## -# RHEL-07_6.1.1 +# rhel7cis_rpm_audit_file: /var/tmp/rpm_file_check -# RHEL-07_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable rhel7cis_no_world_write_adjust: true rhel7cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -rhel7cis_dotperm_ansiblemanaged: true -# RHEL-07-6.2.18 Clear users from shadow group -rhel7cis_remove_shadow_grp_usrs: true +## adjust files if ungrouped +rhel7cis_ungrouped_adjust: false + +## Remove suid/sgid from files +rhel7cis_suid_adjust: false +rhel7cis_sgid_adjust: false + +# 6.2.12 +rhel7cis_dotperm_ansiblemanaged: true diff --git a/handlers/main.yml b/handlers/main.yml index a62e4b9f..5a721d13 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,21 +1,6 @@ --- -# handlers file for RHEL7-CIS -- name: sysctl flush ipv4 route table - ansible.posix.sysctl: - name: net.ipv4.route.flush - value: '1' - sysctl_set: true - when: ansible_virtualization_type != "docker" - -- name: sysctl flush ipv6 route table - ansible.posix.sysctl: - name: net.ipv6.route.flush - value: '1' - sysctl_set: true - when: ansible_virtualization_type != "docker" - -- name: systemd restart tmp.mount +- name: Systemd_restart_tmp.mount ansible.builtin.systemd: name: tmp.mount daemon_reload: true @@ -23,75 +8,106 @@ masked: false state: reloaded -- name: remount tmp - ansible.builtin.command: mount -o remount /tmp - -- name: remount dev_shm - ansible.builtin.command: mount -o remount /dev/shm - -- name: remount var_tmp - ansible.builtin.command: mount -o remount /var/tmp - -- name: systemd restart var-tmp.mount +- name: Remount_dev_shm + ansible.posix.mount: + name: /dev/shm + state: remounted + +- name: Remount_home + ansible.posix.mount: + name: /home + state: remounted + +- name: Remount_var + ansible.posix.mount: + name: /var + state: remounted + +- name: Remount_var_tmp + ansible.posix.mount: + name: /var/tmp + state: remounted + +- name: Remount_var_log + ansible.posix.mount: + name: /var/log + state: remounted + +- name: Remount_var_log_audit + ansible.posix.mount: + name: /var/log/audit + state: remounted + +- name: Systemd_daemon_reload ansible.builtin.systemd: - name: var-tmp.mount daemon_reload: true - enabled: true - masked: false - state: reloaded - -- name: remount home - ansible.builtin.command: mount -o remount /home -- name: update dconf - ansible.builtin.command: dconf update +- name: Rebuild_grub + ansible.builtin.command: /sbin/grub2-mkconfig -o "{{ rhel7cis_bootloader_file }}" -- name: restart firewalld +- name: Restart_postfix ansible.builtin.service: - name: firewalld + name: postfix state: restarted -- name: reboot_required - ansible.builtin.set_fact: - change_requires_reboot: true +- name: Sysctl_flush_ipv4_routes + ansible.posix.sysctl: + name: net.ipv4.route.flush + value: '1' + sysctl_set: true + ignore_errors: true # noqa ignore-errors + +- name: Sysctl_flush_ipv6_routes + ansible.posix.sysctl: + name: net.ipv6.route.flush + value: '1' + sysctl_set: true + ignore_errors: true # noqa ignore-errors -- name: restart xinetd +- name: Restart_rsyslog ansible.builtin.service: - name: xinetd + name: rsyslog state: restarted -- name: restart sshd +- name: Restart_journald ansible.builtin.service: - name: sshd + name: systemd-journald state: restarted -- name: restart postfix +- name: Restart_systemd_journal_upload ansible.builtin.service: - name: postfix + name: systemd-journal-upload state: restarted -- name: reload dconf - ansible.builtin.command: dconf update - -- name: restart auditd - ansible.builtin.command: /sbin/service auditd restart +- name: Auditd_immutable_check + ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false - check_mode: false - failed_when: false + register: auditd_immutable_check + +- name: Audit_immutable_fact + ansible.builtin.debug: + msg: "Reboot required for auditd to apply new rules as immutable set" + notify: Change_requires_reboot when: - - not rhel7cis_skip_for_travis - tags: - - skip_ansible_lint + - auditd_immutable_check.stdout == '1' + +- name: Restart_auditd + ansible.builtin.shell: /sbin/service auditd restart - name: grub2cfg - ansible.builtin.command: /sbin/grub2-mkconfig -o "{{ rhel7cis_bootloader_path }}grub.cfg" + ansible.builtin.command: /sbin/grub2-mkconfig -o "{{ rhel7cis_bootloader_file }}" + notify: Change_requires_reboot -- name: restart rsyslog +- name: Restart_rsyslog ansible.builtin.service: name: rsyslog state: restarted -- name: restart syslog-ng +- name: Restart_sshd ansible.builtin.service: - name: syslog-ng + name: sshd state: restarted + +- name: Change_requires_reboot + ansible.builtin.set_fact: + change_requires_reboot: true diff --git a/meta/main.yml b/meta/main.yml index 7221686c..eebec06c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: - author: "MindPoint group" + author: "MindPoint Group" description: "Apply the CIS RHEL7 role" company: "MindPoint Group" license: MIT diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4a..70674142 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -3,16 +3,18 @@ - name: Pre Audit Setup | Set audit package name block: - name: Pre Audit Setup | Set audit package name | 64bit + when: ansible_facts.machine == "x86_64" ansible.builtin.set_fact: audit_pkg_arch_name: AMD64 - when: ansible_facts.machine == "x86_64" - name: Pre Audit Setup | Set audit package name | ARM64 + when: ansible_facts.machine == "arm64" ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" - name: Pre Audit Setup | Download audit binary + when: + - get_audit_binary_method == 'download' ansible.builtin.get_url: url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" @@ -20,15 +22,13 @@ group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: '0555' - when: - - get_audit_binary_method == 'download' - name: Pre Audit Setup | Copy audit binary + when: + - get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: '0555' owner: root group: root - when: - - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 864f5bbe..d34b90f0 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,28 +1,28 @@ --- - name: Audit_Only | Create local Directories for hosts + when: fetch_audit_files ansible.builtin.file: mode: '0755' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" recurse: true state: directory - when: fetch_audit_files delegate_to: localhost become: false - name: Audit_only | Get audits from systems and put in group dir + when: fetch_audit_files ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true mode: '0644' src: "{{ pre_audit_outfile }}" - when: fetch_audit_files - name: Audit_only | Show Audit Summary when: - audit_only ansible.builtin.debug: - msg: "The Audit results are: {{ pre_audit_summary }}." + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected when: diff --git a/tasks/auditd.yml b/tasks/auditd.yml new file mode 100644 index 00000000..1aaa1176 --- /dev/null +++ b/tasks/auditd.yml @@ -0,0 +1,14 @@ +--- + +- name: POST | AUDITD | Apply auditd template - only required rules will be added + ansible.builtin.template: + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: '0600' + register: audit_rules_updated + notify: + - Auditd_immutable_check + - Audit_immutable_fact + - Restart_auditd diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 8bb53ab0..c21a5dcd 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -12,13 +12,13 @@ - name: "PREREQ | Add the required packages | Python 3" block: - - name: Check if python36-rpm package installed - ansible.builtin.command: rpm -q python36-rpm + - name: PREREQ | Check if python36-rpm package installed + ansible.builtin.shell: rpm -q python36-rpm register: python36_rpm_present failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) changed_when: false - - name: Add the EPEL repository required for the python36-rpm pkg + - name: PREREQ | Add the EPEL repository required for the python36-rpm pkg ansible.builtin.package: name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm state: present @@ -35,8 +35,8 @@ - python36-rpm - libselinux-python3 - - name: Disable Epel repo if installed earlier - ansible.builtin.command: yum-config-manager disable epel + - name: PREREQ | Disable Epel repo if installed earlier + ansible.builtin.shell: yum-config-manager disable epel when: epel_installed.changed # noqa: no-handler when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) diff --git a/tasks/main.yml b/tasks/main.yml index 159110d4..01aeb340 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,59 +1,66 @@ --- # tasks file for RHEL7-CIS - name: Check OS version and family - ansible.builtin.fail: - msg: "This role can only be run against RHEL 7. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." when: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version is version_compare('7', '!=') - rhel7cis_os_check + ansible.builtin.assert: + that: (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version is version_compare('7', '==')) + fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" tags: - always - - name: Check ansible version - ansible.builtin.fail: - msg: You must use ansible 2.9 or greater - when: not ansible_version.full is version_compare('2.9', '>=') + ansible.builtin.assert: + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - always -- name: Check rhel7cis_bootloader_password_hash variable has been changed - ansible.builtin.assert: - that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret - msg: "This role will not be able to run single user password commands as rhel7cis_bootloader_password_hash variable has not been set" # pragma: allowlist secret +- name: Ensure root password is set + when: + - rhel7cis_rule_4_5_2_4 + tags: + - always + block: + - name: Ensure root password is set + ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" + changed_when: false + failed_when: false + register: root_passwd_set + + - name: Ensure root password is set + ansible.builtin.assert: + that: root_passwd_set.rc == 0 + fail_msg: "You have rule 4.5.2.4 enabled this requires that you have a root password set" + success_msg: "You have a root password set" + +- name: "Check sugroup exists if used" when: - - ansible_distribution_version >= '7.2' - - rhel7cis_set_boot_pass - - rhel7cis_rule_1_5_1 + - rhel7cis_sugroup is defined + - rhel7cis_rule_4_3_7 + tags: + - rule_4.3.7 -- name: "check sugroup exists if used" block: - name: "Check su group exists if defined" ansible.builtin.command: grep -w "{{ rhel7cis_sugroup }}" /etc/group - register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint + register: sugroup_exists - name: Check sugroup if defined exists before continuing ansible.builtin.assert: that: sugroup_exists.rc == 0 msg: "The variable rhel7cis_sugroup is defined but does not exist please rectify" - when: - - rhel7cis_sugroup is defined - - rhel7cis_rule_5_6 - tags: - - rule_5.6 -- name: Import prereq checks - ansible.builtin.import_tasks: - file: check_prereqs.yml +- name: Setup rules if container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: + - container_discovery - always - - prereqs - -- name: Setup rules if container block: - name: Discover and set container variable if required ansible.builtin.set_fact: @@ -68,120 +75,108 @@ msg: system has been discovered as a container when: - system_is_container - when: - - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + +- name: Run pre-reqs tags: - - container_discovery - always - -- name: Import preliminary tasks + - prereqs ansible.builtin.import_tasks: - file: prelim.yml + file: check_prereqs.yml + +- name: Run prelim tasks tags: - prelim_tasks - always - -- name: Include audit specific variables - ansible.builtin.include_vars: - file: audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - -- name: Include pre-remediation audit tasks ansible.builtin.import_tasks: - file: pre_remediation_audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit + file: prelim.yml - name: Gather the package facts - ansible.builtin.package_facts: - manager: auto tags: - always + ansible.builtin.package_facts: + manager: auto - name: Include OS specific variables - ansible.builtin.include_vars: - file: "{{ ansible_distribution }}.yml" tags: - always - -- name: Run parse etc password for user variables - ansible.builtin.import_tasks: - file: parse_etc_password.yml - when: - - rhel7cis_section5 or - rhel7cis_section6 + ansible.builtin.include_vars: + file: "{{ ansible_distribution }}.yml" - name: Import section 1 tasks - ansible.builtin.import_tasks: - file: section_1/main.yml when: rhel7cis_section1 tags: - rhel7cis_section1 + ansible.builtin.import_tasks: + file: section_1/main.yml - name: Import section 2 tasks - ansible.builtin.import_tasks: - file: section_2/main.yml + when: rhel7cis_section2 tags: - rhel7cis_section2 - when: rhel7cis_section2 + ansible.builtin.import_tasks: + file: section_2/main.yml - name: Import section 3 tasks - ansible.builtin.import_tasks: - file: section_3/main.yml when: rhel7cis_section3 tags: - rhel7cis_section3 + ansible.builtin.import_tasks: + file: section_3/main.yml - name: Import section 4 tasks - ansible.builtin.import_tasks: - file: section_4/main.yml when: rhel7cis_section4 tags: - rhel7cis_section4 + ansible.builtin.import_tasks: + file: section_4/main.yml - name: Import section 5 tasks - ansible.builtin.import_tasks: - file: section_5/main.yml when: rhel7cis_section5 tags: - rhel7cis_section5 + ansible.builtin.import_tasks: + file: section_5/main.yml - name: Import section 6 tasks - ansible.builtin.import_tasks: - file: section_6/main.yml when: rhel7cis_section6 tags: - rhel7cis_section6 + ansible.builtin.import_tasks: + file: section_6/main.yml -- name: flush handlers - ansible.builtin.meta: flush_handlers - -- name: Post Task +- name: Run auditd logic + when: + - update_audit_template + tags: + - always ansible.builtin.import_tasks: - file: post.yml + file: auditd.yml + +- name: Run post remediation tasks tags: - post_tasks - always - -- name: Run post audit ansible.builtin.import_tasks: - file: post_remediation_audit.yml + file: post.yml + +- name: Run post_remediation audit when: - run_audit + tags: + - run_audit + ansible.builtin.import_tasks: + file: post_remediation_audit.yml - name: Show Audit Summary - ansible.builtin.debug: - msg: "{{ audit_results.split('\n') }}" when: - run_audit tags: - run_audit + ansible.builtin.debug: + msg: "{{ audit_results.split('\n') }}" + +- name: Output Warning count and control IDs affected + tags: + - always + ansible.builtin.debug: + msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index c689aace..c997596c 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -15,7 +15,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/post.yml b/tasks/post.yml index 0b3af2f7..c27c603e 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -11,6 +11,9 @@ vars: ansible_python_interpreter: /bin/python +- name: POST | flush handlers + ansible.builtin.meta: flush_handlers + - name: POST | reboot system if changes require it and not skipped block: - name: POST | Reboot system if changes require it and not skipped @@ -26,6 +29,15 @@ when: - change_requires_reboot - skip_reboot + + - name: "POST | Warning a reboot required but skip option set | warning count" + when: + - change_requires_reboot + - skip_reboot + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: Reboot_required tags: - grub - level1-server diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2c51bbb0..19dff268 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,14 +1,14 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml -- name: Post Audit | ensure audit files readable by users +- name: Post Audit | Ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" mode: '0644' @@ -21,14 +21,14 @@ when: - audit_format == "json" block: - - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} - register: post_audit + - name: Post Audit | Capture data {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" + register: discovered_post_audit changed_when: false - - name: Capture post-audit result + - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" + post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}" vars: summary: summary."summary-line" @@ -36,11 +36,11 @@ when: - audit_format == "documentation" block: - - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} - register: post_audit + - name: Post Audit | Capture data {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + register: discovered_post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout_lines }}" + post_audit_summary: "{{ discovered_post_audit.stdout_lines }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 7bf3d991..fb6d709f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -5,7 +5,8 @@ - setup_audit tags: - setup_audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: @@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -57,45 +60,44 @@ - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: goss_available + register: discovered_goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists ansible.builtin.assert: + that: discovered_goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + when: + - run_audit tags: - goss_template - run_audit - when: - - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} - register: pre_audit + - name: Pre Audit | Capture data {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: discovered_pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: summary."summary-line" @@ -104,15 +106,16 @@ - audit_format == "documentation" block: - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} - register: pre_audit + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: discovered_pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}" - name: Audit_Only | Run Audit Only when: - audit_only - ansible.builtin.import_tasks: audit_only.yml + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0a050a83..52c11902 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,87 +1,239 @@ --- + # Preliminary tasks that should always be run # List users in order to look files inside each home directory -- name: "PRELIM | List users accounts" - ansible.builtin.command: "awk -F: '{print $1}' /etc/passwd" - register: users - changed_when: false - check_mode: false - -- name: "PRELIM | Gather accounts with empty password fields" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" - register: empty_password_accounts - changed_when: false - check_mode: false +- name: Parse etc password tags: - - skip_ansible_lint + - always + ansible.builtin.import_tasks: + file: parse_etc_password.yml - name: "PRELIM | Gather UID 0 accounts other than root" ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" - register: uid_zero_accounts_except_root changed_when: false check_mode: false + register: discovered_uid_zero_accounts_except_root + +- name: "PRELIM | Gather interactive user ID min and max" + when: + - rhel7cis_uid_info_dynamic tags: - - skip_ansible_lint + - always + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: discovered_min_uid -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel7cis_efi_boot - changed_when: false + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: discovered_max_uid -- name: set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + - name: "PRELIM | Setting the fact" ansible.builtin.set_fact: - rhel7cis_bootloader_path: /boot/efi/EFI/redhat/ - rhel7cis_legacy_boot: false - when: - - rhel7cis_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + rhel7uid_interactive_uid_start: "{{ discovered_min_uid.stdout | string }}" + rhel7uid_interactive_uid_stop: "{{ discovered_max_uid.stdout | string }}" - - name: "PRELIM | set fact if UEFI boot | CentOS " - ansible.builtin.set_fact: - rhel7cis_bootloader_path: /boot/efi/EFI/centos/ - rhel7cis_legacy_boot: false - when: - - rhel7cis_efi_boot.stat.exists - - ansible_distribution == 'CentOS' +- name: "PRELIM | Set facts based on boot type" + tags: + - always + block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: discovered_efi_boot - - name: "PRELIM | set if not UEFI boot" + - name: "PRELIM | set legacy boot and grub path | Bios" + when: not discovered_efi_boot.stat.exists ansible.builtin.set_fact: - rhel7cis_bootloader_path: /boot/grub2/ rhel7cis_legacy_boot: true - when: not rhel7cis_efi_boot.stat.exists + grub2_path: /etc/grub2.cfg + rhel7cis_boot_path: /boot/grub2/ - - name: output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel7cis_bootloader_path }}" - - "legacy boot equals {{ rhel7cis_legacy_boot }}" + - name: "PRELIM | set grub fact | UEFI" + when: discovered_efi_boot.stat.exists + ansible.builtin.set_fact: + grub2_path: /etc/grub2-efi.cfg + rhel7cis_boot_path: "/boot/efi/EFI/{{ansible_facts.distribution | lower }}/" + +- name: Include audit specific variables + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml + +- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" + tags: + - always + ansible.builtin.stat: + path: "{{ grub2_path }}" + changed_when: false + register: discovered_grub_cfg - name: "PRELIM | Section 1.1 | Create list of mount points" ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" -- name: "PRELIM | Section 1.7 | Ensure SELinux is installed" - ansible.builtin.package: - name: libselinux - state: present +- name: "PRELIM | Section 1.5 | SELinux" when: - not rhel7cis_selinux_disable + block: + - name: "PRELIM | Section 1.5 | Ensure SELinux is installed" + ansible.builtin.package: + name: + - libselinux + - policycoreutils-python + state: present + + - name: "PRELIM | Section 1.5 | Check current firewalld_t semanage state" + ansible.builtin.shell: semanage permissive -l | grep firewalld_t + changed_when: false + failed_when: false + register: discovered_firewalld_t_sestate + + - name: "PRELIM | Section 1.5 | Ensure firewalld_t is set to permissive" + when: "'firewalld_t' not in discovered_firewalld_t_sestate.stdout" + ansible.builtin.shell: semanage permissive -a firewalld_t vars: ansible_python_interpreter: /bin/python -- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" +- name: "PRELIM | Find all sudoers files." + when: + - rhel7cis_rule_4_3_4 or + rhel7cis_rule_4_3_5 + tags: + - always + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + changed_when: false + failed_when: false + check_mode: false + register: discovered_sudoers_files + +- name: "PRELIM | Section 5.2.x | Configure System Accounting (auditd)" ansible.builtin.package: name: audit state: present vars: ansible_python_interpreter: /bin/python -- name: "PRELIM | Section 5.1 | Configure cron" +- name: "PRELIM | 5.2.4.x | Ensure audit log files are mode 0640 or less permissive | discover file" + when: + - rhel7cis_rule_5_2_4_1 or + rhel7cis_rule_5_2_4_2 or + rhel7cis_rule_5_2_4_3 or + rhel7cis_rule_5_2_4_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.1 + - rule_5.2.4.2 + - rule_5.2.4.3 + - rule_5.2.4.4 + ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" + changed_when: false + failed_when: discovered_audit_logfile.rc not in [0, 1] + register: discovered_audit_logfile + +- name: "PRELIM | 5.2.4.5/6/7 | Audit conf and rules files | list files" + when: + - rhel7cis_rule_5_2_4_5 or + rhel7cis_rule_5_2_4_6 or + rhel7cis_rule_5_2_4_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.5 + - rule_5.2.4.6 + - rule_5.2.4.7 + ansible.builtin.find: + path: /etc/audit + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: auditd_conf_files + +- name: "PRELIM | Section 4.1.1.x | Configure cron" ansible.builtin.package: name: cronie state: present vars: ansible_python_interpreter: /bin/python + +- name: "PRELIM | Interactive User accounts home directories" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }' + changed_when: false + register: discovered_interactive_users_home + +##### Optional ##### + +- name: "PRELIM | Optional | If IPv6 disable to stop ssh listening" + when: + - rhel7cis_ipv6_sshd_disable + - not rhel7cis_ipv6_required + tags: + - always + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^AddressFamily + line: AddressFamily inet + notify: Restart_sshd + +- name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening" + when: + - rhel7cis_ipv6_chrony_disable + - not rhel7cis_ipv6_required + tags: + - always + notify: Restart_chronyd + block: + - name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening | Check existence" + ansible.builtin.shell: grep -E "OPTIONS=.*-4" /etc/sysconfig/chronyd + changed_when: false + failed_when: chrony_ipv6_exists.rc not in [ 0, 1] + register: discovered_chrony_ipv6_exists + + - name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening" + when: discovered_chrony_ipv6_exists.stdout | length == 0 + ansible.builtin.lineinfile: + path: /etc/sysconfig/chronyd + regexp: ^OPTIONS="(.*)" + line: OPTIONS="\1 -4" + backrefs: true + +# Optional extra keys to extend auditd not part of CIS but can influence a system +# e.g. admin_space_left: '10%' + +- name: PRELIM | Optional | Configure other keys for auditd.conf + when: + - rhel7cis_auditd_extra_conf.keys() | length > 0 + tags: + - always + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "^{{ item }}( |=)" + line: "{{ item }} = {{ rhel7cis_auditd_extra_conf[item] }}" + notify: Restart_auditd + loop: "{{ rhel7cis_auditd_extra_conf.keys() }}" diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 8bff761c..ddbc09d6 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,73 +1,281 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled " +- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" + when: + - rhel7cis_rule_1_1_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.1 + - NIST800-53R5_CM-7 + - cramfs block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true mode: '0600' - - name: "1.1.1.1 | PATCH | Remove cramfs module" + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist cramfs(\\s|$)" + line: "blacklist cramfs" + create: true + mode: '0600' + + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" + when: + - not system_is_container community.general.modprobe: name: cramfs state: absent + +- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" when: - - rhel7cis_rule_1_1_1_1 - - ansible_connection != 'docker' + - rhel7cis_rule_1_1_1_2 tags: - level1-server - level1-workstation + - automated - patch - - rule_1.1.1.1 - - cramfs + - rule_1.1.1.2 + - NIST800-53R5_CM-7 + - freevxfs + block: + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install freevxfs(\\s|$)" + line: "install freevxfs /bin/true" + create: true + mode: '0600' -- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist freevxfs(\\s|$)" + line: "blacklist freevxfs" + create: true + mode: '0600' + + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" + community.general.modprobe: + name: freevxfs + state: absent + when: + - not system_is_container + +- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available" + when: + - rhel7cis_rule_1_1_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.3 + - NIST800-53R5_CM-7 + - hfs block: - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config " + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install squashfs(\\s|$)" - line: "install squashfs /bin/true" + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install hfs(\\s|$)" + line: "install hfs /bin/true" create: true mode: '0600' - - name: "1.1.1.2 | PATCH | Remove squashfs module | rmmod" + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist hfs(\\s|$)" + line: "blacklist hfs" + create: true + mode: '0600' + + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable squashfs" + when: + - not system_is_container community.general.modprobe: name: squashfs state: absent + +- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" when: - - rhel7cis_rule_1_1_1_2 - - ansible_connection != 'docker' + - rhel7cis_rule_1_1_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.4 + - NIST800-53R5_CM-7 + - hfsplus + block: + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install hfsplus(\\s|$)" + line: "install hfsplus /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist hfsplus(\\s|$)" + line: "blacklist hfsplus" + create: true + mode: '0600' + + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" + when: + - not system_is_container + community.general.modprobe: + name: hfsplus + state: absent + +- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" + when: + - rhel7cis_rule_1_1_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.5 + - NIST800-53R5_CM-7 + - jffs2 + block: + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install jffs2(\\s|$)" + line: "install jffs2 /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist jffs2(\\s|$)" + line: "blacklist jffs2" + create: true + mode: '0600' + + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" + when: + - not system_is_container + community.general.modprobe: + name: jffs2 + state: absent + +- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" + when: + - rhel7cis_rule_1_1_1_6 tags: - level2-server - level2-workstation + - automated - patch - - rule_1.1.1.2 + - rule_1.1.1.6 + - NIST800-53R5_CM-7 - squashfs + block: + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: "install squashfs /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist squashfs(\\s|$)" + line: "blacklist squashfs" + create: true + mode: '0600' + + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" + when: + - not system_is_container + community.general.modprobe: + name: squashfs + state: absent -- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" + when: + - rhel7cis_rule_1_1_1_7 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.1.7 + - NIST800-53R5_CM-7 + - udf block: - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true mode: '0600' - - name: "1.1.1.3 | PATCH | Remove udf module | rmmod " + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist udf(\\s|$)" + line: "blacklist udf" + create: true + mode: '0600' + + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" + when: + - not system_is_container community.general.modprobe: name: udf state: absent + +- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" when: - - rhel7cis_rule_1_1_1_3 - - ansible_connection != 'docker' + - rhel7cis_rule_1_1_1_8 tags: - level1-server - - level1-workstation + - level2-workstation + - automated - patch - - rule_1.1.1.3 - - udf + - rule_1.1.1.8 + - NIST800-53R5_SI-3 + - usb + block: + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install usb-storage(\\s|$)" + line: "install usb-storage /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist usb-storage(\\s|$)" + line: "blacklist usb-storage" + create: true + mode: '0600' + + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" + when: + - not system_is_container + community.general.modprobe: + name: usb-storage + state: absent diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml new file mode 100644 index 00000000..5fac47f0 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -0,0 +1,58 @@ +--- + +- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a seperate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2.1.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.1.1' + required_mount: '/tmp' + block: + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition + 1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" + when: + - item.mount == "/tmp" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_1_2 or + rhel7cis_rule_1_1_2_1_3 or + rhel7cis_rule_1_1_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2.1.2 + - rule_1.1.2.1.3 + - rule_1.1.2.1.4 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel7cis_rule_1_1_2_1_4 %}noexec{% endif %} + notify: Systemd_restart_tmp.mount + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml new file mode 100644 index 00000000..bb1dfc8e --- /dev/null +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -0,0 +1,58 @@ +--- + +- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2.2.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.2.1' + required_mount: '/dev/shm' + block: + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition + 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition + 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" + when: + - item.mount == "/dev/shm" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_2_2 or + rhel7cis_rule_1_1_2_2_3 or + rhel7cis_rule_1_1_2_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2.2.2 + - rule_1.1.2.2.3 + - rule_1.1.2.2.4 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /dev/shm + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if rhel7cis_rule_1_1_2_2_4 %}noexec{% endif %} + notify: Remount_dev_shm + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml new file mode 100644 index 00000000..7ccd4f21 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -0,0 +1,55 @@ +--- + +- name: "1.1.2.3.1 | AUDIT | Ensure /home is a seperate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_3_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.3.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.3.1' + required_mount: '/home' + block: + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition + 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition + when: + - item.mount == "/home" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_3_2 or + rhel7cis_rule_1_1_2_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2.3.2 + - rule_1.1.2.3.3 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /home + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_3_3 %}nosuid{% endif %} + notify: Remount_home + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml new file mode 100644 index 00000000..2a733118 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -0,0 +1,55 @@ +--- + +- name: "1.1.2.4.1 | AUDIT | Ensure /var is a seperate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_4_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.4.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.4.1' + required_mount: '/var' + block: + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition + 1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition + when: + - item.mount == "/var" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_4_2 or + rhel7cis_rule_1_1_2_4_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.4.2 + - rule_1.1.2.4.3 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /var + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_4_3 %}nosuid{% endif %} + notify: Remount_var + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml new file mode 100644 index 00000000..06ceb154 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -0,0 +1,58 @@ +--- + +- name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a seperate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_5_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.5.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.5.1' + required_mount: '/var/tmp' + block: + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition + 1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition + 1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + when: + - item.mount == "/var/tmp" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_5_2 or + rhel7cis_rule_1_1_2_5_3 or + rhel7cis_rule_1_1_2_5_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.5.2 + - rule_1.1.2.5.3 + - rule_1.1.2.5.4 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /var/tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if rhel7cis_rule_1_1_2_5_4 %}noexec{% endif %} + notify: Remount_var_tmp + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml new file mode 100644 index 00000000..5404da1b --- /dev/null +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -0,0 +1,59 @@ +--- + +- name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a seperate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_6_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.6.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.6.1' + required_mount: '/var/log' + + block: + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition + 1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition + 1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + when: + - item.mount == "/var/log" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_6_2 or + rhel7cis_rule_1_1_2_6_3 or + rhel7cis_rule_1_1_2_6_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.6.2 + - rule_1.1.2.6.3 + - rule_1.1.2.6.4 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /var/log + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if rhel7cis_rule_1_1_2_6_4 %}noexec{% endif %} + notify: Remount_var_log + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml new file mode 100644 index 00000000..28e1a9ff --- /dev/null +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -0,0 +1,58 @@ +--- + +- name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a seperate partition" + when: + - required_mount not in mount_names + - rhel7cis_rule_1_1_2_7_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.7.1 + - mounts + - NIST800-53R5_CM-7 + vars: + warn_control_id: '1.1.2.7.1' + required_mount: '/var/log/audit' + block: + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition + 1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition + 1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" + when: + - item.mount == "/var/log/audit" + - rhel7cis_tmp_svc + - rhel7cis_rule_1_1_2_7_2 or + rhel7cis_rule_1_1_2_7_3 or + rhel7cis_rule_1_1_2_7_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_1.1.2.7.2 + - rule_1.1.2.7.3 + - rule_1.1.2.7.4 + - mounts + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /var/log/audit + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel7cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel7cis_rule_1_1_2_7_4 %}noexec{% endif %} + notify: Remount_var_log_audit + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml deleted file mode 100644 index 2be33e5d..00000000 --- a/tasks/section_1/cis_1.1.x.yml +++ /dev/null @@ -1,389 +0,0 @@ ---- - -- name: "1.1.2 | AUDIT | Ensure /tmp is configured" - block: - - name: "1.1.2 | AUDIT | Ensure /tmp is configured | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: tmp_mount_absent - changed_when: tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.2 | AUDIT | Ensure /tmp is configured | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: tmp_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/tmp' - when: - - rhel7cis_rule_1_1_2 - tags: - - level1-server - - level1-workstation - - audit - - mounts - - rule_1.1.2 - -- name: | - "1.1.3 | PATCH | Ensure nodev option set on /tmp partition | skips if not present" - "1.1.4 | PATCH | Ensure nosuid option set on /tmp partition | skips if not present" - "1.1.5 | PATCH | Ensure noexec option set on /tmp partition| skips if not present" - block: - - name: | - "1.1.3 | PATCH | Ensure nodev option set on /tmp partition | fstab config | skips if mount absent" - "1.1.4 | PATCH | Ensure nosuid option set on /tmp partition | fstab_config | skips if mount absent" - "1.1.5 | PATCH | Ensure noexec option set on /tmp partition| fstab_config | skips if mount absent" - ansible.posix.mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel7cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel7cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_5 %}nosuid{% endif %} - notify: remount tmp - loop: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - not rhel7cis_tmp_svc - - item.mount == "/tmp" - - - name: | - "1.1.3 | PATCH | Ensure noexec option set on /tmp partition | systemd | skips if mount absent" - "1.1.4 | PATCH | Ensure nodev option set on /tmp partition | systemd | skips if mount absent" - "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition | systemd | skips if mount absent" - ansible.builtin.template: - src: etc/tmp_mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 0644 - notify: systemd restart tmp.mount - when: - - rhel7cis_tmp_svc - when: - - tmp_mount_present is defined - - rhel7cis_rule_1_1_2 # This is required so the check takes place - - rhel7cis_rule_1_1_3 or - rhel7cis_rule_1_1_4 or - rhel7cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: "1.1.6 | AUDIT | Ensure /dev/shm is configured" - block: - - name: "1.1.6 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: dev_shm_mount_absent - changed_when: dev_shm_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.6 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: dev_shm_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/dev/shm' - when: - - rhel7cis_rule_1_1_6 - tags: - - level1-server - - level1-workstation - - patch - - mounts - - rule_1.1.6 - -- name: | - "1.1.7 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - "1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent" - "1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - ansible.posix.mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: present - opts: defaults,{% if rhel7cis_rule_1_1_7 %}noexec,{% endif %}{% if rhel7cis_rule_1_1_8 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_9 %}nosuid{% endif %},seclabel - notify: remount dev_shm - when: - - rhel7cis_rule_1_1_7 or - rhel7cis_rule_1_1_8 or - rhel7cis_rule_1_1_9 - tags: - - level1-server - - level1-workstation - - patch - - mounts - - rule_1.1.7 - - rule_1.1.8 - - rule_1.1.9 - -- name: "1.1.10 | AUDIT | Ensure separate partition exists for {{ required_mount }} | skips if mount absent" - block: - - name: "1.1.10 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.10 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/var' - when: - - rhel7cis_rule_1_1_10 - tags: - - level2-server - - level2-workstation - - audit - - mounts - - rule_1.1.10 - -- name: "1.1.11 | AUDIT | Ensure separate partition exists for {{ required_mount }} | skips if mount absent" - block: - - name: "1.1.11 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.11 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_tmp_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/var/tmp' - when: - - rhel7cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - audit - - mounts - - rule_1.1.11 - -- name: | - "1.1.12 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent" - "1.1.13 | PATCH | Ensure nodec option set on /var/tmp partition | skips if mount absent" - "1.1.14 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent" - ansible.posix.mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel7cis_rule_1_1_12 %}noexec,{% endif %}{% if rhel7cis_rule_1_1_13 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_14 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - var_tmp_mount_present is defined - - item.mount == "/var/tmp" - - rhel7cis_rule_1_1_11 # This is required so the check takes place - - rhel7cis_rule_1_1_12 or - rhel7cis_rule_1_1_13 or - rhel7cis_rule_1_1_14 - tags: - - level1-server - - level1-workstation - - patch - - mounts - - skip_ansible_lint - -- name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log | skips if mount absent" - block: - - name: "1.1.15 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.15 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log' - when: - - rhel7cis_rule_1_1_15 - tags: - - level2-server - - level2-workstation - - audit - - mounts - - rule_1.1.15 - - skip_ansible_lint - -- name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | skips if mount absent" - block: - - name: "1.1.16 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.16 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log/audit' - when: - - rhel7cis_rule_1_1_16 - tags: - - level2-server - - level2-workstation - - audit - - mounts - - rule_1.1.16 - - skip_ansible_lint - -- name: "1.1.17 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "1.1.17 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Absent" - ansible.builtin.debug: - msg: "WARNING!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.17 | AUDIT | Ensure separate partition exists for {{ required_mount }} | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/home' - when: - - rhel7cis_rule_1_1_17 - tags: - - level2-server - - level2-workstation - - audit - - mounts - - rule_1.1.17 - - skip_ansible_lint - -- name: "1.1.18 | PATCH | Ensure nodev option set on /home partition | skips if mount absent" - ansible.posix.mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel7cis_rule_1_1_17 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - home_mount_present is defined - - item.mount == "/home" - - rhel7cis_rule_1_1_18 - tags: - - level1-server - - level1-workstation - - patch - - mounts - - rule_1.1.18 - - skip_ansible_lint - -- name: | - "1.1.19 | PATCH | Ensure removable media partitions include noexec option" - "1.1.20 | PATCH | Ensure nodev option set on removable media partitions" - "1.1.21 | PATCH | Ensure nosuid option set on removable media partitions" - ansible.builtin.debug: - msg: "--> Not relevant" - changed_when: false - when: - - rhel7cis_rule_1_1_19 or - rhel7cis_rule_1_1_20 or - rhel7cis_rule_1_1_21 - tags: - - level1-server - - level1-workstation - - audit - - mounts - - rule_1.1.19 - - rule_1.1.20 - - rule_1.1.21 - -- name: "1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - changed_when: false - failed_when: false - when: - - rhel7cis_rule_1_1_22 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - patch - - stickybits - - permissons - - rule_1.1.22 - -- name: "1.1.23 | PATCH | Disable Automounting" - ansible.builtin.service: - name: autofs - enabled: false - when: - - not rhel7cis_allow_autofs - - "'autofs' in ansible_facts.packages" - - rhel7cis_rule_1_1_23 - tags: - - level1-server - - level2-workstation - - patch - - mounts - - automounting - - rule_1.1.23 - -- name: "1.1.24 | PATCH | Disable USB Storage" - block: - - name: "1.1.24 | PATCH | Disable USB Storage | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install usb-storage(\\s|$)" - line: "install usb-storage /bin/true" - create: true - owner: root - group: root - mode: 0600 - - - name: "1.1.24 | PATCH | Disable USB Storage | Edit modprobe config" - community.general.modprobe: - name: usb-storage - state: absent - when: - - rhel7cis_rule_1_1_24 - tags: - - level1-server - - level2-workstation - - patch - - mounts - - removable_storage - - rule_1.1.24 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 8b4a1f37..38200d0e 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -1,50 +1,40 @@ --- -- name: "1.2.1 | PATCH | Ensure GPG keys are configured" - block: - - name: "1.2.1 | PATCH | Ensure GPG keys are configured" - ansible.builtin.shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" - changed_when: false +- name: "1.2.1 | AUDIT | Ensure GPG keys are configured" when: - rhel7cis_rule_1_2_1 + - ansible_distribution == "RedHat" or + ansible_distribution == "CentOS" tags: - level1-server - level1-workstation + - manual - patch + - NIST800-53R5_SI-2 - rule_1.2.1 -- name: "1.2.2 | AUDIT | Ensure package manager repositories are configured" - block: - - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured" - ansible.builtin.shell: yum repolist - changed_when: false - register: repolist - check_mode: false + ansible.builtin.shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" + changed_when: false - - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured" - ansible.builtin.debug: - msg: - - "Please check against site policy repos listed below match expected:" - - "{{ repolist.stdout_lines }}" +- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated" when: - rhel7cis_rule_1_2_2 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - NIST800-53R5_SI-2 - rule_1.2.2 - - skip_ansible_lint - -- name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated" + - name: "1.2.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos" ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" - changed_when: false register: yum_repos + changed_when: false - - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated" + - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: path: "{{ item.path }}" regexp: "^gpgcheck=0" @@ -52,38 +42,109 @@ loop: "{{ yum_repos.files }}" loop_control: label: "{{ item.path }}" + + - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.conf" + ansible.builtin.lineinfile: + path: /etc/yum.conf + regexp: ^(#|)gpgcheck= + line: gpgcheck=1 + +- name: "1.2.3 | PATCH | Ensure repo_gpgcheck is globally activated" when: - rhel7cis_rule_1_2_3 tags: - - level1-server - - level1-workstation + - level2-server + - level2-workstation + - automated - patch + - NIST800-53R5_SI-2 - rule_1.2.3 + block: + - name: "1.2.3 | AUDIT | Ensure repo_gpgcheck is globally activated | Find repos" + ansible.builtin.find: + paths: /etc/yum.repos.d + patterns: "*.repo" + register: yum_repos + changed_when: false -- name: "1.2.4 | AUDIT | Ensure Red Hat Subscription Manager connection is configured" - ansible.builtin.shell: subscription-manager identity - changed_when: false - failed_when: false + - name: "1.2.3 | PATCH | Ensure repo_gpgcheck is globally activated | Update yum.repos" + ansible.builtin.replace: + name: "{{ item.path }}" + regexp: "^repo_gpgcheck=0" + replace: "repo_gpgcheck=1" + loop: "{{ yum_repos.files }}" + loop_control: + label: "{{ item.path }}" + + - name: "1.2.3 | PATCH | Ensure repo_gpgcheck is globally activated | Update yum.conf" + ansible.builtin.lineinfile: + path: /etc/yum.conf + regexp: ^(#|)repo_gpgcheck= + line: repo_gpgcheck=1 + +- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" when: - - ansible_distribution == "RedHat" - rhel7cis_rule_1_2_4 tags: - level1-server - level1-workstation - - patch + - manual + - audit + - NIST800-53R5_SI-2 - rule_1.2.4 + vars: + warn_control_id: '1.2.4' + block: + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" + ansible.builtin.shell: yum repolist + changed_when: false + failed_when: false + register: dnf_configured + check_mode: false + + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" + ansible.builtin.debug: + msg: + - "Warning!! Below are the configured repos. Please review and make sure all align with site policy" + - "{{ dnf_configured.stdout_lines }}" + + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "1.2.5 | PATCH | Ensure updates, patches, and additional security software are installed" + when: + - rhel7cis_rule_1_2_5 + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.2_5 + notify: Change_requires_reboot + block: + - name: "1.2.5 | PATCH | Ensure updates, patches, and additional security software are installed | Patch" + ansible.builtin.package: + name: "*" + state: latest + + - name: "1.2.5 | PATCH | Ensure updates, patches, and additional security software are installed | update_facts" + ansible.builtin.package_facts: + manager: auto -- name: "1.2.5 | PATCH | Disable the rhnsd Daemon" - ansible.builtin.systemd: - name: rhnsd - state: stopped - enabled: false - masked: true +- name: "1.2.5 | PATCH | Ensure updates, patches, and additional security software are installed | limit kernels" when: - - ansible_distribution == "RedHat" and not rhel7cis_rhnsd_required - rhel7cis_rule_1_2_5 + - rhel7cis_apply_installed_kernel_limit tags: - level1-server - level1-workstation + - automated - patch + - kernel_limit - rule_1.2.5 + ansible.builtin.lineinfile: + path: /etc/yum.conf + regexp: ^installonly_limit= + line: installonly_limit={{ rhel7cis_installed_kernel_limit }} diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index c076fc2f..2431a5f7 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -1,49 +1,93 @@ --- -- name: "1.3.1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install" - ansible.builtin.package: - name: aide - state: installed - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | started" - ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' - args: - creates: /var/lib/aide/aide.db.gz - changed_when: false - failed_when: false - async: "{{ ansible_check_mode | ternary(0, 45) }}" - poll: 0 +- name: "1.3.1 | PATCH | Ensure bootloader password is set" + ansible.builtin.copy: + dest: "{{ rhel7cis_boot_path }}user.cfg" # noqa template-instead-of-copy + content: "GRUB2_PASSWORD={{ rhel7cis_bootloader_password_hash }}" + owner: root + group: root + mode: '0600' + notify: Rebuild_grub when: - - rhel7cis_config_aide + - rhel7cis_set_boot_pass - rhel7cis_rule_1_3_1 tags: - level1-server - level1-workstation - - aide + - automated + - grub - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - rule_1.3.1 - vars: - ansible_python_interpreter: /bin/python -- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" - ansible.builtin.cron: - name: Run AIDE integrity check - cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}" - user: "{{ rhel7cis_aide_cron['cron_user'] }}" - minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel7cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel7cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel7cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel7cis_aide_cron['aide_job'] }}" +- name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured" when: - rhel7cis_rule_1_3_2 + - discovered_grub_cfg.stat.exists + - discovered_grub_cfg.stat.islnk tags: - level1-server - level1-workstation - - aide - - file_integrity + - automated + - grub - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - rule_1.3.2 + block: + - name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured | BIOS" + when: rhel7cis_legacy_boot + ansible.builtin.file: + path: "{{ rhel7cis_boot_path }}" + owner: root + group: root + mode: '0600' + recurse: true + + - name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured | EFI" + when: not rhel7cis_legacy_boot + ansible.builtin.file: + path: "{{ rhel7cis_boot_path }}" + owner: root + group: root + mode: '0700' + recurse: true + + - name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" + when: + - not rhel7cis_legacy_boot + - item.mount == "/boot/efi" + notify: Change_requires_reboot + ansible.posix.mount: + name: /boot/efi + src: "UUID={{ item.uuid }}" + fstype: vfat + state: present + opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 + passno: '0' + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.mount }}" + +- name: "1.3.3 | PATCH | Ensure authentication required for single user mode" + block: + - name: "1.3.3 | PATCH | Ensure authentication required for single user mode | Emergency service" + ansible.builtin.lineinfile: + path: /usr/lib/systemd/system/emergency.service + regexp: '/sbin/sulogin' + line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default' + + - name: "1.3.3 | PATCH | Ensure authentication required for single user mode | Rescue service" + ansible.builtin.lineinfile: + path: /usr/lib/systemd/system/rescue.service + regexp: '/sbin/sulogin' + line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default' + when: + - rhel7cis_rule_1_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 67c0b437..f1cf140c 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -1,83 +1,75 @@ --- -- name: "1.4.1 | PATCH | Ensure bootloader password is set" - block: - - name: "1.4.1 | PATCH | Ensure bootloader password is set" - ansible.builtin.copy: - dest: "{{ rhel7cis_bootloader_path }}user.cfg" # noqa template-instead-of-copy - content: "GRUB2_PASSWORD={{ rhel7cis_bootloader_password_hash }}" - owner: root - group: root - mode: "{% if rhel7cis_legacy_boot %}0600{% else %}0700{% endif %}" - register: bootloader_pw - notify: grub2cfg - - - name: "1.4.1 | FACT | Ensure bootloader password is set" - ansible.builtin.set_fact: - change_requires_reboot: true - when: bootloader_pw +- name: "1.4.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" when: - - ansible_distribution_version >= '7.2' - - rhel7cis_set_boot_pass - rhel7cis_rule_1_4_1 tags: - level1-server - level1-workstation - - grub + - automated - patch - rule_1.4.1 + - NIST800-53R5_CM-6 + ansible.posix.sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: true + sysctl_set: true + ignoreerrors: true + sysctl_file: "{{ rhel7cis_kernel_sysctl_file }}" -- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Update grub config settings" - ansible.builtin.file: - path: "{{ rhel7cis_bootloader_path }}grub.cfg" - owner: root - group: root - mode: 0600 - when: - - rhel7cis_legacy_boot - - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - ansible.posix.mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - loop: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - not rhel7cis_legacy_boot - - item.mount == "/boot/efi" +- name: "1.4.2 | PATCH | Ensure ptrace_scope is restricted" when: - rhel7cis_rule_1_4_2 tags: - level1-server - level1-workstation - - grub + - automated - patch - rule_1.4.2 + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: '1' + state: present + reload: true + sysctl_set: true + ignoreerrors: true + sysctl_file: "{{ rhel7cis_kernel_sysctl_file }}" -- name: "1.4.3 | PATCH | Ensure authentication required for single user mode" - block: - - name: "1.4.3 | PATCH | Ensure authentication required for single user mode | Emergency service" - ansible.builtin.lineinfile: - dest: /usr/lib/systemd/system/emergency.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' - - - name: "1.4.3 | PATCH | Ensure authentication required for single user mode | Rescue service" - ansible.builtin.lineinfile: - dest: /usr/lib/systemd/system/rescue.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' +- name: "1.4.3 | PATCH | Ensure core dump backtraces are disabled" when: - rhel7cis_rule_1_4_3 tags: - level1-server - level1-workstation + - automated - patch - rule_1.4.3 + - coredump + - NIST800-53R5_CM-6b + notify: Systemd_daemon_reload + ansible.builtin.lineinfile: + dest: /etc/systemd/coredump.conf + regexp: ^ProcessSizeMax + line: ProcessSizeMax=0 + create: true + mode: '0644' + +- name: "1.4.4 | PATCH | Ensure core dump storage is disabled" + when: + - rhel7cis_rule_1_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.4 + - coredump + notify: Systemd_daemon_reload + ansible.builtin.lineinfile: + dest: /etc/systemd/coredump.conf + regexp: ^Storage + line: Storage=none + create: true + mode: '0644' diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 0971c87f..2a27ed8c 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,81 +1,154 @@ --- -- name: "1.5.1 | PATCH | Ensure core dumps are restricted" - block: - - name: "1.5.1 | PATCH | Ensure core dumps are restricted | Update limits.conf file" - ansible.builtin.lineinfile: - state: present - dest: /etc/security/limits.conf - regexp: '^#?\\*.*core' - line: '* hard core 0' - insertbefore: '^# End of file' +- name: "1.5.1.1 | PATCH | Ensure SELinux is installed" + when: + - rhel7cis_rule_1_5_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.1 + ansible.builtin.package: + name: libselinux + state: present - - name: "1.5.1 | PATCH | Ensure core dumps are restricted | Set active kernel parameter" - ansible.posix.sysctl: - name: fs.suid_dumpable - value: '0' - state: present - reload: true - sysctl_set: true - ignoreerrors: true +- name: "1.5.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" + when: + - rhel7cis_rule_1_5_1_2 + tags: + - level1-server + - level1-workstation + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.2 + notify: Rebuild_grub + ansible.builtin.replace: + path: /etc/default/grub + regexp: '(selinux|enforcing)\s*=\s*0\s*' + replace: '' + register: selinux_grub_patch + ignore_errors: true # noqa ignore-errors - - name: 1.5.1 | PATCH | Ensure core dumps are restricted | coredump.conf" - ansible.builtin.lineinfile: - dest: /etc/systemd/coredump.conf - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - create: true - mode: 0644 - loop: - - { regex: '^Storage', line: 'Storage=none' } - - { regex: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } +# State set to enforcing because control 1.5.1.5 requires enforcing to be set +- name: "1.5.1.3 | PATCH | Ensure SELinux policy is configured" when: - - rhel7cis_rule_1_5_1 + - rhel7cis_rule_1_5_1_3 tags: - level1-server - level1-workstation - - sysctl + - automated + - selinux - patch - - rule_1.5.1 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.3 + notify: Change_requires_reboot + ansible.posix.selinux: + conf: /etc/selinux/config + policy: "{{ rhel7cis_selinux_policy }}" + state: "{{ rhel7cis_selinux_state }}" -- name: "1.5.2 | PATCH | Ensure XD/NX support is enabled" - ansible.builtin.shell: dmesg|grep -E "NX|XD" | grep " active" - changed_when: false +# State set to enforcing because control 1.6.1.5 requires enforcing to be set +- name: "1.5.1.4 | PATCH | Ensure the SELinux mode is not disabled" when: - - rhel7cis_rule_1_5_2 + - rhel7cis_rule_1_5_1_4 tags: - - skip_ansible_lint - level1-server - level1-workstation + - auotmated + - selinux - patch - - rule_1.5.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.4 + ansible.posix.selinux: + conf: /etc/selinux/config + policy: "{{ rhel7cis_selinux_policy }}" + state: "{{ rhel7cis_selinux_state }}" -- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - ansible.posix.sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: true - sysctl_set: true - ignoreerrors: true +- name: "1.5.1.5 | PATCH | Ensure the SELinux state is enforcing" when: - - rhel7cis_rule_1_5_3 + - rhel7cis_rule_1_5_1_5 + tags: + - level2-server + - level2-workstation + - automated + - selinux + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.5 + ansible.posix.selinux: + conf: /etc/selinux/config + policy: "{{ rhel7cis_selinux_policy }}" + state: enforcing + +- name: "1.5.1.6 | AUDIT | Ensure no unconfined services exist" + when: + - rhel7cis_rule_1_5_1_6 tags: - level1-server - level1-workstation + - automated + - audit + - services + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.6 + vars: + warn_control_id: '1.5.1.6' + block: + - name: "1.5.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + register: rhel7cis_1_5_1_6_unconf_services + failed_when: false + changed_when: false + + - name: "1.5.1.6 | WARN | Ensure no unconfined services exist | Message on unconfined services" + when: + - rhel7cis_1_5_1_6_unconf_services is defined + - rhel7cis_1_5_1_6_unconf_services.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! You have unconfined services: {{ rhel7cis_1_5_1_6_unconf_services.stdout_lines }}" + + - name: "1.5.1.6 | WARN | Ensure no unconfined services exist | warning count" + when: + - rhel7cis_1_5_1_6_unconf_services is defined + - rhel7cis_1_5_1_6_unconf_services.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "1.5.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + when: + - rhel7cis_rule_1_5_1_7 + tags: + - level1-server + - level1-workstation + - automated - patch - - rule_1.5.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.7 + ansible.builtin.package: + name: mcstrans + state: absent -- name: "1.5.4 | PATCH | Ensure prelink is disabled" +- name: "1.5.1.8 | PATCH | Ensure SETroubleshoot is not installed" ansible.builtin.package: - name: prelink + name: setroubleshoot state: absent when: - - rhel7cis_rule_1_5_4 + - rhel7cis_rule_1_5_1_8 + - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - - level1-workstation + - automated + - selinux - patch - - rule_1.5.4 - vars: - ansible_python_interpreter: /bin/python + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.5.1.8 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 29cac139..00befd5e 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,123 +1,117 @@ --- -- name: "1.6.1.1 | PATCH | Ensure SELinux is installed" - ansible.builtin.package: - name: libselinux - state: present +- name: "1.6.1 | PATCH | Ensure message of the day is configured properly" when: - - not rhel7cis_selinux_disable - - rhel7cis_rule_1_6_1_1 + - rhel7cis_rule_1_6_1 tags: - level1-server - level1-workstation + - automated + - banner - patch - - rule_1.6.1.1 - vars: - ansible_python_interpreter: /bin/python + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 + - rule_1.6.1 + ansible.builtin.template: + src: etc/motd.j2 + dest: /etc/motd + owner: root + group: root + mode: go-rx -- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' - register: selinux_grub_patch - ignore_errors: true # noqa ignore-errors - notify: - - grub2cfg - - reboot_required +- name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly" when: - - not rhel7cis_selinux_disable - - rhel7cis_rule_1_6_1_2 + - rhel7cis_rule_1_6_2 tags: - level1-server - level1-workstation + - automated - patch - - rule_1.6.1.2 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 + - rule_1.6.2 + ansible.builtin.template: + src: etc/issue.j2 + dest: /etc/issue + owner: root + group: root + mode: go-rx -- name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured\n - 1.6.1.4 | PATCH | Ensure the SELinux state is enforcing or permissive" - ansible.posix.selinux: - conf: /etc/selinux/config - policy: "{{ rhel7cis_selinux_pol }}" - state: "{{ rhel7cis_selinux_state }}" +- name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly" when: - - not rhel7cis_selinux_disable - - rhel7cis_rule_1_6_1_3 - - rhel7cis_rule_1_6_1_4 + - rhel7cis_rule_1_6_3 tags: - level1-server - level1-workstation - - selinux + - automated + - banner - patch - - rule_1.6.1.3 - - rule_1.6.1.4 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 + - rule_1.6.3 + ansible.builtin.template: + src: etc/issue.net.j2 + dest: /etc/issue.net + owner: root + group: root + mode: go-wx -- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" - ansible.posix.selinux: - conf: /etc/selinux/config - policy: "{{ rhel7cis_selinux_pol }}" - state: enforcing +- name: "1.6.4 | PATCH | Ensure access to /etc/motd is configured" when: - - not rhel7cis_selinux_disable - - not rhel7cis_selinux_state == "permissive" - - rhel7cis_rule_1_6_1_5 - tags: - - level2-server - - level2-workstation - - selinux - - patch - - rule_1.6.1.5 - -- name: "1.6.1.6 | AUDIT | Ensure no unconfined daemons exist" - block: - - name: "1.6.1.6 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" - ansible.builtin.shell: ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - failed_when: false - changed_when: false - check_mode: false - register: rhelcis_1_6_1_6_unconf_daemons - - - name: "1.6.1.6 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones" - ansible.builtin.debug: - msg: "Good News! There are no unconfined daemons found on your system" - when: rhelcis_1_6_1_6_unconf_daemons.stdout | length == 0 - - - name: "1.6.1.6 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones" - ansible.builtin.debug: - msg: "WARNING!! You have unconfined daemons: {{ rhelcis_1_6_1_6_unconf_daemons.stdout_lines }}" - when: rhelcis_1_6_1_6_unconf_daemons.stdout | length > 0 - when: - - rhel7cis_rule_1_6_1_6 + - rhel7cis_rule_1_6_4 tags: - level1-server - level1-workstation - - audit - - rule_1.6.1.6 + - automated + - perms + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.6.4 + ansible.builtin.file: + path: /etc/motd + state: file + owner: root + group: root + mode: go-wx -- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" - ansible.builtin.package: - name: setroubleshoot - state: absent +- name: "1.6.5 | PATCH | Ensure access to /etc/issue is configured" when: - - rhel7cis_rule_1_6_1_7 + - rhel7cis_rule_1_6_5 tags: - level1-server - level1-workstation - - selinux + - automated + - perms - patch - - rule_1.6.1.7 - vars: - ansible_python_interpreter: /bin/python + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.6.5 + ansible.builtin.file: + path: /etc/issue + state: file + owner: root + group: root + mode: go-wx -- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - ansible.builtin.package: - name: mcstrans - state: absent +- name: "1.6.6 | PATCH | Ensure access to /etc/issue.net is configured" when: - - rhel7cis_rule_1_6_1_8 + - rhel7cis_rule_1_6_6 tags: - level1-server - level1-workstation + - automated + - perms - patch - - rule_1.6.1.8 - vars: - ansible_python_interpreter: /bin/python + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_1.6.6 + ansible.builtin.file: + path: /etc/issue.net + state: file + owner: root + group: root + mode: go-wx diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index b1587fb0..ac9c86d9 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,97 +1,250 @@ --- -- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - ansible.builtin.template: - src: etc/motd.j2 - dest: /etc/motd - owner: root - group: root - mode: 0644 +- name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed" when: - rhel7cis_rule_1_7_1 + - "'gdm' in ansible_facts.packages" + - not rhel7cis_gui tags: - - level1-server - - level1-workstation - - banner + - level2-server + - automated - patch + - gui + - gdm - rule_1.7.1 + ansible.builtin.package: + name: gdm + state: absent -- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - ansible.builtin.template: - src: etc/issue.j2 - dest: /etc/issue - owner: root - group: root - mode: 0644 +- name: "1.7.2 | PATCH | Ensure GDM login banner is configured" when: - rhel7cis_rule_1_7_2 + - rhel7cis_gui tags: - level1-server - level1-workstation - - banner + - automated - patch + - gui + - gdm - rule_1.7.2 - -- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - ansible.builtin.template: - src: etc/issue.net.j2 - dest: /etc/issue.net + ansible.builtin.lineinfile: + path: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true owner: root group: root - mode: 0644 - when: - - rhel7cis_rule_1_7_3 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.7.3 + mode: '0644' + notify: Reload_dconf + loop: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel7cis_warning_banner | replace('\n', ' ') }}' " } -- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - ansible.builtin.file: - dest: /etc/motd - state: file +- name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled" + ansible.builtin.lineinfile: + path: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true owner: root group: root - mode: 0644 + mode: '0644' + notify: Reload_dconf + loop: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'} + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } + +- name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" when: - rhel7cis_rule_1_7_4 + - rhel7cis_gui tags: - level1-server - level1-workstation - - perms + - automated - patch + - gui - rule_1.7.4 + notify: Reload_dconf + block: + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | User profile" + ansible.builtin.lineinfile: + path: /etc/dconf/profile/user + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true + owner: root + group: root + mode: '0644' + loop: + - { regexp: '^user-db', line: 'user-db: user' } + - { regexp: '^system-db', line: 'system-db: local' } -- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - ansible.builtin.file: - dest: /etc/issue - state: file - owner: root - group: root - mode: 0644 + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | Make db directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d" + owner: root + group: root + mode: '0755' + state: directory + + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver.j2 + dest: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/00-screensaver" + owner: root + group: root + mode: '0644' + +- name: "1.7.5 PATCH | Ensure GDM screen locks cannot be overridden" when: - rhel7cis_rule_1_7_5 + - rhel7cis_gui tags: - level1-server - - level1-workstation - - perms + - level2-workstation + - automated - patch + - gui - rule_1.7.5 + block: + - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: '0755' + state: directory + + - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" + ansible.builtin.template: + src: etc/dconf/db/locks/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/locks/00-screensaver" + owner: root + group: root + mode: '0644' -- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - ansible.builtin.file: - dest: /etc/issue.net - state: file +- name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" + when: + - rhel7cis_rule_1_7_6 + - rhel7cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.7.6 + notify: Reload_dconf + ansible.builtin.template: + src: etc/dconf/db/00-media-automount.j2 + dest: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: 0644 + mode: '0644' + +- name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" when: - - rhel7cis_rule_1_7_6 + - rhel7cis_rule_1_7_7 + - rhel7cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.7.7 + notify: Reload_dconf + block: + - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: '0755' + state: directory + + - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" + ansible.builtin.template: + src: etc/dconf/db/locks/00-automount_lock.j2 + dest: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/locks/00-automount_lock" + owner: root + group: root + mode: '0644' + +- name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" + when: + - rhel7cis_rule_1_7_8 + - rhel7cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.7.8 + notify: Reload_dconf + block: + - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | Make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d" + owner: root + group: root + mode: '0755' + state: directory + + - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" + ansible.builtin.template: + src: etc/dconf/db/00-media-autorun.j2 + dest: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/00-media-autorun" + owner: root + group: root + mode: '0644' + +- name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" + when: + - rhel7cis_rule_1_7_9 + - rhel7cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.7.9 + notify: Reload_dconf + block: + - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: '0755' + state: directory + + - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" + ansible.builtin.template: + src: etc/dconf/db/locks/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ rhel7cis_dconf_db_name }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: '0644' + +- name: "1.7.10 | PATCH | Ensure XDMCP is not enabled" + when: + - rhel7cis_rule_1_7_10 + - rhel7cis_gui tags: - level1-server - level1-workstation - - perms - patch - - rule_1.7.6 + - gui + - rule_1.7.10 + ansible.builtin.lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml deleted file mode 100644 index dcf7f129..00000000 --- a/tasks/section_1/cis_1.8.x.yml +++ /dev/null @@ -1,119 +0,0 @@ ---- - -- name: 1.8.1 | PATCH | Ensure GNOME Display Manager is removed - block: - - name: 1.8.1 | AUDIT | Ensure GNOME Display Manager is removed | check runlevel - ansible.builtin.fail: - msg: "System is at runlevel 5 and GDM is installed this can only be removed at Lvl <= 3" - when: - - ansible_env.SHLVL > 3 - - - name: 1.8.1 | AUDIT | Ensure GNOME Display Manager is removed | Remove package - ansible.builtin.package: - name: gdm - state: absent - when: - - "'gdm' in ansible_facts.packages" - - not rhel7cis_gui - - rhel7cis_rule_1_8_1 - tags: - - rule_1.8.1 - - level1-server - - level1-workstation - -- name: 1.8.2 | PATCH | Ensure GDM login banner is configured - block: - - name: 1.8.2 | PATCH | Ensure GDM login banner is configured | gdm profile - ansible.builtin.lineinfile: - path: /etc/dconf/profile/gdm - regexp: "^{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - mode: 0644 - owner: root - group: root - with_items: - - {regexp: 'user-db', line: 'user-db:user' } - - {regexp: 'system-db', line: 'system-db:gdm' } - - {regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - - name: 1.8.2 | PATCH | Ensure GDM login banner is configured | banner - ansible.builtin.lineinfile: - path: /etc/dconf/db/gdm.d/01-banner-message - regexp: "^{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - mode: 0644 - owner: root - group: root - with_items: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { regexp: 'banner-message-text', line: "banner-message-text='{{ rhel7cis_warning_banner }}' " } - when: - - "'gdm' in ansible_facts.packages" - - not rhel7cis_gui - - rhel7cis_rule_1_8_2 - tags: - - rule_1.8.2 - - level1-server - - level1-workstation - -- name: 1.8.3 | PATCH | Ensure last logged in user display is disabled | banner - block: - - name: 1.8.3 | PATCH | Ensure last logged in user display is disabled | gdm profile - ansible.builtin.lineinfile: - path: /etc/dconf/profile/gdm - regexp: "^{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - mode: 0644 - owner: root - group: root - with_items: - - {regexp: 'user-db', line: 'user-db:user' } - - {regexp: 'system-db', line: 'system-db:gdm' } - - {regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - - name: 1.8.3 | PATCH | Ensure last logged in user display is disabled | login screen - ansible.builtin.lineinfile: - path: /etc/dconf/db/gdm.d/00-login-screen - regexp: "^{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - mode: 0644 - owner: root - group: root - with_items: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { regexp: 'disable-user-list', line: 'disable-user-list=true' } - when: - - "'gdm' in ansible_facts.packages" - - not rhel7cis_gui - - rhel7cis_rule_1_8_3 - tags: - - rule_1.8.3 - - level1-server - - level1-workstation - -- name: 1.8.4 | PATCH | Ensure XDCMP is not enabled - ansible.builtin.lineinfile: - path: /etc/gdm/custom.conf - regexp: ^Enable(\s|)=(\s|)true - state: absent - create: true - owner: root - group: root - mode: 0644 - when: - - "'gdm' in ansible_facts.packages" - - not rhel7cis_gui - - rhel7cis_rule_1_8_4 - tags: - - rule_1.8.4 - - level1-server - - level1-workstation diff --git a/tasks/section_1/cis_1.9.x.yml b/tasks/section_1/cis_1.9.x.yml deleted file mode 100644 index 795dc442..00000000 --- a/tasks/section_1/cis_1.9.x.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - ansible.builtin.package: - name: "*" - state: latest - when: - - rhel7cis_rule_1_9 - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.9 - - skip_ansible_lint - vars: - ansible_python_interpreter: /bin/python diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 4851f703..36884179 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -4,40 +4,56 @@ ansible.builtin.import_tasks: file: cis_1.1.1.x.yml -- name: "SECTION | 1.1 | Partition Configurations" +- name: "SECTION | 1.1.2.1.x | Configure /tmp" ansible.builtin.import_tasks: - file: cis_1.1.x.yml + file: cis_1.1.2.1.x.yml + +- name: "SECTION | 1.1.2.2.x | Configure /dev/shm" + ansible.builtin.import_tasks: + file: cis_1.1.2.2.x.yml + +- name: "SECTION | 1.1.2.3.x | Configure /home" + ansible.builtin.import_tasks: + file: cis_1.1.2.3.x.yml + +- name: "SECTION | 1.1.2.4.x | Configure /var" + ansible.builtin.import_tasks: + file: cis_1.1.2.4.x.yml + +- name: "SECTION | 1.1.2.5.x | Configure /var/tmp" + ansible.builtin.import_tasks: + file: cis_1.1.2.5.x.yml + +- name: "SECTION | 1.1.2.6.x | Configure /var/log" + ansible.builtin.import_tasks: + file: cis_1.1.2.6.x.yml + +- name: "SECTION | 1.1.2.7.x | Configure /var/log/audit" + ansible.builtin.import_tasks: + file: cis_1.1.2.7.x.yml - name: "SECTION | 1.2 | Configure Software Updates" ansible.builtin.import_tasks: file: cis_1.2.x.yml -- name: "SECTION | 1.3 | Filesystem Integrity" +- name: "SECTION | 1.3 | Secure Boot Settings" ansible.builtin.import_tasks: file: cis_1.3.x.yml - when: rhel7cis_config_aide -- name: "SECTION | 1.4 | Secure Boot Settings" +- name: "SECTION | 1.4 | Configure Additional Process Hardening" ansible.builtin.import_tasks: file: cis_1.4.x.yml -- name: "SECTION | 1.5 | Additional Process Hardening" +- name: "SECTION | 1.5 | Mandatory Access Control" ansible.builtin.import_tasks: file: cis_1.5.x.yml + when: not rhel7cis_selinux_disable -- name: "SECTION | 1.6 | Mandatory Access Control" +- name: "SECTION | 1.6 | Warning Banners" ansible.builtin.import_tasks: file: cis_1.6.x.yml - when: not rhel7cis_selinux_disable -- name: "SECTION | 1.7 | Warning Banners" +- name: "SECTION | 1.7 | Gnome desktop" + when: rhel7cis_gui ansible.builtin.import_tasks: file: cis_1.7.x.yml - -- name: "SECTION | 1.8 | GDM Login" - ansible.builtin.import_tasks: - file: cis_1.8.x.yml - -- name: "SECTION | 1.9 | Updated and Patches" - ansible.builtin.import_tasks: - file: cis_1.9.x.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 7811ab9d..10622f9f 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -1,16 +1,54 @@ --- -- name: "2.1.1 | PATCH | Ensure xinetd is not installed" - ansible.builtin.package: - name: xinetd - state: absent - vars: - ansible_python_interpreter: /bin/python +- name: "2.1.1 | PATCH | Ensure time synchronization is in use" when: - - ("'xinetd' in ansible_facts.packages") and not rhel7cis_xinetd_required - rhel7cis_rule_2_1_1 + - not system_is_container tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.1 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + ansible.builtin.package: + name: "{{ rhel7cis_time_synchronization }}" + state: present + +- name: "2.1.2 | PATCH | Ensure chrony is configured" + when: + - rhel7cis_time_synchronization == "chrony" + - rhel7cis_rule_2_1_2 + - not system_is_container + tags: + - level1-server + - level1-workstation + - patch + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - rule_2.1.2 + ansible.builtin.template: + src: chrony.conf.j2 + dest: /etc/chrony.conf + owner: root + group: root + mode: '0644' + +- name: "2.1.3 | PATCH | Ensure chrony is not run as the root user" + when: + - rhel7cis_time_synchronization == "chrony" + - rhel7cis_rule_2_1_3 + - not system_is_container + tags: + - level1-server + - level1-workstation + - patch + - rule_2.1.3 + ansible.builtin.lineinfile: + path: /etc/sysconfig/chronyd + regexp: OPTIONS=\"(.*)(?!-u chrony)(.*)" + line: OPTIONS="\1\2 -u chrony" + create: true + backrefs: true + mode: '0644' diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml deleted file mode 100644 index 70a4d9f9..00000000 --- a/tasks/section_2/cis_2.2.1.x.yml +++ /dev/null @@ -1,102 +0,0 @@ ---- - -- name: "2.2.1.1 | PATCH | Ensure time synchronization is in use" - block: - - name: "2.2.1.1 | PATCH | Ensure time synchronization is in use | service install" - ansible.builtin.package: - name: "{{ rhel7cis_time_synchronization }}" - state: present - - - name: "2.2.1.1 | PATCH | Ensure time synchronization is in use | service start" - ansible.builtin.service: - name: "{{ rhel7cis_time_synchronization }}d" - state: started - enabled: true - - - name: "2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp" - ansible.builtin.service: - name: ntpd - state: stopped - enabled: false - when: - - "'ntp' in ansible_facts.packages" - - rhel7cis_time_synchronization == "chrony" - - - name: "2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony" - ansible.builtin.service: - name: chronyd - state: stopped - enabled: false - when: - - rhel7cis_time_synchronization == "ntp" and "'chrony' in ansible_facts.packages" - vars: - ansible_python_interpreter: /bin/python - when: - - rhel7cis_rule_2_2_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.1 - -- name: "2.2.1.2 | PATCH | Ensure chrony is configured" - block: - - name: "2.2.1.2 | PATCH | Ensure chrony is configured | modify /etc/chrony.conf" - ansible.builtin.template: - src: chrony.conf.j2 - dest: /etc/chrony.conf - owner: root - group: root - mode: 0644 - - - name: "2.2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd" - ansible.builtin.lineinfile: - dest: /etc/sysconfig/chronyd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u chrony\"" - state: present - create: true - owner: root - group: root - mode: 0640 - when: - - rhel7cis_time_synchronization == "chrony" - - rhel7cis_rule_2_2_1_2 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.2 - -- name: "2.2.1.3 | PATCH | Ensure ntp is configured" - block: - - name: "2.2.1.3 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf" - ansible.builtin.template: - src: ntp.conf.j2 - dest: /etc/ntp.conf - owner: root - group: root - mode: 0644 - - - name: "2.2.1.3 | PATCH | Ensure ntp is configured | modify /etc/sysconfig/ntpd" - ansible.builtin.lineinfile: - dest: /etc/sysconfig/ntpd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u ntp:ntp\"" - - - name: "2.2.1.3 | PATCH | Ensure ntp is configured | modify /usr/lib/systemd/system/ntpd.service" - ansible.builtin.lineinfile: - dest: /usr/lib/systemd/system/ntpd.service - regexp: "^(#)?ExecStart" - line: "ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS" - when: - - rhel7cis_time_synchronization == "ntp" - - rhel7cis_rule_2_2_1_3 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.3 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index d3801d01..5774458f 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -1,358 +1,736 @@ --- -- name: "2.2.2 | PATCH | Ensure X11 Server components are not installed" - ansible.builtin.package: - state: absent - name: - - "@X Window System" - - "xorg-x11*" - vars: - ansible_python_interpreter: /bin/python +- name: "2.2.1 | PATCH | Ensure autofs services are not in use" + when: + - rhel7cis_rule_2_2_1 + tags: + - level1-server + - level2-workstation + - automated + - patch + - NIST800-53R5_SI-3 + - NIST800-53R5_MP-7 + - rule_2.2.1 + block: + - name: "2.2.1 | PATCH | Ensure autofs services are not in use | Remove Package" + when: + - "'autofs' in ansible_facts.packages" + - not rhel7cis_autofs_services + - not rhel7cis_autofs_mask + ansible.builtin.package: + name: autofs + state: absent + + - name: "2.2.1 | PATCH | Ensure autofs services are not in use | Mask service" + when: + - not rhel7cis_autofs_services + - rhel7cis_autofs_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: autofs + enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.2 | PATCH | Ensure avahi daemon services are not in use" when: - - not rhel7cis_xwindows_required - rhel7cis_rule_2_2_2 tags: - level1-server - - level1-workstation - - xwindows + - level2-workstation + - automated - patch + - avahi + - NIST800-53R5_SI-4 - rule_2.2.2 + block: + - name: "2.2.2 | PATCH | Ensure avahi daemon services are not in use | Remove package" + when: + - not rhel7cis_avahi_server + - not rhel7cis_avahi_mask + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + ansible.builtin.package: + name: + - avahi-autoipd + - avahi + state: absent -- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | disabled" - ansible.builtin.service: - name: avahi-daemon - state: stopped - enabled: false + - name: "2.2.2 | PATCH | Ensure avahi daemon services are not in use | Mask service" + when: + - not rhel7cis_avahi_server + - rhel7cis_avahi_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: "{{ ('avahi' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('avahi' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + loop: + - avahi-daemon.socket + - avahi-daemon.service + +- name: "2.2.3 | PATCH | Ensure dhcp server services are not in use" when: - - not rhel7cis_avahi_server - - "'avahi' in ansible_facts.packages" - rhel7cis_rule_2_2_3 tags: - level1-server - level1-workstation - - avahi - - services + - automated - patch + - dhcp + - NIST800-53R5_CM-7 - rule_2.2.3 + block: + - name: "2.2.3 | PATCH | Ensure dhcp server services are not in use | Remove package" + when: + - "'dhcp-server' in ansible_facts.packages" + - not rhel7cis_dhcp_server + - not rhel7cis_dhcp_mask + ansible.builtin.package: + name: dhcp-server + state: absent -- name: "2.2.4 | PATCH | Ensure CUPS is not installed" - ansible.builtin.package: - name: cups - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.3 | PATCH | Ensure dhcp server services are not in use | Mask service" + when: + - not rhel7cis_dhcp_server + - rhel7cis_dhcp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + loop: + - dhcpd.service + - dhcpd6.service + +- name: "2.2.4 | PATCH | Ensure dns server services are not in use" when: - - not rhel7cis_cups_server - - "'cups' in ansible_facts.packages" - rhel7cis_rule_2_2_4 tags: - level1-server - level1-workstation - - cups - - services + - automated - patch + - dns + - NIST800-53R5_CM-7 - rule_2.2.4 + block: + - name: "2.2.4 | PATCH | Ensure dns server services are not in use | Remove package" + when: + - "'bind' in ansible_facts.packages" + - not rhel7cis_dns_server + - not rhel7cis_dns_mask + ansible.builtin.package: + name: bind + state: absent -- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" - ansible.builtin.package: - name: dhcp - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.4 | PATCH | Ensure dns server services are not in use | Mask service" + when: + - not rhel7cis_dns_server + - rhel7cis_dns_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: named.service + enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.5 | PATCH | Ensure dnsmasq server services are not in use" when: - - not rhel7cis_dhcp_server - - "'dhcp' in ansible_facts.packages" - rhel7cis_rule_2_2_5 tags: - level1-server - level1-workstation - - dhcp - - services + - automated - patch + - dns + - NIST800-53R5_CM-7 - rule_2.2.5 + block: + - name: "2.2.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package" + when: + - "'dnsmasq' in ansible_facts.packages" + - not rhel7cis_dnsmasq_server + - not rhel7cis_dnsmasq_mask + ansible.builtin.package: + name: dnsmasq + state: absent -- name: "2.2.6 | PATCH | Ensure LDAP server is not installed" - ansible.builtin.package: - name: openldap-servers - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service" + when: + - not rhel7cis_dnsmasq_server + - rhel7cis_dnsmasq_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: dnsmasq.service + enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.6 | PATCH | Ensure samba file server services are not in use" when: - - not rhel7cis_ldap_server - - "'openldap-servers' in ansible_facts.packages" - rhel7cis_rule_2_2_6 tags: - level1-server - level1-workstation - - ldap - - services + - automated - patch + - samba + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 - rule_2.2.6 + block: + - name: "2.2.6 | PATCH | Ensure samba file server services are not in use | Remove package" + when: + - "'samba' in ansible_facts.packages" + - not rhel7cis_samba_server + - not rhel7cis_samba_mask + ansible.builtin.package: + name: samba + state: absent -- name: "2.2.7 | PATCH | Ensure DNS server is not installed" - ansible.builtin.package: - name: bind - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.6 | PATCH | Ensure samba file server services are not in use | Mask service" + when: + - not rhel7cis_samba_server + - rhel7cis_samba_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: smb.service + enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.7 | PATCH | Ensure ftp server services are not in use" when: - - not rhel7cis_named_server - - "'bind' in ansible_facts.packages" - rhel7cis_rule_2_2_7 tags: - level1-server - level1-workstation - - dns - - services + - automation - patch + - ftp + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 - rule_2.2.7 + block: + - name: "2.2.7 | PATCH | Ensure ftp server services are not in use | Remove package" + when: + - "'vsftp' in ansible_facts.packages" + - not rhel7cis_ftp_server + - not rhel7cis_ftp_mask + ansible.builtin.package: + name: vsftpd + state: absent -- name: "2.2.8 | PATCH | Ensure FTP server is not installed" - ansible.builtin.package: - name: vsftpd - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.7 | PATCH | Ensure ftp server services are not in use | Mask service" + when: + - not rhel7cis_ftp_server + - rhel7cis_ftp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: vsftpd.service + enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.8 | PATCH | Ensure message access server services are not in use" when: - - not rhel7cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - rhel7cis_rule_2_2_8 tags: - level1-server - level1-workstation - - ftp - - services + - automated - patch + - dovecot + - imap + - pop3 + - NIST800-53R5_CM-7 - rule_2.2.8 + block: + - name: "2.2.8 | PATCH | Ensure message access server services are not in use | Remove package" + when: + - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" + - not rhel7cis_message_server + - not rhel7cis_message_mask + ansible.builtin.package: + name: + - dovecot + - cyrus-imapd + state: absent -- name: "2.2.9 | PATCH | Ensure HTTP server is not installed" - ansible.builtin.package: - name: httpd - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.8 | PATCH | Ensure message access server services are not in use | Mask service" + when: + - not rhel7cis_message_server + - rhel7cis_message_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + loop: + - "dovecot.socket" + - "dovecot.service" + - "cyrus-imapd.service" + +- name: "2.2.9 | PATCH | Ensure network file system services are not in use" when: - - not rhel7cis_httpd_server - - "'httpd' in ansible_facts.packages" - rhel7cis_rule_2_2_9 tags: - level1-server - level1-workstation - - httpd - - services + - automated - patch + - nfs + - services + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 - rule_2.2.9 + block: + - name: "2.2.9 | PATCH | Ensure network file system services are not in use | Remove package" + when: + - "'nfs-utils' in ansible_facts.packages" + - not rhel7cis_nfs_server + - not rhel7cis_nfs_mask + ansible.builtin.package: + name: nfs-utils + state: absent -- name: "2.2.10 | PATCH | Ensure IMAP and POP3 server is not installed" - ansible.builtin.package: - name: dovecot - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.9 | PATCH | Ensure network file system services are not in use | Mask service" + when: + - not rhel7cis_nfs_server + - rhel7cis_nfs_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: nfs-server.service + enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.10 | PATCH | Ensure nis server services are not in use" when: - - not rhel7cis_dovecot_server - - "'dovecot' in ansible_facts.packages" - rhel7cis_rule_2_2_10 tags: - level1-server - level1-workstation - - dovecot - - services + - automated - patch + - nis + - NIST800-53R5_CM-7 - rule_2.2.10 + notify: Systemd_daemon_reload + block: + - name: "2.2.10 | PATCH | Ensure nis server services are not in use | Remove package" + when: + - "'ypserv' in ansible_facts.packages" + - not rhel7cis_nis_server + - not rhel7cis_nis_mask + ansible.builtin.package: + name: ypserv + state: absent -- name: "2.2.11 | PATCH | Ensure Samba server is not installed" - ansible.builtin.package: - name: samba - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.10 | PATCH | Ensure nis server services are not in use | Mask service" + when: + - not rhel7cis_nis_server + - rhel7cis_nis_mask + ansible.builtin.systemd: + name: ypserv.service + enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.11 | PATCH | Ensure print server services are not in use" when: - - not rhel7cis_smb_server - - "'samba' in ansible_facts.packages" - rhel7cis_rule_2_2_11 tags: - level1-server - - level1-workstation - - samba - - services + - automated - patch + - cups + - NIST800-53R5_CM-7 - rule_2.2.11 + block: + - name: "2.2.11 | PATCH | Ensure print server services are not in use | Remove package" + when: + - "'cups' in ansible_facts.packages" + - not rhel7cis_print_server + - not rhel7cis_print_mask + ansible.builtin.package: + name: cups + state: absent -- name: "2.2.12 | PATCH | Ensure HTTP Proxy server is not installed" - ansible.builtin.package: - name: squid - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.11 | PATCH | Ensure print server services are not in use | Mask service" + when: + - not rhel7cis_print_server + - rhel7cis_print_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + loop: + - "cups.socket" + - "cups.service" + +- name: "2.2.12 | PATCH | Ensure rpcbind services are not in use" when: - - not rhel7cis_squid_server - - "'squid' in ansible_facts.packages" - rhel7cis_rule_2_2_12 tags: - level1-server - level1-workstation - - squid - - services + - automated - patch + - rpc + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 - rule_2.2.12 + block: + - name: "2.2.12 | PATCH | Ensure rpcbind services are not in use | Remove package" + when: + - "'rpcbind' in ansible_facts.packages" + - not rhel7cis_rpc_server + - not rhel7cis_rpc_mask + ansible.builtin.package: + name: cups + state: absent -- name: "2.2.13 | PATCH | Ensure net-snmp is not installed" - ansible.builtin.package: - name: net-snmp - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.12 | PATCH | Ensure rpcbind services are not in use | Mask service" + when: + - not rhel7cis_rpc_server + - rhel7cis_rpc_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + loop: + - rpcbind.service + - rpcbind.socket + +- name: "2.2.13 | PATCH | Ensure rsync services are not in use" when: - - not rhel7cis_snmp_server - - "'net-snmp' in ansible_facts.packages" - rhel7cis_rule_2_2_13 tags: - level1-server - level1-workstation - - squid - - services + - automated - patch + - rsync + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 - rule_2.2.13 + block: + - name: "2.2.13 | PATCH | Ensure rsync services are not in use | Remove package" + when: + - "'rsync-daemon' in ansible_facts.packages" + - not rhel7cis_rsync_server + - not rhel7cis_rsync_mask + ansible.builtin.package: + name: rsync-daemon + state: absent -- name: "2.2.14 | PATCH | Ensure NIS server is not installed" - ansible.builtin.package: - name: ypserv - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.13 | PATCH | Ensure rsync services are not in use | Mask service" + when: + - not rhel7cis_rsync_server + - rhel7cis_rsync_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + loop: + - 'rsyncd.socket' + - 'rsyncd.service' + +- name: "2.2.14 | PATCH | Ensure snmp services are not in use" when: - - not rhel7cis_nis_server - - "'ypserv' in ansible_facts.packages" - rhel7cis_rule_2_2_14 tags: - level1-server - level1-workstation - - nis - - services + - automation - patch + - snmp + - NIST800-53R5_CM-7 - rule_2.2.14 + block: + - name: "2.2.14 | PATCH | Ensure snmp services are not in use | Remove package" + when: + - "'net-snmp' in ansible_facts.packages" + - not rhel7cis_net_snmp_server + - not rhel7cis_net_snmp_mask + ansible.builtin.package: + name: rsync-daemon + state: absent -- name: "2.2.15 | PATCH | Ensure telnet-server is not installed" - ansible.builtin.package: - name: telnet-server - state: absent - vars: - ansible_python_interpreter: /bin/python + - name: "2.2.14 | PATCH | Ensure snmp services are not in use | Mask service" + when: + - not rhel7cis_net_snmp_server + - rhel7cis_net_snmp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: snmpd.service + enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.15 | PATCH | Ensure telnet server services are not in use" when: - - not rhel7cis_telnet_server - - "'telnet-server' in ansible_facts.packages" - - rhel7cis_rule_2.2_15 + - rhel7cis_rule_2_2_15 tags: - level1-server - level1-workstation - - telnet - - services + - automated - patch + - telnet + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 - rule_2.2.15 + block: + - name: "2.2.15 | PATCH | Ensure telnet server services are not in use | Remove package" + when: + - "'telnet-server' in ansible_facts.packages" + - not rhel7cis_telnet_server + - not rhel7cis_telnet_mask + ansible.builtin.package: + name: telnet-server + state: absent -- name: "2.2.16 | PATCH | Ensure mail transfer agent is configured for local-only mode" - ansible.builtin.lineinfile: - dest: /etc/postfix/main.cf - regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = loopback-only" - notify: restart postfix + - name: "2.2.15 | PATCH | Ensure telnet server services are not in use | Mask service" + when: + - not rhel7cis_telnet_server + - rhel7cis_telnet_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: telnet.socket + enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.16 | PATCH | Ensure tftp server services are not in use" when: - - not rhel7cis_is_mail_server - - "'postfix' in ansible_facts.packages" - rhel7cis_rule_2_2_16 tags: - level1-server - level1-workstation + - automated - patch + - tftp + - NIST800-53R5_CM-7 - rule_2.2.16 - -- name: "2.2.17 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" block: - - name: "2.2.17 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | nfs-utils " + - name: "2.2.16 | PATCH | Ensure tftp server services are not in use | Remove package" + when: + - "'tftp-server' in ansible_facts.packages" + - not rhel7cis_tftp_server + - not rhel7cis_tftp_mask ansible.builtin.package: - name: nfs-utils + name: tftp-server state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - not rhel7cis_nfs_rpc_server and not rhel7cis_nfs_server - - name: "2.2.17 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | nfs-server " + - name: "2.2.16 | PATCH | Ensure tftp server services are not in use | Mask service" + when: + - not rhel7cis_tftp_server + - rhel7cis_tftp_mask + notify: Systemd_daemon_reload ansible.builtin.systemd: - name: nfs-server + name: "{{ item }}" + enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}" masked: true - when: - - rhel7cis_nfs_rpc_server and not rhel7cis_nfs_server + loop: + - 'tftp.socket' + - 'tftp.service' + +- name: "2.2.17 | PATCH | Ensure web proxy server services are not in use" when: - - "'nfs-utils' in ansible_facts.packages" - rhel7cis_rule_2_2_17 tags: - level1-server - level1-workstation - - nfs - - services + - automation - patch + - squid + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 - rule_2.2.17 - -- name: "2.2.18 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" block: - - name: "2.2.18 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | rpcbind" + - name: "2.2.17 | PATCH | Ensure web proxy server services are not in use | Remove package" + when: + - "'squid' in ansible_facts.packages" + - not rhel7cis_squid_server + - not rhel7cis_squid_mask ansible.builtin.package: - name: rpcbind + name: squid state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - not rhel7cis_nfs_rpc_server and not rhel7cis_rpc_server - - name: "2.2.18 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | rpcbind-server" - ansible.builtin.systemd: - name: rpcbind - masked: true + - name: "2.2.17 | PATCH | Ensure web proxy server services are not in use | Mask service" when: - - rhel7cis_nfs_rpc_server and not rhel7cis_rpc_server - - - name: "2.2.18 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | rpcbind-server" + - not rhel7cis_squid_server + - rhel7cis_squid_mask + notify: Systemd_daemon_reload ansible.builtin.systemd: - name: rpcbind.socket + name: squid.service + enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}" masked: true - when: - - rhel7cis_nfs_rpc_server and not rhel7cis_rpc_server + +- name: "2.2.18 | PATCH | Ensure web server services are not in use" when: - - "'rpcbind' in ansible_facts.packages" - rhel7cis_rule_2_2_18 tags: - level1-server - level1-workstation - - rpc - - services + - automated - patch + - httpd + - nginx + - webserver + - NIST800-53R5_CM-7 - rule_2.2.18 - -- name: "2.2.19 | PATCH | Ensure rsync is not installed or the rsyncd services are masked" block: - - name: "2.2.19 | PATCH | Ensure rsync is not installed or the rsyncd services are masked | pkg removal" + - name: "2.2.18 | PATCH | Ensure web server services are not in use | Remove httpd server" + when: + - "'httpd' in ansible_facts.packages" + - not rhel7cis_httpd_server + - not rhel7cis_httpd_mask ansible.builtin.package: - name: rsync + name: httpd state: absent - vars: - ansible_python_interpreter: /bin/python - - name: "2.2.19 | PATCH | Ensure rsync is not installed or the rsyncd services are masked | Mask " + - name: "2.2.18 | PATCH | Ensure web server services are not in use | Remove nginx server" + when: + - "'nginx' in ansible_facts.packages" + - not rhel7cis_nginx_server + - not rhel7cis_nginx_mask + ansible.builtin.package: + name: nginx + state: absent + + - name: "2.2.18 | PATCH | Ensure web server services are not in use | Mask httpd service" + when: + - not rhel7cis_httpd_server + - rhel7cis_httpd_mask + - "'httpd' in ansible_facts.packages" + notify: Systemd_daemon_reload ansible.builtin.systemd: - name: rsyncd + name: httpd.service + enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}" masked: true + - name: "2.2.18 | PATCH | Ensure web server services are not in use | Mask nginx service" + when: + - not rhel7cis_nginx_server + - rhel7cis_nginx_mask + - "'nginx' in ansible_facts.packages" + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: ngnix.service + enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.19 | PATCH | Ensure xinetd services are not in use" when: - - not rhel7cis_rsyncd_server - - not audit_content == 'git' # Required by git for audit - - "'rsync' in ansible_facts.packages" - rhel7cis_rule_2_2_19 tags: - level1-server - level1-workstation - - rsync - - services + - automated - patch + - xinetd + - NIST800-53R5_CM-7 - rule_2.2.19 + block: + - name: "2.2.19 | PATCH | Ensure xinetd services are not in use | Remove package" + when: + - "'xinetd' in ansible_facts.packages" + - not rhel7cis_xinetd_server + - not rhel7cis_xinetd_mask + ansible.builtin.package: + name: tftp-server + state: absent + + - name: "2.2.19 | PATCH | Ensure xinetd services are not in use | Mask service" + when: + - not rhel7cis_xinetd_server + - rhel7cis_xinetd_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: xinetd.service + enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}" + state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}" + masked: true + +- name: "2.2.20 | PATCH | Ensure X window server services are not in use" + when: + - not rhel7cis_xwindow_server + - "'xorg-x11-server-common' in ansible_facts.packages" + - rhel7cis_rule_2_2_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - xwindow + - NIST800-53R5_CM-11 + - rule_2.2.20 + ansible.builtin.package: + name: xorg-x11-server-common + state: absent + +- name: "2.2.21 | PATCH | Ensure mail transfer agents are configured for local-only mode" + when: + - not rhel7cis_is_mail_server + - "'postfix' in ansible_facts.packages" + - rhel7cis_rule_2_2_21 + tags: + - level1-server + - level1-workstation + - automated + - patch + - postfix + - NIST800-53R5_CM-7 + - rule_2.2.21 + notify: Restart_postfix + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + regexp: "^(#)?inet_interfaces" + line: "inet_interfaces = loopback-only" + +- name: "2.2.22 | AUDIT | Ensure only approved services are listening on a network interface" + when: + - rhel7cis_rule_2_2_22 + tags: + - level1-server + - level1-workstation + - manual + - audit + - services + - NIST800-53R5_CM-7 + - rule_2.2.22 + vars: + warn_control_id: '2.2.22' + block: + - name: "2.2.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" + ansible.builtin.shell: systemctl list-units --type=service + changed_when: false + failed_when: rhel7cis_2_2_22_services.rc not in [ 0, 1 ] + check_mode: false + register: rhel7cis_2_2_22_services + + - name: "2.2.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services" + ansible.builtin.debug: + msg: + - "Warning!! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ rhel7cis_2_2_22_services.stdout_lines }}" + + - name: "2.2.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 99263a00..6bedff4d 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -1,86 +1,86 @@ --- -- name: "2.3.1 | PATCH | Ensure NIS client is not installed" - ansible.builtin.package: - name: ypbind - state: absent - vars: - ansible_python_interpreter: /bin/python +- name: "2.3.1 | PATCH | Ensure ftp client is not installed" when: - - not rhel7cis_ypbind_required - - "'ypbind' in ansible_facts.packages" + - not rhel7cis_ftp_client + - "'ftp' in ansible_facts.packages" - rhel7cis_rule_2_3_1 tags: - level1-server - level1-workstation - - nis + - automated - patch + - ftp + - NIST800-53R5_CM-7 - rule_2.3.1 - -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" ansible.builtin.package: - name: rsh + name: ftp state: absent - vars: - ansible_python_interpreter: /bin/python + +- name: "2.3.2 | PATCH | Ensure ldap client is not installed" when: - - not rhel7cis_rsh_required - - "'rsh' in ansible_facts.packages" + - not rhel7cis_openldap_clients_required + - "'openldap-clients' in ansible_facts.packages" - rhel7cis_rule_2_3_2 tags: - - level1-server - - level1-workstation - - rsh + - level2-server + - level2-workstation + - automated - patch + - ldap + - NIST800-53R5_CM-7 - rule_2.3.2 - -- name: "2.3.3 | PATCH | Ensure talk client is not installed" ansible.builtin.package: - name: talk + name: openldap-clients state: absent - vars: - ansible_python_interpreter: /bin/python + +- name: "2.3.3 | PATCH | Ensure nis client is not installed" when: - - not rhel7cis_talk_required - - "'talk' in ansible_facts.packages" + - not rhel7cis_ypbind_required + - "'ypbind' in ansible_facts.packages" - rhel7cis_rule_2_3_3 tags: - level1-server - level1-workstation - - talk + - automated - patch + - nis + - NIST800-53R5_CM-7 - rule_2.3.3 - -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" ansible.builtin.package: - name: telnet + name: ypbind state: absent - vars: - ansible_python_interpreter: /bin/python + +- name: "2.3.4 | PATCH | Ensure telnet client is not installed" when: - - "'telnet' in ansible_facts.packages" - not rhel7cis_telnet_required + - "'telnet' in ansible_facts.packages" - rhel7cis_rule_2_3_4 tags: - level1-server - level1-workstation - - telnet + - automated - patch + - telnet + - NIST800-53R5_CM-7 - rule_2.3.4 - -- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" ansible.builtin.package: - name: openldap-clients + name: telnet state: absent - vars: - ansible_python_interpreter: /bin/python + +- name: "2.3.5 | PATCH | Ensure TFTP client is not installed" when: - - not rhel7cis_openldap_clients_required - - "'openldap-clients' in ansible_facts.packages" + - not rhel7cis_tftp_client + - "'tftp' in ansible_facts.packages" - rhel7cis_rule_2_3_5 tags: - level1-server - level1-workstation - - ldap_client + - automated - patch + - tftp + - NIST800-53R5_CM-7 - rule_2.3.5 + ansible.builtin.package: + name: tftp + state: absent diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml deleted file mode 100644 index 48a9031a..00000000 --- a/tasks/section_2/cis_2.4.x.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: "2.4 | Ensure nonessential services are removed or masked (Manual)" - ansible.builtin.debug: - msg: "<----- not required" - when: - - rhel7cis_rule_2_4 - tags: - - level1-server - - level1-workstation - - rule_2.4 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 196c5502..8b9a094d 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,9 @@ --- -- name: "SECTION | 2.1 | inetd Services" +- name: "SECTION | 2.1 | Time Synchronization" ansible.builtin.import_tasks: file: cis_2.1.x.yml -- name: "SECTION | 2.2.1 | Time Synchronization" - ansible.builtin.import_tasks: - file: cis_2.2.1.x.yml - - name: "SECTION | 2.2 | Special Purpose Services" ansible.builtin.import_tasks: file: cis_2.2.x.yml @@ -15,7 +11,3 @@ - name: "SECTION | 2.3 | Service Clients" ansible.builtin.import_tasks: file: cis_2.3.x.yml - -- name: "SECTION | 2.4 | Nonessential Services" - ansible.builtin.import_tasks: - file: cis_2.4.x.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index f008fa3a..4790f9ef 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -1,40 +1,109 @@ --- -- name: "3.1.1 | PATCH | Disable IPv6 | grub" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(? 0 + vars: + warn_control_id: '3.4.2.3' + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "3.4.2.4 | AUDIT | Ensure network interfaces are assigned to appropriate zone" + when: + - rhel7cis_rule_3_4_2_4 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.2.4 + - firewall + - NIST800-53R5_CA-9 + block: + - name: "3.4.2.4 | AUDIT | Ensure network interfaces are assigned to appropriate zone | capture output" + ansible.builtin.shell: find /sys/class/net/* -maxdepth 1 | awk -F"/" '{print $NF}' | while read -r netint; do [ "$netint" != "lo" ] && firewall-cmd --get-active-zones | grep -B1 $netint; done + changed_when: false + failed_when: false + register: rhel7cis_3_4_2_4_nics_and_zones + + - name: "3.4.2.4 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Show nics and zones" + ansible.builtin.debug: + msg: + - "The items below are the system network interfaces and associated firewalld zones, please correct as needed" + - "{{ rhel7cis_3_4_2_4_nics_and_zones.stdout_lines }}" + + - name: "3.4.2.4 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Warn Count" + when: rhel7cis_3_4_2_4_nics_and_zones.stdout | length > 0 + vars: + warn_control_id: '3.4.2.4' + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml new file mode 100644 index 00000000..aa24bead --- /dev/null +++ b/tasks/section_3/cis_3.4.3.x.yml @@ -0,0 +1,343 @@ +--- + +- name: "3.4.3.1 | PATCH | Ensure nftables is installed" + when: + - rhel7cis_rule_3_4_3_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.3.1 + - firewall + - nftables + - NIST800-53R5_CA-9 + vars: + ansible_python_interpreter: /bin/python + ansible.builtin.package: + name: nftables + state: present + +- name: "3.4.3.2 | PATCH | Ensure iptables are flushed" + when: + - "'iptables' in ansible_facts.packages" + - rhel7cis_firewall != "iptables" + - rhel7cis_rule_3_4_3_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_3.4.3.2 + - firewall + - nftables + - NIST800-53R5_CA-9 + block: + - name: "3.4.3.2 | PATCH | Ensure iptables are flushed | Flush IPv4 tables" + ansible.builtin.shell: iptables -F + + - name: "3.4.3.2 | PATCH | Ensure iptables are flushed | Flush IPv6 tables" + ansible.builtin.shell: ip6tables -F + when: + - rhel7cis_ipv6_required + +- name: "3.4.3.3 | PATCH | Ensure an nftables table exists" + when: + - rhel7cis_rule_3_4_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.3.3 + - firewall + - nftables + - NIST800-53R5_CA-9 + block: + - name: "3.4.3.3 | AUDIT | Ensure an nftables table exists | Check for tables" + ansible.builtin.shell: nft list tables + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_3_nft_tables + + - name: "3.4.3.3 | AUDIT | Ensure an nftables table exists | Show existing tables" + when: + - rhel7cis_3_4_3_3_nft_tables.stdout | length > 0 + ansible.builtin.debug: + msg: + - "Below are the current nft tables, please review" + - "{{ rhel7cis_3_4_3_3_nft_tables.stdout_lines }}" + + - name: "3.4.3.3 | AUDIT | Ensure an nftables table exists | Alert on no tables" + when: + - rhel7cis_3_4_3_3_nft_tables.stdout | length == 0 + - not rhel7cis_nft_tables_autoNewTable + ansible.builtin.debug: + msg: + - "Warning! You currently have no nft tables, please review your setup" + - 'Use the command "nft create table inet " to create a new table' + + - name: "3.4.3.3 | WARN | Ensure an nftables table exists | Warn Count" + when: not rhel7cis_nft_tables_autoNewTable + vars: + warn_control_id: '3.4.3.3' + ansible.builtin.import_tasks: + file: warning_facts.yml + + - name: "3.4.3.3 | PATCH | Ensure an nftables table exists | Create table if needed" + ansible.builtin.shell: nft create table inet "{{ rhel7cis_nft_tables_tablename }}" + failed_when: false + when: + - rhel7cis_nft_tables_autoNewTable + +- name: "3.4.3.4 | PATCH | Ensure nftables base chains exist" + when: + - rhel7cis_rule_3_4_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.3.4 + - firewall + - nftables + - NIST800-53R5_CA-9 + block: + - name: "3.4.3.4 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + ansible.builtin.shell: nft list ruleset | grep 'hook input' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_4_input_chains + + - name: "3.4.3.4 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + ansible.builtin.shell: nft list ruleset | grep 'hook forward' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_4_forward_chains + + - name: "3.4.3.4 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + ansible.builtin.shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_4_output_chains + + - name: "3.4.3.4 | AUDIT | Ensure nftables base chains exist | Display chains for review" + when: + - not rhel7cis_nft_tables_autochaincreate + ansible.builtin.debug: + msg: + - "Below are the current INPUT chains" + - "{{ rhel7cis_3_4_3_4_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel7cis_3_4_3_4_forward_chains.stdout_lines }}" + - "Below are teh current OUTPUT chains" + - "{{ rhel7cis_3_4_3_4_output_chains.stdout_lines }}" + + - name: "3.4.3.3 | WARN | Ensure nftables base chains exist | Warn Count" + when: not rhel7cis_nft_tables_autochaincreate + vars: + warn_control_id: '3.4.3.4' + ansible.builtin.import_tasks: + file: warning_facts.yml + + - name: "3.4.3.4 | PATCH | Ensure nftables base chains exist | Create chains if needed" + when: + - rhel7cis_nft_tables_autochaincreate + ansible.builtin.shell: "{{ item }}" + failed_when: false + with_items: + - nft create chain inet "{{ rhel7cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel7cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel7cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + +- name: "3.4.3.5 | PATCH | Ensure nftables loopback traffic is configured" + when: + - rhel7cis_rule_3.4.3.5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.3.5 + - firewall + - nftables + - NIST800-53R5_CA-9 + block: + - name: "3.4.3.5 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_5_iiflo + + - name: "3.4.3.5 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_5_ipsaddr + + - name: "3.4.3.5 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_2_ip6saddr + + - name: "3.4.3.5 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" + when: + - '"iif \"lo\" accept" not in rhel7cis_3_4_3_5_iiflo.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input iif lo accept + + - name: "3.4.3.5 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" + when: + - '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel7cis_3_4_3_5_ipsaddr.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + + - name: "3.4.3.5 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" + when: + - '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel7cis_3_4_3_5_ip6saddr.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + +- name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured" + when: + - rhel7cis_rule_3_4_3_6 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_3.4.3.6 + - firewall + - nftables + - NIST800-53R5_CA-9 + block: + - name: "3.4.3.6 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_6_inconnectionrule + + - name: "3.4.3.6 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel7cis_3_4_3_6_outconnectionrule + + - name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" + when: + - '"ip protocol tcp ct state established accept" not in rhel7cis_3_4_3_6_inconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + + - name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" + when: + - '"ip protocol udp ct state established accept" not in rhel7cis_3_4_3_6_inconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + + - name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" + when: + - '"ip protocol icmp ct state established accept" not in rhel7cis_3_4_3_6_inconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + + - name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" + when: + - '"ip protocol tcp ct state established,related,new accept" not in rhel7cis_3_4_3_6_outconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + + - name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" + when: + - '"ip protocol udp ct state established,related,new accept" not in rhel7cis_3_4_3_6_outconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + + - name: "3.4.3.6 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" + when: + - '"ip protocol icmp ct state established,related,new accept" not in rhel7cis_3_4_3_6_outconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + +- name: "3.4.3.7 | PATCH | Ensure nftables default deny firewall policy" + when: + - rhel7cis_rule_3_4_3_7 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_3.4.3.7 + - firewall + - nftables + - NIST800-53R5_CA-9 + block: + - name: "3.4.3.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel7cis_3_4_3_7_inputpolicy + + - name: "3.4.3.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + changed_when: false + register: rhel7cis_3_4_3_7_forwardpolicy + + - name: "3.4.3.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" + ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel7cis_3_4_3_7_outputpolicy + + - name: "3.4.3.7 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel7cis_3_4_3_7_sshallowcheck + + - name: "3.4.3.7 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + when: + - '"tcp dport ssh accept" not in rhel7cis_3_4_3_7_sshallowcheck.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel7cis_nft_tables_tablename }}" input tcp dport ssh accept + + - name: "3.4.3.7 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + when: + - '"type filter hook input priority 0; policy drop;" not in rhel7cis_3_4_3_7_inputpolicy.stdout' + ansible.builtin.shell: nft chain inet "{{ rhel7cis_nft_tables_tablename }}" input { policy drop \; } + + - name: "3.4.3.7 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + when: + - '"type filter hook forward priority 0; policy drop;" not in rhel7cis_3_4_3_7_forwardpolicy.stdout' + ansible.builtin.shell: nft chain inet "{{ rhel7cis_nft_tables_tablename }}" forward { policy drop \; } + + - name: "3.4.3.7 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + when: + - '"type filter hook output priority 0; policy drop;" not in rhel7cis_3_4_3_7_outputpolicy.stdout' + ansible.builtin.shell: nft chain inet "{{ rhel7cis_nft_tables_tablename }}" output { policy drop \; } + +- name: "3.4.3.8 | PATCH | Ensure nftables service is enabled and active" + when: + - rhel7cis_rule_3_4_3_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.3.8 + - firewall + - nftables + - NIST800-53R5_CA-9 + ansible.builtin.systemd: + name: nftables + enabled: true + state: started + +- name: "3.4.3.9 | PATCH | Ensure nftables rules are permanent" + when: + - rhel7cis_rule_3_4_3_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.3.9 + - firewall + - nftables + ansible.builtin.lineinfile: + path: /etc/sysconfig/nftables.conf + state: present + insertafter: EOF + line: include "/etc/nftables/inet-{{ rhel7cis_nft_tables_tablename }}.rules" diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.4.1.x.yml new file mode 100644 index 00000000..65afe1ef --- /dev/null +++ b/tasks/section_3/cis_3.4.4.1.x.yml @@ -0,0 +1,22 @@ +--- + +- name: "3.4.4.1.1 | PATCH | Ensure iptables packages are installed" + when: + - rhel7cis_rule_3_4_4_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.4.4.1.1 + - firewall + - iptables + - NIST800-53R5_CA-9 + vars: + ansible_python_interpreter: /bin/python + ansible.builtin.package: + name: "{{ item }}" + state: present + with_items: + - iptables + - iptables-services diff --git a/tasks/section_3/cis_3.5.3.2.x.yml b/tasks/section_3/cis_3.4.4.2.x.yml similarity index 61% rename from tasks/section_3/cis_3.5.3.2.x.yml rename to tasks/section_3/cis_3.4.4.2.x.yml index adfb398b..92f9ee51 100644 --- a/tasks/section_3/cis_3.5.3.2.x.yml +++ b/tasks/section_3/cis_3.4.4.2.x.yml @@ -1,37 +1,47 @@ --- -- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" +- name: "3.4.4.2.1 | PATCH | Ensure iptables loopback traffic is configured" + when: + - rhel7cis_rule_3_4_4_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.4.4.2.1 + - iptables + - NIST800-53R5_CA-9 block: - - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" + - name: "3.4.4.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.4.4.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT - - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.4.4.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT source: 127.0.0.0/8 jump: DROP + +- name: "3.4.4.2.2 | PATCH | Ensure iptables outbound and established connections are configured" when: - - rhel7cis_rule_3_5_3_2_1 + - rhel7cis_rule_3_4_4_2_2 tags: - level1-server - level1-workstation - patch - - rule_3.5.3.2.1 + - rule_3.4.4.2.2 - iptables - -- name: "3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" + - NIST800-53R5_CA-9 ansible.builtin.iptables: action: append chain: '{{ item.chain }}' @@ -46,52 +56,61 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + +- name: "3.4.4.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: - - rhel7cis_rule_3_5_3_2_2 + - rhel7cis_rule_3_4_4_2_3 tags: - level1-server - level1-workstation - - patch - - rule_3.5.3.2.2 + - audit + - rule_3.4.4.2.3 - iptables - -- name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports" + - NIST800-53R5_CA-9 block: - - name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.command: ss -4tuln + - name: "3.4.4.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.shell: ss -4tuln changed_when: false failed_when: false check_mode: false - register: rhel7cis_3_5_3_2_3_open_ports + register: rhel7cis_3_4_4_2_3_open_ports - - name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.command: iptables -L INPUT -v -n + - name: "3.4.4.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" + ansible.builtin.shell: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: rhel7cis_3_5_3_2_3_current_rules + register: rhel7cis_3_4_4_2_3_current_rules - - name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" + - name: "3.4.4.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" ansible.builtin.debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ rhel7cis_3_5_3_2_3_open_ports.stdout_lines }}" + - "{{ rhel7cis_3_4_4_2_3_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ rhel7cis_3_5_3_2_3_current_rules.stdout_lines }}" + - "{{ rhel7cis_3_4_4_2_3_current_rules.stdout_lines }}" + + - name: "3.4.4.2.3 | WARN | Ensure iptables firewall rules exist for all open ports | Warn Count" + vars: + warn_control_id: '3.4.4.2.3' + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "3.4.4.2.4 | PATCH | Ensure iptables default deny firewall policy" when: - - rhel7cis_rule_3_5_3_2_3 + - rhel7cis_rule_3_4_4_2_4 + - not system_is_ec2 tags: - level1-server - level1-workstation - - audit - - rule_3.5.3.2.3 + - patch + - rule_3.4.4.2.4 - iptables - -- name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy" + - NIST800-53R5_CA-9 block: - - name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" + - name: "3.4.4.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" ansible.builtin.iptables: chain: INPUT protocol: tcp @@ -99,7 +118,7 @@ jump: ACCEPT ctstate: 'NEW,ESTABLISHED' - - name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" + - name: "3.4.4.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: chain: OUTPUT protocol: tcp @@ -107,13 +126,13 @@ jump: ACCEPT ctstate: 'NEW,ESTABLISHED' - - name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" + - name: "3.4.4.2.4 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" ansible.builtin.iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT - - name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + - name: "3.4.4.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" ansible.builtin.iptables: policy: DROP chain: "{{ item }}" @@ -121,47 +140,40 @@ - INPUT - FORWARD - OUTPUT + +- name: "3.4.4.2.5 | Ensure iptables rules are saved" when: - - rhel7cis_rule_3_5_3_2_4 - - not system_is_ec2 + - rhel7cis_save_iptables_cis_rules + - rhel7cis_rule_3_4_4_2_1 or + rhel7cis_rule_3_4_4_2_2 or + rhel7cis_rule_3_4_4_2_3 or + rhel7cis_rule_3_4_4_2_4 or + rhel7cis_rule_3_4_4_2_5 tags: - level1-server - level1-workstation - patch - - rule_3.5.3.2.4 + - rule_3.4.4.2.5 - iptables - -- name: "3.5.3.2.5 | Ensure iptables rules are saved " + - NIST800-53R5_CA-9 block: - - name: "3.5.3.2.5 | Ensure iptables rules are saved " + - name: "3.4.4.2.5 | Ensure iptables rules are saved " ansible.builtin.shell: service iptables save changed_when: rhel7cis_iptables_save.rc == 0 failed_when: rhel7cis_iptables_save.rc != 0 register: rhel7cis_iptables_save + +- name: "3.4.4.2.6 | Ensure iptables service is enabled and running" when: - - rhel7cis_save_iptables_cis_rules - - rhel7cis_rule_3_5_3_2_1 or - rhel7cis_rule_3_5_3_2_2 or - rhel7cis_rule_3_5_3_2_3 or - rhel7cis_rule_3_5_3_2_4 or - rhel7cis_rule_3_5_3_2_5 + - rhel7cis_rule_3_4_4_2_6 tags: - level1-server - level1-workstation - patch - - rule_3.5.3.2.5 + - rule_3.4.4.2.6 - iptables - -- name: "3.5.3.2.6 | Ensure iptables is enabled and running" + - NIST800-53R5_CA-9 ansible.builtin.service: name: iptables state: started enabled: true - when: - - rhel7cis_rule_3_5_3_2_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.2.6 - - iptables diff --git a/tasks/section_3/cis_3.5.3.3.x.yml b/tasks/section_3/cis_3.4.4.3.x.yml similarity index 62% rename from tasks/section_3/cis_3.5.3.3.x.yml rename to tasks/section_3/cis_3.4.4.3.x.yml index 7e8e35fa..bd970e0d 100644 --- a/tasks/section_3/cis_3.5.3.3.x.yml +++ b/tasks/section_3/cis_3.4.4.3.x.yml @@ -1,8 +1,18 @@ --- -- name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" +- name: "3.4.4.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" + when: + - rhel7cis_rule_3_4_4_3_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.4.4.3.1 + - iptables + - ip6tables + - NIST800-53R5_CA-9 block: - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" + - name: "3.4.4.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT @@ -10,7 +20,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.4.4.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: OUTPUT @@ -18,24 +28,25 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.4.4.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT source: ::1 jump: DROP ip_version: ipv6 + +- name: "3.4.4.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" when: - - rhel7cis_rule_3_5_3_3_1 + - rhel7cis_rule_3_4_4_3_2 tags: - level1-server - level1-workstation - patch - - rule_3.5.3.3.1 + - rule_3.4.4.3.2 - iptables - ip6tables - -- name: "3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" + - NIST800-53R5_CA-9 ansible.builtin.iptables: action: append chain: '{{ item.chain }}' @@ -51,54 +62,63 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + +- name: "3.4.4.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: - - rhel7cis_rule_3_5_3_3_2 + - rhel7cis_rule_3_4_4_3_3 tags: - level1-server - level1-workstation - - patch - - rule_3.5.3.3.2 + - audit + - rule_3.4.4.3.3 - iptables - ip6tables - -- name: "3.5.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" + - NIST800-53R5_CA-9 block: - - name: "3.5.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.command: ss -6tuln + - name: "3.4.4.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.shell: ss -6tuln changed_when: false failed_when: false check_mode: false - register: rhel7cis_3_5_3_3_3_open_ports + register: rhel7cis_3_4_4_3_3_open_ports - - name: "3.5.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.command: ip6tables -L INPUT -v -n + - name: "3.4.4.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" + ansible.builtin.shell: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: rhel7cis_3_5_3_3_3_current_rules + register: rhel7cis_3_4_4_3_3_current_rules - - name: "3.5.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" + - name: "3.4.4.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" ansible.builtin.debug: msg: - - "ALERT!!!!Below is the list the open ports and current rules" + - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ rhel7cis_3_5_3_3_3_open_ports.stdout_lines }}" + - "{{ rhel7cis_3_4_4_3_3_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ rhel7cis_3_5_3_3_3_current_rules.stdout_lines }}" + - "{{ rhel7cis_3_4_4_3_3_current_rules.stdout_lines }}" + + - name: "3.4.4.3.3 | WARN | Ensure ip6tables firewall rules exist for all open ports | Warn Count" + vars: + warn_control_id: '3.4.4.3.3' + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "3.4.4.3.4 | PATCH | Ensure ip6tables default deny firewall policy" when: - - rhel7cis_rule_3_5_3_3_3 + - rhel7cis_rule_3_4_4_3_4 + - not system_is_ec2 tags: - level1-server - level1-workstation - - audit - - rule_3.5.3.3.3 + - patch + - rule_3.4.4.3.4 - iptables - ip6tables - -- name: "3.5.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy" + - NIST800-53R5_CA-9 block: - - name: "3.5.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed in" + - name: "3.4.4.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed in" ansible.builtin.iptables: chain: INPUT protocol: tcp @@ -107,7 +127,7 @@ ctstate: 'NEW,ESTABLISHED' ip_version: ipv6 - - name: "3.5.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" + - name: "3.4.4.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: chain: OUTPUT protocol: tcp @@ -116,14 +136,14 @@ ctstate: 'NEW,ESTABLISHED' ip_version: ipv6 - - name: "3.5.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + - name: "3.4.4.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" ansible.builtin.iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + - name: "3.4.4.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" ansible.builtin.iptables: policy: DROP chain: "{{ item }}" @@ -132,50 +152,42 @@ - INPUT - FORWARD - OUTPUT + +- name: "3.4.4.3.5 | Ensure ip6tables rules are saved" when: - - rhel7cis_rule_3_5_3_3_4 - - not system_is_ec2 + - rhel7cis_save_ip6tables_cis_rules + - rhel7cis_rule_3_4_4_3_1 or + rhel7cis_rule_3_4_4_3_2 or + rhel7cis_rule_3_4_4_3_3 or + rhel7cis_rule_3_4_4_3_4 or + rhel7cis_rule_3_4_4_3_5 tags: - level1-server - level1-workstation - patch - - rule_3.5.3.3.4 + - rule_3.4.4.3.5 - iptables - ip6tables - -- name: "3.5.3.3.5 | Ensure ip6tables rules are saved " + - NIST800-53R5_CA-9 block: - - name: "3.5.3.3.5 | Ensure ip6tables rules are saved " + - name: "3.4.4.3.5 | Ensure ip6tables rules are saved " ansible.builtin.shell: service ip6tables save changed_when: rhel7cis_ip6tables_save.rc == 0 failed_when: rhel7cis_ip6tables_save.rc != 0 register: rhel7cis_ip6tables_save + +- name: "3.4.4.3.6 | Ensure ip6tables is enabled and running" when: - - rhel7cis_save_ip6tables_cis_rules - - rhel7cis_rule_3_5_3_3_1 or - rhel7cis_rule_3_5_3_3_2 or - rhel7cis_rule_3_5_3_3_3 or - rhel7cis_rule_3_5_3_3_4 or - rhel7cis_rule_3_5_3_3_5 + - rhel7cis_rule_3_4_4_3_6 tags: - level1-server - level1-workstation - patch - - rule_3.5.3.3.5 + - rule_3.4.4.3.6 - iptables - ip6tables - -- name: "3.5.3.3.6 | Ensure ip6tables is enabled and running" + - NIST800-53R5_CA-9 ansible.builtin.service: name: ip6tables state: started enabled: true - when: - - rhel7cis_rule_3_5_3_3_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.3.6 - - iptables - - ip6tables diff --git a/tasks/section_3/cis_3.4.x.yml b/tasks/section_3/cis_3.4.x.yml deleted file mode 100644 index 2d5cbae3..00000000 --- a/tasks/section_3/cis_3.4.x.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: "3.4.1 | PATCH | Ensure DCCP is disabled" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: true - owner: root - group: root - mode: 0600 - when: - - rhel7cis_rule_3_4_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.4.1 - -- name: "3.4.2 | PATCH | Ensure SCTP is disabled" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: true - owner: root - group: root - mode: 0600 - when: - - rhel7cis_rule_3_4_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.4.2 diff --git a/tasks/section_3/cis_3.5.1.x.yml b/tasks/section_3/cis_3.5.1.x.yml deleted file mode 100644 index c97c9058..00000000 --- a/tasks/section_3/cis_3.5.1.x.yml +++ /dev/null @@ -1,122 +0,0 @@ ---- - -- name: "3.5.1.1 | PATCH | Ensure FirewallD is installed" - ansible.builtin.package: - name: firewalld - state: present - vars: - ansible_python_interpreter: /bin/python - when: - - "'firewalld' not in ansible_facts.packages" - - rhel7cis_rule_3_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.1.1 - -- name: "3.5.1.2 | PATCH | Ensure iptables-services not installed with firewalld" - ansible.builtin.package: - name: iptables-services - state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - "'iptables-services' in ansible_facts.packages" - - rhel7cis_rule_3_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.1.2 - -- name: "3.5.1.3 | PATCH | Ensure iptables-services not installed with firewalld" - ansible.builtin.package: - name: nftables - state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - "'nftables' in ansible_facts.packages" - - rhel7cis_rule_3_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.1.3 - -- name: "3.5.1.4 | PATCH | Ensure firewalld service is enabled and running" - ansible.builtin.systemd: - name: firewalld - state: started - enabled: true - masked: false - when: - - rhel7cis_rule_3_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.1.4 - -- name: "3.5.1.5 | PATCH | Ensure firewalld default zone is set" - block: - - name: "3.5.1.5 | AUDIT | Ensure default zone is set" - ansible.builtin.command: firewall-cmd --get-default-zone - changed_when: false - check_mode: false - register: current_default_zone - - - name: "3.5.1.5 | PATCH | Ensure default zone is set" - ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel7cis_default_zone }}" - when: - - current_default_zone.stdout != rhel7cis_default_zone - when: - - rhel7cis_rule_3_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.1.5 - -- name: "3.5.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone" - block: - - name: "3.5.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies" - ansible.builtin.shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" - changed_when: false - check_mode: false - register: rhel7cis_3_5_1_6_interfacepolicy - - - name: "3.5.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies | Show the interface to policy" - ansible.builtin.debug: - msg: - - "The items below are the policies tied to the interfaces, please correct as needed" - - "{{ rhel7cis_3_5_1_6_interfacepolicy.stdout_lines }}" - when: - - rhel7cis_rule_3_5_1_6 - tags: - - level1-server - - level1-workstation - - audit - - rule_3.5.1.6 - -- name: "3.5.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports" - block: - - name: "3.5.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" - changed_when: false - check_mode: false - register: rhel7cis_3_5_1_7_servicesport - - - name: "3.5.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - ansible.builtin.debug: - msg: - - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel7cis_3_5_1_7_servicesport.stdout_lines }}" - when: - - rhel7cis_rule_3_5_1_7 - tags: - - level1-server - - level1-workstation - - audit - - rule_3.5.1.7 diff --git a/tasks/section_3/cis_3.5.2.x.yml b/tasks/section_3/cis_3.5.2.x.yml deleted file mode 100644 index 0e10deaa..00000000 --- a/tasks/section_3/cis_3.5.2.x.yml +++ /dev/null @@ -1,332 +0,0 @@ ---- - -- name: "3.5.2.1 | PATCH | Ensure nftables is installed" - ansible.builtin.package: - name: nftables - state: present - vars: - ansible_python_interpreter: /bin/python - when: - - "'nftables' not in ansible_facts.packages" - - rhel7cis_rule_3_5_2_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.1 - -- name: "3.5.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - ansible.builtin.package: - name: firewalld - state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - "'firewalld' in ansible_facts.packages" - - rhel7cis_rule_3_5_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.2 - -- name: "3.5.2.3 | PATCH | Ensure iptables-services not installed with nftables" - ansible.builtin.package: - name: iptables-services - state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - "'iptables-services' in ansible_facts.packages" - - rhel7cis_rule_3_5_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.3 - -- name: "3.5.2.4 | PATCH | Ensure iptables are flushed with nftables" - block: - - name: "3.5.2.4 | PATCH | Ensure iptables are flushed with nftables| Flush IPv4 tables" - ansible.builtin.command: iptables -F - - - name: "3.5.2.4 | PATCH | Ensure iptables are flushed with nftables | Flush IPv6 tables" - ansible.builtin.command: ip6tables -F - when: - - rhel7cis_ipv6_required - when: - - rhel7cis_firewall != "iptables" - - rhel7cis_rule_3_5_2_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.4 - -- name: "3.5.2.5 | PATCH | Ensure an nftables table exists" - block: - - name: "3.5.2.5 | AUDIT | Ensure an nftables table exists | Check for tables" - ansible.builtin.command: nft list tables - register: rhel7cis_3_5_2_5_nft_tables - - - name: "3.5.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables" - ansible.builtin.debug: - msg: - - "Below are the current nft tables, please review" - - "{{ rhel7cis_3_5_2_5_nft_tables.stdout_lines }}" - when: - - rhel7cis_3_5_2_5_nft_tables.stdout | length > 0 - - - name: "3.5.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" - ansible.builtin.debug: - msg: - - "WARNING!! You currently have no nft tables, please review your setup" - - 'Use the command "nft create table inet
" to create a new table' - when: - - rhel7cis_3_5_2_5_nft_tables.stdout | length == 0 - - not rhel7cis_nft_tables_autoNewTable - - - name: "3.5.2.5 | PATCH | Ensure an nftables table exists | Create table if needed" - ansible.builtin.command: nft create table inet "{{ rhel7cis_nft_tables_tableName }}" - failed_when: false - when: - - rhel7cis_nft_tables_autoNewTable - when: - - rhel7cis_rule_3_5_2_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.5 - -- name: "3.5.2.6 | PATCH | Ensure nftables base chains exist" - block: - - name: "3.5.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - ansible.builtin.shell: nft list ruleset | grep 'hook input' - register: rhel7cis_3_5_2_6_input_chains - - - name: "3.5.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - ansible.builtin.shell: nft list ruleset | grep 'hook forward' - register: rhel7cis_3_5_2_6_forward_chains - - - name: "3.5.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - ansible.builtin.shell: nft list ruleset | grep 'hook output' - register: rhel7cis_3_5_2_6_output_chains - - - name: "3.5.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review" - ansible.builtin.debug: - msg: - - "Below are the current INPUT chains" - - "{{ rhel7cis_3_5_2_6_input_chains.stdout_lines }}" - - "Below are the current FORWARD chains" - - "{{ rhel7cis_3_5_2_6_forward_chains.stdout_lines }}" - - "Below are teh current OUTPUT chains" - - "{{ rhel7cis_3_4_2_6_output_chains.stdout_lines }}" - when: - - not rhel7cis_nft_tables_autoChainCreate - - - name: "3.5.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" - ansible.builtin.command: "{{ item }}" - failed_when: false - with_items: - - nft create chain inet "{{ rhel7cis_nft_tables_tableName }}" input { type filter hook input priority 0 \; } - - nft create chain inet "{{ rhel7cis_nft_tables_tableName }}" forward { type filter hook forward priority 0 \; } - - nft create chain inet "{{ rhel7cis_nft_tables_tableName }}" output { type filter hook output priority 0 \; } - when: - - rhel7cis_nft_tables_autoChainCreate - when: - - rhel7cis_rule_3_5_2_6 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - patch - - rule_3.5.2.6 - -- name: "3.5.2.7 | PATCH | Ensure nftables loopback traffic is configured" - block: - - name: "3.5.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - changed_when: false - failed_when: false - register: rhel7cis_3_5_2_7_iiflo - - - name: "3.5.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - changed_when: false - failed_when: false - register: rhel7cis_3_5_2_7_ipsaddr - - - name: "3.5.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - changed_when: false - failed_when: false - register: rhel7cis_3_5_2_7_ip6saddr - - - name: "3.5.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input iif lo accept - when: - - '"iif \"lo\" accept" not in rhel7cis_3_5_2_7_iiflo.stdout' - - - name: "3.5.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip saddr 127.0.0.0/8 counter drop - when: - - '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel7cis_3_5_2_7_ipsaddr.stdout' - - - name: "3.5.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip6 saddr ::1 counter drop - when: - - '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel7cis_3_5_2_7_ip6saddr.stdout' - when: - - rhel7cis_rule_3.5.2.7 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.7 - -- name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured" - block: - - name: "3.5.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - changed_when: false - failed_when: false - register: rhel7cis_3_5_2_8_inconnectionrule - - - name: "3.5.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" - ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - changed_when: false - failed_when: false - register: rhel7cis_3_5_2_8_outconnectionrule - - - name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accpet policy" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip protocol tcp ct state established accept - become: true - when: - - '"ip protocol tcp ct state established accept" not in rhel7cis_3_5_2_8_inconnectionrule.stdout' - - - name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accpet policy" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip protocol udp ct state established accept - become: true - when: - - '"ip protocol udp ct state established accept" not in rhel7cis_3_5_2_8_inconnectionrule.stdout' - - - name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accpet policy" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip protocol icmp ct state established accept - become: true - when: - - '"ip protocol icmp ct state established accept" not in rhel7cis_3_5_2_8_inconnectionrule.stdout' - - - name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accpet policy" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" output ip protocol tcp ct state new,related,established accept - become: true - when: - - '"ip protocol tcp ct state established,related,new accept" not in rhel7cis_3_5_2_8_outconnectionrule.stdout' - - - name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accpet policy" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" output ip protocol udp ct state new,related,established accept - become: true - when: - - '"ip protocol udp ct state established,related,new accept" not in rhel7cis_3_5_2_8_outconnectionrule.stdout' - - - name: "3.5.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accpet policy" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" output ip protocol icmp ct state new,related,established accept - become: true - when: - - '"ip protocol icmp ct state established,related,new accept" not in rhel7cis_3_5_2_8_outconnectionrule.stdout' - when: - - rhel7cis_rule_3_5_2_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.8 - -- name: "3.5.2.9 | PATCH | Ensure nftables default deny firewall policy" - block: - - name: "3.5.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tableName }}" | grep 'hook input' - become: true - failed_when: false - changed_when: false - register: rhel7cis_3_5_2_9_inputpolicy - - - name: "3.5.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tableName }}" | grep 'hook forward' - become: true - failed_when: false - changed_when: false - register: rhel7cis_3_5_2_9_forwardpolicy - - - name: "3.5.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tableName }}" | grep 'hook output' - become: true - failed_when: false - changed_when: false - register: rhel7cis_3_5_2_9_outputpolicy - - - name: "3.5.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - ansible.builtin.shell: nft list table inet "{{ rhel7cis_nft_tables_tableName }}" | grep 'ssh' - become: true - failed_when: false - changed_when: false - register: rhel7cis_3_5_2_9_sshallowcheck - - - name: "3.5.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - ansible.builtin.command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input tcp dport ssh accept - become: true - when: - - '"tcp dport ssh accept" not in rhel7cis_3_5_2_9_sshallowcheck.stdout' - - - name: "3.5.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - ansible.builtin.command: nft chain inet "{{ rhel7cis_nft_tables_tableName }}" input { policy drop \; } - become: true - when: - - '"type filter hook input priority 0; policy drop;" not in rhel7cis_3_5_2_9_inputpolicy.stdout' - - - name: "3.5.2.9 | PATCH | EEnsure nftables default deny firewall policy | Create hook forward deny policy" - ansible.builtin.command: nft chain inet "{{ rhel7cis_nft_tables_tableName }}" forward { policy drop \; } - become: true - when: - - '"type filter hook forward priority 0; policy drop;" not in rhel7cis_3_5_2_9_forwardpolicy.stdout' - - - name: "3.5.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - ansible.builtin.command: nft chain inet "{{ rhel7cis_nft_tables_tableName }}" output { policy drop \; } - become: true - when: - - '"type filter hook output priority 0; policy drop;" not in rhel7cis_3_5_2_9_outputpolicy.stdout' - when: - - rhel7cis_rule_3_5_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.9 - -- name: "3.5.2.10 | PATCH | Ensure nftables service is enabled" - ansible.builtin.systemd: - name: nftables - enabled: true - become: true - when: - - rhel7cis_rule_3_5_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.10 - -- name: "3.5.2.11 | PATCH | Ensure nftables rules are permanent" - ansible.builtin.lineinfile: - path: /etc/sysconfig/nftables.conf - state: present - insertafter: EOF - line: include "/etc/nftables/inet-{{ rhel7cis_nft_tables_tableName }}" - become: true - when: - - rhel7cis_rule_3_5_2_11 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.2.11 diff --git a/tasks/section_3/cis_3.5.3.1.x.yml b/tasks/section_3/cis_3.5.3.1.x.yml deleted file mode 100644 index e458a54e..00000000 --- a/tasks/section_3/cis_3.5.3.1.x.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- - -- name: "3.5.3.1.1 | PATCH | Ensure iptables packages are installed" - ansible.builtin.package: - name: "{{ item }}" - state: present - loop: - - iptables - - iptables-services - vars: - ansible_python_interpreter: /bin/python - when: - - "'iptables' not in ansible_facts.packages or - 'iptables-services' not in ansible_facts.packages" - - rhel7cis_rule_3_5_3_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.1.1 - -- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - ansible.builtin.package: - name: nftables - state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - "'nftables' in ansible_facts.packages" - - rhel7cis_rule_3_5_3_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.1.2 - -- name: "3.5.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" - ansible.builtin.package: - name: firewalld - state: absent - vars: - ansible_python_interpreter: /bin/python - when: - - "'firewalld' in ansible_facts.packages" - - rhel7cis_rule_3_5_3_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.1.3 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 9f073ae1..545f338d 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,56 +1,48 @@ --- -- name: "SECTION | 3.1 | Disable unused network protocols and devices" +- name: "SECTION | 3.1.x | Disable unused network protocols and devices" ansible.builtin.import_tasks: file: cis_3.1.x.yml -- name: "SECTION | 3.2 | Network Parameters (Host Only)" +- name: "SECTION | 3.2 | Network Kernel modules (Host Only)" ansible.builtin.import_tasks: file: cis_3.2.x.yml -- name: "SECTION | 3.3 | Network Parameters (Host and Router)" +- name: "SECTION | 3.3 | Network Kernel Parameters (Host and Router)" ansible.builtin.import_tasks: file: cis_3.3.x.yml -- name: "SECTION | 3.4 | Uncommon Network Protocols" +- name: "SECTION | 3.4.1 | Configure host based firewall" ansible.builtin.import_tasks: - file: cis_3.4.x.yml + file: cis_3.4.1.x.yml -- name: "SECTION | 3.5.1 | Configure firewalld" - ansible.builtin.import_tasks: - file: cis_3.5.1.x.yml +- name: "SECTION | 3.4.2 | Configure firewalld" when: - - rhel7cis_firewall == "firewalld" - tags: - - firewalld - -- name: "SECTION | 3.5.2 | Configure nftables" + - rhel7cis_system_firewall == "firewalld" ansible.builtin.import_tasks: - file: cis_3.5.2.x.yml + file: cis_3.4.2.x.yml + +- name: "SECTION | 3.4.3 | Configure nftables" when: - - rhel7cis_firewall == "nftables" - tags: - - nftables - -- name: "SECTION | 3.5.3.x.x | Configure iptables" - block: - - name: "SECTION | 3.5.3.1.x | Configure iptables" - ansible.builtin.import_tasks: - file: cis_3.5.3.1.x.yml - - name: "SECTION | 3.5.3.2.x | Configure iptables" - ansible.builtin.import_tasks: - file: cis_3.5.3.2.x.yml + - rhel7cis_system_firewall == "nftables" + ansible.builtin.import_tasks: + file: cis_3.4.3.x.yml + +- name: "SECTION | 3.4.4.1.x | Configure iptables software" when: - - rhel7cis_firewall == "iptables" - tags: - - iptables + - rhel7cis_system_firewall == "iptables" + ansible.builtin.import_tasks: + file: cis_3.4.4.1.x.yml -- name: "SECTION | 3.5.3.3.x | Configure ip6tables" +- name: "SECTION | 3.4.4.2.x | Configure iptables" + when: + - rhel7cis_system_firewall == "iptables" ansible.builtin.import_tasks: - file: cis_3.5.3.3.x.yml + file: cis_3.4.4.2.x.yml + +- name: "SECTION | 3.4.4.3.x | Configure ip6tables" when: - - not rhel7cis_ipv6_required - - rhel7cis_firewall == "iptables" - tags: - - iptables - - ip6tables + - rhel7cis_system_firewall == "iptables" + - rhel7cis_ipv6_required + ansible.builtin.import_tasks: + file: cis_3.4.4.3.x.yml diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml deleted file mode 100644 index c0d4027d..00000000 --- a/tasks/section_4/cis_4.1.1.x.yml +++ /dev/null @@ -1,49 +0,0 @@ ---- -- name: "4.1.1.1 | PATCH | Ensure auditd is installed" - ansible.builtin.package: - name: ['audit', 'audit-libs'] - state: present - vars: - ansible_python_interpreter: /bin/python - when: - - rhel7cis_rule_4_1_1_1 - notify: restart auditd - tags: - - level2-server - - level2-workstation - - auditd - - rule_4.1.1.1 - -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled and running" - ansible.builtin.service: - name: auditd - state: started - enabled: true - when: - - not rhel7cis_skip_for_travis - - rhel7cis_rule_4_1_1_2 - - ansible_connection != 'docker' - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.1.2 - -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: ^(GRUB_CMDLINE_LINUX=)(?:")(?!.*audit=1)(.+)(?:")$ - replace: '\1"\2 audit=1"' - register: audit_grub - notify: - - grub2cfg - - reboot_required - when: - - rhel7cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.1.3 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml deleted file mode 100644 index 03db64c4..00000000 --- a/tasks/section_4/cis_4.1.2.x.yml +++ /dev/null @@ -1,369 +0,0 @@ ---- - -- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - ansible.builtin.lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^max_log_file( |=)" - line: "max_log_file = 10" - state: present - notify: restart auditd - when: - - rhel7cis_rule_4_1_2_1 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.2.1 - -- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - ansible.builtin.lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^max_log_file_action" - line: "max_log_file_action = {{ rhel7cis_auditd['max_log_file_action'] }}" - state: present - notify: restart auditd - when: - - rhel7cis_rule_4_1_2_2 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.2.2 - -- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - ansible.builtin.lineinfile: - dest: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - with_items: - - { regexp: '^space_left_action', line: "space_left_action = {{ rhel7cis_auditd['space_left_action'] }}" } - - { regexp: '^action_mail_acct', line: "action_mail_acct = {{ rhel7cis_auditd['action_mail_acct'] }}" } - - { regexp: '^admin_space_left_action', line: "admin_space_left_action = {{ rhel7cis_auditd['admin_space_left_action'] }}" } - notify: restart auditd - when: - - rhel7cis_rule_4_1_2_3 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.2.3 - -- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.2.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Grep GRUB_CMDLINE_LINUX parameter" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: rhel7cis_4_1_2_4_grub_cmdline_linux_settings - - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if not configured" - ansible.builtin.lineinfile: - dest: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel7cis_4_1_2_4_grub_cmdline_linux_settings.stdout }} audit_backlog_limit={{ rhel7cis_audit_backlog_limit }}"' - register: grub_backup_new - notify: grub2cfg - when: '"audit_backlog_limit" not in rhel7cis_4_1_2_4_grub_cmdline_linux_settings.stdout' - - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Adjust audit_backlog_limit if exists" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([^\D]+)' - replace: 'audit_backlog_limit={{ rhel7cis_audit_backlog_limit }}' - register: grub_backup_updated - notify: grub2cfg - when: '"audit_backlog_limit" in rhel7cis_4_1_2_4_grub_cmdline_linux_settings.stdout' - - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient" - ansible.builtin.set_fact: - change_requires_reboot: true - when: - - grub_backup_updated.changed or - grub_backup_new.changed - - when: - - rhel7cis_rule_4_1_2_4 - tags: - - level2-server - - level2-workstation - - grub - - patch - - rule_4.1.2.4 - -- name: "4.1.3 | PATCH | Ensure events that modify date and time information are collected" - ansible.builtin.template: - src: audit/time_change.rules.j2 - dest: /etc/audit/rules.d/time_change.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_3 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.3 - -- name: "4.1.4 | PATCH | Ensure events that modify user/group information are collected" - ansible.builtin.template: - src: audit/identity.rules.j2 - dest: /etc/audit/rules.d/identity.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_4 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.4 - -- name: "4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" - ansible.builtin.template: - src: audit/system_local.rules.j2 - dest: /etc/audit/rules.d/system_local.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_5 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.5 - -- name: "4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - ansible.builtin.template: - src: audit/MAC_policy.rules.j2 - dest: /etc/audit/rules.d/MAC_policy.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_6 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.6 - -- name: "4.1.7 | PATCH | Ensure login and logout events are collected" - block: - - name: "4.1.7 | AUDIT | Ensure login and logout events are collected | Check for pam_fallock or pam_tally2" - ansible.builtin.shell: grep pam_tally2.so /etc/pam.d/system-auth /etc/pam.d/password-auth - changed_when: false - failed_when: false - register: rhel7cis_4_1_7_tally2_check - tags: - - skip_ansible_lint - - - name: "4.1.7 | PATCH | Ensure login and logout events are collected | Set login and logout events" - ansible.builtin.template: - src: audit/logins.rules.j2 - dest: /etc/audit/rules.d/logins.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_7 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.7 - -- name: "4.1.8 | PATCH | Ensure session initiation information is collected" - ansible.builtin.template: - src: audit/session.rules.j2 - dest: /etc/audit/rules.d/session.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_8 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.8 - -- name: "4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" - ansible.builtin.template: - src: audit/perm_mod.rules.j2 - dest: /etc/audit/rules.d/perm_mod.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_9 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.9 - -- name: "4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - ansible.builtin.template: - src: audit/access.rules.j2 - dest: /etc/audit/rules.d/access.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_10 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.10 - -- name: "4.1.11 | PATCH | Ensure use of privileged commands is collected" - block: - - name: "4.1.11 | AUDIT | Ensure use of privileged commands is collected" - ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs - changed_when: false - check_mode: false - - - name: "4.1.11 | PATCH | Ensure use of privileged commands is collected" - ansible.builtin.template: - src: audit/priv_commands.rules.j2 - dest: /etc/audit/rules.d/priv_commands.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_11 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.11 - -- name: "4.1.12 | PATCH | Ensure successful file system mounts are collected" - ansible.builtin.template: - src: audit/mounts.rules.j2 - dest: /etc/audit/rules.d/mounts.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_12 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.12 - -- name: "4.1.13 | PATCH | Ensure file deletion events by users are collected" - ansible.builtin.template: - src: audit/deletion.rules.j2 - dest: /etc/audit/rules.d/deletion.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.13 - -- name: "4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - ansible.builtin.template: - src: audit/scope.rules.j2 - dest: /etc/audit/rules.d/scope.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_14 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.14 - -- name: "4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" - ansible.builtin.template: - src: audit/actions.rules.j2 - dest: /etc/audit/rules.d/actions.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_15 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.15 - -- name: "4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" - ansible.builtin.template: - src: audit/modules.rules.j2 - dest: /etc/audit/rules.d/modules.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_16 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.16 - -- name: "4.1.17 | PATCH | Ensure the audit configuration is immutable" - ansible.builtin.template: - src: audit/99_finalize.rules.j2 - dest: /etc/audit/rules.d/99_finalize.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - rhel7cis_rule_4_1_17 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.17 diff --git a/tasks/section_4/cis_4.1.x.x.yml b/tasks/section_4/cis_4.1.x.x.yml new file mode 100644 index 00000000..45f54176 --- /dev/null +++ b/tasks/section_4/cis_4.1.x.x.yml @@ -0,0 +1,202 @@ +--- + +- name: "4.1.1.1 | PATCH | Ensure cron daemon is enabled and active" + when: + - rhel7cis_rule_4_1_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.1 + - cron + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.service: + name: crond + state: started + enabled: true + +- name: "4.1.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" + when: + - rhel7cis_rule_4_1_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.2 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/crontab + owner: root + group: root + mode: '0600' + +- name: "4.1.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" + when: + - rhel7cis_rule_4_1_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.3 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.hourly + state: directory + owner: root + group: root + mode: '0700' + +- name: "4.1.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" + when: + - rhel7cis_rule_4_1_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.4 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.daily + state: directory + owner: root + group: root + mode: '0700' + +- name: "4.1.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" + when: + - rhel7cis_rule_4_1_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.1.5 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.weekly + state: directory + owner: root + group: root + mode: '0700' + +- name: "4.1.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" + when: + - rhel7cis_rule_4_1_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.6 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.monthly + state: directory + owner: root + group: root + mode: '0700' + +- name: "4.1.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" + when: + - rhel7cis_rule_4_1_1_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.7 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.d + state: directory + owner: root + group: root + mode: '0700' + +- name: "4.1.1.8 | PATCH | Ensure cron is restricted to authorized users" + when: + - rhel7cis_rule_4_1_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.1.8 + - permissions + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "4.1.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" + ansible.builtin.file: + path: /etc/cron.deny + state: absent + + - name: "4.1.1.8 | AUDIT | Ensure cron is restricted to authorized users | Check if cron.allow exists" + ansible.builtin.stat: + path: "/etc/cron.allow" + register: rhel7cis_4_1_1_8_p + + - name: "4.1.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" + ansible.builtin.file: + path: /etc/cron.allow + state: '{{ "file" if rhel7cis_4_1_1_8_p.stat.exists else "touch" }}' + owner: root + group: root + mode: '0600' + +- name: "4.1.2.1 | PATCH | Ensure at is restricted to authorized users" + when: + - rhel7cis_rule_4_1_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.1.2.1 + - at + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "4.1.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" + ansible.builtin.file: + path: /etc/at.deny + state: absent + + - name: "4.1.2.1 | AUDIT | Ensure at is restricted to authorized users | Check if at.allow exists" + ansible.builtin.stat: + path: "/etc/at.allow" + register: rhel7cis_4_1_1_9_p + + - name: "4.1.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" + ansible.builtin.file: + dest: /etc/at.allow + state: '{{ "file" if rhel7cis_4_1_1_9_p.stat.exists else "touch" }}' + owner: root + group: root + mode: '0600' diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml deleted file mode 100644 index d3e26894..00000000 --- a/tasks/section_4/cis_4.2.1.x.yml +++ /dev/null @@ -1,177 +0,0 @@ ---- - -- name: "4.2.1.1 | PATCH | Ensure rsyslog is installed" - ansible.builtin.package: - name: "{{ rhel7cis_syslog }}" - state: present - vars: - ansible_python_interpreter: /bin/python - when: - - rhel7cis_rule_4_2_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.1 - -- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled and running" - ansible.builtin.service: - name: rsyslog - enabled: true - state: started - when: - - rhel7cis_rule_4_2_1_2 - - rhel7cis_syslog == 'rsyslog' - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.2 - -- name: "4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured" - ansible.builtin.lineinfile: - dest: /etc/rsyslog.conf - regexp: '^\$FileCreateMode' - line: '$FileCreateMode 0640' - notify: restart rsyslog - when: - - rhel7cis_rule_4_2_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.3 - -- name: "4.2.1.4 | PATCH | Ensure logging is configured" - block: - - name: "4.2.1.4 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.shell: cat /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_07_4_2_1_4_audit - - - name: "4.2.1.4 | PATCH | Ensure logging is configured | Debug out rsyslog settings" - ansible.builtin.debug: - msg: - - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_07_4_2_1_4_audit.stdout_lines }}" - when: - - not rhel7cis_rsyslog_ansiblemanaged - - - name: "4.2.1.4 | PATCH | Ensure logging is configured | Set logging settings lineinfile" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - state: present - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: '^[# ]*{{ item.insertafter }}\s*=\s*' - with_items: - - { regexp: '^\*\.emerg(.*)$', line: '*.emerg :omusrmsg:*', insertafter: '# Everybody gets emergency messages' } - - { regexp: '^authpriv(.*)$', line: 'auth,authpriv.* /var/log/secure', insertafter: '# # The authpriv file has restricted access.' } - - { regexp: '^mail\.\*(.*)$', line: 'mail.* -/var/log/mail', insertafter: '# Log all the mail messages in one place.' } - - { regexp: '^mail.info(.*)$', line: 'mail.info -/var/log/mail.info', insertafter: '# Log all the mail messages in one place.' } - - { regexp: '^mail.warning(.*)$', line: 'mail.warning -/var/log/mail.warning', insertafter: '# Log all the mail messages in one place.' } - - { regexp: '^mail.err(.*)$', line: 'mail.err /var/log/mail.err', insertafter: '# Log all the mail messages in one place.' } - - { regexp: '^news.crit(.*)$', line: 'news.crit -/var/log/news/news.crit', insertafter: '# Save news errors of level crit and higher in a special file.' } - - { regexp: '^news.err(.*)$', line: 'news.err -/var/log/news/news.err', insertafter: '# Save news errors of level crit and higher in a special file.' } - - { regexp: '^news.notice(.*)$', line: 'news.notice -/var/log/news/news.notice', insertafter: '# Save news errors of level crit and higher in a special file.' } - loop_control: - label: "{{ item.regexp }}" - notify: restart rsyslog - when: - - rhel7cis_rsyslog_ansiblemanaged - - - name: "4.2.1.4 | PATCH | Ensure logging is configured | Misc. log setting" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)" - block: | - # misc. logging additions to meet CIS standards - *.=warning;*.=err -/var/log/warn - *.crit /var/log/warn - *.*;mail.none;news.none /var/log/messages - insertafter: '#### RULES ####' - notify: restart rsyslog - when: - - rhel7cis_rsyslog_ansiblemanaged - - - name: "4.2.1.4 | PATCH | Ensure logging is configured | Local log settings" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" - block: | - # local log settings - local0,local1.* -/var/log/localmessages - local2,local3.* -/var/log/localmessages - local4,local5.* -/var/log/localmessages - local6,local7.* -/var/log/localmessages - insertafter: '#### RULES ####' - notify: restart rsyslog - when: - - rhel7cis_rule_4_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.4 - -- name: "4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - block: | - # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @@{{ rhel7cis_remote_log_server }} - insertafter: EOF - notify: restart rsyslog - register: result - failed_when: - - result is failed - - result.rc != 257 - when: - - rhel7cis_rule_4_2_1_5 - - rhel7cis_remote_log_server is defined - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.5 - - rsyslog - -- name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." - block: - - name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When not log host" - ansible.builtin.replace: - path: /etc/rsyslog.conf - regexp: '({{ item }})' - replace: '#\1' - with_items: - - '^(\$ModLoad imtcp)' - - '^(\$InputTCPServerRun)' - notify: restart rsyslog - when: - - not rhel7cis_system_is_log_server - - - name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host" - ansible.builtin.replace: - path: /etc/rsyslog.conf - regexp: '^#(.*{{ item }}.*)' - replace: '\1' - with_items: - - 'ModLoad imtcp' - - 'InputTCPServerRun' - notify: restart rsyslog - when: - - rhel7cis_system_is_log_server - when: - - rhel7cis_rule_4_2_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.6 - - rsyslog diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml deleted file mode 100644 index ce195a62..00000000 --- a/tasks/section_4/cis_4.2.2.x.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- - -- name: "4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^[F|f]orward[T|t]o[S|s]yslog=' - line: "ForwardToSyslog=yes" - when: - - rhel7cis_rule_4_2_2_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.1 - - journald - -- name: "4.2.2.2 | PATCH | Ensure journald is configured to compress large log files" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^[C|c]ompress=' - line: "Compress=yes" - when: - - rhel7cis_rule_4_2_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.2 - - journald - -- name: "4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^[S|s]torage=' - line: "Storage=persistent" - when: - - rhel7cis_rule_4_2_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.3 - - journald diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index beea9ede..058463ac 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -1,35 +1,520 @@ --- -- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - ansible.builtin.command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - changed_when: false - failed_when: false +- name: "4.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + ansible.builtin.file: + path: /etc/ssh/sshd_config + state: file + owner: root + group: root + mode: '0600' + when: + - rhel7cis_rule_4_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1 + - ssh + - permissions + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + +- name: "4.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" + when: + - rhel7cis_rule_4_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.2 + - ssh + - permissions + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "4.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | find keys" + ansible.builtin.find: + paths: /etc/ssh + patterns: 'ssh_host_*_key' + recurse: true + file_type: any + register: rhel7cis_4_2_2_priv_ssh_key_results + + - name: "4.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set keys permissions" + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + group: root + mode: '0600' + with_items: + - "{{ rhel7cis_4_2_2_priv_ssh_key_results.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "4.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" when: - rhel7cis_rule_4_2_3 tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.3 - -- name: "4.2.4 | AUDIT | Ensure logrotate is configured" + - ssh + - permissions + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - - name: "4.2.4 | AUDIT | Ensure logrotate is configured" + - name: "4.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured" ansible.builtin.find: - paths: /etc/logrotate.d/ - register: log_rotate + paths: /etc/ssh + patterns: 'ssh_host_*_key' + recurse: true + file_type: any + register: rhel7cis_4_2_3_pub_ssh_key_results + + - name: "4.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured" + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + group: root + mode: '0600' + with_items: + - "{{ rhel7cis_4_2_3_pub_ssh_key_results.files }}" + loop_control: + label: "{{ item.path }}" - - name: "4.2.4 | AUDIT | Ensure logrotate is configured | output list" - ansible.builtin.debug: - msg: - - WARNING!! The following files need to confirm with site requirements - - /etc/logrotate.conf - - "{{ log_rotate.files | map(attribute='path') | list }}" - when: log_rotate.matched > 0 +- name: "4.2.4 | PATCH | Ensure sshd access is configured" when: - rhel7cis_rule_4_2_4 tags: - level1-server - level1-workstation - - audit + - automated + - patch - rule_4.2.4 + - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "4.2.4 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^AllowUsers" + line: AllowUsers {{ rhel7cis_sshd['allowusers'] }} + validate: 'sshd -t -f %s' + notify: Restart_sshd + when: "rhel7cis_sshd['allowusers']| default('') | length > 0" + + - name: "4.2.4 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^AllowGroups" + line: AllowGroups {{ rhel7cis_sshd['allowgroups'] }} + validate: 'sshd -t -f %s' + notify: Restart_sshd + when: "rhel7cis_sshd['allowgroups']| default('') | length > 0" + + - name: "4.2.4 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^DenyUsers" + line: DenyUsers {{ rhel7cis_sshd['denyusers'] }} + validate: 'sshd -t -f %s' + notify: Restart_sshd + when: "rhel7cis_sshd['denyusers']| default('') | length > 0" + + - name: "4.2.4 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^DenyGroups" + line: DenyGroups {{ rhel7cis_sshd['denygroups'] }} + validate: 'sshd -t -f %s' + notify: Restart_sshd + when: "rhel7cis_sshd['denygroups']| default('') | length > 0" + +- name: "4.2.5 | PATCH | Ensure SSH banner is configured" + when: + - rhel7cis_rule_4_2_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.5 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Banner' + line: 'Banner /etc/issue.net' + validate: 'sshd -t -f %s' + +- name: "4.2.6 | PATCH | Ensure only strong Ciphers are used" + when: + - rhel7cis_rule_4_2_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.6 + - ssh + - NIST800-53R5_SC-8 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Cipherss' + line: "Ciphers {{ rhel7cis_sshd['ciphers'] }}" + validate: 'sshd -t -f %s' + +- name: "4.2.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" + when: + - rhel7cis_rule_4_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.7 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "4.2.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^ClientAliveInterval' + line: "ClientAliveInterval {{ rhel7cis_sshd['clientaliveinterval'] }}" + validate: 'sshd -t -f %s' + notify: Restart_sshd + + - name: "4.2.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^ClientAliveCountMax' + line: "ClientAliveCountMax {{ rhel7cis_sshd['clientalivecountmax'] }}" + validate: 'sshd -t -f %s' + notify: Restart_sshd + +- name: "4.2.8 | PATCH | Ensure sshd DisableForwarding is enabled" + when: + - rhel7cis_rule_4_2_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.8 + - ssh + - NIST800-53R5_CM-7 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*disableforwarding + line: 'DisableForwarding yes' + validate: 'sshd -t -f %s' + +- name: "4.2.9 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" + when: + - rhel7cis_rule_4_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.9 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*gssapiauthentication + line: 'GSSAPIAuthentication no' + validate: 'sshd -t -f %s' + +- name: "4.2.10 | PATCH | Ensure sshd HostbasedAuthentication is disabled" + when: + - rhel7cis_rule_4_2_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.10 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*HostbasedAuthentication + line: 'HostbasedAuthentication no' + validate: 'sshd -t -f %s' + +- name: "4.2.11 | PATCH | Ensure sshd IgnoreRhosts is enabled" + when: + - rhel7cis_rule_4_2_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.11 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*IgnoreRhosts + line: 'IgnoreRhosts yes' + validate: 'sshd -t -f %s' + +- name: "4.2.12 | PATCH | Ensure only strong Key Exchange algorithms are used" + when: + - rhel7cis_rule_4_2_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.12 + - ssh + - NIST800-53R5_SC-8 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^KexAlgorithms' + line: "KexAlgorithms {{ rhel7cis_sshd['kex'] }}" + validate: 'sshd -t -f %s' + +- name: "4.2.13 | PATCH | Ensure sshd LoginGraceTime is configured" + when: + - rhel7cis_rule_4_2_13 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.13 + - ssh + - NIST800-53R5_CM-6 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*LoginGraceTime + line: "LoginGraceTime {{ rhel7cis_sshd['logingracetime'] }}" + validate: 'sshd -t -f %s' + +- name: "4.2.14 | PATCH | Ensure SSH LogLevel is configured" + when: + - rhel7cis_rule_4_2_14 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.14 + - ssh + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*LogLevel + line: 'LogLevel {{ rhel7cis_ssh_loglevel }}' + validate: 'sshd -t -f %s' + +- name: "4.2.15 | PATCH | Ensure sshd MACs are configured" + when: + - rhel7cis_rule_4_2_15 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.15 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MACs' + line: "MACs {{ rhel7cis_sshd['macs'] }}" + validate: 'sshd -t -f %s' + +- name: "4.2.16 | PATCH | Ensure sshd MaxAuthTries is configured" + when: + - rhel7cis_rule_4_2_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.16 + - ssh + - NIST800-53R5_AU-3 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*maxauthtries + line: 'MaxAuthTries {{ rhel7cis_ssh_maxauthtries }}' + validate: 'sshd -t -f %s' + +- name: "4.2.17 | PATCH | Ensure sshd MaxSessions is configured" + when: + - rhel7cis_rule_4_2_17 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.17 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*MaxSessions + line: 'MaxSessions {{ rhel7cis_ssh_maxsessions }}' + validate: 'sshd -t -f %s' + +- name: "4.2.18 | PATCH | Ensure SSH MaxStartups is configured" + when: + - rhel7cis_rule_4_2_18 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.18 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*MaxStartups + line: 'MaxStartups 10:30:60' + validate: 'sshd -t -f %s' + +- name: "4.2.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled" + when: + - rhel7cis_rule_4_2_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.19 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*PermitEmptyPasswords + line: 'PermitEmptyPasswords no' + validate: 'sshd -t -f %s' + +- name: "4.2.20 | PATCH | Ensure sshd PermitRootLogin is disabled" + when: + - rhel7cis_rule_4_2_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.20 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*PermitRootLogin + line: 'PermitRootLogin no' + validate: 'sshd -t -f %s' + +- name: "4.2.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled" + when: + - rhel7cis_rule_4_2_21 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.21 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*PermitUserEnvironment + line: 'PermitUserEnvironment no' + validate: 'sshd -t -f %s' + +- name: "4.2.22 | PATCH | Ensure sshd UsePAM is enabled" + when: + - rhel7cis_rule_4_2_22 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.22 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + notify: Restart_sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: ^(?i)(#|)\s*UsePAM + line: 'UsePAM yes' + validate: 'sshd -t -f %s' diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml new file mode 100644 index 00000000..6ee90e43 --- /dev/null +++ b/tasks/section_4/cis_4.3.x.yml @@ -0,0 +1,153 @@ +--- + +- name: "4.3.1 | PATCH | Ensure sudo is installed" + when: + - rhel7cis_rule_4_3_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.3.1 + - sudo + - NIST800-53R5_AC-6 + ansible.builtin.package: + name: sudo + state: present + +- name: "4.3.2 | PATCH | Ensure sudo commands use pty" + when: + - rhel7cis_rule_4_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.3.2 + - sudo + - NIST800-53R5_AC-6 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: ^Defaults\s+use_pty + line: "Defaults use_pty" + validate: '/usr/sbin/visudo -cf %s' + +- name: "4.3.3 | PATCH | Ensure sudo log file exists" + when: + - rhel7cis_rule_4_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.3.3 + - sudo + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^Defaults\s+logfile=' + line: 'Defaults logfile="{{ rhel7cis_sudolog_location }}"' + validate: '/usr/sbin/visudo -cf %s' + +- name: "4.3.4 | PATCH | Ensure users must provide password for escalation" + when: + - rhel7cis_rule_4_3_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - sudo + - rule_4.3.4 + - NIST800-53R5_AC-6 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ discovered_sudoers_files.stdout_lines }}" + +- name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" + when: + - rhel7cis_rule_4_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_4.3.5 + - NIST800-53R5_AC-6 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ discovered_sudoers_files.stdout_lines }}" + +- name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" + when: + - rhel7cis_rule_4_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_4.3.6 + block: + - name: "4.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: rhel7cis_4_3_6_timeout_files + + - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: rhel7cis_4_3_6_timeout_files.stdout | length == 0 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: 'Defaults\s+timestamp_timeout=' + line: "Defaults timestamp_timeout={{ rhel7cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + + - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: rhel7cis_4_3_6_timeout_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ rhel7cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ rhel7cis_4_3_6_timeout_files.stdout_lines }}" + +- name: "4.3.7 | PATCH | Ensure access to the su command is restricted" + when: + - rhel7cis_rule_4_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_4.3.7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" + ansible.builtin.group: + name: "{{ rhel7cis_sugroup }}" + state: present + register: rhel7cis_4_3_7_sugroup + + - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group" + ansible.builtin.lineinfile: + path: /etc/group + regexp: '^{{ rhel7cis_sugroup }}(:.:.*:).*$' + line: '{{ rhel7cis_sugroup }}\g<1>' + backrefs: true + + - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + ansible.builtin.lineinfile: + path: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid group={{ rhel7cis_sugroup }}' diff --git a/tasks/section_4/cis_4.4.1.x.yml b/tasks/section_4/cis_4.4.1.x.yml new file mode 100644 index 00000000..d9cd15d1 --- /dev/null +++ b/tasks/section_4/cis_4.4.1.x.yml @@ -0,0 +1,30 @@ +--- + +- name: "4.4.1.1 | PATCH | Ensure latest version of pam is installed" + when: + - rhel7cis_rule_4_4_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - rule_4.4.1.1 + ansible.builtin.package: + name: pam + state: latest + +- name: "4.4.1.2 | PATCH | Ensure libpwquality is installed" + when: + - rhel7cis_rule_4_4_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - rule_4.4.1.2 + - NIST800-53R5_IA-5 + ansible.builtin.package: + name: libpwquality + state: present diff --git a/tasks/section_4/cis_4.4.2.1.x.yml b/tasks/section_4/cis_4.4.2.1.x.yml new file mode 100644 index 00000000..4196c871 --- /dev/null +++ b/tasks/section_4/cis_4.4.2.1.x.yml @@ -0,0 +1,199 @@ +--- + +- name: | + "4.4.2.1.1 | PATCH | Ensure pam_faillock module is enabled + 4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured + 4.4.2.1.3 | PATCH | Ensure password unlock time is configured + 4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account" + when: + - rhel7cis_rule_4_4_2_1_1 or + rhel7cis_rule_4_4_2_1_2 or + rhel7cis_rule_4_4_2_1_3 or + rhel7cis_rule_4_4_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_faillock + - rule_4.4.2.1.1 + - rule_4.4.2.1.2 + - rule_4.4.2.1.3 + - rule_4.4.2.1.4 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: | + "4.4.2.1.1 | PATCH | Ensure pam_faillock module is enabled + 4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured + 4.4.2.1.3 | PATCH | Ensure password unlock time is configured + 4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account | auth_required" + community.general.pamd: + name: "{{ item }}" + type: auth + control: required + module_path: pam_env.so + state: after + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: 'preauth + silent + audit + {% if rhel7cis_rule_4_4_2_1_2 %}deny="{{ rhel7cis_pam_faillock.deny }}"{% endif %} + {% if rhel7cis_rule_4_4_2_1_3 %}unlock_time="{{ rhel7cis_pam_faillock.unlock_time }}"{% endif %} + {% if rhel7cis_rule_4_4_2_1_4 %}even_deny_root{% endif %}' + loop: + - system-auth + - password-auth + + - name: | + "4.4.2.1.1 | PATCH | Ensure pam_faillock module is enabled + 4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured + 4.4.2.1.3 | PATCH | Ensure password unlock time is configured + 4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account | auth_default" + community.general.pamd: + name: "{{ item }}" + type: auth + control: sufficient + module_path: pam_unix.so + state: after + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: 'authfail + audit + {% if rhel7cis_rule_4_4_2_1_2 %}deny={{ rhel7cis_pam_faillock.deny }}{% endif %} + {% if rhel7cis_rule_4_4_2_1_3 %}unlock_time={{ rhel7cis_pam_faillock.unlock_time }}{% endif %} + {% if rhel7cis_rule_4_4_2_1_4 %}even_deny_root{% endif %}' + loop: + - system-auth + - password-auth + + - name: | + "4.4.2.1.1 | PATCH | Ensure pam_faillock module is enabled + 4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured + 4.4.2.1.3 | PATCH | Ensure password unlock time is configured + 4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account | add to account section" + community.general.pamd: + name: "{{ item }}" + type: account + control: required + module_path: pam_unix.so + state: before + new_type: account + new_control: required + new_module_path: pam_faillock.so + module_arguments: '' + loop: + - system-auth + - password-auth + +- name: "4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured" + when: rhel7cis_rule_4_4_2_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_faillock + - rule_4.4.2.1.2 + block: + - name: "4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured | auth_required" + community.general.pamd: + name: "{{ item }}" + type: auth + control: required + module_path: pam_faillock.so + state: args_present + module_arguments: 'deny={{ rhel7cis_pam_faillock.deny }}' + loop: + - system-auth + - password-auth + + - name: "4.4.2.1.2 | PATCH | Ensure password failed attempts lockout is configured | auth_default" + community.general.pamd: + name: "{{ item }}" + type: auth + control: '[default=die]' + module_path: pam_faillock.so + state: args_present + module_arguments: 'deny={{ rhel7cis_pam_faillock.deny }}' + loop: + - system-auth + - password-auth + +- name: "4.4.2.1.3 | PATCH | Ensure password unlock time is configured" + when: rhel7cis_rule_4_4_2_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_faillock + - rule_4.4.2.1.3 + block: + - name: "4.4.2.1.3 | PATCH | Ensure password unlock time is configured | auth_required" + community.general.pamd: + name: "{{ item }}" + type: auth + control: required + module_path: pam_faillock.so + state: args_present + module_arguments: 'unlock_time={{ rhel7cis_pam_faillock.unlock_time }}' + loop: + - system-auth + - password-auth + + - name: "4.4.2.1.3 | PATCH | Ensure password unlock time is configured | auth_default" + community.general.pamd: + name: "{{ item }}" + type: auth + control: '[default=die]' + module_path: pam_faillock.so + state: args_present + module_arguments: 'unlock_time={{ rhel7cis_pam_faillock.unlock_time }}' + loop: + - system-auth + - password-auth + +- name: "4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account" + when: rhel7cis_rule_4_4_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_faillock + - rule_4.4.2.1.4 + block: + - name: "4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account | auth_required" + community.general.pamd: + name: "{{ item }}" + type: auth + control: required + module_path: pam_faillock.so + state: args_present + module_arguments: 'even_deny_root' + loop: + - system-auth + - password-auth + + - name: "4.4.2.1.4 | PATCH | Ensure password failed attempts lockout includes root account | auth_default" + community.general.pamd: + name: "{{ item }}" + type: auth + control: '[default=die]' + module_path: pam_faillock.so + state: args_present + module_arguments: 'even_deny_root' + loop: + - system-auth + - password-auth diff --git a/tasks/section_4/cis_4.4.2.2.x.yml b/tasks/section_4/cis_4.4.2.2.x.yml new file mode 100644 index 00000000..7c77b688 --- /dev/null +++ b/tasks/section_4/cis_4.4.2.2.x.yml @@ -0,0 +1,150 @@ +--- + +- name: "4.4.2.2.1 | PATCH | Ensure pam_pwquality module is enabled" + when: + - rhel7cis_rule_4_4_2_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.1 + - NIST800-53R5_IA-5 + block: + - name: "4.4.2.2.1 | PATCH | Ensure pam_pwquality module is enabled | present" + community.general.pamd: + name: "{{ item }}" + type: password + control: required + module_path: pam_pwhistory.so + state: before + new_type: password + new_control: requisite + new_module_path: pam_pwquality.so + module_arguments: 'try_first_pass + local_users_only' + loop: + - system-auth + - password-auth + + - name: "4.4.2.2.1 | PATCH | Ensure pam_pwquality module is enabled | args_updated" + community.general.pamd: + name: "{{ item }}" + type: password + control: requisite + module_path: pam_pwquality.so + state: args_present + module_arguments: 'try_first_pass + local_users_only' + loop: + - system-auth + - password-auth + +- name: "4.4.2.2.2 | PATCH | Ensure password number of changed characters is configured" + when: rhel7cis_rule_4_4_2_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.2 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^(?i)(#|)\s*difok + line: "difok = {{ rhel7cis_pwquality_difok }}" + +- name: "4.4.2.2.3 | PATCH | Ensure password length is configured" + when: rhel7cis_rule_4_4_2_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.3 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^(?i)(#|)\s*minlen + line: "minlen = {{ rhel7cis_pwquality_minlen }}" + +- name: "4.4.2.2.4 | PATCH | Ensure password complexity is configured" + when: rhel7cis_rule_4_4_2_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.4 + - NIST800-53R5_IA-5 + block: + - name: "4.4.2.2.4 | PATCH | Ensure password complexity is configured | minclass" + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^minclass + line: "minclass = {{ rhel7cis_pwquality_minclass_value }}" + when: rhel7cis_pwquality_minclass + + - name: "4.4.2.2.4 | PATCH | Ensure password complexity is configured | seperated values" + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^{{ item.key }} + line: "{{ item.key }} = {{ item.value }}" + loop: "{{ rhel7cis_pwquality }}" + when: not rhel7cis_pwquality_minclass + +- name: "4.4.2.2.5 | PATCH | Ensure password same consecutive characters is configured" + when: rhel7cis_rule_4_4_2_2_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.5 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^(?i)(#|)\s*maxrepeat + line: "maxrepeat = {{ rhel7cis_pwquality_maxrepeat }}" + +- name: "4.4.2.2.6 | PATCH | Ensure password maximum sequential characters is configured" + when: rhel7cis_rule_4_4_2_2_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.6 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^(?i)(#|)\s*maxsequence + line: "maxsequence = {{ rhel7cis_pwquality_maxsequence }}" + +- name: "4.4.2.2.7 | PATCH | Ensure password dictionary check is enabled" + when: rhel7cis_rule_4_4_2_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwquality + - rule_4.4.2.2.7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^(?i)(#|)\s*dictcheck + line: "dictcheck = 1" diff --git a/tasks/section_4/cis_4.4.2.3.x.yml b/tasks/section_4/cis_4.4.2.3.x.yml new file mode 100644 index 00000000..bf4478bf --- /dev/null +++ b/tasks/section_4/cis_4.4.2.3.x.yml @@ -0,0 +1,118 @@ +--- + +- name: "4.4.2.3.1 | PATCH | Ensure pam_pwhistory module is enabled" + when: + - rhel7cis_rule_4_4_2_3_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwhistory + - rule_4.4.2.3.1 + - NIST800-53R5_IA-5 + block: + - name: "4.4.2.3.1 | AUDIT | Ensure pam_pwhistory module is enabled | check if exists" + ansible.builtin.shell: grep -P "^auth\s+(sufficient|required|requisite)\s+pam_pwhistory.so" /etc/pam.d/{system,password}-auth | wc -l + changed_when: false + failed_when: rhel7cis_4_4_2_3_1_pwhistory_exists.rc not in [ 0, 1 ] + register: rhel7cis_4_4_2_3_1_pwhistory_exists + + - name: "4.4.2.3.1 | PATCH | Ensure pam_pwhistory module is enabled | present" + when: rhel7cis_4_4_2_3_1_pwhistory_exists.stdout|int < 2 + community.general.pamd: + name: "{{ item }}" + type: password + control: sufficient + module_path: pam_unix.so + state: before + new_type: password + new_control: required + new_module_path: pam_pwhistory.so + module_arguments: 'use_authtok' + loop: + - system-auth + - password-auth + + - name: "4.4.2.3.1 | PATCH | Ensure pam_pwhistory module is enabled | updated" + when: rhel7cis_4_4_2_3_1_pwhistory_exists.stdout | int < 2 + community.general.pamd: + name: "{{ item }}" + type: password + control: required + module_path: pam_pwhistory.so + state: args_present + module_arguments: 'use_authtok' + loop: + - system-auth + - password-auth + +- name: "4.4.2.3.2 | PATCH | Ensure password history remember is configured" + when: + - rhel7cis_rule_4_4_2_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwhistory + - rule_4.4.2.3.2 + - NIST800-53R5_IA-5 + community.general.pamd: + name: "{{ item }}" + type: password + control: required + module_path: pam_pwhistory.so + state: args_present + module_arguments: 'remember={{ rhel7cis_pwhistory_remember }}' + loop: + - system-auth + - password-auth + +- name: "4.4.2.3.3 | PATCH | Ensure password history is enforced for the root user" + when: + - rhel7cis_rule_4_4_2_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwhistory + - rule_4.4.2.3.3 + - NIST800-53R5_IA-5 + community.general.pamd: + name: "{{ item }}" + type: password + control: required + module_path: pam_pwhistory.so + state: args_present + module_arguments: 'enforce_for_root' + loop: + - system-auth + - password-auth + +- name: "4.4.2.3.4 | PATCH | Ensure pam_pwhistory includes use_authtok" + when: + - rhel7cis_rule_4_4_2_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_pwhistory + - rule_4.4.2.3.4 + - NIST800-53R5_IA-5 + community.general.pamd: + name: "{{ item }}" + type: password + control: required + module_path: pam_pwhistory.so + state: args_present + module_arguments: 'use_authtok' + loop: + - system-auth + - password-auth diff --git a/tasks/section_4/cis_4.4.2.4.x.yml b/tasks/section_4/cis_4.4.2.4.x.yml new file mode 100644 index 00000000..1db66a6d --- /dev/null +++ b/tasks/section_4/cis_4.4.2.4.x.yml @@ -0,0 +1,83 @@ +--- + +- name: "4.4.2.4.1 | PATCH | Ensure pam_unix does not include nullok" + when: + - rhel7cis_rule_4_4_2_4_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_unix + - rule_4.4.2.4.1 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: (.*pam_unix.so.*)(nullok)(.*) + line: \1\3 + backrefs: true + loop: + - system-auth + - password-auth + +- name: "4.4.2.4.2 | PATCH | Ensure pam_unix does not include remember" + when: + - rhel7cis_rule_4_4_2_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_unix + - rule_4.4.2.4.2 + ansible.builtin.lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: (.*pam_unix.so.*)remember(.*) + line: \1\2 + backrefs: true + loop: + - system-auth + - password-auth + +- name: "4.4.2.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm" + when: + - rhel7cis_rule_4_4_2_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_unix + - rule_4.4.2.4.3 + ansible.builtin.lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: (.*pam_unix.so.*)(md5|bigcrypt|sha256|blowfish)(.*) + line: \1\2 sha512 + backrefs: true + loop: + - system-auth + - password-auth + +- name: "4.4.2.4.4 | PATCH | Ensure pam_unix includes use_authtok" + when: + - rhel7cis_rule_4_4_2_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_unix + - rule_4.4.2.4.4 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: (.*pam_unix.so.*)(use_authtok)(.*) + line: \1use_authtok\3 + backrefs: true + loop: + - system-auth + - password-auth diff --git a/tasks/section_4/cis_4.5.1.x.yml b/tasks/section_4/cis_4.5.1.x.yml new file mode 100644 index 00000000..bd503eda --- /dev/null +++ b/tasks/section_4/cis_4.5.1.x.yml @@ -0,0 +1,187 @@ +--- + +- name: "4.5.1.1 | PATCH | Ensure strong password hashing algorithm is configured" + when: + - rhel7cis_rule_4_5_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_unix + - rule_4.5.1.1 + - NIST800-53R5_IA-5 + block: + - name: "4.5.1.1 | PATCH | Ensure strong password hashing algorithm is configured | libuser.conf" + ansible.builtin.lineinfile: + path: /etc/libuser.conf + regexp: ^(?i)(#|)\s*crypt_style + line: "crypt_style = {{ rhel7cis_encryption }}" + + - name: "4.5.1.1 | PATCH | Ensure strong password hashing algorithm is configured | login.defs" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: ^(?i)(#|)\s*ENCRYPT_METHOD + line: "ENCRYPT_METHOD {{ rhel7cis_encryption | upper }}" + + - name: "4.5.1.1 | PATCH | Ensure strong password hashing algorithm is configured | Captures users who need to change passwd" + when: rhel7cis_force_user_passwd_change + ansible.builtin.shell: "awk -F: '( $3>='{{ rhel7cis_uid_min }}' && $1 != 'nfsnobody' ) { print $1 }' /etc/passwd" + failed_when: false + changed_when: false + register: rhel7cis_4_5_1_1_user_crypt_password + + - name: "4.5.1.1 | PATCH | Ensure strong password hashing algorithm is configured | force user password change" + when: + - rhel7cis_force_user_passwd_change + - rhel7cis_4_5_1_1_user_crypt_password.stdout | length > 0 + ansible.builtin.shell: "chage -d 0 {{ item }}" + loop: "{{ rhel7cis_4_5_1_1_user_crypt_password.stdout_lines }}" + +- name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less" + when: + - rhel7cis_rule_4_5_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - pam + - pam_unix + - rule_4.5.1.2 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' + line: 'PASS_MAX_DAYS {{ rhel7cis_pass.max_days }}' + insertafter: '# Password aging controls' + + - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ rhel7cis_pass.max_days }} || $5<{{ rhel7cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: rhel7cis_4_5_1_2_max_days + + - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" + ansible.builtin.shell: chage --maxdays {{ rhel7cis_pass.max_days }} {{ item }} + failed_when: false + changed_when: rhel7cis_4_5_1_2_max_days.stdout | length > 0 + loop: "{{ rhel7cis_4_5_1_2_max_days.stdout_lines }}" + when: + - rhel7cis_disruption_high + - (item != 'root') or (not rhel7cis_uses_root) + +- name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + when: + - rhel7cis_rule_4_5_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.5.1.3 + - accounts + - password + block: + - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel7cis_pass['warn_age'] }}" + + - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ rhel7cis_pass['max_days'] }} || $5<{{ rhel7cis_pass['min_days'] }} || $5 == -1)){print $1}' /etc/shadow" + changed_when: false + failed_when: rhel7cis_users_warn_days.rc not in [ 0, 1 ] + register: rhel7cis_users_warn_days + + - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | change users not matching req" + when: + - rhel7cis_users_warn_days is defined + - rhel7cis_users_warn_days.stdout | length > 0 + ansible.builtin.shell: chage --warndays {{ rhel7cis_pass['warn_age'] }} {{ item }} + loop: "{{ rhel7cis_users_warn_days.stdout_lines }}" + +- name: "4.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + when: + - rhel7cis_rule_4_5_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - shadow_suite + - rule_4.5.1.4 + block: + - name: "4.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | capture default state" + ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 + changed_when: false + failed_when: rhel7cis_users_inactive_def.rc not in [ 0, 1 ] + register: rhel7cis_users_inactive_def + + - name: "4.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | change default" + when: + - rhel7cis_users_inactive_def is defined + - (rhel7cis_pass.inactive | string) not in rhel7cis_users_inactive_def.stdout + ansible.builtin.shell: "useradd -D -f {{ rhel7cis_pass.inactive }}" + + - name: "4.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | capture users not matching" + ansible.builtin.shell: | + awk -F: '/^[^#:]+:[^!*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\s*$/ {print $1}' /etc/shadow + changed_when: false + failed_when: rhel7cis_users_inactive.rc not in [ 0, 1 ] + register: rhel7cis_users_inactive + + - name: "4.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | change users not matching req" + when: + - rhel7cis_users_inactive is defined + - rhel7cis_users_inactive.stdout | length > 0 + ansible.builtin.shell: "chage --inactive {{ rhel7cis_pass.inactive }} {{ item }}" + loop: "{{ rhel7cis_users_inactive.stdout_lines }}" + +- name: "4.5.1.5 | PATCH | Ensure all users last password change date is in the past" + when: + - rhel7cis_rule_4_5_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - shadow_suite + - rule_4.5.1.5 + vars: + warn_control_id: '4.5.1.5' + block: + - name: "4.5.1.5 | FACT | Ensure inactive password lock is 30 days or less | set fact days since_epoch" + ansible.builtin.set_fact: + days_since_epoch: "{{ (ansible_facts['date_time']['epoch']|int)/86400 }}" + + - name: "4.5.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | capture users date in future" + ansible.builtin.shell: | + awk -F: '{ if ($3 > "{{ days_since_epoch }}") { print $1 } }' /etc/shadow + changed_when: false + failed_when: rhel7cis_users_user_future.rc not in [ 0, 1 ] + register: rhel7cis_users_user_future + + - name: "4.5.1.5 | WARN | Ensure inactive password lock is 30 days or less | Warn Users in future" + when: + - rhel7cis_users_user_future + - rhel7cis_users_user_future.stdout | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! - The following users have passwords set in the future please investigate" + - "{{ rhel7cis_users_user_future.stdout_lines }}" + + - name: "4.5.1.5 | WARN | Ensure inactive password lock is 30 days or less | Warn Users in future" + when: + - rhel7cis_users_user_future + - rhel7cis_users_user_future.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_4/cis_4.5.2.x.yml b/tasks/section_4/cis_4.5.2.x.yml new file mode 100644 index 00000000..6b7668aa --- /dev/null +++ b/tasks/section_4/cis_4.5.2.x.yml @@ -0,0 +1,99 @@ +--- + +- name: "4.5.2.1 | PATCH | Ensure default group for the root account is GID 0" + when: + - rhel7cis_rule_4_5_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - root + - rule_4.5.2.1 + ansible.builtin.user: + name: root + group: 0 + +- name: "4.5.2.2 | PATCH | Ensure root user umask is configured" + when: + - rhel7cis_rule_4_5_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - shadow_suite + - rule_4.5.2.2 + ansible.builtin.lineinfile: + path: /root/.bash_profile + regexp: \s*umask + line: "umask {{ rhel7cis_root_umask }}" + +- name: "4.5.2.3 | PATCH | Ensure system accounts are secured" + when: + - rhel7cis_rule_4_5_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-11 + - NIST800-53R5_MP-2 + - shadow_suite + - rule_4.5.2.3 + block: + - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Set nologin" + when: + - item.id != "root" + - item.id != "sync" + - item.id != "shutdown" + - item.id != "halt" + - item.id != "nfsnobody" + - item.uid < rhel7uid_interactive_uid_start | int + - item.shell != " /bin/false" + - item.shell != " /usr/sbin/nologin" + ansible.builtin.user: + name: "{{ item.id }}" + shell: /usr/sbin/nologin + loop: "{{ rhel7cis_passwd }}" + loop_control: + label: "{{ item.id }}" + + - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts" + when: + - item.id != "root" + - item.id != "sync" + - item.id != "shutdown" + - item.id != "halt" + - item.id != "nfsnobody" + - item.uid < rhel7uid_interactive_uid_start | int + - item.shell != " /bin/false" + - item.shell != " /usr/sbin/nologin" + ansible.builtin.user: + name: "{{ item.id }}" + password_lock: true + loop: "{{ rhel7cis_passwd }}" + loop_control: + label: "{{ item.id }}" + +- name: "4.5.2.4 | PATCH | Ensure root password is set" + when: + - rhel7cis_rule_4_5_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - shadow_suite + - rule_4.5.2.4 + ansible.builtin.debug: + msg: "This is set as an assert in tasks/main" diff --git a/tasks/section_4/cis_4.5.3.x.yml b/tasks/section_4/cis_4.5.3.x.yml new file mode 100644 index 00000000..5b066636 --- /dev/null +++ b/tasks/section_4/cis_4.5.3.x.yml @@ -0,0 +1,68 @@ +--- + +- name: "4.5.3.1 | PATCH | Ensure nologin is not listed in /etc/shells" + when: + - rhel7cis_rule_4_5_3_1 + tags: + - level2-server + - level2-workstation + - automated + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - patch + - shells + - rule_4.5.3.1 + ansible.builtin.replace: + path: /etc/shells + regexp: nologin + replace: "" + +- name: "4.5.3.2 | PATCH | Ensure default user shell timeout is configured" + when: + - rhel7cis_rule_4_5_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - shell + - rule_4.5.3.2 + ansible.builtin.blockinfile: + path: "{{ item.path }}" + state: "{{ item.state }}" + marker: "# {mark} - CIS benchmark - Ansible-lockdown" + create: true + mode: '0644' + block: | + TMOUT={{ rhel7cis_shell_session_timeout.timeout }} + readonly TMOUT + export TMOUT + loop: + - { path: "{{ rhel7cis_shell_session_timeout.file }}", state: present } + - { path: /etc/profile, state: "{{ (rhel7cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + +- name: "4.5.3.3 | PATCH | Ensure default user umask is configured" + when: + - rhel7cis_rule_4_5_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - umask + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - rule_4.5.3.3 + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} 027' + loop: + - { path: '/etc/bashrc', line: 'umask' } + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 354361be..00bf9e97 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,21 +1,45 @@ --- -- name: "SECTION | 4.1| Configure System Accounting (auditd)" +- name: "SECTION | 4.1.x.x | Configure Job Schedulers" ansible.builtin.import_tasks: - file: cis_4.1.1.x.yml + file: cis_4.1.x.x.yml -- name: "SECTION | 4.1.2.x| Configure Data Retention" +- name: "SECTION | 4.2.x | Configure SSH Server" ansible.builtin.import_tasks: - file: cis_4.1.2.x.yml + file: cis_4.2.x.yml -- name: "SECTION | 4.2.x| Configure Logging" +- name: "SECTION | 4.3.x | Configure Privilege Escalation" ansible.builtin.import_tasks: - file: cis_4.2.1.x.yml + file: cis_4.3.x.yml -- name: "SECTION | 4.2.2.x| Configure journald" +- name: "SECTION | 4.4.1.x | Configure PAM software" ansible.builtin.import_tasks: - file: cis_4.2.2.x.yml + file: cis_4.4.1.x.yml -- name: "SECTION | 4.2.x | logfile configuration" +- name: "SECTION | 4.4.2.1.x | Configure pam_faillock" ansible.builtin.import_tasks: - file: cis_4.2.x.yml + file: cis_4.4.2.1.x.yml + +- name: "SECTION | 4.4.2.2.x | Configure pam_pwquality" + ansible.builtin.import_tasks: + file: cis_4.4.2.2.x.yml + +- name: "SECTION | 4.4.2.3.x | Configure pam_pwhistory" + ansible.builtin.import_tasks: + file: cis_4.4.2.3.x.yml + +- name: "SECTION | 4.4.2.4.x | Configure pam_unix" + ansible.builtin.import_tasks: + file: cis_4.4.2.4.x.yml + +- name: "SECTION | 4.5.1.x | Configure shadow password settings" + ansible.builtin.import_tasks: + file: cis_4.5.1.x.yml + +- name: "SECTION | 4.5.2.x | Configure root and system accounts" + ansible.builtin.import_tasks: + file: cis_4.5.2.x.yml + +- name: "SECTION | 4.5.3.x | Configure user default env" + ansible.builtin.import_tasks: + file: cis_4.5.3.x.yml diff --git a/tasks/section_5/cis_5.1.1.x.yml b/tasks/section_5/cis_5.1.1.x.yml new file mode 100644 index 00000000..7aa4b1e4 --- /dev/null +++ b/tasks/section_5/cis_5.1.1.x.yml @@ -0,0 +1,210 @@ +--- + +- name: "5.1.1.1 | PATCH | Ensure rsyslog installed" + when: + - "'rsyslog' not in ansible_facts.packages" + - rhel7cis_rule_5_1_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - rule_5.1.1.1 + ansible.builtin.package: + name: rsyslog + state: present + +- name: "5.1.1.2 | PATCH | Ensure rsyslog service is enabled" + when: + - rhel7cis_rule_5_1_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - rule_5.1.1.2 + ansible.builtin.systemd: + name: rsyslog + enabled: true + +- name: "5.1.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" + line: ForwardToSyslog=yes + notify: Restart_journald + when: + - rhel7cis_rule_5_1_1_3 + - rhel7cis_syslog == "rsyslog" + tags: + - level1-server + - level1-workstation + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-4 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 + - NIST800-53R5_SI-5 + - rsyslog + - rule_5.1.1.3 + +- name: "5.1.1.4 | PATCH | Ensure rsyslog default file permissions configured" + when: + - rhel7cis_rule_5_1_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_5.1.1.4 + notify: Restart_rsyslog + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: '^\$FileCreateMode' + line: '$FileCreateMode 0640' + +- name: "5.1.1.5 | PATCH | Ensure logging is configured" + when: + - rhel7cis_rule_5_1_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_5.1.1.5 + notify: Restart_rsyslog + block: + - name: "5.1.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + ansible.builtin.shell: cat /etc/rsyslog.conf + changed_when: false + failed_when: false + check_mode: false + register: rhel7cis_5_1_1_5_audit + + - name: "5.1.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + ansible.builtin.debug: + msg: + - "These are the current logging configurations for rsyslog, please review:" + - "{{ rhel7cis_5_1_1_5_audit.stdout_lines }}" + + - name: "5.1.1.5 | PATCH | Ensure logging is configured | mail.* log setting" + when: rhel7cis_rsyslog_ansiblemanaged + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # mail logging additions to meet CIS standards + mail.* -/var/log/mail + mail.info -/var/log/mail.info + mail.warning -/var/log/mail.warning + mail.err /var/log/mail.err + insertafter: '# Log all the mail messages in one place.' + + - name: "5.1.1.5 | PATCH | Ensure logging is configured | Misc. log setting" + when: rhel7cis_rsyslog_ansiblemanaged + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # misc. logging additions to meet CIS standards + *.=warning;*.=err -/var/log/warn + *.crit /var/log/warn + *.*;mail.none;news.none /var/log/messages + insertafter: '#### RULES ####' + + - name: "5.1.1.5 | PATCH | Ensure logging is configured | Local log settings" + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # local log settings to meet CIS standards + local0,local1.* -/var/log/localmessages + local2,local3.* -/var/log/localmessages + local4,local5.* -/var/log/localmessages + local6,local7.* -/var/log/localmessages + *.emerg :omusrmsg:* + insertafter: '#### RULES ####' + + - name: "5.1.1.5 | PATCH | Ensure logging is configured | Auth Settings" + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # Private settings to meet CIS standards + auth,authpriv.* /var/log/secure + insertafter: '#### RULES ####' + + - name: "5.1.1.5 | PATCH | Ensure logging is configured | Cron Settings" + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # Cron settings to meet CIS standards + cron.* /var/log/cron + insertafter: '#### RULES ####' + +- name: "5.1.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" + when: + - rhel7cis_rule_5_1_1_6 + - rhel7cis_remote_log_server + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_5.1.1.6 + notify: Restart_rsyslog + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + block: | + # target can be IP or FQDN + *.* action(type="omfwd" target="{{ rhel7cis_remote_log_host }}" port="{{ rhel7cis_remote_log_port }}" protocol="{{ rhel7cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel7cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel7cis_remote_log_queuesize }}") + insertafter: EOF + register: result + failed_when: + - result is failed + - result.rc != 257 + +- name: "5.1.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" + when: + - rhel7cis_rule_5_1_1_7 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_5.1.1.7 + notify: Restart_rsyslog + block: + - name: "5.1.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" + when: not rhel7cis_system_is_log_server + ansible.builtin.replace: + path: /etc/rsyslog.conf + regexp: '{{ item }}' + replace: '#\1' + loop: + - '^(\$ModLoad imtcp)' + - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' + + - name: "5.1.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" + when: rhel7cis_system_is_log_server + ansible.builtin.replace: + path: /etc/rsyslog.conf + regexp: '^#(.*{{ item }}.*)' + replace: '\1' + loop: + - 'ModLoad imtcp' + - 'InputTCPServerRun' diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml new file mode 100644 index 00000000..58b32035 --- /dev/null +++ b/tasks/section_5/cis_5.1.2.x.yml @@ -0,0 +1,197 @@ +--- + +- name: "5.1.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" + when: + - rhel7cis_rule_5_1_2_1_1 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level1-workstation + - manual + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - journald + - rule_5.1.2.1.1 + ansible.builtin.package: + name: systemd-journal-remote + state: present + +- name: "5.1.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" + when: + - rhel7cis_rule_5_1_2_1_2 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level1-workstation + - manual + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - journald + - rule_5.1.2.1.2 + notify: Restart_systemd_journal_upload + ansible.builtin.lineinfile: + path: /etc/systemd/journal-upload.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: 'URL=', line: 'URL={{ rhel7cis_journal_upload_url }}'} + - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel7cis_journal_upload_serverkeyfile }}'} + - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel7cis_journal_servercertificatefile }}'} + - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel7cis_journal_trustedcertificatefile }}'} + +- name: "5.1.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" + when: + - rhel7cis_system_is_log_server + - rhel7cis_rule_5_1_2_1_3 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level1-workstation + - automated + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - journald + - rule_5.1.2.1.3 + ansible.builtin.systemd: + name: systemd-journal-upload + state: started + enabled: true + +- name: "5.1.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" + when: + - not rhel7cis_system_is_log_server + - rhel7cis_rule_5_1_2_1_4 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_5.1.2.1.4 + ansible.builtin.systemd: + name: systemd-journal-remote.socket + state: stopped + enabled: false + masked: true + +- name: "5.1.2.2 | PATCH | Ensure journald service is enabled" + when: + - rhel7cis_rule_5_1_2_2 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level1-workstation + - automated + - audit + - journald + - rule_5.1.2.2 + block: + - name: "5.1.2.2 | PATCH | Ensure journald service is enabled | Enable service" + ansible.builtin.systemd: + name: systemd-journald + state: started + enabled: true + + - name: "5.1.2.2 | AUDIT | Ensure journald service is enabled | Capture status" + ansible.builtin.shell: systemctl is-enabled systemd-journald.service + changed_when: false + failed_when: false + register: rhel7cis_5_1_2_2_status + + - name: "5.1.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" + ansible.builtin.debug: + msg: + - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel7cis_5_1_2_2_status.stdout" + + - name: "5.1.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '5.1.2.2' + when: "'static' not in rhel7cis_5_1_2_2_status.stdout" + +- name: "5.1.2.3 | PATCH | Ensure journald is configured to compress large log files" + when: + - rhel7cis_rule_5_1_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_5.1.2.3 + notify: Restart_journald + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: 'Compress=' + line: Compress=yes + insertafter: ^#Compress + validate: /usr/bin/bash -n %s + +- name: "5.1.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" + when: + - rhel7cis_rule_5_1_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_5.1.2.4 + notify: Restart_journald + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: 'Storage=' + line: Storage=persistent + state: present + insertafter: ^#Storage + validate: /usr/bin/bash -n %s + +# This is counter to control 5.1.1.3?? +- name: "5.1.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" + when: + - rhel7cis_rule_5_1_2_5 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level2-workstation + - manual + - patch + - journald + - rule_5.1.2.5 + notify: Restart_journald + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: "^ForwardToSyslog=" + line: "#ForwardToSyslog=yes" + +- name: "5.1.2.6 | PATCH | Ensure journald log rotation is configured per site policy" + when: + - rhel7cis_rule_5_1_2_6 + - rhel7cis_syslog == 'journald' + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_5.1.2.6 + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: Restart_journald + loop: + - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel7cis_journald_systemmaxuse }}'} + - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel7cis_journald_systemkeepfree }}' } + - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel7cis_journald_runtimemaxuse }}'} + - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel7cis_journald_runtimekeepfree }}'} + - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel7cis_journald_maxfilesec }}'} diff --git a/tasks/section_5/cis_5.1.3.yml b/tasks/section_5/cis_5.1.3.yml new file mode 100644 index 00000000..55f8d1af --- /dev/null +++ b/tasks/section_5/cis_5.1.3.yml @@ -0,0 +1,30 @@ +--- + +- name: "5.1.3 | PATCH | Ensure logrotate is configured" + when: + - rhel7cis_rule_5_1_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_5.1.3 + block: + - name: "5.1.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + ansible.builtin.find: + paths: /etc/logrotate.d/ + register: rhel7cis_log_rotate_conf + + - name: "5.1.3 | PATCH | Ensure logrotate is configured | conf files" + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ rhel7cis_logrotate }}" + loop: "{{ rhel7cis_log_rotate_conf.files }}" + + - name: "5.1.3 | PATCH | Ensure logrotate is configured | logrotate.conf" + ansible.builtin.replace: + path: /etc/logrotate.conf + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ rhel7cis_logrotate }}" diff --git a/tasks/section_5/cis_5.1.4.yml b/tasks/section_5/cis_5.1.4.yml new file mode 100644 index 00000000..8e3a67a1 --- /dev/null +++ b/tasks/section_5/cis_5.1.4.yml @@ -0,0 +1,37 @@ +--- + +- name: "5.1.4 | PATCH | Ensure all logfiles have appropriate access configured" + when: + - rhel7cis_rule_5_1_4 + tags: + - level1-server + - level1-workstation + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - logfiles + - rule_5.1.4 + block: + - name: "5.1.4 | AUDIT | Ensure all logfiles have appropriate access configured | find files" + ansible.builtin.shell: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls {} \; + changed_when: false + failed_when: false + register: rhel7cis_5_1_4_logfiles + + - name: "5.1.4 | AUDIT | Ensure all logfiles have appropriate access configured | set_fact" + ansible.builtin.set_fact: + rhel7cis_4_2_3_logfiles_flattened: "{{ rhel7cis_5_1_4_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid] + when: + - rhel7cis_5_1_4_logfiles.stdout_lines | length > 0 + - rhel7cis_5_1_4_logfiles is defined + + - name: "5.1.4 | PATCH | Ensure all logfiles have appropriate access configured | change permissions" + ansible.builtin.file: + path: "{{ item }}" + mode: '0640' + loop: "{{ rhel7cis_5_1_4_logfiles_flattened }}" + when: + - rhel7cis_5_1_4_logfiles_flattened is defined + - item != "/var/log/btmp" + - item != "/var/log/utmp" + - item != "/var/log/wtmp" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml deleted file mode 100644 index 46127550..00000000 --- a/tasks/section_5/cis_5.1.x.yml +++ /dev/null @@ -1,157 +0,0 @@ ---- - -- name: "5.1.1 | PATCH | Ensure cron daemon is enabled and running" - ansible.builtin.service: - name: crond - enabled: true - state: started - when: - - rhel7cis_rule_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.1 - -- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - ansible.builtin.file: - dest: /etc/crontab - owner: root - group: root - mode: 0600 - when: - - rhel7cis_rule_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.2 - -- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - ansible.builtin.file: - dest: /etc/cron.hourly - state: directory - owner: root - group: root - mode: 0700 - when: - - rhel7cis_rule_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.3 - -- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - ansible.builtin.file: - dest: /etc/cron.daily - state: directory - owner: root - group: root - mode: 0700 - when: - - rhel7cis_rule_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.4 - -- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - ansible.builtin.file: - dest: /etc/cron.weekly - state: directory - owner: root - group: root - mode: 0700 - when: - - rhel7cis_rule_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.5 - -- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - ansible.builtin.file: - dest: /etc/cron.monthly - state: directory - owner: root - group: root - mode: 0700 - when: - - rhel7cis_rule_5_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.6 - -- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - ansible.builtin.file: - dest: /etc/cron.d - state: directory - owner: root - group: root - mode: 0700 - when: - - rhel7cis_rule_5_1_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.7 - -- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" - block: - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" - ansible.builtin.file: - dest: /etc/cron.deny - state: absent - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" - ansible.builtin.stat: - path: "/etc/cron.allow" - register: p - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" - ansible.builtin.file: - dest: /etc/cron.allow - state: '{{ "file" if p.stat.exists else "touch" }}' - owner: root - group: root - mode: 0600 - when: - - rhel7cis_rule_5_1_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.8 - -- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" - block: - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - ansible.builtin.file: - dest: /etc/at.deny - state: absent - - - name: "5.1.9 | AUDIT | Ensure at is restricted to authorized users | Check if at.allow exists" - ansible.builtin.stat: - path: "/etc/at.allow" - register: p - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" - ansible.builtin.file: - dest: /etc/at.allow - state: '{{ "file" if p.stat.exists else "touch" }}' - owner: root - group: root - mode: 0600 - when: - - rhel7cis_rule_5_1_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.9 diff --git a/tasks/section_5/cis_5.2.1.x.yml b/tasks/section_5/cis_5.2.1.x.yml new file mode 100644 index 00000000..5d45db5e --- /dev/null +++ b/tasks/section_5/cis_5.2.1.x.yml @@ -0,0 +1,121 @@ +--- + +- name: "5.2.1.1 | PATCH | Ensure audit is installed" + when: + - rhel7cis_rule_5_2_1_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - auditd + - rule_5.2.1.1 + block: + - name: "5.2.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" + ansible.builtin.package: + name: audit + state: present + when: '"auditd" not in ansible_facts.packages' + + - name: "5.2.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" + ansible.builtin.package: + name: audit-libs + state: present + when: '"auditd-lib" not in ansible_facts.packages' + +- name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + when: + - rhel7cis_rule_5_2_1_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - grub + - rule_5.2.1.2 + notify: Rebuild_grub + block: + - name: "5.2.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: rhel7cis_5_2_1_2_grub_cmdline_linux + + - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" + when: "'audit=' in rhel7cis_5_2_1_2_grub_cmdline_linux.stdout" + ansible.builtin.replace: + dest: /etc/default/grub + regexp: 'audit=([0-9]+)' + replace: 'audit=1' + after: '^GRUB_CMDLINE_LINUX_DEFAULT="' + before: '"' + + - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" + when: "'audit=' not in rhel7cis_5_2_1_2_grub_cmdline_linux.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' + line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ rhel7cis_5_2_1_2_grub_cmdline_linux.stdout }} audit=1"' + +- name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" + when: + - rhel7cis_rule_5_2_1_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - grub + - rule_5.2.1.3 + notify: Rebuild_grub + block: + - name: "5.2.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: rhel7cis_5_2_1_3_grub_cmdline_linux + + - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" + when: "'audit_backlog_limit=' in rhel7cis_5_2_1_3_grub_cmdline_linux.stdout" + ansible.builtin.replace: + dest: /etc/default/grub + regexp: 'audit_backlog_limit=([0-9]+)' + replace: 'audit_backlog_limit={{ rhel7cis_audit_back_log_limit }}' + after: '^GRUB_CMDLINE_LINUX_DEFAULT="' + before: '"' + + - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" + when: "'audit_backlog_limit=' not in rhel7cis_5_2_1_3_grub_cmdline_linux.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' + line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ rhel7cis_5_2_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel7cis_audit_back_log_limit }}"' + +- name: "5.2.1.4 | PATCH | Ensure auditd service is enabled" + when: + - rhel7cis_rule_5_2_1_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - auditd + - rule_5.2.1.4 + ansible.builtin.service: + name: auditd + state: started + enabled: true diff --git a/tasks/section_5/cis_5.2.2.x.yml b/tasks/section_5/cis_5.2.2.x.yml new file mode 100644 index 00000000..be41b2fb --- /dev/null +++ b/tasks/section_5/cis_5.2.2.x.yml @@ -0,0 +1,81 @@ +--- + +- name: "5.2.2.1 | PATCH | Ensure audit log storage size is configured" + when: + - rhel7cis_rule_5_2_2_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-8 + - auditd + - rule_5.2.2.1 + notify: Restart_auditd + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: ^max_log_file(\s|=) + line: "max_log_file = {{ rhel7cis_max_log_file_size }}" + +- name: "5.2.2.2 | PATCH | Ensure audit logs are not automatically deleted" + when: + - rhel7cis_rule_5_2_2_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-8 + - auditd + - rule_5.2.2.2 + notify: Restart_auditd + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "^max_log_file_action" + line: "max_log_file_action = {{ rhel7cis_auditd['max_log_file_action'] }}" + +- name: "5.2.2.3 | PATCH | Ensure system is disabled when audit logs are full" + when: + - rhel7cis_rule_5_2_2_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - auditd + - rule_5.2.2.3 + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: Restart_auditd + loop: + - { regexp: '^disk_full_action', line: 'disk_full_action = {{ rhel7cis_auditd.disk_full_action }}' } + - { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel7cis_auditd.disk_error_action }}' } + +- name: "5.2.2.4 | PATCH | Ensure system warns when audit logs are low on space" + when: + - rhel7cis_rule_5_2_2_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - auditd + - rule_5.2.2.4 + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: Restart_auditd + loop: + - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel7cis_auditd.admin_space_left_action }}' } + - { regexp: '^space_left_action', line: 'space_left_action = {{ rhel7cis_auditd.space_left_action }}' } diff --git a/tasks/section_5/cis_5.2.3.x.yml b/tasks/section_5/cis_5.2.3.x.yml new file mode 100644 index 00000000..435ef36a --- /dev/null +++ b/tasks/section_5/cis_5.2.3.x.yml @@ -0,0 +1,299 @@ +--- + +- name: "5.2.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + when: + - rhel7cis_rule_5_2_3_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.1 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.2 | PATCH | Ensure actions as another user are always logged" + when: + - rhel7cis_rule_5_2_3_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.2 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.3 | PATCH | Ensure events that modify the sudo log file are collected" + when: + - rhel7cis_rule_5_2_3_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.3 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.4 | PATCH | Ensure events that modify date and time information are collected" + when: + - rhel7cis_rule_5_2_3_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.4 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.5 | PATCH | Ensure events that modify the system's network environment are collected" + when: + - rhel7cis_rule_5_2_3_5 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.5 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected" + when: + - rhel7cis_rule_5_2_3_6 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-3 + - auditd + - rule_5.2.3.6 + block: + - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected" + ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done + changed_when: false + failed_when: false + check_mode: false + register: priv_procs + + - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected" + ansible.builtin.set_fact: + update_audit_template: true + notify: Update_auditd_rules + +- name: "5.2.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + ansible.builtin.set_fact: + update_audit_template: true + when: + - rhel7cis_rule_5_2_3_7 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3_7 + +- name: "5.2.3.8 | PATCH | Ensure events that modify user/group information are collected" + when: + - rhel7cis_rule_5_2_3_8 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.8 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" + when: + - rhel7cis_rule_5_2_3_9 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.9 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.10 | PATCH | Ensure successful file system mounts are collected" + when: + - rhel7cis_rule_5_2_3_10 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_CM-6 + - auditd + - rule_5.2.3.10 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.11 | PATCH | Ensure session initiation information is collected" + when: + - rhel7cis_rule_5_2_3_11 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-3 + - auditd + - rule_5.2.3.11 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.12 | PATCH | Ensure login and logout events are collected" + when: + - rhel7cis_rule_5_2_3_12 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-3 + - auditd + - rule_5.2.3.12 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.13 | PATCH | Ensure file deletion events by users are collected" + when: + - rhel7cis_rule_5_2_3_13 + tags: + - level2-server + - level2-workstation + - auditd + - patch + - rule_5.2.3.13 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + when: + - rhel7cis_rule_5_2_3_14 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AU-3 + - auditd + - rule_5.2.3.14 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" + when: + - rhel7cis_rule_5_2_3_15 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.15 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + when: + - rhel7cis_rule_5_2_3_16 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.16 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" + when: + - rhel7cis_rule_5_2_3_17 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.17 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" + when: + - rhel7cis_rule_5_2_3_18 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.18 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.19 | PATCH | Ensure kernel module loading and unloading is collected" + when: + - rhel7cis_rule_5_2_3_19 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_5.2.3.19 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.20 | PATCH | Ensure the audit configuration is immutable" + when: + - rhel7cis_rule_5_2_3_20 + tags: + - level2-server + - level2-workstation + - automated + - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-3 + - NIST800-53R5_MP-2 + - auditd + - rule_4.1.20 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "5.2.3.21 | AUDIT | Ensure the running and on disk configuration is the same" + when: + - rhel7cis_rule_5_2_3_21 + tags: + - level2-server + - level2-workstation + - manual + - patch + - auditd + - rule_5.2.3.21 + ansible.builtin.debug: + msg: + - "Please run augenrules --load if you suspect there is a configuration that is not active" + +- name: Auditd | 5.2.3 | Auditd controls updated + when: + - update_audit_template + ansible.builtin.debug: + msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" + changed_when: false diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml new file mode 100644 index 00000000..341af9d0 --- /dev/null +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -0,0 +1,174 @@ +--- + +- name: "5.2.4.1 | PATCH | Ensure the audit log directory is 0750 or more restrictive" + when: + - rhel7cis_rule_5_2_4_1 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.1 + block: + - name: "5.2.4.1 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" + ansible.builtin.stat: + path: "{{ discovered_audit_logfile.stdout | dirname }}" + register: auditlog_dir + + - name: "5.2.4.1 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" + ansible.builtin.file: + path: "{{ discovered_audit_logfile.stdout | dirname }}" + state: directory + mode: g-w,o-rwx + +- name: | + "5.2.4.2 | PATCH | Ensure audit log files are mode 0640 or less permissive" + "5.2.4.3 | PATCH | Ensure only authorized users own audit log files" + "5.2.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + when: + - rhel7cis_rule_5_2_4_2 or + rhel7cis_rule_5_2_4_3 or + rhel7cis_rule_5_2_4_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.2 + - rule_5.2.4.3 + - rule_5.2.4.4 + block: + - name: "5.2.4.2 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" + ansible.builtin.stat: + path: "{{ discovered_audit_logfile.stdout }}" + changed_when: false + register: auditd_logfile + + - name: | + "5.2.4.2 | PATCH | Ensure audit log files are mode 0640 or less permissive" + "5.2.4.3 | PATCH | Ensure only authorized users own audit log files" + "5.2.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + ansible.builtin.file: + path: "{{ discovered_audit_logfile.stdout }}" + mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" + owner: root + group: root + +- name: "5.2.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" + when: + - rhel7cis_rule_5_2_4_5 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.5 + ansible.builtin.file: + path: "{{ item.path }}" + mode: g-wx,o-rwx + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.2.4.6 | PATCH | Ensure audit configuration files are owned by root" + when: + - rhel7cis_rule_5_2_4_6 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.6 + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.2.4.7 | PATCH | Ensure audit configuration files belong to group root" + when: + - rhel7cis_rule_5_2_4_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.7 + ansible.builtin.file: + path: "{{ item.path }}" + group: root + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.2.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" + when: + - rhel7cis_rule_5_2_4_8 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.8 + block: + - name: "5.2.4.8 | AUDIT | Get audit binary file stat | get current mode" + ansible.builtin.stat: + path: "{{ item }}" + register: "audit_bins" + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + + - name: "5.2.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" + ansible.builtin.file: + path: "{{ item.item }}" + mode: g-w,o-w + loop: "{{ audit_bins.results }}" + loop_control: + label: "{{ item.item }}" + +- name: "5.2.4.9 | PATCH | Ensure audit tools are owned by root" + when: + - rhel7cis_rule_5_2_4_9 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.9 + ansible.builtin.file: + path: "{{ item }}" + owner: root + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + +- name: "5.2.4.10 | PATCH | Ensure audit tools belong to group root" + when: + - rhel7cis_rule_5_2_4_10 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_5.2.4.10 + ansible.builtin.file: + path: "{{ item }}" + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml deleted file mode 100644 index 99f608aa..00000000 --- a/tasks/section_5/cis_5.2.x.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- - -- name: "5.2.1 | PATCH | Ensure sudo is installed" - ansible.builtin.package: - name: sudo - state: present - become: true - when: - - rhel7cis_rule_5_2_1 - tags: - - level1-server - - level1-workstation - - sudo - - patch - - rule_5.2.1 - vars: - ansible_python_interpreter: /bin/python - -- name: "5.2.2 | AUDIT | Ensure sudo commands use pty" - ansible.builtin.lineinfile: - dest: /etc/sudoers - regexp: '^Defaults use_pty' - line: 'Defaults use_pty' - state: present - validate: '/usr/sbin/visudo -cf %s' - become: true - when: - - rhel7cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.2 - -- name: "5.2.3 | PATCH | Ensure sudo log file exists" - ansible.builtin.lineinfile: - dest: /etc/sudoers - regexp: '^Defaults logfile="{{ rhel7cis_varlog_location }}"' - line: 'Defaults logfile="{{ rhel7cis_varlog_location }}"' - state: present - validate: '/usr/sbin/visudo -cf %s' - become: true - when: - - rhel7cis_rule_5_2_1 and rhel7cis_rule_5_2_3 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.3 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index fb479f97..ef7c3253 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -1,480 +1,73 @@ --- -- name: "5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - ansible.builtin.file: - dest: /etc/ssh/sshd_config - state: file - owner: root - group: root - mode: 0600 +- name: "5.3.1 | PATCH | Ensure AIDE is installed" when: + - rhel7cis_config_aide - rhel7cis_rule_5_3_1 tags: - level1-server - level1-workstation + - automated + - aide + - NIST800-53R5_AU-2 - patch - - ssh - rule_5.3.1 - -- name: "5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - - name: "5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured" - ansible.builtin.find: - paths: - - /etc/ssh - patterns: 'ssh_host_*_key' - recurse: true - file_type: any - register: rhel_07_5_3_2_priv_results - - - name: "5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - group: root - mode: 0600 - loop: "{{ rhel_07_5_3_2_priv_results.files }}" - loop_control: - label: "{{ item.path }}" - when: - - rhel7cis_rule_5_3_2 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.2 - -- name: "5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" - block: - - name: "5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured" - ansible.builtin.find: - paths: - - /etc/ssh - patterns: 'ssh_host_*_key' - recurse: true - file_type: any - register: rhel_07_5_3_3_pub_results - - - name: "5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - group: root - mode: 0600 - loop: "{{ rhel_07_5_3_3_pub_results.files }}" - loop_control: - label: "{{ item.path }}" - when: - - rhel7cis_rule_5_3_3 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.3 - -- name: "5.3.4 | PATCH | Ensure SSH access is limited" - block: - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - insertbefore: "# Accept locale-related environment variables" - line: AllowUsers {{ rhel7cis_sshd['allowusers'] }} - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - "rhel7cis_sshd['allowusers']|default('') | length > 0" - - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowGroups" - insertbefore: "# Accept locale-related environment variables" - line: AllowGroups {{ rhel7cis_sshd['allowgroups'] }} - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - "rhel7cis_sshd['allowgroups']|default('') | length > 0" - - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyUsers" - insertbefore: "# Accept locale-related environment variables" - line: DenyUsers {{ rhel7cis_sshd['denyusers'] }} - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - "rhel7cis_sshd['denyusers']|default('') | length > 0" - - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - ansible.builtin.lineinfile: + - name: "5.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" + ansible.builtin.package: + name: aide state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyGroups" - insertbefore: "# Accept locale-related environment variables" - line: DenyGroups {{ rhel7cis_sshd['denygroups'] }} - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - "rhel7cis_sshd['denygroups']|default('') | length > 0" - when: - - rhel7cis_rule_5_3_4 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.4 - -- name: "5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#LogLevel|^LogLevel" - line: 'LogLevel {{ rhel7cis_ssh_loglevel }}' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_5 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.5 - -- name: "5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#X11Forwarding|^X11Forwarding" - line: 'X11Forwarding no' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_6 - tags: - - level2-server - - level1-workstation - - patch - - ssh - - rule_5.3.6 - -- name: "5.3.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?MaxAuthTries \d' - line: 'MaxAuthTries 4' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_7 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.7 - -- name: "5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#IgnoreRhosts|^IgnoreRhosts" - line: 'IgnoreRhosts yes' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_8 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.8 - -- name: "5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" - line: 'HostbasedAuthentication no' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_9 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.9 - -- name: "5.3.10 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#PermitRootLogin|^PermitRootLogin" - line: 'PermitRootLogin no' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_10 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.10 - -- name: "5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" - line: 'PermitEmptyPasswords no' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_11 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.11 -- name: "5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" - line: 'PermitUserEnvironment no' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_12 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.12 + - name: "5.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + ansible.builtin.shell: /usr/sbin/aide --init + changed_when: false + failed_when: false + async: 45 + poll: 0 + args: + creates: /var/lib/aide/aide.db.new.gz + when: not ansible_check_mode -- name: "5.3.13 | PATCH | Ensure only strong Ciphers are used" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^Ciphers' - insertbefore: "# Accept locale-related environment variables" - line: "Ciphers {{ rhel7cis_sshd['ciphers'] }}" - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_13 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.13 + - name: "5.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB" + ansible.builtin.copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + remote_src: true -- name: "5.3.14 | PATCH | Ensure only strong MAC algorithms are used" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^MACs' - insertbefore: "# Accept locale-related environment variables" - line: "MACs {{ rhel7cis_sshd['macs'] }}" - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd +- name: "5.3.2 | PATCH | Ensure filesystem integrity is regularly checked" when: - - rhel7cis_rule_5_3_14 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.14 - -- name: "5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^KexAlgorithms' - line: "KexAlgorithms {{ rhel7cis_sshd['kex'] }}" - insertafter: '^MACs' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_15 + - rhel7cis_rule_5_3_2 + - rhel7cis_config_aide + - not system_is_ec2 tags: - level1-server - level1-workstation + - automated + - aide + - NIST800-53R5_AU-2 + - file_integrity - patch - - ssh - - rule_5.3.15 - -- name: "5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" + - rule_5.3.2 block: - - name: "5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#ClientAliveInterval|^ClientAliveInterval" - line: "ClientAliveInterval {{ rhel7cis_sshd['clientaliveinterval'] }}" - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - - - name: "5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#ClientAliveCountMax|^ClientAliveCountMax" - line: "ClientAliveCountMax {{ rhel7cis_sshd['clientalivecountmax'] }}" - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_16 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.16 - -- name: "5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#LoginGraceTime|^LoginGraceTime" - line: "LoginGraceTime {{ rhel7cis_sshd['logingracetime'] }}" - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_17 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.17 - -- name: "5.3.18 | PATCH | Ensure SSH warning banner is configured" - ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config - regexp: '^Banner ((?!/etc/issue.net$)).*$' - line: "{{ item.line | default (omit) }}" - insertafter: "{{ item.after | default(omit) }}" - state: "{{ item.state }}" - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - with_items: - - { state: absent } - - { state: present, line: 'Banner /etc/issue.net', after: '#Banner none' } - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_18 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.18 - -- name: "5.3.19 | PATCH | Ensure SSH PAM is enabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#UsePAM|^UsePAM" - line: 'UsePAM yes' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_19 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.19 - -- name: "5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" - line: 'AllowTcpForwarding no' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_20 - tags: - - level2-server - - level2-workstation - - patch - - ssh - - rule_5.3.20 - -- name: "5.3.21 | PATCH | Ensure SSH MaxStartups is configured" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#MaxStartups|^MaxStartups" - line: 'MaxStartups 10:30:60' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_21 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.21 - -- name: "5.3.22 | PATCH | Ensure SSH MaxSessions is limited" - ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#MaxSessions|^MaxSessions" - line: 'MaxSessions {{ rhel7cis_ssh_maxsessions }}' - validate: /usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" -f %s - notify: - - restart sshd - when: - - rhel7cis_rule_5_3_22 - tags: - - level1-server - - level1-workstation - - patch - - ssh - - rule_5.3.22 + - name: "5.3.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" + when: rhel7cis_aide_scan == "cron" + ansible.builtin.cron: + name: Run AIDE integrity check + cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}" + user: "{{ rhel7cis_aide_cron['cron_user'] }}" + minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel7cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel7cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel7cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel7cis_aide_cron['aide_job'] }}" + + - name: "5.3.2 | PATCH | Ensure filesystem integrity is regularly checked | timer" + when: rhel7cis_aide_scan == "timer" + ansible.builtin.systemd: + name: "{{ item.name }}" + enabled: true + state: "{{ item.state | default(omit)}}" + loop: + - { name: 'aidecheck.service' } + - { name: 'aidecheck.timer', state: started } diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml deleted file mode 100644 index 238788ab..00000000 --- a/tasks/section_5/cis_5.4.x.yml +++ /dev/null @@ -1,135 +0,0 @@ ---- - -- name: "5.4.1 | PATCH | Ensure password creation requirements are configured" - ansible.builtin.lineinfile: - state: present - dest: "/etc/security/pwquality.conf" - regexp: '^{{ item.key }}' - line: '{{ item.key }} = {{ item.value }}' - with_items: - - { key: 'minlen', value: '14' } - - { key: 'minclass', value: '4' } - when: - - rhel7cis_rule_5_4_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.1 - -- name: | - "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | PATCH | Ensure password hashing algorithm is SHA-512 - 5.4.4 | PATCH | Ensure password reuse is limited" - block: - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "auth required pam_faillock.so preauth audit silent deny={{ rhel7cis_pam_faillock.attempts }}{{ (rhel7cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel7cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - loop: - - "system-auth" - - "password-auth" - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Add success and default settings to pam_unix.so" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "auth [success=1 default=bad] pam_unix.so" - insertafter: '^#?auth ?' - loop: - - "system-auth" - - "password-auth" - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Add default, deny count, and unlock times for authfail" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "auth [default=die] pam_faillock.so authfail audit deny={{ rhel7cis_pam_faillock.attempts }}{{ (rhel7cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel7cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - loop: - - "system-auth" - - "password-auth" - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times to authsucc" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "auth sufficient pam_faillock.so authsucc audit deny={{ rhel7cis_pam_faillock.attempts }}{{ (rhel7cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel7cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - loop: - - "system-auth" - - "password-auth" - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Activate deny count and unlock times to failed password" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "account required pam_faillock.so" - firstmatch: true - regexp: '^\s*account\s+required\s+pam_faillock.so\s*' - insertbefore: '^#?account ?' - loop: - - "system-auth" - - "password-auth" - - - name: "5.4.3 | PATCH | Ensure password hashing algorithm is SHA-512 | add sha512 settings" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "password sufficient pam_unix.so {{ rhel7cis_pam_faillock.pwhash }} shadow nullok try_first_pass use_authtok" - insertafter: '^#?password ?' - loop: - - "system-auth" - - "password-auth" - - - name: "5.4.4 | PATCH | Ensure password reuse is limited | add remember settings" - ansible.builtin.lineinfile: - dest: "/etc/pam.d/{{ item }}" - state: present - line: "password required pam_pwhistory.so remember={{ rhel7cis_pam_faillock.remember }}" - insertafter: '^#?password ?' - loop: - - "system-auth" - - "password-auth" - - # The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services - # With the steps below you will score five (5) points lower due to false positive results - - - name: | - "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Copy system/passowrd-auth to system/password-auth-local - 5.4.3 | PATCH | Ensure password hashing algorithm is SHA-512 - 5.4.4 | PATCH | Ensure password reuse is limited | Copy system/password-auth to system/password-auth-local" - ansible.builtin.copy: - src: "/etc/pam.d/{{ item }}" - dest: "/etc/pam.d/{{ item }}-local" - remote_src: true - owner: root - group: root - mode: '0644' - loop: - - "system-auth" - - "password-auth" - - - name: | - "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Setup symbolic link - 5.4.4 | PATCH | Ensure password reuse is limited | Setup symbolic link" - ansible.builtin.file: - src: "/etc/pam.d/{{ item }}-local" - dest: "/etc/pam.d/{{ item }}" - state: link - force: true - loop: - - "system-auth" - - "password-auth" - when: - - rhel7cis_rule_5_4_2 - - rhel7cis_rule_5_4_3 - - rhel7cis_rule_5_4_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.2 - - rule_5.4.4 diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml deleted file mode 100644 index 1373c318..00000000 --- a/tasks/section_5/cis_5.5.1.x.yml +++ /dev/null @@ -1,114 +0,0 @@ ---- - -- name: "5.5.1.1 | PATCH | Ensure password expiration is 365 days or less" - ansible.builtin.lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel7cis_pass['max_days'] }}" - when: - - rhel7cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.1 - -- name: "5.5.1.2 | PATCH | Ensure minimum days between password changes is configured" - ansible.builtin.lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel7cis_pass['min_days'] }}" - when: - - rhel7cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.2 - -- name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - ansible.builtin.lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel7cis_pass['warn_age'] }}" - when: - - rhel7cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.3 - -- name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - ansible.builtin.lineinfile: - path: /etc/default/useradd - regexp: '^INACTIVE=' - line: "INACTIVE={{ rhel7cis_inactivelock['lock_days'] }}" - state: present - - - name: "5.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: "egrep ^[A-Za-z0-9][^:]+:[^\\!*] /etc/shadow | awk -F: '{print $1 \",\" $7}' | egrep -v ',\\d|,[1-2][0-9]|,30|{{ rhel7cis_inactive_whitelist | join('|') }}' | cut -d , -f1" - changed_when: false - check_mode: false - register: rhel_07_5_5_1_4_audit - - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - ansible.builtin.shell: "chage --inactive {{ rhel7cis_inactivelock.lock_days }} {{ item }}" - with_items: - - "{{ rhel_07_5_5_1_4_audit.stdout_lines }}" - when: - - rhel_07_5_5_1_4_audit.stdout | length > 0 - when: - - rhel7cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.4 - -- name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) - failed_when: false - changed_when: false - check_mode: false - register: rhel7cis_5_5_1_5_current_unix_time - - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel7cis_5_5_1_5_current_unix_time.stdout }})print$1}'" - check_mode: false - changed_when: false - register: rhel7cis_5_5_1_5_user_list - - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - ansible.builtin.debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel7cis_5_5_1_5_user_list.stdout | length == 0 - - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - ansible.builtin.debug: - msg: "WARNING!! The following accounts have the last PW change date in the future: {{ rhel7cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel7cis_5_5_1_5_user_list.stdout | length > 0 - - not rhel7cis_futurepwchgdate_autofix - - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - ansible.builtin.shell: passwd --expire {{ item }} - when: - - rhel7cis_5_5_1_5_user_list | length > 0 - - rhel7cis_futurepwchgdate_autofix - with_items: - - "{{ rhel7cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel7cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml deleted file mode 100644 index 23eb9d21..00000000 --- a/tasks/section_5/cis_5.5.x.yml +++ /dev/null @@ -1,100 +0,0 @@ ---- - -- name: "5.5.2 | PATCH | Ensure system accounts are secured" - block: - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set nologin" - ansible.builtin.user: - name: "{{ item.id }}" - shell: /usr/sbin/nologin - loop: "{{ rhel7cis_passwd }}" - loop_control: - label: "{{ item.id }}" - when: - - item.id != "root" - - item.id != "sync" - - item.id != "shutdown" - - item.id != "halt" - - item.gid < rhel7cis_int_gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" - - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" - ansible.builtin.user: - name: "{{ item.id }}" - password_lock: true - loop: "{{ rhel7cis_passwd }}" - loop_control: - label: "{{ item.id }}" - when: - - item.id != "halt" - - item.id != "shutdown" - - item.id != "sync" - - item.id != "root" - - item.gid < rhel7cis_int_gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" - when: - - rhel7cis_rule_5_5_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.2 - -- name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0" - ansible.builtin.shell: usermod -g 0 root - changed_when: false - failed_when: false - when: - - rhel7cis_rule_5_5_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.3 - -- name: "5.5.4 | PATCH | Ensure default user shell timeout is configured" - ansible.builtin.blockinfile: - create: true - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID RHEL-07-5.5.4 - TMOUT={{ rhel7cis_shell_session_timeout.timeout }} - readonly TMOUT - export TMOUT - loop: - - dest: "{{ rhel7cis_shell_session_timeout.file }}" - state: present - - dest: /etc/profile - state: "{{ (rhel7cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" - when: - - rhel7cis_rule_5_5_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.4 - -- name: "5.5.5 | PATCH | Ensure default user umask is configured" - block: - - name: "5.5.5 | PATCH | Ensure default user umask is configured | Set umask for /etc/bashrc" - ansible.builtin.replace: - path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' - - - name: "5.5.5 | PATCH | Ensure default user umask is configured | Set umask for /etc/profile" - ansible.builtin.replace: - path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' - when: - - rhel7cis_rule_5_5_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.5 diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml deleted file mode 100644 index c0623315..00000000 --- a/tasks/section_5/cis_5.6.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: "5.6 | AUDIT | Ensure root login is restricted to system console " - block: - - name: "5.6 | AUDIT | Ensure root login is restricted to system console" - ansible.builtin.command: cat /etc/securetty - changed_when: false - check_mode: false - register: rhel_07_5_6_audit - - - name: "5.6 | AUDIT | Ensure root login is restricted to system console" - ansible.builtin.debug: - msg: - - "These are the consoles with root login access, please review:" - - "{{ rhel_07_5_6_audit.stdout_lines }}" - when: - - rhel7cis_rule_5_6 - tags: - - level1-server - - level1-workstation - - audit - - rule_5.6 diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml deleted file mode 100644 index b3c467fd..00000000 --- a/tasks/section_5/cis_5.7.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -- name: "5.7 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - ansible.builtin.lineinfile: - state: present - dest: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid {% if rhel7cis_sugroup is defined %}group={{ rhel7cis_sugroup }}{% endif %}' - - - name: "5.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - ansible.builtin.user: - name: root - groups: "{{ rhel7cis_sugroup }}" - when: - - rhel7cis_sugroup is defined - when: - - rhel7cis_rule_5_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.7 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 190bf4e9..46388815 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,33 +1,41 @@ --- -- name: "SECTION | 5.1 | Configure time-based job schedulers" +# 5.1 Configure Logging +- name: "SECTION | 5.1.1.x | Configure rsyslog" + when: rhel7cis_syslog == 'rsyslog' ansible.builtin.import_tasks: - file: cis_5.1.x.yml + file: cis_5.1.1.x.yml -- name: "SECTION | 5.2 | Configure Sudo" +- name: "SECTION | 5.1.2.x | Configure journald" + when: rhel7cis_syslog == 'journald' ansible.builtin.import_tasks: - file: cis_5.2.x.yml + file: cis_5.1.2.x.yml -- name: "SECTION | 5.3 | Configure SSH Server" +- name: "SECTION | 5.1.3 | Configure logfile perms" ansible.builtin.import_tasks: - file: cis_5.3.x.yml + file: cis_5.1.3.yml + +- name: "SECTION | 5.1.4 | Configure logrotate" + ansible.builtin.import_tasks: + file: cis_5.1.4.yml -- name: "SECTION | 5.4 | Configure PAM" +# 5.2 Configure System Accounting (auditd) +- name: "SECTION | 5.2.1 | Ensure auditing is enabled" ansible.builtin.import_tasks: - file: cis_5.4.x.yml + file: cis_5.2.1.x.yml -- name: "SECTION | 5.5.1 | Set Shadow Password Suite Parameters" +- name: "SECTION | 5.2.2 | Configure data retention" ansible.builtin.import_tasks: - file: cis_5.5.1.x.yml + file: cis_5.2.2.x.yml -- name: "SECTION | 5.5 | User Accounts and Environment" +- name: "SECTION | 5.2.3.x | Configure auditd rules" ansible.builtin.import_tasks: - file: cis_5.5.x.yml + file: cis_5.2.3.x.yml -- name: "SECTION | 5.6 | User Accounts and Environment" +- name: "SECTION | 5.2.4.x | Audit file permissions" ansible.builtin.import_tasks: - file: cis_5.6.yml + file: cis_5.2.4.x.yml -- name: "SECTION | 5.7 | User Accounts and Environment" +- name: "SECTION | 5.3.x | Aide" ansible.builtin.import_tasks: - file: cis_5.7.yml + file: cis_5.3.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 300a1f5c..49099afe 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -1,305 +1,429 @@ --- -- name: "6.1.1 | PATCH | Audit system file permissions" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" - ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto - changed_when: false - failed_when: false - check_mode: false - register: rhel7cis_6_1_1_packages_rpm - tags: - - skip_ansible_lint - - - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" - ansible.builtin.copy: - dest: "{{ rhel7cis_rpm_audit_file }}" # noqa template-instead-of-copy - content: "{{ rhel7cis_6_1_1_packages_rpm.stdout }}" - owner: root - group: root - mode: 0640 - - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" - ansible.builtin.debug: - msg: | - "WARNING!! You have some package descrepancies issues. - The file list can be found in {{ rhel7cis_rpm_audit_file }}" - when: rhel7cis_6_1_1_packages_rpm.stdout|length > 0 - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" - ansible.builtin.debug: - msg: "Good News! There are no package descrepancies" - when: rhel7cis_6_1_1_packages_rpm.stdout|length == 0 +- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" when: - rhel7cis_rule_6_1_1 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.1 - -- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" ansible.builtin.file: - dest: /etc/passwd + path: /etc/passwd owner: root group: root - mode: 0644 + mode: u-x,go-wx + +- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" when: - rhel7cis_rule_6_1_2 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.2 - -- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" ansible.builtin.file: - dest: /etc/passwd- + path: /etc/passwd- owner: root group: root - mode: 0644 + mode: u-x,go-wx + +- name: "6.1.3 | PATCH | Ensure permissions on /etc/security/opasswd are configured" when: - rhel7cis_rule_6_1_3 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.3 - -- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" ansible.builtin.file: - dest: /etc/shadow + path: /etc/security/opasswd owner: root group: root - mode: 0000 + mode: '0600' + +- name: "6.1.4 | PATCH | Ensure permissions on /etc/group are configured" when: - rhel7cis_rule_6_1_4 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.4 - -- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow- are configured" ansible.builtin.file: - dest: /etc/shadow- + path: /etc/group owner: root group: root - mode: 0000 + mode: u-x,go-wx + +- name: "6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" when: - rhel7cis_rule_6_1_5 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.5 - -- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow- are configured" ansible.builtin.file: - dest: /etc/gshadow- + path: /etc/group- owner: root group: root - mode: 0000 + mode: u-x,go-wx + +- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" when: - rhel7cis_rule_6_1_6 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.6 - -- name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" ansible.builtin.file: - dest: /etc/gshadow + path: /etc/shadow owner: root group: root - mode: 0000 + mode: '0000' + +- name: "6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" when: - rhel7cis_rule_6_1_7 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.7 - -- name: "6.1.8 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: - dest: /etc/group + path: /etc/shadow- owner: root group: root - mode: 0644 + mode: '0000' + +- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" when: - rhel7cis_rule_6_1_8 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.8 - -- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured" ansible.builtin.file: - dest: /etc/group- + path: /etc/gshadow owner: root group: root - mode: 0644 + mode: '0000' + +- name: "6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" when: - rhel7cis_rule_6_1_9 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.9 + ansible.builtin.file: + path: /etc/gshadow- + owner: root + group: root + mode: '0000' -- name: "6.1.10 | PATCH | Ensure no world writable files exist" - block: - - name: "6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - failed_when: false - changed_when: false - register: rhel_07_6_1_10_perms_results - - - name: "6.1.10 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - ansible.builtin.debug: - msg: "Good news! We have not found any world-writable files on your system" - failed_when: false - changed_when: false - when: - - rhel_07_6_1_10_perms_results.stdout is not defined - - - name: "6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - ansible.builtin.file: - path: '{{ item }}' - mode: o-w - state: touch - with_items: "{{ rhel_07_6_1_10_perms_results.stdout_lines }}" - when: - - rhel_07_6_1_10_perms_results.stdout_lines is defined - - rhel7cis_no_world_write_adjust +- name: "6.1.10 | PATCH | Ensure permissions on /etc/shells are configured" when: - rhel7cis_rule_6_1_10 tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.10 + ansible.builtin.file: + path: /etc/shells + owner: root + group: root + mode: u-x,go-wx -- name: "6.1.11 | PATCH | Ensure no unowned files or directories exist" - block: - - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - ansible.builtin.command: find "{{ item.mount }}" -xdev -nouser - check_mode: false - register: rhel_07_6_1_11_audit - failed_when: false - changed_when: false - when: item['device'].startswith('/dev') and not 'bind' in item['options'] - with_items: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" - ansible.builtin.debug: - msg: "WARNING!! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - when: - - item.stdout_lines is defined - - item.stdout_lines | length > 0 - with_items: "{{ rhel_07_6_1_11_audit.results }}" +- name: "6.1.11 | PATCH | Ensure world writable files and directories are secured" when: - rhel7cis_rule_6_1_11 + - rhel7cis_disruption_high tags: - level1-server - level1-workstation + - automated - patch + - files + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.11 - -- name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist" + vars: + warn_control_id: '6.1.11' block: - - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - ansible.builtin.command: find "{{ item.mount }}" -xdev -nogroup - check_mode: false - register: rhel_07_6_1_12_audit + - name: "6.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - when: item['device'].startswith('/dev') and not 'bind' in item['options'] - with_items: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" + register: rhel7cis_6_1_11_perms_results + + - name: "6.1.11 | PATCH | Adjust world-writable files if they exist (Configurable)" + when: + - rhel7cis_6_1_11_perms_results.stdout_lines is defined + - rhel7cis_no_world_write_adjust + ansible.builtin.file: + path: '{{ item }}' + mode: o-w + state: touch + with_items: "{{ rhel7cis_6_1_11_perms_results.stdout_lines }}" + + - name: "6.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + changed_when: false + failed_when: false - - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" + - name: "6.1.11 | AUDIT | Ensure world writable files and directories are secured | Warning" + when: + - rhel7cis_6_1_11_perms_results.stdout_lines is defined + - not rhel7cis_no_world_write_adjust ansible.builtin.debug: - msg: "WARNING!! Manual intervention is required -- missing group on items in {{ item }}!" - changed_when: item | length > 0 - with_items: "{{ rhel_07_6_1_12_audit.results | map(attribute='stdout_lines') }}" + msg: "Warning!! - WorldWritable files have been found" + + - name: "6.1.11 | AUDIT | Ensure world writable files and directories are secured | Warn Count" + when: + - rhel7cis_6_1_11_perms_results.stdout_lines is defined + - not rhel7cis_no_world_write_adjust + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist" when: - rhel7cis_rule_6_1_12 + - rhel7cis_disruption_high tags: - level1-server - level1-workstation + - automated - patch + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - rule_6.1.12 - -- name: "6.1.13 | PATCH | Audit SUID executables" + - permissions + vars: + warn_control_id: '6.1.12' block: - - name: "6.1.13 | AUDIT | Audit SUID executables | Find all SUID executables" - ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 - failed_when: false + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped files or directories" + ansible.builtin.shell: find {{ item.mount }} -xdev -nogroup -not -fstype nfs changed_when: false - register: rhel_07_6_1_13_perms_results - with_items: "{{ ansible_mounts }}" + failed_when: false + check_mode: false + register: rhel7cis_6_1_12_ungrouped_items + with_items: + - "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" + ansible.builtin.set_fact: + rhel7cis_6_1_12_ungrouped_items_flatten: "{{ rhel7cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" + + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" + when: + - not rhel7cis_ungrouped_adjust + - rhel7cis_6_1_12_ungrouped_items_flatten | length > 0 ansible.builtin.debug: - msg: "Good news! We have not found any SUID executable files on your system" - failed_when: false - changed_when: false + msg: + - "Warning!! You have ungrouped files/directories and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign a group" + - "{{ rhel7cis_6_1_12_ungrouped_items_flatten }}" + + - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" when: - - rhel_07_6_1_13_perms_results.stdout is not defined + - rhel7cis_ungrouped_adjust + - rhel7cis_6_1_12_ungrouped_items_flatten | length > 0 + ansible.builtin.file: + path: "{{ item }}" + group: "{{ rhel7cis_ungrouped_group }}" + loop: + - "{{ rhel7cis_6_1_12_ungrouped_items_flatten }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" - ansible.builtin.debug: - msg: "WARNING!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_07_6_1_13_perms_results.stdout_lines }}" + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Warn Count" when: - - rhel_07_6_1_13_perms_results.stdout is defined + - rhel7cis_ungrouped_adjust + - rhel7cis_6_1_12_ungrouped_items_flatten | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" when: - rhel7cis_rule_6_1_13 + - rhel7cis_disruption_high tags: - level1-server - level1-workstation - - patch + - manual + - audit - rule_6.1.13 - -- name: "6.1.14 | PATCH | Audit SGID executables" + - permissions + vars: + warn_control_id: '6.1.13' block: - - name: "6.1.14 | AUDIT | Audit SGID executables | Find all SGID executables" - ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 - failed_when: false + - name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID executables" + ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -4000 -not -fstype nfs changed_when: false - register: rhel_07_6_1_14_perms_results - with_items: "{{ ansible_mounts }}" + failed_when: false + check_mode: false + register: rhel7cis_6_1_13_suid_executables + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SGID executable files on your system" - failed_when: false + - name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find all SGID executables" + ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -2000 -not -fstype nfs changed_when: false + failed_when: false + check_mode: false + register: rhel7cis_6_1_13_sgid_executables + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.mount }}" + + - name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Flatten suid_executables results for easier use" + ansible.builtin.set_fact: + rhel7cis_6_1_13_suid_executables_flatten: "{{ rhel7cis_6_1_13_suid_executables.results | map(attribute='stdout_lines') | flatten }}" + + - name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Set fact SGID executables" + ansible.builtin.set_fact: + rhel7cis_6_1_13_sgid_executables_flatten: "{{ rhel7cis_6_1_13_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" + + - name: "6.1.13 | PATCH | Ensure SUID and SGID files are reviewed | Remove SUID bit" + when: + - rhel7cis_suid_adjust + - rhel7cis_6_1_13_suid_executables_flatten | length > 0 + ansible.builtin.file: + path: "{{ item }}" + mode: 'u-s' + loop: + - "{{ rhel7cis_6_1_13_suid_executables_flatten }}" + + - name: "6.1.13 | PATCH | Audit SGID executables | Remove SGID bit" + ansible.builtin.file: + path: "{{ item }}" + mode: 'g-s' + with_items: + - "{{ rhel7cis_6_1_13_sgid_executables_flatten }}" when: - - rhel_07_6_1_14_perms_results.stdout is not defined + - rhel7cis_sgid_adjust + - rhel7cis_6_1_13_sgid_executables_flatten | length > 0 - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" + - name: "6.1.13 | WARN | Ensure SUID and SGID files are reviewed | Alert SUID executables exist" + when: + - rhel7cis_6_1_13_suid_executables_flatten | length > 0 + - not rhel7cis_suid_adjust ansible.builtin.debug: - msg: "WARNING!! Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_07_6_1_14_perms_results.stdout_lines }}" + msg: + - "Warning!! You have SUID executables" + - "The files are listed below, please confirm the integrity of these binaries" + - "{{ rhel7cis_6_1_13_suid_executables_flatten }}" + + - name: "6.1.13 | WARN | Ensure SUID and SGID files are reviewed | Alert SGID executables exist" when: - - rhel_07_6_1_14_perms_results.stdout is defined + - rhel7cis_6_1_13_sgid_executables_flatten | length > 0 + - not rhel7cis_sgid_adjust + ansible.builtin.debug: + msg: + - "Warning!! You have SGID executables" + - "The files are listed below, please review the integrity of these binaries" + - "{{ rhel7cis_6_1_13_sgid_executables_flatten }}" + + - name: "6.1.13 | WARN | Ensure SUID and SGID files are reviewed | Warn Count" + when: + - (rhel7cis_6_1_13_suid_executables_flatten | length > 0 and not rhel7cis_suid_adjust) or + (rhel7cis_6_1_13_sgid_executables_flatten | length > 0 and not rhel7cis_sgid_adjust) + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.1.14 | AUDIT | Audit system file permissions" when: - rhel7cis_rule_6_1_14 + - rhel7cis_disruption_high tags: - - level1-server - - level1-workstation - - patch + - level2-server + - level2-workstation + - manual + - audit + - NIST800-53R5_AC-3 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - NIST800-53R5_MP-2 + - permissions - rule_6.1.14 + vars: + warn_control_id: '6.1.14' + block: + - name: "6.1.14 | AUDIT | Audit system file permissions | Audit the packages" + ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto + changed_when: false + failed_when: false + register: rhel7cis_6_1_14_packages_rpm + + - name: "6.1.14 | AUDIT | Audit system file permissions | Create list and warning" + block: + - name: "6.1.14 | AUDIT | Audit system file permissions | Add file discrepancy list to system" + ansible.builtin.copy: + dest: "{{ rhel7cis_rpm_audit_file }}" # noqa template-instead-of-copy + content: "{{ rhel7cis_6_1_14_packages_rpm.stdout }}" + owner: root + group: root + mode: '0644' + + - name: "6.1.14 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" + when: rhel7cis_6_1_14_packages_rpm.stdout | length > 0 + ansible.builtin.debug: + msg: | + "Warning!! You have some package descrepancies issues. + The file list can be found in {{ rhel7cis_rpm_audit_file }}" + + - name: "6.1.14 | AUDIT | Audit system file permissions | Warn Count" + when: rhel7cis_6_1_14_packages_rpm.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 89fb7297..f5650783 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -1,443 +1,446 @@ --- -- name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords" - block: - - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords" - ansible.builtin.shell: sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd - loop: "{{ rhel7cis_passwd | selectattr('password', '!=', 'x') | list }}" - register: rhel7_6_2_1_shadow - when: - - rhel7cis_passwd | selectattr('password', '!=', 'x') - - - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News" - ansible.builtin.debug: - msg: "Good News!! No Unshadowed passwords have been found" - when: rhel7_6_2_1_shadow is not changed +- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" when: - rhel7cis_rule_6_2_1 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - NIST800-53R5_IA-5 - rule_6.2.1 + - user_accounts + vars: + warn_control_id: '6.2.1' + block: + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" + ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd + changed_when: false + failed_when: false + register: rhel7cis_6_2_1_nonshadowed_users -- name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" - ansible.builtin.command: passwd -l {{ item }} - changed_when: false - failed_when: false - loop: "{{ empty_password_accounts.stdout_lines }}" + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings" + when: rhel7cis_6_2_1_nonshadowed_users.stdout | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" + - "{{ rhel7cis_6_2_1_nonshadowed_users.stdout_lines }}" + + - name: "6.2.1 | WARN | Ensure accounts in /etc/passwd use shadowed passwords | warn_count" + when: rhel7cis_6_2_1_nonshadowed_users.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" when: - - empty_password_accounts.rc - rhel7cis_rule_6_2_2 tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.2 - -- name: "6.2.3 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" + - NIST800-53R5_IA-5 + - user + - permissions block: - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + - name: "6.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password" + ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow changed_when: false - failed_when: false check_mode: false - register: passwd_gid_check + register: rhel7cis_6_2_2_empty_password_acct - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - ansible.builtin.debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: passwd_gid_check.stdout is not defined + - name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password" + when: rhel7cis_6_2_2_empty_password_acct.stdout | length > 0 + ansible.builtin.user: + name: "{{ item }}" + password_lock: true + loop: + - "{{ rhel7cis_6_2_2_empty_password_acct.stdout_lines }}" - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - ansible.builtin.debug: - msg: "WARNING!! The following users have non-existent GIDs (Groups): {{ passwd_gid_check.stdout_lines | join (', ') }}" - changed_when: false - when: passwd_gid_check.stdout is defined +- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" when: - rhel7cis_rule_6_2_3 tags: - level1-server - level1-workstation - - patch + - automated + - audit - rule_6.2.3 - -- name: "6.2.4 | AUDIT | Ensure shadow group is empty" + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - groups + vars: + warn_control_id: '6.2.3' block: - - name: "6.2.4 | AUDIT | Ensure shadow group is empty" - ansible.builtin.shell: "grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group" + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' changed_when: false failed_when: false - register: users_in_shadow_group + check_mode: false + register: rhel7cis_6_2_3_passwd_gid_check - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | Print no user in shadow group" + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + when: rhel7cis_6_2_3_passwd_gid_check.stdout | length > 0 ansible.builtin.debug: - msg: "Good News! There are no users in the shadow group" - when: users_is_shadow_group.stdout is undefined + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel7cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - - name: "6.2.4 AUDIT | Ensure shadow group is empty | Print no user in shadow group" - ansible.builtin.debug: - msg: "WARNING!! The following users are in the shadow group: {{ users_is_shadow_group.stdout_lines }}" - when: users_is_shadow_group.stdout is defined + - name: "6.2.3 | WARN | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" + when: rhel7cis_6_2_3_passwd_gid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" when: - rhel7cis_rule_6_2_4 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - rule_6.2.4 - -- name: "6.2.5 | PATCH | Ensure no duplicate user names exist" + - user + vars: + warn_control_id: '6.2.4' block: - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" changed_when: false failed_when: false - register: user_username_check + check_mode: false + register: rhel7cis_6_2_4_user_uid_check - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + when: rhel7cis_6_2_4_user_uid_check.stdout | length > 0 ansible.builtin.debug: - msg: "Good News! There are no duplicate user names in the system" - when: user_username_check.stdout is not defined + msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel7cis_6_2_4_user_uid_check.stdout_lines }}" - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - ansible.builtin.debug: - msg: "WARNING!! The following user names are duplicates: {{ user_username_check.stdout_lines }}" - when: user_username_check.stdout is defined + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Set warning count" + when: rhel7cis_6_2_4_user_uid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist" when: - rhel7cis_rule_6_2_5 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - rule_6.2.5 - -- name: "6.2.6 | PATCH | Ensure no duplicate group names exist" + - groups + vars: + warn_control_id: '6.2.5' block: - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" changed_when: false failed_when: false check_mode: false - register: group_group_check + register: rhel7cis_6_2_5_user_user_check - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + when: rhel7cis_6_2_5_user_user_check.stdout | length > 0 ansible.builtin.debug: - msg: "Good News! There are no duplicate group names in the system" - when: group_group_check.stdout is defined + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel7cis_6_2_5_user_user_check.stdout_lines }}" - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - ansible.builtin.debug: - msg: "WARNING!! The following group names are duplicates: {{ group_group_check.stdout_lines }}" - when: group_group_check.stdout is not defined + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Set warning count" + when: rhel7cis_6_2_5_user_user_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist" + vars: + warn_control_id: '6.2.6' when: - rhel7cis_rule_6_2_6 tags: - level1-server - level1-workstation - - patch + - automated + - audit - rule_6.2.6 - -- name: "6.2.7 | PATCH | Ensure no duplicate UIDs exist" + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - user block: - - name: "6.2.7 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: false failed_when: false - register: user_uid_check + check_mode: false + register: rhel7cis_6_2_6_username_check - - name: "6.2.7 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + - name: "6.2.6 | WARN | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + when: rhel7cis_6_2_6_username_check.stdout | length > 0 ansible.builtin.debug: - msg: "Good News! There are no duplicate UID's in the system" - when: user_uid_check.stdout is not defined + msg: "Warning!! The following user names are duplicates: {{ rhel7cis_6_2_6_user_username_check.stdout_lines }}" - - name: "6.2.7 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - ansible.builtin.debug: - msg: "WARNING!! The following users have UIDs that are duplicates: {{ user_uid_check.stdout_lines }}" - when: user_uid_check.stdout is defined + - name: "6.2.6 | WARN | Ensure no duplicate user names exist | Set warning count" + when: rhel7cis_6_2_6_username_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist" when: - rhel7cis_rule_6_2_7 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - rule_6.2.7 - -- name: "6.2.8 | PATCH | Ensure no duplicate GIDs exist" + - groups + vars: + warn_control_id: '6.2.7' block: - - name: "6.2.8 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false failed_when: false - register: user_user_check + check_mode: false + register: rhel7cis_6_2_7_group_check - - name: "6.2.8 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + when: rhel7cis_6_2_7_group_check.stdout | length > 0 ansible.builtin.debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: user_user_check.stdout is not defined + msg: "Warning!! The following group names are duplicates: {{ rhel7cis_6_2_7_group_group_check.stdout_lines }}" - - name: "6.2.8 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - ansible.builtin.debug: - msg: "WARNING!! The following groups have duplicate GIDs: {{ user_user_check.stdout_lines }}" - when: user_user_check.stdout is defined + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count" + when: rhel7cis_6_2_7_group_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "6.2.8 | PATCH | Ensure root PATH Integrity" when: - rhel7cis_rule_6_2_8 tags: - level1-server - level1-workstation - patch + - paths + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - rule_6.2.8 - -- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" - ansible.builtin.command: passwd -l {{ item }} - changed_when: false - failed_when: false - loop: "{{ uid_zero_accounts_except_root.stdout_lines }}" - when: - - uid_zero_accounts_except_root.rc - - rhel7cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.9 - -- name: "6.2.10 | PATCH | Ensure root PATH Integrity" block: - - name: "6.2.10 | AUDIT | Ensure root PATH Integrity | Determine empty value" - ansible.builtin.shell: 'echo $PATH | grep ::' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false - failed_when: path_colon.rc == 0 - check_mode: false - register: path_colon + register: rhel7cis_6_2_8_root_paths - - name: "6.2.10 | AUDIT | Ensure root PATH Integrity | Determin colon end" - ansible.builtin.shell: 'echo $PATH | grep :$' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" changed_when: false - failed_when: path_colon_end.rc == 0 - check_mode: false - register: path_colon_end - - - name: "6.2.10 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | grep ^PATH | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - changed_when: false - failed_when: '"." in dot_in_path.stdout_lines' - check_mode: false - register: dot_in_path - - - name: "6.2.10 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - ansible.builtin.debug: - msg: - - "The following paths have an empty value: {{ path_colon.stdout_lines }}" - - "The following paths have colon end: {{ path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ dot_in_path.stdout_lines }}" - - - name: "6.2.10 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - ansible.builtin.file: - path: '{{ item }}' - follow: true - state: directory - owner: root - mode: 'o-w,g-w' - loop: "{{ dot_in_path.stdout_lines }}" - when: - - rhel7cis_rule_6_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.10 - -- name: "6.2.11 | PATCH | Ensure all users' home directories exist" - block: - - name: "6.2.11 | AUDIT | Ensure all users' home directories exist | Find users missing home directories" - ansible.builtin.shell: set -o pipefail ; pwck -r | grep -P {{ ld_regex | quote }} - changed_when: rhel_07_6_2_11_audit | length > 0 - # failed_when: 0: success, 1: no grep match, 2: pwck found something - failed_when: rhel7cis_users_missing_home.rc not in [0,1,2] - check_mode: false - register: rhel7cis_users_missing_home + register: rhel7cis_6_2_8_root_paths_split - - name: "6.2.11 | AUDIT | Ensure all users' home directories exist | set fact missinghome dirs" + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" ansible.builtin.set_fact: - missing_home_dirs: "{{ rhel_07_6_2_11_audit | map(attribute='id') | list }}" + root_paths: "{{ rhel7cis_6_2_8_root_paths.stdout }}" - - name: "6.2.11 | PATCH | Ensure all users' home directories exist | create missing home dirs" - ansible.builtin.shell: "mkhomedir_helper {{ item }}" - with_items: - - "{{ missing_home_dirs }}" - when: rhel7cis_users_missing_home is changed # noqa: no-handler + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' + changed_when: false + failed_when: rhel7cis_6_2_8_root_path_empty_dir.rc not in [ 0, 1 ] + register: rhel7cis_6_2_8_root_path_empty_dir - - name: "6.2.11 | Audit| Ensure all users' home directories exist | Warning" - ansible.builtin.debug: - msg: "WARNING!! {{ item }} user home directory has been created please ensure any SELINUX settings are applied" - with_items: - - "{{ missing_home_dirs }}" - when: rhel7cis_users_missing_home is changed # noqa: no-handler + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' + changed_when: false + failed_when: rhel7cis_6_2_8_root_path_trailing_colon.rc not in [ 0, 1 ] + register: rhel7cis_6_2_8_root_path_trailing_colon + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + block: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.stat: + path: "{{ item }}" + register: rhel7cis_6_2_8_root_path_perms + loop: "{{ rhel7cis_6_2_8_root_paths_split.stdout_lines }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions" + when: + - item.stat.exists + - item.stat.isdir + - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp + - (item != 'root') and (not rhel7cis_uses_root) + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + owner: root + group: root + mode: '0755' + follow: false + loop: "{{ rhel7cis_6_2_8_root_path_perms.results }}" + loop_control: + label: "{{ item }}" - vars: - ld_regex: >- - ^user '(?P.*)': directory '(?P.*)' does not exist$ - ld_users: "{{ rhel7cis_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g') | list }}" - rhel_07_6_2_11_audit: "{{ rhel7cis_passwd | selectattr('uid', '>=', 1000) | selectattr('id', 'in', ld_users) | list }}" +- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" when: - - rhel7cis_rule_6_2_11 + - discovered_uid_zero_accounts_except_root.rc + - rhel7cis_rule_6_2_9 tags: - level1-server - level1-workstation - patch - - rule_6.2.11 + - accounts + - users + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - rule_6.2.9 + ansible.builtin.shell: passwd -l {{ item }} + changed_when: false + failed_when: false + loop: "{{ discovered_uid_zero_accounts_except_root.stdout_lines }}" -- name: "6.2.12 | PATCH | Ensure users own their home directories" - ansible.builtin.file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - with_items: "{{ rhel7cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | selectattr('dir', '!=', '/') | list }}" - loop_control: - label: "{{ rhel7cis_passwd_label }}" +- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" when: - - rhel7cis_rule_6_2_12 + - rhel7cis_rule_6_2_10 tags: - - skip_ansible_lint - level1-server - level1-workstation - patch - - rule_6.2.12 - -- name: "6.2.13 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - users + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - rule_6.2.10 block: - - name: "6.2.13 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" + ansible.builtin.file: + path: "{{ item.dir }}" + state: directory + owner: "{{ item.id }}" + group: "{{ item.gid }}" + register: rhel7cis_6_2_10_home_dir + loop: "{{ rhel7cis_passwd | selectattr('uid', '>=', rhel7uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel7uid_interactive_uid_stop | int ) | list }}" + loop_control: + label: "{{ item.id }}" + + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist | get perms stat" ansible.builtin.stat: path: "{{ item }}" - with_items: "{{ rhel7cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - register: rhel_07_6_2_13_audit + register: rhel7cis_6_2_10_home_dir_perms + loop: "{{ discovered_interactive_users_home.stdout_lines }}" - - name: "6.2.13 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - ansible.builtin.command: find -P {{ item.0 | quote }} -not -type l -perm /027 - check_mode: false - register: rhel_07_6_2_13_patch_audit - changed_when: rhel_07_6_2_13_patch_audit.stdout != "" - when: - - ansible_check_mode - - item.1.exists - with_together: - - "{{ rhel_07_6_2_13_audit.results | map(attribute='item') | list }}" - - "{{ rhel_07_6_2_13_audit.results | map(attribute='stat') | list }}" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | set perms if needed" + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + mode: g-w,o-rwx + loop: "{{ rhel7cis_6_2_10_home_dir_perms.results }}" loop_control: - label: "{{ item.0 }}" + label: "{{ item }}" - - name: "6.2.13 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - ansible.builtin.file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - follow: false - register: rhel_07_6_2_13_patch + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | own their home directories" when: - - not ansible_check_mode - - item.1.exists - with_together: - - "{{ rhel_07_6_2_13_audit.results | map(attribute='item') | list }}" - - "{{ rhel_07_6_2_13_audit.results | map(attribute='stat') | list }}" + - item.uid >= rhel7uid_interactive_uid_start | int + - item.id != 'nobody' + - (item.id != 'tss' and item.dir != '/dev/null') + - item.shell != '/sbin/nologin' + ansible.builtin.file: + path: "{{ item.dir }}" + owner: "{{ item.id }}" + state: directory + loop: "{{ rhel7cis_passwd | selectattr('uid', '>=', rhel7uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel7uid_interactive_uid_stop | int ) | list }}" loop_control: - label: "{{ item.0 }}" + label: "{{ item.id }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.13 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set group ACL" ansible.posix.acl: - path: "{{ item.0 }}" + path: "{{ item }}" default: true + etype: group + permissions: rx state: present - recursive: true - follow: false - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - when: - - not system_is_container - with_nested: - - "{{ (ansible_check_mode | ternary(rhel_07_6_2_13_patch_audit, rhel_07_6_2_13_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' + loop: "{{ discovered_interactive_users_home.stdout_lines }}" + + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set other ACL" + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: other + permissions: 0 + state: present + loop: "{{ discovered_interactive_users_home.stdout_lines }}" + +- name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured" when: - - rhel7cis_rule_6_2_13 + - rhel7cis_rule_6_2_11 + - rhel7cis_disruption_high tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.13 - -- name: "6.2.14 | PATCH | Ensure users' dot files are not group or world-writable" + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - rule_6.2.11 + - user + vars: + warn_control_id: '6.2.11' block: - - name: "6.2.14 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + - name: "6.2.11 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w changed_when: false - failed_when: false - register: rhel7cis_6_2_14_audit + failed_when: rhel7cis_6_2_11_audit.rc not in [ 0, 1 ] + check_mode: false + register: rhel7cis_6_2_11_audit - - name: "6.2.14 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + - name: "6.2.11 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found" + when: + - rhel7cis_6_2_11_audit.stdout | length > 0 + - rhel7cis_dotperm_ansiblemanaged ansible.builtin.debug: - msg: "Good news! We have not found any group or world-writable dot files on your sytem" - failed_when: false - changed_when: false + msg: + - "Warning!! You have group or world-writable dot files on your system and have configured for manual intervention" + + - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" when: - - rhel7cis_6_2_14_audit.stdout is not defined + - rhel7cis_6_2_11_audit.stdout | length > 0 + - rhel7cis_dotperm_ansiblemanaged + ansible.builtin.import_tasks: + file: warning_facts.yml - - name: "6.2.14 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" + when: + - rhel7cis_6_2_11_audit.stdout | length > 0 + - rhel7cis_dotperm_ansiblemanaged ansible.builtin.file: path: '{{ item }}' mode: go-w - with_items: "{{ rhel7cis_6_2_14_audit.stdout_lines }}" - when: - - rhel7cis_6_2_14_audit.stdout is defined - - rhel7cis_dotperm_ansiblemanaged - when: - - rhel7cis_rule_6_2_14 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.14 - -- name: "6.2.15 | PATCH | Ensure no users have .forward files" - ansible.builtin.file: - state: absent - dest: "~{{ item }}/.forward" - loop: "{{ users.stdout_lines }}" - when: - - rhel7cis_rule_6_2_15 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.15 - -- name: "6.2.16 | PATCH | Ensure no users have .netrc files" - ansible.builtin.file: - state: absent - dest: "~{{ item }}/.netrc" - with_items: "{{ users.stdout_lines }}" - when: - - rhel7cis_rule_6_2_16 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.16 - -- name: "6.2.17 | PATCH | Ensure no users have .rhosts files" - ansible.builtin.file: - state: absent - dest: "~{{ item }}/.rhosts" - with_items: "{{ users.stdout_lines }}" - when: - - rhel7cis_rule_6_2_17 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.17 + with_items: "{{ rhel7cis_6_2_11_audit.stdout_lines }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml new file mode 100644 index 00000000..3032b7cb --- /dev/null +++ b/tasks/warning_facts.yml @@ -0,0 +1,20 @@ +--- + +# This task is used to create variables used in giving a warning summary for manual tasks +# that need attention +# +# The warn_control_list and warn_count vars start life in vars/main.yml but get updated +# as the tasks that have a warning complete +# +# Those two variables are used in the tasks/main.yml to display a list of warnings +# +# warn_control_id is set within the task itself and has the control ID as the value +# +# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s +# +# warn_count the main variable for the number of warnings and each time a warn_control_id is added +# the count increases by a value of 1 +- name: "{{ warn_control_id }} | WARNING | Set fact for manual task warning." + ansible.builtin.set_fact: + warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" + warn_count: "{{ warn_count | int + 1 }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ba9ffa85..bac77b61 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,15 +1,13 @@ ---- ## metadata for Audit benchmark -benchmark_version: '3.1.1' +benchmark_version: '4.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS -is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} +host_os_distribution: {{ ansible_distribution }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: {{ audit_cmd_timeout }} # Taken from LE rhel7-cis -rhel7cis_notauto: {{ rhel7cis_notauto }} rhel7cis_section1: {{ rhel7cis_section1 }} rhel7cis_section2: {{ rhel7cis_section2 }} rhel7cis_section3: {{ rhel7cis_section3 }} @@ -17,17 +15,26 @@ rhel7cis_section4: {{ rhel7cis_section4 }} rhel7cis_section5: {{ rhel7cis_section5 }} rhel7cis_section6: {{ rhel7cis_section6 }} +rhel7cis_level_1: {{ rhel7cis_level_1 }} +rhel7cis_level_2: {{ rhel7cis_level_2 }} + rhel7cis_selinux_disable: {{ rhel7cis_selinux_disable }} rhel7cis_selinux_state: {{ rhel7cis_selinux_state }} - -rhel7cis_level1: true -rhel7cis_level2: true # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy -run_heavy_tests: {{ audit_run_heavy_tests }} +rhel7cis_run_heavy_tests: {{ audit_run_heavy_tests }} +{% if rhel7cis_legacy_boot is defined %} rhel7cis_legacy_boot: {{ rhel7cis_legacy_boot }} +{% endif %} +# if Bios boot +rhel7cis_bootloader_file: /boot/grub2/grub.cfg +# These variables correspond with the CIS rule IDs or paragraph numbers defined in +# the CIS benchmark documents. +# PLEASE NOTE: These work in coordination with the section # group variables and tags. +# You must enable an entire section in order for the variables below to take effect. +# Section 1 rules # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. @@ -36,68 +43,106 @@ rhel7cis_legacy_boot: {{ rhel7cis_legacy_boot }} rhel7cis_rule_1_1_1_1: {{ rhel7cis_rule_1_1_1_1 }} rhel7cis_rule_1_1_1_2: {{ rhel7cis_rule_1_1_1_2 }} rhel7cis_rule_1_1_1_3: {{ rhel7cis_rule_1_1_1_3 }} -rhel7cis_rule_1_1_2: {{ rhel7cis_rule_1_1_2 }} -rhel7cis_rule_1_1_3: {{ rhel7cis_rule_1_1_3 }} -rhel7cis_rule_1_1_4: {{ rhel7cis_rule_1_1_4 }} -rhel7cis_rule_1_1_5: {{ rhel7cis_rule_1_1_5 }} -rhel7cis_rule_1_1_6: {{ rhel7cis_rule_1_1_6 }} -rhel7cis_rule_1_1_7: {{ rhel7cis_rule_1_1_7 }} -rhel7cis_rule_1_1_8: {{ rhel7cis_rule_1_1_8 }} -rhel7cis_rule_1_1_9: {{ rhel7cis_rule_1_1_9 }} -rhel7cis_rule_1_1_10: {{ rhel7cis_rule_1_1_10 }} -rhel7cis_rule_1_1_11: {{ rhel7cis_rule_1_1_11 }} -rhel7cis_rule_1_1_12: {{ rhel7cis_rule_1_1_12 }} -rhel7cis_rule_1_1_13: {{ rhel7cis_rule_1_1_13 }} -rhel7cis_rule_1_1_14: {{ rhel7cis_rule_1_1_14 }} -rhel7cis_rule_1_1_15: {{ rhel7cis_rule_1_1_15 }} -rhel7cis_rule_1_1_16: {{ rhel7cis_rule_1_1_16 }} -rhel7cis_rule_1_1_17: {{ rhel7cis_rule_1_1_17 }} -rhel7cis_rule_1_1_18: {{ rhel7cis_rule_1_1_18 }} -rhel7cis_rule_1_1_19: {{ rhel7cis_rule_1_1_19 }} -rhel7cis_rule_1_1_20: {{ rhel7cis_rule_1_1_20 }} -rhel7cis_rule_1_1_21: {{ rhel7cis_rule_1_1_21 }} -rhel7cis_rule_1_1_22: {{ rhel7cis_rule_1_1_22 }} -rhel7cis_rule_1_1_23: {{ rhel7cis_rule_1_1_23 }} -rhel7cis_rule_1_1_24: {{ rhel7cis_rule_1_1_24 }} +rhel7cis_rule_1_1_1_4: {{ rhel7cis_rule_1_1_1_4 }} +rhel7cis_rule_1_1_1_5: {{ rhel7cis_rule_1_1_1_5 }} +rhel7cis_rule_1_1_1_6: {{ rhel7cis_rule_1_1_1_6 }} +rhel7cis_rule_1_1_1_7: {{ rhel7cis_rule_1_1_1_7 }} +rhel7cis_rule_1_1_1_8: {{ rhel7cis_rule_1_1_1_8 }} +# /tmp +rhel7cis_rule_1_1_2_1_1: {{ rhel7cis_rule_1_1_2_1_1 }} +rhel7cis_rule_1_1_2_1_2: {{ rhel7cis_rule_1_1_2_1_2 }} +rhel7cis_rule_1_1_2_1_3: {{ rhel7cis_rule_1_1_2_1_3 }} +rhel7cis_rule_1_1_2_1_4: {{ rhel7cis_rule_1_1_2_1_4 }} + +# /dev/shm +rhel7cis_rule_1_1_2_2_1: {{ rhel7cis_rule_1_1_2_2_1 }} +rhel7cis_rule_1_1_2_2_2: {{ rhel7cis_rule_1_1_2_2_2 }} +rhel7cis_rule_1_1_2_2_3: {{ rhel7cis_rule_1_1_2_2_3 }} +rhel7cis_rule_1_1_2_2_4: {{ rhel7cis_rule_1_1_2_2_4 }} + +# /home +rhel7cis_rule_1_1_2_3_1: {{ rhel7cis_rule_1_1_2_3_1 }} +rhel7cis_rule_1_1_2_3_2: {{ rhel7cis_rule_1_1_2_3_2 }} +rhel7cis_rule_1_1_2_3_3: {{ rhel7cis_rule_1_1_2_3_3 }} + +# /var +rhel7cis_rule_1_1_2_4_1: {{ rhel7cis_rule_1_1_2_4_1 }} +rhel7cis_rule_1_1_2_4_2: {{ rhel7cis_rule_1_1_2_4_2 }} +rhel7cis_rule_1_1_2_4_3: {{ rhel7cis_rule_1_1_2_4_3 }} + +# /var/tmp +rhel7cis_rule_1_1_2_5_1: {{ rhel7cis_rule_1_1_2_5_1 }} +rhel7cis_rule_1_1_2_5_2: {{ rhel7cis_rule_1_1_2_5_2 }} +rhel7cis_rule_1_1_2_5_3: {{ rhel7cis_rule_1_1_2_5_3 }} +rhel7cis_rule_1_1_2_5_4: {{ rhel7cis_rule_1_1_2_5_4 }} + +# /var/log +rhel7cis_rule_1_1_2_6_1: {{ rhel7cis_rule_1_1_2_6_1 }} +rhel7cis_rule_1_1_2_6_2: {{ rhel7cis_rule_1_1_2_6_2 }} +rhel7cis_rule_1_1_2_6_3: {{ rhel7cis_rule_1_1_2_6_3 }} +rhel7cis_rule_1_1_2_6_4: {{ rhel7cis_rule_1_1_2_6_4 }} + +# /var/log/audit +rhel7cis_rule_1_1_2_7_1: {{ rhel7cis_rule_1_1_2_7_1 }} +rhel7cis_rule_1_1_2_7_2: {{ rhel7cis_rule_1_1_2_7_2 }} +rhel7cis_rule_1_1_2_7_3: {{ rhel7cis_rule_1_1_2_7_3 }} +rhel7cis_rule_1_1_2_7_4: {{ rhel7cis_rule_1_1_2_7_4 }} + +# Patching rhel7cis_rule_1_2_1: {{ rhel7cis_rule_1_2_1 }} rhel7cis_rule_1_2_2: {{ rhel7cis_rule_1_2_2 }} rhel7cis_rule_1_2_3: {{ rhel7cis_rule_1_2_3 }} rhel7cis_rule_1_2_4: {{ rhel7cis_rule_1_2_4 }} rhel7cis_rule_1_2_5: {{ rhel7cis_rule_1_2_5 }} + +# bootloader grub rhel7cis_rule_1_3_1: {{ rhel7cis_rule_1_3_1 }} rhel7cis_rule_1_3_2: {{ rhel7cis_rule_1_3_2 }} +rhel7cis_rule_1_3_3: {{ rhel7cis_rule_1_3_3 }} + +# kernel sysctl and coredumps rhel7cis_rule_1_4_1: {{ rhel7cis_rule_1_4_1 }} rhel7cis_rule_1_4_2: {{ rhel7cis_rule_1_4_2 }} rhel7cis_rule_1_4_3: {{ rhel7cis_rule_1_4_3 }} -rhel7cis_rule_1_5_1: {{ rhel7cis_rule_1_5_1 }} -rhel7cis_rule_1_5_2: {{ rhel7cis_rule_1_5_2 }} -rhel7cis_rule_1_5_3: {{ rhel7cis_rule_1_5_3 }} -rhel7cis_rule_1_5_4: {{ rhel7cis_rule_1_5_4 }} -rhel7cis_rule_1_6_1_1: {{ rhel7cis_rule_1_6_1_1 }} -rhel7cis_rule_1_6_1_2: {{ rhel7cis_rule_1_6_1_2 }} -rhel7cis_rule_1_6_1_3: {{ rhel7cis_rule_1_6_1_3 }} -rhel7cis_rule_1_6_1_4: {{ rhel7cis_rule_1_6_1_4 }} -rhel7cis_rule_1_6_1_5: {{ rhel7cis_rule_1_6_1_5 }} -rhel7cis_rule_1_6_1_6: {{ rhel7cis_rule_1_6_1_6 }} -rhel7cis_rule_1_6_1_7: {{ rhel7cis_rule_1_6_1_7 }} -rhel7cis_rule_1_6_1_8: {{ rhel7cis_rule_1_6_1_8 }} +rhel7cis_rule_1_4_4: {{ rhel7cis_rule_1_4_4 }} + +# SElinux +rhel7cis_rule_1_5_1_1: {{ rhel7cis_rule_1_5_1_1 }} +rhel7cis_rule_1_5_1_2: {{ rhel7cis_rule_1_5_1_2 }} +rhel7cis_rule_1_5_1_3: {{ rhel7cis_rule_1_5_1_3 }} +rhel7cis_rule_1_5_1_4: {{ rhel7cis_rule_1_5_1_4 }} +rhel7cis_rule_1_5_1_5: {{ rhel7cis_rule_1_5_1_5 }} +rhel7cis_rule_1_5_1_6: {{ rhel7cis_rule_1_5_1_6 }} +rhel7cis_rule_1_5_1_7: {{ rhel7cis_rule_1_5_1_7 }} +rhel7cis_rule_1_5_1_8: {{ rhel7cis_rule_1_5_1_8 }} + +# motd and banner +rhel7cis_rule_1_6_1: {{ rhel7cis_rule_1_6_1 }} +rhel7cis_rule_1_6_2: {{ rhel7cis_rule_1_6_2 }} +rhel7cis_rule_1_6_3: {{ rhel7cis_rule_1_6_3 }} +rhel7cis_rule_1_6_4: {{ rhel7cis_rule_1_6_4 }} +rhel7cis_rule_1_6_5: {{ rhel7cis_rule_1_6_5 }} +rhel7cis_rule_1_6_6: {{ rhel7cis_rule_1_6_6 }} + +# Gnome and Desktop rhel7cis_rule_1_7_1: {{ rhel7cis_rule_1_7_1 }} rhel7cis_rule_1_7_2: {{ rhel7cis_rule_1_7_2 }} rhel7cis_rule_1_7_3: {{ rhel7cis_rule_1_7_3 }} rhel7cis_rule_1_7_4: {{ rhel7cis_rule_1_7_4 }} rhel7cis_rule_1_7_5: {{ rhel7cis_rule_1_7_5 }} rhel7cis_rule_1_7_6: {{ rhel7cis_rule_1_7_6 }} -rhel7cis_rule_1_8_1: {{ rhel7cis_rule_1_8_1 }} -rhel7cis_rule_1_8_2: {{ rhel7cis_rule_1_8_2 }} -rhel7cis_rule_1_8_3: {{ rhel7cis_rule_1_8_3 }} -rhel7cis_rule_1_8_4: {{ rhel7cis_rule_1_8_4 }} -rhel7cis_rule_1_9: {{ rhel7cis_rule_1_9 }} +rhel7cis_rule_1_7_7: {{ rhel7cis_rule_1_7_7 }} +rhel7cis_rule_1_7_8: {{ rhel7cis_rule_1_7_8 }} +rhel7cis_rule_1_7_9: {{ rhel7cis_rule_1_7_9 }} +rhel7cis_rule_1_7_10: {{ rhel7cis_rule_1_7_10 }} -# section 2 rules +# Time Service (Chrony) rhel7cis_rule_2_1_1: {{ rhel7cis_rule_2_1_1 }} -rhel7cis_rule_2_2_1_1: {{ rhel7cis_rule_2_2_1_1 }} -rhel7cis_rule_2_2_1_2: {{ rhel7cis_rule_2_2_1_2 }} -rhel7cis_rule_2_2_1_3: {{ rhel7cis_rule_2_2_1_3 }} +rhel7cis_rule_2_1_2: {{ rhel7cis_rule_2_1_2 }} +rhel7cis_rule_2_1_3: {{ rhel7cis_rule_2_1_3 }} + +# Special purpose services +rhel7cis_rule_2_2_1: {{ rhel7cis_rule_2_2_1 }} rhel7cis_rule_2_2_2: {{ rhel7cis_rule_2_2_2 }} rhel7cis_rule_2_2_3: {{ rhel7cis_rule_2_2_3 }} rhel7cis_rule_2_2_4: {{ rhel7cis_rule_2_2_4 }} @@ -116,17 +161,33 @@ rhel7cis_rule_2_2_16: {{ rhel7cis_rule_2_2_16 }} rhel7cis_rule_2_2_17: {{ rhel7cis_rule_2_2_17 }} rhel7cis_rule_2_2_18: {{ rhel7cis_rule_2_2_18 }} rhel7cis_rule_2_2_19: {{ rhel7cis_rule_2_2_19 }} +rhel7cis_rule_2_2_20: {{ rhel7cis_rule_2_2_20 }} +rhel7cis_rule_2_2_21: {{ rhel7cis_rule_2_2_21 }} +rhel7cis_rule_2_2_22: {{ rhel7cis_rule_2_2_22 }} + +# Client Services rhel7cis_rule_2_3_1: {{ rhel7cis_rule_2_3_1 }} rhel7cis_rule_2_3_2: {{ rhel7cis_rule_2_3_2 }} rhel7cis_rule_2_3_3: {{ rhel7cis_rule_2_3_3 }} rhel7cis_rule_2_3_4: {{ rhel7cis_rule_2_3_4 }} rhel7cis_rule_2_3_5: {{ rhel7cis_rule_2_3_5 }} -# Section 3 rules +## +## Section 3 rules +## +# Section 3 is Network Configuration (Disable unused network protocols, Network parameters (host), Network parameters (Host and Router), Uncommon Network Protocols, Firewall Configuration, and Configure iptables) +# ipv6, bluettoth and wireless rhel7cis_rule_3_1_1: {{ rhel7cis_rule_3_1_1 }} rhel7cis_rule_3_1_2: {{ rhel7cis_rule_3_1_2 }} +rhel7cis_rule_3_1_3: {{ rhel7cis_rule_3_1_3 }} + +# network kernel modules rhel7cis_rule_3_2_1: {{ rhel7cis_rule_3_2_1 }} rhel7cis_rule_3_2_2: {{ rhel7cis_rule_3_2_2 }} +rhel7cis_rule_3_2_3: {{ rhel7cis_rule_3_2_3 }} +rhel7cis_rule_3_2_4: {{ rhel7cis_rule_3_2_4 }} + +# network kernel parameters rhel7cis_rule_3_3_1: {{ rhel7cis_rule_3_3_1 }} rhel7cis_rule_3_3_2: {{ rhel7cis_rule_3_3_2 }} rhel7cis_rule_3_3_3: {{ rhel7cis_rule_3_3_3 }} @@ -136,124 +197,221 @@ rhel7cis_rule_3_3_6: {{ rhel7cis_rule_3_3_6 }} rhel7cis_rule_3_3_7: {{ rhel7cis_rule_3_3_7 }} rhel7cis_rule_3_3_8: {{ rhel7cis_rule_3_3_8 }} rhel7cis_rule_3_3_9: {{ rhel7cis_rule_3_3_9 }} -rhel7cis_rule_3_4_1: {{ rhel7cis_rule_3_4_1 }} -rhel7cis_rule_3_4_2: {{ rhel7cis_rule_3_4_2 }} -rhel7cis_rule_3_5_1_1: {{ rhel7cis_rule_3_5_1_1 }} -rhel7cis_rule_3_5_1_2: {{ rhel7cis_rule_3_5_1_2 }} -rhel7cis_rule_3_5_1_3: {{ rhel7cis_rule_3_5_1_3 }} -rhel7cis_rule_3_5_1_4: {{ rhel7cis_rule_3_5_1_4 }} -rhel7cis_rule_3_5_1_5: {{ rhel7cis_rule_3_5_1_5 }} -rhel7cis_rule_3_5_1_6: {{ rhel7cis_rule_3_5_1_6 }} -rhel7cis_rule_3_5_1_7: {{ rhel7cis_rule_3_5_1_7 }} -rhel7cis_rule_3_5_2_1: {{ rhel7cis_rule_3_5_2_1 }} -rhel7cis_rule_3_5_2_2: {{ rhel7cis_rule_3_5_2_2 }} -rhel7cis_rule_3_5_2_3: {{ rhel7cis_rule_3_5_2_3 }} -rhel7cis_rule_3_5_2_4: {{ rhel7cis_rule_3_5_2_4 }} -rhel7cis_rule_3_5_2_5: {{ rhel7cis_rule_3_5_2_5 }} -rhel7cis_rule_3_5_2_6: {{ rhel7cis_rule_3_5_2_6 }} -rhel7cis_rule_3_5_2_7: {{ rhel7cis_rule_3_5_2_7 }} -rhel7cis_rule_3_5_2_8: {{ rhel7cis_rule_3_5_2_8 }} -rhel7cis_rule_3_5_2_9: {{ rhel7cis_rule_3_5_2_9 }} -rhel7cis_rule_3_5_2_10: {{ rhel7cis_rule_3_5_2_10 }} -rhel7cis_rule_3_5_2_11: {{ rhel7cis_rule_3_5_2_11 }} -rhel7cis_rule_3_5_3_1_1: {{ rhel7cis_rule_3_5_3_1_1 }} -rhel7cis_rule_3_5_3_1_2: {{ rhel7cis_rule_3_5_3_1_2 }} -rhel7cis_rule_3_5_3_1_3: {{ rhel7cis_rule_3_5_3_1_3 }} -rhel7cis_rule_3_5_3_2_1: {{ rhel7cis_rule_3_5_3_2_1 }} -rhel7cis_rule_3_5_3_2_2: {{ rhel7cis_rule_3_5_3_2_2 }} -rhel7cis_rule_3_5_3_2_3: {{ rhel7cis_rule_3_5_3_2_3 }} -rhel7cis_rule_3_5_3_2_4: {{ rhel7cis_rule_3_5_3_2_4 }} -rhel7cis_rule_3_5_3_2_5: {{ rhel7cis_rule_3_5_3_2_5 }} -rhel7cis_rule_3_5_3_2_6: {{ rhel7cis_rule_3_5_3_2_6 }} -rhel7cis_rule_3_5_3_3_1: {{ rhel7cis_rule_3_5_3_3_1 }} -rhel7cis_rule_3_5_3_3_2: {{ rhel7cis_rule_3_5_3_3_2 }} -rhel7cis_rule_3_5_3_3_3: {{ rhel7cis_rule_3_5_3_3_3 }} -rhel7cis_rule_3_5_3_3_4: {{ rhel7cis_rule_3_5_3_3_4 }} -rhel7cis_rule_3_5_3_3_5: {{ rhel7cis_rule_3_5_3_3_5 }} -rhel7cis_rule_3_5_3_3_6: {{ rhel7cis_rule_3_5_3_3_6 }} - +rhel7cis_rule_3_3_10: {{ rhel7cis_rule_3_3_10 }} +rhel7cis_rule_3_3_11: {{ rhel7cis_rule_3_3_11 }} + +# Configure firewall utility +rhel7cis_rule_3_4_1_1: {{ rhel7cis_rule_3_4_1_1 }} +rhel7cis_rule_3_4_1_2: {{ rhel7cis_rule_3_4_1_2 }} + +# firewalld +rhel7cis_rule_3_4_2_1: {{ rhel7cis_rule_3_4_2_1 }} +rhel7cis_rule_3_4_2_2: {{ rhel7cis_rule_3_4_2_2 }} +rhel7cis_rule_3_4_2_3: {{ rhel7cis_rule_3_4_2_3 }} +rhel7cis_rule_3_4_2_4: {{ rhel7cis_rule_3_4_2_4 }} + +# nftables +rhel7cis_rule_3_4_3_1: {{ rhel7cis_rule_3_4_3_1 }} +rhel7cis_rule_3_4_3_2: {{ rhel7cis_rule_3_4_3_2 }} +rhel7cis_rule_3_4_3_3: {{ rhel7cis_rule_3_4_3_3 }} +rhel7cis_rule_3_4_3_4: {{ rhel7cis_rule_3_4_3_4 }} +rhel7cis_rule_3_4_3_5: {{ rhel7cis_rule_3_4_3_5 }} +rhel7cis_rule_3_4_3_6: {{ rhel7cis_rule_3_4_3_6 }} +rhel7cis_rule_3_4_3_7: {{ rhel7cis_rule_3_4_3_7 }} +rhel7cis_rule_3_4_3_8: {{ rhel7cis_rule_3_4_3_8 }} +rhel7cis_rule_3_4_3_9: {{ rhel7cis_rule_3_4_3_9 }} + +# iptables +rhel7cis_rule_3_4_4_1_1: {{ rhel7cis_rule_3_4_4_1_1 }} + +# ip4tables +rhel7cis_rule_3_4_4_2_1: {{ rhel7cis_rule_3_4_4_2_1 }} +rhel7cis_rule_3_4_4_2_2: {{ rhel7cis_rule_3_4_4_2_2 }} +rhel7cis_rule_3_4_4_2_3: {{ rhel7cis_rule_3_4_4_2_3 }} +rhel7cis_rule_3_4_4_2_4: {{ rhel7cis_rule_3_4_4_2_4 }} +rhel7cis_rule_3_4_4_2_5: {{ rhel7cis_rule_3_4_4_2_5 }} +rhel7cis_rule_3_4_4_2_6: {{ rhel7cis_rule_3_4_4_2_6 }} + +# ip6tables +rhel7cis_rule_3_4_4_3_1: {{ rhel7cis_rule_3_4_4_3_1 }} +rhel7cis_rule_3_4_4_3_2: {{ rhel7cis_rule_3_4_4_3_2 }} +rhel7cis_rule_3_4_4_3_3: {{ rhel7cis_rule_3_4_4_3_3 }} +rhel7cis_rule_3_4_4_3_4: {{ rhel7cis_rule_3_4_4_3_4 }} +rhel7cis_rule_3_4_4_3_5: {{ rhel7cis_rule_3_4_4_3_5 }} +rhel7cis_rule_3_4_4_3_6: {{ rhel7cis_rule_3_4_4_3_6 }} + +## # Section 4 rules +## + +# Crond and at rhel7cis_rule_4_1_1_1: {{ rhel7cis_rule_4_1_1_1 }} rhel7cis_rule_4_1_1_2: {{ rhel7cis_rule_4_1_1_2 }} rhel7cis_rule_4_1_1_3: {{ rhel7cis_rule_4_1_1_3 }} +rhel7cis_rule_4_1_1_4: {{ rhel7cis_rule_4_1_1_4 }} +rhel7cis_rule_4_1_1_5: {{ rhel7cis_rule_4_1_1_5 }} +rhel7cis_rule_4_1_1_6: {{ rhel7cis_rule_4_1_1_6 }} +rhel7cis_rule_4_1_1_7: {{ rhel7cis_rule_4_1_1_7 }} +rhel7cis_rule_4_1_1_8: {{ rhel7cis_rule_4_1_1_8 }} rhel7cis_rule_4_1_2_1: {{ rhel7cis_rule_4_1_2_1 }} -rhel7cis_rule_4_1_2_2: {{ rhel7cis_rule_4_1_2_2 }} -rhel7cis_rule_4_1_2_3: {{ rhel7cis_rule_4_1_2_3 }} -rhel7cis_rule_4_1_2_4: {{ rhel7cis_rule_4_1_2_4 }} -rhel7cis_rule_4_1_3: {{ rhel7cis_rule_4_1_3 }} -rhel7cis_rule_4_1_4: {{ rhel7cis_rule_4_1_4 }} -rhel7cis_rule_4_1_5: {{ rhel7cis_rule_4_1_5 }} -rhel7cis_rule_4_1_6: {{ rhel7cis_rule_4_1_6 }} -rhel7cis_rule_4_1_7: {{ rhel7cis_rule_4_1_7 }} -rhel7cis_rule_4_1_8: {{ rhel7cis_rule_4_1_8 }} -rhel7cis_rule_4_1_9: {{ rhel7cis_rule_4_1_9 }} -rhel7cis_rule_4_1_10: {{ rhel7cis_rule_4_1_10 }} -rhel7cis_rule_4_1_11: {{ rhel7cis_rule_4_1_11 }} -rhel7cis_rule_4_1_12: {{ rhel7cis_rule_4_1_12 }} -rhel7cis_rule_4_1_13: {{ rhel7cis_rule_4_1_13 }} -rhel7cis_rule_4_1_14: {{ rhel7cis_rule_4_1_14 }} -rhel7cis_rule_4_1_15: {{ rhel7cis_rule_4_1_15 }} -rhel7cis_rule_4_1_16: {{ rhel7cis_rule_4_1_16 }} -rhel7cis_rule_4_1_17: {{ rhel7cis_rule_4_1_17 }} -rhel7cis_rule_4_2_1_1: {{ rhel7cis_rule_4_2_1_1 }} -rhel7cis_rule_4_2_1_2: {{ rhel7cis_rule_4_2_1_2 }} -rhel7cis_rule_4_2_1_3: {{ rhel7cis_rule_4_2_1_3 }} -rhel7cis_rule_4_2_1_4: {{ rhel7cis_rule_4_2_1_4 }} -rhel7cis_rule_4_2_1_5: {{ rhel7cis_rule_4_2_1_5 }} -rhel7cis_rule_4_2_2_1: {{ rhel7cis_rule_4_2_2_1 }} -rhel7cis_rule_4_2_2_2: {{ rhel7cis_rule_4_2_2_2 }} -rhel7cis_rule_4_2_2_3: {{ rhel7cis_rule_4_2_2_3 }} -rhel7cis_rule_4_2_3: {{ rhel7cis_rule_4_2_3 }} -# Section 5 -rhel7cis_rule_5_1_1: {{ rhel7cis_rule_5_1_1 }} -rhel7cis_rule_5_1_2: {{ rhel7cis_rule_5_1_2 }} +# SSHD +rhel7cis_rule_4_2_1: {{ rhel7cis_rule_4_2_1 }} +rhel7cis_rule_4_2_2: {{ rhel7cis_rule_4_2_2 }} +rhel7cis_rule_4_2_3: {{ rhel7cis_rule_4_2_3 }} +rhel7cis_rule_4_2_4: {{ rhel7cis_rule_4_2_4 }} +rhel7cis_rule_4_2_5: {{ rhel7cis_rule_4_2_5 }} +rhel7cis_rule_4_2_6: {{ rhel7cis_rule_4_2_6 }} +rhel7cis_rule_4_2_7: {{ rhel7cis_rule_4_2_7 }} +rhel7cis_rule_4_2_8: {{ rhel7cis_rule_4_2_8 }} +rhel7cis_rule_4_2_9: {{ rhel7cis_rule_4_2_9 }} +rhel7cis_rule_4_2_10: {{ rhel7cis_rule_4_2_10 }} +rhel7cis_rule_4_2_11: {{ rhel7cis_rule_4_2_11 }} +rhel7cis_rule_4_2_12: {{ rhel7cis_rule_4_2_12 }} +rhel7cis_rule_4_2_13: {{ rhel7cis_rule_4_2_13 }} +rhel7cis_rule_4_2_14: {{ rhel7cis_rule_4_2_14 }} +rhel7cis_rule_4_2_15: {{ rhel7cis_rule_4_2_15 }} +rhel7cis_rule_4_2_16: {{ rhel7cis_rule_4_2_16 }} +rhel7cis_rule_4_2_17: {{ rhel7cis_rule_4_2_17 }} +rhel7cis_rule_4_2_18: {{ rhel7cis_rule_4_2_18 }} +rhel7cis_rule_4_2_19: {{ rhel7cis_rule_4_2_19 }} +rhel7cis_rule_4_2_20: {{ rhel7cis_rule_4_2_20 }} +rhel7cis_rule_4_2_21: {{ rhel7cis_rule_4_2_21 }} +rhel7cis_rule_4_2_22: {{ rhel7cis_rule_4_2_22 }} + +# Privilege Escalation +rhel7cis_rule_4_3_1: {{ rhel7cis_rule_4_3_1 }} +rhel7cis_rule_4_3_2: {{ rhel7cis_rule_4_3_2 }} +rhel7cis_rule_4_3_3: {{ rhel7cis_rule_4_3_3 }} +rhel7cis_rule_4_3_4: {{ rhel7cis_rule_4_3_4 }} +rhel7cis_rule_4_3_5: {{ rhel7cis_rule_4_3_5 }} +rhel7cis_rule_4_3_6: {{ rhel7cis_rule_4_3_6 }} +rhel7cis_rule_4_3_7: {{ rhel7cis_rule_4_3_7 }} + +## Configure Pluggable Authentication +# software packages +rhel7cis_rule_4_4_1_1: {{ rhel7cis_rule_4_4_1_1 }} +rhel7cis_rule_4_4_1_2: {{ rhel7cis_rule_4_4_1_2 }} + +# pam_faillock +rhel7cis_rule_4_4_2_1_1: {{ rhel7cis_rule_4_4_2_1_1 }} +rhel7cis_rule_4_4_2_1_2: {{ rhel7cis_rule_4_4_2_1_2 }} +rhel7cis_rule_4_4_2_1_3: {{ rhel7cis_rule_4_4_2_1_3 }} +rhel7cis_rule_4_4_2_1_4: {{ rhel7cis_rule_4_4_2_1_4 }} + +# pam_pwquality +rhel7cis_rule_4_4_2_2_1: {{ rhel7cis_rule_4_4_2_2_1 }} +rhel7cis_rule_4_4_2_2_2: {{ rhel7cis_rule_4_4_2_2_2 }} +rhel7cis_rule_4_4_2_2_3: {{ rhel7cis_rule_4_4_2_2_3 }} +rhel7cis_rule_4_4_2_2_4: {{ rhel7cis_rule_4_4_2_2_4 }} +rhel7cis_rule_4_4_2_2_5: {{ rhel7cis_rule_4_4_2_2_5 }} +rhel7cis_rule_4_4_2_2_6: {{ rhel7cis_rule_4_4_2_2_6 }} +rhel7cis_rule_4_4_2_2_7: {{ rhel7cis_rule_4_4_2_2_7 }} + +# pam pwhistory +rhel7cis_rule_4_4_2_3_1: {{ rhel7cis_rule_4_4_2_3_1 }} +rhel7cis_rule_4_4_2_3_2: {{ rhel7cis_rule_4_4_2_3_2 }} +rhel7cis_rule_4_4_2_3_3: {{ rhel7cis_rule_4_4_2_3_3 }} +rhel7cis_rule_4_4_2_3_4: {{ rhel7cis_rule_4_4_2_3_4 }} + +# pam pam_unix +rhel7cis_rule_4_4_2_4_1: {{ rhel7cis_rule_4_4_2_4_1 }} +rhel7cis_rule_4_4_2_4_2: {{ rhel7cis_rule_4_4_2_4_2 }} +rhel7cis_rule_4_4_2_4_3: {{ rhel7cis_rule_4_4_2_4_3 }} +rhel7cis_rule_4_4_2_4_4: {{ rhel7cis_rule_4_4_2_4_4 }} + +# shadow password +rhel7cis_rule_4_5_1_1: {{ rhel7cis_rule_4_5_1_1 }} +rhel7cis_rule_4_5_1_2: {{ rhel7cis_rule_4_5_1_2 }} +rhel7cis_rule_4_5_1_3: {{ rhel7cis_rule_4_5_1_3 }} +rhel7cis_rule_4_5_1_4: {{ rhel7cis_rule_4_5_1_4 }} +rhel7cis_rule_4_5_1_5: {{ rhel7cis_rule_4_5_1_5 }} + +# root and system accts +rhel7cis_rule_4_5_2_1: {{ rhel7cis_rule_4_5_2_1 }} +rhel7cis_rule_4_5_2_2: {{ rhel7cis_rule_4_5_2_2 }} +rhel7cis_rule_4_5_2_3: {{ rhel7cis_rule_4_5_2_3 }} +rhel7cis_rule_4_5_2_4: {{ rhel7cis_rule_4_5_2_4 }} + +# user default envs +rhel7cis_rule_4_5_3_1: {{ rhel7cis_rule_4_5_3_1 }} +rhel7cis_rule_4_5_3_2: {{ rhel7cis_rule_4_5_3_2 }} +rhel7cis_rule_4_5_3_3: {{ rhel7cis_rule_4_5_3_3 }} + +# +## Section 5 rules +## + +# Rsyslog +rhel7cis_rule_5_1_1_1: {{ rhel7cis_rule_5_1_1_1 }} +rhel7cis_rule_5_1_1_2: {{ rhel7cis_rule_5_1_1_2 }} +rhel7cis_rule_5_1_1_3: {{ rhel7cis_rule_5_1_1_3 }} +rhel7cis_rule_5_1_1_4: {{ rhel7cis_rule_5_1_1_4 }} +rhel7cis_rule_5_1_1_5: {{ rhel7cis_rule_5_1_1_5 }} +rhel7cis_rule_5_1_1_6: {{ rhel7cis_rule_5_1_1_6 }} +rhel7cis_rule_5_1_1_7: {{ rhel7cis_rule_5_1_1_7 }} + +# Journald +rhel7cis_rule_5_1_2_1_1: {{ rhel7cis_rule_5_1_2_1_1 }} +rhel7cis_rule_5_1_2_1_2: {{ rhel7cis_rule_5_1_2_1_2 }} +rhel7cis_rule_5_1_2_1_3: {{ rhel7cis_rule_5_1_2_1_3 }} +rhel7cis_rule_5_1_2_1_4: {{ rhel7cis_rule_5_1_2_1_4 }} +rhel7cis_rule_5_1_2_2: {{ rhel7cis_rule_5_1_2_2 }} +rhel7cis_rule_5_1_2_3: {{ rhel7cis_rule_5_1_2_3 }} +rhel7cis_rule_5_1_2_4: {{ rhel7cis_rule_5_1_2_4 }} +rhel7cis_rule_5_1_2_5: {{ rhel7cis_rule_5_1_2_5 }} +rhel7cis_rule_5_1_2_6: {{ rhel7cis_rule_5_1_2_6 }} rhel7cis_rule_5_1_3: {{ rhel7cis_rule_5_1_3 }} rhel7cis_rule_5_1_4: {{ rhel7cis_rule_5_1_4 }} -rhel7cis_rule_5_1_5: {{ rhel7cis_rule_5_1_5 }} -rhel7cis_rule_5_1_6: {{ rhel7cis_rule_5_1_6 }} -rhel7cis_rule_5_1_7: {{ rhel7cis_rule_5_1_7 }} -rhel7cis_rule_5_1_8: {{ rhel7cis_rule_5_1_8 }} -rhel7cis_rule_5_1_9: {{ rhel7cis_rule_5_1_9 }} -rhel7cis_rule_5_2_1: {{ rhel7cis_rule_5_2_1 }} -rhel7cis_rule_5_2_2: {{ rhel7cis_rule_5_2_2 }} -rhel7cis_rule_5_2_3: {{ rhel7cis_rule_5_2_3 }} + +# Auditd +rhel7cis_rule_5_2_1_1: {{ rhel7cis_rule_5_2_1_1 }} +rhel7cis_rule_5_2_1_2: {{ rhel7cis_rule_5_2_1_2 }} +rhel7cis_rule_5_2_1_3: {{ rhel7cis_rule_5_2_1_3 }} +rhel7cis_rule_5_2_1_4: {{ rhel7cis_rule_5_2_1_4 }} +rhel7cis_rule_5_2_2_1: {{ rhel7cis_rule_5_2_2_1 }} +rhel7cis_rule_5_2_2_2: {{ rhel7cis_rule_5_2_2_2 }} +rhel7cis_rule_5_2_2_3: {{ rhel7cis_rule_5_2_2_3 }} +rhel7cis_rule_5_2_2_4: {{ rhel7cis_rule_5_2_2_4 }} + +# auditd rules +rhel7cis_rule_5_2_3_1: {{ rhel7cis_rule_5_2_3_1 }} +rhel7cis_rule_5_2_3_2: {{ rhel7cis_rule_5_2_3_2 }} +rhel7cis_rule_5_2_3_3: {{ rhel7cis_rule_5_2_3_3 }} +rhel7cis_rule_5_2_3_4: {{ rhel7cis_rule_5_2_3_4 }} +rhel7cis_rule_5_2_3_5: {{ rhel7cis_rule_5_2_3_5 }} +rhel7cis_rule_5_2_3_6: {{ rhel7cis_rule_5_2_3_6 }} +rhel7cis_rule_5_2_3_7: {{ rhel7cis_rule_5_2_3_7 }} +rhel7cis_rule_5_2_3_8: {{ rhel7cis_rule_5_2_3_8 }} +rhel7cis_rule_5_2_3_9: {{ rhel7cis_rule_5_2_3_9 }} +rhel7cis_rule_5_2_3_10: {{ rhel7cis_rule_5_2_3_10 }} +rhel7cis_rule_5_2_3_11: {{ rhel7cis_rule_5_2_3_11 }} +rhel7cis_rule_5_2_3_12: {{ rhel7cis_rule_5_2_3_12 }} +rhel7cis_rule_5_2_3_13: {{ rhel7cis_rule_5_2_3_13 }} +rhel7cis_rule_5_2_3_14: {{ rhel7cis_rule_5_2_3_14 }} +rhel7cis_rule_5_2_3_15: {{ rhel7cis_rule_5_2_3_15 }} +rhel7cis_rule_5_2_3_16: {{ rhel7cis_rule_5_2_3_16 }} +rhel7cis_rule_5_2_3_17: {{ rhel7cis_rule_5_2_3_17 }} +rhel7cis_rule_5_2_3_18: {{ rhel7cis_rule_5_2_3_18 }} +rhel7cis_rule_5_2_3_19: {{ rhel7cis_rule_5_2_3_19 }} +rhel7cis_rule_5_2_3_20: {{ rhel7cis_rule_5_2_3_20 }} +rhel7cis_rule_5_2_3_21: {{ rhel7cis_rule_5_2_3_21 }} + +# auditd file access +rhel7cis_rule_5_2_4_1: {{ rhel7cis_rule_5_2_4_1 }} +rhel7cis_rule_5_2_4_2: {{ rhel7cis_rule_5_2_4_2 }} +rhel7cis_rule_5_2_4_3: {{ rhel7cis_rule_5_2_4_3 }} +rhel7cis_rule_5_2_4_4: {{ rhel7cis_rule_5_2_4_4 }} +rhel7cis_rule_5_2_4_5: {{ rhel7cis_rule_5_2_4_5 }} +rhel7cis_rule_5_2_4_6: {{ rhel7cis_rule_5_2_4_6 }} +rhel7cis_rule_5_2_4_7: {{ rhel7cis_rule_5_2_4_7 }} +rhel7cis_rule_5_2_4_8: {{ rhel7cis_rule_5_2_4_8 }} +rhel7cis_rule_5_2_4_9: {{ rhel7cis_rule_5_2_4_9 }} +rhel7cis_rule_5_2_4_10: {{ rhel7cis_rule_5_2_4_10 }} + +# Aide rhel7cis_rule_5_3_1: {{ rhel7cis_rule_5_3_1 }} rhel7cis_rule_5_3_2: {{ rhel7cis_rule_5_3_2 }} -rhel7cis_rule_5_3_3: {{ rhel7cis_rule_5_3_3 }} -rhel7cis_rule_5_3_4: {{ rhel7cis_rule_5_3_4 }} -rhel7cis_rule_5_3_5: {{ rhel7cis_rule_5_3_5 }} -rhel7cis_rule_5_3_6: {{ rhel7cis_rule_5_3_6 }} -rhel7cis_rule_5_3_7: {{ rhel7cis_rule_5_3_7 }} -rhel7cis_rule_5_3_8: {{ rhel7cis_rule_5_3_8 }} -rhel7cis_rule_5_3_9: {{ rhel7cis_rule_5_3_9 }} -rhel7cis_rule_5_3_10: {{ rhel7cis_rule_5_3_10 }} -rhel7cis_rule_5_3_11: {{ rhel7cis_rule_5_3_11 }} -rhel7cis_rule_5_3_12: {{ rhel7cis_rule_5_3_12 }} -rhel7cis_rule_5_3_13: {{ rhel7cis_rule_5_3_13 }} -rhel7cis_rule_5_3_14: {{ rhel7cis_rule_5_3_14 }} -rhel7cis_rule_5_3_15: {{ rhel7cis_rule_5_3_15 }} -rhel7cis_rule_5_3_16: {{ rhel7cis_rule_5_3_16 }} -rhel7cis_rule_5_3_17: {{ rhel7cis_rule_5_3_17 }} -rhel7cis_rule_5_3_18: {{ rhel7cis_rule_5_3_18 }} -rhel7cis_rule_5_3_19: {{ rhel7cis_rule_5_3_19 }} -rhel7cis_rule_5_3_20: {{ rhel7cis_rule_5_3_20 }} -rhel7cis_rule_5_3_21: {{ rhel7cis_rule_5_3_21 }} -rhel7cis_rule_5_3_22: {{ rhel7cis_rule_5_3_22 }} -rhel7cis_rule_5_4_1: {{ rhel7cis_rule_5_4_1 }} -rhel7cis_rule_5_4_2: {{ rhel7cis_rule_5_4_2 }} -rhel7cis_rule_5_4_3: {{ rhel7cis_rule_5_4_3 }} -rhel7cis_rule_5_4_4: {{ rhel7cis_rule_5_4_4 }} -rhel7cis_rule_5_5_1_1: {{ rhel7cis_rule_5_5_1_1 }} -rhel7cis_rule_5_5_1_2: {{ rhel7cis_rule_5_5_1_2 }} -rhel7cis_rule_5_5_1_3: {{ rhel7cis_rule_5_5_1_3 }} -rhel7cis_rule_5_5_1_4: {{ rhel7cis_rule_5_5_1_4 }} -rhel7cis_rule_5_5_1_5: {{ rhel7cis_rule_5_5_1_5 }} -rhel7cis_rule_5_5_2: {{ rhel7cis_rule_5_5_2 }} -rhel7cis_rule_5_5_3: {{ rhel7cis_rule_5_5_3 }} -rhel7cis_rule_5_5_4: {{ rhel7cis_rule_5_5_4 }} -rhel7cis_rule_5_5_5: {{ rhel7cis_rule_5_5_5 }} -rhel7cis_rule_5_7: {{ rhel7cis_rule_5_7 }} # Section 6 rhel7cis_rule_6_1_1: {{ rhel7cis_rule_6_1_1 }} @@ -288,184 +446,225 @@ rhel7cis_rule_6_2_14: {{ rhel7cis_rule_6_2_14 }} rhel7cis_rule_6_2_15: {{ rhel7cis_rule_6_2_15 }} rhel7cis_rule_6_2_16: {{ rhel7cis_rule_6_2_16 }} rhel7cis_rule_6_2_17: {{ rhel7cis_rule_6_2_17 }} +##### +#### +# Section1 +#### +rhel7cis_boot_path: {{ rhel7cis_boot_path }} +rhel7cis_set_boot_pass: {{ rhel7cis_set_boot_pass }} + +# Warning Banner Content (issue, issue.net, motd) +rhel7cis_warning_banner: {{ rhel7cis_warning_banner }} +# End Banner + +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel7cis_gui: {{ rhel7cis_gui }} + +#### +# Section 2 +#### +rhel7cis_time_synchronization: {{ rhel7cis_time_synchronization }} + +# 2.2.x # Service configuration booleans set true to keep service +# Service configuration +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +# Server Services +rhel7cis_autofs_services: {{ rhel7cis_autofs_services }} +rhel7cis_autofs_mask: {{ rhel7cis_autofs_mask }} rhel7cis_avahi_server: {{ rhel7cis_avahi_server }} -rhel7cis_cups_server: {{ rhel7cis_cups_server }} +rhel7cis_avahi_mask: {{ rhel7cis_avahi_mask }} rhel7cis_dhcp_server: {{ rhel7cis_dhcp_server }} -rhel7cis_ldap_server: {{ rhel7cis_ldap_server }} -rhel7cis_telnet_server: {{ rhel7cis_telnet_server }} +rhel7cis_dhcp_mask: {{ rhel7cis_dhcp_mask }} +rhel7cis_dns_server: {{ rhel7cis_dns_server }} +rhel7cis_dns_mask: {{ rhel7cis_dns_mask }} +rhel7cis_dnsmasq_server: {{ rhel7cis_dnsmasq_server }} +rhel7cis_dnsmasq_mask: {{ rhel7cis_dnsmasq_mask }} +rhel7cis_samba_server: {{ rhel7cis_samba_server }} +rhel7cis_samba_mask: {{ rhel7cis_samba_mask }} +rhel7cis_ftp_server: {{ rhel7cis_ftp_server }} +rhel7cis_ftp_mask: {{ rhel7cis_ftp_mask }} +rhel7cis_message_server: {{ rhel7cis_message_server }} # This is for messaging dovecot and cyrus-imap +rhel7cis_message_mask: {{ rhel7cis_message_mask }} rhel7cis_nfs_server: {{ rhel7cis_nfs_server }} +rhel7cis_nfs_mask: {{ rhel7cis_nfs_mask }} +rhel7cis_nis_server: {{ rhel7cis_nis_server }} # set to mask if nis client required +rhel7cis_nis_mask: {{ rhel7cis_nis_mask }} +rhel7cis_print_server: {{ rhel7cis_print_server }} # replaces cups +rhel7cis_print_mask: {{ rhel7cis_print_mask }} rhel7cis_rpc_server: {{ rhel7cis_rpc_server }} -rhel7cis_ntalk_server: {{ rhel7cis_ntalk_server }} -rhel7cis_rsyncd_server: {{ rhel7cis_rsyncd_server }} +rhel7cis_rpc_mask: {{ rhel7cis_rpc_mask }} +rhel7cis_rsync_server: {{ rhel7cis_rsync_server }} +rhel7cis_rsync_mask: {{ rhel7cis_rsync_mask }} +rhel7cis_net_snmp_server: {{ rhel7cis_net_snmp_server }} +rhel7cis_net_snmp_mask: {{ rhel7cis_net_snmp_mask }} +rhel7cis_telnet_server: {{ rhel7cis_telnet_server }} +rhel7cis_telnet_mask: {{ rhel7cis_telnet_mask }} rhel7cis_tftp_server: {{ rhel7cis_tftp_server }} -rhel7cis_rsh_server: {{ rhel7cis_rsh_server }} -rhel7cis_nis_server: {{ rhel7cis_nis_server }} -rhel7cis_snmp_server: {{ rhel7cis_snmp_server }} +rhel7cis_tftp_mask: {{ rhel7cis_tftp_mask }} rhel7cis_squid_server: {{ rhel7cis_squid_server }} -rhel7cis_smb_server: {{ rhel7cis_smb_server }} -rhel7cis_dovecot_server: {{ rhel7cis_dovecot_server }} +rhel7cis_squid_mask: {{ rhel7cis_squid_mask }} rhel7cis_httpd_server: {{ rhel7cis_httpd_server }} -rhel7cis_vsftpd_server: {{ rhel7cis_vsftpd_server }} -rhel7cis_named_server: {{ rhel7cis_named_server }} -rhel7cis_nfs_rpc_server: {{ rhel7cis_nfs_rpc_server }} +rhel7cis_httpd_mask: {{ rhel7cis_httpd_mask }} +rhel7cis_nginx_server: {{ rhel7cis_nginx_server }} +rhel7cis_nginx_mask: {{ rhel7cis_nginx_mask }} +rhel7cis_xinetd_server: {{ rhel7cis_xinetd_server }} +rhel7cis_xinetd_mask: {{ rhel7cis_xinetd_mask }} +rhel7cis_xwindow_server: {{ rhel7cis_xwindow_server }} # will remove mask not an option rhel7cis_is_mail_server: {{ rhel7cis_is_mail_server }} -rhel7cis_bind: {{ rhel7cis_bind }} -rhel7cis_vsftpd: {{ rhel7cis_vsftpd }} -rhel7cis_httpd: {{ rhel7cis_httpd }} -rhel7cis_dovecot: {{ rhel7cis_dovecot }} -rhel7cis_samba: {{ rhel7cis_samba }} -rhel7cis_squid: {{ rhel7cis_squid }} -rhel7cis_net_snmp: {{ rhel7cis_net_snmp}} -rhel7cis_allow_autofs: {{ rhel7cis_allow_autofs }} - -# client services + +# Service Clients +# Client Services +rhel7cis_ftp_client: {{ rhel7cis_ftp_client }} rhel7cis_openldap_clients_required: {{ rhel7cis_openldap_clients_required }} +rhel7cis_ypbind_required: {{ rhel7cis_ypbind_required }} # Same package as NIS server rhel7cis_telnet_required: {{ rhel7cis_telnet_required }} -rhel7cis_talk_required: {{ rhel7cis_talk_required }} -rhel7cis_rsh_required: {{ rhel7cis_rsh_required }} -rhel7cis_ypbind_required: {{ rhel7cis_ypbind_required }} - -# AIDE -rhel7cis_config_aide: {{ rhel7cis_config_aide }} -# aide setup via - cron, timer -rhel7_aide_scan: cron - -# AIDE cron settings -rhel7cis_aide_cron: - cron_user: {{ rhel7cis_aide_cron.cron_user }} - cron_file: '{{ rhel7cis_aide_cron.cron_file }}' - aide_job: ' {{ rhel7cis_aide_cron.aide_job }}' - aide_minute: '{{ rhel7cis_aide_cron.aide_minute }}' - aide_hour: '{{ rhel7cis_aide_cron.aide_hour }}' - aide_day: '{{ rhel7cis_aide_cron.aide_day }}' - aide_month: '{{ rhel7cis_aide_cron.aide_month }}' - aide_weekday: '{{ rhel7cis_aide_cron.aide_weekday }}' - -# 1.4.1 Bootloader password -rhel7cis_bootloader_file: {{ rhel7cis_bootloader_path }}grub.cfg -rhel7cis_bootloader_user: {{ rhel7cis_bootloader_path }}user.cfg -rhel7cis_bootloader_password: {{ rhel7cis_bootloader_password_hash }} -rhel7cis_set_boot_pass: {{ rhel7cis_set_boot_pass }} - -# Warning Banner Content (issue, issue.net, motd) -rhel7cis_warning_banner: {{ rhel7cis_warning_banner }} -# End Banner - -# Set to 'true' if X Windows is needed in your environment -rhel7cis_xwindows_required: {{ rhel7cis_xwindows_required }} - -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel7cis_gui: {{ rhel7cis_gui }} - -# xinetd required -rhel7cis_xinetd_required: {{ rhel7cis_xinetd_required }} +rhel7cis_tftp_client: {{ rhel7cis_tftp_client }} +### +## Section 3 Variables +#### +# 3.1.x # IPv6 required rhel7cis_ipv6_required: {{ rhel7cis_ipv6_required }} +rhel7cis_ipv6_sysctl_force: {{ rhel7cis_ipv6_sysctl_force }} +rhel7cis_ipv6_sysctl_file: /etc/sysctl.d/60-ipv6.conf +# Setting this will stop ipv6 listening on ::1 and will remove from /etc/hosts +rhel7cis_ipv6_disable_localhost: {{ rhel7cis_ipv6_disable_localhost }} +# service = true removes package - mask = true will just mask package +rhel7cis_bluetooth_service: {{ rhel7cis_bluetooth_service }} +rhel7cis_bluetooth_mask: {{ rhel7cis_bluetooth_mask }} + +# 3.3.x # System network parameters (host only OR host and router) rhel7cis_is_router: {{ rhel7cis_is_router }} +rhel7cis_ipv4_sysctl_file: /etc/sysctl.d/60-ipv4.conf -# Time Synchronization -rhel7cis_time_synchronization: {{ rhel7cis_time_synchronization }} +# Firewall Service - either firewalld, iptables or nftables +# multiple options for removal or masking of services +# The firewall to be configured +rhel7cis_system_firewall: firewalld +# Set the following to remove or mask - note will not effect system_firewall # set to none +rhel7cis_nftables: mask +rhel7cis_iptables: mask +rhel7cis_firewalld: none -rhel7cis_firewall: {{ rhel7cis_firewall }} -# rhel7cis_firewall: iptables -rhel7cis_default_firewall_zone: {{ rhel7cis_default_zone }} rhel7cis_firewall_interface: -- ['ens224'] -- ['ens192'] -rhel7cis_firewall_services: {{ rhel7cis_firewall_services }} +- eth0 -# rhel7cis_firewall: iptables -iptables_boot_config: {{ rhel7cis_iptables_boot_config }} -ip6tables_boot_config: {{ rhel7cis_ip6tables_boot_config }} +#### +## Section 4 Variables +#### -# Section 4 -# auditd settings -rhel7cis_auditd: - space_left_action: {{ rhel7cis_auditd.space_left_action }} - action_mail_acct: {{ rhel7cis_auditd.action_mail_acct }} - admin_space_left_action: {{ rhel7cis_auditd.admin_space_left_action }} - max_log_file_action: {{ rhel7cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ rhel7cis_audit_backlog_limit }} - -# syslog -{% if rhel7cis_syslog == "rsyslog" %} -rhel7cis_rsyslog: true -{% endif %} +# SSH variables + +## Can be VERBOSE or INFO +rhel7cis_ssh_loglevel: INFO +# rhel7cis_ssh_maxsessions is the max number of sessions +# To conform to CIS standards this value nees to be 10 or less + +rhel7cis_sshd: + clientalivecountmax: 3 + # clientaliveinterval shoudl be between 1 and 900 + clientaliveinterval: 15 + ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" + macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" + kex: "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" + # logingracetime value is in seconds and needs to be set to 1 minute or less + logingracetime: 60 -# Section 5 rhel7cis_sshd_limited: false #Note the following to understand precedence and layout rhel7cis_sshd_access: -- AllowUser -- AllowGroup -- DenyUser -- DenyGroup +{% if rhel7cis_sshd.allowusers is defined %} + AllowUser: {{ rhel7cis_sshd.allowusers }} +{% endif %} +{% if rhel7cis_sshd.allowgroups is defined %} + AllowGroup: {{ rhel7cis_sshd.allowgroups }} +{% endif %} +{% if rhel7cis_sshd.denyusers is defined %} + DenyUser: {{ rhel7cis_sshd.denyusers }} +{% endif %} +{% if rhel7cis_sshd.denygroups is defined %} + DenyGroup: {{ rhel7cis_sshd.denygroups }} +{% endif %} -rhel7cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr rhel7cis_ssh_weak_ciphers: -- 3des-cbc -- aes128-cbc -- aes192-cbc -- aes256-cbc -- arcfour -- arcfour128 -- arcfour256 -- blowfish-cbc -- cast128-cbc -- rijndael-cbc@lysator.liu.se - -rhel7cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256 -rhel7cis_ssh_weak_macs: -- hmac-md5 -- hmac-md5-96 -- hmac-ripemd160 -- hmac-sha1 -- hmac-sha1-96 -- umac-64@openssh.com -- umac-128@openssh.com -- hmac-md5-etm@openssh.com -- hmac-md5-96-etm@openssh.com -- hmac-ripemd160-etm@openssh.com -- hmac-sha1-etm@openssh.com -- hmac-sha1-96-etm@openssh.com -- umac-64-etm@openssh.com -- umac-128-etm@openssh.com - -rhel7cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -rhel7cis_ssh_weak_kex: -- diffie-hellman-group1-sha1 -- diffie-hellman-group14-sha1 -- diffie-hellman-group-exchange-sha1 + - 3des-cbc + - aes128-cbc + - aes192-cbc + - aes256-cbc + - arcfour + - arcfour128 + - arcfour256 + - blowfish-cbc + - cast128-cbc + - rijndael-cbc@lysator.liu.se -rhel7cis_ssh_aliveinterval: "300" -rhel7cis_ssh_countmax: "3" - -rhel7cis_sugroup: {{ rhel7cis_sugroup| default('wheel') }} +rhel7cis_ssh_weak_kex: + - diffie-hellman-group1-sha1 + - diffie-hellman-group14-sha1 + - diffie-hellman-group-exchange-sha1 +rhel7cis_ssh_weak_macs: + - hmac-md5 + - hmac-md5-96 + - hmac-ripemd160 + - hmac-sha1 + - hmac-sha1-96 + - umac-64@openssh.com + - umac-128@openssh.com + - hmac-md5-etm@openssh.com + - hmac-md5-96-etm@openssh.com + - hmac-ripemd160-etm@openssh.com + - hmac-sha1-etm@openssh.com + - hmac-sha1-96-etm@openssh.com + - umac-64-etm@openssh.com + - umac-128-etm@openssh.com + +## Sudo + +# Group to be used for su +# this group needs to exists groups will not be created for remediation this is considered sys admins + +rhel7cis_sugroup: wheel +rhel7cis_sugroup_users: "" + +rhel7cis_pwquality_minclass: {{ rhel7cis_pwquality_minclass }} + +rhel7cis_pass: + max_days: 365 + warn_age: 7 + +#### +## Section 5 Variables +#### + +# Preferred method of logging +# Whether rsyslog or journald preferred method for local logging +rhel7cis_syslog: rsyslog +rhel7cis_rsyslog_ansiblemanaged: {{ rhel7cis_rsyslog_ansiblemanaged }} +# Set if system is the log server +rhel7cis_system_is_log_server: {{ rhel7cis_system_is_log_server }} + +# AuditD -## PAM -rhel7cis_pam_password: - - minclass = 4 -rhel7cis_pam_passwd_retry: "3" -# faillock or tally2 -rhel7cis_accountlock: faillock +# auditd settings +rhel7cis_auditd: + max_log_file_action: keep_logs -## note this is to skip tests -skip_rhel7cis_pam_passwd_auth: true -skip_rhel7cis_pam_system_auth: true +# AIDE +rhel7cis_config_aide: {{ rhel7cis_config_aide }} -# choose one of below -rhel7cis_pwhistory_so: "14" -rhel7cis_unix_so: false -rhel7cis_passwd_remember: "{{ rhel7cis_pam_faillock.remember }}" +# aide setup via - cron, timer +rhel7cis_aide_scan: cron -# logins.def password settings -rhel7cis_pass_max_days: {{ rhel7cis_pass.max_days }} -rhel7cis_pass_min_days: {{ rhel7cis_pass.min_days }} -rhel7cis_pass_warn_age: {{ rhel7cis_pass.warn_age }} +#### +## Section 6 variables +#### diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 new file mode 100644 index 00000000..473dda91 --- /dev/null +++ b/templates/audit/99_auditd.rules.j2 @@ -0,0 +1,95 @@ +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! + +# This template will set all of the auditd configurations via a handler in the role in one task instead of individually +{% if rhel7cis_rule_5_2_3_1 %} +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope +{% endif %} +{% if rhel7cis_rule_5_2_3_2 %} +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation +{% endif %} +{% if rhel7cis_rule_5_2_3_3 %} +-w {{ rhel7cis_sudolog_location }} -p wa -k sudo_log_file +{% endif %} +{% if rhel7cis_rule_5_2_3_4 %} +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change +-w /etc/localtime -p wa -k time-change +{% endif %} +{% if rhel7cis_rule_5_2_3_5 %} +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/sysconfig/network -p wa -k system-locale +-w /etc/sysconfig/network-scripts/ -p wa -k system-locale +{% endif %} +{% if rhel7cis_rule_5_2_3_6 %} +{% for proc in priv_procs.stdout_lines -%} +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k privileged +{% endfor %} +{% endif %} +{% if rhel7cis_rule_5_2_3_7 %} +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=access +{% endif %} +{% if rhel7cis_rule_5_2_3_8 %} +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity +{% endif %} +{% if rhel7cis_rule_5_2_3_9 %} +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=perm_mod +{% endif %} +{% if rhel7cis_rule_5_2_3_10 %} +-a always,exit -F arch=b32 -S mount -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k mounts +{% endif %} +{% if rhel7cis_rule_5_2_3_11 %} +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session +{% endif %} +{% if rhel7cis_rule_5_2_3_12 %} +-w /var/log/lastlog -p wa -k logins +-w /var/run/faillock -p wa -k logins +{% endif %} +{% if rhel7cis_rule_5_2_3_13 %} +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -F key=delete +{% endif %} +{% if rhel7cis_rule_5_2_3_14 %} +-w /etc/selinux/ -p wa -k MAC-policy +-w /usr/share/selinux/ -p wa -k MAC-policy +{% endif %} +{% if rhel7cis_rule_5_2_3_15 %} +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k perm_chng +{% endif %} +{% if rhel7cis_rule_5_2_3_16 %} +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k perm_chng +{% endif %} +{% if rhel7cis_rule_5_2_3_17 %} +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k perm_chng +{% endif %} +{% if rhel7cis_rule_5_2_3_18 %} +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k usermod +{% endif %} +{% if rhel7cis_rule_5_2_3_19 %} +-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k kernel_modules +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel7uid_interactive_uid_start }} -F auid!=unset -k kernel_modules +{% endif %} +{% if rhel7cis_rule_5_2_3_20 %} +-e 2 +{% endif %} diff --git a/templates/audit/99_finalize.rules.j2 b/templates/audit/99_finalize.rules.j2 deleted file mode 100644 index bc95eba3..00000000 --- a/templates/audit/99_finalize.rules.j2 +++ /dev/null @@ -1 +0,0 @@ --e 2 diff --git a/templates/audit/MAC_policy.rules.j2 b/templates/audit/MAC_policy.rules.j2 deleted file mode 100644 index 640c21a7..00000000 --- a/templates/audit/MAC_policy.rules.j2 +++ /dev/null @@ -1,2 +0,0 @@ --w /etc/selinux/ -p wa -k MAC-policy --w /usr/share/selinux/ -p wa -k MAC-policy diff --git a/templates/audit/access.rules.j2 b/templates/audit/access.rules.j2 deleted file mode 100644 index 1a86703a..00000000 --- a/templates/audit/access.rules.j2 +++ /dev/null @@ -1,4 +0,0 @@ --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access diff --git a/templates/audit/actions.rules.j2 b/templates/audit/actions.rules.j2 deleted file mode 100644 index 9eafbd32..00000000 --- a/templates/audit/actions.rules.j2 +++ /dev/null @@ -1,2 +0,0 @@ --a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions --a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions diff --git a/templates/audit/deletion.rules.j2 b/templates/audit/deletion.rules.j2 deleted file mode 100644 index 39fedff0..00000000 --- a/templates/audit/deletion.rules.j2 +++ /dev/null @@ -1,2 +0,0 @@ --a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete diff --git a/templates/audit/identity.rules.j2 b/templates/audit/identity.rules.j2 deleted file mode 100644 index 358f9992..00000000 --- a/templates/audit/identity.rules.j2 +++ /dev/null @@ -1,5 +0,0 @@ --w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity diff --git a/templates/audit/logins.rules.j2 b/templates/audit/logins.rules.j2 deleted file mode 100644 index 092a053c..00000000 --- a/templates/audit/logins.rules.j2 +++ /dev/null @@ -1,3 +0,0 @@ --w /var/log/faillog -p wa -k logins --w /var/log/lastlog -p wa -k logins --w /var/run/faillock/ -p wa -k logins diff --git a/templates/audit/modules.rules.j2 b/templates/audit/modules.rules.j2 deleted file mode 100644 index 5fae54ea..00000000 --- a/templates/audit/modules.rules.j2 +++ /dev/null @@ -1,4 +0,0 @@ --w /sbin/insmod -p x -k modules --w /sbin/rmmod -p x -k modules --w /sbin/modprobe -p x -k modules --a always,exit -F arch=b64 -S init_module -S delete_module -k modules diff --git a/templates/audit/mounts.rules.j2 b/templates/audit/mounts.rules.j2 deleted file mode 100644 index c70add18..00000000 --- a/templates/audit/mounts.rules.j2 +++ /dev/null @@ -1,2 +0,0 @@ --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts diff --git a/templates/audit/perm_mod.rules.j2 b/templates/audit/perm_mod.rules.j2 deleted file mode 100644 index 2bab6dd1..00000000 --- a/templates/audit/perm_mod.rules.j2 +++ /dev/null @@ -1,6 +0,0 @@ --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod diff --git a/templates/audit/priv_commands.rules.j2 b/templates/audit/priv_commands.rules.j2 deleted file mode 100644 index ed65a428..00000000 --- a/templates/audit/priv_commands.rules.j2 +++ /dev/null @@ -1,4 +0,0 @@ -{% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged - -{% endfor %} diff --git a/templates/audit/scope.rules.j2 b/templates/audit/scope.rules.j2 deleted file mode 100644 index 0ae21fd2..00000000 --- a/templates/audit/scope.rules.j2 +++ /dev/null @@ -1,2 +0,0 @@ --w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope diff --git a/templates/audit/session.rules.j2 b/templates/audit/session.rules.j2 deleted file mode 100644 index 51d7254f..00000000 --- a/templates/audit/session.rules.j2 +++ /dev/null @@ -1,3 +0,0 @@ --w /var/run/utmp -p wa -k session --w /var/log/wtmp -p wa -k logins --w /var/log/btmp -p wa -k logins diff --git a/templates/audit/system_local.rules.j2 b/templates/audit/system_local.rules.j2 deleted file mode 100644 index 63d590ed..00000000 --- a/templates/audit/system_local.rules.j2 +++ /dev/null @@ -1,6 +0,0 @@ --a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale --a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale --w /etc/issue -p wa -k system-locale --w /etc/issue.net -p wa -k system-locale --w /etc/hosts -p wa -k system-locale --w /etc/sysconfig/network -p wa -k system-locale diff --git a/templates/audit/time_change.rules.j2 b/templates/audit/time_change.rules.j2 deleted file mode 100644 index e39a529d..00000000 --- a/templates/audit/time_change.rules.j2 +++ /dev/null @@ -1,7 +0,0 @@ --a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change --a always,exit -F arch=b32 -S clock_settime -k time-change -{% if ansible_architecture == 'x86_64' -%} --a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change --a always,exit -F arch=b64 -S clock_settime -k time-change -{% endif %} --w /etc/localtime -p wa -k time-change diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2 deleted file mode 100644 index 90554819..00000000 --- a/templates/hosts.allow.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# -# hosts.allow This file contains access rules which are used to -# allow or deny connections to network services that -# either use the tcp_wrappers library or that have been -# started through a tcp_wrappers-enabled xinetd. -# -# See 'man 5 hosts_options' and 'man 5 hosts_access' -# for information on rule syntax. -# See 'man tcpd' for information on tcp_wrappers -# -ALL: {% for iprange in rhel7cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %} diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2 deleted file mode 100644 index 6e11739a..00000000 --- a/templates/ntp.conf.j2 +++ /dev/null @@ -1,59 +0,0 @@ -# For more information about this file, see the man pages -# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). - -driftfile /var/lib/ntp/drift - -# Permit time synchronization with our time source, but do not -# permit the source to query or modify the service on this system. -#restrict default nomodify notrap nopeer noquery -restrict -4 default kod nomodify notrap nopeer noquery -restrict -6 default kod nomodify notrap nopeer noquery - -# Permit all access over the loopback interface. This could -# be tightened as well, but to do so would effect some of -# the administrative functions. -restrict 127.0.0.1 -restrict ::1 - -# Hosts on local network are less restricted. -#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap - -# Use public servers from the pool.ntp.org project. -# Please consider joining the pool (http://www.pool.ntp.org/join.html). -{% for server in rhel7cis_time_synchronization_servers -%} -server {{ server }} {{ rhel7cis_ntp_server_options }} -{% endfor %} - -#broadcast 192.168.1.255 autokey # broadcast server -#broadcastclient # broadcast client -#broadcast 224.0.1.1 autokey # multicast server -#multicastclient 224.0.1.1 # multicast client -#manycastserver 239.255.254.254 # manycast server -#manycastclient 239.255.254.254 autokey # manycast client - -# Enable public key cryptography. -#crypto - -includefile /etc/ntp/crypto/pw - -# Key file containing the keys and key identifiers used when operating -# with symmetric key cryptography. -keys /etc/ntp/keys - -# Specify the key identifiers which are trusted. -#trustedkey 4 8 42 - -# Specify the key identifier to use with the ntpdc utility. -#requestkey 8 - -# Specify the key identifier to use with the ntpq utility. -#controlkey 8 - -# Enable writing of statistics records. -#statistics clockstats cryptostats loopstats peerstats - -# Disable the monitoring facility to prevent amplification attacks using ntpdc -# monlist command when default restrict does not include the noquery flag. See -# CVE-2013-5211 for more details. -# Note: Monitoring will not be disabled with the limited restriction flag. -disable monitor diff --git a/vars/audit.yml b/vars/audit.yml index a85db5d3..bb50f6d3 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -1,5 +1,7 @@ --- +#### Audit Configuration Settings #### + # Timeout for those cmds that take longer to run where timeout set audit_cmd_timeout: 120000 @@ -13,27 +15,26 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing ### Audit binary settings ### audit_bin_version: - release: v0.3.23 - AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} diff --git a/vars/main.yml b/vars/main.yml index 77594b30..809c8197 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,2 +1,14 @@ --- # vars file for RHEL7-CIS + +## Defaults +min_ansible_version: 2.11.1 +system_is_container: false +system_is_ec2: false +update_audit_template: false + +change_requires_reboot: false + +# Used to control warning summary +warn_control_list: "" +warn_count: 0