March 24 to devel (#186)

* Issue #170, PR #181 thanks to @ipruteanu-sie

* issue #182, PR #183 thansk to @ipruteanu-sie

* PR #180 thanks to @ipruteanu-sie and @raabf

* Addressed PR #165 thanks to @ipruteanu-sie

* PT #184 addressed thansk to @ipruteanu-sie

* updated credits

* typo and ssh allow_deny comments

* enable OS check

---------

Signed-off-by: Mark Bolwell <[email protected]>

Changelog.md

@@ -3,6 +3,13 @@
 ## 1.1.4 - Based on CIS v1.0.0
 
 - 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only
+- thanks to @ipruteanu-sie
+  - #156
+  - #165
+  - #180
+  - #181
+  - #183
+  - #184
 
 ## 1.1.3 - Based on CIS v1.0.0
 

defaults/main.yml

@@ -1003,11 +1003,11 @@ rhel9cis_sshd:
     # This variable sets the maximum number of unresponsive "keep-alive" messages
     # that can be sent from the server to the client before the connection is considered
     # inactive and thus, closed.
-    clientalivecountmax: 0
+    clientalivecountmax: 3
     # This variable sets the time interval in seconds between sending "keep-alive"
     # messages from the server to the client. These types of messages are intended to
     # keep the connection alive and prevent it being terminated due to inactivity.
-    clientaliveinterval: 900
+    clientaliveinterval: 15
     # This variable specifies the amount of seconds allowed for successful authentication to
     # the SSH server.
     logingracetime: 60
@@ -1017,26 +1017,29 @@ rhel9cis_sshd:
     # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
-    allow_users: ""
-    # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+    # allowusers: ""
+
+    # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
     # for users whose primary group or supplementary group list matches one of the patterns. This is done
     # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, https://linux.die.net/man/5/sshd_config
-    allow_groups: "wheel"
+    # allowgroups: "wheel"
+
     # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
     # for users whose user name matches one of the patterns. This is done
     # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
     # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_users: "nobody"
+    denyusers: "nobody"
+
     # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
     # for users whose primary group or supplementary group list matches one of the patterns. This is done
     # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_groups: ""
+    denygroups: ""
 
 ## Control 5.2.5 - Ensure SSH LogLevel is appropriate
 # This variable is used to control the verbosity of the logging produced by the SSH server.
@@ -1060,10 +1063,6 @@ rhel9cis_inactivelock:
     # This variable specifies the number of days of inactivity before an account will be locked.
     # CIS requires a value of 30 days or less.
     lock_days: 30
-# This variable governs if authconfig package should be installed. This package provides a simple method of
-# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used
-# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided.
-rhel9cis_use_authconfig: false
 
 ## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options)
 ## Controls:

tasks/main.yml

@@ -8,7 +8,6 @@
       success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
   when:
       - os_check
-      - not system_is_ec2
   tags:
       - always
 
@@ -169,63 +168,63 @@
       - run_audit
   ansible.builtin.import_tasks: pre_remediation_audit.yml
 
-- name: run Section 1 tasks
+- name: Run Section 1 tasks
   ansible.builtin.import_tasks:
       file: section_1/main.yml
   when: rhel9cis_section1
   tags:
       - rhel9cis_section1
 
-- name: run Section 2 tasks
+- name: Run Section 2 tasks
   ansible.builtin.import_tasks:
       file: section_2/main.yml
   when: rhel9cis_section2
   tags:
       - rhel9cis_section2
 
-- name: run Section 3 tasks
+- name: Run Section 3 tasks
   ansible.builtin.import_tasks:
       file: section_3/main.yml
   when: rhel9cis_section3
   tags:
       - rhel9cis_section3
 
-- name: run Section 4 tasks
+- name: Run Section 4 tasks
   ansible.builtin.import_tasks:
       file: section_4/main.yml
   when: rhel9cis_section4
   tags:
       - rhel9cis_section4
 
-- name: run Section 5 tasks
+- name: Run Section 5 tasks
   ansible.builtin.import_tasks:
       file: section_5/main.yml
   when: rhel9cis_section5
   tags:
       - rhel9cis_section5
 
-- name: run Section 6 tasks
+- name: Run Section 6 tasks
   ansible.builtin.import_tasks:
       file: section_6/main.yml
   when: rhel9cis_section6
   tags:
       - rhel9cis_section6
 
-- name: run auditd logic
+- name: Run auditd logic
   ansible.builtin.import_tasks:
       file: auditd.yml
   when: update_audit_template
   tags:
       - always
 
-- name: run post remediation tasks
+- name: Run post remediation tasks
   ansible.builtin.import_tasks:
       file: post.yml
   tags:
       - post_tasks
       - always
 
-- name: run post_remediation audit
+- name: Run post_remediation audit
   ansible.builtin.import_tasks:
       file: post_remediation_audit.yml
   when:

tasks/prelim.yml

@@ -226,27 +226,6 @@
       - level1_server
       - level1_workstation
 
-- name: "PRELIM | Install authconfig"
-  ansible.builtin.package:
-      name: authconfig
-      state: present
-  become: true
-  when:
-      - rhel9cis_use_authconfig
-      - rhel9cis_rule_5_3_1 or
-        rhel9cis_rule_5_3_2 or
-        rhel9cis_rule_5_3_3 or
-       '"authconfig" not in ansible_facts.packages or
-       "auditd-lib" not in ansible_facts.packages'
-  tags:
-      - level1-server
-      - level1-workstation
-      - rule_5.3.1 or
-        rule_5.3.2 or
-        rule_5.3.3
-      - authconfig
-      - auditd
-
 - name: "PRELIM | 5.3.4 | Find all sudoers files."
   ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
   changed_when: false

tasks/section_1/cis_1.1.7.x.yml

@@ -39,7 +39,6 @@
   notify: Change_requires_reboot
   when:
       - item.mount == "/home"
-      - rhel9cis_rule_1_1_7_1
       - rhel9cis_rule_1_1_7_2 or
         rhel9cis_rule_1_1_7_3
   tags:
@@ -49,5 +48,4 @@
       - mounts
       - rule_1.1.7.2
       - rule_1.1.7.3
-      - rule_1.1.7.4
       - skip_ansible_lint

tasks/section_1/cis_1.3.x.yml

@@ -54,7 +54,7 @@
       - patch
       - rule_1.3.2
 
-- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
+- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
   ansible.builtin.blockinfile:
       path: /etc/aide.conf
       marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"

tasks/section_1/cis_1.8.x.yml

@@ -118,7 +118,7 @@
       - gui
       - rule_1.8.4
 
-- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden"
+- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
   block:
       - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory"
         ansible.builtin.file:

tasks/section_4/cis_4.1.3.x.yml

@@ -99,7 +99,7 @@
       - level2-workstation
       - patch
       - auditd
-      - rule_4.1.3_7
+      - rule_4.1.3.7
 
 # All changes selected are managed by the POST audit and handlers to update
 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
@@ -268,7 +268,7 @@
       - level2-workstation
       - patch
       - auditd
-      - rule_4.1.20
+      - rule_4.1.3.20
 
 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
   ansible.builtin.debug:

tasks/section_5/cis_5.2.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
+- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
   ansible.builtin.file:
       path: "/etc/ssh/sshd_config"
       owner: root

tasks/section_5/cis_5.6.x.yml

@@ -2,7 +2,7 @@
 
 - name: "5.6.2 | PATCH | Ensure system accounts are secured"
   block:
-      - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
+      - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin"
         ansible.builtin.user:
             name: "{{ item.id }}"
             shell: /usr/sbin/nologin
@@ -98,11 +98,30 @@
             regexp: '^USERGROUPS_ENAB'
             line: USERGROUPS_ENAB no
 
-      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
-        ansible.builtin.lineinfile:
-            path: /etc/pam.d/system-auth
-            line: 'session     required            pam_umask.so'
-            insertafter: EOF
+      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd"
+        community.general.pamd:
+            name: "{{ item }}"
+            type: session
+            control: required
+            module_path: pam_limits.so
+            new_type: session
+            new_module_path: pam_umask.so
+            new_control: optional
+            state: before
+        register: rhel9cis_pamd_umask_added
+        loop:
+            - system-auth
+            - password-auth
+
+      - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required"
+        ansible.builtin.replace:
+            path: "/etc/pam.d/{{ item }}"
+            regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$
+            replace: \1optional\3
+        loop:
+            - system-auth
+            - password-auth
+
   when:
       - rhel9cis_rule_5_6_5
   tags:

tasks/section_6/cis_6.2.x.yml

@@ -75,7 +75,7 @@
       - groups
       - rule_6.2.3
 
-- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist"
+- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist"
   block:
       - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
         ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
@@ -88,7 +88,7 @@
             msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}"
         when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
 
-      - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count"
+      - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count"
         ansible.builtin.import_tasks:
             file: warning_facts.yml
         when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1