From 7d7b6132f4716ec0ed9118dfcda948b681a3827d Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 6 Mar 2024 16:52:38 +0000 Subject: [PATCH] March 24 to devel (#186) * Issue #170, PR #181 thanks to @ipruteanu-sie * issue #182, PR #183 thansk to @ipruteanu-sie * PR #180 thanks to @ipruteanu-sie and @raabf * Addressed PR #165 thanks to @ipruteanu-sie * PT #184 addressed thansk to @ipruteanu-sie * updated credits * typo and ssh allow_deny comments * enable OS check --------- Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ defaults/main.yml | 21 ++++++++++----------- tasks/main.yml | 19 +++++++++---------- tasks/prelim.yml | 21 --------------------- tasks/section_1/cis_1.1.7.x.yml | 2 -- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 2 +- tasks/section_4/cis_4.1.3.x.yml | 4 ++-- tasks/section_5/cis_5.2.x.yml | 2 +- tasks/section_5/cis_5.6.x.yml | 31 +++++++++++++++++++++++++------ tasks/section_6/cis_6.2.x.yml | 4 ++-- 11 files changed, 58 insertions(+), 57 deletions(-) diff --git a/Changelog.md b/Changelog.md index b6f9886e..0fe314ff 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,13 @@ ## 1.1.4 - Based on CIS v1.0.0 - 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only +- thanks to @ipruteanu-sie + - #156 + - #165 + - #180 + - #181 + - #183 + - #184 ## 1.1.3 - Based on CIS v1.0.0 diff --git a/defaults/main.yml b/defaults/main.yml index 43671f34..f5838c0a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1003,11 +1003,11 @@ rhel9cis_sshd:
 # This variable sets the maximum number of unresponsive "keep-alive" messages
 # that can be sent from the server to the client before the connection is considered
 # inactive and thus, closed.
- clientalivecountmax: 0
+ clientalivecountmax: 3
 # This variable sets the time interval in seconds between sending "keep-alive"
 # messages from the server to the client. These types of messages are intended to
 # keep the connection alive and prevent it being terminated due to inactivity.
- clientaliveinterval: 900
+ clientaliveinterval: 15
 # This variable specifies the amount of seconds allowed for successful authentication to
 # the SSH server.
 logingracetime: 60
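Review bot: The new defaults `clientaliveinterval: 15` and `clientalivecountmax: 3` combine into a 45 s dead-peer timeout, but nothing in the hunk says so, and the surrounding comment's "considered inactive and thus, closed" wording overstates what ClientAlive does: a live OpenSSH client answers the probes automatically, so this only drops unresponsive peers and does not log out idle interactive sessions. The old `clientalivecountmax: 0` never closed anything, because 0 disables termination on current OpenSSH, which is presumably why it was raised. I would add above `clientalivecountmax` the lines `# Effective dead-peer timeout = clientaliveinterval * clientalivecountmax (15 s * 3 = 45 s); 0 disables termination.` and `# This does not time out idle interactive sessions (the client answers the probes); use a shell timeout (TMOUT) for that.`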
@@ -1017,26 +1017,29 @@ rhel9cis_sshd: # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # allowusers: "" + + # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "wheel" + # allowgroups: "wheel" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access # for users whose user name matches one of the patterns. This is done # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "nobody" + denyusers: "nobody" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
# For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" + denygroups: "" ## Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. @@ -1060,10 +1063,6 @@ rhel9cis_inactivelock: # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. lock_days: 30 -# This variable governs if authconfig package should be installed. This package provides a simple method of -# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used -# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. -rhel9cis_use_authconfig: false ## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) ## Controls: diff --git a/tasks/main.yml b/tasks/main.yml index 2d7aa57e..114c806b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,7 +8,6 @@ success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - os_check - - not system_is_ec2 tags: - always 
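Review bot: Renaming `allow_users`/`allow_groups`/`deny_users`/`deny_groups` to `allowusers`/`allowgroups`/`denyusers`/`denygroups` silently breaks any inventory that overrides the old names inside `rhel9cis_sshd` (the old key is simply ignored), and the hunk leaves no trace of the rename for users; presumably the new names match what the sshd_config template reads, since no task or template change is in this diff. On the security side, `allowusers` and `allowgroups` are now both commented out, so the shipped default renders only `DenyUsers nobody`, which by itself does not limit SSH access at all (the access-limiting control is the one just before the `## Control 5.2.5` heading, judging by the numbering). I would add, above the commented `# allowusers: ""`, `# NOTE: keys renamed in 1.1.4 (allow_users -> allowusers, etc.); overrides using the old names are ignored.` and `# With allowusers and allowgroups both unset, only DenyUsers is rendered and SSH access is not actually restricted until one is set.`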
@@ -169,63 +168,63 @@ - run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml -- name: run Section 1 tasks +- name: Run Section 1 tasks ansible.builtin.import_tasks: file: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 -- name: run Section 2 tasks +- name: Run Section 2 tasks ansible.builtin.import_tasks: file: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 -- name: run Section 3 tasks +- name: Run Section 3 tasks ansible.builtin.import_tasks: file: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 -- name: run Section 4 tasks +- name: Run Section 4 tasks ansible.builtin.import_tasks: file: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 -- name: run Section 5 tasks +- name: Run Section 5 tasks ansible.builtin.import_tasks: file: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 -- name: run Section 6 tasks +- name: Run Section 6 tasks ansible.builtin.import_tasks: file: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 -- name: run auditd logic +- name: Run auditd logic ansible.builtin.import_tasks: file: auditd.yml when: update_audit_template tags: - always -- name: run post remediation tasks +- name: Run post remediation tasks ansible.builtin.import_tasks: file: post.yml tags: - post_tasks - always -- name: run post_remediation audit +- name: Run post_remediation audit ansible.builtin.import_tasks: file: post_remediation_audit.yml when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d363a9fb..f58ad014 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -226,27 +226,6 @@ - level1_server - level1_workstation -- name: "PRELIM | Install authconfig" - ansible.builtin.package: - name: authconfig - state: present - become: true - when: - - rhel9cis_use_authconfig - - rhel9cis_rule_5_3_1 or - rhel9cis_rule_5_3_2 or - rhel9cis_rule_5_3_3 or - '"authconfig" not in ansible_facts.packages or - "auditd-lib" not in ansible_facts.packages' - tags: - - level1-server - - level1-workstation - - rule_5.3.1 or - rule_5.3.2 or - rule_5.3.3 - - authconfig - - auditd - - name: "PRELIM | 5.3.4 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index ef169880..d1133618 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -39,7 +39,6 @@ notify: Change_requires_reboot when: - item.mount == "/home" - - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or rhel9cis_rule_1_1_7_3 tags: @@ -49,5 +48,4 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - rule_1.1.7.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index dda9c66b..3010b5aa 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -54,7 +54,7 @@ - patch - rule_1.3.2 -- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" +- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: path: /etc/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index e6f4b0c2..b7f47915 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
@@ -118,7 +118,7 @@ - gui - rule_1.8.4 -- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" +- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" block: - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" ansible.builtin.file: diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index ec925bb7..2c8746a1 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -99,7 +99,7 @@ - level2-workstation - patch - auditd - - rule_4.1.3_7 + - rule_4.1.3.7 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" @@ -268,7 +268,7 @@ - level2-workstation - patch - auditd - - rule_4.1.20 + - rule_4.1.3.20 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" ansible.builtin.debug: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 7daf6d11..ac62767c 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: path: "/etc/ssh/sshd_config" owner: root diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a2c0219e..8fba8986 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -2,7 +2,7 @@ - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.6.2 | Ensure system accounts are secured | Set nologin" + - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin" ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin 
@@ -98,11 +98,30 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: 'session required pam_umask.so' - insertafter: EOF + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd" + community.general.pamd: + name: "{{ item }}" + type: session + control: required + module_path: pam_limits.so + new_type: session + new_module_path: pam_umask.so + new_control: optional + state: before + register: rhel9cis_pamd_umask_added + loop: + - system-auth + - password-auth + + - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required" + ansible.builtin.replace: + path: "/etc/pam.d/{{ item }}" + regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$ + replace: \1optional\3 + loop: + - system-auth + - password-auth + when: - rhel9cis_rule_5_6_5 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 6ab91cd5..e2d03e5e 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -75,7 +75,7 @@ - groups - rule_6.2.3 -- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" block: - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" 
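Review bot: Both new 5.6.5 tasks edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` directly through `community.general.pamd` and `ansible.builtin.replace`; on RHEL 9 those two paths are normally symlinks into the authselect-managed tree, and this same commit's defaults describe a Section 5.4 custom authselect profile, so direct edits there are likely to be reverted on the next `authselect apply-changes` or refused as tampered files. If the role is running an authselect profile, the `pam_umask.so` rule should be written into the custom profile's `system-auth`/`password-auth` and applied via authselect, or the tasks at least documented with `# NOTE: writes the live PAM files; with an authselect profile active, edit the custom profile instead` so the interaction is explicit. Two smaller points on the second task: it is named `| AUDIT |` but it rewrites the file and should be `| PATCH |` like its sibling, and the regex `(\s+pam_umask.so)$` leaves the dot unescaped, `(\s+pam_umask\.so)$`. The `register: rhel9cis_pamd_umask_added` result is not consumed anywhere in the hunk, and the enclosing 5.6.5 block starts before the hunk and its `tags` list continues after it.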
@@ -88,7 +88,7 @@ msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: file: warning_facts.yml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1