From fb73b18596f3d5ad19ee11800e0931bc6defd132 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 22 Jan 2025 08:53:02 +0000
Subject: [PATCH 1/4] Add new pwquality dicovery & title update
Signed-off-by: Mark Bolwell
---
tasks/prelim.yml | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 6602d282..56958438 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -177,14 +177,14 @@ ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg -- name: "PRELIM | Discover Gnome Desktop Environment" +- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" tags: - always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present -- name: "PRELIM | Install dconf if gui installed" +- name: "PRELIM | PATCH | Install dconf if gui installed" when: - rhel9cis_gui tags:
@@ -243,6 +243,15 @@ mode: 'go-rwx' state: touch +- name: "PRELIM | AUDIT | Capture pam secuirty related files" + tags: always + ansible.builtin.find: + paths: + - /etc/security/pwquality.conf.d/ + - /etc/pam.d/ + patterns: '*-auth,*.conf' + register: prelim_pam_pwquality_confs + - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" when: rhel9cis_rule_5_4_2_1 tags:
@@ -326,7 +335,7 @@ changed_when: false register: prelim_uid_max_id - - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" + - name: "PRELIM | AUDIT | Set Fact for interactive uid/gid" ansible.builtin.set_fact: prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}" prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}"
From 5e176d4dc9bf4ce22c4d532cdbc18501b9433e45 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 22 Jan 2025 08:53:27 +0000
Subject: [PATCH 2/4] Use new prelim task for controls based on #273
Signed-off-by: Mark Bolwell
---
tasks/section_5/cis_5.3.3.2.x.yml | 42 +++++++++++++------------------
1 file changed, 18 insertions(+), 24 deletions(-)
diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml
index 920ed88a..702503de 100644
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@@ -18,10 +18,9 @@ path: "{{ item }}" regexp: 'difok\s*=\s*\d+\b' replace: '' - with_fileglob: - - '/etc/security/pwquality.conf' - - '/etc/security/pwquality.conf.d/*.conf' - - /etc/pam.d/*-auth + loop: + - /etc/security/pwquality.conf + - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" ansible.builtin.template:
@@ -74,10 +73,9 @@ path: "{{ item }}" regexp: 'minlen\s*=\s*\d+\b' replace: '' - with_fileglob: - - '/etc/security/pwquality.conf' - - '/etc/security/pwquality.conf.d/*.conf' - - '/etc/pam.d/*-auth' + loop: + - /etc/security/pwquality.conf + - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" ansible.builtin.template:
@@ -130,10 +128,9 @@ path: "{{ item }}" regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' replace: '' - with_fileglob: - - '/etc/security/pwquality.conf' - - '/etc/security/pwquality.conf.d/*.conf' - - '/etc/pam.d/*-auth' + loop: + - /etc/security/pwquality.conf + - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" ansible.builtin.template:
@@ -184,10 +181,9 @@ path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' replace: '' - with_fileglob: - - '/etc/security/pwquality.conf' - - '/etc/security/pwquality.conf.d/*.conf' - - '/etc/pam.d/*-auth' + loop: + - /etc/security/pwquality.conf + - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" ansible.builtin.template:
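Review bot: The second `loop` entry, `- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"`, evaluates to a list inside the list and `loop` does not flatten, so on that iteration `item` is the whole `find` result (a list of dicts keyed by `path`, or `[]`) and `path: "{{ item }}"` receives its string form rather than a filename; as far as I can tell `replace` would fail on that path, and the `when: item != rhel9cis_passwd_difok_file` guard shown for this task in PATCH 4/4 never excludes such an item. Build one flat list of paths instead: `loop: "{{ ['/etc/security/pwquality.conf'] + (prelim_pam_pwquality_confs.files | default([]) | map(attribute='path') | list) }}"`. The same entry is used in the minlen, complexity, maxrepeat, maxsequence and dictcheck hunks of this file and is carried unchanged into PATCH 4/4. The enclosing tasks start outside each hunk (their `name` and `when` lines precede `path:`).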
@@ -240,10 +236,9 @@ path: "{{ item }}" regexp: 'maxsequence\s*=\s*\d+\b' replace: '' - with_fileglob: - - '/etc/security/pwquality.conf' - - '/etc/security/pwquality.conf.d/*.conf' - - '/etc/pam.d/*-auth' + loop: + - /etc/security/pwquality.conf + - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" ansible.builtin.template:
@@ -295,10 +290,9 @@ path: "{{ item }}" regexp: 'dictcheck\s*=\s*\d+\b' replace: '' - with_fileglob: - - '/etc/security/pwquality.conf' - - '/etc/security/pwquality.conf.d/*.conf' - - '/etc/pam.d/*-auth' + loop: + - /etc/security/pwquality.conf + - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" ansible.builtin.template:
From 7d49c0d27c69419189b8b31f930b10ba1aa7d53f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 22 Jan 2025 14:23:31 +0000
Subject: [PATCH 3/4] added fix for #280 thanks to @msachikanta
Signed-off-by: Mark Bolwell
---
templates/etc/systemd/system/tmp.mount.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
index 3f689eef..7f645474 100644
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@@ -23,7 +23,7 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %} +Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %} # Make 'systemctl enable tmp.mount' work: [Install]
From 9f3d8becf03de14eed78d59f13a6d09d8de2e910 Mon Sep 17 00:00:00 2001
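Review bot: The rewritten `Options=` line still emits a trailing comma whenever the last enabled flag is not `noexec` (for example `nodev,nosuid,` when `rhel9cis_rule_1_1_2_1_4` is false, or `strictatime,` when all three are off); libmount tolerates an empty option as far as I know, so this is hygiene rather than a mount failure, but it is easier to reason about if each conditional flag carries its own leading comma: `Options=mode=1777,strictatime{% if rhel9cis_rule_1_1_2_1_2 %},nodev{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %},nosuid{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %},noexec{% endif %}`. Since the renumbering changes which variable drives `nosuid` and `noexec`, a one-line template comment naming the mapping (`{# 1.1.2.1.2 nodev, 1.1.2.1.3 nosuid, 1.1.2.1.4 noexec #}`) above the line would make the next renumber easier to check.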
From: Mark Bolwell
Date: Wed, 22 Jan 2025 16:56:51 +0000
Subject: [PATCH 4/4] Improve logic for 5.3.3.2.x controls
Signed-off-by: Mark Bolwell
---
tasks/prelim.yml | 5 ++--
tasks/section_5/cis_5.3.3.2.x.yml | 48 +++++++++++++++++++------------
2 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 56958438..1ec355b3 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -243,13 +243,12 @@ mode: 'go-rwx' state: touch -- name: "PRELIM | AUDIT | Capture pam secuirty related files" +- name: "PRELIM | AUDIT | Capture pam security related files" tags: always ansible.builtin.find: paths: - /etc/security/pwquality.conf.d/ - - /etc/pam.d/ - patterns: '*-auth,*.conf' + patterns: '*.conf' register: prelim_pam_pwquality_confs - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml
index 702503de..e8e1530b 100644
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@@ -14,13 +14,15 @@ when: - item != rhel9cis_passwd_difok_file - rhel9cis_disruption_high - ansible.builtin.replace: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'difok\s*=\s*\d+\b' - replace: '' + state: absent loop: - /etc/security/pwquality.conf - - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + - "{{ prelim_pam_pwquality_confs.files | default([]) }}" - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" ansible.builtin.template:
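Review bot: `ansible.builtin.find` selects regular files only by default (`file_type: file`), so a drop-in under `/etc/security/pwquality.conf.d/` that is a symlink would be missing from `prelim_pam_pwquality_confs` although libpwquality presumably reads it like any other `*.conf`; if that case is meant to be covered, add `file_type: any` next to `patterns: '*.conf'`. A missing directory only yields a skipped-path warning from the module rather than a failure, so the `default([])` the consumers apply to `.files` remains the right guard for an empty result.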
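Review bot: Switching from `ansible.builtin.replace` to `ansible.builtin.lineinfile` with `state: absent` removes every line matching `difok\s*=\s*\d+\b`, and in the two `/etc/pam.d/*-auth` files added to the loop that line is the `pam_pwquality.so` entry itself, so a host carrying `difok=N` as a module argument (the case this task exists to clean up) loses pam_pwquality from its password stack rather than just the argument. Whole-line removal is right for the pwquality.conf files, where the setting is a line of its own, but the pam files need token-level stripping, which argues for splitting this into two tasks as in the excerpt. The loop in the excerpt also flattens the `find` result to its `path` values, since `loop` does not flatten nested lists and `.files` holds dicts. The same `lineinfile`/`state: absent` change appears in the minlen, complexity, maxrepeat, maxsequence and dictcheck hunks of this file and needs the same split. The task's `name` line starts outside the hunk.
```yaml
      # … unchanged: task name, when: conditions, ansible.builtin.lineinfile args …
      loop: "{{ ['/etc/security/pwquality.conf'] + (prelim_pam_pwquality_confs.files | default([]) | map(attribute='path') | list) }}"

    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok argument from pam_pwquality lines"
      when: rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '\s*\bdifok\s*=\s*\d+\b'
        replace: ''
      loop:
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
```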
@@ -69,13 +71,15 @@ when: - item != rhel9cis_passwd_minlen_file - rhel9cis_disruption_high - ansible.builtin.replace: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'minlen\s*=\s*\d+\b' - replace: '' + state: absent loop: - /etc/security/pwquality.conf - - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + - "{{ prelim_pam_pwquality_confs.files | default([]) }}" - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" ansible.builtin.template:
@@ -124,13 +128,15 @@ when: - item != rhel9cis_passwd_complex_file - rhel9cis_disruption_high - ansible.builtin.replace: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' - replace: '' + state: absent loop: - /etc/security/pwquality.conf - - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + - "{{ prelim_pam_pwquality_confs.files | default([]) }}" - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" ansible.builtin.template:
@@ -177,13 +183,15 @@ block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" when: item != rhel9cis_passwd_maxrepeat_file - ansible.builtin.replace: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' - replace: '' + state: absent loop: - /etc/security/pwquality.conf - - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + - "{{ prelim_pam_pwquality_confs.files | default([]) }}" - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" ansible.builtin.template:
@@ -232,13 +240,15 @@ when: - item != rhel9cis_passwd_maxsequence_file - rhel9cis_disruption_high - ansible.builtin.replace: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'maxsequence\s*=\s*\d+\b' - replace: '' + state: absent loop: - /etc/security/pwquality.conf - - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + - "{{ prelim_pam_pwquality_confs.files | default([]) }}" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" ansible.builtin.template:
@@ -286,13 +296,15 @@ - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" when: - item != rhel9cis_passwd_dictcheck_file - ansible.builtin.replace: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'dictcheck\s*=\s*\d+\b' - replace: '' + state: absent loop: - /etc/security/pwquality.conf - - "{{ prelim_pam_pwquality_confs.files | default ([]) }}" + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + - "{{ prelim_pam_pwquality_confs.files | default([]) }}" - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" ansible.builtin.template: