Skip to content

Commit

Permalink
Merge pull request #259 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
CIS v1.0.0 updates Nov 2024
  • Loading branch information
uk-bolly authored Nov 19, 2024
2 parents 16cb6a4 + 2ff1550 commit 81a9299
Show file tree
Hide file tree
Showing 18 changed files with 34 additions and 45 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/devel_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted
runs-on: ubuntu-latest

steps:
- uses: actions/first-interaction@main
Expand Down
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ ci:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
# Safety
- id: detect-aws-credentials
Expand Down Expand Up @@ -37,13 +37,13 @@ repos:
exclude: .config/.gitleaks-report.json

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
rev: v8.21.2
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v24.7.0
rev: v24.10.0
hooks:
- id: ansible-lint
name: Ansible-lint
Expand Down
6 changes: 2 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ Refer to [Contributing Guide](./CONTRIBUTING.rst)

This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.
Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.

This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.

Expand Down Expand Up @@ -128,11 +128,9 @@ os_check: false
**Technical Dependencies:**

- Python3
- Ansible 2.10+
- Ansible 2.12+
- python-def (should be included in RHEL 9)
- libselinux-python
- pip packages
- jmespath
- collections found in collections/requirements.yml

pre-commit is available if installed on your host for pull request testing.
Expand Down
20 changes: 9 additions & 11 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,15 +49,10 @@ rhel9cis_selinux_disable: false
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
rhel9cis_legacy_boot: false

## Python Binary
## This is used for python3 Installations where python2 OS modules are used in ansible
python2_bin: /bin/python2.7

## Benchmark name used by audting control role
# The audit variable found at the base
## metadata for Audit benchmark
benchmark_version: 'v1.0.0'

benchmark: RHEL9-CIS

# Whether to skip the system reboot before audit
Expand Down Expand Up @@ -526,6 +521,10 @@ rhel9cis_selinux_pol: targeted
rhel9cis_selinux_enforce: enforcing

# Whether or not to run tasks related to auditing/patching the desktop environment
## Control 1.8.1-10
# This variable governs whether rules dealing with GUI specific packages(and/or their settings)
# Discovered value can be overridden to true is required
rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"

## Section 2. Services

Expand Down Expand Up @@ -567,12 +566,6 @@ rhel9cis_chrony_server_minsources: 2
# Set the respective variable to true to keep the service,
# otherwise the service is stopped and disabled

## Control 1.8.10-10, 2.2.1
# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
# be executed either to:
# - secure GDM, if GUI is needed('rhel9cis_gui: true')
# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false')
rhel9cis_gui: false
## Control 2.2.2 - Ensure Avahi Server is not installed
# This variable, when set to false, will specify that Avahi Server packages should be uninstalled.
rhel9cis_avahi_server: false
Expand Down Expand Up @@ -1144,6 +1137,11 @@ rhel9cis_force_user_mindays: false
# This can break current connecting user access
rhel9cis_force_user_warnage: false

## Control 5.6.2 - Ensure system accounts are secured | Set nologin
# The system users on this list are allowed to have a shell (e.g. applications
# that require a shell to function)
rhel9cis_system_users_shell: []

## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
Expand Down
4 changes: 0 additions & 4 deletions handlers/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,8 +57,6 @@
- name: Grub2cfg
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ignore_errors: true # noqa ignore-errors
tags:
- skip_ansible_lint

- name: Restart rsyslog
ansible.builtin.systemd:
Expand Down Expand Up @@ -102,8 +100,6 @@

- name: Restart auditd
ansible.builtin.shell: service auditd restart
tags:
- skip_ansible_lint

- name: Change_requires_reboot
ansible.builtin.set_fact:
Expand Down
7 changes: 7 additions & 0 deletions tasks/prelim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,13 @@
- rhel9cis_force_gpg_key_import
- ansible_facts.distribution == 'RedHat'

- name: "PRELIM | Discover Gnome Desktop Environment"
ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present
tags:
- always

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
ansible.builtin.package:
name: audit
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4) %},nosuid{% endif %}"
notify: Remount tmp
loop: "{{ ansible_facts.mounts }}"
loop_control:
Expand Down
3 changes: 1 addition & 2 deletions tasks/section_1/cis_1.1.3.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -45,6 +45,5 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.3.2
- rule_1.1.3.3
3 changes: 1 addition & 2 deletions tasks/section_1/cis_1.1.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -48,7 +48,6 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.4.2
- rule_1.1.4.3
- rule_1.1.4.4
4 changes: 1 addition & 3 deletions tasks/section_1/cis_1.1.5.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@
- audit
- mounts
- rule_1.1.5.1
- skip_ansible_lint

- name: |
"1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
Expand All @@ -33,7 +32,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_5_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_5_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_5_4) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -48,7 +47,6 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.5.2
- rule_1.1.5.3
- rule_1.1.5.4
3 changes: 1 addition & 2 deletions tasks/section_1/cis_1.1.6.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_6_2) %},noexec{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_6_3) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_6_4) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -47,7 +47,6 @@
- level1-workstation
- patch
- mounts
- skip_ansible_lint
- rule_1.1.6.2
- rule_1.1.6.3
- rule_1.1.6.4
4 changes: 1 addition & 3 deletions tasks/section_1/cis_1.1.7.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@
- audit
- mounts
- rule_1.1.7.1
- skip_ansible_lint

- name: |
"1.1.7.2 | PATCH | Ensure nodev option set on /home partition
Expand All @@ -32,7 +31,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_7_3) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
Expand All @@ -48,4 +47,3 @@
- mounts
- rule_1.1.7.2
- rule_1.1.7.3
- skip_ansible_lint
1 change: 0 additions & 1 deletion tasks/section_1/cis_1.1.8.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
- audit
- mounts
- rule_1.1.8.1
- skip_ansible_lint

- name: |
"1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
Expand Down
5 changes: 2 additions & 3 deletions tasks/section_1/cis_1.2.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@
- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
ansible.builtin.replace:
name: "{{ item.path }}"
regexp: "^gpgcheck=0"
regexp: ^gpgcheck\s*=\s*0
replace: "gpgcheck=1"
loop: "{{ yum_repos.files }}"
loop_control:
Expand Down Expand Up @@ -85,7 +85,6 @@
- manual
- audit
- rule_1.2.3
- skip_ansible_lint

- name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated"
block:
Expand All @@ -104,7 +103,7 @@
- name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: '^repo_gpgcheck( |)=( |)0'
regexp: ^repo_gpgcheck\s*=\s*0
replace: repo_gpgcheck=1
loop: "{{ repo_files.files }}"
loop_control:
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.8.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
ansible.builtin.template:
src: etc/dconf/db/00-screensaver_lock.j2
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock"
owner: root
group: root
mode: '0644'
Expand Down
2 changes: 0 additions & 2 deletions tasks/section_1/cis_1.9.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,8 @@
notify: Change_requires_reboot
when:
- rhel9cis_rule_1_9
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- patch
- rule_1.9
- skip_ansible_lint
1 change: 1 addition & 0 deletions tasks/section_5/cis_5.6.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- item.id not in rhel9cis_system_users_shell
- item.uid < min_int_uid | int
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
Expand Down
4 changes: 2 additions & 2 deletions tasks/section_6/cis_6.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}"
discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug:
Expand Down Expand Up @@ -204,7 +204,7 @@

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}"
discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug:
Expand Down

0 comments on commit 81a9299

Please sign in to comment.