Merge pull request #429 from ansible-lockdown/6_2_10_improvements
updated loop for 6.2.10 to use interactive users
uk-bolly authored Nov 14, 2024
2 parents 2d4d2b5 + 3852132 commit d1bf968
Showing 13 changed files with 103 additions and 81 deletions.
16 changes: 13 additions & 3 deletions defaults/main.yml
Expand Up @@ -773,9 +773,6 @@ rhel8cis_inactivelock:
# Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
rhel8cis_futurepwchgdate_autofix: true

rhel8uid_uid_start: 1000
rhel8uid_uid_stop: 60000

## Section5 vars

## Preferred method of logging
Expand Down Expand Up @@ -803,6 +800,19 @@ rhel8cis_auditd:
admin_space_left_action: single
max_log_file_action: keep_logs

# UID settings for interactive users
# These are discovered via logins.def if set true
discover_int_uid: true
### Controls:
# This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`.
min_int_uid: 1000
### Controls:
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`.
max_int_uid: 65533

# This can be used to configure other keys in auditd.conf
rhel8cis_auditd_extra_conf: {}
# Example:
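Review bot: The comment above `discover_int_uid` names the source file as "logins.def", but the file the prelim tasks read is /etc/login.defs, and the `### Controls:` header above `max_int_uid` carries no description of what the value bounds. Suggest `# These are discovered from /etc/login.defs (UID_MIN / UID_MAX) if set true` for the first and `# This variable sets the maximum number up to which to search for UID` for the second, so the two stanzas read alike. Also worth a line in the description: `rhel8uid_uid_start` and `rhel8uid_uid_stop` are removed rather than aliased, so an inventory that overrode them will silently fall back to the new defaults (upper bound 65533 instead of 60000) — I cannot see the consumers from this page, so confirm nothing else still references the old names.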
2 changes: 1 addition & 1 deletion handlers/main.yml
Expand Up @@ -74,7 +74,7 @@
state: restarted

- name: Rebuild_grub
ansible.builtin.shell: "grub2-mkconfig -o {{ discovered_grub_cfg.stat.lnk_source }}"
ansible.builtin.shell: "grub2-mkconfig -o {{ prelim_grub_cfg.stat.lnk_source }}"
ignore_errors: true # noqa ignore-errors
notify: Change_requires_reboot
tags:
65 changes: 41 additions & 24 deletions tasks/prelim.yml
Expand Up @@ -16,23 +16,40 @@
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false
register: discovered_interactive_usernames
register: prelim_interactive_usernames

- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
changed_when: false
register: discovered_interactive_users_home
register: prelim_interactive_users_home

- name: "PRELIM | AUDIT | Interactive UIDs"
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
changed_when: false
register: discovered_interactive_uids
register: prelim_interactive_uids

- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
block:
- name: "PRELIM | Capture UID_MIN information from logins.def"
ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: prelim_uid_min_id

- name: "PRELIM | Capture UID_MAX information from logins.def"
ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: prelim_uid_max_id

- name: "PRELIM | set_facts for interactive uid/gid"
ansible.builtin.set_fact:
min_int_uid: "{{ prelim_uid_min_id.stdout }}"
max_int_uid: "{{ prelim_uid_max_id.stdout }}"

- name: "PRELIM | AUDIT | Set facts based on boot type"
tags:
Expand All @@ -41,17 +58,17 @@
- name: "PRELIM | AUDIT | Check whether machine is UEFI-based"
ansible.builtin.stat:
path: /sys/firmware/efi
register: discovered_efi_boot
register: prelim_efi_boot

- name: "PRELIM | AUDIT | set legacy boot and grub path fact | Bios"
when: not discovered_efi_boot.stat.exists
when: not prelim_efi_boot.stat.exists
ansible.builtin.set_fact:
rhel8cis_legacy_boot: true
grub2_path: /etc/grub2.cfg
rhel8cis_boot_path: /boot/grub2/

- name: "PRELIM | AUDIT | set grub fact | UEFI"
when: discovered_efi_boot.stat.exists
when: prelim_efi_boot.stat.exists
ansible.builtin.set_fact:
grub2_path: /etc/grub2-efi.cfg
rhel8cis_boot_path: "/boot/efi/EFI/{{ansible_facts.distribution | lower }}/"
Expand All @@ -62,7 +79,7 @@
ansible.builtin.stat:
path: "{{ grub2_path }}"
changed_when: false
register: discovered_grub_cfg
register: prelim_grub_cfg

- name: "PRELIM | AUDIT | Gather the package facts before prelim"
tags:
Expand Down Expand Up @@ -106,8 +123,8 @@
- always
ansible.builtin.shell: findmnt -kn /dev/shm
changed_when: false
failed_when: discovered_dev_shm_present.rc not in [ 0, 1 ]
register: discovered_dev_shm_present
failed_when: prelim_dev_shm_present.rc not in [ 0, 1 ]
register: prelim_dev_shm_present

- name: "PRELIM | AUDIT | systemd coredump file check"
when:
Expand All @@ -116,7 +133,7 @@
- always
ansible.builtin.stat:
path: /etc/systemd/coredump.conf
register: discovered_systemd_coredump
register: prelim_systemd_coredump

- name: "PRELIM | AUDIT | Ensure crypto-policies-scripts package is installed"
when: "'crypto-policies-scripts' not in ansible_facts.packages"
Expand All @@ -134,16 +151,16 @@
ansible.builtin.shell: 'update-crypto-policies --show'
changed_when: false
check_mode: false
register: discovered_system_wide_crypto_policy
register: prelim_system_wide_crypto_policy

- name: "PRELIM | AUDIT | Gather system-wide crypto-policy | set fact for crypto policy"
ansible.builtin.set_fact:
current_crypto_policy: "{{ discovered_system_wide_crypto_policy.stdout.split(':')[0] }}"
current_crypto_policy: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[0] }}"

- name: "PRELIM | AUDIT | Gather system-wide crypto-policy module | set fact for crypto submodule"
when: "':' in discovered_system_wide_crypto_policy.stdout"
when: "':' in prelim_system_wide_crypto_policy.stdout"
ansible.builtin.set_fact:
current_crypto_module: "{{ discovered_system_wide_crypto_policy.stdout.split(':')[1] }}"
current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}"

- name: "PRELIM | PATCH | Install dconf if gui"
when:
Expand Down Expand Up @@ -174,7 +191,7 @@
changed_when: false
failed_when: false
check_mode: false
register: discovered_sudoers_files
register: prelim_sudoers_files

- name: "PRELIM | AUDIT | Check authselect package versions"
tags:
Expand Down Expand Up @@ -234,7 +251,7 @@
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
changed_when: false
register: discovered_interactive_users_home
register: prelim_interactive_users_home

- name: "PRELIM | PATCH | Section 5.1 | Configure System Accounting (auditd)"
when:
Expand All @@ -249,8 +266,8 @@
- name: "PRELIM | AUDIT | 5.2.4.x | Ensure audit log files are mode 0640 or less permissive | discover file"
ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
changed_when: false
failed_when: discovered_audit_logfile.rc not in [0, 1]
register: discovered_audit_logfile
failed_when: prelim_audit_logfile.rc not in [0, 1]
register: prelim_audit_logfile
when:
- rhel8cis_rule_5_2_4_1
- rhel8cis_rule_5_2_4_2
Expand Down Expand Up @@ -284,18 +301,18 @@
file_type: file
recurse: true
patterns: '*.conf,*.rules'
register: discovered_auditd_conf_files
register: prelim_auditd_conf_files

- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
when:
- rhel8cis_rule_6_2_9
tags:
- always
ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit 1}'"
failed_when: discovered_uid_zero_accounts_except_root.rc not in [ 0, 1 ]
failed_when: prelim_uid_zero_accounts_except_root.rc not in [ 0, 1 ]
changed_when: false
check_mode: false
register: discovered_uid_zero_accounts_except_root
register: prelim_uid_zero_accounts_except_root

##### Optional #####

Expand All @@ -322,11 +339,11 @@
- name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening | Check existence"
ansible.builtin.shell: grep -E "OPTIONS=.*-4" /etc/sysconfig/chronyd
changed_when: false
failed_when: discovered_chrony_ipv6_exists.rc not in [ 0, 1]
register: discovered_chrony_ipv6_exists
failed_when: prelim_chrony_ipv6_exists.rc not in [ 0, 1]
register: prelim_chrony_ipv6_exists

- name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening"
when: discovered_chrony_ipv6_exists.stdout | length == 0
when: prelim_chrony_ipv6_exists.stdout | length == 0
ansible.builtin.lineinfile:
path: /etc/sysconfig/chronyd
regexp: '^OPTIONS="(?!.* -4.*)(.*)"'
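Review bot: The new "Discover Interactive UID MIN and MIN from logins.def" block has no `when:` in the hunk, so the `discover_int_uid` toggle documented in defaults/main.yml does not gate it and the final `set_fact` unconditionally overwrites `min_int_uid` and `max_int_uid`; add `when: discover_int_uid` between the task name and `block:`, and give the block `tags: [always]` like the neighbouring prelim tasks so the facts exist under tag-filtered runs. If `grep -w "^UID_MIN"` matches nothing the pipeline still exits 0 with empty stdout and the fact becomes `""`, which would make the 6.2.10 range check meaningless — guard each capture with `failed_when: prelim_uid_min_id.stdout | length == 0` (and the UID_MAX equivalent), or keep the default via `| default(min_int_uid, true)`. Presumably the resulting facts are strings rather than integers; the 6.2.10 task that consumes them is not on this page, so confirm it applies `| int` before comparing. The task name should also read "UID MIN and MAX from login.defs". Separately, the two "Interactive User accounts home directories" tasks both register `prelim_interactive_users_home` but only the first filters `$7 != "/dev/null"`, so the second silently overrides the first with a slightly different set.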
6 changes: 3 additions & 3 deletions tasks/section_1/cis_1.1.2.2.x.yml
Expand Up @@ -18,12 +18,12 @@
block:

- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Absent"
when: discovered_dev_shm_present is undefined
when: prelim_dev_shm_present is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"

- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Present"
when: discovered_dev_shm_present is undefined
when: prelim_dev_shm_present is undefined
ansible.builtin.import_tasks:
file: warning_facts.yml

Expand All @@ -32,7 +32,7 @@
1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
when:
- discovered_dev_shm_present is defined
- prelim_dev_shm_present is defined
- rhel8cis_rule_1_1_2_2_2 or
rhel8cis_rule_1_1_2_2_3 or
rhel8cis_rule_1_1_2_2_4
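Review bot: `prelim_dev_shm_present is undefined` on the "Absent" and "Present" tasks can only be true when prelim.yml never ran at all: the prelim task registers the variable with `failed_when: ... rc not in [ 0, 1 ]`, so a `findmnt -kn /dev/shm` that finds no mount (rc 1) still defines it and the warning never fires. If the intent is to warn when /dev/shm is not a separate mount, test the result instead, e.g. `when: prelim_dev_shm_present.rc != 0` on both warning tasks and `- prelim_dev_shm_present.rc == 0` in the 1.1.2.2.2-4 condition. The enclosing block for 1.1.2.2.1 starts above this hunk, so check whether a surrounding `when:` already narrows it.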
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.3.x.yml
Expand Up @@ -24,8 +24,8 @@
- name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured"
when:
- rhel8cis_rule_1_3_2
- discovered_grub_cfg.stat.exists
- discovered_grub_cfg.stat.islnk
- prelim_grub_cfg.stat.exists
- prelim_grub_cfg.stat.islnk
tags:
- level1-server
- level1-workstation
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.4.x.yml
Expand Up @@ -66,7 +66,7 @@
- name: "1.4.4 | PATCH | Ensure core dump storage is disabled"
when:
- rhel8cis_rule_1_4_4
- discovered_systemd_coredump.stat.exists
- prelim_systemd_coredump.stat.exists
tags:
- level1-server
- level1-workstation
8 changes: 4 additions & 4 deletions tasks/section_1/cis_1.6.x.yml
Expand Up @@ -18,15 +18,15 @@

- name: "1.6.1 | PATCH | Ensure system-wide crypto policy is not legacy"
when:
- rhel8cis_full_crypto_policy not in discovered_system_wide_crypto_policy.stdout
- rhel8cis_full_crypto_policy not in prelim_system_wide_crypto_policy.stdout
ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel8cis_full_crypto_policy }}"
update-crypto-policies
- name: "1.6.2 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"
when:
- rhel8cis_rule_1_6_2
- "'NO-SHA1' not in discovered_system_wide_crypto_policy.stdout"
- "'NO-SHA1' not in prelim_system_wide_crypto_policy.stdout"
tags:
- level1-server
- level1-workstation
Expand All @@ -47,7 +47,7 @@
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables cbc for ssh"
when:
- rhel8cis_rule_1_6_3
- "'NO-SSHCBC' not in discovered_system_wide_crypto_policy.stdout"
- "'NO-SSHCBC' not in prelim_system_wide_crypto_policy.stdout"
tags:
- level1-server
- level1-workstation
Expand All @@ -68,7 +68,7 @@
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits"
when:
- rhel8cis_rule_1_6_4
- "'NO-WEAKMAC' not in discovered_system_wide_crypto_policy.stdout"
- "'NO-WEAKMAC' not in prelim_system_wide_crypto_policy.stdout"
tags:
- level1-server
- level1-workstation
4 changes: 2 additions & 2 deletions tasks/section_4/cis_4.3.x.yml
Expand Up @@ -64,7 +64,7 @@
regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
replace: '\1PASSWD\2'
validate: '/usr/sbin/visudo -cf %s'
loop: "{{ discovered_sudoers_files.stdout_lines }}"
loop: "{{ prelim_sudoers_files.stdout_lines }}"

- name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when:
Expand All @@ -82,7 +82,7 @@
regexp: '^([^#].*)!authenticate(.*)'
replace: '\1authenticate\2'
validate: '/usr/sbin/visudo -cf %s'
loop: "{{ discovered_sudoers_files.stdout_lines }}"
loop: "{{ prelim_sudoers_files.stdout_lines }}"

- name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
when:
4 changes: 2 additions & 2 deletions tasks/section_4/cis_4.5.2.x.yml
Expand Up @@ -53,7 +53,7 @@
block:
- name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Set nologin"
when:
- item.id not in discovered_interactive_usernames.stdout
- item.id not in prelim_interactive_usernames.stdout
- "'root' not in item.id"
ansible.builtin.user:
name: "{{ item.id }}"
Expand All @@ -64,7 +64,7 @@

- name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts"
when:
- "item.id not in discovered_interactive_usernames.stdout"
- "item.id not in prelim_interactive_usernames.stdout"
- "'root' not in item.id"
ansible.builtin.user:
name: "{{ item.id }}"
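Review bot: `item.id not in prelim_interactive_usernames.stdout` is a substring test against the newline-joined output, so a system account whose name is contained in an interactive user's name (constructed example: `git` when `gitlab` is interactive) is treated as interactive and skipped by both the nologin and the lock task. Use the list form on both conditions, `- item.id not in prelim_interactive_usernames.stdout_lines`, and for the same reason replace `- "'root' not in item.id"` with `- item.id != 'root'` so an account merely containing "root" is still secured. The block these tasks belong to starts above this hunk.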
12 changes: 6 additions & 6 deletions tasks/section_5/cis_5.2.4.x.yml
Expand Up @@ -10,7 +10,7 @@
- auditd
- rule_5.2.4.1
ansible.builtin.file:
path: "{{ discovered_audit_logfile.stdout | dirname }}"
path: "{{ prelim_audit_logfile.stdout | dirname }}"
state: directory
mode: 'g-w,o-rwx'

Expand All @@ -33,7 +33,7 @@
block:
- name: "5.2.4.2 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file"
ansible.builtin.stat:
path: "{{ discovered_audit_logfile.stdout }}"
path: "{{ prelim_audit_logfile.stdout }}"
changed_when: false
register: discovered_auditlog_info

Expand All @@ -42,7 +42,7 @@
"5.2.4.3 | PATCH | Ensure only authorized users own audit log files"
"5.2.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
ansible.builtin.file:
path: "{{ discovered_audit_logfile.stdout }}"
path: "{{ prelim_audit_logfile.stdout }}"
mode: 'o-x,g-wx,o-rwx'
owner: root
group: root
Expand All @@ -59,7 +59,7 @@
ansible.builtin.file:
path: "{{ item.path }}"
mode: 'g-wx,o-rwx'
loop: "{{ discovered_auditd_conf_files.files }}"
loop: "{{ prelim_auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"

Expand All @@ -75,7 +75,7 @@
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
loop: "{{ discovered_auditd_conf_files.files }}"
loop: "{{ prelim_auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"

Expand All @@ -91,7 +91,7 @@
ansible.builtin.file:
path: "{{ item.path }}"
group: root
loop: "{{ discovered_auditd_conf_files.files }}"
loop: "{{ prelim_auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
