diff --git a/defaults/main.yml b/defaults/main.yml index 45692cdd..6dd4445f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -773,9 +773,6 @@ rhel8cis_inactivelock: # Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel8cis_futurepwchgdate_autofix: true -rhel8uid_uid_start: 1000 -rhel8uid_uid_stop: 60000 - ## Section5 vars ## Preferred method of logging @@ -803,6 +800,19 @@ rhel8cis_auditd: admin_space_left_action: single max_log_file_action: keep_logs +# UID settings for interactive users +# These are discovered via logins.def if set true +discover_int_uid: true +### Controls: +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has +# been set to `true`. +min_int_uid: 1000 +### Controls: +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has +# been set to `true`. +max_int_uid: 65533 + # This can be used to configure other keys in auditd.conf rhel8cis_auditd_extra_conf: {} # Example: diff --git a/handlers/main.yml b/handlers/main.yml index 49d3d7ed..ae469e8a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -74,7 +74,7 @@ state: restarted - name: Rebuild_grub - ansible.builtin.shell: "grub2-mkconfig -o {{ discovered_grub_cfg.stat.lnk_source }}" + ansible.builtin.shell: "grub2-mkconfig -o {{ prelim_grub_cfg.stat.lnk_source }}" ignore_errors: true # noqa ignore-errors notify: Change_requires_reboot tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index df3b5e64..496565c5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
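Review bot: The three new defaults in the second defaults/main.yml hunk (`discover_int_uid`, `min_int_uid`, `max_int_uid`) are the only variables in this file without the role's `rhel8cis_` prefix, so they share a namespace with every other role and inventory variable in the play; a prefixed name such as `rhel8cis_discover_int_uid` would match `rhel8cis_futurepwchgdate_autofix` and the rest of the file, though that rename has to be carried through tasks/prelim.yml and templates/audit/99_auditd.rules.j2. The comments also point at `logins.def`, while the file the prelim task reads is `/etc/login.defs`, and the second `### Controls:` stanza never says what `max_int_uid` bounds; I would write `# Upper bound of the interactive UID range (UID_MAX); overwritten from /etc/login.defs when discover_int_uid is true.` there. Finally the static ceiling changes from the removed `rhel8uid_uid_stop: 60000` to `max_int_uid: 65533`, which widens the range treated as interactive whenever discovery is off, and that deserves a sentence in the comment if it is intended.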
@@ -16,7 +16,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false - register: discovered_interactive_usernames + register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" tags: @@ -24,7 +24,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' changed_when: false - register: discovered_interactive_users_home + register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" tags: @@ -32,7 +32,24 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false - register: discovered_interactive_uids + register: prelim_interactive_uids + +- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" + block: + - name: "PRELIM | Capture UID_MIN information from logins.def" + ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: prelim_uid_min_id + + - name: "PRELIM | Capture UID_MAX information from logins.def" + ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: prelim_uid_max_id + + - name: "PRELIM | set_facts for interactive uid/gid" + ansible.builtin.set_fact: + min_int_uid: "{{ prelim_uid_min_id.stdout }}" + max_int_uid: "{{ prelim_uid_max_id.stdout }}" - name: "PRELIM | AUDIT | Set facts based on boot type" tags: 
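Review bot: The new `PRELIM | Discover Interactive UID MIN and MIN from logins.def` block carries no `when: discover_int_uid`, so the `set_fact` at its end overrides `min_int_uid`/`max_int_uid` on every run and the toggle documented in defaults/main.yml has no effect; it also lacks the `tags: - always` the neighbouring prelim tasks carry, so a tag-filtered run skips discovery while the rest of the role still consumes the values. A second gap is that `grep ... | awk` exits with awk's status, so a missing or commented-out `UID_MIN` line yields rc 0 with empty stdout, the empty string lands in `min_int_uid`, and every `-F auid>={{ min_int_uid }}` rule in templates/audit/99_auditd.rules.j2 then renders without a value, which makes the whole rules file unloadable; a `failed_when` on empty stdout closes that. The task name should also read `UID_MIN and UID_MAX from /etc/login.defs`. The rewritten block follows.
```yaml
- name: "PRELIM | Discover interactive UID_MIN and UID_MAX from /etc/login.defs"
  when: discover_int_uid
  tags:
    - always
  block:
    - name: "PRELIM | Capture UID_MIN from /etc/login.defs"
      ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
      changed_when: false
      # An empty result would otherwise become an empty auid filter in the audit rules.
      failed_when: prelim_uid_min_id.stdout | length == 0
      register: prelim_uid_min_id

    # … unchanged: UID_MAX capture, with the same failed_when guard on prelim_uid_max_id …

    - name: "PRELIM | set_facts for interactive uid/gid"
      ansible.builtin.set_fact:
        min_int_uid: "{{ prelim_uid_min_id.stdout }}"
        max_int_uid: "{{ prelim_uid_max_id.stdout }}"
```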
@@ -41,17 +58,17 @@ - name: "PRELIM | AUDIT | Check whether machine is UEFI-based" ansible.builtin.stat: path: /sys/firmware/efi - register: discovered_efi_boot + register: prelim_efi_boot - name: "PRELIM | AUDIT | set legacy boot and grub path fact | Bios" - when: not discovered_efi_boot.stat.exists + when: not prelim_efi_boot.stat.exists ansible.builtin.set_fact: rhel8cis_legacy_boot: true grub2_path: /etc/grub2.cfg rhel8cis_boot_path: /boot/grub2/ - name: "PRELIM | AUDIT | set grub fact | UEFI" - when: discovered_efi_boot.stat.exists + when: prelim_efi_boot.stat.exists ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg rhel8cis_boot_path: "/boot/efi/EFI/{{ansible_facts.distribution | lower }}/" @@ -62,7 +79,7 @@ ansible.builtin.stat: path: "{{ grub2_path }}" changed_when: false - register: discovered_grub_cfg + register: prelim_grub_cfg - name: "PRELIM | AUDIT | Gather the package facts before prelim" tags: @@ -106,8 +123,8 @@ - always ansible.builtin.shell: findmnt -kn /dev/shm changed_when: false - failed_when: discovered_dev_shm_present.rc not in [ 0, 1 ] - register: discovered_dev_shm_present + failed_when: prelim_dev_shm_present.rc not in [ 0, 1 ] + register: prelim_dev_shm_present - name: "PRELIM | AUDIT | systemd coredump file check" when: @@ -116,7 +133,7 @@ - always ansible.builtin.stat: path: /etc/systemd/coredump.conf - register: discovered_systemd_coredump + register: prelim_systemd_coredump - name: "PRELIM | AUDIT | Ensure crypto-policies-scripts package is installed" when: "'crypto-policies-scripts' not in ansible_facts.packages" 
@@ -134,16 +151,16 @@ ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false - register: discovered_system_wide_crypto_policy + register: prelim_system_wide_crypto_policy - name: "PRELIM | AUDIT | Gather system-wide crypto-policy | set fact for crypto policy" ansible.builtin.set_fact: - current_crypto_policy: "{{ discovered_system_wide_crypto_policy.stdout.split(':')[0] }}" + current_crypto_policy: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[0] }}" - name: "PRELIM | AUDIT | Gather system-wide crypto-policy module | set fact for crypto submodule" - when: "':' in discovered_system_wide_crypto_policy.stdout" + when: "':' in prelim_system_wide_crypto_policy.stdout" ansible.builtin.set_fact: - current_crypto_module: "{{ discovered_system_wide_crypto_policy.stdout.split(':')[1] }}" + current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}" - name: "PRELIM | PATCH | Install dconf if gui" when: @@ -174,7 +191,7 @@ changed_when: false failed_when: false check_mode: false - register: discovered_sudoers_files + register: prelim_sudoers_files - name: "PRELIM | AUDIT | Check authselect package versions" tags: @@ -234,7 +251,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' changed_when: false - register: discovered_interactive_users_home + register: prelim_interactive_users_home - name: "PRELIM | PATCH | Section 5.1 | Configure System Accounting (auditd)" when: 
@@ -249,8 +266,8 @@ - name: "PRELIM | AUDIT | 5.2.4.x | Ensure audit log files are mode 0640 or less permissive | discover file" ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" changed_when: false - failed_when: discovered_audit_logfile.rc not in [0, 1] - register: discovered_audit_logfile + failed_when: prelim_audit_logfile.rc not in [0, 1] + register: prelim_audit_logfile when: - rhel8cis_rule_5_2_4_1 - rhel8cis_rule_5_2_4_2 @@ -284,7 +301,7 @@ file_type: file recurse: true patterns: '*.conf,*.rules' - register: discovered_auditd_conf_files + register: prelim_auditd_conf_files - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" when: @@ -292,10 +309,10 @@ tags: - always ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit 1}'" - failed_when: discovered_uid_zero_accounts_except_root.rc not in [ 0, 1 ] + failed_when: prelim_uid_zero_accounts_except_root.rc not in [ 0, 1 ] changed_when: false check_mode: false - register: discovered_uid_zero_accounts_except_root + register: prelim_uid_zero_accounts_except_root ##### Optional ##### @@ -322,11 +339,11 @@ - name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening | Check existence" ansible.builtin.shell: grep -E "OPTIONS=.*-4" /etc/sysconfig/chronyd changed_when: false - failed_when: discovered_chrony_ipv6_exists.rc not in [ 0, 1] - register: discovered_chrony_ipv6_exists + failed_when: prelim_chrony_ipv6_exists.rc not in [ 0, 1] + register: prelim_chrony_ipv6_exists - name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening" - when: discovered_chrony_ipv6_exists.stdout | length == 0 + when: prelim_chrony_ipv6_exists.stdout | length == 0 ansible.builtin.lineinfile: path: /etc/sysconfig/chronyd regexp: '^OPTIONS="(?!.* -4.*)(.*)"' diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 42c04a0d..cafc1929 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml 
+++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -18,12 +18,12 @@ block: - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Absent" - when: discovered_dev_shm_present is undefined + when: prelim_dev_shm_present is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Present" - when: discovered_dev_shm_present is undefined + when: prelim_dev_shm_present is undefined ansible.builtin.import_tasks: file: warning_facts.yml @@ -32,7 +32,7 @@ 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" when: - - discovered_dev_shm_present is defined + - prelim_dev_shm_present is defined - rhel8cis_rule_1_1_2_2_2 or rhel8cis_rule_1_1_2_2_3 or rhel8cis_rule_1_1_2_2_4 diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 9c82fe44..c8041bb2 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -24,8 +24,8 @@ - name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured" when: - rhel8cis_rule_1_3_2 - - discovered_grub_cfg.stat.exists - - discovered_grub_cfg.stat.islnk + - prelim_grub_cfg.stat.exists + - prelim_grub_cfg.stat.islnk tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 818b5eba..7bd584f3 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -66,7 +66,7 @@ - name: "1.4.4 | PATCH | Ensure core dump storage is disabled" when: - rhel8cis_rule_1_4_4 - - discovered_systemd_coredump.stat.exists + - prelim_systemd_coredump.stat.exists tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 4e619c49..d5fc1fdb 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml 
@@ -18,7 +18,7 @@ - name: "1.6.1 | PATCH | Ensure system-wide crypto policy is not legacy" when: - - rhel8cis_full_crypto_policy not in discovered_system_wide_crypto_policy.stdout + - rhel8cis_full_crypto_policy not in prelim_system_wide_crypto_policy.stdout ansible.builtin.shell: | update-crypto-policies --set "{{ rhel8cis_full_crypto_policy }}" update-crypto-policies @@ -26,7 +26,7 @@ - name: "1.6.2 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support" when: - rhel8cis_rule_1_6_2 - - "'NO-SHA1' not in discovered_system_wide_crypto_policy.stdout" + - "'NO-SHA1' not in prelim_system_wide_crypto_policy.stdout" tags: - level1-server - level1-workstation @@ -47,7 +47,7 @@ - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables cbc for ssh" when: - rhel8cis_rule_1_6_3 - - "'NO-SSHCBC' not in discovered_system_wide_crypto_policy.stdout" + - "'NO-SSHCBC' not in prelim_system_wide_crypto_policy.stdout" tags: - level1-server - level1-workstation @@ -68,7 +68,7 @@ - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits" when: - rhel8cis_rule_1_6_4 - - "'NO-WEAKMAC' not in discovered_system_wide_crypto_policy.stdout" + - "'NO-WEAKMAC' not in prelim_system_wide_crypto_policy.stdout" tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4ad33145..a12b0fee 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -64,7 +64,7 @@ regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ discovered_sudoers_files.stdout_lines }}" + loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" when: 
@@ -82,7 +82,7 @@ regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ discovered_sudoers_files.stdout_lines }}" + loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" when: diff --git a/tasks/section_4/cis_4.5.2.x.yml b/tasks/section_4/cis_4.5.2.x.yml index 1a2eae1a..45971e1d 100644 --- a/tasks/section_4/cis_4.5.2.x.yml +++ b/tasks/section_4/cis_4.5.2.x.yml @@ -53,7 +53,7 @@ block: - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Set nologin" when: - - item.id not in discovered_interactive_usernames.stdout + - item.id not in prelim_interactive_usernames.stdout - "'root' not in item.id" ansible.builtin.user: name: "{{ item.id }}" @@ -64,7 +64,7 @@ - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts" when: - - "item.id not in discovered_interactive_usernames.stdout" + - "item.id not in prelim_interactive_usernames.stdout" - "'root' not in item.id" ansible.builtin.user: name: "{{ item.id }}" diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index 2914005e..fe61811b 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -10,7 +10,7 @@ - auditd - rule_5.2.4.1 ansible.builtin.file: - path: "{{ discovered_audit_logfile.stdout | dirname }}" + path: "{{ prelim_audit_logfile.stdout | dirname }}" state: directory mode: 'g-w,o-rwx' @@ -33,7 +33,7 @@ block: - name: "5.2.4.2 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" ansible.builtin.stat: - path: "{{ discovered_audit_logfile.stdout }}" + path: "{{ prelim_audit_logfile.stdout }}" changed_when: false register: discovered_auditlog_info 
@@ -42,7 +42,7 @@ "5.2.4.3 | PATCH | Ensure only authorized users own audit log files" "5.2.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: - path: "{{ discovered_audit_logfile.stdout }}" + path: "{{ prelim_audit_logfile.stdout }}" mode: 'o-x,g-wx,o-rwx' owner: root group: root @@ -59,7 +59,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: 'g-wx,o-rwx' - loop: "{{ discovered_auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -75,7 +75,7 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root - loop: "{{ discovered_auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -91,7 +91,7 @@ ansible.builtin.file: path: "{{ item.path }}" group: root - loop: "{{ discovered_auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 9d282757..dcfc8ac5 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -302,7 +302,7 @@ - name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" when: - - discovered_uid_zero_accounts_except_root.rc + - prelim_uid_zero_accounts_except_root.rc - rhel8cis_rule_6_2_9 tags: - level1-server @@ -319,7 +319,7 @@ ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false - loop: "{{ discovered_uid_zero_accounts_except_root.stdout_lines }}" + loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" when: 
@@ -338,18 +338,16 @@ block: - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" ansible.builtin.file: - path: "{{ item.dir }}" + path: "{{ item }}" state: directory - owner: "{{ item.id }}" - loop: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_uid_start | int ) | selectattr('uid', '<=', rhel8uid_uid_stop | int ) | list }}" - loop_control: - label: "{{ item.id }}" + owner: "{{ item | basename }}" + loop: "{{ prelim_interactive_users_home.stdout_lines }}" - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Permissions" ansible.builtin.file: path: "{{ item }}" mode: 'g-w,o-rwx' - loop: "{{ discovered_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users_home.stdout_lines }}" when: not system_is_container - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 9284799b..09d15042 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -664,9 +664,6 @@ rhel8cis_inactivelock: # 5.6.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel8cis_futurepwchgdate_autofix: {{ rhel8cis_futurepwchgdate_autofix }} -rhel8uid_uid_start: {{ rhel8uid_uid_start }} -rhel8uid_uid_stop: {{ rhel8uid_uid_stop }} - ## Section5 vars ## Preferred method of logging diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 9dd63740..00379a27 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
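Review bot: In the 6.2.10 `Create dir if absent` task, `owner: "{{ item | basename }}"` assumes the last path component of each home directory equals the login name, but `prelim_interactive_users_home` holds only field 6 of /etc/passwd, so the user name is no longer available; where the basename is not a login name the `file` task fails, and where it happens to be another account's name the directory is silently chowned to that account. The passwd-derived list the previous loop used is still available and the commit introduces `min_int_uid`/`max_int_uid` as the replacement bounds, so keeping `item.dir`/`item.id` with the new variable names preserves the ownership semantics. Note also that `prelim_interactive_users_home` is registered by two different tasks in tasks/prelim.yml (old lines 24 and 234, with slightly different awk filters), so whichever runs last decides this loop's input unless one of them is conditioned outside the hunks. The enclosing `block:` and its conditions start before this hunk. Rewritten task:
```yaml
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent"
  ansible.builtin.file:
    path: "{{ item.dir }}"
    state: directory
    owner: "{{ item.id }}"
  loop: "{{ rhel8cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
  loop_control:
    label: "{{ item.id }}"

# … unchanged: Permissions task …
```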
@@ -28,14 +28,14 @@
 {% endif %}
 {% if rhel8cis_rule_5_2_3_6 %}
 {% for proc in discovered_privilege_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel8cis_rule_5_2_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
 {% endif %}
 {% if rhel8cis_rule_5_2_3_8 %}
 -w /etc/group -p wa -k identity
@@ -45,16 +45,16 @@ -w /etc/security/opasswd -p wa -k identity {% endif %} {% if rhel8cis_rule_5_2_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod {% endif %} {% if rhel8cis_rule_5_2_3_10 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k mounts +-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F 
auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts {% endif %} {% if rhel8cis_rule_5_2_3_11 %} -w /var/run/utmp -p wa -k session 
@@ -66,29 +66,29 @@ -w /var/run/faillock -p wa -k logins {% endif %} {% if rhel8cis_rule_5_2_3_13 %} --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete {% endif %} {% if rhel8cis_rule_5_2_3_14 %} -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy {% endif %} {% if rhel8cis_rule_5_2_3_15 %} --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k perm_chng +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} {% if rhel8cis_rule_5_2_3_16 %} --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k perm_chng +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} {% if rhel8cis_rule_5_2_3_17 %} --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} {% if rhel8cis_rule_5_2_3_18 %} --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k usermod +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod {% endif %} {% if rhel8cis_rule_5_2_3_19 %} --a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k kernel_modules --a always,exit -F arch=b64 -S 
init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k kernel_modules --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k kernel_modules +-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules {% endif %} {% if rhel8cis_rule_5_2_3_20 %} -e 2