Oct23 issues #325

Merged: 9 commits, Oct 24, 2023
13 changes: 13 additions & 0 deletions Changelog.md
@@ -1,5 +1,18 @@
# Changes to rhel8CIS

## 1.5.14 based on CIS v2.0.0

- audit updates
- pre and post and format type updates
- #323 thanks to @cobrin preserve copied audit files permissions
- python 3 only

- journald
- #320 thanks to @bbbbaassiieeee set files even if rsyslog chosen

- home directories files change links
- #322 thanks to @mballon

## 1.5.13

- Improvements for workflow and new pipeline methods
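Review bot: the "python 3 only" bullet is tucked under "audit updates" although it records a support change (the rh7/python2 git-install branch is deleted in tasks/pre_remediation_audit.yml in this same PR), so it should be its own top-level entry in 1.5.14, and "pre and post and format type updates" is too vague to tell a user what changed in their audit output; name the format or variable that changed.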
1 change: 0 additions & 1 deletion README.md
Expand Up @@ -12,7 +12,6 @@
![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)

![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible)
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)

![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
12 changes: 9 additions & 3 deletions collections/requirements.yml
@@ -1,8 +1,14 @@
---

collections:
- name: community.general
- name: community.general
source: https://github.com/ansible-collections/community.general
type: git

- name: community.crypto
- name: community.crypto
source: https://github.com/ansible-collections/community.crypto
type: git

- name: ansible.posix
- name: ansible.posix
source: https://github.com/ansible-collections/ansible.posix
type: git
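Review bot: none of the three `type: git` entries carries a `version:`, so `ansible-galaxy collection install -r collections/requirements.yml` now clones whatever the default branch of each GitHub repository holds at install time; a hardening role whose dependencies float on upstream HEAD is neither reproducible nor reviewable. Pin each entry to a tag or commit with `version:` under `source:`, or keep the Galaxy-published collections with a version constraint.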
13 changes: 2 additions & 11 deletions tasks/pre_remediation_audit.yml
Expand Up @@ -15,19 +15,10 @@

- name: Pre Audit | If using git for content set up
block:
- name: Pre Audit | Install git (rh8 python3)
- name: Pre Audit | Install git
ansible.builtin.package:
name: git
state: present
when: ansible_distribution_major_version == '8'

- name: Pre Audit | Install git (rh7 python2)
ansible.builtin.package:
name: git
state: present
vars:
ansible_python_interpreter: "{{ python2_bin }}"
when: ansible_distribution_major_version == '7'

- name: Pre Audit | retrieve audit content files from git
ansible.builtin.git:
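Review bot: dropping the `when: ansible_distribution_major_version == '8'` guard together with the rh7/python2 task means the unconditional `Pre Audit | Install git` now also runs on RHEL 7 targets, where the role no longer sets `ansible_python_interpreter` to `{{ python2_bin }}`; since the changelog declares the role "python 3 only", add an early assert on the distribution version or interpreter (or a README note) so a RHEL 7 host fails with a clear message rather than inside the package module.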
Expand All @@ -41,7 +32,7 @@
ansible.builtin.copy:
src: "{{ audit_local_copy }}"
dest: "{{ audit_conf_dir }}"
mode: 0644
mode: preserve
when:
- audit_content == 'copy'

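Review bot: `mode: preserve` copies the file modes from `audit_local_copy` on the controller, so any file that is group- or world-writable, or executable, in that local copy lands under `audit_conf_dir` on the target with the same bits; the previous `mode: 0644` was a fixed floor. If the point of #323 is to keep execute bits on the audit scripts, consider preserving only those while still stripping group/other write access, or document that the permissions of the local copy are trusted.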
1 change: 0 additions & 1 deletion tasks/section_3/cis_3.1.x.yml
Expand Up @@ -14,7 +14,6 @@
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6

- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system | disable localhost sysctl"
ansible.posix.sysctl:
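Review bot: removing `net.ipv6.conf.lo.disable_ipv6` from the loop is only safe if the following `3.1.1 | PATCH | ... disable localhost sysctl` task sets that key under the same `when` conditions as the loop; only its name is visible in this hunk, so confirm it targets `net.ipv6.conf.lo.disable_ipv6` and is not itself gated off, otherwise loopback keeps IPv6 while `all` and `default` lose it.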
8 changes: 8 additions & 0 deletions tasks/section_4/cis_4.2.2.x.yml
Expand Up @@ -6,6 +6,7 @@
state: present
when:
- rhel8cis_rule_4_2_2_1_1
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
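Review bot: the `rhel8cis_syslog == 'journald'` condition is now repeated in the `when:` of every task shown in this file (4.2.2.1.1 through 4.2.2.1.4, 4.2.2.2, 4.2.2.5, 4.2.2.6 and 4.2.2.7) in place of the single import-level guard removed from tasks/section_4/main.yml; any task in this file that does not receive the condition runs unconditionally, which is the intent of #320 ("set files even if rsyslog chosen") but is not stated anywhere. A comment at the top of the file naming which controls are deliberately ungated would keep the next contributor from re-adding the condition to them.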
Expand All @@ -27,6 +28,7 @@
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel8cis_journal_trustedcertificatefile }}'}
when:
- rhel8cis_rule_4_2_2_1_2
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
Expand All @@ -43,6 +45,7 @@
when:
- rhel8cis_system_is_log_server
- rhel8cis_rule_4_2_2_1_3
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
Expand All @@ -60,6 +63,7 @@
when:
- not rhel8cis_system_is_log_server
- rhel8cis_rule_4_2_2_1_4
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
Expand Down Expand Up @@ -95,6 +99,7 @@
when: "'static' not in rhel8cis_4_2_2_2_status.stdout"
when:
- rhel8cis_rule_4_2_2_2
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
Expand Down Expand Up @@ -147,6 +152,7 @@
notify: restart systemd_journal_upload
when:
- rhel8cis_rule_4_2_2_5
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level2-workstation
Expand All @@ -169,6 +175,7 @@
- { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel8cis_journald_maxfilesec }}'}
when:
- rhel8cis_rule_4_2_2_6
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
Expand Down Expand Up @@ -211,6 +218,7 @@
warn_control_id: '4.2.2.7'
when:
- rhel8cis_rule_4_2_2_7
- rhel8cis_syslog == 'journald'
tags:
- level1-server
- level1-workstation
1 change: 0 additions & 1 deletion tasks/section_4/main.yml
Expand Up @@ -19,7 +19,6 @@

- name: "SECTION | 4.2.2.x| Configure journald"
ansible.builtin.import_tasks: cis_4.2.2.x.yml
when: rhel8cis_syslog == 'journald'

- name: "SECTION | 4.2.3 | Configure logile perms"
ansible.builtin.import_tasks: cis_4.2.3.yml
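Review bot: with the `when:` gone, the section name `SECTION | 4.2.2.x| Configure journald` no longer describes what happens when `rhel8cis_syslog` is `rsyslog` (the file is imported and only some of its tasks are gated on journald); rename it to cover the journal file settings that now apply regardless of the chosen syslog daemon, and while touching this block fix the `Configure logile perms` typo (`logfile`) in the context line below.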
7 changes: 4 additions & 3 deletions tasks/section_6/cis_6.2.x.yml
Expand Up @@ -238,7 +238,7 @@
with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int ) | map(attribute='dir') | list }}"

- name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
ansible.builtin.shell: find -H {{ item.0 | quote }} -type d -not -type l -perm /027
check_mode: false
changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0
register: rhel_08_6_2_9_patch_audit
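Review bot: with `-H` the starting point is dereferenced when `{{ item.0 }}` is a symlink, so `-not -type l` cannot exclude a symlinked home, and combined with `-type d` it is redundant for descendants as well (a directory is never of type `l`); more importantly there is no `-maxdepth 0`, so the audit still walks the whole home tree and reports every subdirectory matching `-perm /027`, while the 6.2.9 PATCH task below now runs with `recurse: false` and only fixes the top-level directory. Either add `-maxdepth 0` here so audit and patch cover the same scope, or `changed_when` will keep reporting drift that the patch never corrects.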
Expand All @@ -254,7 +254,7 @@
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
ansible.builtin.file:
path: "{{ item.0 }}"
recurse: true
recurse: false
mode: a-st,g-w,o-rwx
register: rhel_08_6_2_9_patch
when:
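Review bot: `recurse: false` narrows the PATCH to the home directory itself, but `follow` is left at the module default (true), so when `{{ item.0 }}` is a symlink the mode change is applied to the link target; the 6.2.11 PATCH in this same file adds `follow: false` for exactly that case (#322), so add it here as well.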
Expand Down Expand Up @@ -327,7 +327,7 @@
register: rhel_08_6_2_11_audit

- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
ansible.builtin.shell: find -H {{ item.0 | quote }} type -d -not -type l -perm /027
check_mode: false
changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0
register: rhel_08_6_2_11_patch_audit
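Review bot: `type -d` must be `-type d`, as written in the 6.2.9 audit above; without the leading dash GNU find treats `type` as a second starting path, which normally does not exist and makes the command exit non-zero with `find: 'type': No such file or directory`, and `-d` is the deprecated synonym for `-depth`, so this shell task fails on every host as written.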
Expand All @@ -345,6 +345,7 @@
path: "{{ item.0 }}"
recurse: true
mode: a-st,g-w,o-rwx
follow: false
register: rhel_08_6_2_11_patch
when:
- not ansible_check_mode
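Review bot: `follow: false` only controls whether the top-level `path` is dereferenced, which is the symlinked-home case from #322; the 6.2.9 PATCH earlier in this file operates on the same `{{ item.0 }}` with the default `follow`, so the fix is incomplete unless it is applied there too, and the difference in scope (`recurse: true` here, `recurse: false` for 6.2.9) deserves a comment so it is not mistaken for an oversight.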