diff --git a/Changelog.md b/Changelog.md index 04969f0f..4bd1c86f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 1.1.6 - Based on CIS v1.0.0 + +- #190 - thanks to @ipruteanu-sie + - addressed requirements in PR with alternate method +- #191 - thanks to @numericillustration + - Addressed authselect for pam +- #193 thanks to brakkio86 + ## 1.1.5 - Based on CIS v1.0.0 - added new interactive user discoveries diff --git a/handlers/main.yml b/handlers/main.yml index 544dd4b3..dd97feca 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -79,6 +79,13 @@ ansible.builtin.systemd: daemon-reload: true +- name: Apply_authselect + ansible.builtin.shell: authselect apply-changes + when: not rhel9cis_rule_5_4_2 + +- name: Apply_authselect + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}" + when: rhel9cis_rule_5_4_2 ## Auditd tasks note order for handlers to run - name: Auditd immutable check diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6ffc298f..0db27d34 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -24,7 +24,7 @@ tags: - always ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }' + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: discovered_interactive_usernames diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index a3f2a444..740f8209 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -59,7 +59,7 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.shell: cat /etc/rsyslog.conf + ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$" changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 69eb090e..e4639987 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -3,21 +3,25 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" - ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"' + ansible.builtin.shell: 'authselect list | grep custom' failed_when: false changed_when: false check_mode: false - register: rhel9cis_5_4_1_profiles - - - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" - ansible.builtin.debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" + register: rhel9cis_5_4_1_current_profile - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - when: rhel9cis_authselect_custom_profile_create + when: + - rhel9cis_authselect_custom_profile_create + - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout" + + - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}" + register: authselect_5_4_1_select + when: + - rhel9cis_authselect_custom_profile_create + - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout" + when: - rhel9cis_rule_5_4_1 tags: @@ -28,7 +32,7 @@ - authselect - rule_5.4.1 -- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile" +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" ansible.builtin.shell: "authselect current | grep with-faillock" @@ -43,11 +47,11 @@ - "Below are the current custom profiles" - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" + - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force" when: rhel9cis_authselect_custom_profile_select - - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile" ansible.builtin.lineinfile: path: "/etc/pam.d/password-auth" regexp: "{{ item.regexp }}" @@ -61,7 +65,7 @@ - rhel9cis_add_faillock_without_authselect - rhel9cis_5_4_2_risks == 'ACCEPT' - - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile" ansible.builtin.lineinfile: path: "/etc/pam.d/system-auth" regexp: "{{ item.regexp }}" diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index bb3cf346..57ad96b3 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -11,14 +11,14 @@ - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' @@ -42,6 +42,7 @@ loop: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' } + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth" ansible.builtin.lineinfile: path: "{{ item }}" @@ -51,6 +52,7 @@ loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail" ansible.builtin.lineinfile: path: "{{ item }}" @@ -60,6 +62,7 @@ loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so" ansible.builtin.lineinfile: path: "{{ item }}" @@ -78,10 +81,18 @@ - rule_5.5.2 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^password\s*requisite\s*pam_pwquality.so' + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings" + ansible.builtin.lineinfile: + path: /etc/pam.d/system-auth + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings" + ansible.builtin.lineinfile: + path: /etc/pam.d/password-auth + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' when: - rhel9cis_rule_5_5_3 tags: diff --git a/tasks/section_5/cis_5.5.x_authselect.yml b/tasks/section_5/cis_5.5.x_authselect.yml new file mode 100644 index 00000000..0d1811b7 --- /dev/null +++ b/tasks/section_5/cis_5.5.x_authselect.yml @@ -0,0 +1,144 @@ +--- + +- name: "5.5.1 | PATCH | Ensure password creation requirements are configured" + block: + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^{{ item.name }} + line: "{{ item.name }} = {{ item.value }}" + loop: + - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } + - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + notify: Apply_authselect + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.1 + +- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" + block: + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' } + - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' } + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)' + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" + insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$' + loop: + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + notify: Apply_authselect + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)' + line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" + insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$' + loop: + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + notify: Apply_authselect + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$' + line: "account required pam_faillock.so" + insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$' + loop: + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.2 + +- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + notify: Apply_authselect + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.3 + +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt" + block: + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" + ansible.builtin.replace: + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" + ansible.builtin.replace: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" + ansible.builtin.replace: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + notify: Apply_authselect + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" + ansible.builtin.replace: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.4 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 6ad3dc06..7abe1d1b 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -116,6 +116,7 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" + when: item in discovered_interactive_usernames.stdout when: - rhel9cis_rule_5_6_1_4 tags: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 8fba8986..52713888 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -14,8 +14,10 @@ - item.id != "halt" - item.id != "nfsnobody" - item.uid < min_int_uid | int - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - item.shell != "/bin/false" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.shell != "/dev/null" loop_control: label: "{{ item.id }}" @@ -31,8 +33,10 @@ - item.id != "root" - item.id != "nfsnobody" - item.uid < min_int_uid | int - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - item.shell != "/bin/false" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.shell != "/dev/null" loop_control: label: "{{ item.id }}" when: diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index ed06b5ac..be71ea55 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -20,9 +20,15 @@ ansible.builtin.import_tasks: file: cis_5.4.x.yml -- name: "SECTION | 5.5 | Configure PAM " +- name: "SECTION | 5.5 | Configure PAM | not authselect" ansible.builtin.import_tasks: file: cis_5.5.x.yml + when: not rhel9cis_authselect_custom_profile_select + +- name: "SECTION | 5.5 | Configure PAM | authselect" + ansible.builtin.import_tasks: + file: cis_5.5.x_authselect.yml + when: rhel9cis_authselect_custom_profile_select - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" ansible.builtin.import_tasks: