From 7fde313f85118115c09a317d4a37a4d855bf60b7 Mon Sep 17 00:00:00 2001
From: John Foster
Date: Tue, 13 Feb 2024 15:37:39 +0000
Subject: [PATCH 1/4] Main task was failing when using an AD account to connect to host. With an AD account there isn't an entry in the /etc/shadow file. This caused the password length check to treat it as a zero length password. Now local password check is skipped for AD account. Also added an additional check for a locked local account for the sudo user.
Signed-off-by: John Foster
---
tasks/main.yml | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 858755bd..5b64d7c1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,19 +23,34 @@ - name: "Check password set for {{ ansible_env.SUDO_USER }}" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" - ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: rhel9cis_ansible_user_password_set - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" - ansible.builtin.assert: - that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - vars: - sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret + - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" + ansible.builtin.debug: + msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." + when: + - rhel9cis_ansible_user_password_set.stdout == "not found" + - name: "Check local account" + block: + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + ansible.builtin.assert: + that: + - rhel9cis_ansible_user_password_set.stdout | length != 0 + - rhel9cis_ansible_user_password_set.stdout != "!!" 
+ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + ansible.builtin.assert: + that: + - not rhel9cis_ansible_user_password_set.stdout.startswith("!") + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" + success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" + when: + - rhel9cis_ansible_user_password_set.stdout != "not found" when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined @@ -43,6 +58,8 @@ tags: - user_passwd - rule_5.3.4 + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret - name: Ensure root password is set block: From 0e89fedfcac6ca36ee56383702503641c008cc01 Mon Sep 17 00:00:00 2001 From: John Foster Date: Thu, 15 Feb 2024 10:17:41 +0000 Subject: [PATCH 2/4] Adjusted tasks/main.yml indentation after running precommit checks Signed-off-by: John Foster --- tasks/main.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 5b64d7c1..84bc1ae5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
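Review bot: The grep on the new shell line is unanchored, so for a sudo user `bob` it also matches `bobby` or any shadow line containing the name as a substring, and with several matches `stdout` becomes multi-line — the `!= "!!"` and `startswith("!")` asserts then inspect only the first match, which may belong to a different account. Anchoring on the first field fixes both: `ansible.builtin.shell: "(grep '^{{ ansible_env.SUDO_USER }}:' /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"`. The registered result also carries the user's password hash and nothing suppresses it, so it shows up in verbose output and logs; add `no_log: true` to the shell task (the two assert tasks keep their own messages). A password field of `*`, commonly seen on key-only accounts, passes both asserts yet is equally unusable for a sudo prompt, so consider adding `- rhel9cis_ansible_user_password_set.stdout != "*"` to the first assert's `that:` list. The block's trailing `when`/`tags` are in the next hunk.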
@@ -33,24 +33,24 @@ ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." when: - - rhel9cis_ansible_user_password_set.stdout == "not found" + - rhel9cis_ansible_user_password_set.stdout == "not found" - name: "Check local account" block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" - ansible.builtin.assert: - that: - - rhel9cis_ansible_user_password_set.stdout | length != 0 - - rhel9cis_ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" - ansible.builtin.assert: - that: - - not rhel9cis_ansible_user_password_set.stdout.startswith("!") - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" - success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + ansible.builtin.assert: + that: + - rhel9cis_ansible_user_password_set.stdout | length != 0 + - rhel9cis_ansible_user_password_set.stdout != "!!" 
+ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + ansible.builtin.assert: + that: + - not rhel9cis_ansible_user_password_set.stdout.startswith("!") + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" + success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" when: - - rhel9cis_ansible_user_password_set.stdout != "not found" + - rhel9cis_ansible_user_password_set.stdout != "not found" when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined From e100b02f44957633553738daa5f22d6b9ddcf68d Mon Sep 17 00:00:00 2001 From: John Foster Date: Fri, 16 Feb 2024 15:06:27 +0000 Subject: [PATCH 3/4] Updated cis_6.1.x.yml to avoid deprecation warning as per Illibur's findings in issue #168. Changed vars on line 233 to use dictionary. Signed-off-by: John Foster --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 7bce9c59..f7c33cc3 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -230,7 +230,7 @@ warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found vars: - - rhel_09_6_1_11_ungrouped_files_found: false + rhel_09_6_1_11_ungrouped_files_found: false when: - rhel9cis_rule_6_1_11 tags: From 467434a56f5dce96bcfb6467b4ee429d121ffdbf Mon Sep 17 00:00:00 2001 From: John Foster Date: Mon, 19 Feb 2024 12:03:08 +0000 Subject: [PATCH 4/4] Added blank line between each named task for consistency. Signed-off-by: John Foster --- tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/tasks/main.yml b/tasks/main.yml index 84bc1ae5..40f49afe 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -34,6 +34,7 @@ msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." when: - rhel9cis_ansible_user_password_set.stdout == "not found" + - name: "Check local account" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" @@ -43,6 +44,7 @@ - rhel9cis_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" ansible.builtin.assert: that: