Chage tool related settings: max-days, min-days and warn-age, for get…

.pre-commit-config.yaml

@@ -43,7 +43,7 @@ repos:
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.2.0
+  rev: v24.2.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint

Changelog.md

@@ -1,5 +1,16 @@
 # Changes to rhel9CIS
 
+## 1.1.4 - Based on CIS v1.0.0
+
+- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only
+- thanks to @ipruteanu-sie
+  - #156
+  - #165
+  - #180
+  - #181
+  - #183
+  - #184
+
 ## 1.1.3 - Based on CIS v1.0.0
 
 - updated goss binary to 0.4.4

defaults/main.yml

@@ -424,6 +424,11 @@ rhel9cis_rule_6_2_16: true
 # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
 rhel9cis_tmp_svc: false
 
+## Control 1.2.1
+# For new systems that have not yet run update the gpg key is not yet imported
+# Setting to `true` will allow a test on the package and the foce the import of the key
+rhel9cis_force_gpg_key_import: true
+
 ## Control 1.2.4
 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
 # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks
@@ -998,11 +1003,11 @@ rhel9cis_sshd:
     # This variable sets the maximum number of unresponsive "keep-alive" messages
     # that can be sent from the server to the client before the connection is considered
     # inactive and thus, closed.
-    clientalivecountmax: 0
+    clientalivecountmax: 3
     # This variable sets the time interval in seconds between sending "keep-alive"
     # messages from the server to the client. These types of messages are intended to
     # keep the connection alive and prevent it being terminated due to inactivity.
-    clientaliveinterval: 900
+    clientaliveinterval: 15
     # This variable specifies the amount of seconds allowed for successful authentication to
     # the SSH server.
     logingracetime: 60
@@ -1012,26 +1017,29 @@ rhel9cis_sshd:
     # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
-    allow_users: ""
-    # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+    # allowusers: ""
+
+    # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
     # for users whose primary group or supplementary group list matches one of the patterns. This is done
     # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, https://linux.die.net/man/5/sshd_config
-    allow_groups: "wheel"
+    # allowgroups: "wheel"
+
     # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
     # for users whose user name matches one of the patterns. This is done
     # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
     # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_users: "nobody"
+    denyusers: "nobody"
+
     # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
     # for users whose primary group or supplementary group list matches one of the patterns. This is done
     # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_groups: ""
+    denygroups: ""
 
 ## Control 5.2.5 - Ensure SSH LogLevel is appropriate
 # This variable is used to control the verbosity of the logging produced by the SSH server.
@@ -1055,10 +1063,6 @@ rhel9cis_inactivelock:
     # This variable specifies the number of days of inactivity before an account will be locked.
     # CIS requires a value of 30 days or less.
     lock_days: 30
-# This variable governs if authconfig package should be installed. This package provides a simple method of
-# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used
-# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided.
-rhel9cis_use_authconfig: false
 
 ## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options)
 ## Controls:

tasks/LE_audit_setup.yml

@@ -5,12 +5,12 @@
       - name: Pre Audit Setup | Set audit package name | 64bit
         ansible.builtin.set_fact:
             audit_pkg_arch_name: AMD64
-        when: ansible_machine == "x86_64"
+        when: ansible_facts.machine == "x86_64"
 
       - name: Pre Audit Setup | Set audit package name | ARM64
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
-        when: ansible_machine == "arm64"
+        when: ansible_facts.machine == "arm64"
 
 - name: Pre Audit Setup | Download audit binary
   ansible.builtin.get_url:

tasks/main.yml

@@ -8,7 +8,6 @@
       success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
   when:
       - os_check
-      - not system_is_ec2
   tags:
       - always
 
@@ -169,63 +168,63 @@
       - run_audit
   ansible.builtin.import_tasks: pre_remediation_audit.yml
 
-- name: run Section 1 tasks
+- name: Run Section 1 tasks
   ansible.builtin.import_tasks:
       file: section_1/main.yml
   when: rhel9cis_section1
   tags:
       - rhel9cis_section1
 
-- name: run Section 2 tasks
+- name: Run Section 2 tasks
   ansible.builtin.import_tasks:
       file: section_2/main.yml
   when: rhel9cis_section2
   tags:
       - rhel9cis_section2
 
-- name: run Section 3 tasks
+- name: Run Section 3 tasks
   ansible.builtin.import_tasks:
       file: section_3/main.yml
   when: rhel9cis_section3
   tags:
       - rhel9cis_section3
 
-- name: run Section 4 tasks
+- name: Run Section 4 tasks
   ansible.builtin.import_tasks:
       file: section_4/main.yml
   when: rhel9cis_section4
   tags:
       - rhel9cis_section4
 
-- name: run Section 5 tasks
+- name: Run Section 5 tasks
   ansible.builtin.import_tasks:
       file: section_5/main.yml
   when: rhel9cis_section5
   tags:
       - rhel9cis_section5
 
-- name: run Section 6 tasks
+- name: Run Section 6 tasks
   ansible.builtin.import_tasks:
       file: section_6/main.yml
   when: rhel9cis_section6
   tags:
       - rhel9cis_section6
 
-- name: run auditd logic
+- name: Run auditd logic
   ansible.builtin.import_tasks:
       file: auditd.yml
   when: update_audit_template
   tags:
       - always
 
-- name: run post remediation tasks
+- name: Run post remediation tasks
   ansible.builtin.import_tasks:
       file: post.yml
   tags:
       - post_tasks
       - always
 
-- name: run post_remediation audit
+- name: Run post_remediation audit
   ansible.builtin.import_tasks:
       file: post_remediation_audit.yml
   when:

tasks/prelim.yml

@@ -136,6 +136,31 @@
       - ansible_facts.distribution != 'RedHat'
       - ansible_facts.distribution != 'OracleLinux'
 
+- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not | RedHat Only"
+  block:
+      - name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not"
+        ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
+        changed_when: false
+        failed_when: false
+        register: check_gpg_imported
+
+      - name: "PRELIM | Check key package matches RedHat"
+        ansible.builtin.shell: rpm -qi redhat-release | grep Signature
+        changed_when: false
+        failed_when: false
+        register: os_gpg_package_valid
+        when: "'not installed' in check_gpg_imported.stdout"
+
+      - name: "PRELIM | Force keys to be imported"
+        ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+        when:
+            - "'not installed' in check_gpg_imported.stdout"
+            - "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout"
+  when:
+      - rhel9cis_rule_1_2_1
+      - rhel9cis_force_gpg_key_import
+      - ansible_facts.distribution == 'RedHat'
+
 - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
   ansible.builtin.package:
       name: audit
@@ -201,27 +226,6 @@
       - level1_server
       - level1_workstation
 
-- name: "PRELIM | Install authconfig"
-  ansible.builtin.package:
-      name: authconfig
-      state: present
-  become: true
-  when:
-      - rhel9cis_use_authconfig
-      - rhel9cis_rule_5_3_1 or
-        rhel9cis_rule_5_3_2 or
-        rhel9cis_rule_5_3_3 or
-       '"authconfig" not in ansible_facts.packages or
-       "auditd-lib" not in ansible_facts.packages'
-  tags:
-      - level1-server
-      - level1-workstation
-      - rule_5.3.1 or
-        rule_5.3.2 or
-        rule_5.3.3
-      - authconfig
-      - auditd
-
 - name: "PRELIM | 5.3.4 | Find all sudoers files."
   ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
   changed_when: false

tasks/section_1/cis_1.1.7.x.yml

@@ -39,7 +39,6 @@
   notify: Change_requires_reboot
   when:
       - item.mount == "/home"
-      - rhel9cis_rule_1_1_7_1
       - rhel9cis_rule_1_1_7_2 or
         rhel9cis_rule_1_1_7_3
   tags:
@@ -49,5 +48,4 @@
       - mounts
       - rule_1.1.7.2
       - rule_1.1.7.3
-      - rule_1.1.7.4
       - skip_ansible_lint

tasks/section_1/cis_1.3.x.yml

@@ -54,7 +54,7 @@
       - patch
       - rule_1.3.2
 
-- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
+- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
   ansible.builtin.blockinfile:
       path: /etc/aide.conf
       marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"

tasks/section_1/cis_1.8.x.yml

@@ -118,7 +118,7 @@
       - gui
       - rule_1.8.4
 
-- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden"
+- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
   block:
       - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory"
         ansible.builtin.file:

tasks/section_4/cis_4.1.1.x.yml

@@ -25,7 +25,7 @@
 - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
   block:
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
-        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
+        ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p'
         changed_when: false
         failed_when: false
         check_mode: false
@@ -34,7 +34,9 @@
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
         ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
         when:
-            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1
+            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout == '' or
+              '0' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or
+              'off' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout|lower
   when:
       - rhel9cis_rule_4_1_1_2
   tags:
@@ -48,16 +50,32 @@
 - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
   block:
       - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
-        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
+        ansible.builtin.shell:
+            cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"'
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux
 
-      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed"
-        ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"
+      - name: "4.1.1.3 | AUDIT | Check to see if limits are set"
+        ansible.builtin.set_fact:
+            rhel9cis_4_1_1_3_reset_backlog_limits: true
         when:
-            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit
+            - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux is not defined or
+              rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines == []
+
+      - name: "4.1.1.3 | AUDIT | Check to see if any limits are too low"
+        ansible.builtin.set_fact:
+            rhel9cis_4_1_1_3_reset_backlog_limits: true
+        when:
+            - (item | int < rhel9cis_audit_back_log_limit)
+        loop: "{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines }}"
+
+      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
+        ansible.builtin.shell:
+            cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
+        when:
+            - rhel9cis_4_1_1_3_reset_backlog_limits is defined
   when:
       - rhel9cis_rule_4_1_1_3
   tags:

tasks/section_4/cis_4.1.3.x.yml

@@ -99,7 +99,7 @@
       - level2-workstation
       - patch
       - auditd
-      - rule_4.1.3_7
+      - rule_4.1.3.7
 
 # All changes selected are managed by the POST audit and handlers to update
 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
@@ -268,7 +268,7 @@
       - level2-workstation
       - patch
       - auditd
-      - rule_4.1.20
+      - rule_4.1.3.20
 
 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
   ansible.builtin.debug:

tasks/section_4/cis_4.1.4.x.yml

@@ -65,7 +65,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
-  loop: "{{ auditd_conf_files.files | default([]) }}"
+  loop: "{{ auditd_conf_files.files }}"
   loop_control:
       label: "{{ item.path }}"
   when:

tasks/section_5/cis_5.2.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
+- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
   ansible.builtin.file:
       path: "/etc/ssh/sshd_config"
       owner: root