Merge pull request #349 from ansible-lockdown/Feb24_updates

Feb24 updates

Changelog.md

@@ -1,5 +1,15 @@
 # Changes to rhel8CIS
 
+## 1.5.16 - Based on CIS v2.0.0
+
+- updated min ansibleversion to 2.11.1
+
+- changes to 5.6.1.[ 1, 2, 3]
+  - ability to change current users
+  - variables added to defaults/main.yml to enable
+
+- ability to choose remove for mask for nfs,rpc and rsync
+
 ## 1.5.15 - based on CIS v2.0.0
 
 ### Audit
@@ -9,7 +19,7 @@
   - tidy up of audit variables to var/audit.yml and some in defaults/main.ym
 - goss version increased to 0.3.23 - Doesn't run with latest version 0.4+
 
-- updated 5.4.1 a,d 5.4.2 for authselect
+- updated 5.4.1 and 5.4.2 for authselect
 
 - Update to 2.1.2. sysconfig for chronyd
 

README.md

@@ -212,3 +212,9 @@ local testing uses:
 ```sh
 pre-commit run
 ```
+
+## Credits and Thanks
+
+Massive thanks to the fantastic community and all its members.
+This includes a huge thanks and credit to the original authors and maintainers.
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

defaults/main.yml

@@ -119,10 +119,6 @@ rhel8cis_rule_1_1_7_5: true
 rhel8cis_rule_1_1_8_1: true
 rhel8cis_rule_1_1_8_2: true
 rhel8cis_rule_1_1_8_3: true
-rhel8cis_rule_1_1_18: true
-rhel8cis_rule_1_1_19: true
-rhel8cis_rule_1_1_20: true
-rhel8cis_rule_1_1_21: true
 rhel8cis_rule_1_1_9: true
 rhel8cis_rule_1_1_10: true
 rhel8cis_rule_1_2_1: true
@@ -392,11 +388,17 @@ rhel8cis_ftp_server: false
 rhel8cis_httpd_server: false
 rhel8cis_is_mail_server: false
 rhel8cis_net_snmp_server: false
+# Ability to choose between remove or mask(default)
 rhel8cis_nfs_server: false
+rhel8cis_nfs_mask: true
 rhel8cis_nginx_server: false
 rhel8cis_nis_server: false
+# Ability to choose between remove or mask(default)
 rhel8cis_rpc_server: false
+rhel8cis_rpc_mask: true
+# Ability to choose between remove or mask(default)
 rhel8cis_rsync_server: false
+rhel8cis_rsync_mask: true
 rhel8cis_samba_server: false
 rhel8cis_squid_server: false
 rhel8cis_telnet_server: false
@@ -497,7 +499,16 @@ rhel8cis_aide_cron:
     aide_weekday: '*'
 
 # SELinux policy
-rhel8cis_selinux_pol: targeted
+
+# SELinux can run in one of three modes: disabled, permissive, or enforcing:
+# CIS strongly discourages disabled
+# NOTE:
+# Section 1.6.1.5 forces Enforcing to be set. So If rhel8cis_rule_1_6_1_3: true
+# make sure enforcing is set below for idempotency for taks 1.6.1.3 - 5
+rhel8cis_selinux_state: enforcing
+# Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.
+# Valid Inputs: targeted or mls
+rhel8cis_selinux_policy: targeted
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
 rhel8cis_gui: false
@@ -515,6 +526,10 @@ rhel8cis_time_synchronization_servers:
     - 2.pool.ntp.org
     - 3.pool.ntp.org
 
+# rhel8cis_ansible_chrony_managed uses the template built into this remediation to be copied to /etc/chrony.conf
+# If you are using your own self managed /etc/chrony.conf set this to false.
+rhel8cis_chrony_ansible_managed: true
+
 rhel8cis_chrony_server_options: "minpoll 8"
 rhel8cis_ntp_server_options: "iburst"
 
@@ -669,14 +684,28 @@ rhel8cis_authselect:
 # Any other value does nothing
 rhel8cis_pamd_manual_risks: NEVER
 
-# 5.6.1.1
-# 5.6.1.2
-# 5.6.1.3
+# 5.6.1.x
 rhel8cis_pass:
     max_days: 365
     min_days: 7
     warn_age: 7
 
+# 5.6.1.1
+## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['max_days']
+rhel8cis_5_6_1_1_set_max_expiry: false
+
+## Add users to be skipped if required
+rhel8cis_5_6_1_1_user_skip_list:
+    root
+
+# 5.6.1.2
+## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['min_days']
+rhel8cis_5_6_1_1_set_min_days_change: false
+
+# 5.6.1.3
+## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['warn_age']
+rhel8cis_5_6_1_3_set_warn_age_change: false
+
 # 5.6.1.4
 rhel8cis_inactivelock:
     lock_days: 30

handlers/main.yml

@@ -37,6 +37,10 @@
       masked: false
       state: reloaded
 
+- name: Systemd_daemon_reload
+  ansible.builtin.systemd:
+      daemon-reload: true
+
 - name: remount tmp
   ansible.builtin.shell: mount -o remount /tmp
 

meta/main.yml

@@ -1,12 +1,12 @@
 ---
 galaxy_info:
-    author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
+    author: "MindPoint Group"
     description: "Apply the DISA RHEL 8 CIS"
     company: "MindPoint Group"
     license: MIT
     namespace: mindpointgroup
     role_name: rhel8_cis
-    min_ansible_version: 2.9.0
+    min_ansible_version: 2.11.1
     platforms:
         - name: EL
           versions:

tasks/prelim.yml

@@ -103,7 +103,7 @@
       path: /etc/systemd/coredump.conf
   register: systemd_coredump
   when:
-      - rhel8cis_rule_1_6_1
+      - rhel8cis_rule_1_5_1
   tags:
       - always
 

tasks/section_1/cis_1.6.1.x.yml

@@ -33,8 +33,8 @@
 - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured"
   ansible.posix.selinux:
       conf: /etc/selinux/config
-      policy: "{{ rhel8cis_selinux_pol }}"
-      state: enforcing
+      policy: "{{ rhel8cis_selinux_policy }}"
+      state: "{{ rhel8cis_selinux_state }}"
   when:
       - not rhel8cis_selinux_disable
       - rhel8cis_rule_1_6_1_3
@@ -50,23 +50,23 @@
 - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled"
   ansible.posix.selinux:
       conf: /etc/selinux/config
-      policy: "{{ rhel8cis_selinux_pol }}"
-      state: enforcing
+      policy: "{{ rhel8cis_selinux_policy }}"
+      state: "{{ rhel8cis_selinux_state }}"
   when:
       - not rhel8cis_selinux_disable
       - rhel8cis_rule_1_6_1_4
   tags:
       - level1-server
       - level1-workstation
-      - auotmated
+      - automated
       - selinux
       - patch
       - rule_1.6.1.4
 
 - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing"
   ansible.posix.selinux:
       conf: /etc/selinux/config
-      policy: "{{ rhel8cis_selinux_pol }}"
+      policy: "{{ rhel8cis_selinux_policy }}"
       state: enforcing
   when:
       - not rhel8cis_selinux_disable

tasks/section_2/cis_2.1.x.yml

@@ -23,6 +23,7 @@
             owner: root
             group: root
             mode: 0644
+        when: rhel8cis_chrony_ansible_managed
 
       - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd"
         ansible.builtin.lineinfile:

tasks/section_2/cis_2.2.x.yml

@@ -127,7 +127,7 @@
       - vsftpd
       - rule_2.2.8
 
-- name: "2.2.9 | PACH | Ensure TFTP Server is not installed"
+- name: "2.2.9 | PATCH | Ensure TFTP Server is not installed"
   ansible.builtin.package:
       name: tftp-server
       state: absent
@@ -291,14 +291,28 @@
       - rule_2.2.17
 
 # The name title of the service says mask the service or remove packages
-# We went with masking the service due to ipa-client and other elements that are dependant on nfs-utils
+# Option available
 - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
-  ansible.builtin.systemd:
-      name: nfs-utils
-      masked: true
-      state: stopped
+  block:
+      - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | Remove package"
+        ansible.builtin.package:
+            name: nfs-utils
+            state: absent
+        when:
+            - not rhel8cis_nfs_server
+            - not rhel8cis_nfs_mask
+
+      - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | Mask service"
+        notify: Systemd_daemon_reload
+        ansible.builtin.systemd:
+            name: nfs-server.service
+            enabled: false
+            state: stopped
+            masked: true
+        when:
+            - not rhel8cis_nfs_server
+            - rhel8cis_nfs_mask
   when:
-      - not rhel8cis_nfs_server
       - "'nfs-utils' in ansible_facts.packages"
       - rhel8cis_rule_2_2_18
   tags:
@@ -311,15 +325,30 @@
       - rule_2.2.18
 
 # The name title of the service says mask the service or remove packages
-# We went with masking the service due to ipa-client and other elements that are dependant on rpcbind
+# Option available
 - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
-  ansible.builtin.systemd:
-      name: "{{ item }}"
-      masked: true
-      state: stopped
-  with_items:
-      - rpcbind
-      - rpcbind.socket
+  block:
+      - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | Remove package"
+        ansible.builtin.package:
+            name: cups
+            state: absent
+        when:
+            - not rhel8cis_rpc_server
+            - not rhel8cis_rpc_mask
+
+      - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | Mask service"
+        notify: Systemd_daemon_reload
+        ansible.builtin.systemd:
+            name: "{{ item }}"
+            enabled: false
+            state: stopped
+            masked: true
+        loop:
+            - rpcbind.service
+            - rpcbind.socket
+        when:
+            - not rhel8cis_rpc_server
+            - rhel8cis_rpc_mask
   when:
       - not rhel8cis_rpc_server
       - "'rpcbind' in ansible_facts.packages"
@@ -332,15 +361,34 @@
       - rpc
       - rule_2.2.19
 
-# The name title of the service says mask the service, but the fix allows for both options
-# We went with removing to remove the security/update overhead with having the package installed
-- name: "2.2.20 | PATCH | Ensure rsync service is not enabled "
-  ansible.builtin.package:
-      name: rsync
-      state: absent
+# The name title of the service says mask the service or remove packages
+# Option available
+- name: "2.2.20 | PATCH | Ensure rsync is not installed or the rsyncd service is masked"
+  block:
+      - name: "2.2.20 | PATCH | Ensure rsync is not installed or the rsyncd service is masked | Remove package"
+        ansible.builtin.package:
+            name: rsync-daemon
+            state: absent
+        when:
+            - not rhel8cis_rsync_server
+            - not rhel8cis_rsync_mask
+
+      - name: "2.2.20 | PATCH | Ensure rsync is not installed or the rsyncd service is masked | Mask service"
+        notify: Systemd_daemon_reload
+        ansible.builtin.systemd:
+            name: "{{ item }}"
+            enabled: false
+            state: stopped
+            masked: true
+        loop:
+            - 'rsyncd.socket'
+            - 'rsyncd.service'
+        when:
+            - not rhel8cis_rsync_server
+            - rhel8cis_rsync_mask
   when:
       - not rhel8cis_rsync_server
-      - "'rsync' in ansible_facts.packages"
+      - "'rsync-daemon' in ansible_facts.packages"
       - rhel8cis_rule_2_2_20
   tags:
       - level1-server

tasks/section_4/cis_4.1.3.x.yml

@@ -99,7 +99,7 @@
       - automated
       - patch
       - auditd
-      - rule_4.1.3_7
+      - rule_4.1.3.7
 
 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
   ansible.builtin.set_fact:

tasks/section_4/cis_4.2.1.x.yml

@@ -127,7 +127,7 @@
               local2,local3.*                                          -/var/log/localmessages
               local4,local5.*                                          -/var/log/localmessages
               local6,local7.*                                          -/var/log/localmessages
-              *.emrg                                                    :omusrmsg:*
+              *.emerg                                                    :omusrmsg:*
             insertafter: '#### RULES ####'
         notify: restart rsyslog