Merge pull request #406 from ansible-lockdown/august_issues

August issues

Changelog.md

@@ -1,5 +1,16 @@
 # Changes to rhel8CIS
 
+## Benchmark v3.0.0
+
+### 2.1 updates August 2024
+
+new workflow
+audit updates
+authselect rewrite
+thanks to @msachikanta, @fgierlinger, @bantify, @txdavec, @csabapatyi @dirkvdplas, @karlg100 and @devallan for issues and fixes
+now able to run audit on ARM64 although not officially supported by CIS feedback needed
+audit binary update to 0.4.8
+
 ## 2.0 based on CIS 3.0.0
 
 ### This is not an upgrade for CIS v2.0.0 due to the number of changes treat as a new baseline

defaults/main.yml

@@ -563,7 +563,7 @@ rhel8cis_ntp_server_options: "iburst"
 # mask - if a dependancy for product so cannot be removed
 # Server Services
 rhel8cis_autofs_services: false
-rhel8cis_autofs_mask: true
+rhel8cis_autofs_mask: false
 rhel8cis_avahi_server: false
 rhel8cis_avahi_mask: false
 rhel8cis_dhcp_server: false
@@ -686,21 +686,34 @@ rhel8cis_sudolog_location: "/var/log/sudo.log"
 rhel8cis_sudo_timestamp_timeout: 15
 
 ## PAM
-# 4.4.2.x
+## 4.4.2.x PAM and Authselect
 # Do not use authselect if:
 # Your host is part of Linux Identity Management.
 # Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
 # Your host is part of Active Directory via SSSD.
 # Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
-rhel8cis_allow_authselect_updates: false
+rhel8cis_allow_authselect_updates: true
 ##
 rhel8cis_authselect_pkg_update: false  # NOTE the risks if system is using SSSD or using ipa-client-install
-rhel8cis_authselect_custom_profile_create: false
-rhel8cis_authselect_custom_profile_select: false
-rhel8cis_authselect:
-    custom_profile_name: 'cis_example_profile'
-    default_file_to_copy: "sssd --symlink-meta"
-    options: with-sudo with-faillock without-nullok with-pwhistory
+
+## PAM AND Authselect
+
+# To create a new profile (best for greenfield fresh sites not configured)
+# This allows creation of a custom profile using an existing one to build from
+# will only create if profiel does not already exist
+## options true or false
+rhel8cis_authselect_custom_profile_create: true
+## Controls:
+#  - 4.4.2.1 - Ensure custom authselect profile is used
+# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple
+# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk.
+
+# This variable configures the name of the custom profile to be created and selected.
+# To be changed from default - cis_example_profile
+rhel8cis_authselect_custom_profile_name: cis_example_profile
+# Name of the existing authselect profile to copy - options can be found with
+# ```authselect list``` on the host to be configured
+rhel8cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 
 rhel8cis_pam_faillock:
     attempts: 5
@@ -787,7 +800,7 @@ rhel8cis_auditd:
     disk_full_action: halt
     action_mail_acct: root
     space_left_action: email
-    admin_space_left_action: email
+    admin_space_left_action: single
     max_log_file_action: keep_logs
 
 # This can be used to configure other keys in auditd.conf

tasks/LE_audit_setup.yml

@@ -8,7 +8,7 @@
             audit_pkg_arch_name: AMD64
 
       - name: Pre Audit Setup | Set audit package name | ARM64
-        when: ansible_facts.machine == "arm64"
+        when: ansible_facts.machine == "aarch64"
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
 

tasks/main.yml

@@ -108,6 +108,29 @@
         vars:
             sudo_password_rule: rhel8cis_rule_4_3_4  # pragma: allowlist secret
 
+- name: "PRELIM | AUDIT | Check authselect profile is selected"
+  when:
+      - rhel8cis_allow_authselect_updates
+  tags:
+      - always
+  block:
+      - name: "PRELIM | AUDIT | Check authselect profile name has been updated"
+        ansible.builtin.assert:
+            that: rhel8cis_authselect_custom_profile_name != 'cis_example_profile'
+            fail_msg: "You still have the default name for your authselect profile"
+
+      - name: "PRELIM | AUDIT | Check authselect profile is selected"
+        ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
+        changed_when: false
+        failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
+        register: prelim_authselect_current_profile
+
+      - name: "PRELIM | AUDIT | Check authselect profile is selected"
+        ansible.builtin.assert:
+            that: prelim_authselect_current_profile is defined
+            success_msg: "Authselect is running and profile is selected"
+            fail_msg: Authselect updates have been selected there are issues with profile selection"
+
 - name: Include prelim tasks
   tags:
       - prelim_tasks
@@ -139,48 +162,36 @@
 - name: Run Section 1 tasks
   when:
       - rhel8cis_section1
-  tags:
-      - rhel8cis_section1
   ansible.builtin.import_tasks:
       file: section_1/main.yml
 
 - name: Run Section 2 tasks
   when:
       - rhel8cis_section2
-  tags:
-      - rhel8cis_section2
   ansible.builtin.import_tasks:
       file: section_2/main.yml
 
 - name: Run Section 3 tasks
   when:
       - rhel8cis_section3
-  tags:
-      - rhel8cis_section3
   ansible.builtin.import_tasks:
       file: section_3/main.yml
 
 - name: Run Section 4 tasks
   when:
       - rhel8cis_section4
-  tags:
-      - rhel8cis_section4
   ansible.builtin.import_tasks:
       file: section_4/main.yml
 
 - name: run Section 5 tasks
   when:
       - rhel8cis_section5
-  tags:
-      - rhel8cis_section5
   ansible.builtin.import_tasks:
       file: section_5/main.yml
 
 - name: Run Section 6 tasks
   when:
       - rhel8cis_section6
-  tags:
-      - rhel8cis_section6
   ansible.builtin.import_tasks:
       file: section_6/main.yml
 

tasks/post_remediation_audit.yml

@@ -35,7 +35,7 @@
       - audit_format == "documentation"
   block:
       - name: Post Audit | Capture audit data if documentation format
-        ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
+        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
         register: post_audit_summary
         changed_when: false
 

tasks/pre_remediation_audit.yml

@@ -60,12 +60,11 @@
       - name: Pre Audit Setup | Check for goss file
         ansible.builtin.stat:
             path: "{{ audit_bin }}"
-        register: goss_available
+        register: discovered_goss_available
 
       - name: Pre Audit Setup | If audit ensure goss is available
-        when:
-            - not goss_available.stat.exists
         ansible.builtin.assert:
+            that: discovered_goss_available.stat.exists
             msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 
 - name: Pre Audit Setup | Copy ansible default vars values to test audit

tasks/prelim.yml

@@ -228,50 +228,6 @@
         ansible.builtin.import_tasks:
             file: warning_facts.yml
 
-- name: "PRELIM | AUDIT | Check authselect profile is selected"
-  when:
-      - rhel8cis_allow_authselect_updates
-      - rhel8cis_rule_4_4_2_1 or
-        rhel8cis_rule_4_4_2_2 or
-        rhel8cis_rule_4_4_2_3 or
-        rhel8cis_rule_4_4_2_4 or
-        rhel8cis_rule_4_4_2_5 or
-        rhel8cis_rule_4_4_3_1_1 or
-        rhel8cis_rule_4_4_3_1_2 or
-        rhel8cis_rule_4_4_3_1_3
-  tags:
-      - always
-  block:
-      - name: "PRELIM | AUDIT | Check authselect profile name has been updated"
-        ansible.builtin.assert:
-            that: rhel8cis_authselect['custom_profile_name'] != 'cis_example_profile'
-            fail_msg: "You still have the default name for your authselect profile"
-
-      - name: "PRELIM | AUDIT | Check authselect profile is selected"
-        when: not rhel8cis_authselect_custom_profile_create
-        ansible.builtin.shell: authselect current
-        changed_when: false
-        failed_when: discovered_authselect_running_config.rc not in [ 0, 1 ]
-        register: discovered_authselect_running_config
-
-      - name: "PRELIM | AUDIT | Check authselect profile is selected"
-        ansible.builtin.assert:
-            that: not rhel8cis_authselect_custom_profile_create and "'example' not in rhel8cis_authselect['custom_profile_name']" or discovered_authselect_running_config is defined
-            success_msg: "Authselect is running and profile is selected"
-            fail_msg: Authselect updates have been selected there are issues with profile selection"
-
-      - name: "PRELIM | AUDIT | Check profile exists if not created"
-        ansible.builtin.stat:
-            path: "/etc/authselect/custom/{{ rhel8cis_authselect['custom_profile_name'] }}"
-        register: discovered_authselect_profile
-
-      - name: "PRELIM | AUDIT | Check authselect profile exists if not created"
-        when: discovered_authselect_profile.stat.exists
-        ansible.builtin.assert:
-            that: not rhel8cis_authselect_custom_profile_create
-            success_msg: "Authselect is running and profile is selected"
-            fail_msg: Authselect updates have been selected but you have stated create and profile already exists"
-
 - name: "PRELIM | AUDIT | Interactive User accounts home directories"
   tags:
       - always