5.6.1.1 Adding solution for users with passwords. #116

Closed
25 commits
beaeb3a
Merge pull request #45 from ansible-lockdown/devel
uk-bolly Mar 21, 2023
8bbccd6
Merge pull request #47 from ansible-lockdown/devel
uk-bolly Mar 21, 2023
759bbba
Merge pull request #49 from ansible-lockdown/devel
uk-bolly Mar 21, 2023
21a886a
Merge pull request #64 from ansible-lockdown/devel
uk-bolly Jun 6, 2023
10dc297
Merge pull request #84 from ansible-lockdown/devel
uk-bolly Aug 9, 2023
4567a0b
Merge pull request #86 from ansible-lockdown/devel
uk-bolly Aug 9, 2023
00e6f19
Merge pull request #89 from ansible-lockdown/devel
uk-bolly Aug 10, 2023
646b4de
Adding missing lines to sysctl.d/50-default.conf
bgro Oct 12, 2023
7677400
Merge branch 'siemens/feat/reverse_path_filtering_3_3_7' into 'siemen…
bgro Oct 12, 2023
154959a
Adding new entry in /etc/pam.d/system-auth
brisky Oct 12, 2023
ae31f4f
Merge branch 'siemens/feat/ensure_default_umask_027_5_6_5' into 'siem…
brisky Oct 12, 2023
829766b
Update cis_5.6.x.yml
brisky Oct 16, 2023
8319a02
Fix syntax error on cis_5.2.x.yml
brisky Oct 16, 2023
aa4c427
Fix syntax error on cis_5.2.x.yml
brisky Oct 16, 2023
5ab4a1c
Add SSH Variables the proper way, condition entries correct.
brisky Oct 17, 2023
fa0b19c
Merge branch 'siemens/feat/ensure_SSH_access_is_limited_5_2_4' into '…
brisky Oct 17, 2023
0b6d783
Merge branch 'siemens/feat/ensure_default_umask_027_5_6_5' of code.si…
brisky Oct 17, 2023
e4e0b9d
Add SSH Variables the proper way, condition entries correct.
brisky Oct 17, 2023
2dadff7
Add SSH Variables the proper way, condition entries correct.
brisky Oct 17, 2023
2982897
Merge branch 'siemens/feat/ensure_default_umask_027_5_6_5' into 'siem…
brisky Oct 17, 2023
8c7d8f1
Add SSH Variables the proper way, condition entries correct.
brisky Oct 17, 2023
d1721f5
Add SSH Variables the proper way, fix vars.
brisky Oct 17, 2023
be0a0de
Merge branch 'siemens/feat/ensure_SSH_access_is_limited_5_2_4' into '…
brisky Oct 17, 2023
0856639
5.6.1.x Test with shell.
brisky Oct 25, 2023
9c12cc0
Ensure min/max days between password changes.
brisky Nov 2, 2023
4 changes: 4 additions & 0 deletions defaults/main.yml
Expand Up @@ -601,6 +601,10 @@ rhel9cis_pass:
min_days: 7
warn_age: 7

# 5.6.1.1/2 Variable to be adjust so the rule sets password min/max
# This refers to the minimum UID that rule will start from
usr_min_uid: 1000

# 5.5.1
## PAM
rhel9cis_pam_password:
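Review bot: `usr_min_uid` breaks the role's `rhel9cis_` naming convention that every other tunable in this file follows (`rhel9cis_pass`, `rhel9cis_pam_password`), and the same variable is declared again in `vars/RedHat.yml` in this PR; files under a role's `vars/` are loaded at a precedence above inventory and play vars, so that second copy silently wins and an operator cannot change the UID floor from inventory. Keep a single definition here in `defaults/main.yml`, named along the lines of `rhel9cis_pass_min_uid`, and fix the comment wording ("Variable to be adjust" should read "Variable to adjust").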
13 changes: 13 additions & 0 deletions tasks/post.yml
Expand Up @@ -26,6 +26,19 @@
- not system_is_container
- "'procps-ng' in ansible_facts.packages"

- name: POST | Update usr sysctl
ansible.builtin.lineinfile:
dest: /usr/lib/sysctl.d/50-default.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
- { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
when:
- rhel9cis_sysctl_update
- not system_is_container
- "'procps-ng' in ansible_facts.packages"

- name: Flush handlers
ansible.builtin.meta: flush_handlers

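Review bot: the second loop item's `regexp: '^net.ipv4.conf.*.rp_filter'` is an unescaped pattern, so `.*` acts as a wildcard and also matches the `net.ipv4.conf.default.rp_filter = 1` line the first item just wrote; `lineinfile` replaces the last line that matches, so when the `default` entry was appended at EOF it is rewritten into the `*` entry and the `default` setting is lost. Escape the literals, e.g. `regexp: '^net\.ipv4\.conf\.\*\.rp_filter'`, and use `\.` in the first item as well. Two further points: `/usr/lib/sysctl.d/50-default.conf` is the vendor-owned file and is replaced on package updates, so administrator overrides belong in `/etc/sysctl.d/`; and nothing here notifies a handler that reloads sysctl, so the change only takes effect after the next boot.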
8 changes: 4 additions & 4 deletions tasks/section_5/cis_5.2.x.yml
Expand Up @@ -91,7 +91,7 @@
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
validate: sshd -t -f %s
notify: Restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
when: "rhel9cis_sshd['allowgroups']| default('')| length > 0"

- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
ansible.builtin.lineinfile:
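Review bot: this hunk only moves whitespace inside the `when` string (`|default('') | length` to `| default('')| length`) with no functional effect; consider dropping it from a PR that otherwise carries behavioural changes so the diff stays easy to review.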
Expand Down Expand Up @@ -278,7 +278,7 @@
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^Banner'
regexp: "^#Banner|^Banner"
line: 'Banner /etc/issue.net'
when:
- rhel9cis_rule_5_2_15
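Review bot: `regexp: "^#Banner|^Banner"` makes the task replace only the last line matching either branch, so if the file already holds an active `Banner` directive followed later by the stock `#Banner none` comment, the comment is rewritten and the earlier active line is left untouched; sshd honours the first occurrence of a keyword, so the intended value does not win. Matching only active directives (`regexp: '^\s*Banner\b'`) avoids that, and because `lineinfile` appends at EOF when nothing matches, an `insertbefore` anchor is worth adding so a new directive cannot land below a `Match` block, where it would apply only to that block. Unlike the 5.2.20 tasks below, this task also has no `validate: sshd -t -f %s` in the visible lines.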
Expand Down Expand Up @@ -354,14 +354,14 @@
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^ClientAliveInterval'
regexp: '^ClientAliveInterval|^#ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s

- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^ClientAliveCountMax'
regexp: '^ClientAliveCountMax|^#ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
validate: sshd -t -f %s
when:
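Review bot: the same last-match caveat applies to `'^ClientAliveInterval|^#ClientAliveInterval'` and `'^ClientAliveCountMax|^#ClientAliveCountMax'`: when both a commented default and an active directive exist, only whichever comes last is replaced, and sshd keeps the first active occurrence, so the configured value may never take effect. Matching active lines only (`'^\s*ClientAliveInterval\b'`) is the safer pattern. Separately, the first 5.2.20 task (ClientAliveInterval) ends at `validate:` with no `when:` or `tags:` in this hunk, while the ClientAliveCountMax task below it is gated; if that is not an artifact of the cut, the interval is written even when rule 5.2.20 is disabled.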
23 changes: 23 additions & 0 deletions tasks/section_5/cis_5.6.1.x.yml
Expand Up @@ -28,6 +28,29 @@
- password
- rule_5.6.1.2

- name: "5.6.1.1/2 | PATCH | Set existing users with password rules"
block:
- name: "5.6.1.1/2 | AUDIT | Get existing users"
ansible.builtin.getent:
database: passwd

- name: "5.6.1.1/2 | PATCH | Update users higher than usr_min_uid"
ansible.builtin.user:
name: "{{ item }}"
password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
loop: "{{ getent_passwd | dict2items | map(attribute='key') | list }}"
when: getent_passwd[item].1 | int >= usr_min_uid
when:
- rhel9cis_rule_5_6_1_2
- rhel9cis_rule_5_6_1_2_set_user
tags:
- level1-server
- level1-workstation
- patch
- password
- rule_5.6.1.2

- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
ansible.builtin.lineinfile:
path: /etc/login.defs
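Review bot: the selector `when: getent_passwd[item].1 | int >= usr_min_uid` keys on UID only, not on whether the account actually has a password as the task name and PR title say; the CIS 5.6.1.1/5.6.1.2 audit looks at `/etc/shadow` for entries whose password field does not start with `!` or `*`. As written the loop also sweeps in `nobody` (UID 65534 on RHEL 9) and any locked or system-like account above the floor, and runs `chage`-style changes on them. Bound the selection with `UID_MAX` from `/etc/login.defs` or exclude `nobody` explicitly, and consider filtering inside the `loop` expression so every skipped account does not emit its own `skipped` item. Second, the block is gated on `rhel9cis_rule_5_6_1_2` alone (and tagged `rule_5.6.1.2`) yet also writes `password_expire_max`, which is rule 5.6.1.1, so disabling 5.6.1.1 on its own still changes max days; gate the two fields separately or also require `rhel9cis_rule_5_6_1_1`. The `.1` index is correct for the passwd database (`[password, uid, gid, gecos, home, shell]`).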
5 changes: 5 additions & 0 deletions tasks/section_5/cis_5.6.x.yml
Expand Up @@ -98,6 +98,11 @@
regexp: '^USERGROUPS_ENAB'
line: USERGROUPS_ENAB no

- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: 'session required pam_umask.so'
insertafter: EOF
when:
- rhel9cis_rule_5_6_5
tags:
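Review bot: on RHEL 9 `/etc/pam.d/system-auth` is managed by authselect (it is a symlink into `/etc/authselect/`), and authselect regenerates the file whenever a profile is selected or `authselect apply-changes` runs, so a line added directly with `lineinfile` does not persist; the supported route is a custom profile created with `authselect create-profile` and edited under `/etc/authselect/custom/`. Also, `pam_umask.so` without a `umask=027` argument takes the mask from the user's GECOS field or the `UMASK` setting in `/etc/login.defs`, so this line does not by itself "force" 027 as the task name states; either pass the argument or make sure the `login.defs` value is set to 027. `insertafter: EOF` is the module default and can be dropped.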
19 changes: 19 additions & 0 deletions vars/RedHat.yml
Expand Up @@ -6,3 +6,22 @@ os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <[email protected]>

# disable repo_gpgcheck due to OS default repos
rhel9cis_rule_enable_repogpg: false

# enable interactive users to be set min/max password change
rhel9cis_rule_5_6_1_2_set_user: true

# 5.6.1.1/2 Variable to be adjust so the rule sets password min/max
# This refers to the minimum UID that rule will start from
usr_min_uid: 1000

# Vars setup for overiding main.yml for rule 5.3.2
rhel9cis_sshd:
clientalivecountmax: 3
clientaliveinterval: 900
logingracetime: 60
# Group and user choose as being the default for this release
# Can also use;
# allowusers:
# denygroups:
allowgroups: wheel
denyusers: nobody
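Review bot: every key added here (`rhel9cis_rule_5_6_1_2_set_user`, `usr_min_uid`, the whole `rhel9cis_sshd` dict) is a site tunable, but files under a role's `vars/` are loaded at a precedence above inventory `group_vars`/`host_vars` and play vars, so an operator can only override them with extra vars; and because Ansible replaces a dict variable wholesale rather than merging keys, the `rhel9cis_sshd` defined here also drops any other keys that dict carries in `defaults/main.yml`. Move these to `defaults/main.yml` (where `usr_min_uid` is already declared in this same PR). Shipping `allowgroups: wheel` plus `denyusers: nobody` as the default also means that once 5.2.4 runs, any account not in `wheel` loses SSH access, including the automation user on hosts where it is not a `wheel` member; that lockout risk should be called out in the README. The header comment refers to "rule 5.3.2" but these are section 5.2 settings (5.2.4, 5.2.20), and "overiding" should read "overriding".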