March 24 updates (#356)

* added conditional to user password check #354 thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <[email protected]>

* updated logic to check root passwd locked

Signed-off-by: Mark Bolwell <[email protected]>

* Updated

Signed-off-by: Mark Bolwell <[email protected]>

* lint and audit order change

Signed-off-by: Mark Bolwell <[email protected]>

* updated for documentation format

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

Changelog.md

@@ -4,6 +4,17 @@
 
 ### This is not an upgrade for CIS v2.0.0 due to the number of changes treat as a new baseline
 
+### Changes and improvements (March24)
+
+thanks to @bbaassssiiee
+
+- #353
+- #354
+
+Audit and audit_only changed to run prior to any significant changes
+
+#### Initial
+
 Inline with new CIS baseline
 Rewrite and ordering of nearly all controls
 Many new controls added

defaults/main.yml

@@ -492,7 +492,7 @@ rhel8cis_selinux_policy: targeted
 
 # 1.6 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 rhel8cis_crypto_policy: 'DEFAULT'
-# Added module to be allowed as default setting (Allowed options in vars/main.yml)
+# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)
 rhel8cis_crypto_policy_module: ''
 
 # 1.7

tasks/audit_only.yml

@@ -1,22 +1,22 @@
 ---
 
 - name: Audit_Only | Create local Directories for hosts
+ when: fetch_audit_files
  ansible.builtin.file:
  mode: '0755'
  path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
  recurse: true
  state: directory
- when: fetch_audit_files
  delegate_to: localhost
  become: false
 
 - name: Audit_only | Get audits from systems and put in group dir
+ when: fetch_audit_files
  ansible.builtin.fetch:
  dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
  flat: true
  mode: '0644'
  src: "{{ pre_audit_outfile }}"
- when: fetch_audit_files
 
 - name: Audit_only | Show Audit Summary
  when:

tasks/main.yml

@@ -53,7 +53,7 @@
  - always
  block:
  - name: Ensure root password is set
- ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
+ ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked|root\s(LK|L)\s)"
  changed_when: false
  failed_when: false
  register: root_passwd_set
@@ -91,6 +91,7 @@
  - ansible_env.SUDO_USER is defined
  - not system_is_ec2
  - not audit_only
+ - rhel8cis_rule_4_3_4
  block:
  - name: Capture current password state of connecting user"
  ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
@@ -105,7 +106,7 @@
  fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
  success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
  vars:
- sudo_password_rule: rhel8cis_rule_5_3_4 # pragma: allowlist secret
+ sudo_password_rule: rhel8cis_rule_4_3_4 # pragma: allowlist secret
 
 - name: Include prelim tasks
  tags:
@@ -114,25 +115,6 @@
  ansible.builtin.import_tasks:
  file: prelim.yml
 
-- name: Include audit specific variables
- when:
- - run_audit or audit_only
- - setup_audit
- tags:
- - setup_audit
- - run_audit
- ansible.builtin.include_vars:
- file: audit.yml
-
-- name: Include pre-remediation audit tasks
- when:
- - run_audit or audit_only
- - setup_audit
- tags:
- - run_audit
- ansible.builtin.import_tasks:
- file: pre_remediation_audit.yml
-
 - name: Gather the package facts after prelim
  tags:
  - always

tasks/post_remediation_audit.yml

@@ -1,14 +1,14 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g {{ group_names }}"
  changed_when: true
  environment:
  AUDIT_BIN: "{{ audit_bin }}"
  AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
  AUDIT_FILE: goss.yml
 
-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
  ansible.builtin.file:
  path: "{{ item }}"
  mode: '0644'
@@ -21,12 +21,12 @@
  when:
  - audit_format == "json"
  block:
- - name: capture data {{ post_audit_outfile }}
+ - name: Post Audit | Capture data {{ post_audit_outfile }}
  ansible.builtin.shell: cat {{ post_audit_outfile }}
  register: post_audit
  changed_when: false
 
- - name: Capture post-audit result
+ - name: Post Audit | Capture post-audit result
  ansible.builtin.set_fact:
  post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
  vars:
@@ -36,7 +36,7 @@
  when:
  - audit_format == "documentation"
  block:
- - name: Post Audit | capture data {{ post_audit_outfile }}
+ - name: Post Audit | Capture data {{ post_audit_outfile }}
  ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
  register: post_audit
  changed_when: false

tasks/pre_remediation_audit.yml

@@ -77,7 +77,7 @@
  mode: '0600'
 
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
  changed_when: true
  environment:
  AUDIT_BIN: "{{ audit_bin }}"