Re-factored

rdiers · Jan 1, 2020 · abe6c19 · abe6c19
1 parent 394c7fb
commit abe6c19
Showing 24 changed files with 97 additions and 21 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,6 +18,20 @@ rhel7cis_level2: false
 ### Section 1 Parameters ###
 ############################
 
+# Section Partition #
+
+# Section 1.1.3 - 1.1.5 | Ensure nodev, nosuid, noexec on /tmp
+rhel7cis_tmp_ensure_all: false
+rhel7cis_tmp_ensure_nodev: false
+rhel7cis_tmp_ensure_nosuid: false
+rhel7cis_tmp_ensure_noexec: false
+
+# Section 1.1.8 - 1.1.10 | Ensure nodev, nosuid, noexec on /var/tmp
+rhel7cis_var_tmp_ensure_all: true
+rhel7cis_var_tmp_ensure_nodev: false
+rhel7cis_var_tmp_ensure_nosuid: false
+rhel7cis_var_tmp_ensure_noexec: false
+
 # Section AIDE #
 
 # Section 1.3.1 | Ensure AIDE is installed and configured
@@ -208,6 +222,9 @@ rhel7cis_syslog_ng_loghost_address: INSERT_DNS_NAME_HERE
 ### Section 5 Parameters ###
 ############################
 
+# Section 5.1.8 | Ensure at/cron is restricted to authorized users
+rhel7cis_cron_allow_apply_template: false
+
 # Section 5.2.9 | Ensure SSH root login is disabled
 rhel7cis_permit_ssh_root_login_disabled: true
 

diff --git a/files/etc/systemd/system/tmp.mount b/files/etc/systemd/system/tmp.mount
diff --git a/handlers/main.yml b/handlers/main.yml
diff --git a/library/grub_crypt.py b/library/grub_crypt.py
diff --git a/scripts/6.2.16.sh b/scripts/6.2.16.sh
diff --git a/scripts/rule_five_four_two.sh b/scripts/rule_five_four_two.sh
diff --git a/scripts/rule_six_two_fifteen.sh b/scripts/rule_six_two_fifteen.sh
diff --git a/tasks/main.yml b/tasks/main.yml
diff --git a/tasks/post.yml b/tasks/post.yml
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
diff --git a/tasks/section1.yml b/tasks/section1.yml
@@ -133,23 +133,40 @@
     - patch
     - rule_1.1.2
 
-- name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n
-         SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n
-         SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n
-         | drop custom tmp.mount"
+- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
   copy:
     src: etc/systemd/system/tmp.mount
     dest: /etc/systemd/system/tmp.mount
     owner: root
     group: root
     mode: 0644
   notify: systemd restart tmp.mount
+  when:
+    - rhel7cis_level2 is defined and rhel7cis_level2
+  tags:
+    - level2
+    - scored
+    - patch
+    - rule_1.1.2
+
+- name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n
+         SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n
+         SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n
+         | drop custom tmp.mount"
+  mount:
+    path: /tmp
+    opts: "nosuid,nodev,noexec"
+    state: mounted
+    fstype: "tmpfs"
+    src: tmpfs
   when:
     - rhel7cis_level1 is defined and rhel7cis_level1
+    - rhel7cis_tmp_ensure_all is defined and rhel7cis_tmp_ensure_all
   tags:
     - level1
     - scored
     - patch
+    - high
     - rule_1.1.3
     - rule_1.1.4
     - rule_1.1.5
@@ -191,6 +208,7 @@
     src: tmpfs
   when:
     - rhel7cis_level1 is defined and rhel7cis_level1
+    - rhel7cis_var_tmp_ensure_all is defined and rhel7cis_var_tmp_ensure_all
   tags:
     - level1
     - scored
@@ -244,14 +262,19 @@
     path: /home
     opts: nodev
     state: mounted
-    fstype: "ext4"
-    src: home
-  when:
-    - rhel7cis_level2 is defined and rhel7cis_level2
+    fstype: "{{ item.fstype }}"
+    src: "{{ item.device }}"
   tags:
+    - level1
     - level2
     - patch
     - rule_1.1.14
+    - user_check
+  when:
+    - rhel7cis_level2 is defined and rhel7cis_level2
+    - item.mount == "/home"
+  with_items:
+    - "{{ ansible_mounts }}"
 
 - name: "SCORED | 1.1.15 | PATCH | Ensure nodev option set on /dev/shm partition\n
          SCORED | 1.1.16 | PATCH | Ensure nosuid option set on /dev/shm partition\n

diff --git a/tasks/section2.yml b/tasks/section2.yml
diff --git a/tasks/section3.yml b/tasks/section3.yml
diff --git a/tasks/section4.yml b/tasks/section4.yml
diff --git a/tasks/section5.yml b/tasks/section5.yml
@@ -138,6 +138,21 @@
     - patch
     - rule_5.1.8
 
+- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users"
+  template:
+    src: etc/cron.allow.j2
+    dest: /etc/cron.allow
+    owner: root
+    group: root
+    mode: 0600
+  when:
+    - rhel7cis_level1 is defined and rhel7cis_level1
+    - rhel7cis_cron_allow_apply_template is defined and rhel7cis_cron_allow_apply_template
+  tags:
+    - level1
+    - patch
+    - rule_5.1.8
+
 - name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
   file:
     dest: /etc/ssh/sshd_config
@@ -504,23 +519,46 @@
     - rule_5.3.2
     - low
 
-
 # END # auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 #
 
 # START # auth [success=1 default=bad] pam_unix.so #
 
+- name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - pam_unix.so"
+  pamd:
+    name: "{{ item }}"
+    type: auth
+    control: "[success=1 default=bad]"
+    module_path: pam_unix.so
+    new_type: auth
+    new_control: sufficient
+    new_module_path: pam_unix.so
+    module_arguments: nullok try_first_pass
+    state: updated
+  ignore_errors: yes
+  loop:
+    - system-auth
+    - password-auth
+  when:
+    - rhel7cis_level1 is defined and rhel7cis_level1
+  tags:
+    - level1
+    - patch
+    - rule_5.3.2
+    - low
+
 - name: 'SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - pam_unix.so'
   pamd:
     name: '{{ item }}'
     type: auth
-    control: sufficient
-    module_path: 'pam_unix.so'
-    new_control: '[success=1 default=bad]'
+    control: 'sufficient'
+    module_path: pam_unix.so
+#    new_control: 'sufficient'
+    module_arguments: 'nullok try_first_pass'
+    state: updated
   ignore_errors: yes
   loop:
     - system-auth
     - password-auth
-
   when:
     - rhel7cis_level1 is defined and rhel7cis_level1
   tags:
@@ -535,15 +573,12 @@
     type: auth
     control: sufficient
     module_path: 'pam_unix.so'
-    new_type: auth
-    new_control: '[success=1 default=bad]'
-    new_module_path: pam_unix.so
-    module_arguments: 'nullok try_first_pass'
-    state: before
+    new_control: 'sufficient'
   ignore_errors: yes
   loop:
     - system-auth
     - password-auth
+
   when:
     - rhel7cis_level1 is defined and rhel7cis_level1
   tags:
@@ -556,7 +591,7 @@
   pamd:
     name: '{{ item }}'
     type: auth
-    control: '[success=1 default=bad]'
+    control: 'sufficient'
     module_path: pam_unix.so
     module_arguments: 'nullok try_first_pass'
     state: updated
@@ -576,7 +611,7 @@
   pamd:
     name: '{{ item }}'
     type: auth
-    control: '[success=1 default=bad]'
+    control: 'sufficient'
     module_path: pam_unix.so
     module_arguments: 'nullok try_first_pass'
     state: args_present
@@ -619,7 +654,7 @@
   pamd:
     name: '{{ item }}'
     type: auth
-    control: '[success=1 default=bad]'
+    control: 'sufficient'
     module_path: pam_unix.so
     new_type: auth
     new_control: '[default=die]'

diff --git a/tasks/section6.yml b/tasks/section6.yml
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
diff --git a/templates/etc/cron.allow.j2 b/templates/etc/cron.allow.j2
@@ -0,0 +1 @@
+root
diff --git a/templates/etc/issue.j2 b/templates/etc/issue.j2
diff --git a/templates/etc/issue.net.j2 b/templates/etc/issue.net.j2
diff --git a/templates/etc/motd.j2 b/templates/etc/motd.j2
diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
diff --git a/vars/main.yml b/vars/main.yml