ansible-lockdown / rhel7-cis Goto Github PK

Ansible role for Red Hat 7 CIS Baseline

Home Page: https://ansible-lockdown.readthedocs.io/en/latest/

License: MIT License

Jinja 11.08% YAML 88.92%

cis security-hardening rhel7 ansible-role security hardening compliance-automation redhat7 redhat-ansible compliance-as-code

rhel7-cis's Introduction

RHEL 7 CIS

Configure a RHEL/Centos 7 machine to be CIS compliant

Based on CIS RedHat Enterprise Linux 7 Benchmark v3.1.1 - 05-21-2021

Looking for support?

Lockdown Enterprise

Ansible support

Community

On our Discord Server to ask questions, discuss features, or just chat with other Ansible-Lockdown users

Caution(s)

This role will make changes to the system which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL7-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.

This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.

To use release version please point to main branch and relevant release for the cis benchmark you wish to work with.

Matching a security Level for CIS

It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags:

level1_server
level1_workstation
level2_server
level2_workstation

The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component.

Coming from a previous release

CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.

Further details can be seen in the Changelog

Auditing (new)

This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.

This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.

A new form of auditing has been developed, by using a small (12MB) go binary called goss along with the relevant configurations to check. Without the need for infrastructure or other tooling. This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove false positives in the process.

Documentation

Requirements

General:

Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.

Technical Dependencies:

Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
Python3 Ansible run environment
python-def (should be included in RHEL/CentOS 7) - First task sets up the prerequisites (Tag pre-reqs)for python3 and python2 (where required)
- libselinux-python
- python3-rpm (package used by py3 to use the rpm pkg)

Role Variables

This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.

Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.

Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
All community Pull Requests are pulled into the devel branch
Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

Pipeline Testing

uses:

ansible-core 2.12
ansible collections - pulls in the latest version based on requirements file
runs the audit using the devel branch
This is an automated test that occurs on pull requests into devel

Local Testing

Ansible
- ansible-base 2.10.17 - python 3.8
- ansible-core 2.13.4 - python 3.10
- ansible-core 2.15.1 - python 3.11

Added Extras

pre-commit can be tested and can be run from within the directory

pre-commit run

Credits and Thanks

Massive thanks to the fantastic community and all its members.

This includes a huge thanks and credit to the original authors and maintainers.

Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

rhel7-cis's People

Contributors

Stargazers

Watchers

Forkers

touqeerhussain wildone ferhaty belooussov daswars alejojo shraderdm arielyum rbramwell amunter erpadmin mbrost karabistouille gloppasglop sushil921 cgliang nand0p parryian danzelziggy mugila samjaninf commanderk5 kissingwolf antonioj-mattos gg-it-robot catpele victorock leerich dimdung gavin-romig-koch arctiqteam nullport thisdougb gouthamchilakala florianutz lescactus talorh dbrazzeal marcelocorreia ledubenjamin afaleti neescs jdiazmx richvred tum007jb mikerenfro toshywoshy arunsanna treatbhanu adimian alexander-baeshko schubergphilis jsebastin praveenraonp davidpesticcio ossiemarks softfactoryio wegitit abdul-git wallacetan chrisarmas2 yuenyuenmoonmoon cygnus8595 albertoxvicente sawwinnnaung phahok vishal-nera roro76 tonyjames stshow eformat gunasekar1390 synchrotechnologies t32yla ajeastwood opsreformation dipanjanmukherjee83 tsmilam ag-michael rot26 zyphermonkey tvigers direvus djgreen94 vemund-lonbakken mihneaspirescu nik0811 vipulshivnani alireza82 gbomar1 brydoncheyney tuantmb rhythmictech vshivnani-cavirin aoshee mladen40 vmulasmob siemianowskim mapbased adamtbeames

rhel7-cis's Issues

Service configuration booleans to stop removal

My HTTP server got wiped. I would like to be able to say I need it.

SCORED | 1.7.2 | PATCH | Ensure GDM login banner is configured not idempotent

The last item this task iterates over is not idempotent. Not sure why but it looks like the regex used needs to be tightened up.

TASK [role_under_test : SCORED | 1.7.2 | PATCH | Ensure GDM login banner is configured] ***
task path: /etc/ansible/roles/role_under_test/tasks/section1.yml:702
ok: [localhost] => (item={u'regexp': u'user-db', u'line': u'user-db:user', u'file': u'/etc/dconf/profile/gdm'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/profile/gdm", "line": "user-db:user", "regexp": "user-db"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'system-db', u'line': u'system-db:gdm', u'file': u'/etc/dconf/profile/gdm'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/profile/gdm", "line": "system-db:gdm", "regexp": "system-db"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'file-db', u'line': u'file-db:/usr/share/gdm/greeter-dconf-defaults', u'file': u'/etc/dconf/profile/gdm'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/profile/gdm", "line": "file-db:/usr/share/gdm/greeter-dconf-defaults", "regexp": "file-db"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'\\[org\\/gnome\\/login-screen\\]', u'line': u'[org/gnome/login-screen]', u'file': u'/etc/dconf/db/gdm.d/01-banner-message'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/db/gdm.d/01-banner-message", "line": "[org/gnome/login-screen]", "regexp": "\\[org\\/gnome\\/login-screen\\]"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'banner-message-enable', u'line': u'banner-message-enable=true', u'file': u'/etc/dconf/db/gdm.d/01-banner-message'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/db/gdm.d/01-banner-message", "line": "banner-message-enable=true", "regexp": "banner-message-enable"}, "msg": ""}
changed: [localhost] => (item={u'regexp': u'banner-message-text', u'line': u"banner-message-text='Authorized uses only. All activity may be monitored and reported.\n' ", u'file': u'/etc/dconf/db/gdm.d/01-banner-message'}) => {"backup": "", "changed": true, "item": {"file": "/etc/dconf/db/gdm.d/01-banner-message", "line": "banner-message-text='Authorized uses only. All activity may be monitored and reported.\n' ", "regexp": "banner-message-text"}, "msg": "line replaced"}

SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured not idempotent

There is an issue in this lineinfile task.

TASK [role_under_test : SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured] ***
task path: /etc/ansible/roles/role_under_test/tasks/section4.yml:289
changed: [localhost] => {"backup": "", "changed": true, "msg": "line added"}

UNIMPLEMENTED: 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host

Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host).

*.* @@loghost

I suggest to use a variable to hold the dns name or dns alias for 'loghost'.

Ansible upgrade to 2.6.0 is failing 3.6.5 rule

amazon-ebs: TASK [RHEL7-CIS : SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports] ***

amazon-ebs: failed: [default] (item=ssh) => {"changed": false, "item": "ssh", "msg": "firewall is not currently running, unable to perform immediate actions without a running firewall daemon"}

amazon-ebs: failed: [default] (item=dhcpv6-client) => {"changed": false, "item": "dhcpv6-client", "msg": "firewall is not currently running, unable to perform immediate actions without a running firewall daemon

Ansible thinks firewalld is not running?

Azure image requires UDF mounting support.

I've been tasked with creating a CIS Level 1 standard RHEL image in Azure. I've taken a market place RHEL 7.3 image and applied this playbook with packer/ansible using tags level1.

However, when I go and try and create a VM from the image, it fails. If I skip cis_section1, I can create a VM from the image. I'm a linux newbie, apologies, but any obvious rules in section 1 that could be causing me an issue?

Any help/direction appreciated.

packer provisioner

"provisioners": [{ "execute_command": "echo '{{user ssh_pass`}}' | {{ .Vars }} sudo -S -E sh '{{ .Path }}'",
"inline": [

    "wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm",
    "rpm -i epel-release-latest-7.noarch.rpm",
    "yum update -y",
    "yum install git -y" ,
    "yum install ansible -y",
    "echo '- src: https://github.com/MindPointGroup/RHEL7-CIS.git' >> requirements.yml",
    "ansible-galaxy install -p roles -r requirements.yml",
    "echo '- name: Harden Server' >> harden-main.yml",
    "echo '  hosts: 127.0.0.1 ' >> harden-main.yml",
    "echo '  connection: local' >> harden-main.yml",
    "echo '  become: yes' >> harden-main.yml",
    "echo ' ' >> harden-main.yml",
    "echo '  roles:' >> harden-main.yml",
    "echo '    - RHEL7-CIS' >> harden-main.yml",
    "sudo sed -i -e 's/rhel7cis_section1: true/rhel7cis_section1: false/g' ./roles/RHEL7-CIS/defaults/main.yml",
    "ansible-playbook harden-main.yml  --tags=\"level1\"",
    "sed -i -e 's/ALL:/ALL:ALL,/g'  /etc/hosts.allow",
    "cat /etc/hosts.allow",
    "ping 127.0.0.1 -c 30",

    "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"
  ],
  "inline_shebang": "/bin/sh -x",
  "type": "shell",
  "skip_clean": true
}]`

azure error

Provisioning failed. OS Provisioning failed for VM 'spcishardened' due to an internal error.. OSProvisioningInternalError

avoid trailing comma in hosts.allow, fails nessus scan

not savvy with github yet :)

diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
index ca37253..9055481 100644
--- a/templates/hosts.allow.j2
+++ b/templates/hosts.allow.j2
@@ -8,4 +8,4 @@
 #              for information on rule syntax.
 #              See 'man tcpd' for information on tcp_wrappers
 #
-ALL: {% for iprange in rhel7cis_host_allow -%}{{ iprange }}, {% endfor %}
+ALL: {% for iprange in rhel7cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}

UNIMPLEMENTED: 5.3.3 Ensure password reuse is limited

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown:

password sufficient pam_unix.so remember=5

Forking or extending for RHEL6 CIS/CentOS6/7 usage?

It is a great repo, focussing on quality and pureness of the CIS requirements. I'd like to use this as a base for supporting RHEL6 and the few minor things for CentOS. But just forking it makes it much less usable and sustainable towards the future, there is simply a lot of overlap between these 4 variations of RHEL and CentOS. Overlap which imho should not be forked off to different repo's.

Are you open to the idea that we create a RHEL-CIS repo (instead of RHEL7-CIS) which would support RHEL/CentOS/6/7 variations? This way a lot of duplicate effort can be prevented, and would make it even more generic usable on heterogeneous environments.

Or do you have a different suggestion to get these platforms also CIS compliant as a public Ansible Galaxy role?

Anton

Defaults main.yml

Hi,

The defaults/main.yml has a captical S i.s.o. lower case which caused ansible to stop:
#rhel7cis_time_Synchronization: ntp
should be:
#rhel7cis_time_synchronization: ntp

SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users not idempotent

These tasks use the file module in touch mode which is not idempotent. Need a precursor check or to change the task a little based on the intent of the CIS rule.

TASK [role_under_test : SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users] ***
task path: /etc/ansible/roles/role_under_test/tasks/section5.yml:98
changed: [localhost] => {"changed": true, "dest": "/etc/at.allow", "gid": 0, "group": "root", "mode": "0600", "owner": "root", "size": 0, "state": "file", "uid": 0}

TASK [role_under_test : SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users] ***
task path: /etc/ansible/roles/role_under_test/tasks/section5.yml:121
changed: [localhost] => {"changed": true, "dest": "/etc/cron.allow", "gid": 0, "group": "root", "mode": "0600", "owner": "root", "size": 0, "state": "file", "uid": 0}

AIDE crontab not deployed

TASK [RHEL7-CIS : SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked] ***
changed: [rhel7sectest.localdomain]

[root@rhel7sectest ~]# crontab -l
no crontab for root

defaults/main.yml

# AIDE
rhel7cis_config_aide: true
# AIDE cron settings
rhel7cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'

section1.yml

- name: "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  cron:
      name: Run AIDE integrity check weekly
      cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}"
      user: "{{ rhel7cis_aide_cron['cron_user'] }}"
      minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}"
      hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}"
      day: "{{ rhel7cis_aide_cron['aide_day'] | default('*') }}"
      month: "{{ rhel7cis_aide_cron['aide_month'] | default('*') }}"
      weekday: "{{ rhel7cis_aide_cron['aide_weekday'] | default('*') }}"
      job: "{{ rhel7cis_aide_cron['aide_job'] }}"
  tags:
      - level1
      - scored
      - aide
      - file_integrity
      - patch
      - rule_1.3.2

CIS Level 2 audit findings

fail: 1.1.6 Ensure separate partition exists for /var
fail: 1.1.7 Ensure separate partition exists for /var/tmp
fail: 1.1.11 Ensure separate partition exists for /var/log
fail: 1.1.12 Ensure separate partition exists for /var/log/audit
fail: 1.1.13 Ensure separate partition exists for /home
fail: 1.3.2 Ensure filesystem integrity is regularly checked
fail: 1.4.2 Ensure bootloader password is set
fail: 3.6.2 Ensure default deny firewall policy
fail: 3.6.3 Ensure loopback traffic is configured
fail: 4.1.1.2 Ensure system is disabled when audit logs are full
fail: 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
fail: 4.1.4 Ensure events that modify date and time information are collected
fail: 4.1.5 Ensure events that modify user/group information are collected
fail: 4.1.6 Ensure events that modify the system's network environment are collected
fail: 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected
fail: 4.1.8 Ensure login and logout events are collected
fail: 4.1.9 Ensure session initiation information is collected
fail: 4.1.10 Ensure discretionary access control permission modification events are collected
fail: 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
fail: 4.1.12 Ensure use of privileged commands is collected
fail: 4.1.13 Ensure successful file system mounts are collected
fail: 4.1.14 Ensure file deletion events by users are collected
fail: 4.1.15 Ensure changes to system administration scope (sudoers) is collected
fail: 4.1.16 Ensure system administrator actions (sudolog) are collected
fail: 4.1.17 Ensure kernel module loading and unloading is collected
fail: 4.1.18 Ensure the audit configuration is immutable
fail: 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
fail: 5.3.2 Ensure lockout for failed password attempts is configured
fail: 5.3.3 Ensure password reuse is limited
fail: 5.4.1.1 Ensure password expiration is 90 days or less
fail: 5.4.1.2 Ensure minimum days between password changes is 7 or more
fail: 5.4.1.4 Ensure inactive password lock is 30 days or less
fail: 5.4.4 Ensure default user umask is 027 or more restrictive

warning on TASK [RHEL7-CIS : PRELIM | Check if prelink package is installed]

TASK [RHEL7-CIS : PRELIM | Check if prelink package is installed] ***************************************************************************
 [WARNING]: Consider using yum, dnf or zypper module rather than running rpm

tasks/prelim.yml

- name: "PRELIM | Check if prelink package is installed"
  command: rpm -q prelink
  register: prelink_installed
  changed_when: no
  failed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint

rhnsd boolean variable in defaults

In section1.yml you have:

- name: "NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon"
  service:
      name: rhnsd
      state: stopped
      enabled: no
  when: ansible_distribution == "RedHat" and rhnsd_service_status and rhel7cis_rhnsd_required

but I think this is backwards because it disables and stops rhnsd if the rhel7cis_rhnsd_required is true, not if it's false. Seems like you could change the variable name to be "rhel7cis_rhnsd_not_required" so that it triggers when it's true.

As is, if you say "false" in defaults, because it's not required, it will never run this check and will leave it running and enabled.

files/etc/systemd/system/tmp.mount is switching /tmp to tmpfs

I just noticed /tmp is being mounted as tmpfs, but I don't see a requirement by CIS for /tmp to be tmpfs.

I don't know what is the new default for RHEL installs as we are still using the same kickstart file. Has this been an issue for anyone?

my main concern is oracle and other heavy ram use boxes

Couple of questions for contributing

Hi There

We are using this role and it is a lifesaver! There are a few things from an openscap scan that we would like to add and I was wondering if you were open to PRs?

I also have a couple of questions for compatibility.

What does SCORED and NOT_SCORED mean?
Are the numbers e.g. 6.2.4 meaningful, or would a new check (fix rpm file perms) just go the end of section 6 with an incremented number?

Cheers
Sam

SCORED | 3.6.2 Ensure default deny firewall policy

Add notify handler to restart sshd and config validation for any /etc/ssh/sshd_config edits

Been out of the loop a bit. This patch is not compatible with the latest commits, but serves as an example

------------------------------ tasks/section5.yml ------------------------------
<snip>

NOTSCORED | 4.1.1.1 | PATCH | Ensure audit log storage size is configured not idempotent

There is an issue with the regex in this lineinfile task.

TASK [role_under_test : NOTSCORED | 4.1.1.1 | PATCH | Ensure audit log storage size is configured] ***
task path: /etc/ansible/roles/role_under_test/tasks/section4.yml:1
changed: [localhost] => {"backup": "", "changed": true, "msg": "line replaced"}

5.2.13 - ClientAliveCountMax set to <= 3 is missing

Per CIS CentOS Linux 7 Benchmark - 2.1.1
5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.

Incorrect comment on AIDE cron task, rule 1.3.2

The comment on the cron job created by rule 1.3.2 "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" reads "Run AIDE integrity check weekly". However, the cron job is clearly set up to run daily by default, and has variables so the frequency is user-customisable in any case.

I think the cron job comment should just omit the word "weekly".

ssh access issue: ssh_exchange_identification: read: Connection reset by peer

After apply the CIS rules on aws ami, it is not allowing to ssh to the EC2 instance created from hardened ami. I am getting message : ssh_exchange_identification: read: Connection reset by peer.

I am able to telnet to port 22 but within few seconds, foreign host closing the connection. more details are below. Any suggestion is really appreciated.

OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /user//.ssh/config
debug1: /user//.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "x.x.x.x" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 599931 ms remain after connect
debug1: key_load_public: No such file or directory
debug1: identity file /user//.ssh/key.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file /user//.ssh/key.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer

SCORED | 5.4.1.1 Ensure password expiration is 90 days or less

Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :

PASS_MAX_DAYS 90

Modify user parameters for all users with a password set to match:

chage --maxdays 90 <user>

UNIMPLEMENTED: 3.6.3 Ensure loopback traffic is configured

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

SCORED | 1.3.2 Ensure filesystem integrity is regularly checked

/var/spool/cron/root should have:

0 5 * * * /usr/sbin/aide --check

FoXT BoKS support

I am curious if anyone who uses this project is familiar with and uses BoKS. I have to create local code to make the CIS playbook continue to work against our BoKS enabled hosts and I am willing to contribute 'compatible' code back to the project if there is any interest. The goal would be that the playbook runs exactly the same way it is expected to on a typical host but also has the logic to act differently for a BoKS enabled host.

Background:
BoKS is primarily an SSHD fork with fine grained access controls. It is not uncommon to see it implemented in the financial establishments such as where I work.

Functionally, it symlinks /etc/pam.d to its own {BOKS_INSTALLDIR}/etc/pam.d directory and uses it's own sshd config file (/opt/boks/etc/ssh/sshd_config) for the boks_sshd daemon that it spawns.

In the BoKS context as it relates to the CIS playbook:

any edits to the normal /etc/ssh/sshd_config only apply to the (now disabled) system sshd service. These edits by the CIS playbook are of no concern and are actually desired in the event that BoKS is disabled for any length of time (basically boks is disabled and sshd is reenabled)
any edits to /etc/pam.d would most likely have to be disabled although I will test which changes have any impact. Disabling rules should be easy using the new task variable support recently added to the project.
any notify restart requests for SSHD would either need to be ignored (if even feasible) or the respective restart errors ignored (SSHD cannot start while BoKS is running because the port is in use). another option might be to only signal an SSHD restart on nonboks hosts. This would impact design on issue #71

branches etc

requesting something similar to the following

create a master or stable branch base on current version
add a staging branch and allow a few people write access
you could then cherry pick changes into devl from staging
merge devl into stable after x amount of time
use tagging system that indicates current playbook compatibility

SCORED | 5.4.4 Ensure default user umask is 027 or more restrictive

Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:

umask 027

Targeting tasks relevant to a particular level or scoring status

Somewhat in the same line of thinking as #26, I'd like to be able to target all scored items for Level 1 servers, without worrying about anything for Level 2 servers, items specific to workstations, or un-scored items.

This may end up replacing many of the task tags, since the current tag taxonomy doesn't distinguish between level 1 on a server versus level 1 on a workstation, for example.

Proof of concept:

---

- hosts: localhost
  vars:
    - rhel7cis_level1_server: true
    - rhel7cis_level2_server: false
    - rhel7cis_level1_workstation: false
    - rhel7cis_level2_workstation: false
    - rhel7cis_scored: true
    - rhel7cis_notscored: false

  tasks:
    - debug:
        msg: "1.1.13: scored, level 2 server, level 2 workstation"
      when:
        - (rhel7cis_level2_server or rhel7cis_level2_workstation)
        - (rhel7cis_scored)

    - debug:
        msg: "1.1.21: scored, level 1 server, level 1 workstation"
      when:
        - (rhel7cis_level1_server or rhel7cis_level1_workstation)
        - (rhel7cis_scored)

    - debug:
        msg: "1.1.22: scored, level 1 server, level 2 workstation"
      when:
        - (rhel7cis_level1_server or rhel7cis_level2_workstation)
        - (rhel7cis_scored)

    - debug:
        msg: "1.2.1: not scored, level 1 server, level 1 workstation"
      when:
        - (rhel7cis_level1_server or rhel7cis_level1_workstation)
        - (rhel7cis_notscored)

As-is, this executes the tasks for 1.1.21 and 1.1.22. Changing rhel7cis_notscored to true also executes task 1.2.1. Changing rhel7cis_level2_server to true adds task 1.1.13.

Does this seem like a worthwhile change? If so, do you want PRs on a per-section basis, or something else?

SCORED | 4.1.1.3 | PATCH | Ensure audit logs are not automatically deleted not idempotent

There is an issue with this lineinfile task.

TASK [role_under_test : SCORED | 4.1.1.3 | PATCH | Ensure audit logs are not automatically deleted] ***
task path: /etc/ansible/roles/role_under_test/tasks/section4.yml:25
changed: [localhost] => {"backup": "", "changed": true, "msg": "line added"}

SCORED | 5.6 | PATCH | Ensure access to the su command is restricted not idempotent

Another issue with lineinfile task/regex.

TASK [role_under_test : SCORED | 5.6 | PATCH | Ensure access to the su command is restricted] ***
task path: /etc/ansible/roles/role_under_test/tasks/section5.yml:529
changed: [localhost] => {"backup": "", "changed": true, "msg": "line added"}

xinetd based service checks in section2

The ansible service module doesn't seem to be working to detect and disable xinetd based services at the beginning of section2. The files that it checks for like /etc/xinetd.d/chargen-dgram might actually be there, but you don't know if that service is enabled or not without either doing a chkconfig --list or looking into the file to see if 'disabled=yes' is there.

To disable it you'd do a chkconfig chargen-dgram off but that is failing for me when using the service module in section2.yml. Seems like this fix would need to be switched to running the chkconfig command manually and then maybe bouncing xinetd like kill -USR2 `pidof xinetd`

tmp.mount overwritten

i believe that systemd-219-57.el7_5.1.x86_64 overwrites local changes in tmp.mount, we set a size= to limit tmpfs memory consumption

Update tasks to v2.2.0 of benchmark

Tasks need to be updated to be in line with v2.2.0 of the benchmark which was released in Dec. 2017.

Change history is listed below:

Tag strategy and consistency within this role

Example is 3.1.1 but there are more. Most are tagged as scored or not scored and without them all being tagged as such it seems some may run even if not intended. For instance running this playbook with --tags=level-1,scored ends up running some items which are not scored. Unsure if this is intended, but it still seems as though the tags should be consistent.

Fails idempotence check during CI

In its current state the role has about 15 tasks that report a change every time the role is run.

always tag on post.yml include

- include: post.yml
  become: yes
  tags:
      - post_tasks
      - always

should this be the case even in scenarios where we are running specific rule(s)?

1.2.5 Disable rhnsd Daemon

Not sure why this failing yet

TASK [RHEL7-CIS : NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon] *********************************************************************
fatal: [rhel7-dev2.uxdev.essent.us]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find the requested service rhnsd: host"}

- name: "NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon"
  service:
      name: rhnsd
      state: stopped
      enabled: no
  when: ansible_distribution == "RedHat" and rhnsd_service_status and not rhel7cis_rhnsd_required
  tags:
      - level2
      - notscored
      - patch
      - rule_1.2.5

- name: "PRELIM | Check for rhnsd service"
  shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
  register: rhnsd_service_status
  changed_when: no
  check_mode: no

Feature: Use variables instead of flags for skipping or forcing rules.

In the same way that this role have
rhel7cis_section1: true
...
rhel7cis_section6: true

Would be fantastic to have variables for each rule like
rhel7cis_rule_1.1.1.1
rhel7cis_rule_1.2

I know that it already has tags, but tags can only be set using the command line arguments, which is not version controlled.

If you don't disagree on this, I can do a PR for it.

tmp.mount restart handler will fail if /tmp is in use

Need to determine how to approach in use /tmp mount. I don't think we should hard fail the playbook for this condition, but certainly notify.

RUNNING HANDLER [RHEL7-CIS : systemd restart tmp.mount] *************************************************************************************
fatal: [someserver.somewhere.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to reload service tmp.mount: Job for tmp.mount failed. See \"systemctl status tmp.mount\" and \"journalctl -xe\" for details.\n"}

# systemctl status tmp.mount
● tmp.mount - Temporary Directory
   Loaded: loaded (/etc/systemd/system/tmp.mount; enabled; vendor preset: disabled)
   Active: active (mounted) (Result: exit-code) since Thu 2017-10-05 09:34:33 EDT; 7s ago
    Where: /tmp
     What: /dev/mapper/rootvg-tmplv
     Docs: man:hier(7)
           http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
  Process: 4911 ExecRemount=/bin/mount tmpfs /tmp -o remount,mode=1777,strictatime,noexec,nodev,nosuid -t tmpfs (code=exited, status=32)
  Process: 4927 ExecUnmount=/bin/umount /tmp (code=exited, status=32)

Oct 05 09:33:05 someserver.somewhere.com mount[4911]: mount: /tmp not mounted or bad option
Oct 05 09:33:05 someserver.somewhere.com mount[4911]: In some cases useful info is found in syslog - try
Oct 05 09:33:05 someserver.somewhere.com mount[4911]: dmesg | tail or so.
Oct 05 09:33:05 someserver.somewhere.com systemd[1]: tmp.mount mount process exited, code=exited status=32
Oct 05 09:33:05 someserver.somewhere.com systemd[1]: Reload failed for Temporary Directory.
Oct 05 09:34:33 someserver.somewhere.com systemd[1]: Unmounting Temporary Directory...
Oct 05 09:34:33 someserver.somewhere.com umount[4927]: umount: /tmp: target is busy.
Oct 05 09:34:33 someserver.somewhere.com umount[4927]: (In some cases useful info about processes that use
Oct 05 09:34:33 someserver.somewhere.com umount[4927]: the device is found by lsof(8) or fuser(1))
Oct 05 09:34:33 someserver.somewhere.com systemd[1]: tmp.mount mount process exited, code=exited status=32

[root@someserver service]# lsof /tmp
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firewalld  975 root  DEL    REG  253,6           136 /tmp/ffikXVvEQ
firewalld  975 root    8u   REG  253,6     4096  136 /tmp/ffikXVvEQ (deleted)
tuned     1281 root  DEL    REG  253,6           137 /tmp/ffiau2RGq
tuned     1281 root    7u   REG  253,6     4096  137 /tmp/ffiau2RGq (deleted)
[root@someserver service]# systemctl stop firewalld
[root@someserver service]# systemctl stop tuned
[root@someserver service]# systemctl restart tmp.mount
[root@someserver service]# systemctl start firewalld
[root@someserver service]# systemctl start tuned

UNIMPLEMENTED: 5.3.2 Ensure lockout for failed password attempts is configured

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and add the following pam_faillock.so lines surrounding a pam_unix.so line modify the pam_unix.so is [success=1 default=bad] as listed in both:

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900

1.1.21 implementation cannot handle paths with spaces

The command that is run at 1.1.21 does not handle paths with spaces. The official CIS remediation is invalid too.

It can be solved by using -print0 on find and then -0 on xargs.

The following worked on my system, it no longer throws a bunch of errors on paths that has spaces in them.

df --local -P | awk if (NR!=1) print $6 | xargs -I '{}' find '{}' -xdev -
type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t

SCORED | 5.4.1.2 Ensure minimum days between password changes is 7 or more

Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs :

PASS_MIN_DAYS 7

Modify user parameters for all users with a password set to match:

chage --mindays 7 <user>

SCORED | 5.2.15 Ensure SSH access is limited

Test variables to override defaults in group_vars/role_test

Remediation for 5.2.15 Ensure SSH access is limited

I'd like to start contributing to devel, I have a fork and a Branch name NESSUS that you might want commits from. Today I am looking at tackling the title.

-- Removed previous ansible blasphemy --

Now I'm thinking about doing one rule for each type of limit, deploying only when defined

rhel7cis_sshd:
    clientalivecountmax: 3
    # - make sure you understand the precedence when working with these values!!
    #allowusers:
    allowgroups: systems dba
    #denyusers:
    #denygroups:

- name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - allowgroups"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^AllowGroups"
      line: AllowGroups {{ rhel7cis_sshd['allowgroups'] }}
  when: rhel7cis_sshd['allowgroups'] is defined
  tags:
      - level1
      - level2
      - patch
      - rule_5.2.15

UNIMPLEMENTED: 5.4.1.4 Ensure inactive password lock is 30 days or less

2.2.6. Ensure LDAP server is not enabled fails when slapd is absent

TASK [RHEL7-CIS : SCORED | 2.2.6 | AUDIT | Ensure LDAP server is not enabled] **
fatal: [build]: FAILED! => {"failed": true, "msg": "The conditional check ''enabled' in slapd_server_enabled_audit.stdout' failed. The error was: error while evaluating conditional ('enabled' in slapd_server_enabled_audit.stdout): 'slapd_server_enabled_audit' is undefined"}
...ignoring

TASK [RHEL7-CIS : SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled] **
fatal: [build]: FAILED! => {"failed": true, "msg": "The conditional check 'slapd_server_enabled_audit.failed and rhel7cis_ldap_server == false' failed. The error was: error while evaluating conditional (slapd_server_enabled_audit.failed and rhel7cis_ldap_server == false): 'slapd_server_enabled_audit' is undefined\n\nThe error appears to have been in '/Users/bas/code/RHEL7-CIS/tasks/section2.yml': line 332, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled"\n ^ here\n"}

SCORED | 1.4.2 Ensure bootloader password is set

Request a policy change for use in the cloud?

[RHEL7-CIS : PRELIM | Gather accounts with empty password fields] fails if empty passwords exist

TASK [RHEL7-CIS : PRELIM | Gather accounts with empty password fields] **********************************************************************
fatal: [somehost.localnet]: FAILED! => {"changed": false, "cmd": "cat /etc/shadow | awk -F: '($2 == "" ) {j++;print $1; } END {exit j}'", "delta": "0:00:00.005703", "end": "2017-08-02 15:21:28.010028", "failed": true, "rc": 5, "start": "2017-08-02 15:21:28.004325", "stderr": "", "stderr_lines": [], "stdout": "someuser", "stdout_lines": ["someuser"]}
to retry, use: --limit @/home/someuser/hardening/roles/cis.retry

verbose indicates "warnings": []}\r\n', 'Shared connection to somehost.localnet closed.\r\n'

- name: "PRELIM | Gather accounts with empty password fields"
  shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
  register: empty_password_accounts
  changed_when: no
  check_mode: no

a test with "echo j" instead of "exit j" works around the issue