From 09dc296297c9dc59e4899aa6c5f8a54bcb317021 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 22 Oct 2024 08:09:59 +0100
Subject: [PATCH 1/5] Fixed control 6.2.11 inline with control details

Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.2.x.yml | 59 ++++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 18 deletions(-)

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index e1fc4d90..6b2afe39 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -386,35 +386,58 @@
     warn_control_id: '6.2.11'
   block:
     - name: "6.2.11 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
-      ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
-      changed_when: false
-      failed_when: discovered_dot_files.rc not in [ 0, 1 ]
-      check_mode: false
-      register: discovered_dot_files
+      # ansible.builtin.shell: find /home/ -name "\.*" exec ls -l {}
+      # changed_when: false
+      # failed_when: discovered_hidden_files.rc not in [ 0, 1 ]
+      # check_mode: false
+      # register: discovered_hidden_files
+      ansible.builtin.find:
+        path: /home
+        recurse: true
+        file_type: file
+        hidden: true
+      register: discovered_hidden_files
 
     - name: "6.2.11 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
       when:
-        - discovered_dot_files.stdout | length > 0
-        - rhel8cis_dotperm_ansiblemanaged
-
+        - not rhel8cis_dotperm_ansiblemanaged
       ansible.builtin.debug:
         msg:
-          - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."
+          - "Warning!! Please investigate thathidden files found in users home directories match control requirements."
 
     - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
       when:
-        - discovered_dot_files.stdout | length > 0
-        - rhel8cis_dotperm_ansiblemanaged
-
+        - not rhel8cis_dotperm_ansiblemanaged
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 
-    - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
+    - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured"
       when:
-        - discovered_dot_files.stdout | length > 0
+        - discovered_hidden_files.matched > 0
         - rhel8cis_dotperm_ansiblemanaged
+      block:
+        - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history"
+          when:
+            - discovered_hidden_files.matched > 0
+            - "'.bash_history' in item.path"
+          ansible.builtin.file:
+            path: '{{ item.path }}'
+            mode: 'go-rwx'
+          with_items: "{{ discovered_hidden_files.files }}"
-      ansible.builtin.file:
-        path: '{{ item }}'
-        mode: 'go-w'
-      with_items: "{{ discovered_dot_files.stdout_lines }}"
+        - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
+          when:
+            - "'.netrc' not in item.path"
+            - "'.rhost' not in item.path"
+            - "'.forward' not in item.path"
+          ansible.builtin.file:
+            path: '{{ item.path }}'
+            mode: 'go-wx'
+          with_items: "{{ discovered_hidden_files.files }}"
+
+        - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
+          ansible.builtin.file:
+            path: '{{ item.path }}'
+            owner: "{{ item.path | dirname | basename }}"
+            group: "{{ item.path | dirname | basename }}"
+          with_items: "{{ discovered_hidden_files.files }}"
 

From cdcb50c17fdeb3ecaf623371951031574a0c2c6b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 25 Oct 2024 18:25:18 +0100
Subject: [PATCH 2/5] add context and default to false for 6.2.12
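Review bot: The new `ansible.builtin.find` task has no `patterns`, and `hidden: true` only stops hidden files from being skipped, so with `recurse: true` it returns every regular file under /home rather than the dot files the control names, and the three follow-on tasks then chmod and chown all of them. Restricting the search with `patterns: '.*'` (plus `depth: 2` if only the files directly in each home directory are meant) keeps the PATCH block on the intended files. The ownership task derives owner and group from the parent directory name via `{{ item.path | dirname | basename }}`; for a recursed file such as /home/alice/.ssh/known_hosts that yields `.ssh`, which is not an account, so the loop fails, and even for top-level dot files it assumes the home directory's basename is the user name instead of taking the owner from the passwd entry. Since the block is already gated on `discovered_hidden_files.matched > 0`, repeating that condition in the .bash_history task's `when` is redundant. The enclosing 6.2.11 task starts before this hunk.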
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 66d8ba6c..88dfd5c8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -871,4 +871,5 @@ rhel8cis_suid_adjust: false
 rhel8cis_sgid_adjust: false
 
 # 6.2.12
-rhel8cis_dotperm_ansiblemanaged: true
+# Allow changes to take place on system
+rhel8cis_dotperm_ansiblemanaged: false

From 40cda3abd08cd6d9dce797abf0f98355bdf35728 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 25 Oct 2024 18:26:04 +0100
Subject: [PATCH 3/5] Extended and updated 6.2.11

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 +-
 tasks/section_6/cis_6.2.x.yml | 23 +++++++++++++++--------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 88dfd5c8..45692cdd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -870,6 +870,6 @@ rhel8cis_ungrouped_adjust: false
 rhel8cis_suid_adjust: false
 rhel8cis_sgid_adjust: false
 
-# 6.2.12
+# 6.2.11
 # Allow changes to take place on system
 rhel8cis_dotperm_ansiblemanaged: false
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 6b2afe39..2a272226 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -419,25 +419,32 @@
         - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history"
           when:
             - discovered_hidden_files.matched > 0
-            - "'.bash_history' in item.path"
+            - item.path is search (".netrc") or item.path is search (".bash_history")
           ansible.builtin.file:
-            path: '{{ item.path }}'
-            mode: 'go-rwx'
+            path: "{{ item.path }}"
+            mode: 'u-x,go-rwx'
           with_items: "{{ discovered_hidden_files.files }}"
 
         - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
           when:
-            - "'.netrc' not in item.path"
-            - "'.rhost' not in item.path"
-            - "'.forward' not in item.path"
+            - (item.path != '.netrc' or
+               item.path != '.rhost' or
+              item.path != '.forward')
           ansible.builtin.file:
             path: '{{ item.path }}'
-            mode: 'go-wx'
+            mode: 'u-x,go-wx'
           with_items: "{{ discovered_hidden_files.files }}"
 
-        - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
+        - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files ownerships"
           ansible.builtin.file:
             path: '{{ item.path }}'
             owner: "{{ item.path | dirname | basename }}"
             group: "{{ item.path | dirname | basename }}"
           with_items: "{{ discovered_hidden_files.files }}"
+
+        - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | rename .forward or .netrc files"
+          when:
+            - item.path is search (".forward") or item.path is search (".rhost")
+            - item.path is not search ("CIS")
+          ansible.builtin.shell: "mv {{ item.path }} {{ item.path }}_CIS_TOBEREVIEWED"
+          with_items: "{{ discovered_hidden_files.files }}"

From f23ef8b51c64a3eacb272ec221d92ead388c8d47 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 30 Oct 2024 08:48:57 +0000
Subject: [PATCH 4/5] removed recursive from find command 6.2.11
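Review bot: The new rename task interpolates `{{ item.path }}` unquoted into `ansible.builtin.shell`, and that path is a file name chosen by whoever owns the home directory; a local user who creates a file whose name contains `.forward` plus shell metacharacters (`;`, backticks, `$( )`) gets that text executed as root the next time the role runs. Use the command module with an `argv` list, or at minimum `ansible.builtin.shell: "mv {{ item.path | quote }} {{ (item.path ~ '_CIS_TOBEREVIEWED') | quote }}"`, so the name is never re-parsed by a shell. The rewritten exclusion in the file-mode task, `(item.path != '.netrc' or item.path != '.rhost' or item.path != '.forward')`, is always true — a value cannot equal all three, and item.path is a full path that never equals a bare file name — so nothing is excluded any more; `item.path | basename not in ['.netrc', '.rhosts', '.forward']` expresses the intent (the benchmark text refers to `.rhosts`, which `is search(".rhost")` only catches because it is an unanchored substring match). The `is search` tests also treat the leading `.` as a regex wildcard, so comparing the basename, or anchoring the pattern, avoids matching unrelated names. The enclosing PATCH block starts before this hunk.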
Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.2.x.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 2a272226..65d41602 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -393,7 +393,6 @@
       # register: discovered_hidden_files
       ansible.builtin.find:
         path: /home
-        recurse: true
         file_type: file
         hidden: true
       register: discovered_hidden_files
@@ -428,7 +427,7 @@
         - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
           when:
             - (item.path != '.netrc' or
-               item.path != '.rhost' or
+              item.path != '.rhost' or
              item.path != '.forward')
           ansible.builtin.file:
             path: '{{ item.path }}'

From 7e4ace8d39f9cf65b9ffa1828cde1e9939af7a35 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 12 Nov 2024 13:08:45 +0000
Subject: [PATCH 5/5] udpated spacing in warning

Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.2.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 65d41602..a5405007 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -402,7 +402,7 @@
         - not rhel8cis_dotperm_ansiblemanaged
       ansible.builtin.debug:
         msg:
-          - "Warning!! Please investigate thathidden files found in users home directories match control requirements."
+          - "Warning!! Please investigate that hidden files found in users home directories match control requirements."
 
     - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
       when:
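Review bot: Removing `recurse: true` leaves the find returning only regular files that sit directly in /home; in the usual /home/<user>/ layout those entries are directories, and the dot files this control targets live one level down, so `discovered_hidden_files.matched` stays 0 and the PATCH block silently becomes a no-op while the control still appears to have run. If the intent was to stop descending into `.ssh/`, `.config/` and similar, `recurse: true` together with `depth: 2` limits the search to each home directory's top level, and adding `patterns: '.*'` stops `hidden: true` from also returning non-hidden files. The find task's enclosing AUDIT step starts before this hunk.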