ansible-lockdown · MrSteve81 · Jan 31, 2025 · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
@@ -7,7 +7,7 @@
         audit_pkg_arch_name: AMD64
 
     - name: Pre Audit Setup | Set audit package name | ARM64
-      when: ansible_facts.machine == "arm64"
+      when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
       ansible.builtin.set_fact:
         audit_pkg_arch_name: ARM64
 
@@ -24,7 +24,7 @@
 - name: Pre Audit Setup | Copy audit binary
   when: get_audit_binary_method == 'copy'
   ansible.builtin.copy:
-    src: "{{ audit_bin_copy_location }}"
+    src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
     dest: "{{ audit_bin }}"
     owner: root
     group: root

diff --git a/tasks/auditd.yml b/tasks/auditd.yml
@@ -1,17 +1,30 @@
 ---
 
-- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
+# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
+# we need to update the auditd rules depending on the architecture of the system.
+# This task passed the syscalls table to the auditd template and updates the auditd rules
+
+- name: "POST | AUDITD | Set supported_syscalls variable"
+  ansible.builtin.shell: ausyscall --dump |  awk  '{print $2}'
+  changed_when: false
+  failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
+  register: discovered_auditd_syscalls
+
+- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
   ansible.builtin.stat:
     path: /etc/audit/rules.d/99_auditd.rules
   register: discovered_auditd_rules_file
 
-- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
+- name: POST | Apply auditd template for section 6.3.3.x
+  when: update_audit_template
+  vars:
+    supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
   ansible.builtin.template:
     src: audit/99_auditd.rules.j2
     dest: /etc/audit/rules.d/99_auditd.rules
     owner: root
     group: root
-    mode: '0640'
+    mode: 'u-x,go-wx'
   diff: "{{ discovered_auditd_rules_file.stat.exists }}"  # Only run diff if not a new file
   register: discovered_auditd_rules_template_updated
   notify:

diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml
@@ -95,7 +95,7 @@
           loop:
             - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
             - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
-            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account     required      pam_faillock.so }
+            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account     required      pam_faillock.so" }
 
         - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
           when: not rhel9cis_allow_authselect_updates
@@ -108,7 +108,7 @@
           loop:
             - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
             - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
-            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account     required      pam_faillock.so }
+            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account     required      pam_faillock.so" }
 
 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
   when:

diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml
@@ -24,7 +24,7 @@
       ansible.builtin.replace:
         path: "/etc/pam.d/{{ item }}-auth"
         regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
-        replace: \1\2\3
+        replace: \1 \2\3
       loop:
         - password
         - system
@@ -126,4 +126,3 @@
       loop:
         - password
         - system
-      notify: Authselect update
diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -69,7 +69,7 @@
     - pam
   block:
     - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
-      ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
+      ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
       register: discovered_pwhistory_use_authtok
       changed_when: false
       failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
@@ -81,9 +81,9 @@
         - rhel9cis_disruption_high
       ansible.builtin.lineinfile:
         path: "{{ item }}"
-        regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
-        line: '\1\2 use_authtok'
-        backrefs: true
+        regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok)
+        line: password   required     pam_pwhistory.so use_authtok
+        insertbefore: ^password.*pam_deny.so
       loop:
         - /etc/pam.d/password-auth
         - /etc/pam.d/system-auth

diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -9,20 +9,40 @@
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if rhel9cis_rule_6_3_3_2 %}
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+{% set syscalls = ["execve"] %}
+{% set arch_syscalls = [] %}
+{%- for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor -%}
+-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
+-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
 {% if rhel9cis_rule_6_3_3_3 %}
 -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
--a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
--a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
--a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
+{% set syscalls = ["sethostname","setdomainname"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -35,10 +55,17 @@
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_6_3_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 {% endif %}
 {% if rhel9cis_rule_6_3_3_8 %}
 -w /etc/group -p wa -k identity
@@ -51,16 +78,65 @@
 -w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_6_3_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_10 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
+{% set syscalls = ["mount"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
 {% if rhel9cis_rule_6_3_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -72,8 +148,15 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel9cis_rule_6_3_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
+{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
 {% endif %}
 {% if rhel9cis_rule_6_3_3_14 %}
 -w /etc/selinux -p wa -k MAC-policy
@@ -92,8 +175,15 @@
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
+{% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_6_3_3_20 %}
 -e 2

diff --git a/vars/main.yml b/vars/main.yml
@@ -24,9 +24,11 @@ warn_count: 0
 
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 
-## Control 6.3.3.x - Audit template
-# This variable governs if the auditd logic should be executed(if value is true).
-# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
+## Controls 6.3.3.x - Audit template
+# This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
+# audit settings are overwritten with the role's template. In order to exclude
+# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
+# to `false`.
 update_audit_template: false
 
 # Defaults