Update to Dimension's version

2025-12-13 09:32:15 +00:00 · 2022-07-02 11:08:11 +01:00
parent 87dee9b3fa
commit d71a4ace92
16 changed files with 184 additions and 41 deletions
--- a/files/auditd/privileged.rules
+++ b/files/auditd/privileged.rules
@@ -9,6 +9,9 @@
 -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
@@ -16,6 +19,7 @@
 -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/games/nethack/nethack -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1,5 +1,23 @@
 ---
 - name: restart sshd
-  service:
+  ansible.builtin.service:
    name: sshd
    state: restarted
+- name: init aide
+  ansible.builtin.shell: aide --init; mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+  args:
+    creates: /var/lib/aide/aide.db.gz
+  async: 300
+  poll: 0
+- name: remount proc
+  ansible.posix.mount:
+    path: /proc
+    state: remount
+- name: restart journald
+  ansible.builtin.service:
+    name: systemd-journald
+    state: restarted
+- name: restart rsyslog
+  ansible.builtin.service:
+    name: rsyslog
+    state: restarted
--- a/meta/main.yaml
+++ b/meta/main.yaml
@@ -0,0 +1,19 @@
+---
+allow_duplicates: false
+
+galaxy_info:
+  role_name: cis
+  author: Andrew Williams
+  description: Configures a RHEL systems to CIS specs
+  license: MIT
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: RedHat
+      versions:
+        - 8
+
+  collections:
+    - ansible.posix
+    - community.general
--- a/tasks/aide.yaml
+++ b/tasks/aide.yaml
@@ -1,14 +1,11 @@
 ---
 - name: Install AIDE
-  dnf:
+  ansible.builtin.package:
    name: aide
    state: installed
- name: Init AIDE if database is missing
-  shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-  args:
-    creates: /var/lib/aide/aide.db.gz
+  notify: init aide
 - name: Install AIDE crontab
-  copy:
+  ansible.builtin.copy:
    dest: /etc/cron.d/aide
    owner: root
    group: root
@@ -17,4 +14,4 @@
      SHELL=/bin/bash
      PATH=/sbin:/bin:/usr/sbin:/usr/bin
      MAILTO=root
-      0 5 * * * root /usr/sbin/aide --check
+      0 5 * * * root /usr/sbin/aide --update; mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
--- a/tasks/auditd.yaml
+++ b/tasks/auditd.yaml
@@ -1,13 +1,13 @@
 ---
 - name: Copy main CIS benchmark ruleset
-  copy:
+  ansible.builtin.copy:
    src: auditd/cis-hardening.rules
    dest: /etc/audit/rules.d/cis-hardening.rules
    owner: root
    group: root
    mode: "0600"
 - name: Copy privileged commands ruleset
-  copy:
+  ansible.builtin.copy:
    src: auditd/privileged.rules
    dest: /etc/audit/rules.d/privileged.rules
    owner: root
--- a/tasks/cron.yaml
+++ b/tasks/cron.yaml
@@ -0,0 +1,26 @@
+---
+- name: Enable crond
+  ansible.builtin.service:
+    name: crond
+    state: started
+    enabled: true
+- name: Set cron file security
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop:
+    - /etc/crontab
+- name: Set cron.* directory security
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0700"
+  loop:
+    - /etc/cron.hourly
+    - /etc/cron.daily
+    - /etc/cron.weekly
+    - /etc/cron.monthly
+    - /etc/cron.d
--- a/tasks/file_security.yaml
+++ b/tasks/file_security.yaml
@@ -1,16 +1,22 @@
 ---
- name: Change grub file modes  # noqa: ignore-errors
-  file:
+- name: Check if grub file exists
+  ansible.builtin.stat:
    path: "{{ item }}"
-    owner: root
-    group: root
-    mode: "0600"
-  ignore_errors: true
+  register: grub_results
  loop:
    - /boot/grub2/grub.cfg
    - /boot/grub2/grubenv
+  ignore_errors: true
+- name: Change grub file modes
+  ansible.builtin.file:
+    path: "{{ item.item }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop: "{{ grub_results.results }}"
+  when: item.stat.exists
 - name: Change MOTD files security
-  file:
+  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: root
@@ -19,23 +25,3 @@
    - /etc/motd
    - /etc/issue
    - /etc/issue.net
- name: Set cron file security
-  file:
-    path: "{{ item }}"
-    owner: root
-    group: root
-    mode: "0600"
-  loop:
-    - /etc/crontab
- name: Set cron.* directory security
-  file:
-    path: "{{ item }}"
-    owner: root
-    group: root
-    mode: "0700"
-  loop:
-    - /etc/cron.hourly
-    - /etc/cron.daily
-    - /etc/cron.weekly
-    - /etc/cron.monthly
-    - /etc/cron.d
--- a/tasks/journald.yaml
+++ b/tasks/journald.yaml
@@ -0,0 +1,31 @@
+---
+- name: Forward journald to syslog
+  community.general.ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: ForwardToSyslog
+    value: "yes"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart journald
+- name: Compress journald logs
+  community.general.ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: Compress
+    value: "yes"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart journald
+- name: Ensure logs are wrote to persistent disk
+  community.general.ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: Storage
+    value: persistent
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart journald
--- a/tasks/limits.yaml
+++ b/tasks/limits.yaml
@@ -1,6 +1,6 @@
 ---
 - name: Add core limits
-  pam_limits:
+  community.general.pam_limits:
    dest: /etc/security/limits.d/core.conf
    domain: "*"
    limit_type: hard
--- a/tasks/logindefs.yaml
+++ b/tasks/logindefs.yaml
@@ -0,0 +1,20 @@
+---
+# Modify login.defs
+- name: Set Default umask for Users
+  ansible.builtin.lineinfile:
+    dest: "/etc/login.defs"
+    regexp: "UMASK"
+    line: "UMASK 077"
+    state: present
+- name: Set Home filemode
+  ansible.builtin.lineinfile:
+    dest: "/etc/login.defs"
+    regexp: "HOME_MODE"
+    line: "HOME_MODE 0701"
+    state: present
+- name: Disable user groups
+  ansible.builtin.lineinfile:
+    dest: "/etc/login.defs"
+    regexp: "USERGROUPS_ENAB"
+    line: "USERGROUPS_ENAB no"
+    state: present
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,8 +1,13 @@
 ---
 - include: auditd.yaml
 - include: limits.yaml
+- include: proc.yaml
 - include: sudo.yaml
 - include: file_security.yaml
+- include: cron.yaml
 - include: ssh.yaml
 - include: sysctl.yaml
+- include: logindefs.yaml
+- include: journald.yaml
+- include: rsyslog.yaml
 - include: aide.yaml
--- a/tasks/proc.yaml
+++ b/tasks/proc.yaml
@@ -0,0 +1,10 @@
+---
+# Tighten down /proc
+- name: Hide other user's PIDs for non-root users
+  ansible.posix.mount:
+    src: proc
+    path: /proc
+    opts: defaults,hidepid=1,gid=986
+    state: present
+    fstype: proc
+  notify: remount proc
--- a/tasks/rsyslog.yaml
+++ b/tasks/rsyslog.yaml
@@ -0,0 +1,18 @@
+---
+- name: Install rsyslog
+  ansible.builtin.package:
+    name: rsyslog
+    state: present
+- name: Set FileCreateMode for rsyslog
+  ansible.builtin.copy:
+    dest: /etc/rsyslog.d/00-filecreatemode.conf
+    owner: root
+    group: root
+    mode: "0644"
+    content: "$FileCreateMode 0640\n"
+  notify: restart rsyslog
+- name: Start rsyslog
+  ansible.builtin.service:
+    name: rsyslog
+    state: started
+    enabled: true
--- a/tasks/services.yaml
+++ b/tasks/services.yaml
@@ -0,0 +1,9 @@
+---
+- name: Disable services
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop:
+    - rpcbind.socket
+    - rpcbind.service
--- a/tasks/ssh.yaml
+++ b/tasks/ssh.yaml
@@ -1,12 +1,12 @@
 ---
 - name: Set sshd_config file security
-  file:
+  ansible.builtin.file:
    path: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
 - name: Set SSHD configuration values
-  lineinfile:
+  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^{{ item.key }}"
    line: "{{ item.key }} {{ item.value }}"
--- a/tasks/sudo.yaml
+++ b/tasks/sudo.yaml
@@ -1,6 +1,6 @@
 ---
 - name: Ensure sudo access is logged
-  copy:
+  ansible.builtin.copy:
    dest: /etc/sudoers.d/logfile.conf
    owner: root
    group: root