
more rules

010010-020620
Micah Halter 1 year ago
parent
commit
ba19115d19
  1. 153
      roles/disa-v2r6/tasks/main.yml
  2. 6
      roles/disa-v2r6/tasks/prelim.yml

153
roles/disa-v2r6/tasks/main.yml

@ -1,4 +1,10 @@
---
- name: run preliminary tasks
import_tasks: prelim.yml
become: yes
tags:
- prelim_tasks
- name: "CAT I | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
block:
- name: Check for packages with incorrect permissions
@ -938,3 +944,150 @@
tags:
- CAT-II
- RHEL-07-010310
- name: |
"CAT II | RHEL-07-010320 | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."
"CAT II | RHEL-07-010330 | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
block:
- name: verify pam_faillock.so module exists
pamd:
name: "{{ item }}"
state: before
type: auth
control: sufficient
module_path: pam_unix.so
new_type: auth
new_control: required
new_module_path: pam_faillock.so
with_items:
- "system-auth"
- "password-auth"
- name: check if correct rules are set for locking after 3 unsuccessful password attempts
command: "grep -iE '^auth\\s+required\\s+pam_faillock.so\\s+preauth\\s+silent\\s+audit\\s+deny=3\\s+even_deny_root\\s+fail_interval=900\\s+unlock_time=900$' /etc/pam.d/{{ item }}"
check_mode: no
changed_when: no
failed_when: password_lock_rules_check.rc > 1
register: password_lock_rules_check
with_items:
- "system-auth"
- "password-auth"
- name: set correct rules for locking
pamd:
name: "{{ item.item }}"
state: updated
type: auth
control: required
module_path: pam_faillock.so
module_arguments: "preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900"
with_items: "{{ password_lock_rules_check.results }}"
when: item.rc == 1
- name: add default die to faillock
pamd:
name: "{{ item }}"
state: before
type: auth
control: required
module_path: pam_deny.so
new_type: auth
new_control: "[default=die]"
new_module_path: pam_faillock.so
with_items:
- "system-auth"
- "password-auth"
- name: check if correct rules are set for authfail
command: "grep -iE '^auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\\s+audit\\s+deny=3\\s+even_deny_root\\s+fail_interval=900\\s+unlock_time=900$' /etc/pam.d/{{ item }}"
check_mode: no
changed_when: no
failed_when: authfail_check.rc > 1
register: authfail_check
with_items:
- "system-auth"
- "password-auth"
- name: set correct rules for authfail
pamd:
name: "{{ item.item }}"
state: updated
type: auth
control: "[default=die]"
module_path: pam_faillock.so
module_arguments: "authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900"
with_items: "{{ authfail_check.results }}"
when: item.rc == 1
- name: make sure faillock module is required
pamd:
name: "{{ item }}"
state: before
type: account
control: required
module_path: pam_unix.so
new_type: account
new_control: required
new_module_path: pam_faillock.so
with_items:
- "system-auth"
- "password-auth"
tags:
- CAT-II
- RHEL-07-010320
- RHEL-07-010330
- name: "CAT II | RHEL-07-010340 | The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."
block:
- name: verify that password is needed for privilege escalation
replace:
path: "{{ item }}"
regexp: '^([^#].*)NOPASSWD(.*)'
replace: '\1PASSWD\2'
validate: '/usr/sbin/visudo -cf %s'
with_items: "{{ sudoers_files.stdout_lines }}"
tags:
- CAT-II
- RHEL-07-010340
- name: "CAT II | RHEL-07-010350 | The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."
block:
- name: verify that reauthentication is needed for privilege escalation
replace:
path: "{{ item }}"
regexp: '^([^#].*)!authenticate(.*)'
replace: '\1authenticate\2'
validate: '/usr/sbin/visudo -cf %s'
with_items: "{{ sudoers_files.stdout_lines }}"
tags:
- CAT-II
- RHEL-07-010350
- name: "CAT II | RHEL-07-010430 | The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."
block:
- name: verify login delay on failed password
lineinfile:
dest: /etc/login.defs
regexp: ^#?FAIL_DELAY
line: "FAIL_DELAY 4"
tags:
- CAT-II
- RHEL-07-010430
- name: "CAT I | RHEL-07-010440 | The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."
block:
- name: don't allow unattended graphical login
lineinfile:
dest: /etc/gdm/custom.conf
regexp: (?i)automaticloginenable
line: AutomaticLoginEnable=false
insertafter: '\[daemon\]'
tags:
- CAT-I
- RHEL-07-010440
- name: "CAT I | RHEL-07-010450 | The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."
block:
- name: don't allow unrestricted logon
lineinfile:
dest: /etc/gdm/custom.conf
regexp: (?i)timedloginenable
line: TimedLoginEnable=false
insertafter: '\[daemon\]'
tags:
- CAT-I
- RHEL-07-010450
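Review bot: The `[default=die] pam_faillock.so authfail` rule is anchored before `pam_deny.so` (the "add default die to faillock" task) rather than directly after `pam_unix.so`; on a stock RHEL 7 system-auth/password-auth stack a `requisite pam_succeed_if.so uid >= 1000` line sits between those two, and if that is the case here (the current PAM files are not in the diff) a failed root logon returns at the requisite line and never reaches authfail, so the counter that RHEL-07-010330 relies on (`even_deny_root`) is never incremented for root even though the preauth rule is present. Anchoring on the same rule the preauth task already uses would match the order in the STIG fix text: `state: after`, `control: sufficient`, `module_path: pam_unix.so`, with the `new_*` keys unchanged. The grep-based checks would not catch this either, since they verify only the argument string and not the rule's position in the stack. Separately, the two CAT I GDM tasks call `lineinfile` without `create: yes`, so on a host without /etc/gdm/custom.conf they fail the play outright instead of treating the control as not applicable.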

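--- /dev/null
+++ b/roles/disa-v2r6/tasks/prelim.yml
@@ -0,0 +1,6 @@
+- name: "Find all sudoers files."
+command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
+check_mode: no
+changed_when: no
+failed_when: no
+register: sudoers_files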
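Review bot: `failed_when: no` on the find command means any failure (a missing or unreadable /etc/sudoers.d, for instance) leaves `sudoers_files.stdout_lines` empty or partial, and the RHEL-07-010340/010350 tasks in main.yml that iterate over it then silently remediate nothing while the play reports success. Fail on an unexpected exit status instead, `failed_when: sudoers_files.rc != 0`, or at least assert the list is non-empty before it is consumed. The enumeration also does not follow `#include`/`#includedir` directives inside /etc/sudoers, so a NOPASSWD or `!authenticate` entry in a file reached only that way would be missed; if that is an accepted limitation it deserves a comment above the task, e.g. `# Only /etc/sudoers and /etc/sudoers.d are scanned; #include targets elsewhere are not followed.` The new file also lacks the leading `---` that main.yml carries.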