Comments (4)
I'm not familiar with BoKS but will check it out. As far as making role updates to support using BoKS...maybe? We should see what the user community thinks but I think if done in the right way it could work.
One thought is...do you think it's possible to parameterize the SSHD setting? i.e.
rhel7cis_ssh_daemon_config: /etc/ssh/sshd_config
Then for BoKS you could set it to:
rhel7cis_ssh_daemon_config: /opt/boks/etc/ssh/sshd_config
Also could we parameterize the daemon itself and then setup the restart ssh handlers to restart the correct daemon?
from rhel7-cis.
On BoKS, its sshd_config file is largely left untouched. There are a few tweaks we have to make for sftp on certain hosts, but they aren't security oriented. All administrative work (policies, user admin, etc.) is performed within a GUI interface on the BoKS master host. So basically that is the configuration portion.
With any new build RHEL7 hosts, I've always run the CIS playbook on it first and then enabled BoKS afterwards. The majority of CIS changes do not affect BoKS.
In order to get the playbook to run, after BoKS has been enabled on a host, all I had to do was add this patch.
diff --git a/handlers/main.yml b/handlers/main.yml
index a680633..9cd5802 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -47,7 +47,7 @@
service:
name: sshd
state: restarted
-
+ when: boks_sshd.stat.exists == False
- name: reload dconf
become: yes
command: dconf update
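Review bot: the `when: boks_sshd.stat.exists == False` added to the sshd restart handler will abort with an undefined-variable error whenever the handler fires in a run where `tasks/prelim.yml` did not execute (a tag-limited run, for instance), because `boks_sshd` is only registered there; guard it as `when: not (boks_sshd.stat.exists | default(false))`, which also replaces the `== False` comparison with the idiomatic `not`.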
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 0c70d52..94e6c4e 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -203,3 +203,9 @@
register: rhnsd_service_status
changed_when: no
check_mode: no
+
+- name: "PRELIM | Check for BoKS"
+ stat:
+ path: /opt/boksm
+ register: boks_sshd
+- debug: msg="{{ boks_sshd.stat.exists }}"
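Review bot: the trailing `- debug: msg="{{ boks_sshd.stat.exists }}"` is leftover troubleshooting output and should be dropped before this is merged. The registered name `boks_sshd` is also misleading for a `stat` of the `/opt/boksm` directory, which says nothing about sshd; a name such as `boks_install` would make the `when:` conditions in the other hunks self-explanatory.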
diff --git a/tasks/section5.yml b/tasks/section5.yml
index e9aa3c1..1d233f3 100644
--- a/tasks/section5.yml
+++ b/tasks/section5.yml
@@ -588,6 +588,7 @@
dest: /etc/pam.d/su
regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
line: 'auth required pam_wheel.so use_uid'
+ when: boks_sshd.stat.exists == False
tags:
- level1
- level2
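Review bot: gating rule 5.6 with `when: boks_sshd.stat.exists == False` silently skips the control on BoKS hosts, leaving no record in the run that it was deliberately exempted; expose the exemption through an explicit variable (a per-rule toggle derived from the BoKS check, name to be agreed) or at least a comment on the task so it is visible and overridable, and write the condition as `not boks_sshd.stat.exists` rather than comparing to `False`. Note that the condition only tests BoKS presence, not that BoKS actually manages `/etc/pam.d/su` on that host.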
The only rule that introduces a conflict that I see so far is:
- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted"
  lineinfile:
    state: present
    dest: /etc/pam.d/su
    regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
    line: 'auth required pam_wheel.so use_uid'
  tags:
    - level1
    - level2
    - patch
    - rule_5.6
So basically there are a few things not to do on a BoKS-enabled host. This might mean having a registered variable hold the BoKS status and act accordingly on these items.
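Putting the two ideas from this thread together (the parameterized sshd_config path and daemon name from the first comment, and a registered BoKS status gating the conflicting tasks from the second) as one added sketch; this is example code, not the rhel7-cis role's own, and the names rhel7cis_ssh_daemon_config, rhel7cis_ssh_daemon_name, rhel7cis_boks_path, rhel7cis_boks_stat and rhel7cis_boks_present are assumptions.

```yaml
---
# defaults/main.yml (variable names assumed for this example)
rhel7cis_ssh_daemon_config: /etc/ssh/sshd_config   # file the role edits
rhel7cis_ssh_daemon_name: sshd                      # service the handler restarts
rhel7cis_boks_path: /opt/boksm                      # presence marks a BoKS host
---
# tasks/prelim.yml: discover BoKS once, keep a plain boolean fact
- name: "PRELIM | Check for BoKS"
  stat:
    path: "{{ rhel7cis_boks_path }}"
  register: rhel7cis_boks_stat

- name: "PRELIM | Record whether BoKS is installed"
  set_fact:
    rhel7cis_boks_present: "{{ rhel7cis_boks_stat.stat.exists | bool }}"
---
# tasks/section5.yml: edit whichever sshd_config is active on this host
- name: "PATCH | Ensure SSH LogLevel is INFO (illustrative sshd_config edit)"
  lineinfile:
    path: "{{ rhel7cis_ssh_daemon_config }}"
    regexp: '^(#)?LogLevel'
    line: 'LogLevel INFO'
  notify: restart sshd

# keep rule 5.6 in the role but make the BoKS exemption explicit
- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted"
  lineinfile:
    state: present
    dest: /etc/pam.d/su
    regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
    line: 'auth required pam_wheel.so use_uid'
  # default(false) keeps tag-limited runs, where prelim did not execute,
  # from failing on an undefined variable; they then apply the control
  when: not (rhel7cis_boks_present | default(false))
---
# handlers/main.yml: restart whichever daemon this host actually runs
- name: restart sshd
  service:
    name: "{{ rhel7cis_ssh_daemon_name }}"
    state: restarted
---
# group_vars/boks_hosts.yml: per-host override, no BoKS logic inside tasks
rhel7cis_ssh_daemon_config: /opt/boks/etc/ssh/sshd_config  # path from the thread above
rhel7cis_ssh_daemon_name: BOKS_SSHD_SERVICE_NAME_PLACEHOLDER  # not known from this thread
```

The group_vars override is what lets BoKS hosts get the same tasks and handler as everyone else, with only the file path and service name differing.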
I have seen BoKS in use in a large bank. It has fine-grained access rules where you can restrict the use of: remote execution, scp, sftp, and interactive shell. Also it manages every point-to-point connection from a security viewpoint.
Since BoKS is not open-source, it is hard to test in CI when we refactor. I suggest you maintain your own fork.
I agree. Thanks for the feedback.