Hello, Firstly thank you very much for collection. I would need some clarification to get to use the role included in the collection. Once the collection is installed, I try to do an include role like this. But it does not work.

---
- name: Linux Hardening
  hosts: testserver
  vars:
    selinux: "disabled"
    time_server: "ourtimeserver"
    update_system: true
    email_server: true
    enable_firewall: false
  tasks:
    - name: CIS Security
      include_role:
        name: dsglaser.cis_security.dsglaser.cis_security

I also tried to use the role in that way. dsglaser.cis_security and cis_security

Thx in advance for your help.

Hi

The Set root password task configures the root_password as password instead of the value of the root_password variable
The problematic line is as follows:

        password: "{{ 'root_password' | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"

To resolve this issue, you should remove the apostrophe signs from around the root_password variable, as shown below:

        password: "{{ root_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"

If you get an error like secret must be unicode or bytes, not ansible.parsing.yaml add | string so the final line will be

        password: "{{ root_password | string | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"

In the case of auditing system be locked, with -e 2 flag, then the handler fails to execute and the playbook is marked as failed.

I think setting ignore_errors: True would be better.

Are there plans to update this to cover Ubuntu 22.04 in the near future?

Hi there, (thanks for all your updates btw :) )

Can the following be updated please:

Current:

• name: 3.3.2 - Ensure ICMP redirects are not accepted
  ansible.builtin.set_fact:
  unneeded_ipv4_network: "{{ unneeded_ipv4_network | combine({ 'net.ipv4.conf.all.accept_redirects' : '0' }) }}"
  tags:

  • 3.3.2

• name: 3.3.2 - Ensure ICMP redirects are not accepted
  ansible.builtin.set_fact:
  unneeded_ipv6_network: "{{ unneeded_ipv6_network | combine({ 'net.ipv6.conf.all.accept_redirects' : '0' }) }}"
  when: not ipv6_disable
  tags:

  • 3.3.2

Change to:

• name: 3.3.2 - Ensure ICMP redirects are not accepted
  ansible.builtin.set_fact:
  unneeded_ipv4_network: "{{ unneeded_ipv4_network | combine({ item : '0' }) }}"
  loop:

  • net.ipv4.conf.all.accept_redirects
  • net.ipv4.conf.default.accept_redirects
    tags:
  • 3.3.2

• name: 3.3.2 - Ensure ICMP redirects are not accepted
  ansible.builtin.set_fact:
  unneeded_ipv6_network: "{{ unneeded_ipv6_network | combine({ item : '0' }) }}"
  when: not ipv6_disable
  loop:

  • net.ipv6.conf.all.accept_redirects
  • net.ipv6.conf.default.accept_redirects
    tags:
  • 3.3.2

Host is running Red Hat Enterprise Linux 8.7

Unable to restart service auditd: Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).\nSee system logs and 'systemctl status auditd.service' for details.

Looking back at the history, use: service was there and now isn't?

The "Add unused_filesystems to /etc/modprobe.d/CIS.conf" task has improperly indented values.
The "Wait for AIDE initialization to complete" tasks has an extra colon in the command.

$ diff -u .ansible/collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml redhat-8-type.yml > rh8t.patch
$ cat rh8t.patch 
--- .ansible/collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml        2022-08-05 02:16:05.128045797 +0000
+++ redhat-8-type.yml   2022-08-05 02:10:19.569043922 +0000
@@ -88,9 +88,9 @@
       line: "install {{ item }} /bin/true"
       state: present
       create: true
-    owner: root
-    group: root
-    mode: 0644
+      owner: root
+      group: root
+      mode: 0644
     with_items:
       - "{{ unused_filesystems }}"
 
@@ -585,7 +585,7 @@
           - 1.4.1
 
       - name: Wait for AIDE initialization to complete
-        ansible.builtin.async_status:: jid={{ aide.ansible_job_id }}
+        ansible.builtin.async_status: jid={{ aide.ansible_job_id }}
         register: aide_status
         until: aide_status.finished
         when: ( not aide_path.stat.exists or not aide_path.stat.isreg ) and ansible_distribution != "SLES"

That normal ?

TASK [dsglaser.cis_security.cis_security : 2.2.1.3 - configure sysconfig time_server options] ***
changed: [templates8.domain] => {"changed": true, "checksum": "c81fc383a075ffadae9801d9c7ee7528c271abaf", "dest": "/etc/sysconfig/chronyd", "gid": 0, "group": "root", "md5sum": "b9583a310fb2cd295b8e054abbc5c1fc", "mode": "0644", "owner": "root", "size": 19, "src": "/root/.ansible/tmp/ansible-tmp-1607016045.3845468-10993-207435942943047/source", "state": "file", "uid": 0}

I don't understand why I see this point is normally only for RHEL7 not 8

Thx!

# With the list complete, use it with the system's package manager
#  to remove packages from the system that are not needed.
- name: Remove unused_filesystem list
  ansible.builtin.dnf:
    name: unused_filesystems
    state: absent

I think in the above unused_filesystems should be '{{ unused_filesystems }}'.

Hi (thanks for the quick responses!)

RHEL8

An additional file needs to be added to the loop for this condition to pass.

Current:

loop:
- /etc/bashrc
- /etc/profile

changed to:

loop:
- /etc/bashrc
- /etc/profile
- /etc/login.defs

Environment

CentOS 8

Error

"Could not find or access 'audit_rules/session.rules'"

Cause

roles/cis_security/tasks/type-files/redhat-8-type.yml

1537           src: audit_rules/session.rules

Fix

roles/cis_security/tasks/type-files/redhat-8-type.yml

1537           src: audit_rules/sessions.rules

I deployed a minimal RHEL9 images and ran the task against it. It fails here:

RUNNING HANDLER [cis : Reboot] *************************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Restart sshd] *******************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Restart chronyd] ****************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Restart journald] ***************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Start firewalld] ****************************************
fatal: [rhel9base]: FAILED! => {"changed": false, "msg": "Unable to start service firewalld: Failed to start firewalld.service: Unit firewalld.service is masked.\n"}
PLAY RECAP *********************************************************************
rhel9base : ok=220 changed=100 unreachable=0 failed=1 skipped=87 rescued=0 ignored=0

The code says:

- name: Add unused_filesystems to /etc/modprobe.d/CIS.conf
  ansible.builtin.lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    line: "install {{ item }} /bin/true"
    state: present
    create: true
    owner: root
    group: root
    mode: 0644
    setype: modules_conf_t
  with_items:
    - "{{ unused_filesystems }}"

The standard wants /bin/false.

Spelling issue in section 4.1.8 in ubuntu-18-type.yml

Line 1549 should read "src: audit_rules/sessions.rules"

missing s in sessions.rules

Original line is "src: audit_rules/session.rules"

Do you think it would be useful to add the possibility to disable the firewall. A useful option might be disabled. Thx!

Currently there is no clear license for this code. Could you please add a license file to the repo.

Thanks.

Hi,

Getting the below error and I believe that it is due to the following issues:

ERROR:
ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
There was an error in line 21 of /etc/audit/audit.rules
There was an error in line 34 of /etc/audit/audit.rules
etc

00-datetime.rules - Needs a new line after line 3

-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change

because the following was happening in the /etc/audit/audit.rules, merging the last line of 00-datetime.rules and the first line of 00-delete.rules:

-w /etc/localtime -p wa -k time-change-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k delete

00-network.rules - First two lines need changing from:

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k -F system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k -F system-locale

to:

-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale

00-user_emulation.rules - needs new line at the end of line 2 as the below was occuring in /etc/audit/audit.rules:

-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation-e 2

Host is running Red Hat Enterprise Linux 8.7

Destination directory /etc/dconf/db/local.d does not exist

distro.d exists in /etc/dconf/db but not local.d

password_hash_alg is set to 'yescrypt' but to pass it needs to be 'sha512'

Hi

For ubuntu22, ubuntu18, redhat9, redhat8, redhat7 the task Process removal list tries to uninstall the unneeded_packages package instead of the packages listed in the unneeded_packages variable

  - name: Process removal list
    ansible.builtin.package:
      name: unneeded_packages
      state: absent

to fix the issue replace unneeded_packages with "{{ unneeded_packages }}" like below:

- name: Process removal list
  ansible.builtin.apt:
    name: "{{ unneeded_packages }}"
    state: absent

I'm getting the following error on multiple Ubuntu (20.04) machines:

TASK [cis_security : Create a symbolic link] ***********************************
fatal: []: FAILED! => {"changed": false, "gid": 0, "group": "root", "mode": "0644", "msg": "src file does not exist, use "force=yes" if you really want to create the link: /etc/systemd/system/tmp.mount", "owner": "root", "path": "/etc/systemd/system/local-fs.target.wants/tmp.mount", "size": 149, "src": "/etc/systemd/system/tmp.mount", "state": "file", "uid": 0}

Path to template folder ommitted - line 1572

Original line
" src: bad-file-access.rules"
should be

" src: audit_rules/bad-file-access.rules"

FAILED! => {"changed": true, "cmd": "/usr/sbin/augenrules --load", "delta": "0:00:00.002983", "end": "2022-01-19 01:53:26.639735", "msg": "non-zero return code", "rc": 127, "start": "2022-01-19 01:53:26.636752", "stderr": "/bin/sh: 1: /usr/sbin/augenrules: not found", "stderr_lines": ["/bin/sh: 1: /usr/sbin/augenrules: not found"], "stdout": "", "stdout_lines": []}

Host is running Red Hat Enterprise Linux 8.7

Getting the following error:

Fatal: [servername]: FAILED! =>
{
"msg": "The conditional check '( ansible_selinux.mode == "disabled" and selinux | lower != "disabled" ) or selinux_installed.changed' failed.
The error was: error while evaluating conditional (( ansible_selinux.mode == "disabled" and selinux | lower != "disabled" ) or selinux_installed.changed): 'dict object' has no attribute 'mode'. 'dict object' has no attribute 'mode'\n\n

The error appears to be in '/runner/requirements_collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml': line 821, column 3, but may\n
be elsewhere in the file depending on the exact syntax problem.\n\n

The offending line appears to be:\n\n

set the autorelabel and notify the machine to reboot\n

• name: 1.6.1.3 - If disabled and we are enabling it, autorelabel\n
  ^ here\n"

}

If I want to run the role in check mode I got an error and I think I know the cause.

TASK [dsglaser.cis_security.cis_security : Determine if /dev/shm has nodev set] ***
skipping: [templates8.saq.qc.ca] => {"changed": false, "msg": "skipped, running in check mode"}
TASK [dsglaser.cis_security.cis_security : 1.1.15 - Report to user] ************
fatal: [templates8.saq.qc.ca]: FAILED! => {"msg": "The conditional check 'devshm_nodev_out is defined and devshm_nodev_out.stdout' failed. The error was: error while evaluating conditional (devshm_nodev_out is defined and devshm_nodev_out.stdout): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/awx_121_fzv6u2ra/requirements_collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml': line 352, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n  # Let the user know if we did not find the option set.\n      - name: 1.1.15 - Report to user\n        ^ here\n"}

I think I got an error because the step dsglaser.cis_security.cis_security : Determine if /dev/shm has nodev set is skipped so dsglaser.cis_security.cis_security : 1.1.15 - Report to user cannont access empty data.

First of all, thanks for the great work.

I checked out the Control 3.4.4.1(redhat-8-type.yml) for iptables and firewalld.
with CIS CentOS Linux 8 Benchmark v1.0.0 - 10-31-2019

The CIS Benchmark has not mentioned to disable firewalld but use firewalld as a frontend for nftables, however, I found the redhat-8-type.yml disabled it. Instead, iptables-service is the one who need to be disabled/remove due to "3.4.2.6 Ensure iptables is not enabled (Scored)" in CIS Benchmark.

Hello @dev

In this file you call an incorrect Handler. You must call
notify: rebuild grub
and not
notify: rebuild ubuntu-grub

Have a nice day

I'm running this role on RHEL8 with Ansible v2.8.13.
IMHO the syntax for excluding tags as mentioned in the readme is wrong. Instead of using --exclude-tags you should use
--skip-tags.

Check 1.5.1 fails (maybe because this is an EFI boot ?) with:
(item=/boot/grub2/grub.cfg) => {"ansible_loop_var": "item", "changed": false, "item": "/boot/grub2/grub.cfg", "msg": "file (/boot/grub2/grub.cfg) is absent, cannot continue", "path": "/boot/grub2/grub.cfg"}

Hi,

In addition to:

install "unused_filesystems" /bin/false

can

blacklist "unused_filesystems"

be added as well?

Example:

install squashfs /bin/false
blacklist squashfs

The reason is a a CIS CAT scan fails because it is missing.

Thanks.

Host is running Red Hat Enterprise Linux 8.7

"The conditional check 'unconfined_services_out.stdout' failed. The error was: error while evaluating conditional (unconfined_services_out.stdout): 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'\n\n

The error appears to be in '/runner/requirements_collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml': line 861, column 7, but may\n
be elsewhere in the file depending on the exact syntax problem.\n\n

The offending line appears to be:\n\n

# Print any findings to the user\n
- name: 1.6.1.6 - Report on unconfined running services to user\n
  ^ here\n

Hi, me again :)

I noticed that not all the partition checks have the mount_options variable so the debug checks aren't running. Can you check that all the partition checks are configured to check the fsoption are being checked.

control tag to check:
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7

Example:

/var doen't have it

- name: 1.1.3.1 - Determine if /var is on a separate partition
  ansible.builtin.set_fact:
    mount_count: "addition{{ mount_count + 1 }}"
  when: item.mount == "/var"
  with_items:
    - "{{ ansible_mounts }}"

- name: 1.1.3.2 - Report to user if /var does not have nodev set
  ansible.builtin.debug:
    msg: "FAILED CONTROL: /var does not have nodev set"
  when: mount_options is defined and "nodev" not in mount_options and mount_count == 0
  changed_when: true
  tags:
    - 1.1.3.2

whereas /var/tmp does have it

- name: 1.1.4.1 - Determine if /var/tmp is on a separate partition
  ansible.builtin.set_fact:
    mount_count: "addition{{ mount_count + 1 }}"
    mount_options: "{{ item.options }}"
  when: item.mount == "/var/tmp"
  with_items:
    - "{{ ansible_mounts }}"
  tags:
    - 1.1.4.1

- name: 1.1.4.2 - Report to user if /var/tmp does not have noexec set
  ansible.builtin.debug:
    msg: "FAILED CONTROL: /var/tmp/ does not have noexec set"
  when: mount_options is defined and "noexec" not in mount_options and mount_count == 0
  changed_when: true
  tags:
    - 1.1.4.2