ansible-lockdown · uk-bolly · Jun 17, 2024 · May 17, 2024 · May 17, 2024 · May 17, 2024
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -180,7 +180,7 @@
   changed_when: false
   failed_when: false
   check_mode: false
-  register: discovered_sudoers_filess
+  register: discovered_sudoers_files
 
 - name: "PRELIM | AUDIT | Check authselect package versions"
   tags:

diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
@@ -64,7 +64,7 @@
       regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
       replace: '\1PASSWD\2'
       validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ discovered_sudoers_filess.stdout_lines }}"
+  loop: "{{ discovered_sudoers_files.stdout_lines }}"
 
 - name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when:
@@ -82,7 +82,7 @@
       regexp: '^([^#].*)!authenticate(.*)'
       replace: '\1authenticate\2'
       validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ discovered_sudoers_filess.stdout_lines }}"
+  loop: "{{ discovered_sudoers_files.stdout_lines }}"
 
 - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
   when:
@@ -135,17 +135,9 @@
         ansible.builtin.group:
             name: "{{ rhel8cis_sugroup }}"
             state: present
-        register: discovered_sugroup
-
-      - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
-        ansible.builtin.lineinfile:
-            path: /etc/group
-            regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
-            line: '{{ discovered_sugroup }}\g<1>'
-            backrefs: true
 
       - name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/su
             regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
-            line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'
+            line: 'auth           required        pam_wheel.so use_uid group={{ rhel8cis_sugroup }}'
diff --git a/tasks/section_4/cis_4.4.3.2.x.yml b/tasks/section_4/cis_4.4.3.2.x.yml
@@ -224,9 +224,10 @@
   block:
       - name: "4.4.3.2.6 | PATCH | Ensure password dictionary check is enabled | pwquality.conf"
         ansible.builtin.lineinfile:
+            line: 'dictcheck = 1'
             path: /etc/security/pwquality.conf
-            state: absent
             regexp: '^(#|)\s*dictcheck\s*=\s*\d'
+            state: present
 
       - name: "4.4.3.2.6 | PATCH | Ensure password dictionary check is enabled | pam_files"
         when: not rhel8cis_allow_authselect_updates

diff --git a/tasks/section_4/cis_4.4.3.4.x.yml b/tasks/section_4/cis_4.4.3.4.x.yml
@@ -23,8 +23,9 @@
             - not rhel8cis_allow_authselect_updates
         ansible.builtin.replace:
             path: "/etc/pam.d/{{ item }}-auth"
-            regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)
-            replace: \1\2\3
+            #regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)
+            regexp: nullok
+            replace: ''
         loop:
             - password
             - system
@@ -107,8 +108,8 @@
             - discovered_hash_state | length > 0
         ansible.builtin.replace:
             path: "/etc/pam.d/{{ item }}-auth"
-            regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)\s*=\s*\d+(.*$)
-            replace: \1\2\4 {{ discovered_hash_state.stdout }}
+            regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)(.*$)
+            replace: \1\2\4 {{ rhel8cis_pam_pwhash }}
         loop:
             - password
             - system

diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
@@ -85,10 +85,10 @@
       path: /etc/aide.conf
       marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
       block: |
-        /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
-        /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
-        /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
-        /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
-        /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
-        /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+        /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+        /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+        /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+        /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+        /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+        /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
       validate: aide -D --config %s
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
@@ -23,7 +23,7 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec{% endif %}
+Options=mode=1777,strictatime,{% if rhel8cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_2_1_4 %}noexec{% endif %}
 
 # Make 'systemctl enable tmp.mount' work:
 [Install]