ansible-lockdown / rhel7-cis
Ansible role for Red Hat 7 CIS Baseline
Home Page: https://ansible-lockdown.readthedocs.io/en/latest/
License: MIT License
In section1.yml you have:
- name: "NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon"
  service:
    name: rhnsd
    state: stopped
    enabled: no
  when: ansible_distribution == "RedHat" and rhnsd_service_status and rhel7cis_rhnsd_required
but I think this is backwards because it disables and stops rhnsd if the rhel7cis_rhnsd_required is true, not if it's false. Seems like you could change the variable name to be "rhel7cis_rhnsd_not_required" so that it triggers when it's true.
As is, if you say "false" in defaults, because it's not required, it will never run this check and will leave it running and enabled.
fail: 1.1.6 Ensure separate partition exists for /var
fail: 1.1.7 Ensure separate partition exists for /var/tmp
fail: 1.1.11 Ensure separate partition exists for /var/log
fail: 1.1.12 Ensure separate partition exists for /var/log/audit
fail: 1.1.13 Ensure separate partition exists for /home
fail: 1.3.2 Ensure filesystem integrity is regularly checked
fail: 1.4.2 Ensure bootloader password is set
fail: 3.6.2 Ensure default deny firewall policy
fail: 3.6.3 Ensure loopback traffic is configured
fail: 4.1.1.2 Ensure system is disabled when audit logs are full
fail: 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
fail: 4.1.4 Ensure events that modify date and time information are collected
fail: 4.1.5 Ensure events that modify user/group information are collected
fail: 4.1.6 Ensure events that modify the system's network environment are collected
fail: 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected
fail: 4.1.8 Ensure login and logout events are collected
fail: 4.1.9 Ensure session initiation information is collected
fail: 4.1.10 Ensure discretionary access control permission modification events are collected
fail: 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
fail: 4.1.12 Ensure use of privileged commands is collected
fail: 4.1.13 Ensure successful file system mounts are collected
fail: 4.1.14 Ensure file deletion events by users are collected
fail: 4.1.15 Ensure changes to system administration scope (sudoers) is collected
fail: 4.1.16 Ensure system administrator actions (sudolog) are collected
fail: 4.1.17 Ensure kernel module loading and unloading is collected
fail: 4.1.18 Ensure the audit configuration is immutable
fail: 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
fail: 5.3.2 Ensure lockout for failed password attempts is configured
fail: 5.3.3 Ensure password reuse is limited
fail: 5.4.1.1 Ensure password expiration is 90 days or less
fail: 5.4.1.2 Ensure minimum days between password changes is 7 or more
fail: 5.4.1.4 Ensure inactive password lock is 30 days or less
fail: 5.4.4 Ensure default user umask is 027 or more restrictive
Another issue with a lineinfile task/regex.
TASK [role_under_test : SCORED | 5.6 | PATCH | Ensure access to the su command is restricted] ***
task path: /etc/ansible/roles/role_under_test/tasks/section5.yml:529
changed: [localhost] => {"backup": "", "changed": true, "msg": "line added"}
Request a policy change for use in the cloud?
amazon-ebs: TASK [RHEL7-CIS : SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports] ***
amazon-ebs: failed: [default] (item=ssh) => {"changed": false, "item": "ssh", "msg": "firewall is not currently running, unable to perform immediate actions without a running firewall daemon"}
amazon-ebs: failed: [default] (item=dhcpv6-client) => {"changed": false, "item": "dhcpv6-client", "msg": "firewall is not currently running, unable to perform immediate actions without a running firewall daemon
Ansible thinks firewalld is not running?
not savvy with github yet :)
diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
index ca37253..9055481 100644
--- a/templates/hosts.allow.j2
+++ b/templates/hosts.allow.j2
@@ -8,4 +8,4 @@
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
-ALL: {% for iprange in rhel7cis_host_allow -%}{{ iprange }}, {% endfor %}
+ALL: {% for iprange in rhel7cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}
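Review bot: the `{% if not loop.last %}` guard fixes the trailing ", " but the template still renders `ALL: ` with an empty client list when `rhel7cis_host_allow` is empty; consider wrapping the line in `{% if rhel7cis_host_allow %} ... {% endif %}` so no rule is emitted in that case, or replacing the loop with `ALL: {{ rhel7cis_host_allow | join(', ') }}`, which produces the same output with less whitespace-control to get wrong.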
I just noticed /tmp is being mounted as tmpfs, but I don't see a requirement by CIS for /tmp to be tmpfs.
I don't know what is the new default for RHEL installs as we are still using the same kickstart file. Has this been an issue for anyone?
My main concern is Oracle and other heavy-RAM-use boxes.
In its current state the role has about 15 tasks that report a change every time the role is run.
I believe that systemd-219-57.el7_5.1.x86_64 overwrites local changes in tmp.mount; we set a size= to limit tmpfs memory consumption.
After applying the CIS rules on an AWS AMI, it is not allowing me to ssh to the EC2 instance created from the hardened AMI. I am getting the message: ssh_exchange_identification: read: Connection reset by peer.
I am able to telnet to port 22 but within a few seconds the foreign host closes the connection. More details are below. Any suggestion is really appreciated.
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /user//.ssh/config
debug1: /user//.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "x.x.x.x" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 599931 ms remain after connect
debug1: key_load_public: No such file or directory
debug1: identity file /user//.ssh/key.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file /user//.ssh/key.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
The Ansible service module doesn't seem to be working to detect and disable xinetd-based services at the beginning of section2. The files that it checks for like /etc/xinetd.d/chargen-dgram might actually be there, but you don't know if that service is enabled or not without either doing a chkconfig --list or looking into the file to see if 'disabled=yes' is there.
To disable it you'd do a chkconfig chargen-dgram off, but that is failing for me when using the service module in section2.yml. Seems like this fix would need to be switched to running the chkconfig command manually and then maybe bouncing xinetd like kill -USR2 `pidof xinetd`
The comment on the cron job created by rule 1.3.2 "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" reads "Run AIDE integrity check weekly". However, the cron job is clearly set up to run daily by default, and has variables so the frequency is user-customisable in any case.
I think the cron job comment should just omit the word "weekly".
Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
PASS_MAX_DAYS 90
Modify user parameters for all users with a password set to match:
chage --maxdays 90 <user>
requesting something similar to the following
It is a great repo, focussing on quality and pureness of the CIS requirements. I'd like to use this as a base for supporting RHEL6 and the few minor things for CentOS. But just forking it makes it much less usable and sustainable towards the future; there is simply a lot of overlap between these 4 variations of RHEL and CentOS, overlap which imho should not be forked off to different repos.
Are you open to the idea that we create a RHEL-CIS repo (instead of RHEL7-CIS) which would support RHEL/CentOS/6/7 variations? This way a lot of duplicate effort can be prevented, and would make it even more generic usable on heterogeneous environments.
Or do you have a different suggestion to get these platforms also CIS compliant as a public Ansible Galaxy role?
Anton
My HTTP server got wiped. I would like to be able to say I need it.
Hi There
We are using this role and it is a lifesaver! There are a few things from an openscap scan that we would like to add and I was wondering if you were open to PRs?
I also have a couple of questions for compatibility.
What does SCORED and NOT_SCORED mean?
Are the numbers e.g. 6.2.4 meaningful, or would a new check (fix rpm file perms) just go the end of section 6 with an incremented number?
Cheers
Sam
Been out of the loop a bit. This patch is not compatible with the latest commits, but serves as an example
------------------------------ tasks/section5.yml ------------------------------
<snip>
I am curious if anyone who uses this project is familiar with and uses BoKS. I have to create local code to make the CIS playbook continue to work against our BoKS enabled hosts and I am willing to contribute 'compatible' code back to the project if there is any interest. The goal would be that the playbook runs exactly the same way it is expected to on a typical host but also has the logic to act differently for a BoKS enabled host.
Background:
BoKS is primarily an SSHD fork with fine grained access controls. It is not uncommon to see it implemented in the financial establishments such as where I work.
Functionally, it symlinks /etc/pam.d to its own {BOKS_INSTALLDIR}/etc/pam.d directory and uses its own sshd config file (/opt/boks/etc/ssh/sshd_config) for the boks_sshd daemon that it spawns.
In the BoKS context as it relates to the CIS playbook:
Somewhat in the same line of thinking as #26, I'd like to be able to target all scored items for Level 1 servers, without worrying about anything for Level 2 servers, items specific to workstations, or un-scored items.
This may end up replacing many of the task tags, since the current tag taxonomy doesn't distinguish between level 1 on a server versus level 1 on a workstation, for example.
Proof of concept:
---
- hosts: localhost
  vars:
    - rhel7cis_level1_server: true
    - rhel7cis_level2_server: false
    - rhel7cis_level1_workstation: false
    - rhel7cis_level2_workstation: false
    - rhel7cis_scored: true
    - rhel7cis_notscored: false
  tasks:
    - debug:
        msg: "1.1.13: scored, level 2 server, level 2 workstation"
      when:
        - (rhel7cis_level2_server or rhel7cis_level2_workstation)
        - (rhel7cis_scored)
    - debug:
        msg: "1.1.21: scored, level 1 server, level 1 workstation"
      when:
        - (rhel7cis_level1_server or rhel7cis_level1_workstation)
        - (rhel7cis_scored)
    - debug:
        msg: "1.1.22: scored, level 1 server, level 2 workstation"
      when:
        - (rhel7cis_level1_server or rhel7cis_level2_workstation)
        - (rhel7cis_scored)
    - debug:
        msg: "1.2.1: not scored, level 1 server, level 1 workstation"
      when:
        - (rhel7cis_level1_server or rhel7cis_level1_workstation)
        - (rhel7cis_notscored)
As-is, this executes the tasks for 1.1.21 and 1.1.22. Changing rhel7cis_notscored to true also executes task 1.2.1. Changing rhel7cis_level2_server to true adds task 1.1.13.
Does this seem like a worthwhile change? If so, do you want PRs on a per-section basis, or something else?
Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs :
PASS_MIN_DAYS 7
Modify user parameters for all users with a password set to match:
chage --mindays 7 <user>
Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host).
*.* @@loghost
I suggest to use a variable to hold the dns name or dns alias for 'loghost'.
TASK [RHEL7-CIS : PRELIM | Gather accounts with empty password fields] **********************************************************************
fatal: [somehost.localnet]: FAILED! => {"changed": false, "cmd": "cat /etc/shadow | awk -F: '($2 == "" ) {j++;print $1; } END {exit j}'", "delta": "0:00:00.005703", "end": "2017-08-02 15:21:28.010028", "failed": true, "rc": 5, "start": "2017-08-02 15:21:28.004325", "stderr": "", "stderr_lines": [], "stdout": "someuser", "stdout_lines": ["someuser"]}
to retry, use: --limit @/home/someuser/hardening/roles/cis.retry
verbose indicates "warnings": []}\r\n', 'Shared connection to somehost.localnet closed.\r\n'
- name: "PRELIM | Gather accounts with empty password fields"
  shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
  register: empty_password_accounts
  changed_when: no
  check_mode: no
A test with "echo j" instead of "exit j" works around the issue.
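The failure above, reproduced on a constructed shadow-style file as an added example (not the role's own code): the awk program's `END {exit j}` turns the number of matching accounts into the exit status, so any hit becomes a non-zero rc that Ansible's shell module reports as FAILED. The second variant prints the count instead; the account names are invented.

```sh
#!/bin/sh
# Added example, not code from the role: shows why the PRELIM task's awk
# program fails under Ansible and a variant that keeps rc at 0.

# Constructed shadow-style input: two accounts have an empty password field.
write_sample() {
    cat > "$1" <<'EOF'
root:$6$constructedhash:17700:0:99999:7:::
someuser::17700:0:99999:7:::
svc:!!:17700:0:99999:7:::
guest::17700:0:99999:7:::
EOF
}

# The task's program: prints matching accounts but exits with the count,
# so two empty fields give rc=2, which the shell module treats as a failure.
scan_exit_count() {
    awk -F: '($2 == "") {j++; print $1} END {exit j}' "$1"
}

# Workaround from the issue: print the count on its own line and exit 0;
# the play can then test stdout (or use failed_when) instead of rc.
scan_print_count() {
    awk -F: 'BEGIN {j = 0} ($2 == "") {j++; print $1} END {print j}' "$1"
}

# Demonstration run on the constructed file.
f=$(mktemp)
write_sample "$f"
rc=0
scan_exit_count "$f" || rc=$?
echo "exit-status variant: rc=$rc"
scan_print_count "$f"
rm -f "$f"
```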
Test variables to override defaults in group_vars/role_test
The command that is run at 1.1.21 does not handle paths with spaces. The official CIS remediation is invalid too.
It can be solved by using -print0 on find and then -0 on xargs.
The following worked on my system; it no longer throws a bunch of errors on paths that have spaces in them.
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t
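The difference between the two pipelines, as an added example that is not from the role or the benchmark: it builds a constructed tree with two world-writable directories (one under a path containing a space), applies the newline-delimited pipeline and then the -print0/-0 one, and counts what each leaves without the sticky bit. It is restricted to one root directory instead of every local filesystem from df.

```sh
#!/bin/sh
# Added example, not the role's code: CIS 1.1.21 sticky-bit remediation on a
# constructed tree, with and without NUL-delimited path handling.

# Create two world-writable directories, one beneath a path containing a space.
make_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/plain/ww" "$tree/has space/ww"
    chmod 0755 "$tree/plain" "$tree/has space"
    chmod 0777 "$tree/plain/ww" "$tree/has space/ww"
    printf '%s\n' "$tree"
}

# Benchmark-style pipeline: xargs splits on whitespace, so "has space/ww"
# reaches chmod as two nonexistent names and is left unfixed (xargs rc 123).
sticky_newline() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t 2>/dev/null
}

# Fixed pipeline from the issue: NUL-terminated names survive spaces.
sticky_nul() {
    find "$1" -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t
}

# Audit: number of world-writable directories under a root without the sticky bit.
unfixed_count() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | wc -l | tr -d ' '
}

# Demonstration: the newline version leaves one directory unfixed, the NUL version none.
t=$(make_tree)
sticky_newline "$t" || :
echo "after newline pipeline: $(unfixed_count "$t") unfixed"
sticky_nul "$t"
echo "after -print0/-0 pipeline: $(unfixed_count "$t") unfixed"
rm -rf "$t"
```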
There is an issue with this lineinfile task.
TASK [role_under_test : SCORED | 4.1.1.3 | PATCH | Ensure audit logs are not automatically deleted] ***
task path: /etc/ansible/roles/role_under_test/tasks/section4.yml:25
changed: [localhost] => {"backup": "", "changed": true, "msg": "line added"}
I've been tasked with creating a CIS Level 1 standard RHEL image in Azure. I've taken a marketplace RHEL 7.3 image and applied this playbook with packer/ansible using tags level1.
However, when I go and try and create a VM from the image, it fails. If I skip cis_section1, I can create a VM from the image. I'm a linux newbie, apologies, but any obvious rules in section 1 that could be causing me an issue?
Any help/direction appreciated.
packer provisioner
"provisioners": [{
    "execute_command": "echo '{{user `ssh_pass`}}' | {{ .Vars }} sudo -S -E sh '{{ .Path }}'",
    "inline": [
        "wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm",
        "rpm -i epel-release-latest-7.noarch.rpm",
        "yum update -y",
        "yum install git -y",
        "yum install ansible -y",
        "echo '- src: https://github.com/MindPointGroup/RHEL7-CIS.git' >> requirements.yml",
        "ansible-galaxy install -p roles -r requirements.yml",
        "echo '- name: Harden Server' >> harden-main.yml",
        "echo '  hosts: 127.0.0.1 ' >> harden-main.yml",
        "echo '  connection: local' >> harden-main.yml",
        "echo '  become: yes' >> harden-main.yml",
        "echo ' ' >> harden-main.yml",
        "echo '  roles:' >> harden-main.yml",
        "echo '    - RHEL7-CIS' >> harden-main.yml",
        "sudo sed -i -e 's/rhel7cis_section1: true/rhel7cis_section1: false/g' ./roles/RHEL7-CIS/defaults/main.yml",
        "ansible-playbook harden-main.yml --tags=\"level1\"",
        "sed -i -e 's/ALL:/ALL:ALL,/g' /etc/hosts.allow",
        "cat /etc/hosts.allow",
        "ping 127.0.0.1 -c 30",
        "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"
    ],
    "inline_shebang": "/bin/sh -x",
    "type": "shell",
    "skip_clean": true
}]
azure error
Provisioning failed. OS Provisioning failed for VM 'spcishardened' due to an internal error.. OSProvisioningInternalError
/var/spool/cron/root should have:
0 5 * * * /usr/sbin/aide --check
There is an issue in this lineinfile task.
TASK [role_under_test : SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured] ***
task path: /etc/ansible/roles/role_under_test/tasks/section4.yml:289
changed: [localhost] => {"backup": "", "changed": true, "msg": "line added"}
TASK [RHEL7-CIS : PRELIM | Check if prelink package is installed] ***************************************************************************
[WARNING]: Consider using yum, dnf or zypper module rather than running rpm
tasks/prelim.yml
- name: "PRELIM | Check if prelink package is installed"
  command: rpm -q prelink
  register: prelink_installed
  changed_when: no
  failed_when: no
  check_mode: no
  tags:
    - skip_ansible_lint
- include: post.yml
  become: yes
  tags:
    - post_tasks
    - always
should this be the case even in scenarios where we are running specific rule(s)?
Example is 3.1.1 but there are more. Most are tagged as scored or not scored and without them all being tagged as such it seems some may run even if not intended. For instance running this playbook with --tags=level-1,scored
ends up running some items which are not scored. Unsure if this is intended, but it still seems as though the tags should be consistent.
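A quick consistency check for the problem described above, as an added example that is not part of the role: a small awk linter reads a section task file and reports every task whose tags disagree with its name (a SCORED task without a scored tag, a missing rule_ or level tag, a wrong audit/patch tag). It assumes the role's "SCORED | 1.2.3 | PATCH | ..." naming and two-space YAML indentation; the sample section file is constructed.

```sh
#!/bin/sh
# Added example, not the role's code: lint task tags against task names so that
# --tags=level1,scored selects exactly the tasks the names promise.

# Constructed sample section file: the first task lacks a scored tag and the
# third carries the wrong rule_ tag; the second is consistent.
write_sample() {
    cat > "$1" <<'EOF'
---
- name: "SCORED | 3.1.1 | PATCH | Ensure IP forwarding is disabled"
  sysctl:
    name: net.ipv4.ip_forward
    value: 0
  tags:
    - level1
    - patch
    - rule_3.1.1

- name: "NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon"
  service:
    name: rhnsd
    state: stopped
  tags:
    - level2
    - notscored
    - patch
    - rule_1.2.5

- name: "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  cron:
    name: Run AIDE integrity check
  tags:
    - level1
    - scored
    - patch
    - rule_1.3.1
EOF
}

# Print one finding per line for every task whose tags do not match its name.
lint_tags() {
    awk '
    # Emit findings for the task collected so far (rule number, scored/notscored,
    # audit/patch kind and the set of tags), then reset.
    function flush(    key) {
        if (rule == "") return
        if (!(scored in tags))
            printf "%s: name says %s but the %s tag is missing\n", rule, scored, scored
        key = "rule_" rule
        if (!(key in tags))
            printf "%s: rule_%s tag is missing\n", rule, rule
        if (!("level1" in tags) && !("level2" in tags))
            printf "%s: no level1/level2 tag\n", rule
        if (!(kind in tags))
            printf "%s: %s tag is missing\n", rule, kind
        rule = ""
    }
    # A new task: parse "SCORED | 3.1.1 | PATCH | " out of the quoted name.
    /^- name:/ {
        flush(); split("", tags); intags = 0
        if (match($0, /"(NOTSCORED|SCORED) \| [0-9.]+ \| (AUDIT|PATCH) \| /)) {
            split(substr($0, RSTART + 1, RLENGTH - 4), p, / \| /)
            scored = tolower(p[1]); rule = p[2]; kind = tolower(p[3])
        }
        next
    }
    /^  tags:/ { intags = 1; next }
    intags && /^    - / { sub(/^    - /, ""); tags[$0] = 1; next }
    intags { intags = 0 }
    END { flush() }
    ' "$1"
}

# Demonstration run over the constructed file.
f=$(mktemp)
write_sample "$f"
lint_tags "$f"
rm -f "$f"
```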
Tasks need to be updated to be in line with v2.2.0 of the benchmark which was released in Dec. 2017.
Change history is listed below:
These tasks use the file module in touch mode, which is not idempotent. Need a precursor check or to change the task a little based on the intent of the CIS rule.
TASK [role_under_test : SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users] ***
task path: /etc/ansible/roles/role_under_test/tasks/section5.yml:98
changed: [localhost] => {"changed": true, "dest": "/etc/at.allow", "gid": 0, "group": "root", "mode": "0600", "owner": "root", "size": 0, "state": "file", "uid": 0}
TASK [role_under_test : SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users] ***
task path: /etc/ansible/roles/role_under_test/tasks/section5.yml:121
changed: [localhost] => {"changed": true, "dest": "/etc/cron.allow", "gid": 0, "group": "root", "mode": "0600", "owner": "root", "size": 0, "state": "file", "uid": 0}
Hi,
The defaults/main.yml has a capital S instead of lower case, which caused Ansible to stop:
#rhel7cis_time_Synchronization: ntp
should be:
#rhel7cis_time_synchronization: ntp
TASK [RHEL7-CIS : SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked] ***
changed: [rhel7sectest.localdomain]
[root@rhel7sectest ~]# crontab -l
no crontab for root
defaults/main.yml
# AIDE
rhel7cis_config_aide: true
# AIDE cron settings
rhel7cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'
section1.yml
- name: "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  cron:
    name: Run AIDE integrity check weekly
    cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}"
    user: "{{ rhel7cis_aide_cron['cron_user'] }}"
    minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}"
    hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}"
    day: "{{ rhel7cis_aide_cron['aide_day'] | default('*') }}"
    month: "{{ rhel7cis_aide_cron['aide_month'] | default('*') }}"
    weekday: "{{ rhel7cis_aide_cron['aide_weekday'] | default('*') }}"
    job: "{{ rhel7cis_aide_cron['aide_job'] }}"
  tags:
    - level1
    - scored
    - aide
    - file_integrity
    - patch
    - rule_1.3.2
Per CIS CentOS Linux 7 Benchmark - 2.1.1
5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.
Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
umask 027
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown:
password sufficient pam_unix.so remember=5
In the same way that this role has
rhel7cis_section1: true
...
rhel7cis_section6: true
it would be fantastic to have variables for each rule like
rhel7cis_rule_1.1.1.1
rhel7cis_rule_1.2
I know that it already has tags, but tags can only be set using the command line arguments, which is not version controlled.
If you don't disagree on this, I can do a PR for it.
The last item this task iterates over is not idempotent. Not sure why but it looks like the regex used needs to be tightened up.
TASK [role_under_test : SCORED | 1.7.2 | PATCH | Ensure GDM login banner is configured] ***
task path: /etc/ansible/roles/role_under_test/tasks/section1.yml:702
ok: [localhost] => (item={u'regexp': u'user-db', u'line': u'user-db:user', u'file': u'/etc/dconf/profile/gdm'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/profile/gdm", "line": "user-db:user", "regexp": "user-db"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'system-db', u'line': u'system-db:gdm', u'file': u'/etc/dconf/profile/gdm'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/profile/gdm", "line": "system-db:gdm", "regexp": "system-db"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'file-db', u'line': u'file-db:/usr/share/gdm/greeter-dconf-defaults', u'file': u'/etc/dconf/profile/gdm'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/profile/gdm", "line": "file-db:/usr/share/gdm/greeter-dconf-defaults", "regexp": "file-db"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'\\[org\\/gnome\\/login-screen\\]', u'line': u'[org/gnome/login-screen]', u'file': u'/etc/dconf/db/gdm.d/01-banner-message'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/db/gdm.d/01-banner-message", "line": "[org/gnome/login-screen]", "regexp": "\\[org\\/gnome\\/login-screen\\]"}, "msg": ""}
ok: [localhost] => (item={u'regexp': u'banner-message-enable', u'line': u'banner-message-enable=true', u'file': u'/etc/dconf/db/gdm.d/01-banner-message'}) => {"backup": "", "changed": false, "item": {"file": "/etc/dconf/db/gdm.d/01-banner-message", "line": "banner-message-enable=true", "regexp": "banner-message-enable"}, "msg": ""}
changed: [localhost] => (item={u'regexp': u'banner-message-text', u'line': u"banner-message-text='Authorized uses only. All activity may be monitored and reported.\n' ", u'file': u'/etc/dconf/db/gdm.d/01-banner-message'}) => {"backup": "", "changed": true, "item": {"file": "/etc/dconf/db/gdm.d/01-banner-message", "line": "banner-message-text='Authorized uses only. All activity may be monitored and reported.\n' ", "regexp": "banner-message-text"}, "msg": "line replaced"}
Need to determine how to approach in use /tmp mount. I don't think we should hard fail the playbook for this condition, but certainly notify.
RUNNING HANDLER [RHEL7-CIS : systemd restart tmp.mount] *************************************************************************************
fatal: [someserver.somewhere.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to reload service tmp.mount: Job for tmp.mount failed. See \"systemctl status tmp.mount\" and \"journalctl -xe\" for details.\n"}
# systemctl status tmp.mount
● tmp.mount - Temporary Directory
Loaded: loaded (/etc/systemd/system/tmp.mount; enabled; vendor preset: disabled)
Active: active (mounted) (Result: exit-code) since Thu 2017-10-05 09:34:33 EDT; 7s ago
Where: /tmp
What: /dev/mapper/rootvg-tmplv
Docs: man:hier(7)
http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 4911 ExecRemount=/bin/mount tmpfs /tmp -o remount,mode=1777,strictatime,noexec,nodev,nosuid -t tmpfs (code=exited, status=32)
Process: 4927 ExecUnmount=/bin/umount /tmp (code=exited, status=32)
Oct 05 09:33:05 someserver.somewhere.com mount[4911]: mount: /tmp not mounted or bad option
Oct 05 09:33:05 someserver.somewhere.com mount[4911]: In some cases useful info is found in syslog - try
Oct 05 09:33:05 someserver.somewhere.com mount[4911]: dmesg | tail or so.
Oct 05 09:33:05 someserver.somewhere.com systemd[1]: tmp.mount mount process exited, code=exited status=32
Oct 05 09:33:05 someserver.somewhere.com systemd[1]: Reload failed for Temporary Directory.
Oct 05 09:34:33 someserver.somewhere.com systemd[1]: Unmounting Temporary Directory...
Oct 05 09:34:33 someserver.somewhere.com umount[4927]: umount: /tmp: target is busy.
Oct 05 09:34:33 someserver.somewhere.com umount[4927]: (In some cases useful info about processes that use
Oct 05 09:34:33 someserver.somewhere.com umount[4927]: the device is found by lsof(8) or fuser(1))
Oct 05 09:34:33 someserver.somewhere.com systemd[1]: tmp.mount mount process exited, code=exited status=32
[root@someserver service]# lsof /tmp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 975 root DEL REG 253,6 136 /tmp/ffikXVvEQ
firewalld 975 root 8u REG 253,6 4096 136 /tmp/ffikXVvEQ (deleted)
tuned 1281 root DEL REG 253,6 137 /tmp/ffiau2RGq
tuned 1281 root 7u REG 253,6 4096 137 /tmp/ffiau2RGq (deleted)
[root@someserver service]# systemctl stop firewalld
[root@someserver service]# systemctl stop tuned
[root@someserver service]# systemctl restart tmp.mount
[root@someserver service]# systemctl start firewalld
[root@someserver service]# systemctl start tuned
Not sure why this failing yet
TASK [RHEL7-CIS : NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon] *********************************************************************
fatal: [rhel7-dev2.uxdev.essent.us]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find the requested service rhnsd: host"}
- name: "NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon"
  service:
    name: rhnsd
    state: stopped
    enabled: no
  when: ansible_distribution == "RedHat" and rhnsd_service_status and not rhel7cis_rhnsd_required
  tags:
    - level2
    - notscored
    - patch
    - rule_1.2.5
- name: "PRELIM | Check for rhnsd service"
  shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
  register: rhnsd_service_status
  changed_when: no
  check_mode: no
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and add the following pam_faillock.so lines surrounding a pam_unix.so line; modify the pam_unix.so line to [success=1 default=bad] as listed in both:
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
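An audit for the remediation just quoted, as an added example that is not from the role or the benchmark: it checks an auth stack in the password-auth/system-auth format for the preauth line before pam_unix.so, authfail and authsucc after it, the [success=1 default=bad] control on pam_unix.so, and deny=5 / unlock_time=900 on every faillock line. Both sample files are constructed.

```sh
#!/bin/sh
# Added example, not the role's code: audit a PAM auth stack against the
# CIS 5.3.2 pam_faillock ordering and parameters.

# Compliant stack, in the order the benchmark lists.
write_good() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        [success=1 default=bad] pam_unix.so
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Non-compliant stack: preauth placed after pam_unix, a weaker deny value,
# no authsucc line and the default pam_unix control.
write_bad() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth audit silent deny=10 unlock_time=900
auth        [default=die] pam_faillock.so authfail audit deny=10 unlock_time=900
auth        required      pam_deny.so
EOF
}

# Print one finding per line and return 1; print nothing and return 0 if compliant.
# "line n" counts auth-type lines only.
audit_faillock() {
    awk '
    $1 == "auth" {
        n++
        if ($0 ~ /pam_faillock\.so/) {
            if ($0 ~ /preauth/)  pre = n
            if ($0 ~ /authfail/) fail = n
            if ($0 ~ /authsucc/) succ = n
            if ($0 !~ /deny=5( |$)/)          print "faillock line " n ": deny is not 5"
            if ($0 !~ /unlock_time=900( |$)/) print "faillock line " n ": unlock_time is not 900"
        } else if ($0 ~ /pam_unix\.so/) {
            unix = n
            if ($2 != "[success=1" || $3 != "default=bad]")
                print "pam_unix.so control is not [success=1 default=bad]"
        }
    }
    END {
        if (!pre)  print "preauth line missing"
        if (!fail) print "authfail line missing"
        if (!succ) print "authsucc line missing"
        if (!unix) print "pam_unix.so auth line missing"
        if (pre && unix && pre > unix)   print "preauth must come before pam_unix.so"
        if (fail && unix && fail < unix) print "authfail must come after pam_unix.so"
        if (succ && fail && succ < fail) print "authsucc must come after authfail"
    }
    ' "$1" | grep . && return 1
    return 0
}

# Demonstration run over both constructed files.
g=$(mktemp); b=$(mktemp)
write_good "$g"; write_bad "$b"
echo "compliant sample:";     audit_faillock "$g" && echo "  no findings"
echo "non-compliant sample:"; audit_faillock "$b" || :
rm -f "$g" "$b"
```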
I'd like to start contributing to devel. I have a fork and a branch named NESSUS that you might want commits from. Today I am looking at tackling the title.
-- Removed previous ansible blasphemy --
Now I'm thinking about doing one rule for each type of limit, deploying only when defined
rhel7cis_sshd:
  clientalivecountmax: 3
  # - make sure you understand the precedence when working with these values!!
  #allowusers:
  allowgroups: systems dba
  #denyusers:
  #denygroups:
- name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - allowgroups"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    line: AllowGroups {{ rhel7cis_sshd['allowgroups'] }}
  when: rhel7cis_sshd['allowgroups'] is defined
  tags:
    - level1
    - level2
    - patch
    - rule_5.2.15
There is an issue with the regex in this lineinfile task.
TASK [role_under_test : NOTSCORED | 4.1.1.1 | PATCH | Ensure audit log storage size is configured] ***
task path: /etc/ansible/roles/role_under_test/tasks/section4.yml:1
changed: [localhost] => {"backup": "", "changed": true, "msg": "line replaced"}
TASK [RHEL7-CIS : SCORED | 2.2.6 | AUDIT | Ensure LDAP server is not enabled] **
fatal: [build]: FAILED! => {"failed": true, "msg": "The conditional check ''enabled' in slapd_server_enabled_audit.stdout' failed. The error was: error while evaluating conditional ('enabled' in slapd_server_enabled_audit.stdout): 'slapd_server_enabled_audit' is undefined"}
...ignoring
TASK [RHEL7-CIS : SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled] **
fatal: [build]: FAILED! => {"failed": true, "msg": "The conditional check 'slapd_server_enabled_audit.failed and rhel7cis_ldap_server == false' failed. The error was: error while evaluating conditional (slapd_server_enabled_audit.failed and rhel7cis_ldap_server == false): 'slapd_server_enabled_audit' is undefined\n\nThe error appears to have been in '/Users/bas/code/RHEL7-CIS/tasks/section2.yml': line 332, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled"\n ^ here\n"}