Comments (18)
I like thiis PR. More room for corporate policies (with exceptions) and a more tractable way to run the role.
from rhel7-cis.
@thisdougb That makes sense to me. Thanks!
from rhel7-cis.
OK, a quick and dirty Python script to convert the original section files into having when: clauses - https://gist.github.com/thisdougb/927c1ccf8988fb28896f7fef5a236081
I'm converting two levels (x.x.x and x.x.x.x), handling existing when: lines in the old format but not when: as lists (Ansible warns of these, so quicker to manually fix if it happens).
produces tasks looking like this:
- name: "SCORED | 1.1.8 | PATCH | Ensure nodev option set on /var/tmp partition\n
SCORED | 1.1.9 | PATCH | Ensure nosuid option set on /var/tmp partition\n
SCORED | 1.1.10 | PATCH | Ensure noexec option set on /var/tmp partition"
mount:
name: /var/tmp
src: "{{ rhel7cis_vartmp['source'] }}"
state: mounted
fstype: "{{ rhel7cis_vartmp['fstype'] }}"
opts: "{{ rhel7cis_vartmp['opts'] }}"
when:
- rhel7cis_rule_1_1_8
- rhel7cis_rule_1_1_9
- rhel7cis_rule_1_1_10
- rhel7cis_vartmp['enabled'] == 'yes'
tags:
- level1
- scored
- patch
- rule_1.1.8
- rule_1.1.9
- rule_1.1.10
and spits out the vars for default/main.yml:
rhel7cis_rule_1_1_1_2: true
rhel7cis_rule_1_1_1_3: true
rhel7cis_rule_1_1_1_4: true
rhel7cis_rule_1_1_1_5: true
rhel7cis_rule_1_1_1_6: true
rhel7cis_rule_1_1_1_7: true
rhel7cis_rule_1_1_1_8: true
rhel7cis_rule_1_1_2: true
rhel7cis_rule_1_1_3: true
rhel7cis_rule_1_1_4: true
rhel7cis_rule_1_1_5: true
rhel7cis_rule_1_1_6: true
rhel7cis_rule_1_1_7: true
rhel7cis_rule_1_1_8: true
rhel7cis_rule_1_1_9: true
rhel7cis_rule_1_1_10: true
rhel7cis_rule_1_1_11: true
rhel7cis_rule_1_1_12: true
rhel7cis_rule_1_1_13: true
rhel7cis_rule_1_1_14: true
rhel7cis_rule_1_1_15: true
rhel7cis_rule_1_1_16: true
rhel7cis_rule_1_1_17: true
rhel7cis_rule_1_1_18: true
rhel7cis_rule_1_1_19: true
rhel7cis_rule_1_1_20: true
rhel7cis_rule_1_1_21: true
rhel7cis_rule_1_1_22: true
rhel7cis_rule_1_2_1: true
rhel7cis_rule_1_2_2: true
rhel7cis_rule_1_2_3: true
rhel7cis_rule_1_2_4: true
rhel7cis_rule_1_2_5: true
rhel7cis_rule_1_3_1: true
rhel7cis_rule_1_3_2: true
rhel7cis_rule_1_4_1: true
rhel7cis_rule_1_4_2: true
rhel7cis_rule_1_4_3: true
rhel7cis_rule_1_5_1: true
rhel7cis_rule_1_5_2: true
rhel7cis_rule_1_5_3: true
rhel7cis_rule_1_5_4: true
rhel7cis_rule_1_6_1_1: true
rhel7cis_rule_1_6_1_2: true
rhel7cis_rule_1_6_1_3: true
rhel7cis_rule_1_6_1_4: true
rhel7cis_rule_1_6_1_5: true
rhel7cis_rule_1_6_2: true
rhel7cis_rule_1_7_1_1: true
rhel7cis_rule_1_7_1_2: true
rhel7cis_rule_1_7_1_3: true
rhel7cis_rule_1_7_1_4: true
rhel7cis_rule_1_7_1_5: true
rhel7cis_rule_1_7_1_6: true
rhel7cis_rule_1_7_2: true
setting:
# roles/RHEL7-CIS/defaults/main.yml
rhel7cis_rule_1_1_1_1: false
produces (snipped):
TASK [RHEL7-CIS : PRELIM | Check for rhnsd service] **************************************************************************************************
ok: [neo4j]
TASK [RHEL7-CIS : SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled] ******************************************************
skipping: [neo4j]
TASK [RHEL7-CIS : SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled] ****************************************************
ok: [neo4j]
from rhel7-cis.
I just merged your first PR in...I'll be sure to review/merge as these come in so you can keep making progress.
Thanks!
from rhel7-cis.
@thisdougb Just merged in the last one! Thanks for the work on this.
from rhel7-cis.
@joaogbcravo Let me pose the question to the ansible-lockdown mailing list and see what the consensus is as far as adding this sort of thing to the role spec. I don't disagree that it would be easier to pick out specific tasks. Using tags to do this leaves a lot to be desired.
from rhel7-cis.
@joaogbcravo We've come to agreement on this. If you'd like to submit a PR with these changes we welcome it. We are going to start implementing this on all the roles we've released over the coming months.
One thing to note. The variable names cannot contain "dots" and will need to be as follows:
rhel7cis_rule_1_1_1_1
rhel7cis_rule_1_2
Thanks!
from rhel7-cis.
Hey! Thanks a lot for starting doing this!
I'm a little without time to do this changes but as soon as possible I will help too!
from rhel7-cis.
I have some time (and need) to do this. I'd suggest maybe I do one full section per PR, if that's ok?
from rhel7-cis.
cool, @shepdelacreme. do you have a link to the discussion on the ansible lockdown list that I can read through, to avoid asking already resolved questions?
because there are a large number of rules (228?), my thinking is that selectively turning off rules will result in smaller, more readable vars files. and turning off rules really should be the exception, so something like:
# roles/RHEL7-CIS/defaults/main.yml
# Section 1 rules
rhel7cis_rule_1_1_1_1: false
and the code change to each task would be:
# roles/RHEL7-CIS/tasks/section1.yml
- name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: yes
when:
rhel7cis_rule_1_1_1_1 | default(true)
tags:
- level1
- scored
- patch
- rule_1.1.1.1
- cramfs
A point to note, which may not be obvious to some, the variables override the tags. So the above variable settings prevent the rule running even if you '--tags rule_1.1.1.1'.
from rhel7-cis.
this has me thinking. groups of servers having different tweaks.
is there a way to dynamically set defaults/main.yml based on group name in ansible hosts?
example:
2 different groups
[internal_hosts]
[dmz_hosts]
2 different files
main_int.yml
main_dm.yml
then somehow be able to use either as the main.yml settings according to the group name (or some other method)
from rhel7-cis.
@thisdougb Here is the discussion on the Google group regarding this: https://groups.google.com/forum/#!topic/ansible-lockdown/rsfyEXWvZJg
Also you can look at how this same setup was implemented in the RHEL7-STIG role: https://github.com/MindPointGroup/RHEL7-STIG
The var value in defaults/main.yml
should be set to true
unless there is a good reason to disable it. i.e. applying the setting by default is dangerous or has the potential to cause serious harm to a system.
In the tasks it should be something like:
when:
- rhel7cis_rule_1_1_1_1
And all rules should have a default value set in defaults/main.yml so don't need the | default(true)
Thanks!
from rhel7-cis.
@erpadmin This setup makes it much easier to control applying the role to different types of hosts since you can take all the rule variables and stick them into inventory vars files.
i.e. in your inventory
[internal_hosts]
int-host-1
[external_hosts]
ext-host-1
Then you would be able to do this:
/
apply_stig.yml
inventory/
hosts <- inventory file
group_vars/
all.yml <- vars file that applies to all hosts. Any CIS vars that are common to all hosts can go here.
internal_hosts.yml <- any vars for the CIS role that need to be overridden for internal hosts
external_hosts.yml <- any vars for the CIS role that need to be overridden for external hosts
from rhel7-cis.
makes sense, thanks for the feedback
from rhel7-cis.
@shepdelacreme, yes you can still do exactly the same thing even if you put the default value on the when: clause, but the list of vars will be far fewer and easily readable. defaults/main.yml has role defined exceptions, groups_vars/all.yml has site wide exceptions, internal_hosts.yml has internal hosts exceptions, etc.
I get what you're saying, but I think having all those vars listed in one file makes for poor readability and a higher chance of making mistakes. Every task conditional must be (successfully) mapped to an entry in defaults/main.yml, rather than simply the task conditional itself. For example in https://github.com/MindPointGroup/RHEL7-STIG/blob/devel/defaults/main.yml, I think this would just be much neater (only specifying exceptions):
# This check breaks with redhat.com repos as they do not sign repo data
rhel_07_020070: false
# Not an automated task
rhel_07_020250: false
# Potential for locking out users
rhel_07_010260: false
# Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
rhel_07_020040: false
Anyway, I'll be writing some quick Perl to generate the defaults/main.yml and when: clauses, so it's no more work either way. I just think that the fewer characters people (admins, etc) have to read during their daily work the better.
from rhel7-cis.
I'm doing some work involving this role, so will be testing over the next few days. But if there's agreement then I can generate the new section files, and corresponding defaults/main.yml updates, and submit them as PRs in the next week or so.
from rhel7-cis.
@thisdougb Looks good to me! I'll keep an eye out for your PRs.
from rhel7-cis.
it occurred to me that I'll need to wait for each PR to be merged before creating the next one, otherwise there'll be messing about resolving the conflict with defaults/main.yml. So we'll need to do this in serial style :) No rush at all from my side, but just so you know that the next PR will only be done once I've updated my fork with the current PR merge.
from rhel7-cis.
Related Issues (20)
- Tasks using selectattr (section 6) fail on CentOS 7, Python 2.7.5, jinja2-2.7.2 HOT 2
- Rules 3.5.3.2.4 and 3.5.3.3.4 are missing HOT 2
- Show Audit Summary is missing tag run_audit HOT 3
- Missing quote line 207 of cis_5.3.x.yml HOT 1
- container discovery work and exclusions taken from rhel8cis
- Extra quote typo cis_5.4.x.yml
- Consider not following links for 6.2.13 home directory recommendations HOT 3
- Task 5.5.1.4 regex does not handle commented usernames HOT 2
- 6.2.1 does not handle an empty line in /etc/passwd using dict rhel7cis_passwd HOT 2
- Section 1.4 included on wrong variable? HOT 5
- README does not correct reflect how to run CIS levels HOT 1
- Missing OracleLinux.yml or override method for running CIS on Oracle Linux. HOT 5
- Add makestep in chrony.conf.j2 HOT 1
- Why was the rule 1.2.5 removed? HOT 2
- Unsupported parameters for (ansible.legacy.command) module: warn. HOT 3
- AIDE cron job setup 1.3.2 missing cron_file variable HOT 2
- Audit-Only Mode? HOT 3
- `RHEL7-CIS : 3.5.1.5 | AUDIT | Ensure default zone is set` fails although firewalld is up HOT 2
- Summary is not generated HOT 3
- 5.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rhel7-cis.