ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

Solving conflicts after previous commit: #165

Closed ipruteanu-sie closed 6 months ago

ipruteanu-sie commented 7 months ago

Recreated this PR by cherry-picking the previous commit with --signoff.

Overall Review of Changes: Conditional insertion of "session optional pam_umask.so" line in:

Issue Fixes:

162

How has this been tested?: Manual, on EC2 instance:

# cat /etc/pam.d/password-auth  | grep umask
#
# cat /etc/pam.d/system-auth | grep umask
#
===============================================
TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs settings] ********************************************************************************************************************************************
ok: [34.244.29.147] => (item={'path': '/etc/bashrc', 'line': 'umask'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "umask", "path": "/etc/bashrc"}, "msg": "", "rc": 0}
ok: [34.244.29.147] => (item={'path': '/etc/profile', 'line': 'umask'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "umask", "path": "/etc/profile"}, "msg": "", "rc": 0}
ok: [34.244.29.147] => (item={'path': '/etc/login.defs', 'line': 'UMASK'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "UMASK", "path": "/etc/login.defs"}, "msg": "", "rc": 0}

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth] *****************************************************************************************************************************************************
fatal: [34.244.29.147]: FAILED! => {"changed": true, "cmd": "grep -E -q \"^session\\s*(optional|requisite|required)\\s*pam_umask.so$\" /etc/pam.d/system-auth\n", "delta": "0:00:00.005307", "end": "2024-01-30 13:50:13.881481", "msg": "non-zero return code", "rc": 1, "start": "2024-01-30 13:50:13.876174", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
...ignoring

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth] ***********************************************************************************************************************************
changed: [34.244.29.147] => {"backup": "", "changed": true, "msg": "line added"}

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth] ***************************************************************************************************************************************************
fatal: [34.244.29.147]: FAILED! => {"changed": true, "cmd": "grep -E -q \"^session\\s*(optional|requisite|required)\\s*pam_umask.so$\" /etc/pam.d/password-auth\n", "delta": "0:00:00.005221", "end": "2024-01-30 13:50:18.033096", "msg": "non-zero return code", "rc": 1, "start": "2024-01-30 13:50:18.027875", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
...ignoring

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth] *********************************************************************************************************************************
changed: [34.244.29.147] => {"backup": "", "changed": true, "msg": "line added"}
===============================================

# cat /etc/pam.d/password-auth  | grep umask
session    optional    pam_umask.so
#
# cat /etc/pam.d/system-auth | grep umask
session    optional    pam_umask.so
#
===============================================

CIS_RESULT: pass
"01/30/2024 14:35:06","ip-172-31-38-227.eu-west-1.compute.internal","N/A","N/A","1.0.0","#scap_org.cisecurity_comp_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark-xccdf","CIS Red Hat Enterprise Linux 9 Benchmark","xccdf_org.cisecurity.benchmarks_benchmark_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark","Level 2 - Server","xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server","xccdf_org.cisecurity.benchmarks_rule_5.6.5_Ensure_default_user_umask_is_027_or_more_restrictive","5.6.5","Ensure default user umask is 027 or more restrictive","pass",","
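The check-then-append logic shown in the test log, as an added POSIX shell example that is not part of the RHEL9-CIS role. It mirrors the role's grep check and the exact line the role writes, but goes one step further than the page's case: the widened pattern also recognises an existing pam_umask.so line that carries module arguments, which the role's `$`-anchored regex would miss and then duplicate. The function names (has_pam_umask, ensure_pam_umask) and the sample PAM files are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not the RHEL9-CIS role's own code): the check-then-append
# logic from the test log above, as a POSIX shell function.
# Assumed names: has_pam_umask, ensure_pam_umask, and the sample files below.

# The role's grep check with \s written as [[:space:]]. Note the trailing "$":
# a line that already carries module arguments (e.g. "umask=0027") does not match.
ROLE_RE='^session[[:space:]]*(optional|requisite|required)[[:space:]]*pam_umask.so$'

# Widened pattern: the module may be followed by arguments or end of line,
# and the "." in pam_umask.so is escaped so it only matches a literal dot.
PAM_UMASK_RE='^[[:space:]]*session[[:space:]]+(optional|requisite|required)[[:space:]]+pam_umask\.so([[:space:]]|$)'

# Exit 0 when the PAM file already loads pam_umask.so as a session module.
has_pam_umask() {
    grep -E -q "$PAM_UMASK_RE" "$1"
}

# Append the same line the role writes, but only when it is absent.
# Prints "present" or "added" so a caller can record whether anything changed.
ensure_pam_umask() {
    if has_pam_umask "$1"; then
        echo present
    else
        printf 'session    optional    pam_umask.so\n' >> "$1"
        echo added
    fi
}

# Constructed sample files standing in for /etc/pam.d/system-auth and
# /etc/pam.d/password-auth; nothing here touches the real system files.
tmpdir=$(mktemp -d)
printf 'session    required    pam_limits.so\n' > "$tmpdir/system-auth"
printf 'session    optional    pam_umask.so umask=0027\n' > "$tmpdir/password-auth"

ensure_pam_umask "$tmpdir/system-auth"     # added
ensure_pam_umask "$tmpdir/system-auth"     # present (second run is a no-op)
ensure_pam_umask "$tmpdir/password-auth"   # present (existing arguments tolerated)
```

On RHEL 9 the live system-auth and password-auth files are normally generated by authselect, so a direct edit can be reverted by `authselect apply-changes`; the same check applies to a custom authselect profile.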
ipruteanu-sie commented 6 months ago

Current approach is just fine, CIS reports a Pass.