feat(cis_baseline): implement 1.7.1.4-6 controls for banner permissions

karras · Oct 15, 2023 · 85f777e · 85f777e
1 parent fef7e0a
commit 85f777e
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/roles/cis_baseline/molecule/default/tests/1_7_warning_banners.yml b/roles/cis_baseline/molecule/default/tests/1_7_warning_banners.yml
@@ -23,3 +23,36 @@
   register: out
   changed_when: false
   failed_when: out.stdout_lines | length < 0
+
+# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+- name: 1.7.1.4 test if motd banner permissions are correct
+  ansible.builtin.stat:
+    path: /etc/motd
+  register: out
+  changed_when: false
+  failed_when: (not out.stat.exists) or
+               (out.stat.pw_name != 'root') or
+               (out.stat.gr_name != 'root') or
+               (out.stat.mode != '0644')
+
+# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+- name: 1.7.1.5 test if local login banner permissions are correct
+  ansible.builtin.stat:
+    path: /etc/motd
+  register: out
+  changed_when: false
+  failed_when: (not out.stat.exists) or
+               (out.stat.pw_name != 'root') or
+               (out.stat.gr_name != 'root') or
+               (out.stat.mode != '0644')
+
+# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+- name: 1.7.1.6 test if remote login banner permissions are correct
+  ansible.builtin.stat:
+    path: /etc/motd
+  register: out
+  changed_when: false
+  failed_when: (not out.stat.exists) or
+               (out.stat.pw_name != 'root') or
+               (out.stat.gr_name != 'root') or
+               (out.stat.mode != '0644')
diff --git a/roles/cis_baseline/tasks/1_7_warning_banners.yml b/roles/cis_baseline/tasks/1_7_warning_banners.yml
@@ -29,3 +29,30 @@
     group: root
     mode: '0644'
   when: not '1.7.1.3' in cis_baseline_ignored_rules
+
+# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+- name: 1.7.1.4 ensure motd banner permissions are correct
+  ansible.builtin.file:
+    path: /etc/motd
+    owner: root
+    group: root
+    mode: '0644'
+  when: not '1.7.1.4' in cis_baseline_ignored_rules
+
+# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+- name: 1.7.1.5 ensure local login banner permissions are correct
+  ansible.builtin.file:
+    path: /etc/issue
+    owner: root
+    group: root
+    mode: '0644'
+  when: not '1.7.1.5' in cis_baseline_ignored_rules
+
+# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+- name: 1.7.1.6 ensure remote login banner permissions are correct
+  ansible.builtin.file:
+    path: /etc/issue.net
+    owner: root
+    group: root
+    mode: '0644'
+  when: not '1.7.1.6' in cis_baseline_ignored_rules