Fix in logic for Alma (#4)

* container standards

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logic on handlers

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* initial container ignore

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tags and container discovery

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logic on auditd task

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tags and crypto logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* distro update for rocky

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* system_is_container updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* ssh pkg check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logrotate pkg check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logic in container check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* add pkg fact and audit conditionals

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up crypto step

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added missing tags

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* container vars file now a variable

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added uid discovery and usage

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Updated OS checks and conditionals

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed empty become

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* change audit to include task

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added OS_specific vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated import/include

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* OS Specific vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated tags

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated changed_when

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed UID logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* changed reboot var

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* changed skip_reboot var name

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* masked only

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* remove debug update logic 6.2.8

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed CentOS

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly 2022-02-02 11:25:03 +00:00 committed by GitHub
parent 876ac290d5
commit 02a36f7f8d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
27 changed files with 392 additions and 113 deletions

View file

@ -20,6 +20,7 @@
- level2-workstation
- patch
- rule_4.1.1.1
- auditd
- name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled"
service:
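Review bot: the new `auditd` tag on 4.1.1.1 will only be reachable from a `--tags auditd` run if the `include_tasks: cis_4.1.1.x.yml` that pulls this file in also carries that tag (or is converted to `import_tasks`); with a dynamic include, tag filtering is applied to the include task itself, so the tasks inside are skipped wholesale even though they are tagged here. Either add `tags: - auditd` (plus the existing level/rule tags) to the include in the section file, or make it a static import.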
@ -29,7 +30,7 @@
when:
- not rhel9cis_skip_for_travis
- rhel9cis_rule_4_1_1_2
- ansible_connection != 'docker'
- not system_is_container
tags:
- level2-server
- level2-workstation
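Review bot: `- not system_is_container` assumes the fact is defined on every host; if the discovery task that sets it does not run (a tag filter is the usual cause, since this task is tagged and the discovery task may not be), the `when` fails with an undefined variable rather than skipping. Suggest `- not (system_is_container | default(false))`, or give the discovery task the `always` tag. Replacing `ansible_connection != 'docker'` is the right move, since it also covers containers reached over ssh, where auditd cannot be enabled either.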
@ -104,4 +105,5 @@
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.1.4
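Review bot: the `auditd` tag is inserted before `rule_4.1.1.4` here but appended after `rule_4.1.1.1` in the first hunk of this file; keep one ordering (rule id last, or tag last) across the tasks so the tag blocks stay uniform and easy to diff.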

View file

@ -17,6 +17,7 @@
- { path: "/etc/logrotate.conf" }
when:
- rhel9cis_rule_4_3
- "'logrotate' in ansible_facts.packages"
tags:
- level1-server
- level1-workstation
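Review bot: `"'logrotate' in ansible_facts.packages"` only works once the `package_facts` module has populated `ansible_facts.packages`; if that task is skipped or runs later, this condition errors on an undefined attribute. Make sure the package-facts task runs before 4.3 on every code path (an `always` tag is the usual fix), or guard with `(ansible_facts.packages | default({}))`. Also worth a thought: when logrotate is absent this rule now skips silently, whereas a CIS 4.3 remediation arguably should install logrotate or at least report the gap.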

View file

@ -2,22 +2,24 @@
- name: "SECTION | 4.1| Configure System Accounting (auditd)"
include_tasks: cis_4.1.1.x.yml
when:
- not system_is_container
- name: "SECTION | 4.1.2.x| Configure Data Retention"
include_tasks: cis_4.1.2.x.yml
import_tasks: cis_4.1.2.x.yml
- name: "SECTION | 4.1.x| Auditd rules"
include_tasks: cis_4.1.x.yml
import_tasks: cis_4.1.x.yml
- name: "SECTION | 4.2.x| Configure Logging"
import_tasks: cis_4.2.1.x.yml
when: rhel9cis_syslog == 'rsyslog'
- name: "SECTION | 4.2.2.x| Configure journald"
include_tasks: cis_4.2.2.x.yml
import_tasks: cis_4.2.2.x.yml
- name: "SECTION | 4.2.3 | Configure logile perms"
include_tasks: cis_4.2.3.yml
import_tasks: cis_4.2.3.yml
- name: "SECTION | 4.3 | Configure logrotate"
include_tasks: cis_4.3.yml
import_tasks: cis_4.3.yml
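Review bot: the container guard is applied to 4.1.1.x only, yet 4.1.2.x (data retention, auditd.conf) and 4.1.x (audit rules) are now imported unconditionally, so on a container the play skips installing and enabling auditd but still tries to write its configuration and rules. Put the same `when: not system_is_container` on those two sections, or move the guard up to a single block that wraps all of 4.1. Note also that `when` on `import_tasks` is copied onto every imported task, which is fine here, but the 4.1.1.x entry is the one section left as `include_tasks`, so its tagged tasks will not be matched by `--tags` unless the include carries the tags too; converting it to `import_tasks` like its siblings would keep behaviour consistent. Drive-by: "logile" in the 4.2.3 section name should read "logfile".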