Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-05 10:24:47 +01:00
parent 4e873bc0d6
commit 13a6746997
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
24 changed files with 104 additions and 107 deletions


@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password
rhel9cis_rhnsd_required: false
# 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random
@ -454,7 +452,7 @@ rhel9cis_telnet_server: false
rhel9cis_is_mail_server: false
# Note the options
# Packages are used for client services and Server- only remove if you dont use the client service
#
#
rhel9cis_use_nfs:
- service: false
- server: false
@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld
##### firewalld
rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
#### nftables
rhel9cis_nftables_firewalld_state: absent


@ -33,18 +33,18 @@
- 60-disable_ipv6.conf
- 60-netipv4_sysctl.conf
- 60-netipv6_sysctl.conf
when:
when:
- ansible_virtualization_type != "docker"
- "'procps-ng' in ansible_facts.packages"
- name: reload sysctl
sysctl:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
- ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages"
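Review bot: The re-indented `reload sysctl` handler uses the `sysctl` module with `state: present` for `net.ipv4.route.flush`, which persists `net.ipv4.route.flush = 1` into the sysctl file in addition to flushing the table once; a one-shot flush does not belong in a persistent file, so something like `command: sysctl -w net.ipv4.route.flush=1` with `changed_when: false` matches the handler's intent better. `ignoreerrors: true` also masks a failed apply, so a key that cannot be set (for example an IPv6 key on a host with IPv6 disabled) passes silently; consider dropping it or registering the result and reporting it. The `'systemd' in ansible_facts.packages` guard has no obvious relation to sysctl and is worth a comment explaining it. The `update sysctl` handler whose file list appears at the top of this hunk starts before the hunk.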


@ -6,4 +6,3 @@
roles:
- role: "{{ playbook_dir }}"


@ -22,7 +22,7 @@ galaxy_info:
- disa
- rhel9
collections:
- community.general
- community.crypto
- ansible.posix
- community.general
- community.crypto
- ansible.posix
dependencies: []


@ -6,9 +6,9 @@
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when:
- os_check
- not system_is_ec2
when:
- os_check
- not system_is_ec2
tags:
- always
@ -29,7 +29,7 @@
- name: Load variable for container
include_vars:
file: "{{ container_vars_file }}"
- name: output if discovered is a container
debug:
msg: system has been discovered as a container
@ -53,128 +53,128 @@
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2
- name: "check sugroup exists if used"
block:
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args:
warn: false
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
tags:
- skip_ansible_lint
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args:
warn: false
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
tags:
- skip_ansible_lint
- name: Check sugroup if defined exists before continuing
assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
- name: Check sugroup if defined exists before continuing
assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when:
- rhel9cis_sugroup is defined
- rhel9cis_rule_5_7
- rhel9cis_sugroup is defined
- rhel9cis_rule_5_7
tags:
- rule_5.7
- rule_5.7
- name: Gather the package facts
package_facts:
manager: auto
tags:
- always
- always
- name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml"
tags:
- always
- always
- name: Include preliminary steps
import_tasks: prelim.yml
tags:
- prelim_tasks
- always
- prelim_tasks
- always
- name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml
when:
- run_audit
- run_audit
- name: Gather the package facts after prelim
package_facts:
manager: auto
tags:
- always
- always
- name: capture /etc/password variables
include_tasks: parse_etc_password.yml
when:
- rhel9cis_section6
when:
- rhel9cis_section6
tags:
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- name: run Section 1 tasks
import_tasks: section_1/main.yml
become: true
when: rhel9cis_section1
tags:
- rhel9cis_section1
- rhel9cis_section1
- name: run Section 2 tasks
import_tasks: section_2/main.yml
become: true
when: rhel9cis_section2
tags:
- rhel9cis_section2
- rhel9cis_section2
- name: run Section 3 tasks
import_tasks: section_3/main.yml
become: true
when: rhel9cis_section3
tags:
- rhel9cis_section3
- rhel9cis_section3
- name: run Section 4 tasks
import_tasks: section_4/main.yml
become: true
when: rhel9cis_section4
tags:
- rhel9cis_section4
- rhel9cis_section4
- name: run Section 5 tasks
import_tasks: section_5/main.yml
become: true
when: rhel9cis_section5
tags:
- rhel9cis_section5
- rhel9cis_section5
- name: run Section 6 tasks
import_tasks: section_6/main.yml
become: true
when: rhel9cis_section6
tags:
- rhel9cis_section6
- rhel9cis_section6
- name: run post remediation tasks
import_tasks: post.yml
become: true
tags:
- post_tasks
- always
- post_tasks
- always
- name: run post_remediation audit
import_tasks: post_remediation_audit.yml
when:
- run_audit
- run_audit
- name: Show Audit Summary
debug:
msg: "{{ audit_results.split('\n') }}"
when:
- run_audit
- run_audit
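Review bot: The re-indented `when` guard still gates a supported-OS assertion that requires `ansible_distribution_major_version is version_compare('8', '==')`, so in a rhel9 role the check either fails on every RHEL 9 host or is being bypassed with `os_check: false`; this looks carried over from the RHEL 8 role and should presumably read `version_compare('9', '==')` — confirm against the role's intent. Separately, the `Check su group exists if defined` task interpolates `rhel9cis_sugroup` unquoted into `shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group`, so a value containing shell metacharacters is executed by the shell; using `command:` instead of `shell:` keeps the same grep exit codes (so `failed_when: sugroup_exists.rc >= 2` still works) without a shell in the path. The `args: warn: false` on that task is removed in newer ansible-core and will become a hard error when the role is run there.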


@ -10,7 +10,7 @@
package_facts:
manager: auto
tags:
- always
- always
- name: trigger update sysctl
shell: /bin/true


@ -87,7 +87,7 @@
name: audit
state: present
become: true
when:
when:
- '"auditd" not in ansible_facts.packages'
- rhel9cis_rule_4_1_1_1
tags:
@ -209,7 +209,7 @@
shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false
@ -226,8 +226,7 @@
max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}"
- debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}"
msg: "{{ min_int_uid }} {{ max_int_uid }}"
when:
- not discover_int_uid


@ -61,4 +61,4 @@
- skip_ansible_lint
- rule_1.1.4.2
- rule_1.1.4.3
- rule_1.1.4.4
- rule_1.1.4.4


@ -58,4 +58,4 @@
- skip_ansible_lint
- rule_1.1.6.2
- rule_1.1.6.3
- rule_1.1.6.4
- rule_1.1.6.4


@ -34,7 +34,7 @@
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
notify:
notify:
- update sysctl
when:
- rhel9cis_rule_1_5_3


@ -65,7 +65,7 @@
- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
package:
name: dhcp-server
state: absent
state: absent
when:
- not rhel9cis_dhcp_server
- "'dhcp-server' in ansible_facts.packages"
@ -113,7 +113,7 @@
- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed"
package:
name: vsftpd
state: absent
state: absent
when:
- not rhel9cis_vsftpd_server
- "'vsftpd' in ansible_facts.packages"
@ -222,7 +222,7 @@
- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed"
package:
name: squid
state: absent
state: absent
when:
- not rhel9cis_squid_server
- "'squid' in ansible_facts.packages"


@ -32,7 +32,7 @@
- rsh
- rule_2.3.2
- name: "2.3.3 | PATCH | Ensure talk client is not installed"
- name: "2.3.3 | PATCH | Ensure talk client is not installed"
package:
name: talk
state: absent


@ -23,4 +23,4 @@
- manual
- audit
- services
- rule_2.4
- rule_2.4


@ -10,4 +10,4 @@
import_tasks: cis_2.3.x.yml
- name: "SECTION | 2.4 | Nonessential services removed"
import_tasks: cis_2.4.yml
import_tasks: cis_2.4.yml


@ -1,11 +1,11 @@
---
# The CIS Control wants IPv6 disabled if not in use.
# The CIS Control wants IPv6 disabled if not in use.
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
notify:
notify:
- update sysctl
- sysctl flush ipv6 route table
when:
@ -88,4 +88,4 @@
- automated
- patch
- wireless
- rule_3.1.4
- rule_3.1.4


@ -5,7 +5,7 @@
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
notify:
- update sysctl
- sysctl flush ipv4 route table


@ -5,7 +5,7 @@
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
notify:
- update sysctl
- sysctl flush ipv4 route table
@ -30,7 +30,7 @@
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
notify:
- update sysctl
- sysctl flush ipv4 route table
@ -52,7 +52,7 @@
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_3
@ -65,7 +65,7 @@
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_4
@ -78,7 +78,7 @@
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_5
@ -91,7 +91,7 @@
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_6
@ -104,7 +104,7 @@
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_7
@ -117,7 +117,7 @@
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_8
@ -133,7 +133,7 @@
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
notify:
- update sysctl
- sysctl flush ipv4 route table
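Review bot: Task 3.3.9 (IPv6 router advertisements) notifies `sysctl flush ipv4 route table` and its message says the control is written to `60-netipv4_sysctl.conf`, while the handler list in this same commit includes `60-netipv6_sysctl.conf` and the 3.1.1 task notifies a `sysctl flush ipv6 route table` handler; the re-indented `notify:` list here most likely should be `- update sysctl` followed by `- sysctl flush ipv6 route table`, and the message should name the IPv6 file. The debug message is informational only, so whether the setting actually lands in the IPv6 file depends on the template behind the `update sysctl` handler, which is outside this hunk and worth checking. The task's `when:` continues past the end of the hunk.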


@ -1,3 +1,4 @@
---
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug:


@ -168,4 +168,4 @@
- automated
- patch
- cron
- rule_5.1.9
- rule_5.1.9


@ -54,7 +54,7 @@
with_items:
- "system-auth"
- "password-auth"
when:
when:
- ansible_distribution_version <= "8.1"
- rhel9cis_rule_5_5_2
@ -67,7 +67,7 @@
with_items:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' }
when:
when:
- ansible_distribution_version >= "8.2"
- rhel9cis_rule_5_5_2
@ -79,9 +79,9 @@
state: present
line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
replace:
replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
@ -97,15 +97,15 @@
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
replace:
@ -114,7 +114,7 @@
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
replace:
replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
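Review bot: The `replace:` tasks for 5.5.3 and 5.5.4 edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` in place; on RHEL 9 those files are normally symlinks managed by authselect, so a later `authselect select` or `authselect apply-changes` (or a failing `authselect check`) can silently revert the `pam_unix.so sha512 ... remember=` and pam_pwhistory lines this commit keeps — consider applying them through an authselect custom profile instead, or at least documenting the assumption in a comment above the block; confirm against how the rest of the role treats authselect. The guards `ansible_distribution_version <= "8.1"` and `>= "8.2"` are lexical string comparisons rather than version comparisons, so `ansible_distribution_version is version('8.2', '>=')` is the safer form, and in a rhel9 role the 8.x branches themselves look carried over from the RHEL 8 role. The 5.5.2 task whose `when:` is re-indented here starts before the hunk.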


@ -73,8 +73,8 @@
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
user:
name: root
group: 0
name: root
group: 0
when:
- rhel9cis_rule_5_6_4
tags:


@ -4,4 +4,4 @@
import_tasks: cis_6.1.x.yml
- name: "SECTION | 6.2 | User and Group Settings"
import_tasks: cis_6.2.x.yml
import_tasks: cis_6.2.x.yml


@ -1,4 +1,4 @@
---
# OS Specific Settings
rpm_gpg_key: RPM-GPG-KEY-AlmaLinux
rpm_gpg_key: RPM-GPG-KEY-AlmaLinux


@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false
rhel9cis_rule_1_1_3: false
rhel9cis_rule_1_1_4: false
rhel9cis_rule_1_1_5: false
#/var
# /var
rhel9cis_rule_1_1_6: false
# /var/tmp
rhel9cis_rule_1_1_7: false