Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2022-04-05 10:24:47 +01:00
parent 4e873bc0d6
commit 13a6746997
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
24 changed files with 104 additions and 107 deletions


@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password
rhel9cis_rhnsd_required: false
# 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random
@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld
##### firewalld
rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
#### nftables
rhel9cis_nftables_firewalld_state: absent


@ -39,11 +39,11 @@
- name: reload sysctl
sysctl:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
- ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages"


@ -6,4 +6,3 @@
roles:
- role: "{{ playbook_dir }}"


@ -22,7 +22,7 @@ galaxy_info:
- disa
- rhel9
collections:
- community.general
- community.crypto
- ansible.posix
- community.general
- community.crypto
- ansible.posix
dependencies: []


@ -7,8 +7,8 @@
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when:
- os_check
- not system_is_ec2
- os_check
- not system_is_ec2
tags:
- always
@ -53,128 +53,128 @@
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2
- name: "check sugroup exists if used"
block:
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args:
warn: false
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
tags:
- skip_ansible_lint
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args:
warn: false
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
tags:
- skip_ansible_lint
- name: Check sugroup if defined exists before continuing
assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
- name: Check sugroup if defined exists before continuing
assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when:
- rhel9cis_sugroup is defined
- rhel9cis_rule_5_7
- rhel9cis_sugroup is defined
- rhel9cis_rule_5_7
tags:
- rule_5.7
- rule_5.7
- name: Gather the package facts
package_facts:
manager: auto
tags:
- always
- always
- name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml"
tags:
- always
- always
- name: Include preliminary steps
import_tasks: prelim.yml
tags:
- prelim_tasks
- always
- prelim_tasks
- always
- name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml
when:
- run_audit
- run_audit
- name: Gather the package facts after prelim
package_facts:
manager: auto
tags:
- always
- always
- name: capture /etc/password variables
include_tasks: parse_etc_password.yml
when:
- rhel9cis_section6
- rhel9cis_section6
tags:
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- name: run Section 1 tasks
import_tasks: section_1/main.yml
become: true
when: rhel9cis_section1
tags:
- rhel9cis_section1
- rhel9cis_section1
- name: run Section 2 tasks
import_tasks: section_2/main.yml
become: true
when: rhel9cis_section2
tags:
- rhel9cis_section2
- rhel9cis_section2
- name: run Section 3 tasks
import_tasks: section_3/main.yml
become: true
when: rhel9cis_section3
tags:
- rhel9cis_section3
- rhel9cis_section3
- name: run Section 4 tasks
import_tasks: section_4/main.yml
become: true
when: rhel9cis_section4
tags:
- rhel9cis_section4
- rhel9cis_section4
- name: run Section 5 tasks
import_tasks: section_5/main.yml
become: true
when: rhel9cis_section5
tags:
- rhel9cis_section5
- rhel9cis_section5
- name: run Section 6 tasks
import_tasks: section_6/main.yml
become: true
when: rhel9cis_section6
tags:
- rhel9cis_section6
- rhel9cis_section6
- name: run post remediation tasks
import_tasks: post.yml
become: true
tags:
- post_tasks
- always
- post_tasks
- always
- name: run post_remediation audit
import_tasks: post_remediation_audit.yml
when:
- run_audit
- run_audit
- name: Show Audit Summary
debug:
msg: "{{ audit_results.split('\n') }}"
when:
- run_audit
- run_audit


@ -10,7 +10,7 @@
package_facts:
manager: auto
tags:
- always
- always
- name: trigger update sysctl
shell: /bin/true


@ -226,8 +226,7 @@
max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}"
- debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}"
msg: "{{ min_int_uid }} {{ max_int_uid }}"
when:
- not discover_int_uid


@ -32,7 +32,7 @@
- rsh
- rule_2.3.2
- name: "2.3.3 | PATCH | Ensure talk client is not installed"
- name: "2.3.3 | PATCH | Ensure talk client is not installed"
package:
name: talk
state: absent


@ -52,7 +52,7 @@
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_3
@ -65,7 +65,7 @@
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_4
@ -78,7 +78,7 @@
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_5
@ -91,7 +91,7 @@
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_6
@ -104,7 +104,7 @@
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_7
@ -117,7 +117,7 @@
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_8


@ -1,3 +1,4 @@
---
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug:


@ -97,15 +97,15 @@
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
replace:


@ -73,8 +73,8 @@
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
user:
name: root
group: 0
name: root
group: 0
when:
- rhel9cis_rule_5_6_4
tags:


@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false
rhel9cis_rule_1_1_3: false
rhel9cis_rule_1_1_4: false
rhel9cis_rule_1_1_5: false
#/var
# /var
rhel9cis_rule_1_1_6: false
# /var/tmp
rhel9cis_rule_1_1_7: false