From 19a218390d7f29ba2f5ad02ea8db3aa959934661 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 30 Mar 2022 16:34:33 +0100
Subject: [PATCH] updates

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 8 ++++++--
 tasks/section_1/cis_1.5.x.yml | 11 ++++-------
 templates/{ => etc/cron.d}/aide.cron.j2 | 2 +-
 templates/etc/{ => sysctl.d}/60-disable_ipv6.conf.j2 | 3 +++
 templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 8 ++++++++
 templates/etc/{ => sysctl.d}/99-sysctl.conf.j2 | 11 -----------
 6 files changed, 22 insertions(+), 21 deletions(-)
 rename templates/{ => etc/cron.d}/aide.cron.j2 (95%)
 rename templates/etc/{ => sysctl.d}/60-disable_ipv6.conf.j2 (67%)
 create mode 100644 templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
 rename templates/etc/{ => sysctl.d}/99-sysctl.conf.j2 (89%)

diff --git a/handlers/main.yml b/handlers/main.yml
index ad56e8b..d2cf453 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -22,12 +22,16 @@ - name: update sysctl template: - src: etc/99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 notify: reload sysctl + with_items: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf - 99-sysctl.conf when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages"
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
index d3602b2..a969def 100644
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@@ -32,13 +32,10 @@ - rule_1.5.2 - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: yes - sysctl_set: yes - ignoreerrors: yes + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + notify: - update sysctl when: - rhel9cis_rule_1_5_3 tags:
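Review bot: The loop added to the `update sysctl` handler is spelled `with_items:`; `loop:` is the form Ansible has recommended since 2.5 and the one ansible-lint checks for, so `loop:` followed by the same three file names would be the idiomatic spelling. Because each template is gated on its rule variable inside the file, a disabled rule still yields a header-only file under /etc/sysctl.d, which is harmless but worth knowing when reading the rendered directory. The `reload sysctl` handler this one notifies is outside the hunk, so whether all three files are applied in a single reload cannot be checked here.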
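Review bot: The `notify: - update sysctl` added to task 1.5.3 never fires as written, because `debug` always reports `ok` and a handler is only notified by a task whose result is `changed`; add `changed_when: true` next to `notify:` so the handler actually renders the ASLR setting. The message also names `/etc/sysctl.d/99-sysctl.conf`, but this same patch moves `kernel.randomize_va_space` into `60-kernel_sysctl.conf.j2`, so it should read `/etc/sysctl.d/60-kernel_sysctl.conf` to avoid sending an operator to the wrong file. The task's `tags:` list continues past the end of the hunk.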
diff --git a/templates/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2
similarity index 95%
rename from templates/aide.cron.j2
rename to templates/etc/cron.d/aide.cron.j2
index 848dcca..f9014fa 100644
--- a/templates/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@@ -1,5 +1,5 @@
 # Run AIDE integrity check
 # added via ansible-lockdown remediation
-# CIS 1.4.2
+# CIS 1.3.2
 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }}
diff --git a/templates/etc/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
similarity index 67%
rename from templates/etc/60-disable_ipv6.conf.j2
rename to templates/etc/sysctl.d/60-disable_ipv6.conf.j2
index 855d03d..34ee10c 100644
--- a/templates/etc/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@@ -1,3 +1,6 @@
+# Setting added via ansible CIS remediation playbook
+
+# IPv6 disable
 {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
new file mode 100644
index 0000000..cbfffed
--- /dev/null
+++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
@@ -0,0 +1,8 @@
+# Setting added via ansible CIS remediation playbook
+
+
+{% if rhel9cis_rule_1_5_3 %}
+# Kernel sysctl
+# CIS 1.5.3
+kernel.randomize_va_space = 2
+{% endif %}
\ No newline at end of file
diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/sysctl.d/99-sysctl.conf.j2
similarity index 89%
rename from templates/etc/99-sysctl.conf.j2
rename to templates/etc/sysctl.d/99-sysctl.conf.j2
index 8feb96d..177db21 100644
--- a/templates/etc/99-sysctl.conf.j2
+++ b/templates/etc/sysctl.d/99-sysctl.conf.j2
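Review bot: The cron line kept as context in this hunk renders only four time fields (`aide_minute`, `aide_hour`, `aide_month`, `aide_weekday`) before `aide_job`, whereas cron syntax takes five (minute, hour, day-of-month, month, day-of-week), and a file under the new `etc/cron.d` path additionally needs a user column before the command. If that is the template's real content rather than an artifact of how this patch was pasted, cron would read the month value as day-of-month and the weekday value as month and then misparse the job's first token, so the AIDE integrity check would not run on the intended schedule and the control is silently ineffective. Add a day-of-month field between hour and month using whatever key the role's defaults provide for it, and confirm that `aide_job` carries the user column. The comment renumbering itself is fine.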
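Review bot: This new template carries only `kernel.randomize_va_space = 2`, while the last hunk of the patch (`templates/etc/sysctl.d/99-sysctl.conf.j2`) removes the guarded `fs.suid_dumpable = 0` block alongside it and nothing else in the diff re-adds that setting, so the commit quietly drops the core-dump restriction from the rendered sysctl set. If that control still applies under a new benchmark number it belongs here as a second guarded block mirroring the ASLR one; if it was dropped deliberately, the commit message should say so rather than "updates". Separately, the file ends with `\ No newline at end of file`; a trailing newline avoids a noisy diff on the next edit, and the two blank lines after the header comment could be one to match `60-disable_ipv6.conf.j2`.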
@@ -1,16 +1,5 @@
 # Setting added via ansible CIS remediation playbook
-{% if rhel9cis_rule_1_6_1 %}
-# Filesystem sysctl
-# CIS 1.6.1
-fs.suid_dumpable = 0
-{% endif %}
-{% if rhel9cis_rule_1_6_2 %}
-# Kernel sysctl
-# CIS 1.6.2
-kernel.randomize_va_space = 2
-{% endif %}
-
 # Network sysctl
 {% if rhel9cis_rule_3_2_1 %}
 # CIS 3.2.1