ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-27 15:33:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

PR #180 thanks to @ipruteanu-sie and @raabf

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-03-06 09:28:18 +00:00
parent bf7df3fea2
commit 1b655bb473
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
7 changed files with 8 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
tasks/section_1/cis_1.1.7.x.yml
View file

@ -39,7 +39,6 @@
notify: Change_requires_reboot notify: Change_requires_reboot
when: when:
- item.mount == "/home" - item.mount == "/home"
- rhel9cis_rule_1_1_7_1
- rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_2 or
rhel9cis_rule_1_1_7_3 rhel9cis_rule_1_1_7_3
tags: tags:
@ -49,5 +48,4 @@
- mounts - mounts
- rule_1.1.7.2 - rule_1.1.7.2
- rule_1.1.7.3 - rule_1.1.7.3
- rule_1.1.7.4
- skip_ansible_lint - skip_ansible_lint

2
tasks/section_1/cis_1.3.x.yml
View file

@ -54,7 +54,7 @@
- patch - patch
- rule_1.3.2 - rule_1.3.2
- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/aide.conf path: /etc/aide.conf
marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"

2
tasks/section_1/cis_1.8.x.yml
View file

@ -118,7 +118,7 @@
- gui - gui
- rule_1.8.4 - rule_1.8.4
- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
block: block:
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory"
ansible.builtin.file: ansible.builtin.file:

4
tasks/section_4/cis_4.1.3.x.yml
View file

@ -99,7 +99,7 @@
- level2-workstation - level2-workstation
- patch - patch
- auditd - auditd
- rule_4.1.3_7 - rule_4.1.3.7
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
@ -268,7 +268,7 @@
- level2-workstation - level2-workstation
- patch - patch
- auditd - auditd
- rule_4.1.20 - rule_4.1.3.20
- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
ansible.builtin.debug: ansible.builtin.debug:

2
tasks/section_5/cis_5.2.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" - name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
ansible.builtin.file: ansible.builtin.file:
path: "/etc/ssh/sshd_config" path: "/etc/ssh/sshd_config"
owner: root owner: root

2
tasks/section_5/cis_5.6.x.yml
View file

@ -2,7 +2,7 @@
- name: "5.6.2 | PATCH | Ensure system accounts are secured" - name: "5.6.2 | PATCH | Ensure system accounts are secured"
block: block:
- name: "5.6.2 | Ensure system accounts are secured | Set nologin" - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin"
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.id }}" name: "{{ item.id }}"
shell: /usr/sbin/nologin shell: /usr/sbin/nologin

4
tasks/section_6/cis_6.2.x.yml
View file

@ -75,7 +75,7 @@
- groups - groups
- rule_6.2.3 - rule_6.2.3
- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist"
block: block:
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
@ -88,7 +88,7 @@
msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
- name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1