Merge pull request #25 from ansible-lockdown/benchmark_v2.0.0

Benchmark v2.0.0
This commit is contained in:
Fred W. 2025-05-09 15:12:17 -04:00 committed by GitHub
commit 1d266e61a7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 81 additions and 69 deletions


@ -42,13 +42,13 @@ repos:
name: Detect Secrets name: Detect Secrets
- repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/gitleaks/gitleaks
rev: v8.24.2 rev: v8.24.3
hooks: hooks:
- id: gitleaks - id: gitleaks
name: GitLeaks name: GitLeaks
- repo: https://github.com/ansible-community/ansible-lint - repo: https://github.com/ansible-community/ansible-lint
rev: v25.1.3 rev: v25.2.1
hooks: hooks:
- id: ansible-lint - id: ansible-lint
name: Ansible-lint name: Ansible-lint


@ -1,4 +1,5 @@
--- ---
# defaults file for rhel9-cis # defaults file for rhel9-cis
# WARNING: # WARNING:
# These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:


@ -9,14 +9,6 @@
delegate_to: localhost delegate_to: localhost
become: false become: false
- name: Audit_only | Get audits from systems and put in group dir
when: fetch_audit_files
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: 'go-wx'
src: "{{ pre_audit_outfile }}"
- name: Audit_only | Show Audit Summary - name: Audit_only | Show Audit Summary
when: audit_only when: audit_only
ansible.builtin.debug: ansible.builtin.debug:


@ -2,7 +2,7 @@
# Stage to copy audit output to a centralised location # Stage to copy audit output to a centralised location
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller" - name: "POST | FETCH | Fetch files and copy to controller"
when: audit_output_collection_method == "fetch" when: audit_output_collection_method == "fetch"
ansible.builtin.fetch: ansible.builtin.fetch:
src: "{{ item }}" src: "{{ item }}"
@ -17,7 +17,7 @@
# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest # Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
# Allowing backup to one location # Allowing backup to one location
- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node" - name: "POST | FETCH | Copy files to location available to managed node"
when: audit_output_collection_method == "copy" when: audit_output_collection_method == "copy"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item }}" src: "{{ item }}"
@ -25,21 +25,21 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
flat: true flat: true
failed_when: false failed_when: false
register: discovered_audit_fetch_copy_state register: discovered_audit_copy_state
loop: loop:
- pre_audit_outfile - "{{ pre_audit_outfile }}"
- post_audit_outfile - "{{ post_audit_outfile }}"
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
when: when:
- (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
(discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed) (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
block: block:
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
vars: vars:
warn_control_id: "FETCH_AUDIT_FILES" warn_control_id: "FETCH_AUDIT_FILES"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
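Review bot: The warning at the `msg:` line still reads "Unable to write to localhost {{ audit_output_destination }}" for both branches of the rewritten `when`, but the copy branch writes to a location on the managed node (per the comment above it, "Copy files to location available to managed node"), so the message misreports where the write failed when `audit_output_collection_method == "copy"`. Something like `msg: "Warning!! Unable to write audit files to {{ audit_output_destination }} (collection method: {{ audit_output_collection_method }})"` covers both paths. Separately, `flat: true` on the copy task looks like a `fetch`-only option; with `failed_when: false` directly below it, an unsupported-argument failure there would be silenced and surface only as this warning, so it is worth checking against the copy module's argument list. `warn_control_id: "FETCH_AUDIT_FILES"` keeps the old prefix while the task names moved to "POST | FETCH", which is harmless unless that id is matched elsewhere.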


@ -209,16 +209,20 @@
- name: "Run post_remediation audit" - name: "Run post_remediation audit"
when: run_audit when: run_audit
tags: always
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post_remediation_audit.yml file: post_remediation_audit.yml
- name: Add ansible file showing Benchmark and levels applied - name: Add ansible file showing Benchmark and levels applied if audit details not present
when: create_benchmark_facts when:
- create_benchmark_facts
- (post_audit_summary is defined) or
(ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
tags: tags:
- always - always
- benchmark - benchmark
block: block:
- name: Create ansible facts directory - name: Create ansible facts directory if audit facts not present
ansible.builtin.file: ansible.builtin.file:
path: "{{ ansible_facts_path }}" path: "{{ ansible_facts_path }}"
state: directory state: directory
@ -226,13 +230,13 @@
group: root group: root
mode: 'u=rwx,go=rx' mode: 'u=rwx,go=rx'
- name: Create ansible facts file - name: Create ansible facts file and levels applied if audit facts not present
ansible.builtin.template: ansible.builtin.template:
src: etc/ansible/compliance_facts.j2 src: etc/ansible/compliance_facts.j2
dest: "{{ ansible_facts_path }}/compliance_facts.fact" dest: "{{ ansible_facts_path }}/compliance_facts.fact"
owner: root owner: root
group: root group: root
mode: "u-x,go-wx" mode: 'u-x,go=r'
- name: Fetch audit files - name: Fetch audit files
when: when:
@ -244,6 +248,7 @@
- name: "Show Audit Summary" - name: "Show Audit Summary"
when: run_audit when: run_audit
tags: always
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}" msg: "{{ audit_results.split('\n') }}"
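Review bot: The new `mode: 'u-x,go=r'` on the compliance_facts.fact template pins group and other but leaves the owner bits relative (`u-x` only strips execute), so the owner permissions still depend on the umask or on a pre-existing file; `mode: 'u=rw,go=r'` states the intended result directly and is idempotent across runs. The rewritten `when` on "Add ansible file showing Benchmark and levels applied if audit details not present" reaches four subscripts into `ansible_local[...]` before testing `is undefined`; Ansible's undefined object chains through subscripts so this should evaluate rather than raise, but a one-line comment above the list, such as `# regenerate the facts file only when fresh post-audit data exists or no audit facts were ever written`, would explain the two-clause condition to the next reader. The `block:` continues outside the hunk.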


@ -25,7 +25,7 @@
when: when:
- not rhel9cis_autofs_services - not rhel9cis_autofs_services
- rhel9cis_autofs_mask - rhel9cis_autofs_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: autofs name: autofs
enabled: false enabled: false
@ -57,7 +57,7 @@
when: when:
- not rhel9cis_avahi_server - not rhel9cis_avahi_server
- rhel9cis_avahi_mask - rhel9cis_avahi_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -90,7 +90,7 @@
when: when:
- not rhel9cis_dhcp_server - not rhel9cis_dhcp_server
- rhel9cis_dhcp_mask - rhel9cis_dhcp_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -123,7 +123,7 @@
when: when:
- not rhel9cis_dns_server - not rhel9cis_dns_server
- rhel9cis_dns_mask - rhel9cis_dns_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: named.service name: named.service
enabled: false enabled: false
@ -153,7 +153,7 @@
when: when:
- not rhel9cis_dnsmasq_server - not rhel9cis_dnsmasq_server
- rhel9cis_dnsmasq_mask - rhel9cis_dnsmasq_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: dnsmasq.service name: dnsmasq.service
enabled: false enabled: false
@ -184,7 +184,7 @@
when: when:
- not rhel9cis_samba_server - not rhel9cis_samba_server
- rhel9cis_samba_mask - rhel9cis_samba_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: smb.service name: smb.service
enabled: false enabled: false
@ -215,7 +215,7 @@
when: when:
- not rhel9cis_ftp_server - not rhel9cis_ftp_server
- rhel9cis_ftp_mask - rhel9cis_ftp_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: vsftpd.service name: vsftpd.service
enabled: false enabled: false
@ -249,7 +249,7 @@
when: when:
- not rhel9cis_message_server - not rhel9cis_message_server
- rhel9cis_message_mask - rhel9cis_message_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -285,7 +285,7 @@
when: when:
- not rhel9cis_nfs_server - not rhel9cis_nfs_server
- rhel9cis_nfs_mask - rhel9cis_nfs_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: nfs-server.service name: nfs-server.service
enabled: false enabled: false
@ -302,7 +302,7 @@
- nis - nis
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- rule_2.1.10 - rule_2.1.10
notify: Systemd_daemon_reload notify: Systemd daemon reload
block: block:
- name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package"
when: when:
@ -344,7 +344,7 @@
when: when:
- not rhel9cis_print_server - not rhel9cis_print_server
- rhel9cis_print_mask - rhel9cis_print_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -378,7 +378,7 @@
when: when:
- not rhel9cis_rpc_server - not rhel9cis_rpc_server
- rhel9cis_rpc_mask - rhel9cis_rpc_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -412,7 +412,7 @@
when: when:
- not rhel9cis_rsync_server - not rhel9cis_rsync_server
- rhel9cis_rsync_mask - rhel9cis_rsync_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -445,7 +445,7 @@
when: when:
- not rhel9cis_snmp_server - not rhel9cis_snmp_server
- rhel9cis_snmp_mask - rhel9cis_snmp_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: snmpd.service name: snmpd.service
enabled: false enabled: false
@ -476,7 +476,7 @@
when: when:
- not rhel9cis_telnet_server - not rhel9cis_telnet_server
- rhel9cis_telnet_mask - rhel9cis_telnet_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: telnet.socket name: telnet.socket
enabled: false enabled: false
@ -506,7 +506,7 @@
when: when:
- not rhel9cis_tftp_server - not rhel9cis_tftp_server
- rhel9cis_tftp_mask - rhel9cis_tftp_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
@ -540,7 +540,7 @@
when: when:
- not rhel9cis_squid_server - not rhel9cis_squid_server
- rhel9cis_squid_mask - rhel9cis_squid_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: squid.service name: squid.service
enabled: false enabled: false
@ -580,7 +580,7 @@
when: when:
- not rhel9cis_httpd_server - not rhel9cis_httpd_server
- rhel9cis_httpd_mask - rhel9cis_httpd_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: httpd.service name: httpd.service
enabled: false enabled: false
@ -591,7 +591,7 @@
when: when:
- not rhel9cis_nginx_server - not rhel9cis_nginx_server
- rhel9cis_nginx_mask - rhel9cis_nginx_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: ngnix.service name: ngnix.service
enabled: false enabled: false
@ -621,7 +621,7 @@
when: when:
- not rhel9cis_xinetd_server - not rhel9cis_xinetd_server
- rhel9cis_xinetd_mask - rhel9cis_xinetd_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: xinetd.service name: xinetd.service
enabled: false enabled: false
@ -657,7 +657,7 @@
- postfix - postfix
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- rule_2.1.21 - rule_2.1.21
notify: Restart_postfix notify: Restart postfix
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/postfix/main.cf path: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces" regexp: "^(#)?inet_interfaces"
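Review bot: Every `notify:` in this section and in the bluetooth section below changes the handler name to `Systemd daemon reload` (and `Restart postfix`), but no handlers file is among the changed sections shown, so it is not visible whether handlers with exactly these names exist; a notify to a handler name that is not defined fails the play at runtime, so please confirm the handler definitions match the new spelling before merging. Unrelated to the rename but in the same hunk, the nginx task masks `name: ngnix.service`, which looks like a typo for `nginx.service` — depending on the module's behaviour it either errors on the missing unit or masks a unit that does not exist, leaving the real service untouched; suggested `name: nginx.service`.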


@ -86,7 +86,7 @@
when: when:
- not rhel9cis_bluetooth_service - not rhel9cis_bluetooth_service
- rhel9cis_bluetooth_mask - rhel9cis_bluetooth_mask
notify: Systemd_daemon_reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: bluetooth.service name: bluetooth.service
enabled: false enabled: false


@ -6,7 +6,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- permissions - permissions
- rule_5.1.1 - rule_5.1.1
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
@ -23,7 +23,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- permissions - permissions
- rule_5.1.2 - rule_5.1.2
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
@ -53,7 +53,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.3 - rule_5.1.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
@ -166,7 +166,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.7 - rule_5.1.7
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
@ -195,6 +195,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyUsers" regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd_denyusers }}" line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -213,7 +215,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.8 - rule_5.1.8
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -231,7 +233,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.9 - rule_5.1.9
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -261,7 +263,7 @@
- level2-server - level2-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.10 - rule_5.1.10
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
block: block:
@ -287,7 +289,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- sshs - sshd
- rule_5.1.11 - rule_5.1.11
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -317,7 +319,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.12 - rule_5.1.12
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -337,7 +339,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.13 - rule_5.1.13
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -348,6 +350,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*IgnoreRhosts regexp: ^(?i)(#|)\s*IgnoreRhosts
line: 'IgnoreRhosts yes' line: 'IgnoreRhosts yes'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -357,13 +361,15 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.14 - rule_5.1.14
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LoginGraceTime regexp: ^(?i)(#|)\s*LoginGraceTime
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -373,7 +379,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- sshs - sshd
- rule_5.1.15 - rule_5.1.15
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
@ -382,6 +388,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LogLevel regexp: ^(?i)(#|)\s*LogLevel
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -391,7 +399,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.16 - rule_5.1.16
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -407,7 +415,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.17 - rule_5.1.17
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -427,7 +435,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.18 - rule_5.1.18
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -447,7 +455,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.19 - rule_5.1.19
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -467,7 +475,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.20 - rule_5.1.20
- NIST800-53R5_AC-6 - NIST800-53R5_AC-6
block: block:
@ -491,7 +499,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.21 - rule_5.1.21
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -511,7 +519,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.22 - rule_5.1.22
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
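Review bot: The added `insertbefore: "^Match"` / `firstmatch: true` pairs on the DenyUsers, IgnoreRhosts, LoginGraceTime and LogLevel tasks deserve a comment, because the reason is sshd semantics rather than lineinfile style: keywords that follow the first `Match` block apply only to that block, so a newly added global directive must land above it, and with `firstmatch` an occurrence inside a later `Match` block is no longer treated as the existing global setting to rewrite. Suggested, above each pair: `# sshd: keywords after the first Match apply only to that block; keep the global setting above it`. The other lineinfile tasks in this file (for example rule 5.1.16, whose `ansible.builtin.lineinfile:` body is outside the hunk) appear not to have received the same pair, so they are worth checking for consistency.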


@ -23,7 +23,7 @@
- rhel9cis_disruption_high - rhel9cis_disruption_high
ansible.builtin.replace: ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth" path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$) regexp: ^(\s*auth\s+(?:requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
replace: \1 \2\3 replace: \1 \2\3
loop: loop:
- password - password
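Review bot: With the control keyword group now non-capturing, `replace: \1 \2\3` produces a double space whenever `\2` starts with whitespace, which it does for a line such as `auth required pam_faillock.so preauth silent deny=5 unlock_time=900` (`\2` is ` preauth silent`); `replace: \1\2\3` yields the same content without the stray space. Since the task strips the inline `deny=` option rather than setting a value, a comment stating where the lockout threshold is then enforced (presumably /etc/security/faillock.conf, configured elsewhere in the role) would help a reader judge the change, e.g. `# remove inline deny= so the value in faillock.conf is authoritative`. The task's `when` list starts outside the hunk.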


@ -96,15 +96,20 @@
- rule_6.2.1.4 - rule_6.2.1.4
block: block:
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog" - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog"
when: rhel9cis_syslog == "rsyslog" when:
- rhel9cis_syslog == "rsyslog"
- "'systemd-journald' in ansible_facts.packages"
ansible.builtin.systemd: ansible.builtin.systemd:
name: systemd-journald name: systemd-journald
state: stopped state: stopped
enabled: false enabled: false
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald" - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald"
when: rhel9cis_syslog == "journald" when:
- rhel9cis_syslog == "journald"
- "'rsyslog' in ansible_facts.packages"
ansible.builtin.systemd: ansible.builtin.systemd:
name: rsyslog name: rsyslog
state: stopped state: stopped
enabled: false enabled: false
register: discovered_rsyslog_service
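Review bot: The new guard `'systemd-journald' in ansible_facts.packages` only passes if an RPM of exactly that name is installed; on the RHEL 9 systems I am aware of journald ships inside the `systemd` package rather than as a separate `systemd-journald` package, in which case the rsyslog branch would always be skipped and journald never stopped — please verify the package name on a target host. Both new conditions also require `ansible.builtin.package_facts` to have run earlier in the play, which the hunk cannot show. `register: discovered_rsyslog_service` is added but not consumed within the hunk; if it is read later, a short comment naming the consumer would help, otherwise it can be dropped.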


@ -29,6 +29,7 @@ Level_2_workstation_tag_run = true
[lockdown_audit_details] [lockdown_audit_details]
{% if run_audit %} {% if run_audit %}
# Audit run # Audit run
audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
audit_file_local_location = {{ audit_log_dir }} audit_file_local_location = {{ audit_log_dir }}
{% if not audit_only %} {% if not audit_only %}
audit_summary = {{ post_audit_results }} audit_summary = {{ post_audit_results }}
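Review bot: `audit_run_date` is rendered with `strftime` and no `second` argument, so the value is the controller's local wall-clock time at template render, not the managed node's clock nor the moment the audit actually executed. If this fact is meant to be compared across hosts or fed to a collector, pass `utc=true` (accepted by `ansible.builtin.strftime` in recent ansible-core; confirm for the minimum version the role supports) or record the timezone in the key name, e.g. `audit_run_date_utc = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime(utc=true) }}`.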