ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-05-09 23:33:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

QA, lint, standards, var naming, title aming aligned

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2026-04-08 12:56:24 +01:00
parent 69bef1f371
commit 201edf02e4
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
39 changed files with 478 additions and 608 deletions
Download patch file Download diff file Expand all files Collapse all files

23
.gitignore vendored
View file

@ -1,7 +1,6 @@
.env
*.log
*.retry
.cache
.vagrant
tests/*redhat-subscription
tests/Dockerfile
@ -10,11 +9,9 @@ tests/Dockerfile
packer_cache
delete*
ignore*
test_inv
# temp remove doc while this is built up
doc/
# VSCode
.vscode
vagrant
# Byte-compiled / optimized / DLL files
__pycache__/
@ -39,13 +36,29 @@ tramp
rh-creds.env
travis.env
# Secret/key files
*.vault
*.key
*.pem
*.p12
*.pfx
*.keystore
*.jks
*.credentials
*vault_pass*
.vault_pass
# Lockdown-specific
benchparse/
*xccdf.xml
*.retry
*.pdf
*history.md
*plan.md
*qa_report*
# GitHub Action/Workflow files
.github/
# Precommit exclusions
# ansible-lint
.ansible/

2
.yamllint
View file

@ -17,7 +17,7 @@ rules:
comments:
ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility
comments-indentation: enable
comments-indentation: disable
empty-lines:
max: 1
indentation:

4
CONTRIBUTING.rst
View file

@ -1,4 +1,4 @@
Contributing to MindPoint Group Projects
Contributing to Ansible-Lockdown Projects
========================================
Rules
@ -20,7 +20,7 @@ Signing your contribution
We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects.
way to contribute to Ansible-Lockdown projects.
The process is to certify the below DCO 1.1 text
::

57
Changelog.md
View file

@ -1,7 +1,34 @@
# Changes to RHEL9CIS
## 2.0.5 - Based on CIS v2.0.0
## April 2026
- bootloader password logic improved thanks to skullbringer on discord community
- 7.1.12 and 7.1.13 fixed thanks to @bubaimondalsch #440
- 4.3 tags updated
- 2.1.x - improve logic for mask/disable/stop thanks to @numericillustration #434
## March 2026 — workspace alignment
- Common files aligned to std
- workflows updates
- titles updates
- levels aligned
- auditd improvement
- grammar, lint
- vars naming
- Linting: converted ~75 single-item when: conditions from list to inline format
- Linting: added blank line after --- YAML document marker in 10 files
- Linting: fixed register: key order in 8 tasks (now appears after changed_when/failed_when)
- Linting: fixed spelling typo sddr → saddr in cis_4.3.x.yml
- Defaults: added justification comments for service client and bluetooth variables
## Based on CIS v2.0.0
# Feb26 2
#430 thanks to @numericillustration - 5.4.2.5 missing echo
# Feb26 1
- QA Fixes
- .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
@ -77,34 +104,6 @@ tidy up tags on tasks/main.yml
- public issue 372
- allow password with different locale
## 2.0.4 - Based on CIS v2.0.0
- addressed issue #419, thank you @aaronk1
- addressed issue #418 thank you @bbaassssiiee
- addressed issue #416 thank you @georgenalen and @bbaassssiiee
- addressed issue #393 thank you to @fragglexarmy
- addressed issue #394 thank you to @dbeuker
- addressed issues #390 and #391 thanks to @polski-g
- addressed issue #398 & #399 thanks to trumbaut
- Added max-concurrent options for audit
- work flow updates
- audit logic improvements
- auditd template 2.19 compatible
- pre-commit updates
- #410 thanks to @kpi-nourman
- #413 thanks to @bbaassssiiee
## 2.0.3 - Based on CIS v2.0.0
- addressed issue #387, thank you @fragglexarmy
- addressed issue #382 to improve regex logic on 5.4.2.4
- improvement on crypto policy managed controls with var logic
- addressed issue #384 thank you @polski-g
- update command to shell module on tasks
- addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g
- pre-commit update
## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results

655
defaults/main.yml
View file

File diff suppressed because it is too large Load diff

2
tasks/LE_audit_setup.yml
View file

@ -25,7 +25,7 @@
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
owner: root
group: root

56
tasks/auditd.yml
View file

@ -3,59 +3,47 @@
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false
check_mode: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/99_auditd.rules
register: discovered_auditd_rules_file
- name: "POST | AUDITD | Ensure use of privileged commands is collected"
ansible.builtin.shell: |
{%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}
for i in $(df | grep '^/dev' | grep -Ev '{{ egrep_exclude }}' | awk '{ print $NF }'); do
find $i -xdev -type f -perm /6000 2>/dev/null;
done
changed_when: false
failed_when: false
check_mode: false
register: discovered_privileged_commands
- name: POST | Apply auditd template for section 6.3.3.x
- name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
when: update_audit_template
vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template:
src: audit/99_auditd.rules.j2
src: etc/audit/rules.d/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 'u-x,g-wx,o-rwx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated
mode: 'u-x,go-wx'
register: discovered_audit_rules_updated
notify:
- Auditd immutable check
- Audit immutable fact
- Auditd rules reload
- Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
when:
- discovered_auditd_rules_template_updated.changed
- discovered_auditd_rules_file.stat.exists
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, validate as expected'
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/98_auditd_exceptions.rules
register: discovered_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
- name: POST | AUDITD | Set up auditd user logging exceptions
when: rhel9cis_allow_auditd_uid_user_exclusions
ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2
src: etc/audit/rules.d/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: '0640'
diff: "{{ discovered_auditd_exception_file.stat.exists }}"
mode: 'u-x,go-rwx'
notify: Restart auditd
- name: POST | AUDITD | Flush handlers
ansible.builtin.meta: flush_handlers

8
tasks/main.yml
View file

@ -200,15 +200,13 @@
file: auditd.yml
- name: "Run post remediation tasks"
tags:
- post_tasks
- always
tags: always
ansible.builtin.import_tasks:
file: post.yml
- name: "Run post_remediation audit"
- name: "Run post remediation audit"
when: run_audit
tags: always
tags: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml

10
tasks/post_remediation_audit.yml
View file

@ -1,6 +1,6 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
@ -14,11 +14,11 @@
- name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
changed_when: false
register: post_audit_summary
register: post_audit_summary_json
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
post_audit_results: "{{ post_audit_summary_json.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when: audit_format == "documentation"
@ -26,8 +26,8 @@
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
register: post_audit_summary
register: post_audit_summary_documentation
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
post_audit_results: "{{ post_audit_summary_documentation.stdout }}"

16
tasks/pre_remediation_audit.yml
View file

@ -6,7 +6,7 @@
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
ansible.builtin.file:
path: "{{ audit_conf_dir }}"
mode: 'go-w'
@ -71,8 +71,8 @@
dest: "{{ audit_vars_path }}"
mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
@ -85,12 +85,11 @@
- name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
changed_when: false
failed_when: pre_audit_summary.stderr | length > 0
register: pre_audit_summary
register: pre_audit_summary_json
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
pre_audit_results: "{{ pre_audit_summary_json.stdout }}"
- name: Pre Audit | Capture audit data if documentation format
when: audit_format == "documentation"
@ -98,12 +97,11 @@
- name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
failed_when: pre_audit_summary.stderr | length > 0
register: pre_audit_summary
register: pre_audit_summary_documentation
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
pre_audit_results: "{{ pre_audit_summary_documentation.stdout }}"
- name: Audit_Only | Run Audit Only
when: audit_only

7
tasks/prelim.yml
View file

@ -295,6 +295,13 @@
state: directory
mode: 'u+x,g-w,o-rwx'
- name: "PRELIM | AUDIT | Discover if auditd is immutable"
tags: always
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1, 2 ]
register: prelim_auditd_immutable_check
- name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when:
- '"auditd" not in ansible_facts.packages'

6
tasks/section_1/cis_1.1.2.3.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
- name: "1.1.2.3.1 | PATCH | Ensure separate partition exists for /home"
when:
- rhel9cis_rule_1_1_2_3_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.3.1

6
tasks/section_1/cis_1.1.2.4.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
- name: "1.1.2.4.1 | PATCH | Ensure separate partition exists for /var"
when:
- rhel9cis_rule_1_1_2_4_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.4.1

6
tasks/section_1/cis_1.1.2.5.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
- name: "1.1.2.5.1 | PATCH | Ensure separate partition exists for /var/tmp"
when:
- rhel9cis_rule_1_1_2_5_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.5.1

6
tasks/section_1/cis_1.1.2.6.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
- name: "1.1.2.6.1 | PATCH | Ensure separate partition exists for /var/log"
when:
- rhel9cis_rule_1_1_2_6_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.6.1

6
tasks/section_1/cis_1.1.2.7.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
- name: "1.1.2.7.1 | PATCH | Ensure separate partition exists for /var/log/audit"
when:
- rhel9cis_rule_1_1_2_7_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.7.1

4
tasks/section_1/cis_1.3.1.x.yml
View file

@ -55,7 +55,7 @@
policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled"
- name: "1.3.1.4 | PATCH | Ensure the SELinux mode is not disabled"
when:
- rhel9cis_rule_1_3_1_4
- not rhel9cis_selinux_disable
@ -72,7 +72,7 @@
policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing"
- name: "1.3.1.5 | PATCH | Ensure the SELinux mode is enforcing"
when:
- rhel9cis_selinux_enforce == 'enforcing'
- rhel9cis_rule_1_3_1_5

6
tasks/section_1/cis_1.5.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
when: rhel9cis_rule_1_5_1
tags:
- level1-server
@ -11,11 +11,11 @@
- NIST800-53R5_CM-6
- NIST800-53R5_CM-6.1
block:
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"

6
tasks/section_1/cis_1.6.x.yml
View file

@ -130,7 +130,7 @@
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh"
when:
- rhel9cis_rule_1_6_6
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
@ -144,7 +144,7 @@
- rule_1.6.6
- NIST800-53R5_SC-6
block:
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
@ -153,7 +153,7 @@
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler

6
tasks/section_1/cis_1.7.x.yml
View file

@ -53,7 +53,7 @@
group: root
mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
- name: "1.7.4 | PATCH | Ensure access to /etc/motd is configured"
when: rhel9cis_rule_1_7_4
tags:
- level1-server
@ -69,7 +69,7 @@
group: root
mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
- name: "1.7.5 | PATCH | Ensure access to /etc/issue is configured"
when: rhel9cis_rule_1_7_5
tags:
- level1-server
@ -85,7 +85,7 @@
group: root
mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
- name: "1.7.6 | PATCH | Ensure access to /etc/issue.net is configured"
when: rhel9cis_rule_1_7_6
tags:
- level1-server

4
tasks/section_1/cis_1.8.x.yml
View file

@ -198,7 +198,7 @@
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- gui
- rule_1.8.8
@ -226,7 +226,7 @@
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- gui
- rule_1.8.9

2
tasks/section_2/cis_2.2.x.yml
View file

@ -64,7 +64,7 @@
name: telnet
state: absent
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
- name: "2.2.5 | PATCH | Ensure tftp client is not installed"
when:
- not rhel9cis_tftp_client
- rhel9cis_rule_2_2_5

2
tasks/section_2/cis_2.4.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server

68
tasks/section_3/cis_3.3.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled"
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_3_1
@ -16,23 +16,23 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
@ -60,7 +60,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
when: rhel9cis_rule_3_3_3
tags:
- level1-server
@ -74,16 +74,16 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored"
when: rhel9cis_rule_3_3_4
tags:
- level1-server
@ -97,7 +97,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
@ -106,7 +106,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_5
tags:
- level1-server
@ -120,27 +120,27 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_6
tags:
- level1-server
@ -154,27 +154,27 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
when: rhel9cis_rule_3_3_7
tags:
- level1-server
@ -188,12 +188,12 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -249,7 +249,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
when: rhel9cis_rule_3_3_10
tags:
- level1-server
@ -263,22 +263,22 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted"
when:
- rhel9cis_ipv6_required
- rhel9cis_rule_3_3_11
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.11
@ -288,11 +288,11 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"

18
tasks/section_5/cis_5.1.x.yml
View file

@ -134,7 +134,7 @@
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
when:
- rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
@ -148,7 +148,7 @@
- rule_5.1.6
- NIST800-53R5_SC-6
block:
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
@ -159,7 +159,7 @@
- Update Crypto Policy
- Set Crypto Policy
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
@ -290,7 +290,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when: rhel9cis_rule_5_1_11
tags:
- level1-server
- level2-server
- level1-workstation
- patch
- sshd
@ -360,7 +360,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
when: rhel9cis_rule_5_1_14
tags:
- level1-server
@ -378,7 +378,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
when: rhel9cis_rule_5_1_15
tags:
- level1-server
@ -398,7 +398,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
when: rhel9cis_rule_5_1_16
tags:
- level1-server
@ -438,7 +438,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
- name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
when: rhel9cis_rule_5_1_18
tags:
- level1-server
@ -522,7 +522,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
when: rhel9cis_rule_5_1_22
tags:
- level1-server

2
tasks/section_5/cis_5.3.1.x.yml
View file

@ -39,7 +39,7 @@
ansible.builtin.set_fact:
authselect_update: OK
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
- name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
when:
- rhel9cis_rule_5_3_1_3
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or

2
tasks/section_5/cis_5.3.2.x.yml
View file

@ -65,7 +65,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]"
- name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]'
when:
- rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0

4
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -87,8 +87,8 @@
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when: rhel9cis_rule_5_3_3_1_3
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- automated
- patch
- pam

10
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -67,7 +67,7 @@
- NIST800-53R5_IA-5
- pam
block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
when:
- item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high
@ -81,7 +81,7 @@
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
ansible.builtin.template:
src: "{{ rhel9cis_passwd_minlen_file }}.j2"
dest: "/{{ rhel9cis_passwd_minlen_file }}"
@ -89,7 +89,7 @@
group: root
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@ -101,7 +101,7 @@
- password
- system
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@ -226,7 +226,7 @@
- system
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
when: rhel9cis_rule_5_3_3_2_5
tags:
- level1-server

6
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -15,13 +15,13 @@
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: remember\s*=\s*\d*
line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@ -33,7 +33,7 @@
- password
- system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high

4
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -27,7 +27,7 @@
replace: ''
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
@ -65,7 +65,7 @@
replace: ''
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"

12
tasks/section_5/cis_5.4.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
when: rhel9cis_rule_5_4_1_1
tags:
- level1-server
@ -14,7 +14,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
@ -27,7 +27,7 @@
check_mode: false
register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
when:
- discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_users | map(attribute='username') | list
@ -40,8 +40,8 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when: rhel9cis_rule_5_4_1_2
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- patch
- password
- rule_5.4.1.2
@ -140,7 +140,7 @@
check_mode: false
register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true

4
tasks/section_5/cis_5.4.2.x.yml
View file

@ -94,7 +94,7 @@
vars:
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
@ -105,7 +105,7 @@
ansible.builtin.debug:
msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
- name: "5.4.2.5 | PATCH | Ensure root path integrity"
when: rhel9cis_rule_5_4_2_5
tags:
- level1-server

2
tasks/section_6/cis_6.2.2.x.yml
View file

@ -4,7 +4,7 @@
when: rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- journald
- rule_6.2.2.2

24
tasks/section_6/cis_6.2.3.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed"
- name: "6.2.3.1 | PATCH | Ensure rsyslog is installed"
when:
- "'rsyslog' not in ansible_facts.packages"
- rhel9cis_rule_6_2_3_1
@ -17,7 +17,7 @@
name: rsyslog
state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
- name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
when: rhel9cis_rule_6_2_3_2
tags:
- level1-server
@ -68,7 +68,7 @@
line: '$FileCreateMode 0640'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured"
when: rhel9cis_rule_6_2_3_5
tags:
- level1-server
@ -93,7 +93,7 @@
- "These are the current logging configurations for rsyslog, please review:"
- "{{ discovered_configured_rsyslog.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@ -107,7 +107,7 @@
insertafter: '# Log all the mail messages in one place.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | news.crit log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@ -120,7 +120,7 @@
insertafter: '# Save news errors of level crit and higher in a special file.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Misc. log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@ -134,7 +134,7 @@
insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Local log settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@ -149,7 +149,7 @@
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Auth Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@ -160,7 +160,7 @@
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Cron Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@ -208,7 +208,7 @@
- NIST800-53R5_AU-12
- NIST800-53R5_CM-6
block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not log host"
when: not rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When log host"
when: rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
@ -254,7 +254,7 @@
state: started
enabled: true
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
- name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | set rsyslog conf"
ansible.builtin.template:
src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log

6
tasks/section_6/cis_6.3.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed"
when: rhel9cis_rule_6_3_1_1
tags:
- level2-server
@ -13,13 +13,13 @@
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package:
name: audit
state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package:
name: audit-libs

24
tasks/section_6/cis_6.3.3.x.yml
View file

@ -67,7 +67,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
when: rhel9cis_rule_6_3_3_6
tags:
- level2-server
@ -77,14 +77,14 @@
- rule_6.3.3.6
- NIST800-53R5_AU-3
block:
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
register: discovered_priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.set_fact:
update_audit_template: true
notify: update auditd
@ -197,11 +197,11 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are collected"
when: rhel9cis_rule_6_3_3_15
tags:
- level2-server
- level2- workstation
- level2-workstation
- patch
- auditd
- rule_6.3.3.15
@ -212,7 +212,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are collected"
when: rhel9cis_rule_6_3_3_16
tags:
- level2-server
@ -227,7 +227,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are collected"
when: rhel9cis_rule_6_3_3_17
tags:
- level2-server
@ -242,7 +242,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are collected"
when: rhel9cis_rule_6_3_3_18
tags:
- level2-server
@ -257,7 +257,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
when: rhel9cis_rule_6_3_3_19
tags:
- level2-server
@ -295,9 +295,9 @@
- auditd
- rule_6.3.3.21
- NIST800-53R5_AU-3
ansible.builtin.debug:
msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active"
ansible.builtin.command: augenrules --check
changed_when: false
register: discovered_augenrules_check
- name: Auditd | 6.3.3.x | Auditd controls updated
when: update_audit_template

0
templates/audit/98_auditd_exception.rules.j2 → templates/etc/audit/rules.d/98_auditd_exception.rules.j2
View file

0
templates/audit/99_auditd.rules.j2 → templates/etc/audit/rules.d/99_auditd.rules.j2
View file