QA, lint, standards, var naming, title naming aligned
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
69bef1f371
commit
201edf02e4
39 changed files with 478 additions and 608 deletions
|
|
@ -134,7 +134,7 @@
|
|||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
|
||||
|
||||
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured"
|
||||
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
|
||||
when:
|
||||
- rhel9cis_rule_5_1_6
|
||||
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
|
||||
|
|
@ -148,7 +148,7 @@
|
|||
- rule_5.1.6
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
|
||||
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
|
||||
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
|
||||
|
|
@ -159,7 +159,7 @@
|
|||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
|
||||
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
|
||||
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
|
||||
|
||||
|
|
@ -290,7 +290,7 @@
|
|||
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
|
||||
when: rhel9cis_rule_5_1_11
|
||||
tags:
|
||||
- level1-server
|
||||
- level2-server
|
||||
- level1-workstation
|
||||
- patch
|
||||
- sshd
|
||||
|
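Review bot: The tag list for 5.1.11 carries level1-server, level2-server and level1-workstation but no level2-workstation, while the other tag lists in this commit (5.3.3.1.3, 5.4.1.2) name all four profiles; if the rule applies to workstations at level 1 it presumably applies at level 2 as well, so `- level2-workstation` looks to be missing — confirm against the benchmark profile table before adding it. Which of these lines the hunk actually changes is not recoverable from the rendered page, so this may be pre-existing rather than introduced here. The task body continues outside the hunk.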
|
@ -360,7 +360,7 @@
|
|||
validate: sshd -t -f %s
|
||||
notify: Restart sshd
|
||||
|
||||
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
|
||||
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
|
||||
when: rhel9cis_rule_5_1_14
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -378,7 +378,7 @@
|
|||
validate: sshd -t -f %s
|
||||
notify: Restart sshd
|
||||
|
||||
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
|
||||
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
|
||||
when: rhel9cis_rule_5_1_15
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -398,7 +398,7 @@
|
|||
validate: sshd -t -f %s
|
||||
notify: Restart sshd
|
||||
|
||||
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
|
||||
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
|
||||
when: rhel9cis_rule_5_1_16
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -438,7 +438,7 @@
|
|||
validate: sshd -t -f %s
|
||||
notify: Restart sshd
|
||||
|
||||
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
||||
- name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
|
||||
when: rhel9cis_rule_5_1_18
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -522,7 +522,7 @@
|
|||
validate: sshd -t -f %s
|
||||
notify: Restart sshd
|
||||
|
||||
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
|
||||
- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
|
||||
when: rhel9cis_rule_5_1_22
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
ansible.builtin.set_fact:
|
||||
authselect_update: OK
|
||||
|
||||
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
|
||||
- name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
|
||||
when:
|
||||
- rhel9cis_rule_5_3_1_3
|
||||
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or
|
||||
|
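Review bot: The version test on the 5.3.1.3 `when:` dereferences `ansible_facts.packages['libpwquality']` as its first operand, so on a host where the package is absent — the case the renamed title "Ensure latest version of libpwquality is installed" implies can occur — the condition raises an undefined-variable error instead of evaluating to true. The `or` continuation is outside the hunk; if it is a presence guard such as `'libpwquality' not in ansible_facts.packages`, it has to be the first operand so the short-circuit happens before the lookup: `- "'libpwquality' not in ansible_facts.packages or ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<')"`. The task body continues outside the hunk.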
|
|
|||
|
|
@ -65,7 +65,7 @@
|
|||
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
|
||||
register: discovered_authselect_current_faillock
|
||||
|
||||
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]"
|
||||
- name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]'
|
||||
when:
|
||||
- rhel9cis_allow_authselect_updates
|
||||
- discovered_authselect_current_faillock.rc != 0
|
||||
|
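Review bot: The `# noqa syntax-check[specific]` on the 5.3.2.2 task name is no longer a YAML comment: switching the outer quotes to single quotes puts the stray `"` and the whole noqa text inside the scalar, so ansible-lint will not see the directive and the play output will print it as part of the task name. The old line's trailing `"` was harmless because it sat inside the comment; the fix is to keep the directive outside the scalar and drop the stray quote: `- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect"  # noqa syntax-check[specific]`. The task body continues outside the hunk.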
|
|
|||
|
|
@ -87,8 +87,8 @@
|
|||
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
|
||||
when: rhel9cis_rule_5_3_3_1_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- level2-server
|
||||
- level2-workstation
|
||||
- automated
|
||||
- patch
|
||||
- pam
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@
|
|||
- NIST800-53R5_IA-5
|
||||
- pam
|
||||
block:
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
|
||||
when:
|
||||
- item != rhel9cis_passwd_minlen_file
|
||||
- rhel9cis_disruption_high
|
||||
|
|
@ -81,7 +81,7 @@
|
|||
- /etc/pam.d/password-auth
|
||||
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
|
||||
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
|
||||
ansible.builtin.template:
|
||||
src: "{{ rhel9cis_passwd_minlen_file }}.j2"
|
||||
dest: "/{{ rhel9cis_passwd_minlen_file }}"
|
||||
|
|
@ -89,7 +89,7 @@
|
|||
group: root
|
||||
mode: 'go-rwx'
|
||||
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
|
||||
when:
|
||||
- not rhel9cis_allow_authselect_updates
|
||||
- rhel9cis_disruption_high
|
||||
|
|
@ -101,7 +101,7 @@
|
|||
- password
|
||||
- system
|
||||
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
|
||||
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
|
||||
when:
|
||||
- rhel9cis_allow_authselect_updates
|
||||
- rhel9cis_disruption_high
|
||||
|
|
@ -226,7 +226,7 @@
|
|||
- system
|
||||
notify: Authselect update
|
||||
|
||||
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
|
||||
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
|
||||
when: rhel9cis_rule_5_3_3_2_5
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
|
|||
|
|
@ -15,13 +15,13 @@
|
|||
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
|
||||
register: discovered_pwhistory_remember
|
||||
|
||||
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
|
||||
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/etc/security/pwhistory.conf"
|
||||
regexp: remember\s*=\s*\d*
|
||||
line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
|
||||
|
||||
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
|
||||
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
|
||||
when:
|
||||
- not rhel9cis_allow_authselect_updates
|
||||
- rhel9cis_disruption_high
|
||||
|
|
@ -33,7 +33,7 @@
|
|||
- password
|
||||
- system
|
||||
|
||||
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
|
||||
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
|
||||
when:
|
||||
- rhel9cis_allow_authselect_updates
|
||||
- rhel9cis_disruption_high
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@
|
|||
replace: ''
|
||||
loop: "{{ discovered_pam_nullok.stdout_lines }}"
|
||||
|
||||
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
|
||||
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
|
||||
when: rhel9cis_allow_authselect_updates
|
||||
ansible.builtin.replace:
|
||||
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
|
||||
|
|
@ -65,7 +65,7 @@
|
|||
replace: ''
|
||||
loop: "{{ discovered_pam_remember.stdout_lines }}"
|
||||
|
||||
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
|
||||
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
|
||||
when: rhel9cis_allow_authselect_updates
|
||||
ansible.builtin.replace:
|
||||
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
|
||||
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
||||
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
|
||||
when: rhel9cis_rule_5_4_1_1
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -14,7 +14,7 @@
|
|||
- NIST800-53R5_CM-7
|
||||
- NIST800-53R5_IA-5
|
||||
block:
|
||||
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
||||
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/login.defs
|
||||
regexp: '^PASS_MAX_DAYS'
|
||||
|
|
@ -27,7 +27,7 @@
|
|||
check_mode: false
|
||||
register: discovered_max_days
|
||||
|
||||
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
|
||||
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
|
||||
when:
|
||||
- discovered_max_days.stdout_lines | length > 0
|
||||
- item in prelim_interactive_users | map(attribute='username') | list
|
||||
|
|
@ -40,8 +40,8 @@
|
|||
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
|
||||
when: rhel9cis_rule_5_4_1_2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- level2-server
|
||||
- level2-workstation
|
||||
- patch
|
||||
- password
|
||||
- rule_5.4.1.2
|
||||
|
|
@ -140,7 +140,7 @@
|
|||
check_mode: false
|
||||
register: discovered_passwdlck_user_list
|
||||
|
||||
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
|
||||
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
|
||||
when: item in prelim_interactive_users | map(attribute='username') | list
|
||||
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
|
||||
changed_when: true
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@
|
|||
vars:
|
||||
warn_control_id: '5.4.2.3'
|
||||
|
||||
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
|
||||
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
|
||||
when: rhel9cis_rule_5_4_2_4
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -105,7 +105,7 @@
|
|||
ansible.builtin.debug:
|
||||
msg: "This is set as an assert in tasks/main"
|
||||
|
||||
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
|
||||
- name: "5.4.2.5 | PATCH | Ensure root path integrity"
|
||||
when: rhel9cis_rule_5_4_2_5
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
|
|||