QA, lint, standards, var naming, title naming aligned

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2026-04-08 12:56:24 +01:00
parent 69bef1f371
commit 201edf02e4
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
39 changed files with 478 additions and 608 deletions

.gitignore

@ -1,7 +1,6 @@
.env .env
*.log *.log
*.retry *.retry
.cache
.vagrant .vagrant
tests/*redhat-subscription tests/*redhat-subscription
tests/Dockerfile tests/Dockerfile
@ -10,11 +9,9 @@ tests/Dockerfile
packer_cache packer_cache
delete* delete*
ignore* ignore*
test_inv
# temp remove doc while this is built up
doc/
# VSCode # VSCode
.vscode .vscode
vagrant
# Byte-compiled / optimized / DLL files # Byte-compiled / optimized / DLL files
__pycache__/ __pycache__/
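Review bot: `.cache` (previous hunk) and `vagrant` are dropped from the ignore list while `.vagrant` is kept, and the `doc/` temporary exclusion goes away, so generated docs and any stray `vagrant` directory will now show up as untracked; if the docs are meant to be tracked from now on that is fine, but say so in the changelog. The new `test_inv` entry is very specific: a pattern such as `test_inv*` would also catch the `test_inv.yml` / `test_inv.ini` variants people tend to create.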
@ -39,13 +36,29 @@ tramp
rh-creds.env rh-creds.env
travis.env travis.env
# Secret/key files
*.vault
*.key
*.pem
*.p12
*.pfx
*.keystore
*.jks
*.credentials
*vault_pass*
.vault_pass
# Lockdown-specific # Lockdown-specific
benchparse/ benchparse/
*xccdf.xml *xccdf.xml
*.retry *.retry
*.pdf
*history.md
*plan.md
*qa_report*
# GitHub Action/Workflow files # GitHub Action/Workflow files
.github/ .github/
# Precommit exclusions # ansible-lint
.ansible/ .ansible/
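Review bot: `.vault_pass` in the new Secret/key files block is already matched by `*vault_pass*` on the line above it and can be dropped. More importantly, `*.key` and `*.pem` will also hide any public certificate or test fixture the role may legitimately need to track, so consider narrowing these to the directories where secrets are actually written, or add `!` exceptions for tracked fixtures. Keep in mind that an ignore entry only affects untracked files: it does not protect a file that is already tracked or one added with `git add -f`.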


@ -17,7 +17,7 @@ rules:
comments: comments:
ignore-shebangs: true ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility min-spaces-from-content: 1 # prettier compatibility
comments-indentation: enable comments-indentation: disable
empty-lines: empty-lines:
max: 1 max: 1
indentation: indentation:
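Review bot: `comments-indentation: enable` → `disable` relaxes the linter rather than fixing the files. If the driver is the same prettier/ansible-lint disagreement that the `min-spaces-from-content: 1 # prettier compatibility` line above records, add the same kind of comment next to this setting so the next person does not simply re-enable it.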


@ -1,4 +1,4 @@
Contributing to MindPoint Group Projects Contributing to Ansible-Lockdown Projects
======================================== ========================================
Rules Rules
@ -20,7 +20,7 @@ Signing your contribution
We've chosen to use the Developer's Certificate of Origin (DCO) method We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects. way to contribute to Ansible-Lockdown projects.
The process is to certify the below DCO 1.1 text The process is to certify the below DCO 1.1 text
:: ::


@ -1,7 +1,34 @@
# Changes to RHEL9CIS # Changes to RHEL9CIS
## 2.0.5 - Based on CIS v2.0.0
## April 2026
- bootloader password logic improved thanks to skullbringer on discord community
- 7.1.12 and 7.1.13 fixed thanks to @bubaimondalsch #440
- 4.3 tags updated
- 2.1.x - improve logic for mask/disable/stop thanks to @numericillustration #434
## March 2026 — workspace alignment
- Common files aligned to std
- workflows updates
- titles updates
- levels aligned
- auditd improvement
- grammar, lint
- vars naming
- Linting: converted ~75 single-item when: conditions from list to inline format
- Linting: added blank line after --- YAML document marker in 10 files
- Linting: fixed register: key order in 8 tasks (now appears after changed_when/failed_when)
- Linting: fixed spelling typo sddr → saddr in cis_4.3.x.yml
- Defaults: added justification comments for service client and bluetooth variables
## Based on CIS v2.0.0
# Feb26 2
#430 thanks to @numericillustration - 5.4.2.5 missing echo
# Feb26 1
- QA Fixes - QA Fixes
- .j2 Branding Update - .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task - Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
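Review bot: heading levels in the new block are inconsistent: `## April 2026` and `## March 2026 — workspace alignment` are siblings of `## 2.0.5 - Based on CIS v2.0.0` rather than children, `## Based on CIS v2.0.0` stands alone without a version, `# Feb26 2` and `# Feb26 1` are top-level headings at the same rank as the file title, and `#430 thanks to @numericillustration - 5.4.2.5 missing echo` is not a heading at all in Markdown (no space after `#`) so it renders as a paragraph. Suggest one `## <version>` per release with `###` month sub-headings and `- ` list items for individual issues. The 2.0.5 entry should also name the user-visible changes made in this commit (partition rules moved to level 2, the new meaning of `audit_bin_copy_location`, the post-audit tag change).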
@ -77,34 +104,6 @@ tidy up tags on tasks/main.yml
- public issue 372 - public issue 372
- allow password with different locale - allow password with different locale
## 2.0.4 - Based on CIS v2.0.0
- addressed issue #419, thank you @aaronk1
- addressed issue #418 thank you @bbaassssiiee
- addressed issue #416 thank you @georgenalen and @bbaassssiiee
- addressed issue #393 thank you to @fragglexarmy
- addressed issue #394 thank you to @dbeuker
- addressed issues #390 and #391 thanks to @polski-g
- addressed issue #398 & #399 thanks to trumbaut
- Added max-concurrent options for audit
- work flow updates
- audit logic improvements
- auditd template 2.19 compatible
- pre-commit updates
- #410 thanks to @kpi-nourman
- #413 thanks to @bbaassssiiee
## 2.0.3 - Based on CIS v2.0.0
- addressed issue #387, thank you @fragglexarmy
- addressed issue #382 to improve regex logic on 5.4.2.4
- improvement on crypto policy managed controls with var logic
- addressed issue #384 thank you @polski-g
- update command to shell module on tasks
- addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g
- pre-commit update
## 2.0.2 - Based on CIS v2.0.0 ## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results - Update to audit_only to allow fetching results
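Review bot: this hunk deletes the whole `## 2.0.4` and `## 2.0.3` sections (issues #419, #418, #416, #393, #394, #390/#391, #398/#399, #410, #413, #387, #382, #384, 371, 350, 364 and the auditd template 2.19 compatibility note), which is the only record users have of what changed between those releases. Unless the notes were moved to a file not shown in this diff, restore them; a changelog should only grow.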

File diff suppressed because it is too large


@ -25,7 +25,7 @@
- name: Pre Audit Setup | Copy audit binary - name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy' when: get_audit_binary_method == 'copy'
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}" src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
owner: root owner: root
group: root group: root
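Review bot: `src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"` → `src: "{{ audit_bin_copy_location }}"` changes the meaning of `audit_bin_copy_location` from a directory of per-architecture binaries to the path of a single binary and drops the architecture selection. An existing inventory that sets it to a directory will now have `ansible.builtin.copy` copy a whole directory onto `{{ audit_bin }}`, and a mixed x86_64/aarch64 fleet can no longer be served from one variable. Either keep the old composition or rename the variable so the change fails loudly, and add a CHANGELOG.md entry either way.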


@ -3,59 +3,47 @@
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific, # Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system. # we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules # This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable" - name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}' ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false changed_when: false
check_mode: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file - name: "POST | AUDITD | Ensure use of privileged commands is collected"
ansible.builtin.stat: ansible.builtin.shell: |
path: /etc/audit/rules.d/99_auditd.rules {%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}
register: discovered_auditd_rules_file for i in $(df | grep '^/dev' | grep -Ev '{{ egrep_exclude }}' | awk '{ print $NF }'); do
find $i -xdev -type f -perm /6000 2>/dev/null;
done
changed_when: false
failed_when: false
check_mode: false
register: discovered_privileged_commands
- name: POST | Apply auditd template for section 6.3.3.x - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
when: update_audit_template when: update_audit_template
vars: vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}" supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template: ansible.builtin.template:
src: audit/99_auditd.rules.j2 src: etc/audit/rules.d/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules dest: /etc/audit/rules.d/99_auditd.rules
owner: root owner: root
group: root group: root
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,go-wx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file register: discovered_audit_rules_updated
register: discovered_auditd_rules_template_updated
notify: notify:
- Auditd immutable check - Auditd rules reload
- Audit immutable fact
- Restart auditd - Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - name: POST | AUDITD | Set up auditd user logging exceptions
when: when: rhel9cis_allow_auditd_uid_user_exclusions
- discovered_auditd_rules_template_updated.changed
- discovered_auditd_rules_file.stat.exists
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, validate as expected'
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/98_auditd_exceptions.rules
register: discovered_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
ansible.builtin.template: ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2 src: etc/audit/rules.d/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root owner: root
group: root group: root
mode: '0640' mode: 'u-x,go-rwx'
diff: "{{ discovered_auditd_exception_file.stat.exists }}"
notify: Restart auditd notify: Restart auditd
- name: POST | AUDITD | Flush handlers
ansible.builtin.meta: flush_handlers
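Review bot: three things in the auditd rewrite need a look. First, in the new privileged-commands discovery, `{%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}` nests `{{ }}` inside a Jinja string literal; Jinja does not evaluate expressions inside string literals, so the `grep -Ev` pattern would carry the literal text rather than the mount list. Build it by concatenation, e.g. `{%- set egrep_exclude = "(asdfmnop|" ~ (rhel9cis_priv_command_excluded_mounts | join('|')) ~ ")" -%}`, and note that with an empty exclusion list the pattern becomes `(asdfmnop|)`, whose empty alternative matches every line, so `grep -Ev` would discard all mounts; guard the empty case explicitly and either explain or remove the `asdfmnop` filler. Second, `mode: 'u-x,g-wx,o-rwx'` → `mode: 'u-x,go-wx'` on /etc/audit/rules.d/99_auditd.rules lets a newly created file keep other-read (0644 under the default umask); the rules file describes exactly what is and is not monitored, so keep `o-rwx` (the exceptions file below correctly moves to `'u-x,go-rwx'`). Third, the `rhel9cis_auditd_uid_exclude | length > 0` guard was dropped from the exceptions task, so the template is rendered even when the exclusion list is empty; confirm the template tolerates that or restore the condition. Minor: the task name moves from section 6.3.3 to 6.2.4.x while CHANGELOG.md in this same commit still says "Based on CIS v2.0.0", so double-check the section reference.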


@ -200,15 +200,13 @@
file: auditd.yml file: auditd.yml
- name: "Run post remediation tasks" - name: "Run post remediation tasks"
tags: tags: always
- post_tasks
- always
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post.yml file: post.yml
- name: "Run post_remediation audit" - name: "Run post remediation audit"
when: run_audit when: run_audit
tags: always tags: run_audit
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post_remediation_audit.yml file: post_remediation_audit.yml
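Review bot: the tag on "Run post remediation audit" changes from `always` to `run_audit`, so a run invoked with a tag filter (for example `--tags level1-server`) now skips the post-remediation audit even when `run_audit` is true, and removing the `post_tasks` tag from the post-tasks import breaks any existing `--skip-tags post_tasks` usage. Both may be intended, but they are user-visible: document them in the changelog and README, and consider keeping `always` on the audit import since `when: run_audit` already gates it.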


@ -1,6 +1,6 @@
--- ---
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] - name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true changed_when: true
environment: environment:
@ -14,11 +14,11 @@
- name: Post Audit | Capture audit data if json format - name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
changed_when: false changed_when: false
register: post_audit_summary register: post_audit_summary_json
- name: Post Audit | Set Fact for audit summary - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}" post_audit_results: "{{ post_audit_summary_json.stdout }}"
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
when: audit_format == "documentation" when: audit_format == "documentation"
@ -26,8 +26,8 @@
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false changed_when: false
register: post_audit_summary register: post_audit_summary_documentation
- name: Post Audit | Set Fact for audit summary - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}" post_audit_results: "{{ post_audit_summary_documentation.stdout }}"


@ -6,7 +6,7 @@
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: LE_audit_setup.yml file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template] - name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
ansible.builtin.file: ansible.builtin.file:
path: "{{ audit_conf_dir }}" path: "{{ audit_conf_dir }}"
mode: 'go-w' mode: 'go-w'
@ -71,8 +71,8 @@
dest: "{{ audit_vars_path }}" dest: "{{ audit_vars_path }}"
mode: 'go-rwx' mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template] - name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true changed_when: true
environment: environment:
AUDIT_BIN: "{{ audit_bin }}" AUDIT_BIN: "{{ audit_bin }}"
@ -85,12 +85,11 @@
- name: Pre Audit | Capture audit data if json format - name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
changed_when: false changed_when: false
failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary_json
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary - name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}" pre_audit_results: "{{ pre_audit_summary_json.stdout }}"
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
when: audit_format == "documentation" when: audit_format == "documentation"
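Review bot: removing `failed_when: pre_audit_summary.stderr | length > 0` while keeping `changed_when: false` leaves this task with no failure condition at all, because the exit status of `grep ... | cut ...` is that of `cut`, so a missing or unreadable `{{ pre_audit_outfile }}` now produces an empty `pre_audit_results` with no error. If the intent is to match the post-audit tasks (which never had the check), at least assert on the result, e.g. `failed_when: pre_audit_summary_json.stdout | length == 0`, or run the pipeline with `set -o pipefail`; the same applies to the documentation-format hunk below.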
@ -98,12 +97,11 @@
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false changed_when: false
failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary_documentation
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary - name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}" pre_audit_results: "{{ pre_audit_summary_documentation.stdout }}"
- name: Audit_Only | Run Audit Only - name: Audit_Only | Run Audit Only
when: audit_only when: audit_only


@ -295,6 +295,13 @@
state: directory state: directory
mode: 'u+x,g-w,o-rwx' mode: 'u+x,g-w,o-rwx'
- name: "PRELIM | AUDIT | Discover if auditd is immutable"
tags: always
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1, 2 ]
register: prelim_auditd_immutable_check
- name: "PRELIM | PATCH | Configure System Accounting (auditd)" - name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when: when:
- '"auditd" not in ansible_facts.packages' - '"auditd" not in ansible_facts.packages'
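Review bot: the new "Discover if auditd is immutable" task omits `check_mode: false`, unlike the other discovery task added in this commit (the `ausyscall --dump` task in the post auditd file), so in a `--check` run the command is skipped and `prelim_auditd_immutable_check` has no `rc`, which will break any later condition that reads it. Also, `grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules` only inspects the file this role writes; a `-e 2` in another rules.d file, or already loaded into the kernel (visible via `auditctl -s`), would be missed, so consider grepping `/etc/audit/rules.d/*.rules` or checking the running state instead.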


@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" - name: "1.1.2.3.1 | PATCH | Ensure separate partition exists for /home"
when: when:
- rhel9cis_rule_1_1_2_3_1 - rhel9cis_rule_1_1_2_3_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.3.1 - rule_1.1.2.3.1
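Review bot: moving 1.1.2.3.1 from `level1-server`/`level1-workstation` to `level2-server`/`level2-workstation` (and the same change for /var, /var/tmp, /var/log and /var/log/audit in the following hunks) means a run limited with `--tags level1-server` will no longer check or create these partitions. That matches the benchmark profile for these controls, but it is a behaviour change for existing users and deserves an explicit CHANGELOG.md line naming the rules; "levels aligned" alone does not tell a user which ones moved.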


@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" - name: "1.1.2.4.1 | PATCH | Ensure separate partition exists for /var"
when: when:
- rhel9cis_rule_1_1_2_4_1 - rhel9cis_rule_1_1_2_4_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.4.1 - rule_1.1.2.4.1


@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" - name: "1.1.2.5.1 | PATCH | Ensure separate partition exists for /var/tmp"
when: when:
- rhel9cis_rule_1_1_2_5_1 - rhel9cis_rule_1_1_2_5_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.5.1 - rule_1.1.2.5.1


@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition" - name: "1.1.2.6.1 | PATCH | Ensure separate partition exists for /var/log"
when: when:
- rhel9cis_rule_1_1_2_6_1 - rhel9cis_rule_1_1_2_6_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.6.1 - rule_1.1.2.6.1


@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition" - name: "1.1.2.7.1 | PATCH | Ensure separate partition exists for /var/log/audit"
when: when:
- rhel9cis_rule_1_1_2_7_1 - rhel9cis_rule_1_1_2_7_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.7.1 - rule_1.1.2.7.1


@ -55,7 +55,7 @@
policy: "{{ rhel9cis_selinux_pol }}" policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}" state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled" - name: "1.3.1.4 | PATCH | Ensure the SELinux mode is not disabled"
when: when:
- rhel9cis_rule_1_3_1_4 - rhel9cis_rule_1_3_1_4
- not rhel9cis_selinux_disable - not rhel9cis_selinux_disable
@ -72,7 +72,7 @@
policy: "{{ rhel9cis_selinux_pol }}" policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}" state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing" - name: "1.3.1.5 | PATCH | Ensure the SELinux mode is enforcing"
when: when:
- rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_selinux_enforce == 'enforcing'
- rhel9cis_rule_1_3_1_5 - rhel9cis_rule_1_3_1_5


@ -1,6 +1,6 @@
--- ---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
when: rhel9cis_rule_1_5_1 when: rhel9cis_rule_1_5_1
tags: tags:
- level1-server - level1-server
@ -11,11 +11,11 @@
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
- NIST800-53R5_CM-6.1 - NIST800-53R5_CM-6.1
block: block:
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"


@ -130,7 +130,7 @@
- Update Crypto Policy - Update Crypto Policy
- Set Crypto Policy - Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh"
when: when:
- rhel9cis_rule_1_6_6 - rhel9cis_rule_1_6_6
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
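Review bot: the renamed 1.6.6 task name now reads `chacha20- poly1305` with a space inside the cipher name, here and in the two 1.6.6 hunks that follow; that looks like a line break carried over from the benchmark PDF rather than an intended title change, and it breaks searching the role for `chacha20-poly1305`. Suggest restoring `chacha20-poly1305 for ssh` in all three names.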
@ -144,7 +144,7 @@
- rule_1.6.6 - rule_1.6.6
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
@ -153,7 +153,7 @@
mode: 'g-wx,o-rwx' mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler


@ -53,7 +53,7 @@
group: root group: root
mode: 'go-wx' mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - name: "1.7.4 | PATCH | Ensure access to /etc/motd is configured"
when: rhel9cis_rule_1_7_4 when: rhel9cis_rule_1_7_4
tags: tags:
- level1-server - level1-server
@ -69,7 +69,7 @@
group: root group: root
mode: 'go-wx' mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - name: "1.7.5 | PATCH | Ensure access to /etc/issue is configured"
when: rhel9cis_rule_1_7_5 when: rhel9cis_rule_1_7_5
tags: tags:
- level1-server - level1-server
@ -85,7 +85,7 @@
group: root group: root
mode: 'go-wx' mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - name: "1.7.6 | PATCH | Ensure access to /etc/issue.net is configured"
when: rhel9cis_rule_1_7_6 when: rhel9cis_rule_1_7_6
tags: tags:
- level1-server - level1-server


@ -198,7 +198,7 @@
- rhel9cis_gui - rhel9cis_gui
tags: tags:
- level1-server - level1-server
- level2-workstation - level1-workstation
- patch - patch
- gui - gui
- rule_1.8.8 - rule_1.8.8
@ -226,7 +226,7 @@
- rhel9cis_gui - rhel9cis_gui
tags: tags:
- level1-server - level1-server
- level2-workstation - level1-workstation
- patch - patch
- gui - gui
- rule_1.8.9 - rule_1.8.9


@ -64,7 +64,7 @@
name: telnet name: telnet
state: absent state: absent
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed" - name: "2.2.5 | PATCH | Ensure tftp client is not installed"
when: when:
- not rhel9cis_tftp_client - not rhel9cis_tftp_client
- rhel9cis_rule_2_2_5 - rhel9cis_rule_2_2_5


@ -1,6 +1,6 @@
--- ---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled" - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
when: rhel9cis_rule_2_4_1_1 when: rhel9cis_rule_2_4_1_1
tags: tags:
- level1-server - level1-server


@ -1,6 +1,6 @@
--- ---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled"
when: when:
- not rhel9cis_is_router - not rhel9cis_is_router
- rhel9cis_rule_3_3_1 - rhel9cis_rule_3_3_1
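Review bot: style point on the 3.3.x renames, here and in the following hunks: `IP`, `ICMP`, `TCP SYN` and `Reverse Path Filtering` become lower case (`ip forwarding`, `icmp redirects`, `tcp syn cookies`). If the goal is to match the benchmark titles verbatim that is defensible, and the 1.5.1 rename dropping `(ASLR)` follows the same idea, but the `SELinux` titles elsewhere in this commit keep their casing, so state the rule (verbatim benchmark title) in CONTRIBUTING so future renames stay consistent.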
@ -16,23 +16,23 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | IPv6"
when: rhel9cis_ipv6_required when: rhel9cis_ipv6_required
block: block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
@ -60,7 +60,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
when: rhel9cis_rule_3_3_3 when: rhel9cis_rule_3_3_3
tags: tags:
- level1-server - level1-server
@ -74,16 +74,16 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored"
when: rhel9cis_rule_3_3_4 when: rhel9cis_rule_3_3_4
tags: tags:
- level1-server - level1-server
@ -97,7 +97,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" - name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
@ -106,7 +106,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_5 when: rhel9cis_rule_3_3_5
tags: tags:
- level1-server - level1-server
@ -120,27 +120,27 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required when: rhel9cis_ipv6_required
block: block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_6 when: rhel9cis_rule_3_3_6
tags: tags:
- level1-server - level1-server
@ -154,27 +154,27 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required when: rhel9cis_ipv6_required
block: block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
when: rhel9cis_rule_3_3_7 when: rhel9cis_rule_3_3_7
tags: tags:
- level1-server - level1-server
@ -188,12 +188,12 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -249,7 +249,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
when: rhel9cis_rule_3_3_10 when: rhel9cis_rule_3_3_10
tags: tags:
- level1-server - level1-server
@ -263,22 +263,22 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted" - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted"
when: when:
- rhel9cis_ipv6_required - rhel9cis_ipv6_required
- rhel9cis_rule_3_3_11 - rhel9cis_rule_3_3_11
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- sysctl - sysctl
- patch - patch
- rule_3.3.11 - rule_3.3.11
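Review bot: the profile tags for 3.3.11 move from level2-server/level2-workstation to level1-server/level1-workstation, which widens the set of hosts that get this IPv6 router-advertisement sysctl applied on a `--tags level1-server` run, yet the commit message only mentions QA, lint and naming. Either state in the description which benchmark revision the new level comes from or split the profile-level changes into their own commit so the behavioural change is visible in the history rather than buried among title renames.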
@ -288,11 +288,11 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
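Review bot: the debug message on the last line of this hunk still points at `/etc/sysctl.d/60-netipv6_sysctl` while every sibling task in this file says `60-netipv6_sysctl.conf`; since the line is being rewritten for the title change anyway, add the missing `.conf` so the message names the same file as the other IPv6 tasks and the handler it refers to.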

View file

@ -134,7 +134,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured" - name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
when: when:
- rhel9cis_rule_5_1_6 - rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
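Review bot: retitling rule 5.1.6 from KexAlgorithms to MACs matches the body, which excludes `NO-SSHWEAKMACS` from the crypto policy, but nothing in this hunk shows where the KexAlgorithms control now lives. Confirm that a task with its own rule id and its own crypto-policy submodule still exists for Kex so that a control is not silently dropped by the rename, and mention the old/new mapping in the commit message since anyone overriding `rhel9cis_rule_5_1_6` in their inventory now toggles a different control.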
@ -148,7 +148,7 @@
- rule_5.1.6 - rule_5.1.6
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion" - name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
@ -159,7 +159,7 @@
- Update Crypto Policy - Update Crypto Policy
- Set Crypto Policy - Set Crypto Policy
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules" - name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
@ -290,7 +290,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when: rhel9cis_rule_5_1_11 when: rhel9cis_rule_5_1_11
tags: tags:
- level1-server - level2-server
- level1-workstation - level1-workstation
- patch - patch
- sshd - sshd
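Review bot: 5.1.11 now carries level2-server together with level1-workstation. That split does exist for some CIS sshd controls, so it may well be intended, but next to the surrounding level1/level1 tasks it reads like a typo; add a short comment above the tags naming the benchmark level table it was taken from, and note the change in the commit message because level1-server runs will no longer set GSSAPIAuthentication.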
@ -360,7 +360,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less" - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
when: rhel9cis_rule_5_1_14 when: rhel9cis_rule_5_1_14
tags: tags:
- level1-server - level1-server
@ -378,7 +378,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate" - name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
when: rhel9cis_rule_5_1_15 when: rhel9cis_rule_5_1_15
tags: tags:
- level1-server - level1-server
@ -398,7 +398,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less" - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
when: rhel9cis_rule_5_1_16 when: rhel9cis_rule_5_1_16
tags: tags:
- level1-server - level1-server
@ -438,7 +438,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
when: rhel9cis_rule_5_1_18 when: rhel9cis_rule_5_1_18
tags: tags:
- level1-server - level1-server
@ -522,7 +522,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled" - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
when: rhel9cis_rule_5_1_22 when: rhel9cis_rule_5_1_22
tags: tags:
- level1-server - level1-server

View file

@ -39,7 +39,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
authselect_update: OK authselect_update: OK
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed" - name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
when: when:
- rhel9cis_rule_5_3_1_3 - rhel9cis_rule_5_3_1_3
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or - ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or
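Review bot: the new title says "latest version of libpwquality" but the visible condition only fires when the installed version is older than 1.4.4-8, so the task enforces a floor, not the latest package; either keep the old wording ("Ensure libpwquality is installed", with the version floor in the condition) or switch the package task to `state: latest` if that is really the intent. Separately, `ansible_facts.packages['libpwquality'][0]['version']` raises an undefined-variable error when the package is absent, and because it is the left operand of the `or` it is evaluated first; put an `'libpwquality' in ansible_facts.packages` test before it unless the continuation on the next line already does that in the right order.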

View file

@ -65,7 +65,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock register: discovered_authselect_current_faillock
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]" - name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]'
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0 - discovered_authselect_current_faillock.rc != 0
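Review bot: the quoting change on the task name breaks the lint suppression. In the old line `# noqa syntax-check[specific]` sat outside the double-quoted string and was a YAML comment (the trailing `"` was harmless inside that comment); in the new line the whole thing is wrapped in single quotes, so `" # noqa syntax-check[specific]` is now literally part of the task name and ansible-lint will no longer recognise it as a noqa directive. Keep the name in double quotes ending at `authselect"` and place `# noqa syntax-check[specific]` after it, dropping the stray trailing quote.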

View file

@ -87,8 +87,8 @@
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when: rhel9cis_rule_5_3_3_1_3 when: rhel9cis_rule_5_3_3_1_3
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- automated - automated
- patch - patch
- pam - pam
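Review bot: 5.3.3.1.3 (include root in the faillock lockout) moves from level1 to level2 on both profiles. For level1 runs that is a real relaxation, since root is no longer locked after repeated failed attempts, and it is not called out anywhere in the commit message; please state the benchmark revision the new level comes from so the change is traceable.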

View file

@ -67,7 +67,7 @@
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
- pam - pam
block: block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
when: when:
- item != rhel9cis_passwd_minlen_file - item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -81,7 +81,7 @@
- /etc/pam.d/password-auth - /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}" - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
ansible.builtin.template: ansible.builtin.template:
src: "{{ rhel9cis_passwd_minlen_file }}.j2" src: "{{ rhel9cis_passwd_minlen_file }}.j2"
dest: "/{{ rhel9cis_passwd_minlen_file }}" dest: "/{{ rhel9cis_passwd_minlen_file }}"
@ -89,7 +89,7 @@
group: root group: root
mode: 'go-rwx' mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -101,7 +101,7 @@
- password - password
- system - system
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -226,7 +226,7 @@
- system - system
notify: Authselect update notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
when: rhel9cis_rule_5_3_3_2_5 when: rhel9cis_rule_5_3_3_2_5
tags: tags:
- level1-server - level1-server

View file

@ -15,13 +15,13 @@
failed_when: discovered_pwhistory_remember.rc not in [0, 1] failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file" - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf" path: "/etc/security/pwhistory.conf"
regexp: remember\s*=\s*\d* regexp: remember\s*=\s*\d*
line: remember = {{ rhel9cis_pamd_pwhistory_remember }} line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect" - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -33,7 +33,7 @@
- password - password
- system - system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect" - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high

View file

@ -27,7 +27,7 @@
replace: '' replace: ''
loop: "{{ discovered_pam_nullok.stdout_lines }}" loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates when: rhel9cis_allow_authselect_updates
ansible.builtin.replace: ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
@ -65,7 +65,7 @@
replace: '' replace: ''
loop: "{{ discovered_pam_remember.stdout_lines }}" loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates when: rhel9cis_allow_authselect_updates
ansible.builtin.replace: ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"

View file

@ -1,6 +1,6 @@
--- ---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
when: rhel9cis_rule_5_4_1_1 when: rhel9cis_rule_5_4_1_1
tags: tags:
- level1-server - level1-server
@ -14,7 +14,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/login.defs path: /etc/login.defs
regexp: '^PASS_MAX_DAYS' regexp: '^PASS_MAX_DAYS'
@ -27,7 +27,7 @@
check_mode: false check_mode: false
register: discovered_max_days register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
when: when:
- discovered_max_days.stdout_lines | length > 0 - discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_users | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
@ -40,8 +40,8 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when: rhel9cis_rule_5_4_1_2 when: rhel9cis_rule_5_4_1_2
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- patch - patch
- password - password
- rule_5.4.1.2 - rule_5.4.1.2
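Review bot: 5.4.1.2 minimum password days goes from level1 to level2 on both profiles, the same kind of silent scope change as 3.3.11 and 5.3.3.1.3 elsewhere in this commit; add a changelog or commit-message line for it so users filtering on level1 tags know PASS_MIN_DAYS is no longer set for them.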
@ -140,7 +140,7 @@
check_mode: false check_mode: false
register: discovered_passwdlck_user_list register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_users | map(attribute='username') | list when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true changed_when: true
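Review bot: the `chage --inactive` task under 5.4.1.5 has `changed_when: true`, so every run of the role reports a change for every interactive user even when the value is already correct, which hides real drift in reports and defeats idempotence checks. Unless `discovered_passwdlck_user_list` is already filtered to users whose current inactive value differs (not visible in this hunk), compare against the existing value before running the command, or at least derive `changed_when` from that comparison.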

View file

@ -94,7 +94,7 @@
vars: vars:
warn_control_id: '5.4.2.3' warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled " - name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
when: rhel9cis_rule_5_4_2_4 when: rhel9cis_rule_5_4_2_4
tags: tags:
- level1-server - level1-server
@ -105,7 +105,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "This is set as an assert in tasks/main" msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" - name: "5.4.2.5 | PATCH | Ensure root path integrity"
when: rhel9cis_rule_5_4_2_5 when: rhel9cis_rule_5_4_2_5
tags: tags:
- level1-server - level1-server

View file

@ -4,7 +4,7 @@
when: rhel9cis_rule_6_2_2_2 when: rhel9cis_rule_6_2_2_2
tags: tags:
- level1-server - level1-server
- level2-workstation - level1-workstation
- patch - patch
- journald - journald
- rule_6.2.2.2 - rule_6.2.2.2
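Review bot: 6.2.2.2 drops from level2-workstation to level1-workstation while level1-server is unchanged, so workstations now receive this journald control at level 1. Fine if it matches the benchmark, but it is another profile change in a commit described as naming and lint work; a one-line comment above the tags citing the benchmark level would save the next reviewer a lookup.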

View file

@ -1,6 +1,6 @@
--- ---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed" - name: "6.2.3.1 | PATCH | Ensure rsyslog is installed"
when: when:
- "'rsyslog' not in ansible_facts.packages" - "'rsyslog' not in ansible_facts.packages"
- rhel9cis_rule_6_2_3_1 - rhel9cis_rule_6_2_3_1
@ -17,7 +17,7 @@
name: rsyslog name: rsyslog
state: present state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active" - name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
when: rhel9cis_rule_6_2_3_2 when: rhel9cis_rule_6_2_3_2
tags: tags:
- level1-server - level1-server
@ -68,7 +68,7 @@
line: '$FileCreateMode 0640' line: '$FileCreateMode 0640'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured"
when: rhel9cis_rule_6_2_3_5 when: rhel9cis_rule_6_2_3_5
tags: tags:
- level1-server - level1-server
@ -93,7 +93,7 @@
- "These are the current logging configurations for rsyslog, please review:" - "These are the current logging configurations for rsyslog, please review:"
- "{{ discovered_configured_rsyslog.stdout_lines }}" - "{{ discovered_configured_rsyslog.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -107,7 +107,7 @@
insertafter: '# Log all the mail messages in one place.' insertafter: '# Log all the mail messages in one place.'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | news.crit log setting"
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -120,7 +120,7 @@
insertafter: '# Save news errors of level crit and higher in a special file.' insertafter: '# Save news errors of level crit and higher in a special file.'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Misc. log setting"
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -134,7 +134,7 @@
insertbefore: '# ### sample forwarding rule ###' insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Local log settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
@ -149,7 +149,7 @@
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Auth Settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
@ -160,7 +160,7 @@
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Cron Settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
@ -208,7 +208,7 @@
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
block: block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host" - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not log host"
when: not rhel9cis_system_is_log_server when: not rhel9cis_system_is_log_server
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
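Review bot: the `replace` under "When not log host" only edits /etc/rsyslog.conf, but the imudp/imtcp `module(load=...)` and `input(type=...)` lines it targets are just as likely to live in a drop-in under /etc/rsyslog.d/, which the stock rsyslog.conf includes; a host with a listener configured there passes this task and still fails the audit. Loop the replace over /etc/rsyslog.conf plus the results of a `find` on /etc/rsyslog.d/*.conf.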
@ -221,7 +221,7 @@
- '^(module\(load="imtcp"\))' - '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")' - '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host" - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When log host"
when: rhel9cis_system_is_log_server when: rhel9cis_system_is_log_server
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -254,7 +254,7 @@
state: started state: started
enabled: true enabled: true
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf" - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | set rsyslog conf"
ansible.builtin.template: ansible.builtin.template:
src: etc/logrotate.d/rsyslog_log.j2 src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log dest: /etc/logrotate.d/rsyslog_log

View file

@ -1,6 +1,6 @@
--- ---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed" - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed"
when: rhel9cis_rule_6_3_1_1 when: rhel9cis_rule_6_3_1_1
tags: tags:
- level2-server - level2-server
@ -13,13 +13,13 @@
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
- NIST800-53R5_SI-5 - NIST800-53R5_SI-5
block: block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages' when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package: ansible.builtin.package:
name: audit name: audit
state: present state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages' when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package: ansible.builtin.package:
name: audit-libs name: audit-libs
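Review bot: the guards in this block test for keys that can never appear in ansible_facts.packages: the tasks install `audit` and `audit-libs`, but the conditions check `"auditd"` and `"auditd-lib"`. Both conditions are therefore always true and the package module is invoked on every run instead of being skipped on compliant hosts. Change the keys to `audit` and `audit-libs`, or drop the guards entirely since `state: present` is already idempotent.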

View file

@ -67,7 +67,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
when: rhel9cis_rule_6_3_3_6 when: rhel9cis_rule_6_3_3_6
tags: tags:
- level2-server - level2-server
@ -77,14 +77,14 @@
- rule_6.3.3.6 - rule_6.3.3.6
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
block: block:
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: discovered_priv_procs register: discovered_priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
notify: update auditd notify: update auditd
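Review bot: the two subtasks under 6.3.3.6 keep exactly the parent block's name, "Ensure use of privileged commands are collected", while every other block in this file suffixes its subtasks (`| Set Fact`, `| IPv6`, and so on). Give them distinct suffixes such as `| Find setuid/setgid binaries` and `| Set Fact` so task output and any failure point at the right step. Also, with `failed_when: false` on the discovery shell, a `find` that fails outright still yields an empty `discovered_priv_procs` and the audit template is flagged for update with no privileged commands in it; since stderr is already discarded with `2>/dev/null`, consider failing on a non-zero return instead.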
@ -197,11 +197,11 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are collected"
when: rhel9cis_rule_6_3_3_15 when: rhel9cis_rule_6_3_3_15
tags: tags:
- level2-server - level2-server
- level2- workstation - level2-workstation
- patch - patch
- auditd - auditd
- rule_6.3.3.15 - rule_6.3.3.15
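Review bot: the tag here was previously `level2- workstation` (with a space), so 6.3.3.15 was silently absent from every `--tags level2-workstation` run; the correction is a behavioural fix for workstation profiles, not just lint, and deserves its own changelog line.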
@ -212,7 +212,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are collected"
when: rhel9cis_rule_6_3_3_16 when: rhel9cis_rule_6_3_3_16
tags: tags:
- level2-server - level2-server
@ -227,7 +227,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are collected"
when: rhel9cis_rule_6_3_3_17 when: rhel9cis_rule_6_3_3_17
tags: tags:
- level2-server - level2-server
@ -242,7 +242,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are collected"
when: rhel9cis_rule_6_3_3_18 when: rhel9cis_rule_6_3_3_18
tags: tags:
- level2-server - level2-server
@ -257,7 +257,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected" - name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
when: rhel9cis_rule_6_3_3_19 when: rhel9cis_rule_6_3_3_19
tags: tags:
- level2-server - level2-server
@ -295,9 +295,9 @@
- auditd - auditd
- rule_6.3.3.21 - rule_6.3.3.21
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
ansible.builtin.debug: ansible.builtin.command: augenrules --check
msg: changed_when: false
- "Please run augenrules --load if you suspect there is a configuration that is not active" register: discovered_augenrules_check
- name: Auditd | 6.3.3.x | Auditd controls updated - name: Auditd | 6.3.3.x | Auditd controls updated
when: update_audit_template when: update_audit_template
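Review bot: the new `augenrules --check` task registers `discovered_augenrules_check` but nothing in this hunk consumes it, so on its own the rule still enforces nothing and the previous advice to run `augenrules --load` is gone. Add a follow-up task that notifies the auditd handler (or fails/warns) when the output reports that the rules have changed, or keep the debug message. Also add `check_mode: false` so the command still runs, and the registered variable is defined, when the role is executed with `--check`.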