ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-26 06:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

align with public fixes

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-05-28 16:12:31 +01:00
parent f2c03f1e68
commit 2256456f0e
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
5 changed files with 24 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tasks/audit_only.yml
View file

@ -1,15 +1,5 @@
--- ---
- name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files
ansible.builtin.file:
mode: 'u+x,go-w'
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory
delegate_to: localhost
become: false
- name: Audit_only | Show Audit Summary - name: Audit_only | Show Audit Summary
when: audit_only when: audit_only
ansible.builtin.debug: ansible.builtin.debug:

4
tasks/main.yml
View file

@ -17,7 +17,9 @@
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container" - name: "Setup rules if container"
when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"
tags: tags:
- container_discovery - container_discovery
- always - always

20
tasks/prelim.yml
View file

@ -31,9 +31,17 @@
- name: "PRELIM | AUDIT | Interactive Users (reformat)" - name: "PRELIM | AUDIT | Interactive Users (reformat)"
tags: always tags: always
ansible.builtin.set_fact: ansible.builtin.set_fact:
prelim_interactive_usernames: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" prelim_interactive_users: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}"
loop: "{{ prelim_interactive_users_raw.stdout_lines }}" loop: "{{ prelim_interactive_users_raw.stdout_lines }}"
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
changed_when: false
check_mode: false
register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs" - name: "PRELIM | AUDIT | Interactive UIDs"
tags: always tags: always
ansible.builtin.shell: > ansible.builtin.shell: >
@ -203,7 +211,7 @@
tags: tags:
- always - always
block: block:
- name: "PRELIM | AUDIT | Discover is wirelss adapter on system" - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
register: discover_wireless_adapters register: discover_wireless_adapters
changed_when: false changed_when: false
@ -246,6 +254,14 @@
mode: 'go-rwx' mode: 'go-rwx'
state: touch state: touch
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when:
- rhel9cis_rule_5_1_10 or
rhel9cis_rule_5_1_11
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf
register: discovered_sshd_50_redhat_file
- name: "PRELIM | AUDIT | Capture pam security related files" - name: "PRELIM | AUDIT | Capture pam security related files"
tags: always tags: always
ansible.builtin.find: ansible.builtin.find:

2
tasks/section_5/cis_5.1.x.yml
View file

@ -276,6 +276,7 @@
notify: Restart sshd notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override" - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
when: discovered_sshd_50_redhat_file.stat.exists
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
regexp: ^(?i)(#|)\s*X11Forwarding regexp: ^(?i)(#|)\s*X11Forwarding
@ -298,6 +299,7 @@
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file" - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
when: discovered_sshd_50_redhat_file.stat.exists
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
regexp: ^(?i)(#|)\s*GSSAPIAuthentication regexp: ^(?i)(#|)\s*GSSAPIAuthentication

2
tasks/section_7/cis_7.2.x.yml
View file

@ -220,7 +220,7 @@
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
when: discovered_group_check.stdout | length > 0 when: discovered_group_check.stdout | length > 0
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" msg: "Warning!! The following group names are duplicates: {{ discovered_group_check.stdout_lines }}"
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count" - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
when: discovered_group_check.stdout | length > 0 when: discovered_group_check.stdout | length > 0