mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
Added Nist values
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
8b58d71e4b
commit
2bf67cde0d
16 changed files with 100 additions and 21 deletions
|
|
@ -9,6 +9,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.1
|
||||
- cramfs
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -42,6 +43,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.2
|
||||
- freevxfs
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -75,6 +77,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.3
|
||||
- hfs
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -108,6 +111,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.4
|
||||
- hfsplus
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -141,6 +145,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.5
|
||||
- jffs2
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -174,6 +179,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.6
|
||||
- squashfs
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -207,6 +213,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.7
|
||||
- udf
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -240,6 +247,7 @@
|
|||
- patch
|
||||
- rule_1.1.1.8
|
||||
- usb
|
||||
- NIST800-53R5_SI-3
|
||||
block:
|
||||
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -272,7 +280,6 @@
|
|||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.1.1.9
|
||||
- usb
|
||||
vars:
|
||||
warn_control_id: '1.1.1.9'
|
||||
block:
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
- audit
|
||||
- mounts
|
||||
- rule_1.1.2.1.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.1.1'
|
||||
required_mount: '/tmp'
|
||||
|
|
@ -51,6 +52,9 @@
|
|||
- rule_1.1.2.1.2
|
||||
- rule_1.1.2.1.3
|
||||
- rule_1.1.2.1.4
|
||||
- NIST800-53R5_CM-7
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
|
||||
# via systemd
|
||||
- name: |
|
||||
|
|
@ -73,6 +77,8 @@
|
|||
- rule_1.1.2.1.2
|
||||
- rule_1.1.2.1.3
|
||||
- rule_1.1.2.1.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.template:
|
||||
src: etc/systemd/system/tmp.mount.j2
|
||||
dest: /etc/systemd/system/tmp.mount
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
- audit
|
||||
- mounts
|
||||
- rule_1.1.2.2.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.2.1'
|
||||
block:
|
||||
|
|
@ -45,6 +46,8 @@
|
|||
- rule_1.1.2.2.2
|
||||
- rule_1.1.2.2.3
|
||||
- rule_1.1.2.2.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.posix.mount:
|
||||
name: /dev/shm
|
||||
src: tmpfs
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
- audit
|
||||
- mounts
|
||||
- rule_1_1_2.3.1
|
||||
- skip_ansible_lint
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.3.1'
|
||||
required_mount: '/home'
|
||||
|
|
@ -37,6 +37,9 @@
|
|||
- mounts
|
||||
- rule_1_1_2.3.2
|
||||
- rule_1_1_2.3.3
|
||||
- NIST800-53R5_CM-7
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
name: /home
|
||||
src: "{{ item.device }}"
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
- patch
|
||||
- mounts
|
||||
- rule_1_1_2.4.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.4.1'
|
||||
required_mount: '/var'
|
||||
|
|
@ -37,6 +38,8 @@
|
|||
- mounts
|
||||
- rule_1_1_2.4.2
|
||||
- rule_1_1_2.4.3
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
name: /var
|
||||
src: "{{ item.device }}"
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@
|
|||
- audit
|
||||
- mounts
|
||||
- rule_1_1_2.5.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.5.1'
|
||||
required_mount: '/var/tmp'
|
||||
|
|
@ -41,6 +42,8 @@
|
|||
- rule_1_1_2.5.2
|
||||
- rule_1_1_2.5.3
|
||||
- rule_1_1_2.5.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
name: /var/tmp
|
||||
src: "{{ item.device }}"
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
- audit
|
||||
- mounts
|
||||
- rule_1_1_2.6.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.6.1'
|
||||
required_mount: '/var/log'
|
||||
|
|
@ -39,6 +40,8 @@
|
|||
- rule_1_1_2.6.2
|
||||
- rule_1_1_2.6.3
|
||||
- rule_1_1_2.6.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
name: /var/log
|
||||
src: "{{ item.device }}"
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
- audit
|
||||
- mounts
|
||||
- rule_1_1_2.7.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.7.1'
|
||||
required_mount: '/var/log/audit'
|
||||
|
|
@ -49,3 +50,5 @@
|
|||
- rule_1_1_2.7.2
|
||||
- rule_1_1_2.7.3
|
||||
- rule_1_1_2.7.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@
|
|||
- manual
|
||||
- patch
|
||||
- rule_1.2.1.1
|
||||
- NIST800-53R5_SI-2
|
||||
block:
|
||||
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
|
||||
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
|
||||
|
|
@ -41,6 +42,7 @@
|
|||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.2.1.2
|
||||
- NIST800-53R5_SI-2
|
||||
block:
|
||||
- name: "1.2.1.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos"
|
||||
ansible.builtin.find:
|
||||
|
|
@ -68,6 +70,7 @@
|
|||
- manual
|
||||
- audit
|
||||
- rule_1.2.1.3
|
||||
- NIST800-53R5_SI-2
|
||||
block:
|
||||
- name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -99,7 +102,7 @@
|
|||
- manual
|
||||
- audit
|
||||
- rule_1.2.1.4
|
||||
- skip_ansible_lint
|
||||
- NIST800-53R5_SI-2
|
||||
vars:
|
||||
warn_control_id: '1.2.1.4'
|
||||
block:
|
||||
|
|
|
|||
|
|
@ -1,16 +1,16 @@
|
|||
---
|
||||
|
||||
- name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed"
|
||||
ansible.builtin.package:
|
||||
name: "*"
|
||||
state: latest
|
||||
notify: Change_requires_reboot
|
||||
when:
|
||||
- rhel9cis_rule_1_2_2_1
|
||||
- not system_is_ec2
|
||||
- rhel9cis_rule_1_2_2_1
|
||||
- not system_is_ec2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.2.2.1
|
||||
- skip_ansible_lint
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.2.2.1
|
||||
- NIST800-53R5_SI-2
|
||||
ansible.builtin.package:
|
||||
name: "*"
|
||||
state: latest
|
||||
notify: Change_requires_reboot
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@
|
|||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.3.1.1
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.package:
|
||||
name: libselinux
|
||||
state: present
|
||||
|
|
@ -23,6 +25,8 @@
|
|||
- scored
|
||||
- patch
|
||||
- rule_1.3.1.2
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.replace:
|
||||
path: /etc/default/grub
|
||||
regexp: '{{ item }}'
|
||||
|
|
@ -45,6 +49,8 @@
|
|||
- selinux
|
||||
- patch
|
||||
- rule_1.3.1.3
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.posix.selinux:
|
||||
conf: /etc/selinux/config
|
||||
policy: "{{ rhel9cis_selinux_pol }}"
|
||||
|
|
@ -60,6 +66,8 @@
|
|||
- selinux
|
||||
- patch
|
||||
- rule_1.3.1.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.posix.selinux:
|
||||
conf: /etc/selinux/config
|
||||
policy: "{{ rhel9cis_selinux_pol }}"
|
||||
|
|
@ -76,6 +84,8 @@
|
|||
- selinux
|
||||
- patch
|
||||
- rule_1.3.1.5
|
||||
- NIST800-53R4_AC-3
|
||||
- NIST800-53R4_SI-6
|
||||
ansible.posix.selinux:
|
||||
conf: /etc/selinux/config
|
||||
policy: "{{ rhel9cis_selinux_pol }}"
|
||||
|
|
@ -91,6 +101,8 @@
|
|||
- audit
|
||||
- services
|
||||
- rule_1.3.1.6
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
vars:
|
||||
warn_control_id: '1.3.1.6'
|
||||
block:
|
||||
|
|
@ -118,6 +130,8 @@
|
|||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.3.1.7
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.package:
|
||||
name: mcstrans
|
||||
state: absent
|
||||
|
|
@ -134,3 +148,5 @@
|
|||
- selinux
|
||||
- patch
|
||||
- rule_1.3.1.8
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
- grub
|
||||
- patch
|
||||
- rule_1.4.1
|
||||
- NIST800-53R5_AC-3
|
||||
ansible.builtin.copy:
|
||||
dest: /boot/grub2/user.cfg
|
||||
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
|
||||
|
|
@ -27,6 +28,7 @@
|
|||
- grub
|
||||
- patch
|
||||
- rule_1.4.2
|
||||
- NIST800-53R5_AC-3
|
||||
block:
|
||||
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
||||
ansible.builtin.file:
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@
|
|||
- patch
|
||||
- sysctl
|
||||
- rule_1.5.1
|
||||
- NIST800-53R5_CM-6
|
||||
- NIST800-53R5_CM-6.1
|
||||
block:
|
||||
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
|
||||
ansible.builtin.set_fact:
|
||||
|
|
@ -45,6 +47,7 @@
|
|||
- patch
|
||||
- sysctl
|
||||
- rule_1.5.3
|
||||
- NIST800-53R5_CM-6b
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/systemd/coredump.conf
|
||||
regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
|
||||
|
|
|
|||
|
|
@ -8,7 +8,9 @@
|
|||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- crypto
|
||||
- rule_1.6.1
|
||||
- NIST800-53R5_SC-6
|
||||
ansible.builtin.debug:
|
||||
msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
|
||||
changed_when: true
|
||||
|
|
@ -25,6 +27,9 @@
|
|||
- automated
|
||||
- patch
|
||||
- rule_1.6.2
|
||||
- NIST800-53R5_SC-8
|
||||
- NIST800-53R5_IA-5
|
||||
- NIST800-53R5_AC-17- NIST800-53R5_SC-6
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/sysconfig/sshd
|
||||
regexp: ^CRYPTO_POLICY\s*=
|
||||
|
|
@ -40,7 +45,9 @@
|
|||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- crypto
|
||||
- rule_1.6.3
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -66,7 +73,9 @@
|
|||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- crypto
|
||||
- rule_1.6.4
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -93,7 +102,9 @@
|
|||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- crypto
|
||||
- rule_1.6.5
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -119,7 +130,9 @@
|
|||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- crypto
|
||||
- rule_1.6.6
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -145,7 +158,9 @@
|
|||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- crypto
|
||||
- rule_1.6.7
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
|
|
|
|||
|
|
@ -9,6 +9,9 @@
|
|||
- banner
|
||||
- patch
|
||||
- rule_1.7.1
|
||||
- NIST800-53R5_CM-1
|
||||
- NIST800-53R5_CM-3
|
||||
- NIST800-53R5_CM-6
|
||||
ansible.builtin.template:
|
||||
src: etc/motd.j2
|
||||
dest: /etc/motd
|
||||
|
|
@ -24,6 +27,9 @@
|
|||
- level1-workstation
|
||||
- patch
|
||||
- rule_1.7.2
|
||||
- NIST800-53R5_CM-1
|
||||
- NIST800-53R5_CM-3
|
||||
- NIST800-53R5_CM-6
|
||||
ansible.builtin.template:
|
||||
src: etc/issue.j2
|
||||
dest: /etc/issue
|
||||
|
|
@ -40,6 +46,9 @@
|
|||
- banner
|
||||
- patch
|
||||
- rule_1.7.3
|
||||
- NIST800-53R5_CM-1
|
||||
- NIST800-53R5_CM-3
|
||||
- NIST800-53R5_CM-6
|
||||
ansible.builtin.template:
|
||||
src: etc/issue.net.j2
|
||||
dest: /etc/issue.net
|
||||
|
|
@ -56,6 +65,8 @@
|
|||
- perms
|
||||
- patch
|
||||
- rule_1.7.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.file:
|
||||
path: /etc/motd
|
||||
owner: root
|
||||
|
|
@ -71,6 +82,8 @@
|
|||
- perms
|
||||
- patch
|
||||
- rule_1.7.5
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.file:
|
||||
path: /etc/issue
|
||||
owner: root
|
||||
|
|
@ -86,6 +99,8 @@
|
|||
- perms
|
||||
- patch
|
||||
- rule_1.7.6
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.file:
|
||||
path: /etc/issue.net
|
||||
owner: root
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue