Added Nist values

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/prelim.yml

@@ -270,6 +270,7 @@
       - users
 
 - name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
+  when: rhel9cis_discover_int_uid
   block:
       - name: "PRELIM | Capture UID_MIN information from logins.def"
         ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
@@ -292,13 +293,6 @@
             max_int_uid: "{{ uid_max_id.stdout }}"
             min_int_gid: "{{ gid_min_id.stdout }}"
 
-- name: "PRELIM | Output of uid findings"
-  ansible.builtin.debug:
-      msg: "{{ min_int_uid }} {{ max_int_uid }}"
-
-  when:
-      - not discover_int_uid
-
 - name: "PRELIM | Gather the package facts after prelim"
   ansible.builtin.package_facts:
       manager: auto

tasks/section_1/cis_1.1.1.x.yml

@@ -9,6 +9,7 @@
     - patch
     - rule_1.1.1.1
     - cramfs
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -42,6 +43,7 @@
     - patch
     - rule_1.1.1.2
     - freevxfs
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -75,6 +77,7 @@
     - patch
     - rule_1.1.1.3
     - hfs
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -108,6 +111,7 @@
     - patch
     - rule_1.1.1.4
     - hfsplus
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -141,6 +145,7 @@
     - patch
     - rule_1.1.1.5
     - jffs2
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -174,6 +179,7 @@
     - patch
     - rule_1.1.1.6
     - squashfs
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -207,6 +213,7 @@
     - patch
     - rule_1.1.1.7
     - udf
+    - NIST800-53R5_CM-7
   block:
     - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -240,6 +247,7 @@
     - patch
     - rule_1.1.1.8
     - usb
+    - NIST800-53R5_SI-3
   block:
     - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
       ansible.builtin.lineinfile:
@@ -272,7 +280,6 @@
     - level1-workstation
     - patch
     - rule_1.1.1.9
-    - usb
   vars:
     warn_control_id: '1.1.1.9'
   block:

tasks/section_1/cis_1.1.2.1.x.yml

@@ -10,6 +10,7 @@
     - audit
     - mounts
     - rule_1.1.2.1.1
+    - NIST800-53R5_CM-7
   vars:
     warn_control_id: '1.1.2.1.1'
     required_mount: '/tmp'
@@ -51,6 +52,9 @@
     - rule_1.1.2.1.2
     - rule_1.1.2.1.3
     - rule_1.1.2.1.4
+    - NIST800-53R5_CM-7
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
 
 # via systemd
 - name: |
@@ -73,6 +77,8 @@
     - rule_1.1.2.1.2
     - rule_1.1.2.1.3
     - rule_1.1.2.1.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.template:
     src: etc/systemd/system/tmp.mount.j2
     dest: /etc/systemd/system/tmp.mount

tasks/section_1/cis_1.1.2.2.x.yml

@@ -10,6 +10,7 @@
     - audit
     - mounts
     - rule_1.1.2.2.1
+    - NIST800-53R5_CM-7
   vars:
     warn_control_id: '1.1.2.2.1'
   block:
@@ -45,6 +46,8 @@
     - rule_1.1.2.2.2
     - rule_1.1.2.2.3
     - rule_1.1.2.2.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.posix.mount:
     name: /dev/shm
     src: tmpfs

tasks/section_1/cis_1.1.2.3.x.yml

@@ -10,7 +10,7 @@
     - audit
     - mounts
     - rule_1_1_2.3.1
-    - skip_ansible_lint
+    - NIST800-53R5_CM-7
   vars:
       warn_control_id: '1.1.2.3.1'
       required_mount: '/home'
@@ -37,6 +37,9 @@
     - mounts
     - rule_1_1_2.3.2
     - rule_1_1_2.3.3
+    - NIST800-53R5_CM-7
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.mount:
     name: /home
     src: "{{ item.device }}"

tasks/section_1/cis_1.1.2.4.x.yml

@@ -10,6 +10,7 @@
     - patch
     - mounts
     - rule_1_1_2.4.1
+    - NIST800-53R5_CM-7
   vars:
     warn_control_id: '1.1.2.4.1'
     required_mount: '/var'
@@ -37,6 +38,8 @@
     - mounts
     - rule_1_1_2.4.2
     - rule_1_1_2.4.3
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.mount:
     name: /var
     src: "{{ item.device }}"

tasks/section_1/cis_1.1.2.5.x.yml

@@ -11,6 +11,7 @@
     - audit
     - mounts
     - rule_1_1_2.5.1
+    - NIST800-53R5_CM-7
   vars:
     warn_control_id: '1.1.2.5.1'
     required_mount: '/var/tmp'
@@ -41,6 +42,8 @@
     - rule_1_1_2.5.2
     - rule_1_1_2.5.3
     - rule_1_1_2.5.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.mount:
     name: /var/tmp
     src: "{{ item.device }}"

tasks/section_1/cis_1.1.2.6.x.yml

@@ -10,6 +10,7 @@
     - audit
     - mounts
     - rule_1_1_2.6.1
+    - NIST800-53R5_CM-7
   vars:
       warn_control_id: '1.1.2.6.1'
       required_mount: '/var/log'
@@ -39,6 +40,8 @@
     - rule_1_1_2.6.2
     - rule_1_1_2.6.3
     - rule_1_1_2.6.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.mount:
     name: /var/log
     src: "{{ item.device }}"

tasks/section_1/cis_1.1.2.7.x.yml

@@ -10,6 +10,7 @@
     - audit
     - mounts
     - rule_1_1_2.7.1
+    - NIST800-53R5_CM-7
   vars:
     warn_control_id: '1.1.2.7.1'
     required_mount: '/var/log/audit'
@@ -49,3 +50,5 @@
     - rule_1_1_2.7.2
     - rule_1_1_2.7.3
     - rule_1_1_2.7.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2

tasks/section_1/cis_1.2.1.x.yml

@@ -12,6 +12,7 @@
     - manual
     - patch
     - rule_1.2.1.1
+    - NIST800-53R5_SI-2
   block:
     - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
       ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
@@ -41,6 +42,7 @@
     - level1-workstation
     - patch
     - rule_1.2.1.2
+    - NIST800-53R5_SI-2
   block:
     - name: "1.2.1.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos"
       ansible.builtin.find:
@@ -68,6 +70,7 @@
     - manual
     - audit
     - rule_1.2.1.3
+    - NIST800-53R5_SI-2
   block:
     - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf"
       ansible.builtin.lineinfile:
@@ -99,7 +102,7 @@
     - manual
     - audit
     - rule_1.2.1.4
-    - skip_ansible_lint
+    - NIST800-53R5_SI-2
   vars:
     warn_control_id: '1.2.1.4'
   block:

tasks/section_1/cis_1.2.2.x.yml

@@ -1,16 +1,16 @@
 ---
 
 - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed"
-  ansible.builtin.package:
-      name: "*"
-      state: latest
-  notify: Change_requires_reboot
   when:
-      - rhel9cis_rule_1_2_2_1
+    - rhel9cis_rule_1_2_2_1
-      - not system_is_ec2
+    - not system_is_ec2
   tags:
-      - level1-server
+    - level1-server
-      - level1-workstation
+    - level1-workstation
-      - patch
+    - patch
-      - rule_1.2.2.1
+    - rule_1.2.2.1
-      - skip_ansible_lint
+    - NIST800-53R5_SI-2
+  ansible.builtin.package:
+    name: "*"
+    state: latest
+  notify: Change_requires_reboot

tasks/section_1/cis_1.3.1.x.yml

@@ -9,6 +9,8 @@
     - level1-workstation
     - patch
     - rule_1.3.1.1
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.package:
     name: libselinux
     state: present
@@ -23,6 +25,8 @@
     - scored
     - patch
     - rule_1.3.1.2
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.replace:
     path: /etc/default/grub
     regexp: '{{ item }}'
@@ -45,6 +49,8 @@
     - selinux
     - patch
     - rule_1.3.1.3
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.posix.selinux:
     conf: /etc/selinux/config
     policy: "{{ rhel9cis_selinux_pol }}"
@@ -60,6 +66,8 @@
     - selinux
     - patch
     - rule_1.3.1.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.posix.selinux:
     conf: /etc/selinux/config
     policy: "{{ rhel9cis_selinux_pol }}"
@@ -76,6 +84,8 @@
     - selinux
     - patch
     - rule_1.3.1.5
+    - NIST800-53R4_AC-3
+    - NIST800-53R4_SI-6
   ansible.posix.selinux:
     conf: /etc/selinux/config
     policy: "{{ rhel9cis_selinux_pol }}"
@@ -91,6 +101,8 @@
     - audit
     - services
     - rule_1.3.1.6
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   vars:
     warn_control_id: '1.3.1.6'
   block:
@@ -118,6 +130,8 @@
     - level1-workstation
     - patch
     - rule_1.3.1.7
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.package:
     name: mcstrans
     state: absent
@@ -134,3 +148,5 @@
     - selinux
     - patch
     - rule_1.3.1.8
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2

tasks/section_1/cis_1.4.x.yml

@@ -10,6 +10,7 @@
     - grub
     - patch
     - rule_1.4.1
+    - NIST800-53R5_AC-3
   ansible.builtin.copy:
     dest: /boot/grub2/user.cfg
     content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
@@ -27,6 +28,7 @@
     - grub
     - patch
     - rule_1.4.2
+    - NIST800-53R5_AC-3
   block:
     - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
       ansible.builtin.file:

tasks/section_1/cis_1.5.x.yml

@@ -9,6 +9,8 @@
     - patch
     - sysctl
     - rule_1.5.1
+    - NIST800-53R5_CM-6
+    - NIST800-53R5_CM-6.1
   block:
     - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
       ansible.builtin.set_fact:
@@ -45,6 +47,7 @@
     - patch
     - sysctl
     - rule_1.5.3
+    - NIST800-53R5_CM-6b
   ansible.builtin.lineinfile:
     path: /etc/systemd/coredump.conf
     regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'

tasks/section_1/cis_1.6.x.yml

@@ -8,7 +8,9 @@
     - level1-workstation
     - automated
     - patch
+    - crypto
     - rule_1.6.1
+    - NIST800-53R5_SC-6
   ansible.builtin.debug:
     msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
   changed_when: true
@@ -25,6 +27,9 @@
     - automated
     - patch
     - rule_1.6.2
+    - NIST800-53R5_SC-8
+    - NIST800-53R5_IA-5
+    - NIST800-53R5_AC-17- NIST800-53R5_SC-6
   ansible.builtin.lineinfile:
     path: /etc/sysconfig/sshd
     regexp: ^CRYPTO_POLICY\s*=
@@ -40,7 +45,9 @@
     - level1-workstation
     - automated
     - patch
+    - crypto
     - rule_1.6.3
+    - NIST800-53R5_SC-6
   block:
     - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"
       ansible.builtin.template:
@@ -66,7 +73,9 @@
     - level1-workstation
     - automated
     - patch
+    - crypto
     - rule_1.6.4
+    - NIST800-53R5_SC-6
   block:
     - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
       ansible.builtin.template:
@@ -93,7 +102,9 @@
     - level1-workstation
     - automated
     - patch
+    - crypto
     - rule_1.6.5
+    - NIST800-53R5_SC-6
   block:
     - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion"
       ansible.builtin.template:
@@ -119,7 +130,9 @@
     - level1-workstation
     - automated
     - patch
+    - crypto
     - rule_1.6.6
+    - NIST800-53R5_SC-6
   block:
     - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
       ansible.builtin.template:
@@ -145,7 +158,9 @@
     - level1-workstation
     - automated
     - patch
+    - crypto
     - rule_1.6.7
+    - NIST800-53R5_SC-6
   block:
     - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion"
       ansible.builtin.template:

tasks/section_1/cis_1.7.x.yml

@@ -9,6 +9,9 @@
     - banner
     - patch
     - rule_1.7.1
+    - NIST800-53R5_CM-1
+    - NIST800-53R5_CM-3
+    - NIST800-53R5_CM-6
   ansible.builtin.template:
     src: etc/motd.j2
     dest: /etc/motd
@@ -24,6 +27,9 @@
     - level1-workstation
     - patch
     - rule_1.7.2
+    - NIST800-53R5_CM-1
+    - NIST800-53R5_CM-3
+    - NIST800-53R5_CM-6
   ansible.builtin.template:
     src: etc/issue.j2
     dest: /etc/issue
@@ -40,6 +46,9 @@
     - banner
     - patch
     - rule_1.7.3
+    - NIST800-53R5_CM-1
+    - NIST800-53R5_CM-3
+    - NIST800-53R5_CM-6
   ansible.builtin.template:
     src: etc/issue.net.j2
     dest: /etc/issue.net
@@ -56,6 +65,8 @@
     - perms
     - patch
     - rule_1.7.4
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.file:
     path: /etc/motd
     owner: root
@@ -71,6 +82,8 @@
     - perms
     - patch
     - rule_1.7.5
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.file:
     path: /etc/issue
     owner: root
@@ -86,6 +99,8 @@
     - perms
     - patch
     - rule_1.7.6
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   ansible.builtin.file:
     path: /etc/issue.net
     owner: root