ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

tidy up vars

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-01 17:09:53 +01:00
parent 2565df6047
commit 2d21f8a98e
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
10 changed files with 45 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

21
defaults/main.yml
View file

@ -114,8 +114,6 @@ rhel9cis_rule_1_4_3: true
rhel9cis_rule_1_5_1: true
rhel9cis_rule_1_5_2: true
rhel9cis_rule_1_5_3: true
rhel9cis_rule_1_6_1: true
rhel9cis_rule_1_6_2: true
rhel9cis_rule_1_6_1_1: true
rhel9cis_rule_1_6_1_2: true
rhel9cis_rule_1_6_1_3: true
@ -137,7 +135,6 @@ rhel9cis_rule_1_8_4: true
rhel9cis_rule_1_8_5: true
rhel9cis_rule_1_9: true
rhel9cis_rule_1_10: true
rhel9cis_rule_1_11: true
# Section 2 rules
rhel9cis_rule_2_1_1: true
@ -469,11 +466,6 @@ rhel9cis_firewall: firewalld
##### firewalld
rhel9cis_default_zone: public
rhel9cis_int_zone: customzone
rhel9cis_interface: eth0
rhel9cis_firewall_services:
- ssh
- dhcpv6-client
#### nftables
rhel9cis_nft_tables_autonewtable: true
@ -541,13 +533,6 @@ rhel9cis_sshd:
# allowgroups: systems dba
# denyusers:
# denygroups:
rhel9cis_pam_faillock:
attempts: 5
interval: 900
unlock_time: 900
fail_for_root: no
remember: 5
pwhash: sha512
# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
rhel9cis_ssh_loglevel: INFO
@ -580,11 +565,7 @@ rhel9cis_pass:
rhel9cis_syslog: rsyslog
rhel9cis_rsyslog_ansiblemanaged: true
rhel9cis_vartmp:
source: /tmp
fstype: none
opts: "defaults,nodev,nosuid,noexec,bind"
enabled: false
## PAM
rhel9cis_pam_password:
minlen: "14"

10
tasks/prelim.yml
View file

@ -56,13 +56,11 @@
check_mode: false
register: system_wide_crypto_policy
when:
- rhel9cis_rule_1_10 or
rhel9cis_rule_1_11
- rhel9cis_rule_1_10
tags:
- level1-server
- level1-workstation
- rule_1.10 or
rule_1.11
- rule_1.10
- crypto
- name: "PRELIM | if systemd coredump"
@ -70,11 +68,11 @@
path: /etc/systemd/coredump.conf
register: systemd_coredump
when:
- rhel9cis_rule_1_6_1
- rhel9cis_rule_1_5_1
tags:
- level1-server
- level1-workstation
- rule_1.6.1
- rule_1.5.1
- systemd
- name: "PRELIM | Section 1.1 | Create list of mount points"

66
tasks/section_3/cis_3.2.x.yml
View file

@ -1,51 +1,55 @@
---
- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted"
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled"
block:
- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
sysctl:
name: net.ipv4.ip_forward
value: '0'
state: present
reload: yes
ignoreerrors: yes
notify: sysctl flush ipv4 route table
- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
sysctl:
name: net.ipv6.conf.all.forwarding
value: '0'
state: present
reload: yes
ignoreerrors: yes
notify: sysctl flush ipv6 route table
when: rhel9cis_ipv6_required
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_2_1
tags:
- level1-server
- level1-workstation
- automated
- sysctl
- patch
- rule_3.2.1
- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
block:
- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
sysctl:
name: '{{ item.name }}'
value: '{{ item.value }}'
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
notify: sysctl flush ipv4 route table
with_items:
- { name: net.ipv4.conf.all.send_redirects, value: 0 }
- { name: net.ipv4.conf.default.send_redirects, value: 0 }
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_2_2
tags:
- level1-server
- level1-workstation
- sysctl
- automated
- patch
- rule_3.2.2
- sysctl
- rule_3.2.2

7
tasks/section_3/cis_3.4.1.x.yml
View file

@ -8,7 +8,6 @@
state: present
when:
- rhel9cis_rule_3_4_1_1
- rhel9cis_firewall == "firewalld"
tags:
- level1-server
- level1-workstation
@ -34,7 +33,6 @@
state: absent
when:
- rhel9cis_rule_3_4_1_2
- rhel9cis_firewall == "firewalld"
tags:
- level1-server
- level1-workstation
@ -49,7 +47,6 @@
state: stopped
masked: yes
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_1_3
tags:
- level1-server
@ -65,7 +62,6 @@
state: started
enabled: yes
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_1_4
tags:
- level1-server
@ -78,7 +74,6 @@
- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set"
command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_1_5
tags:
- level1-server
@ -103,7 +98,6 @@
- "The items below are the policies tied to the interfaces, please correct as needed"
- "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}"
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_1_6
tags:
- level1-server
@ -127,7 +121,6 @@
- "The items below are the services and ports that are accepted, please correct as needed"
- "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}"
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_1_7
tags:
- level1-server

10
tasks/section_3/cis_3.4.2.x.yml
View file

@ -5,7 +5,6 @@
name: nftables
state: present
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_1
tags:
- level1-server
@ -22,7 +21,6 @@
name: firewalld
state: absent
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_2
tags:
- level1-server
@ -49,7 +47,6 @@
name: iptables-service
state: absent
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_3
tags:
- level1-server
@ -107,7 +104,6 @@
failed_when: no
when: rhel9cis_nft_tables_autonewtable
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_5
tags:
- level1-server
@ -159,7 +155,6 @@
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
when: rhel9cis_nft_tables_autochaincreate
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_6
tags:
- level1-server
@ -201,7 +196,6 @@
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_7
tags:
- level1-server
@ -249,7 +243,6 @@
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_8
tags:
- level1-server
@ -301,7 +294,6 @@
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_9
tags:
- level1-server
@ -316,7 +308,6 @@
name: nftables
enabled: yes
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_10
tags:
- level1-server
@ -333,7 +324,6 @@
insertafter: EOF
line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_11
tags:
- level1-server

3
tasks/section_3/cis_3.4.3.1.x.yml
View file

@ -7,7 +7,6 @@
- iptables-services
state: present
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_1_1
tags:
- level1-server
@ -22,7 +21,6 @@
name: nftables
state: absent
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_1_2
tags:
- level1-server
@ -39,7 +37,6 @@
name: firewalld
state: absent
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_1_3
tags:
- level1-server

6
tasks/section_3/cis_3.4.3.2.x.yml
View file

@ -23,7 +23,6 @@
source: 127.0.0.0/8
jump: DROP
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_2_1
tags:
- level1-server
@ -49,7 +48,6 @@
- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_2_2
tags:
- level1-server
@ -99,7 +97,6 @@
- "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}"
when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_2_3
tags:
- level1-server
@ -128,7 +125,6 @@
- OUTPUT
when:
- rhel9cis_rule_3_4_3_2_4
- rhel9cis_firewall == "iptables"
tags:
- level1-server
- level1-workstation
@ -143,7 +139,6 @@
path: /etc/sysconfig/iptables
when:
- rhel9cis_rule_3_4_3_2_5
- rhel9cis_firewall == "iptables"
tags:
- level1-server
- level1-workstation
@ -158,7 +153,6 @@
enabled: yes
state: started
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_2_6
tags:
- level1-server

11
tasks/section_3/cis_3.4.3.3.x.yml
View file

@ -26,9 +26,7 @@
jump: DROP
ip_version: ipv6
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_3_1
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
@ -54,9 +52,7 @@
- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_3_2
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
@ -87,9 +83,7 @@
- "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}"
when: rhel9cis_3_4_3_3_3_otcp.stdout is defined
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_3_3
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
@ -118,9 +112,7 @@
- FORWARD
- OUTPUT
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_3_4
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
@ -135,8 +127,6 @@
path: /etc/sysconfig/ip6tables
ip_version: ipv6
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_ipv6_required
- rhel9cis_rule_3_4_3_3_5
tags:
- level1-server
@ -152,7 +142,6 @@
enabled: yes
state: started
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_3_3_6
tags:
- level1-server

6
templates/ansible_vars_goss.yml.j2
View file

@ -73,11 +73,11 @@ rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }}
rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }}
rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
@ -94,7 +94,7 @@ rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }}
# section 2 rules
rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}

4
vars/is_container.yml
View file

@ -41,7 +41,7 @@ rhel9cis_rule_5_1_8: false
# crypto
rhel9cis_rule_1_10: false
rhel9cis_rule_1_11: false
# grub
rhel9cis_rule_1_5_1: false
@ -87,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false
rhel9cis_rule_4_2_2_3: false
# systemd
rhel9cis_rule_1_6_1: false
# Users/passwords/accounts
rhel9cis_rule_5_5_2: false