updated yamllint, company naming, linting and spacing
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
1b694832bb
commit
2de8a39cdc
66 changed files with 461 additions and 675 deletions
|
|
@ -33,9 +33,8 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
|
||||
when:
|
||||
- rhel9cis_rule_2_1_2
|
||||
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
|
||||
when: rhel9cis_rule_2_1_2
|
||||
|
||||
tags:
|
||||
- level1-server
|
||||
- level2-workstation
|
||||
|
|
@ -70,9 +69,7 @@
|
|||
- avahi-daemon.service
|
||||
|
||||
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
|
||||
when:
|
||||
- "'dhcp-server' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_3
|
||||
when: rhel9cis_rule_2_1_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -105,9 +102,7 @@
|
|||
- dhcpd6.service
|
||||
|
||||
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
|
||||
when:
|
||||
- "'bind' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_4
|
||||
when: rhel9cis_rule_2_1_4
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -137,9 +132,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
|
||||
when:
|
||||
- "'dnsmasq' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_5
|
||||
when: rhel9cis_rule_2_1_5
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -169,9 +162,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
|
||||
when:
|
||||
- "'samba' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_6
|
||||
when: rhel9cis_rule_2_1_6
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -202,9 +193,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
|
||||
when:
|
||||
- "'ftp' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_7
|
||||
when: rhel9cis_rule_2_1_7
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -235,9 +224,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
|
||||
when:
|
||||
- "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_8
|
||||
when: rhel9cis_rule_2_1_8
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -275,9 +262,7 @@
|
|||
- "cyrus-imapd.service"
|
||||
|
||||
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
|
||||
when:
|
||||
- "'nfs-utils' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_9
|
||||
when: rhel9cis_rule_2_1_9
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -309,9 +294,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
|
||||
when:
|
||||
- "'ypserv' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_10
|
||||
when: rhel9cis_rule_2_1_10
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -341,9 +324,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
|
||||
when:
|
||||
- "'cups' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_11
|
||||
when: rhel9cis_rule_2_1_11
|
||||
tags:
|
||||
- level1-server
|
||||
- automated
|
||||
|
|
@ -375,9 +356,7 @@
|
|||
- "cups.service"
|
||||
|
||||
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
|
||||
when:
|
||||
- "'rpcbind' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_12
|
||||
when: rhel9cis_rule_2_1_12
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -411,9 +390,7 @@
|
|||
- rpcbind.socket
|
||||
|
||||
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
|
||||
when:
|
||||
- "'rsync-daemon' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_13
|
||||
when: rhel9cis_rule_2_1_13
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -447,9 +424,7 @@
|
|||
- 'rsyncd.service'
|
||||
|
||||
- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
|
||||
when:
|
||||
- "'net-snmp' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_14
|
||||
when: rhel9cis_rule_2_1_14
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -479,9 +454,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
|
||||
when:
|
||||
- "'telnet-server' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_15
|
||||
when: rhel9cis_rule_2_1_15
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -512,9 +485,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
|
||||
when:
|
||||
- "'tftp-server' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_16
|
||||
when: rhel9cis_rule_2_1_16
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -547,9 +518,7 @@
|
|||
- 'tftp.service'
|
||||
|
||||
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
|
||||
when:
|
||||
- "'squid' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_117
|
||||
when: rhel9cis_rule_2_1_17
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -580,8 +549,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
|
||||
when:
|
||||
- rhel9cis_rule_2_1_18
|
||||
when: rhel9cis_rule_2_1_18
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -597,7 +565,6 @@
|
|||
when:
|
||||
- not rhel9cis_httpd_server
|
||||
- not rhel9cis_httpd_mask
|
||||
- "'httpd' in ansible_facts.packages"
|
||||
ansible.builtin.package:
|
||||
name: httpd
|
||||
state: absent
|
||||
|
|
@ -606,7 +573,6 @@
|
|||
when:
|
||||
- not rhel9cis_nginx_server
|
||||
- not rhel9cis_nginx_mask
|
||||
- "'nginx' in ansible_facts.packages"
|
||||
ansible.builtin.package:
|
||||
name: nginx
|
||||
state: absent
|
||||
|
|
@ -615,7 +581,6 @@
|
|||
when:
|
||||
- not rhel9cis_httpd_server
|
||||
- rhel9cis_httpd_mask
|
||||
- "'httpd' in ansible_facts.packages"
|
||||
notify: Systemd_daemon_reload
|
||||
ansible.builtin.systemd:
|
||||
name: httpd.service
|
||||
|
|
@ -627,7 +592,6 @@
|
|||
when:
|
||||
- not rhel9cis_nginx_server
|
||||
- rhel9cis_nginx_mask
|
||||
- "'nginx' in ansible_facts.packages"
|
||||
notify: Systemd_daemon_reload
|
||||
ansible.builtin.systemd:
|
||||
name: ngnix.service
|
||||
|
|
@ -636,9 +600,7 @@
|
|||
masked: true
|
||||
|
||||
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
|
||||
when:
|
||||
- "'xinetd' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_19
|
||||
when: rhel9cis_rule_2_1_19
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -670,7 +632,6 @@
|
|||
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
|
||||
when:
|
||||
- not rhel9cis_xwindow_server
|
||||
- "'xorg-x11-server-common' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_1_20
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -704,8 +665,7 @@
|
|||
line: "inet_interfaces = loopback-only"
|
||||
|
||||
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
|
||||
when:
|
||||
- rhel9cis_rule_2_1_22
|
||||
when: rhel9cis_rule_2_1_22
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -717,8 +677,8 @@
|
|||
vars:
|
||||
warn_control_id: '2.1.22'
|
||||
block:
|
||||
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
|
||||
ansible.builtin.shell: systemctl list-units --type=service
|
||||
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" # noqa command-instead-of-module
|
||||
ansible.builtin.command: systemctl list-units --type=service
|
||||
changed_when: false
|
||||
failed_when: discovered_running_services.rc not in [ 0, 1 ]
|
||||
check_mode: false
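Review bot: The nginx mask task in the `@ -627,7 +592,6` hunk targets `name: ngnix.service`, a typo for `nginx.service`; `systemctl mask` accepts a unit name that does not exist (it just drops a /dev/null symlink), so the task reports success while the real nginx.service stays unmasked whenever `rhel9cis_nginx_mask` is set. The fix is the one-line change `name: nginx.service`. The task's `- name:` header sits above this hunk and its `masked: true` is the first line of the next one, so the whole task should be re-read after the rename. This is pre-existing rather than introduced here, but a lint pass over this file is the natural place to catch it.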
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@
|
|||
- name: "2.2.1 | PATCH | Ensure ftp client is not installed"
|
||||
when:
|
||||
- not rhel9cis_ftp_client
|
||||
- "'ftp' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_2_1
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -20,7 +19,6 @@
|
|||
- name: "2.2.2 | PATCH | Ensure ldap client is not installed"
|
||||
when:
|
||||
- not rhel9cis_openldap_clients_required
|
||||
- "'openldap-clients' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_2_2
|
||||
tags:
|
||||
- level2-server
|
||||
|
|
@ -37,7 +35,6 @@
|
|||
- name: "2.2.3 | PATCH | Ensure nis client is not installed"
|
||||
when:
|
||||
- not rhel9cis_ypbind_required
|
||||
- "'ypbind' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_2_3
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -54,7 +51,6 @@
|
|||
- name: "2.2.4 | PATCH | Ensure telnet client is not installed"
|
||||
when:
|
||||
- not rhel9cis_telnet_required
|
||||
- "'telnet' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_2_4
|
||||
tags:
|
||||
- level1-server
|
||||
|
|
@ -71,7 +67,6 @@
|
|||
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
|
||||
when:
|
||||
- not rhel9cis_tftp_client
|
||||
- "'tftp' in ansible_facts.packages"
|
||||
- rhel9cis_rule_2_2_5
|
||||
tags:
|
||||
- level1-server
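Review bot: The 2.2.1 hunk (`@ -3,7 +3,6`) drops one of the seven shown lines with nothing replacing it, and the rendering carries no old/new marker, so I cannot tell which `when:` condition was removed; whichever it is, this is a behaviour change rather than the lint/spacing work the commit message describes. If `- not rhel9cis_ftp_client` went, the opt-out variable becomes dead and defaults/README need the same cut; if the `"'ftp' in ansible_facts.packages"` guard went, `state: absent` is still idempotent but the task now runs on every host instead of being skipped. The same 7-to-6 shape repeats for 2.2.2 through 2.2.5, so please state the intended condition set in the commit message or split these hunks out of a lint commit.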
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@
|
|||
dest: /etc/chrony.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
mode: 'go-wx'
|
||||
|
||||
- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
|
||||
when:
|
||||
|
|
@ -48,4 +48,4 @@
|
|||
line: OPTIONS="\1 -u chrony"
|
||||
create: true
|
||||
backrefs: true
|
||||
mode: '0644'
|
||||
mode: 'go-wx'
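Review bot: In the `@ -48,4 +48,4` hunk the /etc/sysconfig/chronyd edit combines `backrefs: true` with `create: true`; lineinfile with backrefs leaves the file unchanged when the regexp has no match, so on a host where the file is absent (the very case `create:` is there for) an empty file is created and `-u chrony` is never written, without the task failing. The `regexp:` and task header are above this hunk, so this is inferred from the visible options only. Consider a second lineinfile without backrefs, `regexp: '^OPTIONS='` / `line: 'OPTIONS="-u chrony"'`, run when the first reports no change, so a missing or OPTIONS-less file still gets the option. The new `mode: 'go-wx'` is fine as a never-widen mask, but note that on a freshly created file it yields the umask-derived mode minus go-wx rather than a fixed 0644.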
|
||||
|
|
|
|||
|
|
@ -1,8 +1,7 @@
|
|||
---
|
||||
|
||||
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_1
|
||||
when: rhel9cis_rule_2_4_1_1
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -19,8 +18,7 @@
|
|||
enabled: true
|
||||
|
||||
- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_2
|
||||
when: rhel9cis_rule_2_4_1_2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -33,11 +31,10 @@
|
|||
path: /etc/crontab
|
||||
owner: root
|
||||
group: root
|
||||
mode: og-rwx
|
||||
mode: 'og-rwx'
|
||||
|
||||
- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_3
|
||||
when: rhel9cis_rule_2_4_1_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -51,11 +48,10 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: og-rwx
|
||||
mode: 'og-rwx'
|
||||
|
||||
- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_4
|
||||
when: rhel9cis_rule_2_4_1_4
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -67,11 +63,10 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: og-rwx
|
||||
mode: 'og-rwx'
|
||||
|
||||
- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_5
|
||||
when: rhel9cis_rule_2_4_1_5
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -84,11 +79,10 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: og-rwx
|
||||
mode: 'og-rwx'
|
||||
|
||||
- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_6
|
||||
when: rhel9cis_rule_2_4_1_6
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -101,11 +95,10 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: og-rwx
|
||||
mode: 'og-rwx'
|
||||
|
||||
- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_7
|
||||
when: rhel9cis_rule_2_4_1_7
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -119,11 +112,10 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0700'
|
||||
mode: 'og-rwx'
|
||||
|
||||
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_1_8
|
||||
when: rhel9cis_rule_2_4_1_8
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -146,14 +138,13 @@
|
|||
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
|
||||
ansible.builtin.file:
|
||||
path: /etc/cron.allow
|
||||
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
|
||||
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: u-x,g-wx,o-rwx
|
||||
mode: 'u-x,g-wx,o-rwx'
|
||||
|
||||
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
|
||||
when:
|
||||
- rhel9cis_rule_2_4_2_1
|
||||
when: rhel9cis_rule_2_4_2_1
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -179,4 +170,4 @@
|
|||
state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: u-x,g-wx,o-rwx
|
||||
mode: 'u-x,g-wx,o-rwx'
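Review bot: In the `@ -119,11 +112,10 @@` hunk the /etc/cron.d task moves from the absolute `mode: '0700'` to the symbolic `mode: 'og-rwx'`; unlike the quoting fixes around it this changes behaviour, because a symbolic subtractive mask only strips group/other bits and no longer enforces the owner bits (a 0500 directory stays 0500, a 0750 one becomes 0700). That matches the sibling cron.* tasks and still satisfies "0700 or more restrictive", but the commit message only mentions lint and spacing, so I would document the intent on the line: `mode: 'og-rwx'  # symbolic on purpose: strips group/other bits, never widens an already-tighter mode`. The task header and `path:` are above this hunk.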
|
||||
|
|
|
|||