ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

updated yamllint, company naming, linting and spacing

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-04 11:45:13 +00:00
parent 1b694832bb
commit 2de8a39cdc
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
66 changed files with 461 additions and 675 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.yamllint
View file

@ -17,7 +17,7 @@ rules:
comments:
ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility
comments-indentation: enabled
comments-indentation: enable
empty-lines:
max: 1
indentation:

2
LICENSE
View file

@ -1,6 +1,6 @@
MIT License
Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

26
handlers/main.yml
View file

@ -2,7 +2,8 @@
# handlers file for RHEL9-CIS
- name: Reload sysctl
ansible.builtin.shell: sysctl --system
ansible.builtin.command: sysctl --system
changed_when: true
- name: Sysctl flush ipv4 route table
when:
@ -43,8 +44,8 @@
- name: Set Crypto Policy
when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
changed_when: true
notify:
- Change_requires_reboot
- Restart sshd
@ -65,11 +66,13 @@
state: restarted
- name: Reload dconf
ansible.builtin.shell: dconf update
ansible.builtin.command: dconf update
changed_when: true
- name: Grub2cfg
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ignore_errors: true # noqa ignore-errors
changed_when: true
- name: Restart rsyslog
ansible.builtin.systemd:
@ -91,24 +94,25 @@
daemon-reload: true
- name: Authselect update
ansible.builtin.shell: authselect apply-changes
ansible.builtin.command: authselect apply-changes
changed_when: true
## Auditd tasks note order for handlers to run
- name: Auditd immutable check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: discovered_auditd_immutable_check
- name: Audit immutable fact
when:
- discovered_auditd_immutable_check.stdout == '1'
when: discovered_auditd_immutable_check.stdout == '1'
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Change_requires_reboot
- name: Restart auditd
ansible.builtin.shell: service auditd restart
- name: Restart auditd # noqa command-instead-of-module
ansible.builtin.command: service auditd restart
changed_when: true
- name: Change_requires_reboot
ansible.builtin.set_fact:

5
tasks/LE_audit_setup.yml
View file

@ -1,5 +1,4 @@
---
- name: Pre Audit Setup | Set audit package name
block:
- name: Pre Audit Setup | Set audit package name | 64bit
@ -20,13 +19,13 @@
owner: root
group: root
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: '0555'
mode: "0555"
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: '0555'
mode: "0555"
owner: root
group: root

11
tasks/audit_only.yml
View file

@ -1,9 +1,8 @@
---
- name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files
ansible.builtin.file:
mode: '0755'
mode: "0755"
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory
@ -15,16 +14,14 @@
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: '0644'
mode: "0644"
src: "{{ pre_audit_outfile }}"
- name: Audit_only | Show Audit Summary
when:
- audit_only
when: audit_only
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"
- name: Audit_only | Stop Playbook Audit Only selected
when:
- audit_only
when: audit_only
ansible.builtin.meta: end_play

3
tasks/check_prereqs.yml
View file

@ -1,8 +1,7 @@
---
- name: "PREREQ | If required install libselinux package to manage file changes."
when:
- '"libselinux-python3" not in ansible_facts.packages'
when: '"libselinux-python3" not in ansible_facts.packages'
ansible.builtin.package:
name: libselinux-python3
state: present

50
tasks/main.yml
View file

@ -2,22 +2,19 @@
# tasks file for RHEL9-CIS
- name: "Check OS version and family"
when: os_check
tags: always
ansible.builtin.assert:
that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
when:
- os_check
tags:
- always
- name: "Check ansible version"
tags: always
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
tags:
- always
- name: "Setup rules if container"
when:
@ -36,8 +33,7 @@
file: "{{ container_vars_file }}"
- name: "Output if discovered is a container"
when:
- system_is_container
when: system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
@ -51,8 +47,7 @@
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- always
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
@ -81,23 +76,22 @@
vars:
sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" # noqa name[template]
ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: prelim_ansible_user_password_set
- name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"
- name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template]
when: prelim_ansible_user_password_set.stdout == "not found"
ansible.builtin.debug:
msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
- name: "Check local account"
when:
- prelim_ansible_user_password_set.stdout != "not found"
when: prelim_ansible_user_password_set.stdout != "not found"
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert:
that:
- prelim_ansible_user_password_set.stdout | length != 0
@ -105,7 +99,7 @@
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert:
that:
- not prelim_ansible_user_password_set.stdout.startswith("!")
@ -113,10 +107,8 @@
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
- name: "PRELIM | AUDIT | Check authselect profile is selected"
when:
- rhel9cis_allow_authselect_updates
tags:
- always
when: rhel9cis_allow_authselect_updates
tags: always
block:
- name: "PRELIM | AUDIT | Check authselect profile name has been updated"
ansible.builtin.assert:
@ -136,8 +128,7 @@
fail_msg: Authselect updates have been selected there are issues with profile selection"
- name: "Ensure root password is set"
when:
- rhel9cis_rule_5_4_2_4
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
@ -158,14 +149,12 @@
success_msg: "You have a root password set"
- name: "Gather the package facts"
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
- name: "Include OS specific variables"
tags:
- always
tags: always
ansible.builtin.include_vars:
file: "{{ ansible_facts.distribution }}.yml"
@ -213,8 +202,7 @@
- name: "Run auditd logic"
when: update_audit_template
tags:
- always
tags: always
ansible.builtin.import_tasks:
file: auditd.yml
@ -226,8 +214,7 @@
file: post.yml
- name: "Run post_remediation audit"
when:
- run_audit
when: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
@ -238,7 +225,6 @@
- name: "If Warnings found Output count and control IDs affected"
when: warn_count != 0
tags:
- always
tags: always
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"

10
tasks/parse_etc_password.yml
View file

@ -1,19 +1,17 @@
---
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
tags:
- always
tags: always
block:
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
ansible.builtin.shell: cat /etc/passwd
ansible.builtin.command: cat /etc/passwd
changed_when: false
check_mode: false
register: rhel9cis_passwd_file_audit
register: prelim_passwd_file_audit
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
ansible.builtin.set_fact:
rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"
rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
vars:
ld_passwd_regex: >-
^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)

26
tasks/post.yml
View file

@ -1,9 +1,7 @@
---
# Post tasks
- name: POST | Gather the package facts after remediation
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
@ -17,7 +15,7 @@
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Reload sysctl
loop:
- 60-kernel_sysctl.conf
@ -29,28 +27,22 @@
ansible.builtin.meta: flush_handlers
- name: POST | reboot system if changes require it and not skipped
tags:
- always
when: change_requires_reboot
tags: always
vars:
warn_control_id: Reboot_required
block:
- name: POST | Reboot system if changes require it and not skipped
when: not skip_reboot
ansible.builtin.reboot:
when:
- change_requires_reboot
- not skip_reboot
- name: POST | Warning a reboot required but skip option set
when: skip_reboot
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- change_requires_reboot
- skip_reboot
- name: "POST | Warning a reboot required but skip option set | warning count"
when: skip_reboot
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- change_requires_reboot
- skip_reboot
vars:
warn_control_id: Reboot_required

10
tasks/post_remediation_audit.yml
View file

@ -1,7 +1,7 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
@ -18,8 +18,7 @@
- "{{ pre_audit_outfile }}"
- name: Post Audit | Capture audit data if json format
when:
- audit_format == "json"
when: audit_format == "json"
block:
- name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
@ -31,8 +30,7 @@
post_audit_results: "{{ post_audit_summary.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
when: audit_format == "documentation"
block:
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '

55
tasks/pre_remediation_audit.yml
View file

@ -1,22 +1,18 @@
---
- name: Pre Audit Setup | Setup the LE audit
when:
- setup_audit
tags:
- setup_audit
when: setup_audit
tags: setup_audit
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists # noqa name[template]
ansible.builtin.file:
path: "{{ audit_conf_dir }}"
state: directory
mode: '0755'
mode: "0755"
- name: Pre Audit Setup | If using git for content set up
when:
- audit_content == 'git'
when: audit_content == 'git'
block:
- name: Pre Audit Setup | Install git
ansible.builtin.package:
@ -30,32 +26,28 @@
version: "{{ audit_git_version }}"
- name: Pre Audit Setup | Copy to audit content files to server
when:
- audit_content == 'copy'
when: audit_content == 'copy'
ansible.builtin.copy:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
mode: preserve
- name: Pre Audit Setup | Unarchive audit content files on server
when:
- audit_content == 'archive'
when: audit_content == 'archive'
ansible.builtin.unarchive:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
- name: Pre Audit Setup | Get audit content from url
when:
- audit_content == 'get_url'
when: audit_content == 'get_url'
ansible.builtin.unarchive:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
- name: Pre Audit Setup | Check Goss is available
when:
- run_audit
when: run_audit
block:
- name: Pre Audit Setup | Check for goss file
ansible.builtin.stat:
@ -63,24 +55,22 @@
register: discovered_goss_available
- name: Pre Audit Setup | If audit ensure goss is available
when:
- not discovered_goss_available.stat.exists
when: not discovered_goss_available.stat.exists
ansible.builtin.assert:
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
- name: Pre Audit Setup | Copy ansible default vars values to test audit
when:
- run_audit
when: run_audit
tags:
- goss_template
- run_audit
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
mode: '0600'
mode: "0600"
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
@ -88,33 +78,30 @@
AUDIT_FILE: goss.yml
- name: Pre Audit | Capture audit data if json format
when:
- audit_format == "json"
when: audit_format == "json"
block:
- name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
register: pre_audit_summary
changed_when: false
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
- name: Pre Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
when: audit_format == "documentation"
block:
- name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
register: pre_audit_summary
changed_when: false
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
- name: Audit_Only | Run Audit Only
when:
- audit_only
when: audit_only
ansible.builtin.import_tasks:
file: audit_only.yml

40
tasks/prelim.yml
View file

@ -17,50 +17,43 @@
when:
- run_audit or audit_only
- setup_audit
tags:
- run_audit
tags: run_audit
ansible.builtin.import_tasks: pre_remediation_audit.yml
- name: "PRELIM | AUDIT | Interactive Users"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false
register: prelim_interactive_usernames
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
changed_when: false
register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
changed_when: false
register: prelim_interactive_uids
- name: "PRELIM | AUDIT | Capture /etc/password variables"
tags: always
ansible.builtin.include_tasks:
file: parse_etc_password.yml
tags:
- always
- name: "PRELIM | PATCH | Ensure python3-libselinux is installed"
when:
- '"python3-libselinux" not in ansible_facts.packages'
when: '"python3-libselinux" not in ansible_facts.packages'
ansible.builtin.package:
name: python3-libselinux
state: present
- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points"
tags:
- Always
tags: always
ansible.builtin.set_fact:
mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
@ -80,27 +73,27 @@
- ansible_facts.distribution == 'RedHat'
block:
- name: "PRELIM | AUDIT | Import gpg keys | get data"
ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module
changed_when: false
failed_when: false
register: prelim_check_gpg_imported
- name: "PRELIM | AUDIT | Import gpg keys | Check Package"
- name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module
when: "'not installed' in prelim_check_gpg_imported.stdout"
ansible.builtin.shell: rpm -qi redhat-release | grep Signature
changed_when: false
failed_when: false
register: prelim_os_gpg_package_valid
- name: "PRELIM | PATCH | Force keys to be imported"
- name: "PRELIM | PATCH | Force keys to be imported" # noqa command-instead-of-module
when:
- "'not installed' in prelim_check_gpg_imported.stdout"
- "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout"
ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
changed_when: false
- name: "PRELIM | AUDIT | Check systemd coredump"
when:
- rhel9cis_rule_1_5_4
when: rhel9cis_rule_1_5_4
tags:
- level1-server
- level1-workstation
@ -127,7 +120,7 @@
state: present
- name: "PRELIM | AUDIT | Gather system-wide crypto-policy"
ansible.builtin.shell: 'update-crypto-policies --show'
ansible.builtin.command: 'update-crypto-policies --show'
changed_when: false
check_mode: false
register: prelim_system_wide_crypto_policy
@ -183,7 +176,7 @@
- always
block:
- name: "PRELIM | AUDIT | Discover is wirelss adapter on system"
ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
register: discover_wireless_adapters
changed_when: false
failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
@ -222,7 +215,7 @@
path: "{{ rhel9cis_sshd_config_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
state: touch
- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
@ -246,6 +239,7 @@
ansible.builtin.file:
path: /etc/systemd/journald.conf.d
state: directory
mode: 'go-w'
- name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when:

38
tasks/section_1/cis_1.1.1.x.yml
View file

@ -16,7 +16,7 @@
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -24,7 +24,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when:
@ -49,7 +49,7 @@
regexp: "^(#)?install freevxfs(\\s|$)"
line: "install freevxfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -57,7 +57,7 @@
regexp: "^(#)?blacklist freevxfs(\\s|$)"
line: "blacklist freevxfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs"
when: not system_is_container
@ -81,7 +81,7 @@
regexp: "^(#)?install hfs(\\s|$)"
line: "install hfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -89,7 +89,7 @@
regexp: "^(#)?blacklist hfs(\\s|$)"
line: "blacklist hfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs"
when: not system_is_container
@ -113,7 +113,7 @@
regexp: "^(#)?install hfsplus(\\s|$)"
line: "install hfsplus /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -121,7 +121,7 @@
regexp: "^(#)?blacklist hfsplus(\\s|$)"
line: "blacklist hfsplus"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus"
when: not system_is_container
@ -145,7 +145,7 @@
regexp: "^(#)?install jffs2(\\s|$)"
line: "install jffs2 /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -153,7 +153,7 @@
regexp: "^(#)?blacklist jffs2(\\s|$)"
line: "blacklist jffs2"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2"
when: not system_is_container
@ -177,7 +177,7 @@
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -185,7 +185,7 @@
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs"
when: not system_is_container
@ -209,7 +209,7 @@
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -217,7 +217,7 @@
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf"
when: not system_is_container
@ -241,7 +241,7 @@
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -249,7 +249,7 @@
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb"
when: not system_is_container
@ -273,10 +273,10 @@
dest: /var/fs_with_cves.sh
owner: root
group: root
mode: '0744'
mode: 'u+x,go-wx'
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
ansible.builtin.shell: /var/fs_with_cves.sh
ansible.builtin.command: /var/fs_with_cves.sh
changed_when: false
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
register: discovered_fs_modules_loaded
@ -286,7 +286,7 @@
ansible.builtin.debug:
msg: |
"Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
{{ discovered_fs_modules_loaded.stdout_lines}}"
{{ discovered_fs_modules_loaded.stdout_lines }}"
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
when: discovered_fs_modules_loaded.stdout | length > 0

2
tasks/section_1/cis_1.1.2.1.x.yml
View file

@ -84,5 +84,5 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Systemd restart tmp.mount

5
tasks/section_1/cis_1.1.2.2.x.yml
View file

@ -2,8 +2,7 @@
# Skips if mount is absent
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition"
when:
- rhel9cis_rule_1_1_2_2_1
when: rhel9cis_rule_1_1_2_2_1
tags:
- level1-server
- level1-workstation
@ -14,7 +13,7 @@
vars:
warn_control_id: '1.1.2.2.1'
block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists"
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" # noqa command-instead-of-module
ansible.builtin.shell: mount -l | grep -w /dev/shm
changed_when: false
register: discovered_dev_shm_mount_check

16
tasks/section_1/cis_1.2.1.x.yml
View file

@ -14,18 +14,18 @@
- rule_1.2.1.1
- NIST800-53R5_SI-2
block:
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" # noqa command-instead-of-module
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false
failed_when: false
register: discovered_os_installed_pub_keys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" # noqa command-instead-of-module
when: discovered_os_installed_pub_keys.rc == 0
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: discovered_os_gpg_key_check
when: discovered_os_installed_pub_keys.rc == 0
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
when:
@ -35,8 +35,7 @@
msg: Installed GPG Keys do not meet expected values or expected keys are not installed
- name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated"
when:
- rhel9cis_rule_1_2_1_2
when: rhel9cis_rule_1_2_1_2
tags:
- level1-server
- level1-workstation
@ -94,8 +93,7 @@
label: "{{ item.path }}"
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured"
when:
- rhel9cis_rule_1_2_1_4
when: rhel9cis_rule_1_2_1_4
tags:
- level1-server
- level1-workstation
@ -107,11 +105,11 @@
warn_control_id: '1.2.1.4'
block:
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
ansible.builtin.shell: dnf repolist
ansible.builtin.command: dnf repolist
changed_when: false
failed_when: false
register: discovered_dnf_configured
check_mode: false
register: discovered_dnf_configured
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
ansible.builtin.debug:

9
tasks/section_1/cis_1.3.1.x.yml
View file

@ -122,8 +122,7 @@
file: warning_facts.yml
- name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
when:
- rhel9cis_rule_1_3_1_7
when: rhel9cis_rule_1_3_1_7
tags:
- level1-server
- level1-workstation
@ -136,9 +135,6 @@
state: absent
- name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed"
ansible.builtin.package:
name: setroubleshoot
state: absent
when:
- rhel9cis_rule_1_3_1_8
- "'setroubleshoot' in ansible_facts.packages"
@ -149,3 +145,6 @@
- rule_1.3.1.8
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.package:
name: setroubleshoot
state: absent

9
tasks/section_1/cis_1.4.x.yml
View file

@ -16,12 +16,11 @@
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Grub2cfg
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
when:
- rhel9cis_rule_1_4_2
when: rhel9cis_rule_1_4_2
tags:
- level1-server
- level1-workstation
@ -41,5 +40,5 @@
access_time: preserve
loop:
- { path: 'grub.cfg', mode: '0700' }
- { path: 'grubenv', mode: '0600' }
- { path: 'user.cfg', mode: '0600' }
- { path: 'grubenv', mode: 'go-rwx' }
- { path: 'user.cfg', mode: 'go-rwx' }

9
tasks/section_1/cis_1.5.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
when:
- rhel9cis_rule_1_5_1
when: rhel9cis_rule_1_5_1
tags:
- level1-server
- level1-workstation
@ -21,8 +20,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
when:
- rhel9cis_rule_1_5_2
when: rhel9cis_rule_1_5_2
tags:
- level1-server
- level1-workstation
@ -39,8 +37,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
- name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled"
when:
- rhel9cis_rule_1_5_3
when: rhel9cis_rule_1_5_3
tags:
- level1-server
- level1-workstation

16
tasks/section_1/cis_1.6.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
when:
- rhel9cis_rule_1_6_1
when: rhel9cis_rule_1_6_1
tags:
- level1-server
- level1-workstation
@ -18,8 +17,7 @@
- Set Crypto Policy
- name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
when:
- rhel9cis_rule_1_6_2
when: rhel9cis_rule_1_6_2
tags:
- level1-server
- level1-workstation
@ -54,7 +52,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sha1_template
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
@ -85,7 +83,7 @@
dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_weakmac_template
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
@ -115,7 +113,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshcbc_template
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
@ -145,7 +143,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
@ -175,7 +173,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshetm_template
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"

30
tasks/section_1/cis_1.7.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.7.1 | PATCH | Ensure message of the day is configured properly"
when:
- rhel9cis_rule_1_7_1
when: rhel9cis_rule_1_7_1
tags:
- level1-server
- level1-workstation
@ -17,11 +16,10 @@
dest: /etc/motd
owner: root
group: root
mode: u-x,go-wx
mode: 'u-x,go-wx'
- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
when:
- rhel9cis_rule_1_7_2
when: rhel9cis_rule_1_7_2
tags:
- level1-server
- level1-workstation
@ -35,11 +33,10 @@
dest: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
when:
- rhel9cis_rule_1_7_3
when: rhel9cis_rule_1_7_3
tags:
- level1-server
- level1-workstation
@ -54,11 +51,10 @@
dest: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
when:
- rhel9cis_rule_1_7_4
when: rhel9cis_rule_1_7_4
tags:
- level1-server
- level1-workstation
@ -71,11 +67,10 @@
path: /etc/motd
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
when:
- rhel9cis_rule_1_7_5
when: rhel9cis_rule_1_7_5
tags:
- level1-server
- level1-workstation
@ -88,11 +83,10 @@
path: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
when:
- rhel9cis_rule_1_7_6
when: rhel9cis_rule_1_7_6
tags:
- level1-server
- level1-workstation
@ -105,4 +99,4 @@
path: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'go-wx'

30
tasks/section_1/cis_1.8.x.yml
View file

@ -35,7 +35,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
loop:
- { regexp: 'user-db', line: 'user-db:user' }
@ -48,7 +48,7 @@
dest: /etc/dconf/db/gdm.d/01-banner-message
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled"
@ -68,7 +68,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
loop:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
@ -96,7 +96,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
loop:
- { regexp: '^user-db', line: 'user-db:user' }
- { regexp: '^system-db', line: 'system-db:local' }
@ -106,7 +106,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file"
@ -115,7 +115,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
@ -134,7 +134,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
@ -143,7 +143,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
@ -161,7 +161,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
@ -180,7 +180,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
@ -189,7 +189,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled"
@ -208,7 +208,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
@ -217,7 +217,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden"
@ -236,7 +236,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile"
@ -245,7 +245,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.10 | PATCH | Ensure XDMCP is not enabled"

84
tasks/section_2/cis_2.1.x.yml
View file

@ -33,9 +33,8 @@
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
when:
- rhel9cis_rule_2_1_2
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
when: rhel9cis_rule_2_1_2
tags:
- level1-server
- level2-workstation
@ -70,9 +69,7 @@
- avahi-daemon.service
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
when:
- "'dhcp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_3
when: rhel9cis_rule_2_1_3
tags:
- level1-server
- level1-workstation
@ -105,9 +102,7 @@
- dhcpd6.service
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
when:
- "'bind' in ansible_facts.packages"
- rhel9cis_rule_2_1_4
when: rhel9cis_rule_2_1_4
tags:
- level1-server
- level1-workstation
@ -137,9 +132,7 @@
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
when:
- "'dnsmasq' in ansible_facts.packages"
- rhel9cis_rule_2_1_5
when: rhel9cis_rule_2_1_5
tags:
- level1-server
- level1-workstation
@ -169,9 +162,7 @@
masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
when:
- "'samba' in ansible_facts.packages"
- rhel9cis_rule_2_1_6
when: rhel9cis_rule_2_1_6
tags:
- level1-server
- level1-workstation
@ -202,9 +193,7 @@
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
when:
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_1_7
when: rhel9cis_rule_2_1_7
tags:
- level1-server
- level1-workstation
@ -235,9 +224,7 @@
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
when:
- "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
- rhel9cis_rule_2_1_8
when: rhel9cis_rule_2_1_8
tags:
- level1-server
- level1-workstation
@ -275,9 +262,7 @@
- "cyrus-imapd.service"
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
when:
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_1_9
when: rhel9cis_rule_2_1_9
tags:
- level1-server
- level1-workstation
@ -309,9 +294,7 @@
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
when:
- "'ypserv' in ansible_facts.packages"
- rhel9cis_rule_2_1_10
when: rhel9cis_rule_2_1_10
tags:
- level1-server
- level1-workstation
@ -341,9 +324,7 @@
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
when:
- "'cups' in ansible_facts.packages"
- rhel9cis_rule_2_1_11
when: rhel9cis_rule_2_1_11
tags:
- level1-server
- automated
@ -375,9 +356,7 @@
- "cups.service"
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
when:
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_1_12
when: rhel9cis_rule_2_1_12
tags:
- level1-server
- level1-workstation
@ -411,9 +390,7 @@
- rpcbind.socket
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
when:
- "'rsync-daemon' in ansible_facts.packages"
- rhel9cis_rule_2_1_13
when: rhel9cis_rule_2_1_13
tags:
- level1-server
- level1-workstation
@ -447,9 +424,7 @@
- 'rsyncd.service'
- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
when:
- "'net-snmp' in ansible_facts.packages"
- rhel9cis_rule_2_1_14
when: rhel9cis_rule_2_1_14
tags:
- level1-server
- level1-workstation
@ -479,9 +454,7 @@
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
when:
- "'telnet-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_15
when: rhel9cis_rule_2_1_15
tags:
- level1-server
- level1-workstation
@ -512,9 +485,7 @@
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
when:
- "'tftp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_16
when: rhel9cis_rule_2_1_16
tags:
- level1-server
- level1-workstation
@ -547,9 +518,7 @@
- 'tftp.service'
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
when:
- "'squid' in ansible_facts.packages"
- rhel9cis_rule_2_117
when: rhel9cis_rule_2_1_17
tags:
- level1-server
- level1-workstation
@ -580,8 +549,7 @@
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
when:
- rhel9cis_rule_2_1_18
when: rhel9cis_rule_2_1_18
tags:
- level1-server
- level1-workstation
@ -597,7 +565,6 @@
when:
- not rhel9cis_httpd_server
- not rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
ansible.builtin.package:
name: httpd
state: absent
@ -606,7 +573,6 @@
when:
- not rhel9cis_nginx_server
- not rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
ansible.builtin.package:
name: nginx
state: absent
@ -615,7 +581,6 @@
when:
- not rhel9cis_httpd_server
- rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: httpd.service
@ -627,7 +592,6 @@
when:
- not rhel9cis_nginx_server
- rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: ngnix.service
@ -636,9 +600,7 @@
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
when:
- "'xinetd' in ansible_facts.packages"
- rhel9cis_rule_2_1_19
when: rhel9cis_rule_2_1_19
tags:
- level1-server
- level1-workstation
@ -670,7 +632,6 @@
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
when:
- not rhel9cis_xwindow_server
- "'xorg-x11-server-common' in ansible_facts.packages"
- rhel9cis_rule_2_1_20
tags:
- level1-server
@ -704,8 +665,7 @@
line: "inet_interfaces = loopback-only"
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
when:
- rhel9cis_rule_2_1_22
when: rhel9cis_rule_2_1_22
tags:
- level1-server
- level1-workstation
@ -717,8 +677,8 @@
vars:
warn_control_id: '2.1.22'
block:
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
ansible.builtin.shell: systemctl list-units --type=service
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" # noqa command-instead-of-module
ansible.builtin.command: systemctl list-units --type=service
changed_when: false
failed_when: discovered_running_services.rc not in [ 0, 1 ]
check_mode: false

5
tasks/section_2/cis_2.2.x.yml
View file

@ -3,7 +3,6 @@
- name: "2.2.1 | PATCH | Ensure ftp client is not installed"
when:
- not rhel9cis_ftp_client
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_1
tags:
- level1-server
@ -20,7 +19,6 @@
- name: "2.2.2 | PATCH | Ensure ldap client is not installed"
when:
- not rhel9cis_openldap_clients_required
- "'openldap-clients' in ansible_facts.packages"
- rhel9cis_rule_2_2_2
tags:
- level2-server
@ -37,7 +35,6 @@
- name: "2.2.3 | PATCH | Ensure nis client is not installed"
when:
- not rhel9cis_ypbind_required
- "'ypbind' in ansible_facts.packages"
- rhel9cis_rule_2_2_3
tags:
- level1-server
@ -54,7 +51,6 @@
- name: "2.2.4 | PATCH | Ensure telnet client is not installed"
when:
- not rhel9cis_telnet_required
- "'telnet' in ansible_facts.packages"
- rhel9cis_rule_2_2_4
tags:
- level1-server
@ -71,7 +67,6 @@
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
when:
- not rhel9cis_tftp_client
- "'tftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_5
tags:
- level1-server

4
tasks/section_2/cis_2.3.x.yml
View file

@ -31,7 +31,7 @@
dest: /etc/chrony.conf
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
when:
@ -48,4 +48,4 @@
line: OPTIONS="\1 -u chrony"
create: true
backrefs: true
mode: '0644'
mode: 'go-wx'

43
tasks/section_2/cis_2.4.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
when:
- rhel9cis_rule_2_4_1_1
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server
- level1-workstation
@ -19,8 +18,7 @@
enabled: true
- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
when:
- rhel9cis_rule_2_4_1_2
when: rhel9cis_rule_2_4_1_2
tags:
- level1-server
- level1-workstation
@ -33,11 +31,10 @@
path: /etc/crontab
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
when:
- rhel9cis_rule_2_4_1_3
when: rhel9cis_rule_2_4_1_3
tags:
- level1-server
- level1-workstation
@ -51,11 +48,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
when:
- rhel9cis_rule_2_4_1_4
when: rhel9cis_rule_2_4_1_4
tags:
- level1-server
- level1-workstation
@ -67,11 +63,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
when:
- rhel9cis_rule_2_4_1_5
when: rhel9cis_rule_2_4_1_5
tags:
- level1-server
- level1-workstation
@ -84,11 +79,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
when:
- rhel9cis_rule_2_4_1_6
when: rhel9cis_rule_2_4_1_6
tags:
- level1-server
- level1-workstation
@ -101,11 +95,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
when:
- rhel9cis_rule_2_4_1_7
when: rhel9cis_rule_2_4_1_7
tags:
- level1-server
- level1-workstation
@ -119,11 +112,10 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'og-rwx'
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
when:
- rhel9cis_rule_2_4_1_8
when: rhel9cis_rule_2_4_1_8
tags:
- level1-server
- level1-workstation
@ -149,11 +141,10 @@
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
when:
- rhel9cis_rule_2_4_2_1
when: rhel9cis_rule_2_4_2_1
tags:
- level1-server
- level1-workstation
@ -179,4 +170,4 @@
state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'

7
tasks/section_3/cis_3.1.x.yml
View file

@ -40,7 +40,7 @@
block:
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
when: "'network-manager' in ansible_facts.packages"
ansible.builtin.shell: nmcli radio wifi
ansible.builtin.command: nmcli radio wifi
changed_when: false
failed_when: false
check_mode: false
@ -50,7 +50,7 @@
when:
- "'network-manager' in ansible_facts.packages"
- "'enabled' in discovered_wifi_status.stdout"
ansible.builtin.shell: nmcli radio all off
ansible.builtin.command: nmcli radio all off
changed_when: discovered_nmcli_radio_off.rc == 0
register: discovered_nmcli_radio_off
@ -65,8 +65,7 @@
file: warning_facts.yml
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
when:
- rhel9cis_rule_3_1_3
when: rhel9cis_rule_3_1_3
tags:
- level1-server
- level2-workstation

24
tasks/section_3/cis_3.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available"
when:
- rhel9cis_rule_3_2_1
when: rhel9cis_rule_3_2_1
tags:
- level2-server
- level2-workstation
@ -18,6 +17,7 @@
regexp: '^(#)?install dccp(\\s|$)'
line: "{{ item }}"
create: true
mode: 'go-wx'
loop:
- install dccp /bin/true
- blacklist dccp
@ -28,11 +28,10 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'go-wx'
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
when:
- rhel9cis_rule_3_2_2
when: rhel9cis_rule_3_2_2
tags:
- level2-server
- level2-workstation
@ -48,6 +47,7 @@
regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}"
create: true
mode: 'go-wx'
loop:
- install tipc /bin/true
- blacklist tipc
@ -58,11 +58,10 @@
regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc"
create: true
mode: '0600'
mode: 'go-wx'
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
when:
- rhel9cis_rule_3_2_3
when: rhel9cis_rule_3_2_3
tags:
- level2-server
- level2-workstation
@ -78,6 +77,7 @@
regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}"
create: true
mode: 'go-wx'
loop:
- install rds /bin/true
- blacklist rds
@ -88,11 +88,10 @@
regexp: "^(#)?blacklist rds(\\s|$)"
line: "blacklist rds"
create: true
mode: '0600'
mode: 'go-wx'
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
when:
- rhel9cis_rule_3_2_4
when: rhel9cis_rule_3_2_4
tags:
- level2-server
- level2-workstation
@ -108,6 +107,7 @@
regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}"
create: true
mode: 'go-wx'
loop:
- install sctp /bin/true
- blacklist sctp
@ -118,4 +118,4 @@
regexp: "^(#)?blacklist sctp(\\s|$)"
line: "blacklist sctp"
create: true
mode: '0600'
mode: 'go-wx'

24
tasks/section_3/cis_3.3.x.yml
View file

@ -61,8 +61,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
when:
- rhel9cis_rule_3_3_3
when: rhel9cis_rule_3_3_3
tags:
- level1-server
- level1-workstation
@ -85,8 +84,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
when:
- rhel9cis_rule_3_3_4
when: rhel9cis_rule_3_3_4
tags:
- level1-server
- level1-workstation
@ -109,8 +107,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
when:
- rhel9cis_rule_3_3_5
when: rhel9cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
@ -144,8 +141,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
when:
- rhel9cis_rule_3_3_6
when: rhel9cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
@ -179,8 +175,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
when:
- rhel9cis_rule_3_3_7
when: rhel9cis_rule_3_3_7
tags:
- level1-server
- level1-workstation
@ -203,8 +198,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted"
when:
- rhel9cis_rule_3_3_8
when: rhel9cis_rule_3_3_8
tags:
- level1-server
- level1-workstation
@ -237,8 +231,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
when:
- rhel9cis_rule_3_3_9
when: rhel9cis_rule_3_3_9
tags:
- level1-server
- level1-workstation
@ -257,8 +250,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
when:
- rhel9cis_rule_3_3_10
when: rhel9cis_rule_3_3_10
tags:
- level1-server
- level1-workstation

5
tasks/section_4/cis_4.1.x.yml
View file

@ -17,8 +17,7 @@
state: present
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
when:
- rhel9cis_rule_4_1_2
when: rhel9cis_rule_4_1_2
tags:
- level1-server
- level1-workstation
@ -52,7 +51,7 @@
name: "{{ rhel9cis_firewall }}"
state: installed
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" # noqa name[template]
ansible.builtin.systemd:
name: "{{ rhel9cis_firewall }}"
enabled: true

6
tasks/section_4/cis_4.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
when:
- rhel9cis_rule_4_2_1
when: rhel9cis_rule_4_2_1
tags:
- level1-server
- level1-workstation
@ -25,8 +24,7 @@
- "{{ discovered_services_and_ports.stdout_lines }}"
- name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld"
when:
- rhel9cis_rule_4_2_2
when: rhel9cis_rule_4_2_2
tags:
- level1-server
- level1-workstation

33
tasks/section_4/cis_4.3.x.yml
View file

@ -8,11 +8,11 @@
- rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4
tags: always
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
changed_when: true
- name: "4.3.1 | PATCH | Ensure nftables base chains exist"
when:
- rhel9cis_rule_4_3_1
when: rhel9cis_rule_4_3_1
tags:
- level1-server
- level1-workstation
@ -52,7 +52,8 @@
- name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
when: rhel9cis_nft_tables_autochaincreate
ansible.builtin.shell: "{{ item }}"
ansible.builtin.command: "{{ item }}"
changed_when: true
failed_when: false
loop:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
@ -60,8 +61,7 @@
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured"
when:
- rhel9cis_rule_4_3_2
when: rhel9cis_rule_4_3_2
tags:
- level1-server
- level1-workstation
@ -84,31 +84,36 @@
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy"
when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy"
when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy"
when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy"
when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy"
when:
- rhel9cis_rule_4_3_3
when: rhel9cis_rule_4_3_3
tags:
- level1-server
- level1-workstation
@ -144,22 +149,25 @@
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured"
when:
- rhel9cis_rule_4_3_4
when: rhel9cis_rule_4_3_4
tags:
- level1-server
- level1-workstation
@ -189,11 +197,14 @@
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables"
when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables"
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
changed_when: true

65
tasks/section_5/cis_5.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
when:
- rhel9cis_rule_5_1_1
when: rhel9cis_rule_5_1_1
tags:
- level1-server
- level1-workstation
@ -16,11 +15,10 @@
path: "/etc/ssh/sshd_config"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
when:
- rhel9cis_rule_5_1_2
when: rhel9cis_rule_5_1_2
tags:
- level1-server
- level1-workstation
@ -50,8 +48,7 @@
label: "{{ item.path }}"
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
when:
- rhel9cis_rule_5_1_3
when: rhel9cis_rule_5_1_3
tags:
- level1-server
- level1-workstation
@ -98,7 +95,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -126,7 +123,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -154,7 +151,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -164,8 +161,7 @@
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
- name: "5.1.7 | PATCH | Ensure sshd access is configured"
when:
- rhel9cis_rule_5_1_7
when: rhel9cis_rule_5_1_7
tags:
- level1-server
- level1-workstation
@ -212,8 +208,7 @@
notify: Restart sshd
- name: "5.1.8 | PATCH | Ensure sshd Banner is configured"
when:
- rhel9cis_rule_5_1_8
when: rhel9cis_rule_5_1_8
tags:
- level1-server
- level1-workstation
@ -231,8 +226,7 @@
line: 'Banner /etc/issue.net'
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
when:
- rhel9cis_rule_5_1_9
when: rhel9cis_rule_5_1_9
tags:
- level1-server
- level1-workstation
@ -262,8 +256,7 @@
notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
when:
- rhel9cis_rule_5_1_10
when: rhel9cis_rule_5_1_10
tags:
- level2-server
- level1-workstation
@ -289,8 +282,7 @@
notify: Restart sshd
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when:
- rhel9cis_rule_5_1_11
when: rhel9cis_rule_5_1_11
tags:
- level1-server
- level1-workstation
@ -320,8 +312,7 @@
notify: Restart sshd
- name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
when:
- rhel9cis_rule_5_1_12
when: rhel9cis_rule_5_1_12
tags:
- level1-server
- level1-workstation
@ -341,8 +332,7 @@
notify: Restart sshd
- name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
when:
- rhel9cis_rule_5_1_13
when: rhel9cis_rule_5_1_13
tags:
- level1-server
- level1-workstation
@ -362,8 +352,7 @@
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
when:
- rhel9cis_rule_5_1_14
when: rhel9cis_rule_5_1_14
tags:
- level1-server
- level1-workstation
@ -379,8 +368,7 @@
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
when:
- rhel9cis_rule_5_1_15
when: rhel9cis_rule_5_1_15
tags:
- level1-server
- level1-workstation
@ -398,8 +386,7 @@
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
when:
- rhel9cis_rule_5_1_16
when: rhel9cis_rule_5_1_16
tags:
- level1-server
- level1-workstation
@ -415,8 +402,7 @@
notify: Restart sshd
- name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
when:
- rhel9cis_rule_5_1_17
when: rhel9cis_rule_5_1_17
tags:
- level1-server
- level1-workstation
@ -436,8 +422,7 @@
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
when:
- rhel9cis_rule_5_1_18
when: rhel9cis_rule_5_1_18
tags:
- level1-server
- level1-workstation
@ -457,8 +442,7 @@
notify: Restart sshd
- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
when:
- rhel9cis_rule_5_1_19
when: rhel9cis_rule_5_1_19
tags:
- level1-server
- level1-workstation
@ -478,8 +462,7 @@
notify: Restart sshd
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
when:
- rhel9cis_rule_5_1_20
when: rhel9cis_rule_5_1_20
tags:
- level1-server
- level1-workstation
@ -503,8 +486,7 @@
notify: Restart sshd
- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
when:
- rhel9cis_rule_5_1_21
when: rhel9cis_rule_5_1_21
tags:
- level1-server
- level1-workstation
@ -524,8 +506,7 @@
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
when:
- rhel9cis_rule_5_1_22
when: rhel9cis_rule_5_1_22
tags:
- level1-server
- level1-workstation

21
tasks/section_5/cis_5.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.2.1 | PATCH | Ensure sudo is installed"
when:
- rhel9cis_rule_5_2_1
when: rhel9cis_rule_5_2_1
tags:
- level1-server
- level1-workstation
@ -15,8 +14,7 @@
state: present
- name: "5.2.2 | PATCH | Ensure sudo commands use pty"
when:
- rhel9cis_rule_5_2_2
when: rhel9cis_rule_5_2_2
tags:
- level1-server
- level1-workstation
@ -30,8 +28,7 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.3 | PATCH | Ensure sudo log file exists"
when:
- rhel9cis_rule_5_2_3
when: rhel9cis_rule_5_2_3
tags:
- level1-server
- level1-workstation
@ -47,8 +44,7 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
when:
- rhel9cis_rule_5_2_4
when: rhel9cis_rule_5_2_4
tags:
- level2-server
- level2-workstation
@ -74,8 +70,7 @@
loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when:
- rhel9cis_rule_5_2_5
when: rhel9cis_rule_5_2_5
tags:
- level1-server
- level1-workstation
@ -101,8 +96,7 @@
loop: "{{ discovered_priv_reauth.stdout_lines }}"
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
when:
- rhel9cis_rule_5_2_6
when: rhel9cis_rule_5_2_6
tags:
- level1-server
- level1-workstation
@ -134,8 +128,7 @@
loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when:
- rhel9cis_rule_5_2_7
when: rhel9cis_rule_5_2_7
tags:
- level1-server
- level1-workstation

35
tasks/section_5/cis_5.3.2.x.yml
View file

@ -17,12 +17,13 @@
when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined
ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
changed_when: true
args:
creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"
- name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features"
ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
changed_when: false
register: discovered_authselect_profile_features
@ -37,7 +38,8 @@
- password
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules"
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
changed_when: true
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
when:
@ -64,9 +66,11 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when:
@ -90,7 +94,8 @@
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
when: discovered_authselect_current_quality.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@ -115,7 +120,8 @@
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
when: discovered_authselect_current_history.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled"
@ -133,8 +139,7 @@
- rule_5.3.2.5
block:
- name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled"
ansible.builtin.shell: |
grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
changed_when: false
failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_discovered_authselect_pam_unix
@ -142,12 +147,12 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
backrefs: true
insertafter: "{{ item.after | default (omit) }}"
insertbefore: "{{ item.before | default (omit) }}"
insertafter: "{{ item.after | default(omit) }}"
insertbefore: "{{ item.before | default(omit) }}"
loop:
- { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' }
- { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
@ -156,12 +161,12 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
backrefs: true
insertafter: "{{ item.after | default (omit) }}"
insertbefore: "{{ item.before | default (omit) }}"
insertafter: "{{ item.after | default(omit) }}"
insertbefore: "{{ item.before | default(omit) }}"
loop:
- { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' }
- { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }

10
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
when:
- rhel9cis_rule_5_3_3_1_1
when: rhel9cis_rule_5_3_3_1_1
tags:
- level1-server
- level1-workstation
@ -44,8 +43,7 @@
notify: Authselect update
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
when:
- rhel9cis_rule_5_3_3_1_2
when: rhel9cis_rule_5_3_3_1_2
tags:
- level1-server
- level1-workstation
@ -87,8 +85,7 @@
notify: Authselect update
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when:
- rhel9cis_rule_5_3_3_1_3
when: rhel9cis_rule_5_3_3_1_3
tags:
- level1-server
- level1-workstation
@ -104,6 +101,7 @@
line: "{{ rhel9cis_pamroot_lock_option }}"
insertafter: '^# end of pam-auth-update config'
create: true
mode: 'go-rwx'
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect"
when:

38
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
when:
- rhel9cis_rule_5_3_3_2_1
when: rhel9cis_rule_5_3_3_2_1
tags:
- level1-server
- level1-workstation
@ -30,7 +29,7 @@
dest: "/{{ rhel9cis_passwd_difok_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect"
when:
@ -58,8 +57,7 @@
notify: Authselect update
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured"
when:
- rhel9cis_rule_5_3_3_2_2
when: rhel9cis_rule_5_3_3_2_2
tags:
- level1-server
- level1-workstation
@ -87,7 +85,7 @@
dest: "/{{ rhel9cis_passwd_minlen_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
@ -115,8 +113,7 @@
notify: Authselect update
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
when:
- rhel9cis_rule_5_3_3_2_3
when: rhel9cis_rule_5_3_3_2_3
tags:
- level1-server
- level1-workstation
@ -144,7 +141,7 @@
dest: "/{{ rhel9cis_passwd_complex_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect"
when:
@ -172,8 +169,7 @@
notify: Authselect update
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
when:
- rhel9cis_rule_5_3_3_2_4
when: rhel9cis_rule_5_3_3_2_4
tags:
- level1-server
- level1-workstation
@ -183,8 +179,7 @@
- pam
block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when:
- item != rhel9cis_passwd_maxrepeat_file
when: item != rhel9cis_passwd_maxrepeat_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
@ -200,7 +195,7 @@
dest: "/{{ rhel9cis_passwd_maxrepeat_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect"
when:
@ -228,8 +223,7 @@
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
when:
- rhel9cis_rule_5_3_3_2_5
when: rhel9cis_rule_5_3_3_2_5
tags:
- level1-server
- level1-workstation
@ -257,7 +251,7 @@
dest: "/{{ rhel9cis_passwd_maxsequence_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect"
when:
@ -285,8 +279,7 @@
notify: Authselect update
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
when:
- rhel9cis_rule_5_3_3_2_6
when: rhel9cis_rule_5_3_3_2_6
tags:
- level1-server
- level1-workstation
@ -313,7 +306,7 @@
dest: "/{{ rhel9cis_passwd_dictcheck_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect"
when:
@ -342,8 +335,7 @@
notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_2_7
when: rhel9cis_rule_5_3_3_2_7
tags:
- level1-server
- level1-workstation
@ -356,4 +348,4 @@
dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
owner: root
group: root
mode: '0600'
mode: 'o-rwx'

9
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
when:
- rhel9cis_rule_5_3_3_3_1
when: rhel9cis_rule_5_3_3_3_1
tags:
- level1-server
- level1-workstation
@ -48,8 +47,7 @@
notify: Authselect update
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_3_2
when: rhel9cis_rule_5_3_3_3_2
tags:
- level1-server
- level1-workstation
@ -95,8 +93,7 @@
notify: Authselect update
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
when:
- rhel9cis_rule_5_3_3_3_3
when: rhel9cis_rule_5_3_3_3_3
tags:
- level1-server
- level1-workstation

12
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -28,8 +28,7 @@
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$)
@ -67,8 +66,7 @@
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$)
@ -107,8 +105,7 @@
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
@ -150,8 +147,7 @@
loop: "{{ discovered_pam_authtok.stdout_lines }}"
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)

42
tasks/section_5/cis_5.4.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
when:
- rhel9cis_rule_5_4_1_1
when: rhel9cis_rule_5_4_1_1
tags:
- level1-server
- level1-workstation
@ -38,8 +37,7 @@
loop: "{{ discovered_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when:
- rhel9cis_rule_5_4_1_2
when: rhel9cis_rule_5_4_1_2
tags:
- level1-server
- level1-workstation
@ -70,8 +68,7 @@
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
when:
- rhel9cis_rule_5_4_1_3
when: rhel9cis_rule_5_4_1_3
tags:
- level1-server
- level1-workstation
@ -96,12 +93,12 @@
- discovered_warn_days.stdout_lines | length > 0
- item in prelim_interactive_usernames.stdout
- rhel9cis_force_user_warnage
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
changed_when: true
loop: "{{ discovered_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
when:
- rhel9cis_rule_5_4_1_4
when: rhel9cis_rule_5_4_1_4
tags:
- level1-server
- level1-workstation
@ -115,8 +112,7 @@
line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}'
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured"
when:
- rhel9cis_rule_5_4_1_5
when: rhel9cis_rule_5_4_1_5
tags:
- level1-server
- level1-workstation
@ -132,23 +128,24 @@
register: discovered_passwdlck_inactive_settings
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
changed_when: true
when: discovered_passwdlck_inactive_settings.stdout | length == 0
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames.stdout
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
- rhel9cis_rule_5_4_1_6
when: rhel9cis_rule_5_4_1_6
tags:
- level1-server
- level1-workstation
@ -172,22 +169,23 @@
register: discovered_passwdlck_user_future
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.shell: passwd --expire {{ item }}
when:
- discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
ansible.builtin.command: passwd --expire {{ item }}
changed_when: true
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"

19
tasks/section_5/cis_5.4.2.x.yml
View file

@ -17,7 +17,7 @@
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.shell: passwd -l {{ item }}
ansible.builtin.command: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}"
@ -56,8 +56,7 @@
loop: "{{ discovered_gid0_members.stdout_lines }}"
- name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group"
when:
- rhel9cis_rule_5_4_2_3
when: rhel9cis_rule_5_4_2_3
tags:
- level1-server
- level1-workstation
@ -96,8 +95,7 @@
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
when:
- rhel9cis_rule_5_4_2_4
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
@ -108,8 +106,7 @@
msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
when:
- rhel9cis_rule_5_4_2_5
when: rhel9cis_rule_5_4_2_5
tags:
- level1-server
- level1-workstation
@ -172,15 +169,14 @@
state: directory
owner: root
group: root
mode: '0755'
mode: 'go-w'
follow: false
loop: "{{ discovered_root_path_perms.results }}"
loop_control:
label: "{{ item }}"
- name: "5.4.2.6 | PATCH | Ensure root user umask is configured"
when:
- rhel9cis_rule_5_4_2_6
when: rhel9cis_rule_5_4_2_6
tags:
- level1-server
- level1-workstation
@ -194,6 +190,9 @@
regexp: \s*umask
line: "umask {{ rhel9cis_root_umask }}"
create: true
owner: root
group: root
mode: 'go-rwx'
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when:

11
tasks/section_5/cis_5.4.3.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells"
when:
- rhel9cis_rule_5_4_3_1
when: rhel9cis_rule_5_4_3_1
tags:
- level2-server
- level2-workstation
@ -20,8 +19,7 @@
replace: ""
- name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured"
when:
- rhel9cis_rule_5_4_3_2
when: rhel9cis_rule_5_4_3_2
tags:
- level1-server
- level1-workstation
@ -33,7 +31,7 @@
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: '0644'
mode: 'go-wx'
block: |
TMOUT={{ rhel9cis_shell_session_timeout }}
readonly TMOUT
@ -43,8 +41,7 @@
- { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" }
- name: "5.4.3.3 | PATCH | Ensure default user umask is configured"
when:
- rhel9cis_rule_5_4_3_3
when: rhel9cis_rule_5_4_3_3
tags:
- level1-server
- level1-workstation

12
tasks/section_6/cis_6.1.x.yml
View file

@ -19,10 +19,11 @@
register: discovered_aide_installed
- name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
when: discovered_aide_installed.changed # noqa: no-handler
when: discovered_aide_installed.changed # noqa no-handler
block:
- name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
ansible.builtin.shell: /usr/sbin/aide --init
ansible.builtin.command: /usr/sbin/aide --init
changed_when: true
- name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing"
ansible.builtin.wait_for:
@ -33,6 +34,7 @@
src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz
remote_src: true
mode: 'go-wx'
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
when:
@ -62,15 +64,15 @@
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd:
ansible.builtin.systemd_service:
name: aidecheck.service
enabled: true
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd:
ansible.builtin.systemd_service:
name: aidecheck.timer
state: running
state: started
enabled: true
- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"

16
tasks/section_6/cis_6.2.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active"
when:
- rhel9cis_rule_6_2_1_1
when: rhel9cis_rule_6_2_1_1
tags:
- level1-server
- level1-workstation
@ -15,8 +14,7 @@
state: started
- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured"
when:
- rhel9cis_rule_6_2_1_2
when: rhel9cis_rule_6_2_1_2
tags:
- level1-server
- level1-workstation
@ -27,7 +25,7 @@
- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
ansible.builtin.file:
path: /usr/lib/tmpfiles.d/systemd.conf
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
ansible.builtin.stat:
@ -58,8 +56,7 @@
warn_control_id: '6.2.1.2'
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured"
when:
- rhel9cis_rule_6_2_1_3
when: rhel9cis_rule_6_2_1_3
tags:
- level1-server
- level1-workstation
@ -74,7 +71,7 @@
dest: /etc/systemd/journald.conf.d/rotation.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
ansible.builtin.replace:
@ -89,8 +86,7 @@
- '^(\s*MaxFileSec\s*=.*)'
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use"
when:
- rhel9cis_rule_6_2_1_4
when: rhel9cis_rule_6_2_1_4
tags:
- level1-server
- level1-workstation

15
tasks/section_6/cis_6.2.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
when:
- rhel9cis_rule_6_2_2_2
when: rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
@ -21,7 +20,7 @@
dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
@ -30,8 +29,7 @@
replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
when:
- rhel9cis_rule_6_2_2_3
when: rhel9cis_rule_6_2_2_3
tags:
- level1-server
- level1-workstation
@ -47,7 +45,7 @@
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
@ -56,8 +54,7 @@
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
when:
- rhel9cis_rule_6_2_2_4
when: rhel9cis_rule_6_2_2_4
tags:
- level1-server
- level1-workstation
@ -74,7 +71,7 @@
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:

20
tasks/section_6/cis_6.2.3.x.yml
View file

@ -18,8 +18,7 @@
state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
when:
- rhel9cis_rule_6_2_3_2
when: rhel9cis_rule_6_2_3_2
tags:
- level1-server
- level1-workstation
@ -35,8 +34,7 @@
state: started
- name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
when:
- rhel9cis_rule_6_2_3_3
when: rhel9cis_rule_6_2_3_3
tags:
- level1-server
- level1-workstation
@ -54,8 +52,7 @@
notify: Restart rsyslog
- name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
when:
- rhel9cis_rule_6_2_3_4
when: rhel9cis_rule_6_2_3_4
tags:
- level1-server
- level1-workstation
@ -72,8 +69,7 @@
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
when:
- rhel9cis_rule_6_2_3_5
when: rhel9cis_rule_6_2_3_5
tags:
- level1-server
- level1-workstation
@ -200,8 +196,7 @@
notify: Restart rsyslog
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
when:
- rhel9cis_rule_6_2_3_7
when: rhel9cis_rule_6_2_3_7
tags:
- level1-server
- level1-workstation
@ -238,8 +233,7 @@
- 'InputTCPServerRun'
- name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured"
when:
- rhel9cis_rule_6_2_3_8
when: rhel9cis_rule_6_2_3_8
tags:
- level1-server
- level1-workstation
@ -266,4 +260,4 @@
dest: /etc/logrotate.d/rsyslog.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'

3
tasks/section_6/cis_6.2.4.1.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured"
when:
- rhel9cis_rule_6_2_4_1
when: rhel9cis_rule_6_2_4_1
tags:
- level1-server
- level1-workstation

22
tasks/section_6/cis_6.3.1.x.yml
View file

@ -27,8 +27,7 @@
state: present
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when:
- rhel9cis_rule_6_3_1_2
when: rhel9cis_rule_6_3_1_2
tags:
- level2-server
- level2-workstation
@ -49,11 +48,11 @@
- discovered_grubby_curr_value_audit_linux.stdout == '' or
'0' in discovered_grubby_curr_value_audit_linux.stdout or
'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
changed_when: true
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
when:
- rhel9cis_rule_6_3_1_3
when: rhel9cis_rule_6_3_1_3
tags:
- level2-server
- level2-workstation
@ -81,21 +80,18 @@
discovered_reset_backlog_limits: true
- name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
when:
- (item | int < rhel9cis_audit_back_log_limit)
when: (item | int < rhel9cis_audit_back_log_limit)
ansible.builtin.set_fact:
discovered_reset_backlog_limits: true
loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
when:
- discovered_reset_backlog_limits is defined
ansible.builtin.shell:
cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
when: discovered_reset_backlog_limits is defined
ansible.builtin.command: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
changed_when: true
- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
when:
- rhel9cis_rule_6_3_1_4
when: rhel9cis_rule_6_3_1_4
tags:
- level2-server
- level2-workstation

12
tasks/section_6/cis_6.3.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured"
when:
- rhel9cis_rule_6_3_2_1
when: rhel9cis_rule_6_3_2_1
tags:
- level2-server
- level2-workstation
@ -17,8 +16,7 @@
notify: Restart auditd
- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
when:
- rhel9cis_rule_6_3_2_2
when: rhel9cis_rule_6_3_2_2
tags:
- level2-server
- level2-workstation
@ -33,8 +31,7 @@
notify: Restart auditd
- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
when:
- rhel9cis_rule_6_3_2_3
when: rhel9cis_rule_6_3_2_3
tags:
- level2-server
- level2-workstation
@ -55,8 +52,7 @@
- { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' }
- name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space"
when:
- rhel9cis_rule_6_3_2_4
when: rhel9cis_rule_6_3_2_4
tags:
- level2-server
- level2-workstation

66
tasks/section_6/cis_6.3.3.x.yml
View file

@ -2,8 +2,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
when:
- rhel9cis_rule_6_3_3_1
when: rhel9cis_rule_6_3_3_1
tags:
- level2-server
- level2-workstation
@ -16,8 +15,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
when:
- rhel9cis_rule_6_3_3_2
when: rhel9cis_rule_6_3_3_2
tags:
- level2-server
- level2-workstation
@ -30,8 +28,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
when:
- rhel9cis_rule_6_3_3_3
when: rhel9cis_rule_6_3_3_3
tags:
- level2-server
- level2-workstation
@ -43,8 +40,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
when:
- rhel9cis_rule_6_3_3_4
when: rhel9cis_rule_6_3_3_4
tags:
- level2-server
- level2-workstation
@ -58,8 +54,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
when:
- rhel9cis_rule_6_3_3_5
when: rhel9cis_rule_6_3_3_5
tags:
- level2-server
- level2-workstation
@ -73,8 +68,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
when:
- rhel9cis_rule_6_3_3_6
when: rhel9cis_rule_6_3_3_6
tags:
- level2-server
- level2-workstation
@ -97,8 +91,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
when:
- rhel9cis_rule_6_3_3_7
when: rhel9cis_rule_6_3_3_7
tags:
- level2-server
- level2-workstation
@ -111,8 +104,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
when:
- rhel9cis_rule_6_3_3_8
when: rhel9cis_rule_6_3_3_8
tags:
- level2-server
- level2-workstation
@ -125,8 +117,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
when:
- rhel9cis_rule_6_3_3_9
when: rhel9cis_rule_6_3_3_9
tags:
- level2-server
- level2-workstation
@ -140,8 +131,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
when:
- rhel9cis_rule_6_3_3_10
when: rhel9cis_rule_6_3_3_10
tags:
- level2-server
- level2-workstation
@ -154,8 +144,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
when:
- rhel9cis_rule_6_3_3_11
when: rhel9cis_rule_6_3_3_11
tags:
- level2-server
- level2-workstation
@ -168,8 +157,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
when:
- rhel9cis_rule_6_3_3_12
when: rhel9cis_rule_6_3_3_12
tags:
- level2-server
- level2-workstation
@ -182,8 +170,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
when:
- rhel9cis_rule_6_3_3_13
when: rhel9cis_rule_6_3_3_13
tags:
- level2-server
- level2-workstation
@ -197,8 +184,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
when:
- rhel9cis_rule_6_3_3_14
when: rhel9cis_rule_6_3_3_14
tags:
- level2-server
- level2-workstation
@ -212,8 +198,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
when:
- rhel9cis_rule_6_3_3_15
when: rhel9cis_rule_6_3_3_15
tags:
- level2-server
- level2- workstation
@ -228,8 +213,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
when:
- rhel9cis_rule_6_3_3_16
when: rhel9cis_rule_6_3_3_16
tags:
- level2-server
- level2-workstation
@ -244,8 +228,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
when:
- rhel9cis_rule_6_3_3_17
when: rhel9cis_rule_6_3_3_17
tags:
- level2-server
- level2-workstation
@ -260,8 +243,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
when:
- rhel9cis_rule_6_3_3_18
when: rhel9cis_rule_6_3_3_18
tags:
- level2-server
- level2-workstation
@ -276,8 +258,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
when:
- rhel9cis_rule_6_3_3_19
when: rhel9cis_rule_6_3_3_19
tags:
- level2-server
- level2-workstation
@ -291,8 +272,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
when:
- rhel9cis_rule_6_3_3_20
when: rhel9cis_rule_6_3_3_20
tags:
- level2-server
- level2-workstation
@ -306,8 +286,7 @@
update_audit_template: true
- name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
when:
- rhel9cis_rule_6_3_3_21
when: rhel9cis_rule_6_3_3_21
tags:
- level2-server
- level2-workstation
@ -321,8 +300,7 @@
- "Please run augenrules --load if you suspect there is a configuration that is not active"
- name: Auditd | 6.3.3.x | Auditd controls updated
when:
- update_audit_template
when: update_audit_template
ansible.builtin.debug:
msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
changed_when: false

21
tasks/section_6/cis_6.3.4.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured"
when:
- rhel9cis_rule_6_3_4_1
when: rhel9cis_rule_6_3_4_1
tags:
- level2-server
- level2-workstation
@ -39,8 +38,7 @@
group: root
- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
when:
- rhel9cis_rule_6_3_4_5
when: rhel9cis_rule_6_3_4_5
tags:
- level2-server
- level2-workstation
@ -57,8 +55,7 @@
label: "{{ item.path }}"
- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured"
when:
- rhel9cis_rule_6_3_4_6
when: rhel9cis_rule_6_3_4_6
tags:
- level2-server
- level2-workstation
@ -75,8 +72,7 @@
label: "{{ item.path }}"
- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured"
when:
- rhel9cis_rule_6_3_4_7
when: rhel9cis_rule_6_3_4_7
tags:
- level2-server
- level2-workstation
@ -93,8 +89,7 @@
label: "{{ item.path }}"
- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured"
when:
- rhel9cis_rule_6_3_4_8
when: rhel9cis_rule_6_3_4_8
tags:
- level2-server
- level2-workstation
@ -114,8 +109,7 @@
- /sbin/augenrules
- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured"
when:
- rhel9cis_rule_6_3_4_9
when: rhel9cis_rule_6_3_4_9
tags:
- level2-server
- level2-workstation
@ -135,8 +129,7 @@
- /sbin/augenrules
- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured"
when:
- rhel9cis_rule_6_3_4_10
when: rhel9cis_rule_6_3_4_10
tags:
- level2-server
- level2-workstation

14
tasks/section_7/cis_7.1.x.yml
View file

@ -83,7 +83,7 @@
path: /etc/shadow
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when:
@ -100,7 +100,7 @@
path: /etc/shadow-
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when:
@ -117,7 +117,7 @@
path: /etc/gshadow
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when:
@ -134,7 +134,7 @@
path: /etc/gshadow-
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when:
@ -196,7 +196,7 @@
- rhel9cis_no_world_write_adjust
ansible.builtin.file:
path: '{{ item }}'
mode: o-w
mode: 'o-w'
state: touch
loop: "{{ discovered_world_writable.stdout_lines }}"
@ -221,7 +221,7 @@
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
@ -283,7 +283,7 @@
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false

2
tasks/section_7/cis_7.2.x.yml
View file

@ -237,7 +237,7 @@
- users
- rule_7.2.8
block:
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions
ansible.builtin.file:
path: "{{ item.dir }}"
state: directory

3
tasks/warning_facts.yml
View file

@ -1,5 +1,4 @@
---
# This task is used to create variables used in giving a warning summary for manual tasks
# that need attention
#
@ -14,7 +13,7 @@
#
# warn_count the main variable for the number of warnings and each time a warn_control_id is added
# the count increases by a value of 1
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning."
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template]
ansible.builtin.set_fact:
warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
warn_count: "{{ warn_count | int + 1 }}"

2
templates/audit/98_auditd_exception.rules.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
### YOUR CHANGES WILL BE LOST!
# This file contains users whose actions are not logged by auditd

2
templates/audit/99_auditd.rules.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
### YOUR CHANGES WILL BE LOST!
# This template will set all of the auditd configurations via a handler in the role in one task instead of individually

2
templates/etc/cron.d/aide.cron.j2
View file

@ -1,7 +1,7 @@
# Run AIDE integrity check
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
### YOUR CHANGES WILL BE LOST!
# CIS 1.3.2

2
templates/etc/dconf/db/00-automount_lock.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
# Lock desktop media-handling automount setting
/org/gnome/desktop/media-handling/automount

2
templates/etc/dconf/db/00-autorun_lock.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/autorun-never

2
templates/etc/dconf/db/00-media-automount.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
[org/gnome/desktop/media-handling]
automount=false

2
templates/etc/dconf/db/00-media-autorun.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
[org/gnome/desktop/media-handling]
autorun-never=true

2
templates/etc/dconf/db/00-screensaver.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
# Specify the dconf path
[org/gnome/desktop/session]

2
templates/etc/dconf/db/00-screensaver_lock.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
# Lock desktop screensaver idle-delay setting
/org/gnome/desktop/session/idle-delay

2
templates/etc/dconf/db/gdm.d/01-banner-message.j2
View file

@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
# provided by Mindpoint Group - A Tyto Athene Company
[org/gnome/login-screen]
banner-message-enable=true

5
templates/fs_with_cves.sh
View file

@ -1,11 +1,8 @@
{% raw %}
#! /usr/bin/env bash
{% raw %}#! /usr/bin/env bash
# Based on original Script provided by CIS
# CVEs correct at time of creation - April2024
#! /usr/bin/env bash
{
a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=()
a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4")

2
vars/audit.yml
View file

@ -35,7 +35,7 @@ audit_format: json
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}}
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }}