ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'devel' into pub_feb26_updates

Browse source 
Signed-off-by: uk-bolly <69214557+uk-bolly@users.noreply.github.com>
This commit is contained in:
uk-bolly 2026-02-12 09:54:10 +00:00 committed by GitHub
commit 3015e2fe2f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 18 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.pre-commit-config.yaml
View file

@ -42,13 +42,13 @@ repos:
name: Detect Secrets test name: Detect Secrets test
- repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/gitleaks/gitleaks
rev: v8.29.1 rev: v8.30.0
hooks: hooks:
- id: gitleaks - id: gitleaks
name: Run Gitleaks test name: Run Gitleaks test
- repo: https://github.com/ansible-community/ansible-lint - repo: https://github.com/ansible-community/ansible-lint
rev: v25.11.0 rev: v26.1.1
hooks: hooks:
- id: ansible-lint - id: ansible-lint
name: Ansible-lint name: Ansible-lint
@ -67,7 +67,7 @@ repos:
# - ansible-core>=2.10.1 # - ansible-core>=2.10.1
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.37.1 # or higher tag rev: v1.38.0 # or higher tag
hooks: hooks:
- id: yamllint - id: yamllint
name: Check YAML Lint name: Check YAML Lint

7
Changelog.md
View file

@ -77,9 +77,11 @@ tidy up tags on tasks/main.yml
- public issue 372 - public issue 372
- allow password with different locale - allow password with different locale
## 2.0.4 - Based on CIS v2.0.0 ## 2.0.4 - Based on CIS v2.0.0
- addressed issue #419, thank you @aaronk1
- addressed issue #418 thank you @bbaassssiiee
- addressed issue #416 thank you @georgenalen and @bbaassssiiee
- addressed issue #393 thank you to @fragglexarmy - addressed issue #393 thank you to @fragglexarmy
- addressed issue #394 thank you to @dbeuker - addressed issue #394 thank you to @dbeuker
- addressed issues #390 and #391 thanks to @polski-g - addressed issues #390 and #391 thanks to @polski-g
@ -88,6 +90,9 @@ tidy up tags on tasks/main.yml
- work flow updates - work flow updates
- audit logic improvements - audit logic improvements
- auditd template 2.19 compatible - auditd template 2.19 compatible
- pre-commit updates
- #410 thanks to @kpi-nourman
- #413 thanks to @bbaassssiiee
## 2.0.3 - Based on CIS v2.0.0 ## 2.0.3 - Based on CIS v2.0.0
- addressed issue #387, thank you @fragglexarmy - addressed issue #387, thank you @fragglexarmy

11
defaults/main.yml
View file

@ -614,14 +614,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true
# -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
# -'FIPS': A level that conforms to the FIPS140-2 requirements # -'FIPS': A level that conforms to the FIPS140-2 requirements
rhel9cis_crypto_policy: 'DEFAULT' rhel9cis_crypto_policy: 'DEFAULT'
# This variable contains the value of the crypto policy module(combinations of policies and ## Control 1.6
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
# - 'OSPP'
# - 'AD-SUPPORT'
# - 'AD-SUPPORT-LEGACY'
rhel9cis_crypto_policy_module: ''
## Controls 1.6.x
# This variable contains the value of the crypto policy module(combinations of policies and # This variable contains the value of the crypto policy module(combinations of policies and
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable. # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
@ -814,6 +807,8 @@ rhel9cis_tftp_client: false
## Control 3.1.1 - Ensure IPv6 status is identified ## Control 3.1.1 - Ensure IPv6 status is identified
# This variable governs whether ipv6 is enabled or disabled. # This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: true rhel9cis_ipv6_required: true
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
rhel9cis_ipv6_disable_method: "sysctl"
# 3.1.1 Disable IPv6 # 3.1.1 Disable IPv6
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel

2
tasks/section_5/cis_5.1.x.yml
View file

@ -433,6 +433,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: (?i)^(#|)\s*MaxStartups regexp: (?i)^(#|)\s*MaxStartups
line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd

8
tasks/section_5/cis_5.3.2.x.yml
View file

@ -93,10 +93,10 @@
loop: loop:
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so" before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so" - regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so" before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons line: "account required pam_faillock.so" # yamllint disable-line rule:colons
@ -112,10 +112,10 @@
loop: loop:
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so" before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so" - regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so" before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons line: "account required pam_faillock.so" # yamllint disable-line rule:colons