mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2026-03-25 14:27:12 +00:00
Merge pull request #33 from ansible-lockdown/audit_only_fetch
Audit only fetch
This commit is contained in:
uk-bolly
GitHub
commit
383822d107
7 changed files with 34 additions and 14 deletions
|
|
@ -1,6 +1,12 @@
|
|||
# Changes to rhel9CIS
|
||||
|
||||
|
||||
## Based on CIS v2.0.0
|
||||
|
||||
Update to audit_only to allow fetching results
|
||||
resolved false warning for fetch audit
|
||||
Improved documentation and variable compilation for crypto policies
|
||||
|
||||
## 2.0.1 - Based on CIS v2.0.0
|
||||
|
||||
- Thanks to @polski-g several issues and improvements added
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ os_check: true
|
|||
# Disruption is high
|
||||
## Run tests that are considered higher risk and could have a system impact if not properly tested
|
||||
## Default false
|
||||
## Will be fine if clean new un configured build
|
||||
## Will be fine if clean new un-configured build
|
||||
rhel9cis_disruption_high: false
|
||||
|
||||
## Switching on/off specific baseline sections
|
||||
|
|
@ -37,6 +37,7 @@ rhel9cis_level_2: true
|
|||
# Create managed not custom local_facts files
|
||||
create_benchmark_facts: true
|
||||
ansible_facts_path: /etc/ansible/facts.d
|
||||
|
||||
## Section 1.6 - Mandatory Access Control
|
||||
# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting
|
||||
# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
|
||||
|
|
@ -111,7 +112,7 @@ audit_conf_dest: "/opt"
|
|||
# Where the audit logs are stored
|
||||
audit_log_dir: '/opt'
|
||||
|
||||
## Ability to collect and take audit files moving to a centralised location
|
||||
## Ability to collect and take audit files moving to a centralized location
|
||||
# This enables the collection of the files from the host
|
||||
fetch_audit_output: false
|
||||
|
||||
|
|
@ -238,7 +239,7 @@ rhel9cis_rule_1_8_8: true
|
|||
rhel9cis_rule_1_8_9: true
|
||||
rhel9cis_rule_1_8_10: true
|
||||
|
||||
# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
|
||||
# Section 2 rules are controling Services (Special Purpose Services, and service clients)
|
||||
## Configure Server Services
|
||||
rhel9cis_rule_2_1_1: true
|
||||
rhel9cis_rule_2_1_2: true
|
||||
|
|
@ -579,8 +580,8 @@ rhel9cis_crypto_policy: 'DEFAULT'
|
|||
## Control 1.6
|
||||
# This variable contains the value of the crypto policy module(combinations of policies and
|
||||
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
|
||||
# using 'rhel9cis_allowed_crypto_policies_modules' variable.
|
||||
rhel9cis_crypto_policy_module: ''
|
||||
# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
|
||||
rhel9cis_additional_crypto_policy_module: ''
|
||||
|
||||
## Controls:
|
||||
# - 1.7.1 - Ensure message of the day is configured properly
|
||||
|
|
@ -816,7 +817,7 @@ rhel9cis_sshd_clientalivecountmax: 3
|
|||
rhel9cis_sshd_clientaliveinterval: 15
|
||||
|
||||
## Control 5.1.12 - disable forwarding
|
||||
# By Default this will also disable x11 forwarding
|
||||
# By Default this will also disablex11 forwarding
|
||||
# set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
|
||||
rhel9cis_sshd_x11forwarding: 'no'
|
||||
|
||||
|
|
@ -1046,14 +1047,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive
|
|||
# These are discovered via logins.def if set true
|
||||
rhel9cis_discover_int_uid: true
|
||||
# This variable sets the minimum number from which to search for UID
|
||||
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
|
||||
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
|
||||
# been set to `true`.
|
||||
min_int_uid: 1000
|
||||
### Controls:
|
||||
# - Ensure local interactive user home directories exist
|
||||
# - Ensure local interactive users own their home directories
|
||||
# This variable sets the maximum number at which the search stops for UID
|
||||
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
|
||||
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
|
||||
# been set to `true`.
|
||||
max_int_uid: 65533
|
||||
|
||||
|
|
|
|||
|
|
@ -186,7 +186,7 @@
|
|||
|
||||
- name: Update Crypto Policy
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
|
||||
rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"
|
||||
notify: Set Crypto Policy
|
||||
|
||||
- name: Set Crypto Policy
|
||||
|
|
|
|||
|
|
@ -1,10 +1,17 @@
|
|||
---
|
||||
|
||||
- name: Audit_only | Fetch audit files
|
||||
when:
|
||||
- fetch_audit_output
|
||||
- audit_only
|
||||
ansible.builtin.import_tasks:
|
||||
file: fetch_audit_output.yml
|
||||
|
||||
- name: Audit_only | Show Audit Summary
|
||||
when: audit_only
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ audit_results.split('\n') }}"
|
||||
|
||||
- name: Audit_only | Stop Playbook Audit Only selected
|
||||
- name: Audit_only | Stop task for host as audit_only selected
|
||||
when: audit_only
|
||||
ansible.builtin.meta: end_play
|
||||
ansible.builtin.meta: end_host
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
src: "{{ item }}"
|
||||
dest: "{{ audit_output_destination }}"
|
||||
flat: true
|
||||
changed_when: true
|
||||
failed_when: false
|
||||
register: discovered_audit_fetch_state
|
||||
loop:
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@
|
|||
- crypto
|
||||
- NIST800-53R5_SC-6
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
|
||||
that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
|
||||
fail_msg: "Crypto policy module is not a permitted version"
|
||||
success_msg: "Crypto policy module is a permitted version"
|
||||
|
||||
|
|
@ -132,9 +132,8 @@
|
|||
- rule_5.4.2.4
|
||||
block:
|
||||
- name: "Ensure root password is set"
|
||||
ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
|
||||
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
|
||||
changed_when: false
|
||||
failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
|
||||
register: prelim_root_passwd_set
|
||||
|
||||
- name: "Ensure root password is set"
|
||||
|
|
|
|||
|
|
@ -7,10 +7,16 @@ rhel9cis_allowed_crypto_policies:
|
|||
- 'FUTURE'
|
||||
- 'FIPS'
|
||||
|
||||
# Following is left blank for ability to build string
|
||||
rhel9cis_crypto_policy_module: ''
|
||||
|
||||
# Do not adjust these are recognized as part of the CIS benchmark and used during testing
|
||||
rhel9cis_allowed_crypto_policies_modules:
|
||||
# Recognized by CIS as possible extra options
|
||||
- 'OSPP'
|
||||
- 'AD-SUPPORT'
|
||||
- 'AD-SUPPORT-LEGACY'
|
||||
# The following are already included in 1.6.x controls
|
||||
- 'NO-SHA1'
|
||||
- 'NO-SSHCBC'
|
||||
- 'NO-SSHETM'
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue