section 1 updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2022-04-04 12:07:07 +01:00 · 2022-04-04 12:07:07 +01:00 · 39780562c1
commit 39780562c1
parent bfbcede072
9 changed files with 14 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -13,7 +13,7 @@
 Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released)
 Based on v2.0.0 RHEL8

-Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/)
+Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/)

 ## Join us

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -17,6 +17,10 @@ rhel9cis_section4: true
 rhel9cis_section5: true
 rhel9cis_section6: true

+# This is used for audit purposes to run only specifc level use the tags
+# e.g.
+# - level1-server
+# - level2-workstation
 rhel9cis_level_1: true
 rhel9cis_level_2: true

--- a/tasks/section_1/cis_1.1.3.x.yml
+++ b/tasks/section_1/cis_1.1.3.x.yml
@ -38,7 +38,7 @@
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      state: present
-      opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
+      opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
  with_items:
      - "{{ ansible_mounts }}"
  loop_control:
--- a/tasks/section_1/cis_1.1.4.x.yml
+++ b/tasks/section_1/cis_1.1.4.x.yml
@ -39,7 +39,7 @@
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      state: present
-      opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %}
+      opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}noexec{% endif %}
  with_items:
      - "{{ ansible_mounts }}"
  loop_control:
--- a/tasks/section_1/cis_1.1.5.x.yml
+++ b/tasks/section_1/cis_1.1.5.x.yml
@ -37,7 +37,7 @@
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      state: present
-      opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
+      opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
  with_items:
      - "{{ ansible_mounts }}"
  loop_control:
--- a/tasks/section_1/cis_1.1.8.x.yml
+++ b/tasks/section_1/cis_1.1.8.x.yml
@ -25,7 +25,7 @@
            src: tmpfs
            fstype: tmpfs
            state: mounted
-            opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
+            opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
        when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout"
        notify: change_requires_reboot
  when:
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -44,7 +44,7 @@
      - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
        replace:
            name: "{{ item.path }}"
-            regexp: "^gpgcheck=0"
+            regexp: "^gpgcheck\s*=\s*0"
            replace: "gpgcheck=1"
        with_items:
            - "{{ yum_repos.files }}"
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -3,7 +3,7 @@
 - name: "1.5.1 | PATCH | Ensure core dump storage is disabled"
  lineinfile:
      path: /etc/systemd/coredump.conf
-      regexp: 'Storage='
+      regexp: '^Storage\s*=\s*(?!none).*'
      line: 'Storage=none'
  notify: systemd_daemon_reload
  when:
@ -19,7 +19,7 @@
 - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled"
  lineinfile:
      path: /etc/systemd/coredump.conf
-      regexp: 'ProcessSizeMax='
+      regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
      line: 'ProcessSizeMax=0'
  when:
      - rhel9cis_rule_1_5_2
@ -33,7 +33,7 @@

 - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
  debug:
-      msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+      msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
  notify: 
      - update sysctl
  when:
--- a/tasks/section_1/cis_1.6.1.x.yml
+++ b/tasks/section_1/cis_1.6.1.x.yml
@ -16,7 +16,7 @@
 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
  replace:
      dest: /etc/default/grub
-      regexp: '(selinux|enforcing)\s*=\s*0\s*'
+      regexp: '(selinux|enforcing)\s*=(\s0|0).*'
      replace: ''
  register: selinux_grub_patch
  ignore_errors: yes