ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge pull request #317 from ansible-lockdown/improvements

Browse source 
Improvements
This commit is contained in:
uk-bolly 2025-04-15 14:06:32 +01:00 committed by GitHub
commit 4c47bb5b6b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 51 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

6
defaults/main.yml
View file

@ -1,7 +1,8 @@
---
# defaults file for rhel9-cis
# WARNING:
# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
# These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
# Run the OS validation check
@ -36,6 +37,7 @@ rhel9cis_level_2: true
# Create managed not custom local_facts files
create_benchmark_facts: true
ansible_facts_path: /etc/ansible/facts.d
## Section 1.6 - Mandatory Access Control
# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting
# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
@ -85,7 +87,7 @@ audit_capture_files_dir: /some/location to copy to on control node
# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
# you will need to access to either github or the file already downloaded
get_audit_binary_method: download
## if get_audit_binary_method - copy the following needs to be updated for your environment

8
tasks/audit_only.yml
View file

@ -9,14 +9,6 @@
delegate_to: localhost
become: false
- name: Audit_only | Get audits from systems and put in group dir
when: fetch_audit_files
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: 'go-wx'
src: "{{ pre_audit_outfile }}"
- name: Audit_only | Show Audit Summary
when: audit_only
ansible.builtin.debug:

20
tasks/fetch_audit_output.yml
View file

@ -2,7 +2,7 @@
# Stage to copy audit output to a centralised location
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller"
- name: "POST | FETCH | Fetch files and copy to controller"
when: audit_output_collection_method == "fetch"
ansible.builtin.fetch:
src: "{{ item }}"
@ -17,7 +17,7 @@
# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
# Allowing backup to one location
- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
- name: "POST | FETCH | Copy files to location available to managed node"
when: audit_output_collection_method == "copy"
ansible.builtin.copy:
src: "{{ item }}"
@ -25,21 +25,21 @@
mode: 'u-x,go-wx'
flat: true
failed_when: false
register: discovered_audit_fetch_copy_state
register: discovered_audit_copy_state
loop:
- pre_audit_outfile
- post_audit_outfile
- "{{ pre_audit_outfile }}"
- "{{ post_audit_outfile }}"
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
when:
- (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or
(discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed)
- (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
(audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
block:
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
ansible.builtin.debug:
msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
vars:
warn_control_id: "FETCH_AUDIT_FILES"
ansible.builtin.import_tasks:

13
tasks/main.yml
View file

@ -213,13 +213,16 @@
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
- name: Add ansible file showing Benchmark and levels applied
when: create_benchmark_facts
- name: Add ansible file showing Benchmark and levels applied if audit details not present
when:
- create_benchmark_facts
- (post_audit_summary is defined) or
(ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
tags:
- always
- benchmark
block:
- name: Create ansible facts directory
- name: Create ansible facts directory if audit facts not present
ansible.builtin.file:
path: "{{ ansible_facts_path }}"
state: directory
@ -227,13 +230,13 @@
group: root
mode: 'u=rwx,go=rx'
- name: Create ansible facts file
- name: Create ansible facts file and levels applied if audit facts not present
ansible.builtin.template:
src: etc/ansible/compliance_facts.j2
dest: "{{ ansible_facts_path }}/compliance_facts.fact"
owner: root
group: root
mode: "u-x,go-wx"
mode: 'u-x,go=r'
- name: Fetch audit files
when:

46
tasks/section_5/cis_5.1.x.yml
View file

@ -6,7 +6,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- permissions
- rule_5.1.1
- NIST800-53R5_AC-3
@ -23,7 +23,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- permissions
- rule_5.1.2
- NIST800-53R5_AC-3
@ -53,7 +53,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
@ -166,7 +166,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.7
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
@ -195,6 +195,8 @@
path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s
notify: Restart sshd
@ -213,7 +215,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.8
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -231,7 +233,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.9
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -261,7 +263,7 @@
- level2-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.10
- NIST800-53R5_CM-7
block:
@ -287,7 +289,7 @@
- level1-server
- level1-workstation
- patch
- sshs
- sshd
- rule_5.1.11
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -317,7 +319,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.12
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -337,7 +339,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.13
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -348,6 +350,8 @@
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*IgnoreRhosts
line: 'IgnoreRhosts yes'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s
notify: Restart sshd
@ -357,13 +361,15 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.14
- NIST800-53R5_CM-6
ansible.builtin.lineinfile:
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LoginGraceTime
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s
notify: Restart sshd
@ -373,7 +379,7 @@
- level1-server
- level1-workstation
- patch
- sshs
- sshd
- rule_5.1.15
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
@ -382,6 +388,8 @@
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LogLevel
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s
notify: Restart sshd
@ -391,7 +399,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.16
- NIST800-53R5_AU-3
ansible.builtin.lineinfile:
@ -407,7 +415,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.17
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -427,7 +435,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.18
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -447,7 +455,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.19
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -467,7 +475,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.20
- NIST800-53R5_AC-6
block:
@ -491,7 +499,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.21
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
@ -511,7 +519,7 @@
- level1-server
- level1-workstation
- patch
- ssh
- sshd
- rule_5.1.22
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2

2
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -23,7 +23,7 @@
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
regexp: ^(\s*auth\s+(?:requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
replace: \1 \2\3
loop:
- password

1
templates/etc/ansible/compliance_facts.j2
View file

@ -29,6 +29,7 @@ Level_2_workstation_tag_run = true
[lockdown_audit_details]
{% if run_audit %}
# Audit run
audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
audit_file_local_location = {{ audit_log_dir }}
{% if not audit_only %}
audit_summary = {{ post_audit_results }}