ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

boolean variable true/false

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-13 16:51:17 +00:00
parent 727095ca35
commit 54f4e0b4b8
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
26 changed files with 92 additions and 90 deletions
Download patch file Download diff file Expand all files Collapse all files

4
defaults/main.yml
View file

@ -405,7 +405,7 @@ rhel9cis_aide_cron:
rhel9cis_selinux_pol: targeted rhel9cis_selinux_pol: targeted
# Whether or not to run tasks related to auditing/patching the desktop environment # Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: no rhel9cis_gui: false
# Set to 'true' if X Windows is needed in your environment # Set to 'true' if X Windows is needed in your environment
rhel9cis_xwindows_required: false rhel9cis_xwindows_required: false
@ -539,7 +539,7 @@ rhel9cis_vartmp:
source: /tmp source: /tmp
fstype: none fstype: none
opts: "defaults,nodev,nosuid,noexec,bind" opts: "defaults,nodev,nosuid,noexec,bind"
enabled: no enabled: false
## PAM ## PAM
rhel9cis_pam_password: rhel9cis_pam_password:
minlen: "14" minlen: "14"

4
tasks/parse_etc_password.yml
View file

@ -4,8 +4,8 @@
block: block:
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
shell: cat /etc/passwd shell: cat /etc/passwd
changed_when: no changed_when: false
check_mode: no check_mode: false
register: rhel9cis_passwd_file_audit register: rhel9cis_passwd_file_audit
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"

2
tasks/post.yml
View file

@ -4,7 +4,7 @@
- name: Perform DNF package cleanup - name: Perform DNF package cleanup
dnf: dnf:
autoremove: true autoremove: true
changed_when: no changed_when: false
- name: trigger update sysctl - name: trigger update sysctl
shell: /bin/true shell: /bin/true

29
tasks/prelim.yml
View file

@ -4,33 +4,33 @@
- name: "PRELIM | List users accounts" - name: "PRELIM | List users accounts"
shell: "awk -F: '{print $1}' /etc/passwd" shell: "awk -F: '{print $1}' /etc/passwd"
args: args:
warn: no warn: false
changed_when: no changed_when: false
check_mode: no check_mode: false
register: users register: users
- name: "PRELIM | Gather accounts with empty password fields" - name: "PRELIM | Gather accounts with empty password fields"
shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
args: args:
warn: no warn: false
changed_when: no changed_when: false
check_mode: no check_mode: false
register: empty_password_accounts register: empty_password_accounts
- name: "PRELIM | Gather UID 0 accounts other than root" - name: "PRELIM | Gather UID 0 accounts other than root"
shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
args: args:
warn: no warn: false
changed_when: no changed_when: false
check_mode: no check_mode: false
register: uid_zero_accounts_except_root register: uid_zero_accounts_except_root
- name: "PRELIM | Gather system-wide crypto-policy" - name: "PRELIM | Gather system-wide crypto-policy"
shell: update-crypto-policies --show shell: update-crypto-policies --show
args: args:
warn: no warn: false
changed_when: no changed_when: false
check_mode: no check_mode: false
register: system_wide_crypto_policy register: system_wide_crypto_policy
- name: "PRELIM | if systemd coredump" - name: "PRELIM | if systemd coredump"
@ -50,15 +50,16 @@
state: present state: present
become: true become: true
when: when:
- '"auditd" not in ansible_facts.packages'
- rhel9cis_level_2 or - rhel9cis_level_2 or
rhel9cis_rule_4_1_1_1 rhel9cis_rule_4_1_1_1
- '"auditd" not in ansible_facts.packages'
- name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: priv_procs register: priv_procs
tags: tags:
- always - always

8
tasks/section_1/cis_1.1.1.x.yml
View file

@ -7,7 +7,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install cramfs(\\s|$)" regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true" line: "install cramfs /bin/true"
create: yes create: true
mode: 0600 mode: 0600
- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
@ -32,7 +32,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install vfat(\\s|$)" regexp: "^(#)?install vfat(\\s|$)"
line: "install vfat /bin/true" line: "install vfat /bin/true"
create: yes create: true
mode: 0600 mode: 0600
- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT"
@ -58,7 +58,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install squashfs(\\s|$)" regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true" line: "install squashfs /bin/true"
create: yes create: true
mode: 0600 mode: 0600
- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
@ -83,7 +83,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install udf(\\s|$)" regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true" line: "install udf /bin/true"
create: yes create: true
mode: 0600 mode: 0600
- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"

6
tasks/section_1/cis_1.1.x.yml
View file

@ -256,7 +256,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_1_1_15_dev_shm_status register: rhel9cis_1_1_15_dev_shm_status
- name: | - name: |
@ -325,7 +325,7 @@
- name: "1.1.22 | L1 | PATCH | Disable Automounting" - name: "1.1.22 | L1 | PATCH | Disable Automounting"
service: service:
name: autofs name: autofs
enabled: no enabled: false
when: when:
- not rhel9cis_allow_autofs - not rhel9cis_allow_autofs
- "'autofs' in ansible_facts.packages" - "'autofs' in ansible_facts.packages"
@ -345,7 +345,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install usb-storage(\\s|$)" regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true" line: "install usb-storage /bin/true"
create: yes create: true
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600

4
tasks/section_1/cis_1.2.x.yml
View file

@ -23,7 +23,7 @@
service: service:
name: rhnsd name: rhnsd
state: stopped state: stopped
enabled: no enabled: false
masked: true masked: true
when: when:
- ansible_distribution == "RedHat" - ansible_distribution == "RedHat"
@ -84,7 +84,7 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
register: dnf_configured register: dnf_configured
check_mode: no check_mode: false
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list"
debug: debug:

2
tasks/section_1/cis_1.7.1.x.yml
View file

@ -19,7 +19,7 @@
regexp: '(selinux|enforcing)\s*=\s*0\s*' regexp: '(selinux|enforcing)\s*=\s*0\s*'
replace: '' replace: ''
register: selinux_grub_patch register: selinux_grub_patch
ignore_errors: yes ignore_errors: true
notify: grub2cfg notify: grub2cfg
when: when:
- rhel9cis_rule_1_7_1_2 - rhel9cis_rule_1_7_1_2

2
tasks/section_1/cis_1.8.2.yml
View file

@ -6,7 +6,7 @@
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
state: present state: present
create: yes create: true
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644

2
tasks/section_2/cis_2.2.1.x.yml
View file

@ -29,7 +29,7 @@
regexp: "^(#)?OPTIONS" regexp: "^(#)?OPTIONS"
line: "OPTIONS=\"-u chrony\"" line: "OPTIONS=\"-u chrony\""
state: present state: present
create: yes create: true
mode: 0644 mode: 0644
when: when:
- rhel9cis_time_synchronization == "chrony" - rhel9cis_time_synchronization == "chrony"

32
tasks/section_2/cis_2.2.x.yml
View file

@ -7,7 +7,7 @@
args: args:
warn: false warn: false
failed_when: xorg_x11_installed.rc >=2 failed_when: xorg_x11_installed.rc >=2
check_mode: no check_mode: false
changed_when: false changed_when: false
register: xorg_x11_installed register: xorg_x11_installed
@ -32,7 +32,7 @@
service: service:
name: rsyncd name: rsyncd
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_rsyncd_server - not rhel9cis_rsyncd_server
- "'rsyncd' in ansible_facts.packages" - "'rsyncd' in ansible_facts.packages"
@ -47,7 +47,7 @@
service: service:
name: avahi-daemon name: avahi-daemon
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_avahi_server - not rhel9cis_avahi_server
- "'avahi' in ansible_facts.packages" - "'avahi' in ansible_facts.packages"
@ -65,7 +65,7 @@
service: service:
name: snmpd name: snmpd
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_snmp_server - not rhel9cis_snmp_server
- "'net-snmp' in ansible_facts.packages" - "'net-snmp' in ansible_facts.packages"
@ -80,7 +80,7 @@
service: service:
name: squid name: squid
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_squid_server - not rhel9cis_squid_server
- "'squid' in ansible_facts.packages" - "'squid' in ansible_facts.packages"
@ -95,7 +95,7 @@
service: service:
name: smb name: smb
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_smb_server - not rhel9cis_smb_server
- "'samba' in ansible_facts.packages" - "'samba' in ansible_facts.packages"
@ -110,7 +110,7 @@
service: service:
name: dovecot name: dovecot
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_dovecot_server - not rhel9cis_dovecot_server
- "'dovecot' in ansible_facts.packages" - "'dovecot' in ansible_facts.packages"
@ -125,7 +125,7 @@
service: service:
name: httpd name: httpd
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_httpd_server - not rhel9cis_httpd_server
- "'httpd' in ansible_facts.packages" - "'httpd' in ansible_facts.packages"
@ -140,7 +140,7 @@
service: service:
name: vsftpd name: vsftpd
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_vsftpd_server - not rhel9cis_vsftpd_server
- "'vsftpd' in ansible_facts.packages" - "'vsftpd' in ansible_facts.packages"
@ -155,7 +155,7 @@
service: service:
name: named name: named
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_named_server - not rhel9cis_named_server
- "'bind' in ansible_facts.packages" - "'bind' in ansible_facts.packages"
@ -170,7 +170,7 @@
service: service:
name: nfs-server name: nfs-server
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_nfs_rpc_server - not rhel9cis_nfs_rpc_server
- "'nfs-utils' in ansible_facts.packages" - "'nfs-utils' in ansible_facts.packages"
@ -188,7 +188,7 @@
service: service:
name: rpcbind name: rpcbind
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_nfs_rpc_server - not rhel9cis_nfs_rpc_server
- "'rpcbind' in ansible_facts.packages" - "'rpcbind' in ansible_facts.packages"
@ -206,7 +206,7 @@
service: service:
name: slapd name: slapd
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_ldap_server - not rhel9cis_ldap_server
- "'openldap-servers' in ansible_facts.packages" - "'openldap-servers' in ansible_facts.packages"
@ -224,7 +224,7 @@
service: service:
name: dhcpd name: dhcpd
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_dhcp_server - not rhel9cis_dhcp_server
- "'dhcp' in ansible_facts.packages" - "'dhcp' in ansible_facts.packages"
@ -242,7 +242,7 @@
service: service:
name: cups name: cups
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_cups_server - not rhel9cis_cups_server
- "'cups' in ansible_facts.packages" - "'cups' in ansible_facts.packages"
@ -260,7 +260,7 @@
service: service:
name: ypserv name: ypserv
state: stopped state: stopped
enabled: no enabled: false
when: when:
- not rhel9cis_nis_server - not rhel9cis_nis_server
- "'ypserv' in ansible_facts.packages" - "'ypserv' in ansible_facts.packages"

8
tasks/section_3/cis_3.3.x.yml
View file

@ -5,7 +5,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install dccp(\\s|$)" regexp: "^(#)?install dccp(\\s|$)"
line: "install dccp /bin/true" line: "install dccp /bin/true"
create: yes create: true
mode: 0600 mode: 0600
when: when:
- rhel9cis_rule_3_3_1 - rhel9cis_rule_3_3_1
@ -20,7 +20,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install sctp(\\s|$)" regexp: "^(#)?install sctp(\\s|$)"
line: "install sctp /bin/true" line: "install sctp /bin/true"
create: yes create: true
mode: 0600 mode: 0600
when: when:
- rhel9cis_rule_3_3_2 - rhel9cis_rule_3_3_2
@ -35,7 +35,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install rds(\\s|$)" regexp: "^(#)?install rds(\\s|$)"
line: "install rds /bin/true" line: "install rds /bin/true"
create: yes create: true
mode: 0600 mode: 0600
when: when:
- rhel9cis_rule_3_3_3 - rhel9cis_rule_3_3_3
@ -50,7 +50,7 @@
dest: /etc/modprobe.d/CIS.conf dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install tipc(\\s|$)" regexp: "^(#)?install tipc(\\s|$)"
line: "install tipc /bin/true" line: "install tipc /bin/true"
create: yes create: true
mode: 0600 mode: 0600
when: when:
- rhel9cis_rule_3_3_4 - rhel9cis_rule_3_3_4

9
tasks/section_3/cis_3.4.2.x.yml
View file

@ -4,7 +4,7 @@
service: service:
name: firewalld name: firewalld
state: started state: started
enabled: yes enabled: true
when: when:
- rhel9cis_firewall == "firewalld" - rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_1 - rhel9cis_rule_3_4_2_1
@ -19,9 +19,9 @@
name: iptables name: iptables
enabled: false enabled: false
masked: true masked: true
ignore_errors: true
when: when:
- rhel9cis_firewall == "firewalld" - rhel9cis_firewall == "firewalld"
- "'iptables' in ansible_facts.packages"
- rhel9cis_rule_3_4_2_2 - rhel9cis_rule_3_4_2_2
tags: tags:
- skip_ansible_lint - skip_ansible_lint
@ -37,6 +37,7 @@
masked: true masked: true
when: when:
- rhel9cis_firewall == "firewalld" - rhel9cis_firewall == "firewalld"
- "'nftables' in ansible_facts.packages"
- rhel9cis_rule_3_4_2_3 - rhel9cis_rule_3_4_2_3
tags: tags:
- level1-server - level1-server
@ -65,7 +66,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_3_4_2_5_interfacepolicy register: rhel9cis_3_4_2_5_interfacepolicy
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
@ -90,7 +91,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_3_4_2_6_servicesport register: rhel9cis_3_4_2_6_servicesport
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"

6
tasks/section_3/cis_3.4.3.x.yml
View file

@ -44,7 +44,7 @@
shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
args: args:
warn: false warn: false
failed_when: no failed_when: false
when: rhel9cis_nft_tables_autonewtable when: rhel9cis_nft_tables_autonewtable
when: when:
- rhel9cis_firewall == "nftables" - rhel9cis_firewall == "nftables"
@ -96,7 +96,7 @@
shell: "{{ item }}" shell: "{{ item }}"
args: args:
warn: false warn: false
failed_when: no failed_when: false
with_items: with_items:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; }
@ -294,7 +294,7 @@
- name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled" - name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled"
service: service:
name: nftables name: nftables
enabled: yes enabled: true
when: when:
- rhel9cis_firewall == "nftables" - rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_7 - rhel9cis_rule_3_4_3_7

2
tasks/section_3/cis_3.4.4.1.x.yml
View file

@ -136,7 +136,7 @@
- name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" - name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled"
service: service:
name: iptables name: iptables
enabled: yes enabled: true
state: started state: started
when: when:
- rhel9cis_firewall == "iptables" - rhel9cis_firewall == "iptables"

2
tasks/section_3/cis_3.4.4.2.x.yml
View file

@ -124,7 +124,7 @@
- name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" - name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled"
service: service:
name: ip6tables name: ip6tables
enabled: yes enabled: true
state: started state: started
when: when:
- rhel9cis_firewall == "iptables" - rhel9cis_firewall == "iptables"

2
tasks/section_3/cis_3.6.yml
View file

@ -5,7 +5,7 @@
dest: /etc/default/grub dest: /etc/default/grub
regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?<!ipv6.disable=1)(?:")' regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?<!ipv6.disable=1)(?:")'
replace: '\1"\2 ipv6.disable=1"' replace: '\1"\2 ipv6.disable=1"'
follow: yes follow: true
notify: grub2cfg notify: grub2cfg
when: when:
- not rhel9cis_ipv6_required - not rhel9cis_ipv6_required

6
tasks/section_4/cis_4.1.1.x.yml
View file

@ -25,7 +25,7 @@
service: service:
name: auditd name: auditd
state: started state: started
enabled: yes enabled: true
when: when:
- not rhel9cis_skip_for_travis - not rhel9cis_skip_for_travis
- rhel9cis_rule_4_1_1_2 - rhel9cis_rule_4_1_1_2
@ -45,7 +45,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_4_1_1_3_grub_cmdline_linux register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
@ -80,7 +80,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_4_1_1_4_grub_cmdline_linux register: rhel9cis_4_1_1_4_grub_cmdline_linux
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" - name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"

2
tasks/section_4/cis_4.1.x.yml
View file

@ -125,7 +125,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: priv_procs register: priv_procs
- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"

2
tasks/section_4/cis_4.2.1.x.yml
View file

@ -157,7 +157,7 @@
with_items: with_items:
- '^(\$ModLoad imtcp)' - '^(\$ModLoad imtcp)'
- '^(\$InputTCPServerRun)' - '^(\$InputTCPServerRun)'
when: falset rhel9cis_system_is_log_server when: not rhel9cis_system_is_log_server
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host" - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host"
replace: replace:

2
tasks/section_5/cis_5.1.x.yml
View file

@ -3,7 +3,7 @@
- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled" - name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled"
service: service:
name: crond name: crond
enabled: yes enabled: true
when: when:
- rhel9cis_rule_5_1_1 - rhel9cis_rule_5_1_1
tags: tags:

6
tasks/section_5/cis_5.3.x.yml
View file

@ -8,7 +8,7 @@
warn: false warn: false
failed_when: false failed_when: false
changed_when: false changed_when: false
check_mode: no check_mode: false
register: rhel9cis_5_3_1_profiles register: rhel9cis_5_3_1_profiles
- name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles" - name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles"
@ -39,7 +39,7 @@
warn: false warn: false
failed_when: false failed_when: false
changed_when: false changed_when: false
check_mode: no check_mode: false
register: rhel9cis_5_3_2_profiles register: rhel9cis_5_3_2_profiles
- name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles" - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles"
@ -70,7 +70,7 @@
warn: false warn: false
failed_when: false failed_when: false
changed_when: false changed_when: false
check_mode: no check_mode: false
register: rhel9cis_5_3_3_profiles_faillock register: rhel9cis_5_3_3_profiles_faillock
- name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles"

4
tasks/section_5/cis_5.4.x.yml
View file

@ -95,7 +95,7 @@
copy: copy:
src: /etc/pam.d/{{ item }} src: /etc/pam.d/{{ item }}
dest: /etc/pam.d/{{ item }}-local dest: /etc/pam.d/{{ item }}-local
remote_src: yes remote_src: true
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
@ -112,7 +112,7 @@
src: /etc/pam.d/{{ item }}-local src: /etc/pam.d/{{ item }}-local
dest: /etc/pam.d/{{ item }} dest: /etc/pam.d/{{ item }}
state: link state: link
force: yes force: true
with_items: with_items:
- "system-auth" - "system-auth"
- "password-auth" - "password-auth"

8
tasks/section_5/cis_5.5.1.x.yml
View file

@ -50,7 +50,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_5_5_1_4_inactive_settings register: rhel9cis_5_5_1_4_inactive_settings
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
@ -63,7 +63,7 @@
shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
args: args:
warn: false warn: false
check_mode: no check_mode: false
register: rhel_09_5_5_1_4_audit register: rhel_09_5_5_1_4_audit
changed_when: false changed_when: false
@ -89,7 +89,7 @@
warn: false warn: false
failed_when: false failed_when: false
changed_when: false changed_when: false
check_mode: no check_mode: false
register: rhel9cis_5_5_1_5_currentut register: rhel9cis_5_5_1_5_currentut
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
@ -98,7 +98,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_5_5_1_5_user_list register: rhel9cis_5_5_1_5_user_list
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"

2
tasks/section_5/cis_5.5.x.yml
View file

@ -41,7 +41,7 @@
- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less" - name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less"
blockinfile: blockinfile:
create: yes create: true
mode: 0644 mode: 0644
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
state: "{{ item.state }}" state: "{{ item.state }}"

26
tasks/section_6/cis_6.2.x.yml
View file

@ -37,7 +37,7 @@
shell: 'echo $PATH | grep ::' shell: 'echo $PATH | grep ::'
args: args:
warn: false warn: false
check_mode: no check_mode: false
register: path_colon register: path_colon
changed_when: False changed_when: False
failed_when: path_colon.rc == 0 failed_when: path_colon.rc == 0
@ -46,7 +46,7 @@
shell: 'echo $PATH | grep :$' shell: 'echo $PATH | grep :$'
args: args:
warn: false warn: false
check_mode: no check_mode: false
register: path_colon_end register: path_colon_end
changed_when: False changed_when: False
failed_when: path_colon_end.rc == 0 failed_when: path_colon_end.rc == 0
@ -55,7 +55,7 @@
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
args: args:
warn: false warn: false
check_mode: no check_mode: false
register: dot_in_path register: dot_in_path
changed_when: False changed_when: False
failed_when: '"." in dot_in_path.stdout_lines' failed_when: '"." in dot_in_path.stdout_lines'
@ -156,7 +156,7 @@
- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
file: file:
path: "{{ item.0 }}" path: "{{ item.0 }}"
recurse: yes recurse: true
mode: a-st,g-w,o-rwx mode: a-st,g-w,o-rwx
register: rhel_09_6_2_7_patch register: rhel_09_6_2_7_patch
when: when:
@ -172,9 +172,9 @@
- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
acl: acl:
path: "{{ item.0 }}" path: "{{ item.0 }}"
default: yes default: true
state: present state: present
recursive: yes recursive: true
etype: "{{ item.1.etype }}" etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}" permissions: "{{ item.1.mode }}"
when: not rhel9cis_system_is_container when: not rhel9cis_system_is_container
@ -414,7 +414,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: group_group_check register: group_group_check
- name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
@ -442,7 +442,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_shadow_gid register: rhel9cis_shadow_gid
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group" - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group"
@ -451,7 +451,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_empty_shadow register: rhel9cis_empty_shadow
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow" - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow"
@ -460,7 +460,7 @@
warn: false warn: false
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: no check_mode: false
register: rhel9cis_shadow_passwd register: rhel9cis_shadow_passwd
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned" - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned"
@ -520,7 +520,7 @@
- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
file: file:
path: "{{ item.0 }}" path: "{{ item.0 }}"
recurse: yes recurse: true
mode: a-st,g-w,o-rwx mode: a-st,g-w,o-rwx
register: rhel_09_6_2_20_patch register: rhel_09_6_2_20_patch
when: when:
@ -536,9 +536,9 @@
- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
acl: acl:
path: "{{ item.0 }}" path: "{{ item.0 }}"
default: yes default: true
state: present state: present
recursive: yes recursive: true
etype: "{{ item.1.etype }}" etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}" permissions: "{{ item.1.mode }}"
when: not rhel9cis_system_is_container when: not rhel9cis_system_is_container