ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-27 15:33:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'devel' into improvements

Browse source
This commit is contained in:
uk-bolly 2022-02-02 11:33:38 +00:00 committed by GitHub
commit 581bf4657d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 11 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
defaults/main.yml
View file

@ -34,7 +34,7 @@ python2_bin: /bin/python2.7
benchmark: RHEL9-CIS benchmark: RHEL9-CIS
# Whether to skip the reboot # Whether to skip the reboot
rhel9cis_skip_reboot: true skip_reboot: true
#### Basic external goss audit enablement settings #### #### Basic external goss audit enablement settings ####
#### Precise details - per setting can be found at the bottom of this file #### #### Precise details - per setting can be found at the bottom of this file ####

5
tasks/main.yml
View file

@ -3,8 +3,8 @@
- name: Check OS version and family - name: Check OS version and family
assert: assert:
that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
fail_msg: "This role can only be run against RHEL8 family OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when: when:
- os_check - os_check
@ -113,6 +113,7 @@
tags: tags:
- rule_5.5.2 - rule_5.5.2
- rule_6.2.7 - rule_6.2.7
- rule_6.2.8
- rule_6.2.20 - rule_6.2.20
- rhel9cis_section6 - rhel9cis_section6

2
tasks/post.yml
View file

@ -69,4 +69,4 @@
- name: Reboot host - name: Reboot host
reboot: reboot:
when: when:
- not rhel9cis_skip_reboot - not skip_reboot

1
tasks/section_3/cis_3.4.2.x.yml
View file

@ -17,7 +17,6 @@
- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld" - name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld"
systemd: systemd:
name: iptables name: iptables
enabled: false
masked: true masked: true
when: when:
- rhel9cis_firewall == "firewalld" - rhel9cis_firewall == "firewalld"

2
tasks/section_5/cis_5.5.x.yml
View file

@ -28,7 +28,7 @@
- item.id != "shutdown" - item.id != "shutdown"
- item.id != "sync" - item.id != "sync"
- item.id != "root" - item.id != "root"
- item.uid < 1000 - min_int_uid | int >= item.uid
- item.shell != " /bin/false" - item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin" - item.shell != " /usr/sbin/nologin"
when: when:

2
tasks/section_6/cis_6.2.x.yml
View file

@ -207,7 +207,7 @@
loop_control: loop_control:
label: "{{ rhel9cis_passwd_label }}" label: "{{ rhel9cis_passwd_label }}"
when: when:
- item.uid >= min_int_uid - min_int_uid | int >= item.uid
- rhel9cis_rule_6_2_8 - rhel9cis_rule_6_2_8
tags: tags:
- skip_ansible_lint # settings found on 6_2_7 - skip_ansible_lint # settings found on 6_2_7

4
vars/AlmaLinux.yml Normal file
View file

@ -0,0 +1,4 @@
---
# OS Specific Settings
rpm_gpg_key: RPM-GPG-KEY-AlmaLinux