mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
uk-bolly
GitHub
commit
60f756adb5
47 changed files with 252 additions and 380 deletions
|
|
@ -6,12 +6,10 @@ skip_list:
|
|||
- 'schema'
|
||||
- 'no-changed-when'
|
||||
- 'var-spacing'
|
||||
- 'fqcn-builtins'
|
||||
- 'experimental'
|
||||
- 'name[play]'
|
||||
- 'name[casing]'
|
||||
- 'name[template]'
|
||||
- 'fqcn[action]'
|
||||
- 'key-order[task]'
|
||||
- '204'
|
||||
- '305'
|
||||
|
|
|
|||
|
|
@ -75,10 +75,6 @@
|
|||
{
|
||||
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
|
||||
},
|
||||
{
|
||||
"path": "detect_secrets.filters.common.is_baseline_file",
|
||||
"filename": ".config/.secrets.baseline"
|
||||
},
|
||||
{
|
||||
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
|
||||
"min_level": 2
|
||||
|
|
@ -109,224 +105,15 @@
|
|||
},
|
||||
{
|
||||
"path": "detect_secrets.filters.heuristic.is_templated_secret"
|
||||
},
|
||||
{
|
||||
"path": "detect_secrets.filters.regex.should_exclude_file",
|
||||
"pattern": [
|
||||
".config/.gitleaks-report.json",
|
||||
"tasks/parse_etc_password.yml"
|
||||
]
|
||||
}
|
||||
],
|
||||
"results": {
|
||||
".config/.gitleaks-report.json": [
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b",
|
||||
"is_verified": false,
|
||||
"line_number": 9,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b",
|
||||
"is_verified": false,
|
||||
"line_number": 9,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555",
|
||||
"is_verified": false,
|
||||
"line_number": 12,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb",
|
||||
"is_verified": false,
|
||||
"line_number": 29,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb",
|
||||
"is_verified": false,
|
||||
"line_number": 29,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657",
|
||||
"is_verified": false,
|
||||
"line_number": 49,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657",
|
||||
"is_verified": false,
|
||||
"line_number": 49,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9",
|
||||
"is_verified": false,
|
||||
"line_number": 69,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9",
|
||||
"is_verified": false,
|
||||
"line_number": 69,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7",
|
||||
"is_verified": false,
|
||||
"line_number": 89,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7",
|
||||
"is_verified": false,
|
||||
"line_number": 89,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b",
|
||||
"is_verified": false,
|
||||
"line_number": 109,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b",
|
||||
"is_verified": false,
|
||||
"line_number": 109,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8",
|
||||
"is_verified": false,
|
||||
"line_number": 132,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6",
|
||||
"is_verified": false,
|
||||
"line_number": 249,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91",
|
||||
"is_verified": false,
|
||||
"line_number": 252,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49",
|
||||
"is_verified": false,
|
||||
"line_number": 269,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Hex High Entropy String",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4",
|
||||
"is_verified": false,
|
||||
"line_number": 272,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86",
|
||||
"is_verified": false,
|
||||
"line_number": 289,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": ".config/.gitleaks-report.json",
|
||||
"hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450",
|
||||
"is_verified": false,
|
||||
"line_number": 309,
|
||||
"is_secret": false
|
||||
}
|
||||
],
|
||||
"defaults/main.yml": [
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "defaults/main.yml",
|
||||
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
|
||||
"is_verified": false,
|
||||
"line_number": 364,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "defaults/main.yml",
|
||||
"hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
|
||||
"is_verified": false,
|
||||
"line_number": 376,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "defaults/main.yml",
|
||||
"hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
|
||||
"is_verified": false,
|
||||
"line_number": 377,
|
||||
"is_secret": false
|
||||
}
|
||||
],
|
||||
"tasks/main.yml": [
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "tasks/main.yml",
|
||||
"hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
|
||||
"is_verified": false,
|
||||
"line_number": 38,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "tasks/main.yml",
|
||||
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
|
||||
"is_verified": false,
|
||||
"line_number": 110,
|
||||
"is_secret": false
|
||||
}
|
||||
],
|
||||
"tasks/parse_etc_password.yml": [
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "tasks/parse_etc_password.yml",
|
||||
"hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
|
||||
"is_verified": false,
|
||||
"line_number": 18
|
||||
}
|
||||
]
|
||||
},
|
||||
"generated_at": "2023-09-07T13:18:00Z"
|
||||
"results": {},
|
||||
"generated_at": "2023-09-21T14:11:05Z"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,4 +30,4 @@ rules:
|
|||
trailing-spaces: enable
|
||||
truthy:
|
||||
allowed-values: ['true', 'false']
|
||||
check-keys: false
|
||||
check-keys: true
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
## 1.1.2 - Based on CIS v1.0.0
|
||||
|
||||
- updated audit binary versions - aligned with rhel9-cis-audit
|
||||
- lint updates
|
||||
- .secrets updated
|
||||
- file mode quoted
|
||||
|
||||
## 1.1.1 - Based on CIS v1.0.0
|
||||
|
||||
|
|
|
|||
|
|
@ -361,7 +361,7 @@ rhel9cis_allow_autofs: false
|
|||
# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
|
||||
# The intent here is to use a password utility like Ansible Vault here
|
||||
rhel9cis_rh_sub_user: user
|
||||
rhel9cis_rh_sub_password: password
|
||||
rhel9cis_rh_sub_password: password # pragma: allowlist secret
|
||||
|
||||
# 1.2.2
|
||||
# Do you require rhnsd
|
||||
|
|
@ -373,8 +373,8 @@ rhel9cis_rhel_default_repo: true
|
|||
rhel9cis_rule_enable_repogpg: true
|
||||
|
||||
# 1.4.1 Bootloader password
|
||||
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
|
||||
rhel9cis_bootloader_password: random
|
||||
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret
|
||||
rhel9cis_bootloader_password: random # pragma: allowlist secret
|
||||
rhel9cis_set_boot_pass: true
|
||||
|
||||
# 1.8 Gnome Desktop
|
||||
|
|
|
|||
6
site.yml
6
site.yml
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- hosts: all # noqa: name[play]
|
||||
|
||||
- name: Apply RHEL9 CIS hardening
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
roles:
|
||||
|
||||
- role: "{{ playbook_dir }}"
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
|
||||
mode: 0555
|
||||
mode: '0555'
|
||||
when:
|
||||
- get_audit_binary_method == 'download'
|
||||
|
||||
|
|
@ -27,7 +27,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: "{{ audit_bin_copy_location }}"
|
||||
dest: "{{ audit_bin }}"
|
||||
mode: 0555
|
||||
mode: '0555'
|
||||
owner: root
|
||||
group: root
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
dest: /etc/audit/rules.d/99_auditd.rules
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
mode: '0640'
|
||||
diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file
|
||||
register: rhel9cis_auditd_template_updated
|
||||
notify:
|
||||
|
|
@ -20,7 +20,8 @@
|
|||
- Restart auditd
|
||||
|
||||
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: 'Auditd template updated, see diff output for details'
|
||||
when:
|
||||
|
|
@ -38,7 +39,7 @@
|
|||
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
mode: '0640'
|
||||
diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
|
||||
notify: Restart auditd
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@
|
|||
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
|
||||
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
|
||||
vars:
|
||||
sudo_password_rule: rhel9cis_rule_5_3_4
|
||||
sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret
|
||||
when:
|
||||
- rhel9cis_rule_5_3_4
|
||||
- ansible_env.SUDO_USER is defined
|
||||
|
|
@ -107,7 +107,7 @@
|
|||
|
||||
- name: Check rhel9cis_bootloader_password_hash variable has been changed
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
|
||||
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
|
||||
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
|
||||
when:
|
||||
- rhel9cis_set_boot_pass
|
||||
|
|
@ -127,66 +127,77 @@
|
|||
- always
|
||||
|
||||
- name: Include preliminary steps
|
||||
ansible.builtin.import_tasks: prelim.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: prelim.yml
|
||||
tags:
|
||||
- prelim_tasks
|
||||
- always
|
||||
|
||||
- name: run pre_remediation audit
|
||||
ansible.builtin.include_tasks: pre_remediation_audit.yml
|
||||
ansible.builtin.include_tasks:
|
||||
file: pre_remediation_audit.yml
|
||||
when:
|
||||
- run_audit
|
||||
|
||||
- name: run Section 1 tasks
|
||||
ansible.builtin.import_tasks: section_1/main.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: section_1/main.yml
|
||||
when: rhel9cis_section1
|
||||
tags:
|
||||
- rhel9cis_section1
|
||||
|
||||
- name: run Section 2 tasks
|
||||
ansible.builtin.import_tasks: section_2/main.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: section_2/main.yml
|
||||
when: rhel9cis_section2
|
||||
tags:
|
||||
- rhel9cis_section2
|
||||
|
||||
- name: run Section 3 tasks
|
||||
ansible.builtin.import_tasks: section_3/main.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: section_3/main.yml
|
||||
when: rhel9cis_section3
|
||||
tags:
|
||||
- rhel9cis_section3
|
||||
|
||||
- name: run Section 4 tasks
|
||||
ansible.builtin.import_tasks: section_4/main.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: section_4/main.yml
|
||||
when: rhel9cis_section4
|
||||
tags:
|
||||
- rhel9cis_section4
|
||||
|
||||
- name: run Section 5 tasks
|
||||
ansible.builtin.import_tasks: section_5/main.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: section_5/main.yml
|
||||
when: rhel9cis_section5
|
||||
tags:
|
||||
- rhel9cis_section5
|
||||
|
||||
- name: run Section 6 tasks
|
||||
ansible.builtin.import_tasks: section_6/main.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: section_6/main.yml
|
||||
when: rhel9cis_section6
|
||||
tags:
|
||||
- rhel9cis_section6
|
||||
|
||||
- name: run auditd logic
|
||||
ansible.builtin.import_tasks: auditd.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: auditd.yml
|
||||
when: update_audit_template
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: run post remediation tasks
|
||||
ansible.builtin.import_tasks: post.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: post.yml
|
||||
tags:
|
||||
- post_tasks
|
||||
- always
|
||||
|
||||
- name: run post_remediation audit
|
||||
ansible.builtin.import_tasks: post_remediation_audit.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: post_remediation_audit.yml
|
||||
when:
|
||||
- run_audit
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
dest: "/etc/sysctl.d/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
register: sysctl_updated
|
||||
notify: Reload sysctl
|
||||
loop:
|
||||
|
|
@ -46,7 +46,8 @@
|
|||
- skip_reboot
|
||||
|
||||
- name: "POST | Warning a reboot required but skip option set | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when:
|
||||
- change_requires_reboot
|
||||
- skip_reboot
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
- name: Post Audit | ensure audit files readable by users
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
state: file
|
||||
loop:
|
||||
- "{{ post_audit_outfile }}"
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@
|
|||
ansible.builtin.template:
|
||||
src: ansible_vars_goss.yml.j2
|
||||
dest: "{{ audit_vars_path }}"
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- run_audit
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@
|
|||
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
state: touch
|
||||
when:
|
||||
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
regexp: "^(#)?install squashfs(\\s|$)"
|
||||
line: "install squashfs /bin/true"
|
||||
create: true
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
|
||||
- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -16,7 +16,7 @@
|
|||
regexp: "^(#)?blacklist squashfs(\\s|$)"
|
||||
line: "blacklist squashfs"
|
||||
create: true
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
|
||||
- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
|
||||
community.general.modprobe:
|
||||
|
|
@ -41,7 +41,7 @@
|
|||
regexp: "^(#)?install udf(\\s|$)"
|
||||
line: "install udf /bin/true"
|
||||
create: true
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
|
||||
- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -49,7 +49,7 @@
|
|||
regexp: "^(#)?blacklist udf(\\s|$)"
|
||||
line: "blacklist udf"
|
||||
create: true
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
|
||||
- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
|
||||
community.general.modprobe:
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '1.1.2.1'
|
||||
required_mount: '/tmp'
|
||||
|
|
@ -62,7 +63,7 @@
|
|||
dest: /etc/systemd/system/tmp.mount
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Systemd restart tmp.mount
|
||||
when:
|
||||
- rhel9cis_tmp_svc
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '1.1.3.1'
|
||||
required_mount: '/var'
|
||||
|
|
|
|||
|
|
@ -8,7 +8,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '1.1.4.1'
|
||||
required_mount: '/var/tmp'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
|
||||
vars:
|
||||
warn_control_id: '1.1.5.1'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
|
||||
vars:
|
||||
warn_control_id: '1.1.6.1'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
|
||||
vars:
|
||||
warn_control_id: '1.1.7.1'
|
||||
|
|
|
|||
|
|
@ -8,13 +8,15 @@
|
|||
changed_when: false
|
||||
register: rhel9cis_1_8_1_1_mount_check
|
||||
|
||||
- block:
|
||||
- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition"
|
||||
block:
|
||||
- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
|
||||
ansible.builtin.debug:
|
||||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when: rhel9cis_1_8_1_1_mount_check.rc == 1
|
||||
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
create: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
|
||||
- name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config"
|
||||
community.general.modprobe:
|
||||
|
|
@ -24,7 +24,7 @@
|
|||
regexp: "^(#)?blacklist usb-storage(\\s|$)"
|
||||
line: "blacklist usb-storage"
|
||||
create: true
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- rhel9cis_rule_1_1_9
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -73,7 +73,8 @@
|
|||
- "{{ dnf_configured.stdout_lines }}"
|
||||
|
||||
- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '1.2.3'
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
notify: Grub2cfg
|
||||
when:
|
||||
- rhel9cis_set_boot_pass
|
||||
|
|
|
|||
|
|
@ -93,7 +93,8 @@
|
|||
when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
|
||||
|
||||
- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
|
||||
vars:
|
||||
warn_control_id: '1.6.1.6'
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
dest: /etc/motd
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_1_7_1
|
||||
tags:
|
||||
|
|
@ -22,7 +22,7 @@
|
|||
dest: /etc/issue
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_1_7_2
|
||||
tags:
|
||||
|
|
@ -37,7 +37,7 @@
|
|||
dest: /etc/issue.net
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_1_7_3
|
||||
tags:
|
||||
|
|
@ -52,7 +52,7 @@
|
|||
path: /etc/motd
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_1_7_4
|
||||
tags:
|
||||
|
|
@ -67,7 +67,7 @@
|
|||
path: /etc/issue
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_1_7_5
|
||||
tags:
|
||||
|
|
@ -82,7 +82,7 @@
|
|||
path: /etc/issue.net
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_1_7_6
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
create: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
loop:
|
||||
- { regexp: 'user-db', line: 'user-db:user' }
|
||||
|
|
@ -38,7 +38,7 @@
|
|||
dest: /etc/dconf/db/gdm.d/01-banner-message
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
when:
|
||||
- rhel9cis_rule_1_8_2
|
||||
|
|
@ -59,7 +59,7 @@
|
|||
create: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
loop:
|
||||
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
|
||||
|
|
@ -87,7 +87,7 @@
|
|||
create: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
loop:
|
||||
- { regexp: '^user-db', line: 'user-db: user' }
|
||||
- { regexp: '^system-db', line: 'system-db: local' }
|
||||
|
|
@ -97,7 +97,7 @@
|
|||
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: '0755'
|
||||
state: directory
|
||||
|
||||
- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file"
|
||||
|
|
@ -125,7 +125,7 @@
|
|||
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: '0755'
|
||||
state: directory
|
||||
|
||||
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
|
||||
|
|
@ -134,7 +134,7 @@
|
|||
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
when:
|
||||
- rhel9cis_rule_1_8_5
|
||||
|
|
@ -171,7 +171,7 @@
|
|||
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: '0755'
|
||||
state: directory
|
||||
|
||||
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
|
||||
|
|
@ -180,7 +180,7 @@
|
|||
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
when:
|
||||
- rhel9cis_rule_1_8_7
|
||||
|
|
@ -199,7 +199,7 @@
|
|||
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: '0755'
|
||||
state: directory
|
||||
|
||||
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
|
||||
|
|
@ -227,7 +227,7 @@
|
|||
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: '0755'
|
||||
state: directory
|
||||
|
||||
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile"
|
||||
|
|
@ -236,7 +236,7 @@
|
|||
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
when:
|
||||
- rhel9cis_rule_1_8_9
|
||||
|
|
|
|||
|
|
@ -1,59 +1,77 @@
|
|||
---
|
||||
|
||||
- name: "SECTION | 1.1.1.x | Disable unused filesystems"
|
||||
ansible.builtin.import_tasks: cis_1.1.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.1.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.2.x | Configure /tmp"
|
||||
ansible.builtin.import_tasks: cis_1.1.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.2.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.3.x | Configure /var"
|
||||
ansible.builtin.import_tasks: cis_1.1.3.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.3.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.4.x | Configure /var/tmp"
|
||||
ansible.builtin.import_tasks: cis_1.1.4.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.4.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.5.x | Configure /var/log"
|
||||
ansible.builtin.import_tasks: cis_1.1.5.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.5.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.6.x | Configure /var/log/audit"
|
||||
ansible.builtin.import_tasks: cis_1.1.6.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.6.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.7.x | Configure /home"
|
||||
ansible.builtin.import_tasks: cis_1.1.7.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.7.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.8.x | Configure /dev/shm"
|
||||
ansible.builtin.import_tasks: cis_1.1.8.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.8.x.yml
|
||||
|
||||
- name: "SECTION | 1.1.x | Disable various mounting"
|
||||
ansible.builtin.import_tasks: cis_1.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.1.x.yml
|
||||
|
||||
- name: "SECTION | 1.2 | Configure Software Updates"
|
||||
ansible.builtin.import_tasks: cis_1.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.2.x.yml
|
||||
|
||||
- name: "SECTION | 1.3 | Filesystem Integrity Checking"
|
||||
ansible.builtin.import_tasks: cis_1.3.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.3.x.yml
|
||||
when: rhel9cis_config_aide
|
||||
|
||||
- name: "SECTION | 1.4 | Secure Boot Settings"
|
||||
ansible.builtin.import_tasks: cis_1.4.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.4.x.yml
|
||||
|
||||
- name: "SECTION | 1.5 | Additional Process Hardening"
|
||||
ansible.builtin.import_tasks: cis_1.5.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.5.x.yml
|
||||
|
||||
- name: "SECTION | 1.6 | Mandatory Access Control"
|
||||
include_tasks: cis_1.6.1.x.yml
|
||||
ansible.builtin.include_tasks:
|
||||
file: cis_1.6.1.x.yml
|
||||
when: not rhel9cis_selinux_disable
|
||||
|
||||
- name: "SECTION | 1.7 | Command Line Warning Banners"
|
||||
ansible.builtin.import_tasks: cis_1.7.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.7.x.yml
|
||||
|
||||
- name: "SECTION | 1.8 | Gnome Display Manager"
|
||||
ansible.builtin.import_tasks: cis_1.8.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.8.x.yml
|
||||
|
||||
- name: "SECTION | 1.9 | Updates and Patches"
|
||||
ansible.builtin.import_tasks: cis_1.9.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_1.9.yml
|
||||
|
||||
- name: "SECTION | 1.10 | Crypto policies"
|
||||
include_tasks: cis_1.10.yml
|
||||
ansible.builtin.include_tasks:
|
||||
file: cis_1.10.yml
|
||||
when:
|
||||
- not system_is_ec2
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
dest: /etc/chrony.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
|
||||
- name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
@ -29,7 +29,7 @@
|
|||
regexp: "^(#)?OPTIONS"
|
||||
line: "OPTIONS=\"-u chrony\""
|
||||
create: true
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_2_1_2
|
||||
- not system_is_container
|
||||
|
|
|
|||
|
|
@ -25,7 +25,8 @@
|
|||
- "{{ rhel9cis_2_4_sockets.stdout_lines }}"
|
||||
|
||||
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '2.4'
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -1,13 +1,17 @@
|
|||
---
|
||||
|
||||
- name: "SECTION | 2.1 | Time Synchronization"
|
||||
ansible.builtin.import_tasks: cis_2.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_2.1.x.yml
|
||||
|
||||
- name: "SECTION | 2.2 | Special Purpose Services"
|
||||
ansible.builtin.import_tasks: cis_2.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_2.2.x.yml
|
||||
|
||||
- name: "SECTION | 2.3 | Service Clients"
|
||||
ansible.builtin.import_tasks: cis_2.3.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_2.3.x.yml
|
||||
|
||||
- name: "SECTION | 2.4 | Nonessential services removed"
|
||||
ansible.builtin.import_tasks: cis_2.4.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_2.4.yml
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@
|
|||
|
||||
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
|
||||
block:
|
||||
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
|
||||
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available | if wlan exists"
|
||||
ansible.builtin.shell: rpm -q NetworkManager
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
|
@ -47,6 +47,7 @@
|
|||
when: rhel_09_wifi_enabled is changed # noqa no-handler
|
||||
when:
|
||||
- rhel9cis_rule_3_1_2
|
||||
- "'wlan' in ansible_facts.interfaces"
|
||||
tags:
|
||||
- level1-server
|
||||
- patch
|
||||
|
|
@ -72,7 +73,7 @@
|
|||
regexp: "^(#)?blacklist tipc(\\s|$)"
|
||||
line: "blacklist tipc"
|
||||
create: true
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- rhel9cis_rule_3_1_3
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -46,7 +46,8 @@
|
|||
- not rhel9cis_nft_tables_autonewtable
|
||||
|
||||
- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when:
|
||||
- rhel9cis_3_4_2_2_nft_tables.stdout | length == 0
|
||||
- not rhel9cis_nft_tables_autonewtable
|
||||
|
|
|
|||
|
|
@ -1,16 +1,21 @@
|
|||
---
|
||||
|
||||
- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
|
||||
ansible.builtin.import_tasks: cis_3.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_3.1.x.yml
|
||||
|
||||
- name: "SECTION | 3.2.x | Network Parameters (Host Only)"
|
||||
ansible.builtin.import_tasks: cis_3.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_3.2.x.yml
|
||||
|
||||
- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
|
||||
ansible.builtin.import_tasks: cis_3.3.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_3.3.x.yml
|
||||
|
||||
- name: "SECTION | 3.4.1.x | Firewall configuration"
|
||||
ansible.builtin.import_tasks: cis_3.4.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_3.4.1.x.yml
|
||||
|
||||
- name: "SECTION | 3.4.2.x | Configure firewall"
|
||||
ansible.builtin.import_tasks: cis_3.4.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_3.4.2.x.yml
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@
|
|||
ansible.builtin.file:
|
||||
path: "{{ audit_discovered_logfile.stdout | dirname }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
mode: '0750'
|
||||
when: not auditlog_dir.stat.mode is match('07(0|5)0')
|
||||
when:
|
||||
- rhel9cis_rule_4_1_4_4
|
||||
|
|
@ -64,7 +64,7 @@
|
|||
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
mode: 0640
|
||||
mode: '0640'
|
||||
loop: "{{ auditd_conf_files.files }}"
|
||||
loop_control:
|
||||
label: "{{ item.path }}"
|
||||
|
|
@ -127,7 +127,7 @@
|
|||
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.item }}"
|
||||
mode: 0750
|
||||
mode: '0750'
|
||||
|
||||
loop: "{{ audit_bins.results }}"
|
||||
loop_control:
|
||||
|
|
|
|||
|
|
@ -88,7 +88,8 @@
|
|||
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
|
||||
|
||||
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
|
||||
vars:
|
||||
warn_control_id: '4.2.2.2'
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
mode: 0640
|
||||
mode: '0640'
|
||||
loop: "{{ logfiles.files }}"
|
||||
loop_control:
|
||||
label: "{{ item.path }}"
|
||||
|
|
|
|||
|
|
@ -39,7 +39,8 @@
|
|||
loop: "{{ log_rotates.files }}"
|
||||
|
||||
- name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '4.3'
|
||||
when: log_rotates.matched > 0
|
||||
|
|
|
|||
|
|
@ -1,29 +1,37 @@
|
|||
---
|
||||
|
||||
- name: "SECTION | 4.1 | Configure System Accounting (auditd)"
|
||||
ansible.builtin.import_tasks: cis_4.1.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.1.1.x.yml
|
||||
when:
|
||||
- not system_is_container
|
||||
|
||||
- name: "SECTION | 4.1.2 | Configure Data Retention"
|
||||
ansible.builtin.import_tasks: cis_4.1.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.1.2.x.yml
|
||||
|
||||
- name: "SECTION | 4.1.3 | Configure Auditd rules"
|
||||
ansible.builtin.import_tasks: cis_4.1.3.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.1.3.x.yml
|
||||
|
||||
- name: "SECTION | 4.1.4 | Configure Audit files"
|
||||
ansible.builtin.import_tasks: cis_4.1.4.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.1.4.x.yml
|
||||
|
||||
- name: "SECTION | 4.2 | Configure Logging"
|
||||
ansible.builtin.import_tasks: cis_4.2.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.2.1.x.yml
|
||||
when: rhel9cis_syslog == 'rsyslog'
|
||||
|
||||
- name: "SECTION | 4.2.2 | Configure journald"
|
||||
ansible.builtin.import_tasks: cis_4.2.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.2.2.x.yml
|
||||
when: rhel9cis_syslog == 'journald'
|
||||
|
||||
- name: "SECTION | 4.2.3 | Configure logile perms"
|
||||
ansible.builtin.import_tasks: cis_4.2.3.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.2.3.yml
|
||||
|
||||
- name: "SECTION | 4.3 | Configure logrotate"
|
||||
ansible.builtin.import_tasks: cis_4.3.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_4.3.yml
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
path: /etc/crontab
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_2
|
||||
tags:
|
||||
|
|
@ -34,7 +34,7 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
mode: '0700'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_3
|
||||
tags:
|
||||
|
|
@ -50,7 +50,7 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
mode: '0700'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_4
|
||||
tags:
|
||||
|
|
@ -66,7 +66,7 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
mode: '0700'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_5
|
||||
tags:
|
||||
|
|
@ -81,7 +81,7 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
mode: '0700'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_6
|
||||
tags:
|
||||
|
|
@ -96,7 +96,7 @@
|
|||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
mode: '0700'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_7
|
||||
tags:
|
||||
|
|
@ -124,7 +124,7 @@
|
|||
state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_8
|
||||
tags:
|
||||
|
|
@ -152,7 +152,7 @@
|
|||
state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- rhel9cis_rule_5_1_9
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
path: "/etc/ssh/sshd_config"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
when:
|
||||
- rhel9cis_rule_5_2_1
|
||||
tags:
|
||||
|
|
@ -31,7 +31,7 @@
|
|||
path: "{{ item.path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: '0600'
|
||||
loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}"
|
||||
loop_control:
|
||||
label: "{{ item.path }}"
|
||||
|
|
@ -60,7 +60,7 @@
|
|||
path: "{{ item.path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}"
|
||||
loop_control:
|
||||
label: "{{ item.path }}"
|
||||
|
|
|
|||
|
|
@ -97,7 +97,8 @@
|
|||
- not rhel9cis_futurepwchgdate_autofix
|
||||
|
||||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when:
|
||||
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
||||
- not rhel9cis_futurepwchgdate_autofix
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@
|
|||
state: "{{ item.state }}"
|
||||
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
|
||||
create: true
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
block: |
|
||||
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
|
||||
export TMOUT
|
||||
|
|
|
|||
|
|
@ -3,24 +3,31 @@
|
|||
# Access, Authentication, and Authorization
|
||||
|
||||
- name: "SECTION | 5.1 | Configure time-based job schedulers"
|
||||
ansible.builtin.import_tasks: cis_5.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.1.x.yml
|
||||
|
||||
- name: "SECTION | 5.2 | Configure SSH Server"
|
||||
ansible.builtin.import_tasks: cis_5.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.2.x.yml
|
||||
when:
|
||||
- "'openssh-server' in ansible_facts.packages"
|
||||
|
||||
- name: "SECTION | 5.3 | Configure privilege escalation"
|
||||
ansible.builtin.import_tasks: cis_5.3.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.3.x.yml
|
||||
|
||||
- name: "SECTION | 5.4 | Configure authselect"
|
||||
ansible.builtin.import_tasks: cis_5.4.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.4.x.yml
|
||||
|
||||
- name: "SECTION | 5.5 | Configure PAM "
|
||||
ansible.builtin.import_tasks: cis_5.5.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.5.x.yml
|
||||
|
||||
- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
|
||||
ansible.builtin.import_tasks: cis_5.6.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.6.1.x.yml
|
||||
|
||||
- name: "SECTION | 5.6.x | Misc. User Account Settings"
|
||||
ansible.builtin.import_tasks: cis_5.6.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_5.6.x.yml
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
path: /etc/passwd
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_1
|
||||
tags:
|
||||
|
|
@ -20,7 +20,7 @@
|
|||
path: /etc/passwd-
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_2
|
||||
tags:
|
||||
|
|
@ -32,10 +32,10 @@
|
|||
|
||||
- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured"
|
||||
ansible.builtin.file:
|
||||
path: /etc/group-
|
||||
path: /etc/group
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_3
|
||||
tags:
|
||||
|
|
@ -50,7 +50,7 @@
|
|||
path: /etc/group-
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: '0644'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_4
|
||||
tags:
|
||||
|
|
@ -65,7 +65,7 @@
|
|||
path: /etc/shadow
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0000
|
||||
mode: '0000'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_5
|
||||
tags:
|
||||
|
|
@ -80,7 +80,7 @@
|
|||
path: /etc/shadow-
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0000
|
||||
mode: '0000'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_6
|
||||
tags:
|
||||
|
|
@ -95,7 +95,7 @@
|
|||
path: /etc/gshadow
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0000
|
||||
mode: '0000'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_7
|
||||
tags:
|
||||
|
|
@ -110,7 +110,7 @@
|
|||
path: /etc/gshadow-
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0000
|
||||
mode: '0000'
|
||||
when:
|
||||
- rhel9cis_rule_6_1_8
|
||||
tags:
|
||||
|
|
@ -177,7 +177,8 @@
|
|||
when: rhel_09_6_1_10_unowned_files_found
|
||||
|
||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.1.10'
|
||||
when: rhel_09_6_1_10_unowned_files_found
|
||||
|
|
@ -223,7 +224,8 @@
|
|||
when: rhel_09_6_1_11_ungrouped_files_found
|
||||
|
||||
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.1.11'
|
||||
when: rhel_09_6_1_11_ungrouped_files_found
|
||||
|
|
@ -279,7 +281,8 @@
|
|||
when: rhel9_6_1_13_suid_found
|
||||
|
||||
- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.1.13'
|
||||
when: rhel9_6_1_13_suid_found
|
||||
|
|
@ -321,7 +324,8 @@
|
|||
when: rhel9_6_1_14_sgid_found
|
||||
|
||||
- name: "6.1.14 | AUDIT | Audit SGID executables| warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.1.14'
|
||||
when: rhel9_6_1_14_sgid_found
|
||||
|
|
@ -353,7 +357,7 @@
|
|||
content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
mode: '0640'
|
||||
|
||||
- name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
|
||||
ansible.builtin.debug:
|
||||
|
|
@ -362,7 +366,8 @@
|
|||
The file list can be found in {{ rhel9cis_rpm_audit_file }}"
|
||||
|
||||
- name: "6.1.15 | AUDIT | Audit system file permissions | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.1.15'
|
||||
when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0
|
||||
|
|
|
|||
|
|
@ -15,7 +15,8 @@
|
|||
when: shadow_passwd.stdout | length > 0
|
||||
|
||||
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.2.1'
|
||||
when: shadow_passwd.stdout | length >= 1
|
||||
|
|
@ -59,7 +60,8 @@
|
|||
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.2.3'
|
||||
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
|
||||
|
|
@ -87,7 +89,8 @@
|
|||
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
|
||||
vars:
|
||||
warn_control_id: '6.2.4'
|
||||
|
|
@ -115,7 +118,8 @@
|
|||
when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.2.5'
|
||||
when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1
|
||||
|
|
@ -144,7 +148,8 @@
|
|||
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.2.6'
|
||||
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
|
||||
|
|
@ -173,7 +178,8 @@
|
|||
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
|
||||
|
||||
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '6.2.7'
|
||||
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
|
||||
|
|
|
|||
|
|
@ -1,7 +1,9 @@
|
|||
---
|
||||
|
||||
- name: "SECTION | 6.1 | System File Permissions"
|
||||
ansible.builtin.import_tasks: cis_6.1.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_6.1.x.yml
|
||||
|
||||
- name: "SECTION | 6.2 | User and Group Settings"
|
||||
ansible.builtin.import_tasks: cis_6.2.x.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: cis_6.2.x.yml
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue