Merge branch 'devel' of github.com:siemens/RHEL9-CIS into siemens/feat/document_main_variables

2025-12-27 15:33:06 +00:00 · 2024-01-19 11:03:46 +02:00 · 2024-01-19 11:03:46 +02:00 · 677424d853
commit 677424d853
parent 14cd1e0397 068c45f509
15 changed files with 39 additions and 23 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -43,7 +43,7 @@ repos:
    args: ['--baseline-path', '.config/.gitleaks-report.json']

 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.0
+  rev: v6.22.1
  hooks:
  - id: ansible-lint
    name: Ansible-lint
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -582,6 +582,9 @@ rhel9cis_time_synchronization_servers:
 # This variable should contain the default options to be used for every NTP server hostname defined
 # within the 'rhel9cis_time_synchronization_servers' var.
 rhel9cis_chrony_server_options: "minpoll 8"
+rhel9cis_chrony_server_rtcsync: false
+rhel9cis_chrony_server_makestep: "1.0 3"
+rhel9cis_chrony_server_minsources: 2


 ### 2.2 Special Purposes
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -26,6 +26,19 @@
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"

+- name: POST | Update usr sysctl
+  ansible.builtin.lineinfile:
+      dest: /usr/lib/sysctl.d/50-default.conf
+      regexp: "{{ item.regexp }}"
+      line: "{{ item.line }}"
+  loop:
+      - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
+      - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
+  when:
+      - rhel9cis_sysctl_update
+      - not system_is_container
+      - "'procps-ng' in ansible_facts.packages"
+
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers

--- a/tasks/section_1/cis_1.1.3.x.yml
+++ b/tasks/section_1/cis_1.1.3.x.yml
@ -31,7 +31,7 @@
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      state: present
-      opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %}
+      opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %}
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
      label: "{{ item.device }}"
--- a/tasks/section_1/cis_1.6.1.x.yml
+++ b/tasks/section_1/cis_1.6.1.x.yml
@ -39,7 +39,6 @@
      policy: "{{ rhel9cis_selinux_pol }}"
      state: "{{ rhel9cis_selinux_enforce }}"
  when:
-      - not rhel9cis_selinux_disable
      - rhel9cis_rule_1_6_1_3
  tags:
      - level1-server
@ -54,7 +53,6 @@
      policy: "{{ rhel9cis_selinux_pol }}"
      state: "{{ rhel9cis_selinux_enforce }}"
  when:
-      - not rhel9cis_selinux_disable
      - rhel9cis_rule_1_6_1_4
  tags:
      - level1-server
@ -69,7 +67,6 @@
      policy: "{{ rhel9cis_selinux_pol }}"
      state: enforcing
  when:
-      - not rhel9cis_selinux_disable
      - rhel9cis_selinux_enforce == 'enforcing'
      - rhel9cis_rule_1_6_1_5
  tags:
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@ -274,8 +274,8 @@
            masked: true
            state: stopped
        when:
-            - not rhel9cis_use_nfs_server
-            - rhel9cis_use_nfs_service
+            - rhel9cis_use_nfs_server
+            - not rhel9cis_use_nfs_service
  when:
      - "'nfs-utils' in ansible_facts.packages"
      - rhel9cis_rule_2_2_16
--- a/tasks/section_2/cis_2.3.x.yml
+++ b/tasks/section_2/cis_2.3.x.yml
@ -50,7 +50,7 @@
      name: ftp
      state: absent
  when:
-      - not rhel9cis_tftp_client
+      - not rhel9cis_ftp_client
      - "'ftp' in ansible_facts.packages"
      - rhel9cis_rule_2_3_4
  tags:
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@ -194,6 +194,7 @@
                - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}"
  when:
      - rhel9cis_rule_3_4_2_5
+      - rhel9cis_firewall == "firewalld"
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@ -35,7 +35,6 @@
  notify: Restart rsyslog
  when:
      - rhel9cis_rule_4_2_1_3
-      - rhel9cis_syslog == "rsyslog"
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_4/cis_4.2.3.yml
+++ b/tasks/section_4/cis_4.2.3.yml
@ -7,6 +7,7 @@
            paths: "/var/log"
            file_type: file
            recurse: true
+            hidden: true
        register: logfiles

      - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
--- a/tasks/section_4/main.yml
+++ b/tasks/section_4/main.yml
@ -18,7 +18,7 @@
  ansible.builtin.import_tasks:
      file: cis_4.1.4.x.yml

- name: "SECTION | 4.2 | Configure Logging"
+- name: "SECTION | 4.2.1 | Configure rsyslog"
  ansible.builtin.import_tasks:
      file: cis_4.2.1.x.yml
  when: rhel9cis_syslog == 'rsyslog'
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@ -44,7 +44,7 @@
                - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"

      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
-        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
+        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }}  {{ rhel9cis_authselect['options'] }}"
        when: rhel9cis_authselect_custom_profile_select

      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -40,7 +40,7 @@
      - level1-workstation
      - patch
      - password
-      - rule_5.5.1.3
+      - rule_5.6.1.3

 - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  block:
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -10,7 +10,7 @@ benchmark_version: '1.0.0'
 host_os_distribution: {{ ansible_facts.distribution | lower }}

 #  timeout for each command to run where set - default = 10seconds/10000ms
-timeout_ms: 60000
+timeout_ms: {{ audit_cmd_timeout }}

 # Taken from LE rhel9-cis
 rhel9cis_section1: {{ rhel9cis_section1 }}
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
@ -1,4 +1,4 @@
-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## {{ ansible_managed }}

 # This the default chrony.conf file for the Debian chrony package.  After
 # editing this file use the command 'invoke-rc.d chrony restart' to make
@ -27,19 +27,21 @@ server {{ server }} {{ rhel9cis_chrony_server_options }}
 # password is generated by a random process at install time.  You may
 # change it if you wish.

-keyfile /etc/chrony/chrony.keys
+keyfile /etc/chrony.keys

-# Set runtime command key.  Note that if you change the key (not the
-# password) to anything other than 1 you will need to edit
-# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
-# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift

-commandkey 1
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep {{ rhel9cis_chrony_server_makestep }}

-# I moved the driftfile to /var/lib/chrony to comply with the Debian
-# filesystem standard.
+# Enable kernel synchronization of the real-time clock (RTC).
+{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync

-driftfile /var/lib/chrony/chrony.drift
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+minsources {{ rhel9cis_chrony_server_minsources }}

 # Comment this line out to turn off logging.