ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Updates from Public

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-09-10 12:57:50 -04:00
parent a1d88edde0
commit 67c574d8a9
No known key found for this signature in database
GPG key ID: D29987C25A47D813
10 changed files with 32 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tasks/main.yml
View file

@ -52,7 +52,7 @@
- name: "Check crypto-policy module input"
when:
- rhel9cis_rule_1_6_1
- rhel9cis_crypto_policy_ansiblemanaged
- rhel9cis_crypto_policy_module | length > 0
tags:
- rule_1.6.1
@ -132,7 +132,7 @@
- rule_5.4.2.4
block:
- name: "Ensure root password is set"
ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
changed_when: false
failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
register: prelim_root_passwd_set

2
tasks/prelim.yml
View file

@ -136,7 +136,7 @@
register: prelim_systemd_coredump
- name: "PRELIM | PATCH | Setup crypto-policy"
when: rhel9cis_rule_1_6_1
when: rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation

1
tasks/section_1/cis_1.4.x.yml
View file

@ -52,6 +52,7 @@
- name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
changed_when: false
check_mode: false
register: discovered_efi_fstab
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"

13
tasks/section_1/cis_1.6.x.yml
View file

@ -1,7 +1,9 @@
---
- name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
when: rhel9cis_rule_1_6_1
when:
- rhel9cis_rule_1_6_1
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -21,12 +23,14 @@
tags:
- level1-server
- level1-workstation
- sshd
- automated
- patch
- rule_1.6.2
- NIST800-53R5_SC-8
- NIST800-53R5_IA-5
- NIST800-53R5_AC-17- NIST800-53R5_SC-6
- NIST800-53R5_AC-17
- NIST800-53R5_SC-6
ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd
regexp: ^CRYPTO_POLICY\s*=
@ -37,6 +41,7 @@
when:
- rhel9cis_rule_1_6_3
- "'NO-SHA1' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -67,6 +72,7 @@
when:
- rhel9cis_rule_1_6_4
- "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -76,7 +82,6 @@
- rule_1.6.4
- NIST800-53R5_SC-6
block:
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@ -98,6 +103,7 @@
when:
- rhel9cis_rule_1_6_5
- "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -128,6 +134,7 @@
when:
- rhel9cis_rule_1_6_6
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation

2
tasks/section_4/cis_4.3.x.yml
View file

@ -81,7 +81,7 @@
register: discovered_nftables_inconnectionrule
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: discovered_nftables_outconnectionrule

3
tasks/section_5/cis_5.1.x.yml
View file

@ -80,6 +80,7 @@
when:
- rhel9cis_rule_5_1_4
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -108,6 +109,7 @@
when:
- rhel9cis_rule_5_1_5
- "'NO-SHA1' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -136,6 +138,7 @@
when:
- rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation

3
tasks/section_5/cis_5.4.1.x.yml
View file

@ -24,6 +24,7 @@
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
check_mode: false
register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
@ -64,7 +65,7 @@
- rhel9cis_force_user_mindays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass_min_days }}"
password_expire_min: "{{ rhel9cis_pass_min_days }}"
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"

4
tasks/section_5/cis_5.4.2.x.yml
View file

@ -139,7 +139,7 @@
ansible.builtin.stat:
path: "{{ item }}"
loop: "{{ discovered_root_paths_split.stdout_lines }}"
register: paths_stat
register: discovered_root_paths_stat
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
ansible.builtin.file:
@ -148,7 +148,7 @@
owner: root
group: root
mode: 'go-w'
loop: "{{ paths_stat.results }}"
loop: "{{ discovered_root_paths_stat.results }}"
when: not item.stat.exists
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"