diff --git a/tasks/main.yml b/tasks/main.yml
index 843850c..123858a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -49,59 +49,75 @@ tags: - rule_5.7 -- include: prelim.yml - become: yes - tags: - - prelim_tasks - - always - -- import_tasks: pre_remediation_audit.yml - when: - - run_audit - - name: Gather the package facts package_facts: manager: auto tags: - always -- include: parse_etc_password.yml - become: yes +- name: Include preliminary steps + import_tasks: prelim.yml + become: + tags: + - prelim_tasks + - always + +- name: run pre_remediation audit + import_tasks: pre_remediation_audit.yml + when: + - run_audit + +- name: Gather the package facts after prelim + package_facts: + manager: auto + tags: + - always + +- name: capture /etc/password variables + include_tasks: parse_etc_password.yml when: rhel9cis_section6 -- include: section_1/main.yml - become: yes +- name: run Section 1 tasks + import_tasks: section_1/main.yml + become: true when: rhel9cis_section1 tags: - rhel9cis_section1 -- include: section_2/main.yml - become: yes +- name: run Section 2 tasks + import_tasks: section_2/main.yml + become: true when: rhel9cis_section2 -- include: section_3/main.yml - become: yes +- name: run Section 3 tasks + import_tasks: section_3/main.yml + become: true when: rhel9cis_section3 -- include: section_4/main.yml - become: yes +- name: run Section 4 tasks + import_tasks: section_4/main.yml + become: true when: rhel9cis_section4 -- include: section_5/main.yml - become: yes +- name: run Section 5 tasks + import_tasks: section_5/main.yml + become: true when: rhel9cis_section5 -- include: section_6/main.yml - become: yes +- name: run Section 6 tasks + import_tasks: section_6/main.yml + become: true when: rhel9cis_section6 -- include: post.yml - become: yes +- name: run post remediation tasks + import_tasks: post.yml + become: true tags: - post_tasks - always -- import_tasks: post_remediation_audit.yml +- name: run post_remediation audit + import_tasks: post_remediation_audit.yml when: - run_audit 
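Review bot: In the new `Include preliminary steps` task the `become:` key has no value, so YAML parses it as null and the `become: yes` that the removed `include: prelim.yml` carried is effectively lost; unless the calling play sets become, any task in prelim.yml that needs root will run unprivileged and presumably fail. The `capture /etc/password variables` task in the same hunk also drops the old `become: yes` without a replacement. Restore both explicitly: `become: true` under `import_tasks: prelim.yml`, and `become: true` under `include_tasks: parse_etc_password.yml`. The two audit imports have never carried become, which may be intentional but is worth a one-line comment so the asymmetry is not mistaken for the same omission.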
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index 5c7b083..b8c8e8e 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@@ -2,41 +2,41 @@ - name: "SECTION | 1.1 | FileSystem Configurations\n SECTION | 1.1.1.x | Disable unused filesystems" - include: cis_1.1.1.x.yml -- include: cis_1.1.x.yml + include_tasks: cis_1.1.1.x.yml +- include_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - include: cis_1.2.x.yml + include_tasks: cis_1.2.x.yml - name: "SECTION | 1.3 | Configure sudo" - include: cis_1.3.x.yml + include_tasks: cis_1.3.x.yml - name: "SECTION | 1.4 | Filesystem Integrity" - include: cis_1.4.x.yml + import_tasks: cis_1.4.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.5 | Secure Boot Settings" - include: cis_1.5.x.yml + include_tasks: cis_1.5.x.yml - name: "SECTION | 1.6 | Additional Process Hardening" - include: cis_1.6.x.yml + include_tasks: cis_1.6.x.yml - name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - include: cis_1.7.1.x.yml + import_tasks: cis_1.7.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.8 | Warning Banners" - include: cis_1.8.1.x.yml + include_tasks: cis_1.8.1.x.yml - name: "SECTION | 1.9 | Updated and Patches" - include: cis_1.9.yml + include_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - include: cis_1.10.yml + import_tasks: cis_1.10.yml when: - not system_is_ec2 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - include: cis_1.11.yml + import_tasks: cis_1.11.yml when: - not system_is_ec2
diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml
index 1c99c03..f2ed232 100644
--- a/tasks/section_2/main.yml
+++ b/tasks/section_2/main.yml
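Review bot: The entries converted to `include_tasks` (1.1, 1.2, 1.3, 1.5, 1.6, 1.8, 1.9) carry no `tags`, and a dynamic include only loads its file when the include task itself matches the tag filter, so a run restricted to a rule-level tag (the role uses such tags, e.g. `rule_5.7` in tasks/main.yml) would skip these includes and never reach the tagged tasks inside them, whereas the `import_tasks` entries are static and filter as expected. Every entry here is a fixed file path with no loop, so the simplest fix is to use `import_tasks: cis_1.1.1.x.yml` and likewise for the other seven include entries; if dynamic loading is wanted for a reason not visible here, tag each include with `tags: [always]` instead so the file is loaded and the inner rule tags do the filtering. On the `import_tasks` entries the `when:` is copied onto every task in the imported file rather than gating the load once, which is fine but deserves a short comment at the top of the file so the mixed import/include choice reads as deliberate.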
@@ -1,13 +1,13 @@ --- - name: "SECTION | 2.1 | xinetd" - include: cis_2.1.1.yml + include_tasks: cis_2.1.1.yml - name: "SECTION | 2.2.1 | Time Synchronization" - include: cis_2.2.1.x.yml + include_tasks: cis_2.2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - include: cis_2.2.x.yml + include_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - include: cis_2.3.x.yml + include_tasks: cis_2.3.x.yml
diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml
index 752ba85..7d6af68 100644
--- a/tasks/section_3/main.yml
+++ b/tasks/section_3/main.yml
@@ -1,41 +1,41 @@ --- - name: "SECTION | 3.1.x | Packet and IP redirection" - include: cis_3.1.x.yml + include_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - include: cis_3.2.x.yml + include_tasks: cis_3.2.x.yml - name: "SECTION | 3.3.x | Uncommon Network Protocols" - include: cis_3.3.x.yml + include_tasks: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | firewall defined" - include: cis_3.4.1.1.yml + include_tasks: cis_3.4.1.1.yml - name: "SECTION | 3.4.2.x | firewalld firewall" - include: cis_3.4.2.x.yml + import_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "firewalld" - name: "SECTION | 3.4.3.x | Configure nftables firewall" - include: cis_3.4.3.x.yml + import_tasks: cis_3.4.3.x.yml when: - rhel9cis_firewall == "nftables" - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - include: cis_3.4.4.1.x.yml + import_tasks: cis_3.4.4.1.x.yml when: - rhel9cis_firewall == "iptables" - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - include: cis_3.4.4.2.x.yml + import_tasks: cis_3.4.4.2.x.yml when: - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - name: "SECTION | 3.5 | Configure wireless" - include: cis_3.5.yml + include_tasks: cis_3.5.yml - name: "SECTION | 3.5 | disable IPv6" - include: cis_3.5.yml + import_tasks: cis_3.5.yml when: - not rhel9cis_ipv6_required
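Review bot: On the new side `cis_3.5.yml` is still listed twice, once as `include_tasks: cis_3.5.yml` under `SECTION | 3.5 | Configure wireless` with no condition and again as `import_tasks: cis_3.5.yml` under `SECTION | 3.5 | disable IPv6` with `when: - not rhel9cis_ipv6_required`, so the IPv6 condition gates nothing and the file's tasks run a second time whenever IPv6 is not required. Presumably one of the two entries was meant to reference a separate wireless or IPv6 task file; the right file name is not visible from this hunk, but the duplicate should either be removed or pointed at its own file, and the conditional entry that survives should keep `when: - not rhel9cis_ipv6_required`. A comment on that entry naming the CIS items it covers would help keep the two from being confused again.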
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index aecac9f..910a9e2 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,23 +1,23 @@ --- - name: "SECTION | 4.1| Configure System Accounting (auditd)" - include: cis_4.1.1.x.yml + include_tasks: cis_4.1.1.x.yml - name: "SECTION | 4.1.2.x| Configure Data Retention" - include: cis_4.1.2.x.yml + include_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.x| Auditd rules" - include: cis_4.1.x.yml + include_tasks: cis_4.1.x.yml - name: "SECTION | 4.2.x| Configure Logging" - include: cis_4.2.1.x.yml + import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2.x| Configure journald" - include: cis_4.2.2.x.yml + include_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" - include: cis_4.2.3.yml + include_tasks: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - include: cis_4.3.yml + include_tasks: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index f290165..6195af5 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -1,27 +1,27 @@ --- - name: "SECTION | 5.1 | Configure time-based job schedulers" - include: cis_5.1.x.yml + include_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - include: cis_5.2.x.yml + include_tasks: cis_5.2.x.yml - name: "SECTION | 5.3 | Configure Profiles" - include: cis_5.3.x.yml + import_tasks: cis_5.3.x.yml when: - rhel9cis_use_authconfig - name: "SECTION | 5.4 | Configure PAM " - include: cis_5.4.x.yml + include_tasks: cis_5.4.x.yml - name: "SECTION | 5.5.1.x | Passwords and Accounts" - include: cis_5.5.1.x.yml + include_tasks: cis_5.5.1.x.yml - name: "SECTION | 5.5.x | System Accounts and User Settings" - include: cis_5.5.x.yml + include_tasks: cis_5.5.x.yml - name: "SECTION | 5.6 | Root Login" - include: cis_5.6.yml + include_tasks: cis_5.6.yml - name: Section | 5.7 | su Command Restriction - include: cis_5.7.yml + include_tasks: cis_5.7.yml
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
index bf6943a..479b9c8 100644
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
@@ -1,7 +1,7 @@ --- - name: "SECTION | 6.1 | System File Permissions" - include: cis_6.1.x.yml + include_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - include: cis_6.2.x.yml + include_tasks: cis_6.2.x.yml