ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'lint_dec24' into alignment

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 13:36:08 +00:00
commit 82f7b53a67
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
49 changed files with 375 additions and 606 deletions
Download patch file Download diff file Expand all files Collapse all files

79
tasks/section_2/cis_2.1.x.yml
View file

@ -33,9 +33,7 @@
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
when:
- rhel9cis_rule_2_1_2
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
when: rhel9cis_rule_2_1_2
tags:
- level1-server
- level2-workstation
@ -70,9 +68,7 @@
- avahi-daemon.service
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
when:
- "'dhcp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_3
when: rhel9cis_rule_2_1_3
tags:
- level1-server
- level1-workstation
@ -105,9 +101,7 @@
- dhcpd6.service
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
when:
- "'bind' in ansible_facts.packages"
- rhel9cis_rule_2_1_4
when: rhel9cis_rule_2_1_4
tags:
- level1-server
- level1-workstation
@ -137,9 +131,7 @@
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
when:
- "'dnsmasq' in ansible_facts.packages"
- rhel9cis_rule_2_1_5
when: rhel9cis_rule_2_1_5
tags:
- level1-server
- level1-workstation
@ -169,9 +161,7 @@
masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
when:
- "'samba' in ansible_facts.packages"
- rhel9cis_rule_2_1_6
when: rhel9cis_rule_2_1_6
tags:
- level1-server
- level1-workstation
@ -202,9 +192,7 @@
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
when:
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_1_7
when: rhel9cis_rule_2_1_7
tags:
- level1-server
- level1-workstation
@ -235,9 +223,7 @@
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
when:
- "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
- rhel9cis_rule_2_1_8
when: rhel9cis_rule_2_1_8
tags:
- level1-server
- level1-workstation
@ -275,9 +261,7 @@
- "cyrus-imapd.service"
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
when:
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_1_9
when: rhel9cis_rule_2_1_9
tags:
- level1-server
- level1-workstation
@ -309,9 +293,7 @@
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
when:
- "'ypserv' in ansible_facts.packages"
- rhel9cis_rule_2_1_10
when: rhel9cis_rule_2_1_10
tags:
- level1-server
- level1-workstation
@ -341,9 +323,7 @@
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
when:
- "'cups' in ansible_facts.packages"
- rhel9cis_rule_2_1_11
when: rhel9cis_rule_2_1_11
tags:
- level1-server
- automated
@ -375,9 +355,7 @@
- "cups.service"
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
when:
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_1_12
when: rhel9cis_rule_2_1_12
tags:
- level1-server
- level1-workstation
@ -411,9 +389,7 @@
- rpcbind.socket
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
when:
- "'rsync-daemon' in ansible_facts.packages"
- rhel9cis_rule_2_1_13
when: rhel9cis_rule_2_1_13
tags:
- level1-server
- level1-workstation
@ -447,9 +423,7 @@
- 'rsyncd.service'
- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
when:
- "'net-snmp' in ansible_facts.packages"
- rhel9cis_rule_2_1_14
when: rhel9cis_rule_2_1_14
tags:
- level1-server
- level1-workstation
@ -479,9 +453,7 @@
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
when:
- "'telnet-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_15
when: rhel9cis_rule_2_1_15
tags:
- level1-server
- level1-workstation
@ -512,9 +484,7 @@
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
when:
- "'tftp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_16
when: rhel9cis_rule_2_1_16
tags:
- level1-server
- level1-workstation
@ -547,9 +517,7 @@
- 'tftp.service'
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
when:
- "'squid' in ansible_facts.packages"
- rhel9cis_rule_2_117
when: rhel9cis_rule_2_1_17
tags:
- level1-server
- level1-workstation
@ -580,8 +548,7 @@
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
when:
- rhel9cis_rule_2_1_18
when: rhel9cis_rule_2_1_18
tags:
- level1-server
- level1-workstation
@ -597,7 +564,6 @@
when:
- not rhel9cis_httpd_server
- not rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
ansible.builtin.package:
name: httpd
state: absent
@ -606,7 +572,6 @@
when:
- not rhel9cis_nginx_server
- not rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
ansible.builtin.package:
name: nginx
state: absent
@ -615,7 +580,6 @@
when:
- not rhel9cis_httpd_server
- rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: httpd.service
@ -627,7 +591,6 @@
when:
- not rhel9cis_nginx_server
- rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: ngnix.service
@ -636,9 +599,7 @@
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
when:
- "'xinetd' in ansible_facts.packages"
- rhel9cis_rule_2_1_19
when: rhel9cis_rule_2_1_19
tags:
- level1-server
- level1-workstation
@ -670,7 +631,6 @@
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
when:
- not rhel9cis_xwindow_server
- "'xorg-x11-server-common' in ansible_facts.packages"
- rhel9cis_rule_2_1_20
tags:
- level1-server
@ -704,8 +664,7 @@
line: "inet_interfaces = loopback-only"
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
when:
- rhel9cis_rule_2_1_22
when: rhel9cis_rule_2_1_22
tags:
- level1-server
- level1-workstation

5
tasks/section_2/cis_2.2.x.yml
View file

@ -3,7 +3,6 @@
- name: "2.2.1 | PATCH | Ensure ftp client is not installed"
when:
- not rhel9cis_ftp_client
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_1
tags:
- level1-server
@ -20,7 +19,6 @@
- name: "2.2.2 | PATCH | Ensure ldap client is not installed"
when:
- not rhel9cis_openldap_clients_required
- "'openldap-clients' in ansible_facts.packages"
- rhel9cis_rule_2_2_2
tags:
- level2-server
@ -37,7 +35,6 @@
- name: "2.2.3 | PATCH | Ensure nis client is not installed"
when:
- not rhel9cis_ypbind_required
- "'ypbind' in ansible_facts.packages"
- rhel9cis_rule_2_2_3
tags:
- level1-server
@ -54,7 +51,6 @@
- name: "2.2.4 | PATCH | Ensure telnet client is not installed"
when:
- not rhel9cis_telnet_required
- "'telnet' in ansible_facts.packages"
- rhel9cis_rule_2_2_4
tags:
- level1-server
@ -71,7 +67,6 @@
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
when:
- not rhel9cis_tftp_client
- "'tftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_5
tags:
- level1-server

4
tasks/section_2/cis_2.3.x.yml
View file

@ -31,7 +31,7 @@
dest: /etc/chrony.conf
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
when:
@ -48,4 +48,4 @@
line: OPTIONS="\1 -u chrony"
create: true
backrefs: true
mode: '0644'
mode: 'go-wx'

43
tasks/section_2/cis_2.4.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
when:
- rhel9cis_rule_2_4_1_1
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server
- level1-workstation
@ -19,8 +18,7 @@
enabled: true
- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
when:
- rhel9cis_rule_2_4_1_2
when: rhel9cis_rule_2_4_1_2
tags:
- level1-server
- level1-workstation
@ -33,11 +31,10 @@
path: /etc/crontab
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
when:
- rhel9cis_rule_2_4_1_3
when: rhel9cis_rule_2_4_1_3
tags:
- level1-server
- level1-workstation
@ -51,11 +48,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
when:
- rhel9cis_rule_2_4_1_4
when: rhel9cis_rule_2_4_1_4
tags:
- level1-server
- level1-workstation
@ -67,11 +63,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
when:
- rhel9cis_rule_2_4_1_5
when: rhel9cis_rule_2_4_1_5
tags:
- level1-server
- level1-workstation
@ -84,11 +79,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
when:
- rhel9cis_rule_2_4_1_6
when: rhel9cis_rule_2_4_1_6
tags:
- level1-server
- level1-workstation
@ -101,11 +95,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
when:
- rhel9cis_rule_2_4_1_7
when: rhel9cis_rule_2_4_1_7
tags:
- level1-server
- level1-workstation
@ -119,11 +112,10 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'og-rwx'
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
when:
- rhel9cis_rule_2_4_1_8
when: rhel9cis_rule_2_4_1_8
tags:
- level1-server
- level1-workstation
@ -149,11 +141,10 @@
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
when:
- rhel9cis_rule_2_4_2_1
when: rhel9cis_rule_2_4_2_1
tags:
- level1-server
- level1-workstation
@ -179,4 +170,4 @@
state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'