Merge branch 'lint_dec24' into alignment

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-12-11 13:36:08 +00:00
commit 82f7b53a67
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
49 changed files with 375 additions and 606 deletions


@ -1,8 +1,7 @@
---
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
when:
- rhel9cis_rule_5_1_1
when: rhel9cis_rule_5_1_1
tags:
- level1-server
- level1-workstation
@ -16,11 +15,10 @@
path: "/etc/ssh/sshd_config"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
when:
- rhel9cis_rule_5_1_2
when: rhel9cis_rule_5_1_2
tags:
- level1-server
- level1-workstation
@ -50,8 +48,7 @@
label: "{{ item.path }}"
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
when:
- rhel9cis_rule_5_1_3
when: rhel9cis_rule_5_1_3
tags:
- level1-server
- level1-workstation
@ -98,7 +95,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -126,7 +123,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -154,7 +151,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -164,8 +161,7 @@
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
- name: "5.1.7 | PATCH | Ensure sshd access is configured"
when:
- rhel9cis_rule_5_1_7
when: rhel9cis_rule_5_1_7
tags:
- level1-server
- level1-workstation
@ -212,8 +208,7 @@
notify: Restart sshd
- name: "5.1.8 | PATCH | Ensure sshd Banner is configured"
when:
- rhel9cis_rule_5_1_8
when: rhel9cis_rule_5_1_8
tags:
- level1-server
- level1-workstation
@ -231,8 +226,7 @@
line: 'Banner /etc/issue.net'
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
when:
- rhel9cis_rule_5_1_9
when: rhel9cis_rule_5_1_9
tags:
- level1-server
- level1-workstation
@ -262,8 +256,7 @@
notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
when:
- rhel9cis_rule_5_1_10
when: rhel9cis_rule_5_1_10
tags:
- level2-server
- level1-workstation
@ -289,8 +282,7 @@
notify: Restart sshd
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when:
- rhel9cis_rule_5_1_11
when: rhel9cis_rule_5_1_11
tags:
- level1-server
- level1-workstation
@ -320,8 +312,7 @@
notify: Restart sshd
- name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
when:
- rhel9cis_rule_5_1_12
when: rhel9cis_rule_5_1_12
tags:
- level1-server
- level1-workstation
@ -341,8 +332,7 @@
notify: Restart sshd
- name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
when:
- rhel9cis_rule_5_1_13
when: rhel9cis_rule_5_1_13
tags:
- level1-server
- level1-workstation
@ -362,8 +352,7 @@
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
when:
- rhel9cis_rule_5_1_14
when: rhel9cis_rule_5_1_14
tags:
- level1-server
- level1-workstation
@ -379,8 +368,7 @@
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
when:
- rhel9cis_rule_5_1_15
when: rhel9cis_rule_5_1_15
tags:
- level1-server
- level1-workstation
@ -398,8 +386,7 @@
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
when:
- rhel9cis_rule_5_1_16
when: rhel9cis_rule_5_1_16
tags:
- level1-server
- level1-workstation
@ -415,8 +402,7 @@
notify: Restart sshd
- name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
when:
- rhel9cis_rule_5_1_17
when: rhel9cis_rule_5_1_17
tags:
- level1-server
- level1-workstation
@ -436,8 +422,7 @@
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
when:
- rhel9cis_rule_5_1_18
when: rhel9cis_rule_5_1_18
tags:
- level1-server
- level1-workstation
@ -457,8 +442,7 @@
notify: Restart sshd
- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
when:
- rhel9cis_rule_5_1_19
when: rhel9cis_rule_5_1_19
tags:
- level1-server
- level1-workstation
@ -478,8 +462,7 @@
notify: Restart sshd
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
when:
- rhel9cis_rule_5_1_20
when: rhel9cis_rule_5_1_20
tags:
- level1-server
- level1-workstation
@ -503,8 +486,7 @@
notify: Restart sshd
- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
when:
- rhel9cis_rule_5_1_21
when: rhel9cis_rule_5_1_21
tags:
- level1-server
- level1-workstation
@ -524,8 +506,7 @@
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
when:
- rhel9cis_rule_5_1_22
when: rhel9cis_rule_5_1_22
tags:
- level1-server
- level1-workstation
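Review bot: `mode: 'go-rwx'` on /etc/ssh/sshd_config in the 5.1.1 hunk only clears group/other bits, so a file that already carries an owner execute bit keeps it and the result can be 0700 rather than the 0600 the replaced literal mode guaranteed; CIS 5.1.1 asks for 0600 or more restrictive, and a purely subtractive mode cannot enforce that end state. An assignment form such as `mode: 'u=rw,go='` (or simply keeping `'0600'`) fixes the result regardless of the starting permissions. The same applies to the `'g-wx,o-rwx'` modes on the three .pmod files in this section, which also leave any pre-existing owner execute bit untouched; `'u=rw,g=r,o='` pins them to the 0640 the commit replaced.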


@ -1,8 +1,7 @@
---
- name: "5.2.1 | PATCH | Ensure sudo is installed"
when:
- rhel9cis_rule_5_2_1
when: rhel9cis_rule_5_2_1
tags:
- level1-server
- level1-workstation
@ -15,8 +14,7 @@
state: present
- name: "5.2.2 | PATCH | Ensure sudo commands use pty"
when:
- rhel9cis_rule_5_2_2
when: rhel9cis_rule_5_2_2
tags:
- level1-server
- level1-workstation
@ -30,8 +28,7 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.3 | PATCH | Ensure sudo log file exists"
when:
- rhel9cis_rule_5_2_3
when: rhel9cis_rule_5_2_3
tags:
- level1-server
- level1-workstation
@ -47,8 +44,7 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
when:
- rhel9cis_rule_5_2_4
when: rhel9cis_rule_5_2_4
tags:
- level2-server
- level2-workstation
@ -74,8 +70,7 @@
loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when:
- rhel9cis_rule_5_2_5
when: rhel9cis_rule_5_2_5
tags:
- level1-server
- level1-workstation
@ -101,8 +96,7 @@
loop: "{{ discovered_priv_reauth.stdout_lines }}"
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
when:
- rhel9cis_rule_5_2_6
when: rhel9cis_rule_5_2_6
tags:
- level1-server
- level1-workstation
@ -134,8 +128,7 @@
loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when:
- rhel9cis_rule_5_2_7
when: rhel9cis_rule_5_2_7
tags:
- level1-server
- level1-workstation


@ -67,7 +67,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
@ -141,8 +141,7 @@
- rule_5.3.2.5
block:
- name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled"
ansible.builtin.shell: |
grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
changed_when: false
failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_discovered_authselect_pam_unix
@ -150,7 +149,7 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
backrefs: true
@ -164,7 +163,7 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
backrefs: true
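Review bot: Switching the 5.3.2.5 audit task from `ansible.builtin.shell` to `ansible.builtin.command` breaks it: the grep path relies on `$(head -1 /etc/authselect/authselect.conf)` command substitution and `{system,password}-auth` brace expansion, neither of which happens without a shell, so grep is handed one literal path, returns rc 2, and the task fails via `failed_when`. Restore `ansible.builtin.shell: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth` with a `# noqa command-instead-of-shell` if the linter objects; the downstream `when` checks depend on grep's `file:line` prefix across both files, so the multi-file invocation needs to stay. Separately, the task registers `discovered_discovered_authselect_pam_unix` while the two PATCH tasks below test `discovered_authselect_pam_unix.stdout`; unless that variable is set elsewhere, those conditions will fail on an undefined variable, and the doubled prefix looks like a typo the commit leaves in place.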


@ -1,8 +1,7 @@
---
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
when:
- rhel9cis_rule_5_3_3_1_1
when: rhel9cis_rule_5_3_3_1_1
tags:
- level1-server
- level1-workstation
@ -44,8 +43,7 @@
notify: Authselect update
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
when:
- rhel9cis_rule_5_3_3_1_2
when: rhel9cis_rule_5_3_3_1_2
tags:
- level1-server
- level1-workstation
@ -87,8 +85,7 @@
notify: Authselect update
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when:
- rhel9cis_rule_5_3_3_1_3
when: rhel9cis_rule_5_3_3_1_3
tags:
- level1-server
- level1-workstation


@ -1,8 +1,7 @@
---
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
when:
- rhel9cis_rule_5_3_3_2_1
when: rhel9cis_rule_5_3_3_2_1
tags:
- level1-server
- level1-workstation
@ -30,7 +29,7 @@
dest: "/{{ rhel9cis_passwd_difok_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect"
when:
@ -58,8 +57,7 @@
notify: Authselect update
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured"
when:
- rhel9cis_rule_5_3_3_2_2
when: rhel9cis_rule_5_3_3_2_2
tags:
- level1-server
- level1-workstation
@ -87,7 +85,7 @@
dest: "/{{ rhel9cis_passwd_minlen_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
@ -115,8 +113,7 @@
notify: Authselect update
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
when:
- rhel9cis_rule_5_3_3_2_3
when: rhel9cis_rule_5_3_3_2_3
tags:
- level1-server
- level1-workstation
@ -144,7 +141,7 @@
dest: "/{{ rhel9cis_passwd_complex_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect"
when:
@ -172,8 +169,7 @@
notify: Authselect update
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
when:
- rhel9cis_rule_5_3_3_2_4
when: rhel9cis_rule_5_3_3_2_4
tags:
- level1-server
- level1-workstation
@ -183,8 +179,7 @@
- pam
block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when:
- item != rhel9cis_passwd_maxrepeat_file
when: item != rhel9cis_passwd_maxrepeat_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
@ -200,7 +195,7 @@
dest: "/{{ rhel9cis_passwd_maxrepeat_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect"
when:
@ -228,8 +223,7 @@
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
when:
- rhel9cis_rule_5_3_3_2_5
when: rhel9cis_rule_5_3_3_2_5
tags:
- level1-server
- level1-workstation
@ -257,7 +251,7 @@
dest: "/{{ rhel9cis_passwd_maxsequence_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect"
when:
@ -285,8 +279,7 @@
notify: Authselect update
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
when:
- rhel9cis_rule_5_3_3_2_6
when: rhel9cis_rule_5_3_3_2_6
tags:
- level1-server
- level1-workstation
@ -313,7 +306,7 @@
dest: "/{{ rhel9cis_passwd_dictcheck_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect"
when:
@ -342,8 +335,7 @@
notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_2_7
when: rhel9cis_rule_5_3_3_2_7
tags:
- level1-server
- level1-workstation
@ -356,4 +348,4 @@
dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
owner: root
group: root
mode: '0600'
mode: 'o-rwx'
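Review bot: `mode: 'o-rwx'` on the 5.3.3.2.7 enforce_for_root file is looser than the `'0600'` it replaces (a freshly written file typically lands at 0640 under a 022 umask, i.e. group-readable) and is inconsistent with the `'go-rwx'` used for the other six pwquality.conf.d files in this file. Unless group read is intended here, use the same form as the siblings, and preferably an assignment form such as `mode: 'u=rw,go='` for all of them, since subtractive modes leave any pre-existing owner execute bit in place. The task's module and `src` lines sit above the hunk, so I am assuming it follows the same copy pattern as its siblings.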


@ -1,8 +1,7 @@
---
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
when:
- rhel9cis_rule_5_3_3_3_1
when: rhel9cis_rule_5_3_3_3_1
tags:
- level1-server
- level1-workstation
@ -48,8 +47,7 @@
notify: Authselect update
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_3_2
when: rhel9cis_rule_5_3_3_3_2
tags:
- level1-server
- level1-workstation
@ -95,8 +93,7 @@
notify: Authselect update
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
when:
- rhel9cis_rule_5_3_3_3_3
when: rhel9cis_rule_5_3_3_3_3
tags:
- level1-server
- level1-workstation


@ -28,8 +28,7 @@
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$)
@ -67,8 +66,7 @@
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$)
@ -107,8 +105,7 @@
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
@ -150,8 +147,7 @@
loop: "{{ discovered_pam_authtok.stdout_lines }}"
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
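Review bot: The 5.3.3.4.2 regexp `\sremember\s*=\s*=\d*(.*$)` contains a doubled `=`, so it only matches `remember = =N`; a real `remember=5` on the pam_unix line is never matched and the option is never stripped, which defeats the control. This is a context line the commit does not touch, but since the task's `when` was just edited it is worth fixing in the same pass: `regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*\d+(.*$)` keeps the same four capture groups. The task's `replace` line is outside the hunk, so I cannot confirm which groups it references.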


@ -1,8 +1,7 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
when:
- rhel9cis_rule_5_4_1_1
when: rhel9cis_rule_5_4_1_1
tags:
- level1-server
- level1-workstation
@ -38,8 +37,7 @@
loop: "{{ discovered_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when:
- rhel9cis_rule_5_4_1_2
when: rhel9cis_rule_5_4_1_2
tags:
- level1-server
- level1-workstation
@ -70,8 +68,7 @@
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
when:
- rhel9cis_rule_5_4_1_3
when: rhel9cis_rule_5_4_1_3
tags:
- level1-server
- level1-workstation
@ -101,8 +98,7 @@
loop: "{{ discovered_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
when:
- rhel9cis_rule_5_4_1_4
when: rhel9cis_rule_5_4_1_4
tags:
- level1-server
- level1-workstation
@ -116,8 +112,7 @@
line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}'
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured"
when:
- rhel9cis_rule_5_4_1_5
when: rhel9cis_rule_5_4_1_5
tags:
- level1-server
- level1-workstation
@ -139,7 +134,7 @@
changed_when: true
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: discovered_passwdlck_user_list
@ -151,8 +146,7 @@
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
- rhel9cis_rule_5_4_1_6
when: rhel9cis_rule_5_4_1_6
tags:
- level1-server
- level1-workstation
@ -190,9 +184,9 @@
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
changed_when: true
when:
- discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
ansible.builtin.command: passwd --expire {{ item }}
changed_when: true
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"


@ -56,8 +56,7 @@
loop: "{{ discovered_gid0_members.stdout_lines }}"
- name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group"
when:
- rhel9cis_rule_5_4_2_3
when: rhel9cis_rule_5_4_2_3
tags:
- level1-server
- level1-workstation
@ -96,8 +95,7 @@
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
when:
- rhel9cis_rule_5_4_2_4
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
@ -108,8 +106,7 @@
msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
when:
- rhel9cis_rule_5_4_2_5
when: rhel9cis_rule_5_4_2_5
tags:
- level1-server
- level1-workstation
@ -172,15 +169,14 @@
state: directory
owner: root
group: root
mode: '0755'
mode: 'go-w'
follow: false
loop: "{{ discovered_root_path_perms.results }}"
loop_control:
label: "{{ item }}"
- name: "5.4.2.6 | PATCH | Ensure root user umask is configured"
when:
- rhel9cis_rule_5_4_2_6
when: rhel9cis_rule_5_4_2_6
tags:
- level1-server
- level1-workstation


@ -1,8 +1,7 @@
---
- name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells"
when:
- rhel9cis_rule_5_4_3_1
when: rhel9cis_rule_5_4_3_1
tags:
- level2-server
- level2-workstation
@ -20,8 +19,7 @@
replace: ""
- name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured"
when:
- rhel9cis_rule_5_4_3_2
when: rhel9cis_rule_5_4_3_2
tags:
- level1-server
- level1-workstation
@ -33,7 +31,7 @@
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: '0644'
mode: 'go-wx'
block: |
TMOUT={{ rhel9cis_shell_session_timeout }}
readonly TMOUT
@ -43,8 +41,7 @@
- { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" }
- name: "5.4.3.3 | PATCH | Ensure default user umask is configured"
when:
- rhel9cis_rule_5_4_3_3
when: rhel9cis_rule_5_4_3_3
tags:
- level1-server
- level1-workstation