ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge pull request #8 from ansible-lockdown/rh8_2.0

Browse source 
Rh8 2.0
This commit is contained in:
uk-bolly 2022-04-26 15:58:05 +01:00 committed by GitHub
commit 8361791c51
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
92 changed files with 5217 additions and 4360 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Changelog.md
View file

@ -1,5 +1,16 @@
# Changes to rhel9CIS
## 0.2
- not all controls work with rhel8 releases any longer
- selinux disabled 1.6.1.4
- logrotate - 4.3.x
- updated to rhel8cis v2.0 benchamrk requirements
- removed iptables firewall controls (not valid on rhel9)
- added more to logrotate 4.3.x - sure to logrotate now a seperate package
- grub path now standard to /boot/grub2/grub.cfg
- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
## 0.1
- change to include statements

3
README.md
View file

@ -11,8 +11,9 @@
![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic)
Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released)
Based on v2.0.0 RHEL8
Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/)
Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/)
## Join us

448
defaults/main.yml
View file

@ -1,7 +1,6 @@
---
# defaults file for rhel9-cis
rhel9cis_skip_for_travis: false
system_is_container: false
container_vars_file: is_container.yml
# rhel9cis is left off the front of this var for consistency in testing pipeline
@ -11,7 +10,6 @@ system_is_ec2: false
# Run the OS validation check
os_check: true
rhel9cis_notauto: false
rhel9cis_section1: true
rhel9cis_section2: true
rhel9cis_section3: true
@ -19,6 +17,10 @@ rhel9cis_section4: true
rhel9cis_section5: true
rhel9cis_section6: true
# This is used for audit purposes to run only specifc level use the tags
# e.g.
# - level1-server
# - level2-workstation
rhel9cis_level_1: true
rhel9cis_level_2: true
@ -36,6 +38,9 @@ benchmark: RHEL9-CIS
# Whether to skip the reboot
skip_reboot: true
# default value will change to true but wont reboot if not enabled but will error
change_requires_reboot: false
#### Basic external goss audit enablement settings ####
#### Precise details - per setting can be found at the bottom of this file ####
@ -54,7 +59,7 @@ audit_content: git
run_audit: false
# Timeout for those cmds that take longer to run where timeout set
audit_cmd_timeout: 30000
audit_cmd_timeout: 60000
### End Goss enablements ####
#### Detailed settings found at the end of this document ####
@ -67,74 +72,77 @@ audit_cmd_timeout: 30000
rhel9cis_rule_1_1_1_1: true
rhel9cis_rule_1_1_1_2: true
rhel9cis_rule_1_1_1_3: true
rhel9cis_rule_1_1_1_4: true
rhel9cis_rule_1_1_1_5: true
rhel9cis_rule_1_1_2: true
rhel9cis_rule_1_1_3: true
rhel9cis_rule_1_1_4: true
rhel9cis_rule_1_1_5: true
rhel9cis_rule_1_1_6: true
rhel9cis_rule_1_1_7: true
rhel9cis_rule_1_1_8: true
rhel9cis_rule_1_1_9: true
rhel9cis_rule_1_1_10: true
rhel9cis_rule_1_1_11: true
rhel9cis_rule_1_1_12: true
rhel9cis_rule_1_1_13: true
rhel9cis_rule_1_1_14: true
rhel9cis_rule_1_1_15: true
rhel9cis_rule_1_1_16: true
rhel9cis_rule_1_1_17: true
rhel9cis_rule_1_1_2_1: true
rhel9cis_rule_1_1_2_2: true
rhel9cis_rule_1_1_2_3: true
rhel9cis_rule_1_1_2_4: true
rhel9cis_rule_1_1_3_1: true
rhel9cis_rule_1_1_3_2: true
rhel9cis_rule_1_1_3_3: true
rhel9cis_rule_1_1_3_4: true
rhel9cis_rule_1_1_4_1: true
rhel9cis_rule_1_1_4_2: true
rhel9cis_rule_1_1_4_3: true
rhel9cis_rule_1_1_4_4: true
rhel9cis_rule_1_1_5_1: true
rhel9cis_rule_1_1_5_2: true
rhel9cis_rule_1_1_5_3: true
rhel9cis_rule_1_1_5_4: true
rhel9cis_rule_1_1_6_1: true
rhel9cis_rule_1_1_6_2: true
rhel9cis_rule_1_1_6_3: true
rhel9cis_rule_1_1_6_4: true
rhel9cis_rule_1_1_7_1: true
rhel9cis_rule_1_1_7_2: true
rhel9cis_rule_1_1_7_3: true
rhel9cis_rule_1_1_7_4: true
rhel9cis_rule_1_1_7_5: true
rhel9cis_rule_1_1_8_1: true
rhel9cis_rule_1_1_8_2: true
rhel9cis_rule_1_1_8_3: true
rhel9cis_rule_1_1_18: true
rhel9cis_rule_1_1_19: true
rhel9cis_rule_1_1_20: true
rhel9cis_rule_1_1_21: true
rhel9cis_rule_1_1_22: true
rhel9cis_rule_1_1_23: true
rhel9cis_rule_1_1_9: true
rhel9cis_rule_1_1_10: true
rhel9cis_rule_1_2_1: true
rhel9cis_rule_1_2_2: true
rhel9cis_rule_1_2_3: true
rhel9cis_rule_1_2_4: true
rhel9cis_rule_1_2_5: true
rhel9cis_rule_1_3_1: true
rhel9cis_rule_1_3_2: true
rhel9cis_rule_1_3_3: true
rhel9cis_rule_1_4_1: true
rhel9cis_rule_1_4_2: true
rhel9cis_rule_1_4_3: true
rhel9cis_rule_1_5_1: true
rhel9cis_rule_1_5_2: true
rhel9cis_rule_1_5_3: true
rhel9cis_rule_1_6_1: true
rhel9cis_rule_1_6_2: true
rhel9cis_rule_1_7_1_1: true
rhel9cis_rule_1_7_1_2: true
rhel9cis_rule_1_7_1_3: true
rhel9cis_rule_1_7_1_4: true
rhel9cis_rule_1_7_1_5: true
rhel9cis_rule_1_7_1_6: true
rhel9cis_rule_1_7_1_7: true
rhel9cis_rule_1_8_1_1: true
rhel9cis_rule_1_8_1_2: true
rhel9cis_rule_1_8_1_3: true
rhel9cis_rule_1_8_1_4: true
rhel9cis_rule_1_8_1_5: true
rhel9cis_rule_1_8_1_6: true
rhel9cis_rule_1_6_1_1: true
rhel9cis_rule_1_6_1_2: true
rhel9cis_rule_1_6_1_3: true
rhel9cis_rule_1_6_1_4: true
rhel9cis_rule_1_6_1_5: true
rhel9cis_rule_1_6_1_6: true
rhel9cis_rule_1_6_1_7: true
rhel9cis_rule_1_7_1: true
rhel9cis_rule_1_7_2: true
rhel9cis_rule_1_7_3: true
rhel9cis_rule_1_7_4: true
rhel9cis_rule_1_7_5: true
rhel9cis_rule_1_7_6: true
rhel9cis_rule_1_8_1: true
rhel9cis_rule_1_8_2: true
rhel9cis_rule_1_8_3: true
rhel9cis_rule_1_8_4: true
rhel9cis_rule_1_8_5: true
rhel9cis_rule_1_9: true
rhel9cis_rule_1_10: true
rhel9cis_rule_1_11: true
# Section 2 rules
rhel9cis_rule_2_1_1: true
rhel9cis_rule_2_1_2: true
rhel9cis_rule_2_1_3: true
rhel9cis_rule_2_1_4: true
rhel9cis_rule_2_1_5: true
rhel9cis_rule_2_1_6: true
rhel9cis_rule_2_1_7: true
rhel9cis_rule_2_2_1_1: true
rhel9cis_rule_2_2_1_2: true
rhel9cis_rule_2_2_1_3: true
rhel9cis_rule_2_2_1: true
rhel9cis_rule_2_2_2: true
rhel9cis_rule_2_2_3: true
rhel9cis_rule_2_2_4: true
@ -152,53 +160,51 @@ rhel9cis_rule_2_2_15: true
rhel9cis_rule_2_2_16: true
rhel9cis_rule_2_2_17: true
rhel9cis_rule_2_2_18: true
rhel9cis_rule_2_2_19: true
rhel9cis_rule_2_2_20: true
rhel9cis_rule_2_3_1: true
rhel9cis_rule_2_3_2: true
rhel9cis_rule_2_3_3: true
rhel9cis_rule_2_3_4: true
rhel9cis_rule_2_3_5: true
rhel9cis_rule_2_3_6: true
rhel9cis_rule_2_4: true
# Section 3 rules
Section 3 rules
rhel9cis_rule_3_1_1: true
rhel9cis_rule_3_1_2: true
rhel9cis_rule_3_1_3: true
rhel9cis_rule_3_1_4: true
rhel9cis_rule_3_2_1: true
rhel9cis_rule_3_2_2: true
rhel9cis_rule_3_2_3: true
rhel9cis_rule_3_2_4: true
rhel9cis_rule_3_2_5: true
rhel9cis_rule_3_2_6: true
rhel9cis_rule_3_2_7: true
rhel9cis_rule_3_2_8: true
rhel9cis_rule_3_2_9: true
rhel9cis_rule_3_3_1: true
rhel9cis_rule_3_3_2: true
rhel9cis_rule_3_3_3: true
rhel9cis_rule_3_3_4: true
rhel9cis_rule_3_3_5: true
rhel9cis_rule_3_3_6: true
rhel9cis_rule_3_3_7: true
rhel9cis_rule_3_3_8: true
rhel9cis_rule_3_3_9: true
rhel9cis_rule_3_4_1_1: true
rhel9cis_rule_3_4_1_2: true
rhel9cis_rule_3_4_1_3: true
rhel9cis_rule_3_4_1_4: true
rhel9cis_rule_3_4_1_5: true
rhel9cis_rule_3_4_1_6: true
rhel9cis_rule_3_4_1_7: true
rhel9cis_rule_3_4_2_1: true
rhel9cis_rule_3_4_2_2: true
rhel9cis_rule_3_4_2_3: true
rhel9cis_rule_3_4_2_4: true
rhel9cis_rule_3_4_2_5: true
rhel9cis_rule_3_4_2_6: true
rhel9cis_rule_3_4_3_1: true
rhel9cis_rule_3_4_3_2: true
rhel9cis_rule_3_4_3_3: true
rhel9cis_rule_3_4_3_4: true
rhel9cis_rule_3_4_3_5: true
rhel9cis_rule_3_4_3_6: true
rhel9cis_rule_3_4_3_7: true
rhel9cis_rule_3_4_3_8: true
rhel9cis_rule_3_4_4_1_1: true
rhel9cis_rule_3_4_4_1_2: true
rhel9cis_rule_3_4_4_1_3: true
rhel9cis_rule_3_4_4_1_4: true
rhel9cis_rule_3_4_4_1_5: true
rhel9cis_rule_3_4_4_2_1: true
rhel9cis_rule_3_4_4_2_2: true
rhel9cis_rule_3_4_4_2_3: true
rhel9cis_rule_3_4_4_2_4: true
rhel9cis_rule_3_4_4_2_5: true
rhel9cis_rule_3_5: true
rhel9cis_rule_3_6: true
rhel9cis_rule_3_4_2_7: true
rhel9cis_rule_3_4_2_8: true
rhel9cis_rule_3_4_2_9: true
rhel9cis_rule_3_4_2_10: true
rhel9cis_rule_3_4_2_11: true
# Section 4 rules
rhel9cis_rule_4_1_1_1: true
@ -208,32 +214,48 @@ rhel9cis_rule_4_1_1_4: true
rhel9cis_rule_4_1_2_1: true
rhel9cis_rule_4_1_2_2: true
rhel9cis_rule_4_1_2_3: true
rhel9cis_rule_4_1_3: true
rhel9cis_rule_4_1_4: true
rhel9cis_rule_4_1_5: true
rhel9cis_rule_4_1_6: true
rhel9cis_rule_4_1_7: true
rhel9cis_rule_4_1_8: true
rhel9cis_rule_4_1_9: true
rhel9cis_rule_4_1_10: true
rhel9cis_rule_4_1_11: true
rhel9cis_rule_4_1_12: true
rhel9cis_rule_4_1_13: true
rhel9cis_rule_4_1_14: true
rhel9cis_rule_4_1_15: true
rhel9cis_rule_4_1_16: true
rhel9cis_rule_4_1_17: true
rhel9cis_rule_4_1_3_1: true
rhel9cis_rule_4_1_3_2: true
rhel9cis_rule_4_1_3_3: true
rhel9cis_rule_4_1_3_4: true
rhel9cis_rule_4_1_3_5: true
rhel9cis_rule_4_1_3_6: true
rhel9cis_rule_4_1_3_7: true
rhel9cis_rule_4_1_3_8: true
rhel9cis_rule_4_1_3_9: true
rhel9cis_rule_4_1_3_10: true
rhel9cis_rule_4_1_3_11: true
rhel9cis_rule_4_1_3_12: true
rhel9cis_rule_4_1_3_13: true
rhel9cis_rule_4_1_3_14: true
rhel9cis_rule_4_1_3_15: true
rhel9cis_rule_4_1_3_16: true
rhel9cis_rule_4_1_3_17: true
rhel9cis_rule_4_1_3_18: true
rhel9cis_rule_4_1_3_19: true
rhel9cis_rule_4_1_3_20: true
rhel9cis_rule_4_1_3_21: true
rhel9cis_rule_4_2_1_1: true
rhel9cis_rule_4_2_1_2: true
rhel9cis_rule_4_2_1_3: true
rhel9cis_rule_4_2_1_4: true
rhel9cis_rule_4_2_1_5: true
rhel9cis_rule_4_2_1_6: true
rhel9cis_rule_4_2_2_1: true
rhel9cis_rule_4_2_1_7: true
rhel9cis_rule_4_2_2_1_1: true
rhel9cis_rule_4_2_2_1_2: true
rhel9cis_rule_4_2_2_1_3: true
rhel9cis_rule_4_2_2_1_4: true
rhel9cis_rule_4_2_2_2: true
rhel9cis_rule_4_2_2_3: true
rhel9cis_rule_4_2_2_4: true
rhel9cis_rule_4_2_2_5: true
rhel9cis_rule_4_2_2_6: true
rhel9cis_rule_4_2_2_7: true
rhel9cis_rule_4_2_3: true
rhel9cis_rule_4_3: true
rhel9cis_rule_4_3_1: true
rhel9cis_rule_4_3_2: true
rhel9cis_rule_4_3_3: true
# Section 5 rules
rhel9cis_rule_5_1_1: true
@ -244,6 +266,7 @@ rhel9cis_rule_5_1_5: true
rhel9cis_rule_5_1_6: true
rhel9cis_rule_5_1_7: true
rhel9cis_rule_5_1_8: true
rhel9cis_rule_5_1_9: true
rhel9cis_rule_5_2_1: true
rhel9cis_rule_5_2_2: true
rhel9cis_rule_5_2_3: true
@ -267,21 +290,26 @@ rhel9cis_rule_5_2_20: true
rhel9cis_rule_5_3_1: true
rhel9cis_rule_5_3_2: true
rhel9cis_rule_5_3_3: true
rhel9cis_rule_5_3_4: true
rhel9cis_rule_5_3_5: true
rhel9cis_rule_5_3_6: true
rhel9cis_rule_5_3_7: true
rhel9cis_rule_5_4_1: true
rhel9cis_rule_5_4_2: true
rhel9cis_rule_5_4_3: true
rhel9cis_rule_5_4_4: true
rhel9cis_rule_5_5_1_1: true
rhel9cis_rule_5_5_1_2: true
rhel9cis_rule_5_5_1_3: true
rhel9cis_rule_5_5_1_4: true
rhel9cis_rule_5_5_1_5: true
rhel9cis_rule_5_5_1: true
rhel9cis_rule_5_5_2: true
rhel9cis_rule_5_5_3: true
rhel9cis_rule_5_5_4: true
rhel9cis_rule_5_5_5: true
rhel9cis_rule_5_6: true
rhel9cis_rule_5_7: true
rhel9cis_rule_5_6_1_1: true
rhel9cis_rule_5_6_1_2: true
rhel9cis_rule_5_6_1_3: true
rhel9cis_rule_5_6_1_4: true
rhel9cis_rule_5_6_1_5: true
rhel9cis_rule_5_6_2: true
rhel9cis_rule_5_6_3: true
rhel9cis_rule_5_6_4: true
rhel9cis_rule_5_6_5: true
# Section 6 rules
rhel9cis_rule_6_1_1: true
@ -298,6 +326,7 @@ rhel9cis_rule_6_1_11: true
rhel9cis_rule_6_1_12: true
rhel9cis_rule_6_1_13: true
rhel9cis_rule_6_1_14: true
rhel9cis_rule_6_1_15: true
rhel9cis_rule_6_2_1: true
rhel9cis_rule_6_2_2: true
rhel9cis_rule_6_2_3: true
@ -305,7 +334,7 @@ rhel9cis_rule_6_2_4: true
rhel9cis_rule_6_2_5: true
rhel9cis_rule_6_2_6: true
rhel9cis_rule_6_2_7: true
rhel9cis_rule_6_2_8: false
rhel9cis_rule_6_2_8: true
rhel9cis_rule_6_2_9: true
rhel9cis_rule_6_2_10: true
rhel9cis_rule_6_2_11: true
@ -314,51 +343,20 @@ rhel9cis_rule_6_2_13: true
rhel9cis_rule_6_2_14: true
rhel9cis_rule_6_2_15: true
rhel9cis_rule_6_2_16: true
rhel9cis_rule_6_2_17: true
rhel9cis_rule_6_2_18: true
rhel9cis_rule_6_2_19: true
rhel9cis_rule_6_2_20: true
# Service configuration booleans set true to keep service
rhel9cis_avahi_server: false
rhel9cis_cups_server: false
rhel9cis_dhcp_server: false
rhel9cis_ldap_server: false
rhel9cis_telnet_server: false
rhel9cis_nfs_server: false
rhel9cis_rpc_server: false
rhel9cis_ntalk_server: false
rhel9cis_rsyncd_server: false
rhel9cis_tftp_server: false
rhel9cis_rsh_server: false
rhel9cis_nis_server: false
rhel9cis_snmp_server: false
rhel9cis_squid_server: false
rhel9cis_smb_server: false
rhel9cis_dovecot_server: false
rhel9cis_httpd_server: false
rhel9cis_vsftpd_server: false
rhel9cis_named_server: false
rhel9cis_nfs_rpc_server: false
rhel9cis_is_mail_server: false
rhel9cis_bind: false
rhel9cis_vsftpd: false
rhel9cis_httpd: false
rhel9cis_dovecot: false
rhel9cis_samba: false
rhel9cis_squid: false
rhel9cis_net_snmp: false
rhel9cis_allow_autofs: false
## Section 1 vars
# 1.1.2
#### 1.1.2
# These settings go into the /etc/fstab file for the /tmp mount settings
# The value must contain nosuid,nodev,noexec to conform to CIS standards
# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
# If set true uses the tmp.mount service else using fstab configuration
rhel9cis_tmp_svc: false
#### 1.1.9
rhel9cis_allow_autofs: false
# 1.2.1
# This is the login information for your RedHat Subscription
# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
@ -371,20 +369,16 @@ rhel9cis_rh_sub_password: password
# RedHat Satellite Subscription items
rhel9cis_rhnsd_required: false
# 1.3.3 var log location variable
rhel9cis_varlog_location: "/var/log/sudo.log"
# xinetd required
rhel9cis_xinetd_required: false
# 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random
rhel9cis_set_boot_pass: false
# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
rhel9cis_crypto_policy: "FUTURE"
# 1.10 Set crypto policy DEFAULT
# Control 1.10 states not to use LEGACY
rhel9cis_crypto_policy: "DEFAULT"
# System network parameters (host only OR host and router)
rhel9cis_is_router: false
@ -397,7 +391,7 @@ rhel9cis_config_aide: true
# AIDE cron settings
rhel9cis_aide_cron:
cron_user: root
cron_file: /etc/cron.d/aide.cron
cron_file: /etc/cron.d/aide_cron
aide_job: '/usr/sbin/aide --check'
aide_minute: 0
aide_hour: 5
@ -409,105 +403,145 @@ rhel9cis_aide_cron:
rhel9cis_selinux_pol: targeted
# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: false
# Set to 'true' if X Windows is needed in your environment
rhel9cis_xwindows_required: false
## 2. Services
rhel9cis_openldap_clients_required: false
rhel9cis_telnet_required: false
rhel9cis_talk_required: false
rhel9cis_rsh_required: false
rhel9cis_ypbind_required: false
# 2.2.1.1 Time Synchronization - Either chrony or ntp
rhel9cis_time_synchronization: chrony
# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
### 2.1 Time Synchronization
#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
rhel9cis_time_synchronization_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
rhel9cis_chrony_server_options: "minpoll 8"
rhel9cis_ntp_server_options: "iburst"
### 2.2 Special Purposes
##### Service configuration booleans set true to keep service
rhel9cis_xinetd_server: false
rhel9cis_gui: false
rhel9cis_avahi_server: false
rhel9cis_cups_server: false
rhel9cis_dhcp_server: false
rhel9cis_dns_server: false
rhel9cis_ftp_server: false
rhel9cis_vsftpd_server: false
rhel9cis_tftp_server: false
rhel9cis_httpd_server: false
rhel9cis_nginx_server: false
rhel9cis_dovecot_server: false
rhel9cis_imap_server: false
rhel9cis_samba_server: false
rhel9cis_squid_server: false
rhel9cis_snmp_server: false
rhel9cis_nis_server: false
rhel9cis_telnet_server: false
rhel9cis_is_mail_server: false
# Note the options
# Packages are used for client services and Server- only remove if you dont use the client service
#
rhel9cis_use_nfs_server: false
rhel9cis_use_nfs_service: false
rhel9cis_use_rpc_server: false
rhel9cis_use_rpc_service: false
rhel9cis_use_rsync_server: false
rhel9cis_use_rsync_service: false
#### 2.3 Service clients
rhel9cis_ypbind_required: false
rhel9cis_rsh_required: false
rhel9cis_talk_required: false
rhel9cis_telnet_required: false
rhel9cis_openldap_clients_required: false
rhel9cis_tftp_client: false
## Section3 vars
# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
rhel9cis_host_allow:
- "10.0.0.0/255.0.0.0"
- "172.16.0.0/255.240.0.0"
- "192.168.0.0/255.255.0.0"
# Firewall Service - either firewalld, iptables, or nftables
### Firewall Service - either firewalld, iptables, or nftables
#### Some control allow for services to be removed or masked
#### The options are under each heading
#### absent = remove the package
#### masked = leave package if installed and mask the service
rhel9cis_firewall: firewalld
# 3.4.2.4 Default zone setting
##### firewalld
rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
# 3.4.2.5 Zone and Interface setting
rhel9cis_int_zone: customezone
rhel9cis_interface: eth0
rhel9cis_firewall_services:
- ssh
- dhcpv6-client
# 3.4.3.2 Set nftables new table create
#### nftables
rhel9cis_nftables_firewalld_state: masked
rhel9cis_nft_tables_autonewtable: true
rhel9cis_nft_tables_tablename: filter
# 3.4.3.3 Set nftables new chain create
rhel9cis_nft_tables_autochaincreate: true
# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: |
Authorized uses only. All activity may be monitored and reported.
# End Banner
## Section4 vars
### 4.1 Configure System Accounting
#### 4.1.2 Configure Data Retention
rhel9cis_auditd:
space_left_action: email
action_mail_acct: root
admin_space_left_action: halt
max_log_file_action: keep_logs
rhel9cis_logrotate: "daily"
# The audit_back_log_limit value should never be below 8192
rhel9cis_audit_back_log_limit: 8192
# The max_log_file parameter should be based on your sites policy
rhel9cis_max_log_file_size: 10
# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name
## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
rhel9cis_preferred_log_capture: rsyslog
#### 4.2.1.6 remote and destation log server name
rhel9cis_remote_log_server: logagg.example.com
# RHEL-09-4.2.1.5
#### 4.2.1.7
rhel9cis_system_is_log_server: false
# 4.2.2.1.2
# rhel9cis_journal_upload_url is the ip address to upload the journal entries to
rhel9cis_journal_upload_url: 192.168.50.42
# The paths below have the default paths/files, but allow user to create custom paths/filenames
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
# 4.2.2.1
# The variables below related to journald, please set these to your site specific values
# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
rhel9cis_journald_systemmaxuse: 10M
# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
rhel9cis_journald_systemkeepfree: 100G
rhel9cis_journald_runtimemaxuse: 10M
rhel9cis_journald_runtimekeepfree: 100G
# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
rhel9cis_journald_maxfilesec: 1month
#### 4.3
rhel9cis_logrotate: "daily"
## Section5 vars
rhel9cis_sshd:
clientalivecountmax: 0
clientaliveinterval: 900
ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
logingracetime: 60
# WARNING: make sure you understand the precedence when working with these values!!
# allowusers:
# allowgroups: systems dba
# denyusers:
# denygroups:
rhel9cis_pam_faillock:
attempts: 5
interval: 900
unlock_time: 900
fail_for_root: no
remember: 5
pwhash: sha512
# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
rhel9cis_ssh_loglevel: INFO
@ -517,9 +551,10 @@ rhel9cis_ssh_maxsessions: 4
rhel9cis_inactivelock:
lock_days: 30
rhel9cis_use_authconfig: false
# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
rhel9cis_use_authconfig: false
rhel9cis_authselect:
custom_profile_name: custom-profile
default_file_to_copy: "sssd --symlink-meta"
@ -531,6 +566,7 @@ rhel9cis_authselect_custom_profile_create: false
# 5.3.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: false
rhel9cis_pass:
max_days: 365
min_days: 7
@ -539,22 +575,26 @@ rhel9cis_pass:
rhel9cis_syslog: rsyslog
rhel9cis_rsyslog_ansiblemanaged: true
rhel9cis_vartmp:
source: /tmp
fstype: none
opts: "defaults,nodev,nosuid,noexec,bind"
enabled: false
# 5.5.1
## PAM
rhel9cis_pam_password:
minlen: "14"
minclass: "4"
minlen: 14
minclass: 4
rhel9cis_pam_faillock:
remember: 5
# UID settings for interactive users
# These are discovered via logins.def is set true
# These are discovered via logins.def if set true
discover_int_uid: false
min_int_uid: 1000
max_int_uid: 65533
# 5.3.3 var log location variable
rhel9cis_sudolog_location: "/var/log/sudo.log"
#### 5.3.6
rhel9cis_sudo_timestamp_timeout: 15
# RHEL-09-5.4.5
# Session timeout setting file (TMOUT setting can be set in multiple files)

28
group_vars/docker
View file

@ -1,28 +0,0 @@
---
ansible_user: root
# AIDE cron settings
rhel9cis_aide_cron:
cron_user: root
cron_file: /var/spool/cron/root
aide_job: '/usr/sbin/aide --check'
aide_minute: 0
aide_hour: 5
aide_day: '*'
aide_month: '*'
aide_weekday: '*'
rhel9cis_sshd:
clientalivecountmax: 3
clientaliveinterval: 300
ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
logingracetime: 60
# - make sure you understand the precedence when working with these values!!
allowusers: vagrant
allowgroups: vagrant
denyusers: root
denygroups: root
# Workarounds for Docker
rhel9cis_skip_for_travis: true
rhel9cis_selinux_disable: true

28
group_vars/vagrant
View file

@ -1,28 +0,0 @@
---
ansible_user: vagrant
# AIDE cron settings
rhel9cis_aide_cron:
cron_user: root
cron_file: /var/spool/cron/root
aide_job: '/usr/sbin/aide --check'
aide_minute: 0
aide_hour: 5
aide_day: '*'
aide_month: '*'
aide_weekday: '*'
rhel9cis_sshd:
clientalivecountmax: 3
clientaliveinterval: 300
ciphers: 'aes256-ctr,aes192-ctr,aes128-ctr'
macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
logingracetime: 60
# - make sure you understand the precedence when working with these values!!
allowusers: vagrant
allowgroups: vagrant
denyusers: root
denygroups: root
# Vagrant can touch code that Docker cannot
rhel9cis_skip_for_travis: false
rhel9cis_selinux_disable: false

47
handlers/main.yml
View file

@ -22,24 +22,29 @@
- name: update sysctl
template:
src: etc/99-sysctl.conf.j2
dest: /etc/sysctl.d/99-sysctl.conf
src: "etc/sysctl.d/{{ item }}.j2"
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: 0600
notify: reload sysctl
when:
with_items:
- 60-kernel_sysctl.conf
- 60-disable_ipv6.conf
- 60-netipv4_sysctl.conf
- 60-netipv6_sysctl.conf
when:
- ansible_virtualization_type != "docker"
- "'procps-ng' in ansible_facts.packages"
- name: reload sysctl
sysctl:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
name: net.ipv4.route.flush
value: '1'
state: present
reload: true
ignoreerrors: true
when:
- ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages"
@ -72,12 +77,6 @@
name: firewalld
state: restarted
- name: restart xinetd
become: true
service:
name: xinetd
state: restarted
- name: restart sshd
become: true
service:
@ -112,13 +111,11 @@
failed_when: false
args:
warn: false
when:
- not rhel9cis_skip_for_travis
tags:
- skip_ansible_lint
- name: grub2cfg
shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
args:
warn: false
ignore_errors: True
@ -131,12 +128,20 @@
name: rsyslog
state: restarted
- name: restart syslog-ng
become: true
- name: restart journald
service:
name: syslog-ng
name: systemd-journald
state: restarted
- name: restart systemd_journal_upload
service:
name: systemd-journal-upload
state: restarted
- name: systemd_daemon_reload
systemd:
daemon-reload: true
- name: change_requires_reboot
set_fact:
change_requires_reboot: true

1
local.yml
View file

@ -6,4 +6,3 @@
roles:
- role: "{{ playbook_dir }}"

6
meta/main.yml
View file

@ -22,7 +22,7 @@ galaxy_info:
- disa
- rhel9
collections:
- community.general
- community.crypto
- ansible.posix
- community.general
- community.crypto
- ansible.posix
dependencies: []

100
tasks/main.yml
View file

@ -3,12 +3,12 @@
- name: Check OS version and family
assert:
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when:
- os_check
- not system_is_ec2
when:
- os_check
- not system_is_ec2
tags:
- always
@ -29,7 +29,7 @@
- name: Load variable for container
include_vars:
file: "{{ container_vars_file }}"
- name: output if discovered is a container
debug:
msg: system has been discovered as a container
@ -50,129 +50,133 @@
- name: Check rhel9cis_bootloader_password_hash variable has been changed
assert:
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- always
- name: "check sugroup exists if used"
block:
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args:
warn: false
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
tags:
- skip_ansible_lint
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args:
warn: false
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
tags:
- skip_ansible_lint
- name: Check sugroup if defined exists before continuing
assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
- name: Check sugroup if defined exists before continuing
assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when:
- rhel9cis_sugroup is defined
- rhel9cis_rule_5_7
- rhel9cis_sugroup is defined
- rhel9cis_rule_5_7
tags:
- rule_5.7
- rule_5.7
- name: Gather the package facts
package_facts:
manager: auto
tags:
- always
- always
- name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml"
tags:
- always
- always
- name: Include preliminary steps
import_tasks: prelim.yml
tags:
- prelim_tasks
- always
- prelim_tasks
- always
- name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml
when:
- run_audit
- run_audit
- name: Gather the package facts after prelim
package_facts:
manager: auto
tags:
- always
- always
- name: capture /etc/password variables
include_tasks: parse_etc_password.yml
when:
- rhel9cis_section6
when:
- rhel9cis_section6
tags:
- rule_5.5.2
- rule_6.2.7
- rule_6.2.8
- rule_6.2.20
- rhel9cis_section6
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- name: run Section 1 tasks
import_tasks: section_1/main.yml
become: true
when: rhel9cis_section1
tags:
- rhel9cis_section1
- rhel9cis_section1
- name: run Section 2 tasks
import_tasks: section_2/main.yml
become: true
when: rhel9cis_section2
tags:
- rhel9cis_section2
- rhel9cis_section2
- name: run Section 3 tasks
import_tasks: section_3/main.yml
become: true
when: rhel9cis_section3
tags:
- rhel9cis_section3
- rhel9cis_section3
- name: run Section 4 tasks
import_tasks: section_4/main.yml
become: true
when: rhel9cis_section4
tags:
- rhel9cis_section4
- rhel9cis_section4
- name: run Section 5 tasks
import_tasks: section_5/main.yml
become: true
when: rhel9cis_section5
tags:
- rhel9cis_section5
- rhel9cis_section5
- name: run Section 6 tasks
import_tasks: section_6/main.yml
become: true
when: rhel9cis_section6
tags:
- rhel9cis_section6
- rhel9cis_section6
- name: run post remediation tasks
import_tasks: post.yml
become: true
tags:
- post_tasks
- always
- post_tasks
- always
- name: run post_remediation audit
import_tasks: post_remediation_audit.yml
when:
- run_audit
- run_audit
- name: Show Audit Summary
debug:
msg: "{{ audit_results.split('\n') }}"
when:
- run_audit
- run_audit

54
tasks/post.yml
View file

@ -10,7 +10,7 @@
package_facts:
manager: auto
tags:
- always
- always
- name: trigger update sysctl
shell: /bin/true
@ -20,19 +20,20 @@
check_mode: false
notify: update sysctl
when:
- rhel9cis_rule_1_6_1 or
rhel9cis_rule_1_6_2 or
rhel9cis_rule_3_1_2 or
- rhel9cis_rule_3_1_1 or
rhel9cis_rule_3_1_2 or
rhel9cis_rule_3_1_3 or
rhel9cis_rule_3_2_1 or
rhel9cis_rule_3_2_2 or
rhel9cis_rule_3_2_3 or
rhel9cis_rule_3_2_4 or
rhel9cis_rule_3_2_5 or
rhel9cis_rule_3_2_6 or
rhel9cis_rule_3_2_7 or
rhel9cis_rule_3_2_8 or
rhel9cis_rule_3_2_9
rhel9cis_rule_3_3_1 or
rhel9cis_rule_3_3_2 or
rhel9cis_rule_3_3_3 or
rhel9cis_rule_3_3_4 or
rhel9cis_rule_3_3_5 or
rhel9cis_rule_3_3_6 or
rhel9cis_rule_3_3_7 or
rhel9cis_rule_3_3_8 or
rhel9cis_rule_3_3_9
tags:
- sysctl
@ -66,7 +67,30 @@
- name: flush handlers
meta: flush_handlers
- name: Reboot host
reboot:
when:
- not skip_reboot
- name: POST | reboot system if changes require it and not skipped
block:
- name: POST | Reboot system if changes require it and not skipped
reboot:
when:
- change_requires_reboot
- not skip_reboot
- name: POST | Warning a reboot required but skip option set
debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- change_requires_reboot
- skip_reboot
tags:
- grub
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- rhel9cis_section1
- rhel9cis_section2
- rhel9cis_section3
- rhel9cis_section4
- rhel9cis_section5
- rhel9cis_section6

59
tasks/prelim.yml
View file

@ -32,8 +32,9 @@
warn: false
changed_when: false
check_mode: false
register: uid_zero_accounts_except_root
register: rhel9cis_uid_zero_accounts_except_root
tags:
- rule_6.2.8
- level1-server
- level1-workstation
- users
@ -55,13 +56,11 @@
check_mode: false
register: system_wide_crypto_policy
when:
- rhel9cis_rule_1_10 or
rhel9cis_rule_1_11
- rhel9cis_rule_1_10
tags:
- level1-server
- level1-workstation
- rule_1.10 or
rule_1.11
- rule_1.10
- crypto
- name: "PRELIM | if systemd coredump"
@ -69,11 +68,11 @@
path: /etc/systemd/coredump.conf
register: systemd_coredump
when:
- rhel9cis_rule_1_6_1
- rhel9cis_rule_1_5_1
tags:
- level1-server
- level1-workstation
- rule_1.6.1
- rule_1.5.1
- systemd
- name: "PRELIM | Section 1.1 | Create list of mount points"
@ -88,7 +87,7 @@
name: audit
state: present
become: true
when:
when:
- '"auditd" not in ansible_facts.packages'
- rhel9cis_rule_4_1_1_1
tags:
@ -144,39 +143,18 @@
- authconfig
- auditd
- name: "PRELIM | Set facts based on boot type"
block:
- name: "PRELIM | Check whether machine is UEFI-based"
stat:
path: /sys/firmware/efi
register: rhel_09_efi_boot
- name: "PRELIM | AUDIT | set legacy boot and grub path | Bios"
set_fact:
rhel9cis_legacy_boot: true
grub2_path: /etc/grub2.cfg
when: not rhel_09_efi_boot.stat.exists
- name: "PRELIM | set grub fact | UEFI"
set_fact:
grub2_path: /etc/grub2-efi.cfg
when: rhel_09_efi_boot.stat.exists
when:
- not system_is_container
tags:
- bootloader
- grub
- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
stat:
path: "{{ grub2_path }}"
- name: "PRELIM | 5.3.4 | Find all sudoers files."
command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
register: grub_cfg
failed_when: false
check_mode: false
register: rhel9cis_sudoers_files
when:
- not system_is_container
- rhel9cis_rule_5_3_4 or
rhel9cis_rule_5_3_5
tags:
- bootloader
- grub
- rule_5.3.4
- rule_5.3.5
- name: "PRELIM | Check for rhnsd service"
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
@ -197,7 +175,7 @@
shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false
@ -214,8 +192,7 @@
max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}"
- debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}"
msg: "{{ min_int_uid }} {{ max_int_uid }}"
when:
- not discover_int_uid

78
tasks/section_1/cis_1.1.1.x.yml
View file

@ -1,16 +1,16 @@
---
- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
block:
- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
create: yes
mode: 0600
- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
modprobe:
name: cramfs
state: absent
@ -20,83 +20,57 @@
tags:
- level1-server
- level1-workstation
- scored
- automated
- patch
- rule_1.1.1.1
- cramfs
- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited"
- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled"
block:
- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Edit modprobe config"
- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install vfat(\\s|$)"
line: "install vfat /bin/true"
create: true
mode: 0600
- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT"
modprobe:
name: vfat
state: absent
when: ansible_connection != 'docker'
when:
- rhel9cis_rule_1_1_1_2
- rhel9cis_legacy_boot
tags:
- level2-server
- level2-workstation
- scored
- patch
- rule_1.1.1.2
- vfat
- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled"
block:
- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
create: yes
mode: 0600
- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
modprobe:
name: squashfs
state: absent
when: ansible_connection != 'docker'
when:
- rhel9cis_rule_1_1_1_3
- rhel9cis_rule_1_1_1_2
tags:
- level1-server
- level1-workstation
- scored
- level2-server
- level2-workstation
- automated
- patch
- rule_1.1.1.3
- rule_1.1.1.2
- squashfs
- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disabled"
- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled"
block:
- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config"
- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
create: yes
mode: 0600
- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
modprobe:
name: udf
state: absent
when: ansible_connection != 'docker'
when:
- rhel9cis_rule_1_1_1_4
- rhel9cis_rule_1_1_1_3
tags:
- level1-server
- level1-workstation
- scored
- level2-server
- level2-workstation
- automated
- patch
- rule_1.1.1.4
- rule_1.1.1.3
- udf

77
tasks/section_1/cis_1.1.2.x.yml Normal file
View file

@ -0,0 +1,77 @@
---
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition"
debug:
msg: "WARNING!! /tmp is not mounted on a separate partition"
when:
- rhel9cis_rule_1_1_2_1
- ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
tags:
- level1-server
- level1-workstation
- automated
- audit
- mounts
- rule_1.1.2.1
# via fstab
- name: |
"1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
"1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
"1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
mount:
name: /tmp
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: remount tmp
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
when:
- item.mount == "/tmp"
- not rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2_2 or
rhel9cis_rule_1_1_2_3 or
rhel9cis_rule_1_1_2_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- rule_1.1.2.2
- rule_1.1.2.3
- rule_1.1.2.4
# via systemd
- name: |
"1.1.2.1 | PATCH | Ensure /tmp is configured"
"1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
"1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
"1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
template:
src: etc/systemd/system/tmp.mount.j2
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 0644
notify: systemd restart tmp.mount
when:
- rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2_1 or
rhel9cis_rule_1_1_2_2 or
rhel9cis_rule_1_1_2_3 or
rhel9cis_rule_1_1_2_4
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.2.1
- rule_1.1.2.2
- rule_1.1.2.3
- rule_1.1.2.4

63
tasks/section_1/cis_1.1.3.x.yml Normal file
View file

@ -0,0 +1,63 @@
---
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var"
block:
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_mount_absent
changed_when: var_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var'
when:
- rhel9cis_rule_1_1_3_1
tags:
- level2-server
- level2-workstation
- automated
- patch
- mounts
- rule_1.1.3.1
# skips if mount is absent
- name: |
"1.1.3.2 | PATCH | Ensure nodev option set on /var partition"
"1.1.3.3 | PATCH | Ensure noexec option set on /var partition"
"1.1.3.4 | PATCH | Ensure nosuid option set on /var partition"
mount:
name: /var
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_mount_present is defined
- item.mount == "/var"
- rhel9cis_rule_1_1_3_1 # This is required so the check takes place
- rhel9cis_rule_1_1_3_2 or
rhel9cis_rule_1_1_3_3 or
rhel9cis_rule_1_1_3_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- skip_ansible_lint
- rule_1.1.3.2
- rule_1.1.3.3
- rule_1.1.3.4

64
tasks/section_1/cis_1.1.4.x.yml Normal file
View file

@ -0,0 +1,64 @@
---
# Skips if mount is absent
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp"
block:
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_tmp_mount_absent
changed_when: var_tmp_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_tmp_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/tmp'
when:
- rhel9cis_rule_1_1_4_1
tags:
- level2-server
- level2-workstation
- automated
- audit
- mounts
- rule_1.1.4.1
# skips if mount is absent
- name: |
"1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition"
"1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
"1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition"
mount:
name: /var/tmp
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_tmp_mount_present is defined
- item.mount == "/var/tmp"
- rhel9cis_rule_1_1_4_1 # This is required so the check takes place
- rhel9cis_rule_1_1_4_2 or
rhel9cis_rule_1_1_4_3 or
rhel9cis_rule_1_1_4_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- skip_ansible_lint
- rule_1.1.4.2
- rule_1.1.4.3
- rule_1.1.4.4

62
tasks/section_1/cis_1.1.5.x.yml Normal file
View file

@ -0,0 +1,62 @@
---
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log"
block:
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_mount_absent
changed_when: var_log_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_log_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/log'
when:
- rhel9cis_rule_1_1_5_1
tags:
- level2-server
- level2-workstation
- automated
- audit
- mounts
- rule_1.1.5.1
- skip_ansible_lint
- name: |
"1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
"1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition"
"1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition"
mount:
name: /var/log
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_log_mount_present is defined
- item.mount == "/var/log"
- rhel9cis_rule_1_1_5_1 # This is required so the check takes place
- rhel9cis_rule_1_1_5_2 or
rhel9cis_rule_1_1_5_3 or
rhel9cis_rule_1_1_5_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- skip_ansible_lint
- rule_1.1.5.2
- rule_1.1.5.3
- rule_1.1.5.4

61
tasks/section_1/cis_1.1.6.x.yml Normal file
View file

@ -0,0 +1,61 @@
---
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit"
block:
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_audit_mount_absent
changed_when: var_log_audit_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_log_audit_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/log/audit'
when:
- rhel9cis_rule_1_1_6_1
tags:
- level2-server
- level2-workstation
- automated
- audit
- mounts
- rule_1.1.6.1
- name: |
"1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
"1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition"
"1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition"
mount:
name: /var/log/audit
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_log_audit_mount_present is defined
- item.mount == "/var/log/audit"
- rhel9cis_rule_1_1_6_1 # This is required so the check takes place
- rhel9cis_rule_1_1_6_2 or
rhel9cis_rule_1_1_6_3 or
rhel9cis_rule_1_1_6_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- skip_ansible_lint
- rule_1.1.6.2
- rule_1.1.6.3
- rule_1.1.6.4

64
tasks/section_1/cis_1.1.7.x.yml Normal file
View file

@ -0,0 +1,64 @@
---
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home"
block:
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: home_mount_absent
changed_when: home_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: home_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/home'
when:
- rhel9cis_rule_1_1_7_1
tags:
- level2-server
- level2-workstation
- automated
- audit
- mounts
- rule_1.1.7.1
- skip_ansible_lint
- name: |
"1.1.7.2 | PATCH | Ensure nodev option set on /home partition
1.1.7.3 | PATCH | Ensure nosuid option set on /home partition
1.1.7.4 | PATCH | Ensure usrquota option set on /home partition
1.1.7.5 | PATCH | Ensure grpquota option set on /home partition"
mount:
name: /home
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- home_mount_present is defined
- item.mount == "/home"
- rhel9cis_rule_1_1_7_1
- rhel9cis_rule_1_1_7_2 or
rhel9cis_rule_1_1_7_3 or
rhel9cis_rule_1_1_7_4 or
rhel9cis_rule_1_1_7_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- rule_1.1.7.2
- rule_1.1.7.3
- rule_1.1.7.4
- skip_ansible_lint

43
tasks/section_1/cis_1.1.8.x.yml Normal file
View file

@ -0,0 +1,43 @@
---
# Skips if mount is absent
- name: |
"1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition
1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition
1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition"
block:
- name: |
"1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence
1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence
1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence"
shell: mount -l | grep -E '\s/dev/shm\s'
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_1_1_8_x_dev_shm_status
- name: |
"1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option
1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option"
mount:
name: /dev/shm
src: tmpfs
fstype: tmpfs
state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout"
notify: change_requires_reboot
when:
- rhel9cis_rule_1_1_8_1 or
rhel9cis_rule_1_1_8_2 or
rhel9cis_rule_1_1_8_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- rule_1.1.8.1
- rule_1.1.8.2
- rule_1.1.8.3

346
tasks/section_1/cis_1.1.x.yml
View file

@ -1,365 +1,45 @@
---
- name: |
"SCORED | 1.1.2 | PATCH | Ensure /tmp is configured"
"SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition"
"SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
"SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition"
"via fstab"
mount:
name: /tmp
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5 %}nosuid{% endif %}
notify: remount tmp
loop: "{{ ansible_mounts }}"
when:
- item.mount == "/tmp"
- not rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2 or
rhel9cis_rule_1_1_3 or
rhel9cis_rule_1_1_4 or
rhel9cis_rule_1_1_5
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.3
- rule_1.1.4
- rule_1.1.5
- name: |
"SCORED | 1.1.2 | PATCH | Ensure /tmp is configured"
"SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition"
"SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
"SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition"
"via systemd"
template:
src: etc/systemd/system/tmp.mount.j2
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 0644
notify: systemd restart tmp.mount
when:
- rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2 or
rhel9cis_rule_1_1_3 or
rhel9cis_rule_1_1_4 or
rhel9cis_rule_1_1_5
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.3
- rule_1.1.4
- rule_1.1.5
- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var"
block:
- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_mount_absent
changed_when: var_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
when:
- required_mount in mount_names
vars:
required_mount: '/var'
when:
- rhel9cis_rule_1_1_6
tags:
- level2-server
- level2-workstation
- scored
- patch
- mounts
- rule_1.1.6
- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | skips if mount absent"
block:
- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_tmp_mount_absent
changed_when: var_tmp_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_tmp_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/tmp'
when:
- rhel9cis_rule_1_1_7
tags:
- level2-server
- level2-workstation
- scored
- audit
- mounts
- rule_1.1.7
- name: |
"1.1.8 | L1 | PATCH | Ensure nodev option set on /var/tmp partition | skips if mount absent"
"1.1.9 | L1 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent"
"1.1.10 | L1 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent"
mount:
name: /var/tmp
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_10 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_9 %}nosuid{% endif %}
loop: "{{ ansible_mounts }}"
when:
- var_tmp_mount_present is defined
- item.mount == "/var/tmp"
- rhel9cis_rule_1_1_7 # This is required so the check takes place
- rhel9cis_rule_1_1_8 or
rhel9cis_rule_1_1_9 or
rhel9cis_rule_1_1_10
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- skip_ansible_lint
- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log"
block:
- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_mount_absent
changed_when: var_log_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
when:
- required_mount in mount_names
vars:
required_mount: '/var/log'
when:
- rhel9cis_rule_1_1_11
tags:
- level2-server
- level2-workstation
- scored
- audit
- mounts
- rule_1.1.11
- skip_ansible_lint
- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit"
block:
- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_audit_mount_absent
changed_when: var_log_audit_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
when:
- required_mount in mount_names
vars:
required_mount: '/var/log/audit'
when:
- rhel9cis_rule_1_1_12
tags:
- level2-server
- level2-workstation
- scored
- audit
- mounts
- rule_1.1.12
- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home"
block:
- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: home_mount_absent
changed_when: home_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: home_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/home'
when:
- rhel9cis_rule_1_1_13
tags:
- level2-server
- level2-workstation
- scored
- audit
- mounts
- rule_1.1.13
- skip_ansible_lint
- name: "1.1.14 | L1 | PATCH | Ensure nodev option set on /home partition | skips if mount absent"
mount:
name: /home
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_14 %}nodev{% endif %}
loop: "{{ ansible_mounts }}"
when:
- home_mount_present is defined
- item.mount == "/home"
- rhel9cis_rule_1_1_14
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.13
- skip_ansible_lint
- name: |
"1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent
1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent
1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent"
block:
- name: |
"1.1.15 | L1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence
1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence
1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence"
shell: mount -l | grep -E '\s/dev/shm\s'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_1_1_15_dev_shm_status
- name: |
"1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent
1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent
1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent"
mount:
name: /dev/shm
src: tmpfs
fstype: tmpfs
state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_17 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_15 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_16 %}nosuid{% endif %}
when: "'dev/shm' in rhel9cis_1_1_15_dev_shm_status.stdout"
when:
- rhel9cis_rule_1_1_15 or
rhel9cis_rule_1_1_16 or
rhel9cis_rule_1_1_17
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.15
- rule_1.1.16
- rule_1.1.17
- name: |
"1.1.18 | L1 | PATCH | Ensure nodev option set on removable media partitions"
"1.1.19 | L1 | PATCH | Ensure nosuid option set on removable media partitions"
"1.1.20 | L1 | PATCH | Ensure noexec option set on removable media partitions"
debug:
msg: "--> Not relevant"
changed_when: false
when:
- rhel9cis_rule_1_1_18 or
rhel9cis_rule_1_1_19 or
rhel9cis_rule_1_1_20
tags:
- level1-server
- level1-workstation
- notscored
- audit
- mounts
- rule_1.1.18
- rule_1.1.19
- rule_1.1.20
- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
args:
warn: false
changed_when: false
failed_when: false
when:
- rhel9cis_rule_1_1_21
tags:
- skip_ansible_lint
- level1-server
- level1-workstation
- patch
- stickybits
- permissons
- rule_1.1.21
- name: "1.1.22 | L1 | PATCH | Disable Automounting"
- name: "1.1.9 | PATCH | Disable Automounting"
service:
name: autofs
enabled: false
enabled: no
when:
- not rhel9cis_allow_autofs
- "'autofs' in ansible_facts.packages"
- rhel9cis_rule_1_1_22
- rhel9cis_rule_1_1_9
tags:
- level1-server
- level2-workstation
- automated
- patch
- mounts
- automounting
- rule_1.1.22
- rule_1.1.9
- name: "1.1.23 | L1 | PATCH | Disable USB Storage"
- name: "1.1.10 | PATCH | Disable USB Storage"
block:
- name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config"
- name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
create: yes
owner: root
group: root
mode: 0600
- name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config"
- name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config"
modprobe:
name: usb-storage
state: absent
when:
- rhel9cis_rule_1_1_23
- rhel9cis_rule_1_1_10
tags:
- level1-server
- level2-workstation
- automated
- patch
- mounts
- removable_storage
- rule_1.1.23
- rule_1.1.10

6
tasks/section_1/cis_1.10.yml
View file

@ -1,17 +1,17 @@
---
- name: "1.10 | L1 | PATCH | Ensure system-wide crypto policy is not legacy"
- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
shell: |
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
update-crypto-policies
args:
warn: false
notify: change_requires_reboot
when:
- rhel9cis_rule_1_10
- system_wide_crypto_policy['stdout'] == 'LEGACY'
tags:
- level1-server
- level1-workstation
- automated
- no system_is_ec2
- patch
- rule_1.10

17
tasks/section_1/cis_1.11.yml
View file

@ -1,17 +0,0 @@
---
- name: "1.11 | L2 | PATCH | Ensure system-wide crypto policy is FUTURE or FIPS"
shell: |
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
update-crypto-policies
args:
warn: false
when:
- rhel9cis_rule_1_11
- system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies
tags:
- level2-server
- level2-workstation
- not system_is_ec2
- patch
- rule_1.11

70
tasks/section_1/cis_1.2.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "1.2.1 | L1 | PATCH | Ensure Red Hat Subscription Manager connection is configured"
- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured"
redhat_subscription:
state: present
username: "{{ rhel9cis_rh_sub_user }}"
@ -14,90 +14,74 @@
tags:
- level1-server
- level1-workstation
- notscored
- manual
- patch
- rule_1.2.1
- skip_ansible_lint # Added as no_log still errors on ansuible-lint
- name: "1.2.2 | L1 | PATCH | Disable the rhnsd Daemon"
service:
name: rhnsd
state: stopped
enabled: false
masked: true
- name: "1.2.2 | AUDIT | Ensure GPG keys are configured"
shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\""
changed_when: false
when:
- ansible_distribution == "RedHat"
- rhnsd_service_status.stdout == "loaded" and not rhel9cis_rhnsd_required
- rhel9cis_rule_1_2_2
tags:
- level1-server
- level1-workstation
- notscored
- patch
- rule_1.2.2
- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"
args:
warn: false
when:
- rhel9cis_rule_1_2_3
- ansible_distribution == "RedHat" or
ansible_distribution == "Rocky"
tags:
- level1-server
- level1-workstation
- notscored
- manual
- patch
- rule_1.2.3
- rule_1.2.2
- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated"
- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated"
block:
- name: "1.2.4 | L1 | AUDIT | Ensure gpgcheck is globally activated | Find repos"
- name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos"
find:
paths: /etc/yum.repos.d
patterns: "*.repo"
register: yum_repos
changed_when: false
- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
- name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
replace:
name: "{{ item.path }}"
regexp: "^gpgcheck=0"
regexp: '^gpgcheck\s+=\s+0'
replace: "gpgcheck=1"
with_items:
- "{{ yum_repos.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_1_2_4
- rhel9cis_rule_1_2_3
tags:
- level1-server
- level1-workstation
- scored
- automated
- patch
- rule_1.2.4
- rule_1.2.3
- name: "1.2.5 | L1 | Ensure package manager repositories are configured"
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured"
block:
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list"
shell: dnf repolist
args:
warn: false
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
command: dnf repolist
changed_when: false
failed_when: false
register: dnf_configured
check_mode: false
check_mode: no
args:
warn: false
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list"
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
debug:
msg:
- "Alert! Below are the configured repos. Please review and make sure all align with site policy"
- "{{ dnf_configured.stdout_lines }}"
when:
- rhel9cis_rule_1_2_5
- rhel9cis_rule_1_2_4
tags:
- level1-server
- level1-workstation
- notscored
- patch
- rule_1.2.5
- manual
- audit
- rule_1.2.4
- skip_ansible_lint

61
tasks/section_1/cis_1.3.x.yml
View file

@ -1,44 +1,51 @@
---
- name: "1.3.1 | L1 | PATCH | Ensure sudo is installed"
package:
name: sudo
state: present
- name: "1.3.1 | PATCH | Ensure AIDE is installed"
block:
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE"
package:
name: aide
state: present
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
changed_when: false
failed_when: false
async: 45
poll: 0
args:
creates: /var/lib/aide/aide.db.gz
when: not ansible_check_mode
when:
- rhel9cis_config_aide
- rhel9cis_rule_1_3_1
tags:
- level1-server
- level1-workstation
- scored
- sudo
- automated
- aide
- patch
- rule_1.3.1
- name: "1.3.2 | L1 | PATCH | Ensure sudo commands use pty"
lineinfile:
dest: /etc/sudoers
line: "Defaults use_pty"
state: present
- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
cron:
name: Run AIDE integrity check
cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}"
user: "{{ rhel9cis_aide_cron['cron_user'] }}"
minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}"
hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}"
day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}"
month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}"
weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}"
job: "{{ rhel9cis_aide_cron['aide_job'] }}"
when:
- rhel9cis_rule_1_3_2
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- scored
- automated
- aide
- file_integrity
- patch
- rule_1.3.2
- name: "1.3.3 | L1 | PATCH | Ensure sudo log file exists"
lineinfile:
dest: /etc/sudoers
regexp: '^Defaults logfile='
line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"'
state: present
when:
- rhel9cis_rule_1_3_3
tags:
- level1-server
- level1-workstation
- scored
- patch
- rule_1.3.3

85
tasks/section_1/cis_1.4.x.yml
View file

@ -1,47 +1,72 @@
---
- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed"
block:
- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Install AIDE"
package:
name: aide
state: present
- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE"
shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
args:
warn: false
creates: /var/lib/aide/aide.db.gz
changed_when: false
failed_when: false
async: 45
poll: 0
when: not ansible_check_mode
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
copy:
dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"
owner: root
group: root
mode: 0600
notify: grub2cfg
when:
- rhel9cis_config_aide
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- level1-server
- level1-workstation
- scored
- aide
- automated
- grub
- patch
- rule_1.4.1
- name: "1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked"
template:
src: aide.cron.j2
dest: /etc/cron.d/aide.cron
owner: root
group: root
mode: 0644
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
file:
path: /boot/grub2/grub.cfg
owner: root
group: root
mode: 0600
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI"
mount:
name: /boot/efi
src: "UUID={{ item.uuid }}"
fstype: vfat
state: present
opts: defaults,umask=0027,fmask=0077,uid=0,gid=0
passno: '0'
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- not rhel9cis_legacy_boot
- item.mount == "/boot/efi"
when:
- rhel9cis_rule_1_4_2
tags:
- level1-server
- level1-workstation
- scored
- aide
- file_integrity
- automated
- grub
- patch
- rule_1.4.2
- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode"
lineinfile:
path: /etc/systemd/system/rescue.service.d/00-require-auth.conf
regexp: '^ExecStart='
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
create: yes
owner: root
group: root
mode: 0644
when:
- rhel9cis_rule_1_4_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_1.4.3

73
tasks/section_1/cis_1.5.x.yml
View file

@ -1,76 +1,47 @@
---
- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured"
block:
- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured"
file:
path: "{{ grub_cfg.stat.lnk_source }}"
owner: root
group: root
mode: 0600
- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured | UEFI"
mount:
name: /boot/efi
src: "UUID={{ item.uuid }}"
fstype: vfat
state: present
opts: defaults,umask=0027,fmask=0077,uid=0,gid=0
passno: '0'
loop: "{{ ansible_mounts }}"
when:
- not rhel9cis_legacy_boot
- item.mount == "/boot/efi"
- name: "1.5.1 | PATCH | Ensure core dump storage is disabled"
lineinfile:
path: /etc/systemd/coredump.conf
regexp: '^Storage\s*=\s*(?!none).*'
line: 'Storage=none'
notify: systemd_daemon_reload
when:
- rhel9cis_rule_1_5_1
- grub_cfg.stat.exists
- grub_cfg.stat.islnk
- systemd_coredump.stat.exists
tags:
- level1-server
- level1-workstation
- scored
- grub
- automated
- patch
- rule_1.5.1
- name: "1.5.2 | L1 | PATCH | Ensure bootloader password is set"
copy:
dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"
owner: root
group: root
mode: 0600
notify: grub2cfg
- name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled"
lineinfile:
path: /etc/systemd/coredump.conf
regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
line: 'ProcessSizeMax=0'
when:
- rhel9cis_set_boot_pass
- grub_pass is defined and grub_pass.passhash is defined
- grub_pass.passhash | length > 0
- rhel9cis_rule_1_5_2
tags:
- level1-server
- level1-workstation
- scored
- grub
- automated
- patch
- sysctl
- rule_1.5.2
- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode"
block:
- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Emergency service"
lineinfile:
dest: /usr/lib/systemd/system/emergency.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency'
- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Rescue service"
lineinfile:
dest: /usr/lib/systemd/system/rescue.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
notify:
- update sysctl
when:
- rhel9cis_rule_1_5_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- sysctl
- rule_1.5.3

118
tasks/section_1/cis_1.6.1.x.yml Normal file
View file

@ -0,0 +1,118 @@
---
- name: "1.6.1.1 | PATCH | Ensure SELinux is installed"
package:
name: libselinux
state: present
when:
- rhel9cis_rule_1_6_1_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_1.6.1.1
- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
replace:
dest: /etc/default/grub
regexp: '(selinux|enforcing)\s*=(\s0|0).*'
replace: ''
register: selinux_grub_patch
ignore_errors: yes
notify: grub2cfg
when:
- rhel9cis_rule_1_6_1_2
tags:
- level1-server
- level1-workstation
- scored
- patch
- rule_1.6.1.2
# State set to enforcing because control 1.6.1.5 requires enforcing to be set
- name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured"
selinux:
conf: /etc/selinux/config
policy: "{{ rhel9cis_selinux_pol }}"
state: enforcing
when:
- not rhel9cis_selinux_disable
- rhel9cis_rule_1_6_1_3
tags:
- level1-server
- level1-workstation
- automated
- selinux
- patch
- rule_1.6.1.3
- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing"
selinux:
conf: /etc/selinux/config
policy: "{{ rhel9cis_selinux_pol }}"
state: enforcing
when:
- not rhel9cis_selinux_disable
- rhel9cis_rule_1_6_1_4
tags:
- level2-server
- level2-workstation
- automated
- selinux
- patch
- rule_1.6.1.4
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist"
block:
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
register: rhelcis_1_6_1_5_unconf_services
failed_when: false
changed_when: false
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services"
debug:
msg: "Good News! There are no services found on your system"
when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
debug:
msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"
when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
when:
- rhel9cis_rule_1_6_1_5
tags:
- level1-server
- level1-workstation
- automated
- audit
- services
- rule_1.6.1.5
- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed"
package:
name: setroubleshoot
state: absent
when:
- rhel9cis_rule_1_6_1_6
- "'setroubleshoot' in ansible_facts.packages"
tags:
- level1-server
- automated
- selinux
- patch
- rule_1.6.1.6
- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
package:
name: mcstrans
state: absent
when:
- rhel9cis_rule_1_6_1_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_1.6.1.7

54
tasks/section_1/cis_1.6.x.yml
View file

@ -1,54 +0,0 @@
---
- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted"
block:
- name: "1.6.1 | L1 | Ensure core dumps are restricted | Update limits.conf file"
lineinfile:
state: present
dest: /etc/security/limits.conf
regexp: '^#?\\*.*core'
line: '* hard core 0'
insertbefore: '^# End of file'
- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | Set active kernel parameter"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | if systemd coredump"
lineinfile:
path: /etc/systemd/coredump.conf
regexp: "{{ item.regexp }}"
line: "{{ item.regexp }}{{ item.line }}"
state: present
with_items:
- {'regexp': 'Storage=', 'line': 'none'}
- {'regexp': 'ProcessSizeMax=', 'line': '0'}
notify:
- systemd_daemon_reload
when:
- systemd_coredump.stat.exists
when:
- rhel9cis_rule_1_6_1
tags:
- level1-server
- level1-workstation
- scored
- sysctl
- patch
- rule_1.6.1
- name: "1.6.2 | L1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
when:
- rhel9cis_rule_1_6_2
tags:
- level1-server
- level1-workstation
- scored
- patch
- rule_1.6.2

117
tasks/section_1/cis_1.7.1.x.yml
View file

@ -1,117 +0,0 @@
---
- name: "1.7.1.1 | L2 | PATCH | Ensure SELinux is installed"
package:
name: libselinux
state: present
when:
- rhel9cis_rule_1_7_1_1
tags:
- level2-server
- level2-workstation
- scored
- patch
- rule_1.7.1.1
- name: "1.7.1.2 | L2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
replace:
dest: /etc/default/grub
regexp: '(selinux|enforcing)\s*=\s*0\s*'
replace: ''
register: selinux_grub_patch
ignore_errors: true
notify: grub2cfg
when:
- rhel9cis_rule_1_7_1_2
tags:
- level2-server
- level2-workstation
- scored
- patch
- rule_1.7.1.2
- name: "1.7.1.3 | L2 | PATCH | Ensure SELinux policy is configured"
selinux:
conf: /etc/selinux/config
policy: "{{ rhel9cis_selinux_pol }}"
state: enforcing
when:
- not rhel9cis_selinux_disable
- rhel9cis_rule_1_7_1_3
tags:
- level2-server
- level2-workstation
- scored
- selinux
- patch
- rule_1.7.1.3
- name: "1.7.1.4 | L2 | PATCH | Ensure the SELinux state is enforcing"
selinux:
conf: /etc/selinux/config
policy: "{{ rhel9cis_selinux_pol }}"
state: enforcing
when:
- not rhel9cis_selinux_disable
- rhel9cis_rule_1_7_1_4
tags:
- level2-server
- level2-workstation
- scored
- selinux
- patch
- rule_1.7.1.4
- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist"
block:
- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons"
shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
args:
warn: false
register: rhelcis_1_7_1_5_unconf_daemons
failed_when: false
changed_when: false
- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones"
debug:
msg: "Good News! There are no unconfined daemons found on your system"
when: rhelcis_1_7_1_5_unconf_daemons.stdout | length == 0
- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones"
debug:
msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}"
when: rhelcis_1_7_1_5_unconf_daemons.stdout | length > 0
when:
- rhel9cis_rule_1_7_1_5
tags:
- level2-server
- level2-workstation
- audit
- rule_1.7.1.5
- name: "1.7.1.6 | L2 | PATCH | Ensure SETroubleshoot is not installed"
package:
name: setroubleshoot
state: absent
when:
- rhel9cis_rule_1_7_1_6
- "'setroubleshoot' in ansible_facts.packages"
tags:
- level2-server
- scored
- selinux
- patch
- rule_1.7.1.6
- name: "1.7.1.7 | L2 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
package:
name: mcstrans
state: absent
when:
- rhel9cis_rule_1_7_1_7
tags:
- level2-server
- level2-workstation
- scored
- patch
- rule_1.7.1.7

42
tasks/section_1/cis_1.8.1.x.yml → tasks/section_1/cis_1.7.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "1.8.1.1 | L1 | PATCH | Ensure message of the day is configured properly"
- name: "1.7.1 | PATCH | Ensure message of the day is configured properly"
template:
src: etc/motd.j2
dest: /etc/motd
@ -8,15 +8,16 @@
group: root
mode: 0644
when:
- rhel9cis_rule_1_8_1_1
- rhel9cis_rule_1_7_1
tags:
- level1-server
- level1-workstation
- automated
- banner
- patch
- rule_1.8.1.1
- rule_1.7.1
- name: "1.8.1.2 | L1 | PATCH | Ensure local login warning banner is configured properly"
- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
template:
src: etc/issue.j2
dest: /etc/issue
@ -24,14 +25,15 @@
group: root
mode: 0644
when:
- rhel9cis_rule_1_8_1_2
- rhel9cis_rule_1_7_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_1.8.1.2
- rule_1.7.2
- name: "1.8.1.3 | L1 | PATCH | Ensure remote login warning banner is configured properly"
- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
template:
src: etc/issue.net.j2
dest: /etc/issue.net
@ -39,15 +41,16 @@
group: root
mode: 0644
when:
- rhel9cis_rule_1_8_1_3
- rhel9cis_rule_1_7_3
tags:
- level1-server
- level1-workstation
- automated
- banner
- patch
- rule_1.8.1.3
- rule_1.7.3
- name: "1.8.1.4 | L1 | PATCH | Ensure permissions on /etc/motd are configured"
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
file:
dest: /etc/motd
state: file
@ -55,15 +58,16 @@
group: root
mode: 0644
when:
- rhel9cis_rule_1_8_1_4
- rhel9cis_rule_1_7_4
tags:
- level1-server
- level1-workstation
- automated
- perms
- patch
- rule_1.8.1.4
- rule_1.7.4
- name: "1.8.1.5 | L1 | PATCH | Ensure permissions on /etc/issue are configured"
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
file:
dest: /etc/issue
state: file
@ -71,15 +75,16 @@
group: root
mode: 0644
when:
- rhel9cis_rule_1_8_1_5
- rhel9cis_rule_1_7_5
tags:
- level1-server
- level1-workstation
- automated
- perms
- patch
- rule_1.8.1.5
- rule_1.7.5
- name: "1.8.1.6 | L1 | PATCH | Ensure permissions on /etc/issue.net are configured"
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
file:
dest: /etc/issue.net
state: file
@ -87,10 +92,11 @@
group: root
mode: 0644
when:
- rhel9cis_rule_1_8_1_6
- rhel9cis_rule_1_7_6
tags:
- level1-server
- level1-workstation
- automated
- perms
- patch
- rule_1.8.1.6
- rule_1.7.6

27
tasks/section_1/cis_1.8.2.yml
View file

@ -1,27 +0,0 @@
---
- name: "1.8.2 | L1 | PATCH | Ensure GDM login banner is configured"
lineinfile:
dest: "{{ item.file }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
create: true
owner: root
group: root
mode: 0644
with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
- { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " }
when:
- rhel9cis_gui
- rhel9cis_rule_1_8_2
tags:
- level1-server
- level1-workstation
- patch
- rule_1.8.2

111
tasks/section_1/cis_1.8.x.yml Normal file
View file

@ -0,0 +1,111 @@
---
- name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed"
package:
name: gdm
state: absent
when:
- rhel9cis_rule_1_8_1
- "'gdm' in ansible_facts.packages"
tags:
- level2-server
- automated
- patch
- gui
- gdm
- rule_1.8.1
- name: "1.8.2 | PATCH | Ensure GDM login banner is configured"
lineinfile:
path: "{{ item.file }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
create: yes
owner: root
group: root
mode: 0644
notify: reload dconf
with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
- { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " }
when:
- rhel9cis_rule_1_8_2
- rhel9cis_gui
tags:
- level1-server
- level1-workstation
- automated
- patch
- gui
- gdm
- rule_1.8.2
- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled"
lineinfile:
path: "{{ item.file }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
create: yes
owner: root
group: root
mode: 0644
notify: reload dconf
with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
- { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'}
- { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
- { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' }
when:
- rhel9cis_rule_1_8_3
- rhel9cis_gui
tags:
- level1-server
- level1-workstation
- automated
- patch
- gui
- rule_1.8.3
- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled"
lineinfile:
path: /etc/gdm/custom.conf
regexp: 'Enable=true'
state: absent
when:
- rhel9cis_rule_1_8_4
- rhel9cis_gui
tags:
- level1-server
- level1-workstation
- automated
- patch
- gui
- rule_1.8.4
- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled"
lineinfile:
path: /etc/dconf/db/local.d/00-media-automount
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
create: yes
notify: reload dconf
with_items:
- { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
- { regex: 'automount=', line: 'automount=false' }
- { regex: 'automount-open=', line: 'automount-open=false'}
when:
- rhel9cis_rule_1_8_5
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- automated
- patch
- gui
- rule_1.8.5

4
tasks/section_1/cis_1.9.yml
View file

@ -1,15 +1,17 @@
---
- name: "1.9 | L1 | PATCH | Ensure updates, patches, and additional security software are installed"
- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed"
package:
name: "*"
state: latest
notify: change_requires_reboot
when:
- rhel9cis_rule_1_9
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_1.9
- skip_ansible_lint

59
tasks/section_1/main.yml
View file

@ -1,42 +1,59 @@
---
- name: "SECTION | 1.1 | FileSystem Configurations\n
SECTION | 1.1.1.x | Disable unused filesystems"
- name: "SECTION | 1.1.1.x | Disable unused filesystems"
import_tasks: cis_1.1.1.x.yml
- import_tasks: cis_1.1.x.yml
- name: "SECTION | 1.1.2.x | Configure /tmp"
import_tasks: cis_1.1.2.x.yml
- name: "SECTION | 1.1.3.x | Configure /var"
import_tasks: cis_1.1.3.x.yml
- name: "SECTION | 1.1.4.x | Configure /var/tmp"
import_tasks: cis_1.1.4.x.yml
- name: "SECTION | 1.1.5.x | Configure /var/log"
import_tasks: cis_1.1.5.x.yml
- name: "SECTION | 1.1.6.x | Configure /var/log/audit"
import_tasks: cis_1.1.6.x.yml
- name: "SECTION | 1.1.7.x | Configure /home"
import_tasks: cis_1.1.7.x.yml
- name: "SECTION | 1.1.8.x | Configure /dev/shm"
import_tasks: cis_1.1.8.x.yml
- name: "SECTION | 1.1.x | Disable various mounting"
import_tasks: cis_1.1.x.yml
- name: "SECTION | 1.2 | Configure Software Updates"
import_tasks: cis_1.2.x.yml
- name: "SECTION | 1.3 | Configure sudo"
- name: "SECTION | 1.3 | Filesystem Integrity Checking"
import_tasks: cis_1.3.x.yml
- name: "SECTION | 1.4 | Filesystem Integrity"
include_tasks: cis_1.4.x.yml
when: rhel9cis_config_aide
- name: "SECTION | 1.5 | Secure Boot Settings"
- name: "SECTION | 1.4 | Secure Boot Settings"
import_tasks: cis_1.4.x.yml
- name: "SECTION | 1.5 | Additional Process Hardening"
import_tasks: cis_1.5.x.yml
- name: "SECTION | 1.6 | Additional Process Hardening"
import_tasks: cis_1.6.x.yml
- name: "SECTION | 1.7 | bootloader and Mandatory Access Control"
include_tasks: cis_1.7.1.x.yml
- name: "SECTION | 1.6 | Mandatory Access Control"
include_tasks: cis_1.6.1.x.yml
when: not rhel9cis_selinux_disable
- name: "SECTION | 1.8 | Warning Banners"
import_tasks: cis_1.8.1.x.yml
- name: "SECTION | 1.7 | Command Line Warning Banners"
import_tasks: cis_1.7.x.yml
- name: "SECTION | 1.9 | Updated and Patches"
- name: "SECTION | 1.8 | Gnome Display Manager"
import_tasks: cis_1.8.x.yml
- name: "SECTION | 1.9 | Updates and Patches"
import_tasks: cis_1.9.yml
- name: "SECTION | 1.10 | Crypto policies"
include_tasks: cis_1.10.yml
when:
- not system_is_ec2
- name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies"
include_tasks: cis_1.11.yml
when:
- not system_is_ec2

14
tasks/section_2/cis_2.1.1.yml
View file

@ -1,14 +0,0 @@
---
- name: "2.1.1 | L1 | PATCH | Ensure xinetd is not installed"
package:
name: xinetd
state: absent
when:
- rhel9cis_rule_2_1_1
tags:
- level1-server
- level1-workstation
- scored
- patch
- rule_2.1.1

41
tasks/section_2/cis_2.1.x.yml Normal file
View file

@ -0,0 +1,41 @@
---
- name: "2.1.1 | PATCH | Ensure time synchronization is in use"
package:
name: chrony
state: present
when:
- rhel9cis_rule_2_1_1
- not system_is_container
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_2.1.1
- name: "2.1.2 | PATCH | Ensure chrony is configured"
block:
- name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration"
template:
src: etc/chrony.conf.j2
dest: /etc/chrony.conf
owner: root
group: root
mode: 0644
- name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
lineinfile:
path: /etc/sysconfig/chronyd
regexp: "^(#)?OPTIONS"
line: "OPTIONS=\"-u chrony\""
create: yes
mode: 0644
when:
- rhel9cis_rule_2_1_2
- not system_is_container
tags:
- level1-server
- level1-workstation
- patch
- rule_2.1.2

42
tasks/section_2/cis_2.2.1.x.yml
View file

@ -1,42 +0,0 @@
---
- name: "2.2.1.1 | L1 | PATCH | Ensure time synchronization is in use - service install"
package:
name: "{{ rhel9cis_time_synchronization }}"
state: present
when:
- rhel9cis_rule_2_2_1_1
- not system_is_container
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.1.1
- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured"
block:
- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | Set configuration"
template:
src: chrony.conf.j2
dest: /etc/chrony.conf
owner: root
group: root
mode: 0644
- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
lineinfile:
dest: /etc/sysconfig/chronyd
regexp: "^(#)?OPTIONS"
line: "OPTIONS=\"-u chrony\""
state: present
create: true
mode: 0644
when:
- rhel9cis_time_synchronization == "chrony"
- rhel9cis_rule_2_2_1_2
- not system_is_container
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.1.2

558
tasks/section_2/cis_2.2.x.yml
View file

@ -1,86 +1,228 @@
---
- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed"
block:
- name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages"
shell: rpm -qa | grep xorg-x11
args:
warn: false
failed_when: xorg_x11_installed.rc >=2
check_mode: false
changed_when: false
register: xorg_x11_installed
- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found"
shell: "dnf remove {{ item }}"
args:
warn: false
with_items:
- xorg_x11_installed.stdout_lines
when: xorg_x11_installed.stdout | length > 0
- name: "2.2.1 | PATCH | Ensure xinetd is not installed"
package:
name: xinetd
state: absent
when:
- not rhel9cis_xwindows_required
- rhel9cis_rule_2_2_2
- rhel9cis_rule_2_2_1
- not rhel9cis_xinetd_server
- "'xinetd' in ansible_facts.packages"
tags:
- level1-server
- scored
- xwindows
- level1-workstation
- automated
- patch
- rule_2.2.1
- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed"
package:
name: xorg-x11-server-common
state: absent
when:
- rhel9cis_rule_2_2_2
- "'xorg-x11-server-common' in ansible_facts.packages"
tags:
- level1-server
- automated
- patch
- x11
- rule_2.2.2
- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled "
service:
name: rsyncd
state: stopped
enabled: false
- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed"
package:
name:
- avahi-autoipd
- avahi
state: absent
when:
- not rhel9cis_rsyncd_server
- "'rsyncd' in ansible_facts.packages"
- rhel9cis_rule_2_2_3
- not rhel9cis_avahi_server
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
tags:
- level1-server
- level2-workstation
- automated
- patch
- avahi
- rule_2.2.3
- name: "2.2.4 | PATCH | Ensure CUPS is not installed"
package:
name: cups
state: absent
when:
- not rhel9cis_cups_server
- "'cups' in ansible_facts.packages"
- rhel9cis_rule_2_2_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- cups
- rule_2.2.3
- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled"
service:
name: avahi-daemon
state: stopped
enabled: false
- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
package:
name: dhcp-server
state: absent
when:
- not rhel9cis_avahi_server
- "'avahi' in ansible_facts.packages"
- rhel9cis_rule_2_2_4
tags:
- level1-server
- level1-workstation
- scored
- avahi
- services
- patch
- rule_2.2.4
- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled"
service:
name: snmpd
state: stopped
enabled: false
when:
- not rhel9cis_snmp_server
- "'net-snmp' in ansible_facts.packages"
- not rhel9cis_dhcp_server
- "'dhcp-server' in ansible_facts.packages"
- rhel9cis_rule_2_2_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- dhcp
- rule_2.2.5
- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled"
service:
- name: "2.2.6 | PATCH | Ensure DNS Server is not installed"
package:
name: bind
state: absent
when:
- not rhel9cis_dns_server
- "'bind' in ansible_facts.packages"
- rhel9cis_rule_2_2_6
tags:
- level1-server
- level1-workstation
- automated
- patch
- dns
- rule_2.2.6
- name: "2.2.7 | PATCH | Ensure FTP Server is not installed"
package:
name: ftp
state: absent
when:
- not rhel9cis_ftp_server
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- ftp
- rule_2.2.7
- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed"
package:
name: vsftpd
state: absent
when:
- not rhel9cis_vsftpd_server
- "'vsftpd' in ansible_facts.packages"
- rhel9cis_rule_2_2_8
tags:
- level1-server
- level1-workstation
- automated
- patch
- vsftpd
- rule_2.2.8
- name: "2.2.9 | PACH | Ensure TFTP Server is not installed"
package:
name: tftp-server
state: absent
when:
- not rhel9cis_tftp_server
- "'tftp-server' in ansible_facts.packages"
- rhel9cis_rule_2_2_9
tags:
- level1-server
- level1-workstation
- automated
- patch
- tftp
- rule_2.2.9
- name: "2.2.10 | PATCH | Ensure a web server is not installed"
block:
- name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server"
package:
name: httpd
state: absent
when:
- not rhel9cis_httpd_server
- "'httpd' in ansible_facts.packages"
- name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server"
package:
name: nginx
state: absent
when:
- not rhel9cis_nginx_server
- "'nginx' in ansible_facts.packages"
when:
- rhel9cis_rule_2_2_10
tags:
- level1-server
- level1-workstation
- automated
- patch
- httpd
- nginx
- webserver
- rule_2.2.9
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
block:
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
package:
name:
- dovecot
state: absent
when:
- not rhel9cis_dovecot_server
- "'dovecot' in ansible_facts.packages"
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
package:
name:
- cyrus-imapd
state: absent
when:
- not rhel9cis_imap_server
- "'cyrus-imapd' in ansible_facts.packages"
when:
- rhel9cis_rule_2_2_11
tags:
- level1-server
- level1-workstation
- automated
- patch
- dovecot
- imap
- pop3
- rule_2.2.11
- name: "2.2.12 | PATCH | Ensure Samba is not enabled"
package:
name: samba
state: absent
when:
- not rhel9cis_samba_server
- "'samba' in ansible_facts.packages"
- rhel9cis_rule_2_2_12
tags:
- level1-server
- level1-workstation
- automated
- patch
- samba
- rule_2.2.12
- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed"
package:
name: squid
state: stopped
enabled: false
state: absent
when:
- not rhel9cis_squid_server
- "'squid' in ansible_facts.packages"
@ -88,179 +230,31 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_2.2.6
- squid
- rule_2.2.13
- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled"
service:
name: smb
state: stopped
enabled: false
- name: "2.2.14 | PATCH | Ensure net-snmp is not installed"
package:
name: net-snmp
state: absent
when:
- not rhel9cis_smb_server
- "'samba' in ansible_facts.packages"
- rhel9cis_rule_2_2_7
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.7
- name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled"
service:
name: dovecot
state: stopped
enabled: false
when:
- not rhel9cis_dovecot_server
- "'dovecot' in ansible_facts.packages"
- rhel9cis_rule_2_2_8
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.8
- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled"
service:
name: httpd
state: stopped
enabled: false
when:
- not rhel9cis_httpd_server
- "'httpd' in ansible_facts.packages"
- rhel9cis_rule_2_2_9
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.9
- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled"
service:
name: vsftpd
state: stopped
enabled: false
when:
- not rhel9cis_vsftpd_server
- "'vsftpd' in ansible_facts.packages"
- rhel9cis_rule_2_2_10
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.10
- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled"
service:
name: named
state: stopped
enabled: false
when:
- not rhel9cis_named_server
- "'bind' in ansible_facts.packages"
- rhel9cis_rule_2_2_11
tags:
- level1-server
- level1-workstation
- patch
- rule_2.2.11
- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled"
service:
name: nfs-server
state: stopped
enabled: false
when:
- not rhel9cis_nfs_rpc_server
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_2_12
tags:
- level1-server
- level1-workstation
- scored
- nfs
- services
- patch
- rule_2.2.12
- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled"
service:
name: rpcbind
state: stopped
enabled: false
when:
- not rhel9cis_nfs_rpc_server
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_2_13
tags:
- level1-server
- level1-workstation
- scored
- rpc
- services
- patch
- rule_2.2.7
- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled"
service:
name: slapd
state: stopped
enabled: false
when:
- not rhel9cis_ldap_server
- "'openldap-servers' in ansible_facts.packages"
- not rhel9cis_snmp_server
- "'net-snmp' in ansible_facts.packages"
- rhel9cis_rule_2_2_14
tags:
- level1-server
- level1-workstation
- scored
- ldap
- services
- automated
- patch
- rule_2.2.6
- snmp
- rule_2.2.14
- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled"
service:
name: dhcpd
state: stopped
enabled: false
when:
- not rhel9cis_dhcp_server
- "'dhcp' in ansible_facts.packages"
- rhel9cis_rule_2_2_15
tags:
- level1-server
- level1-workstation
- scored
- dhcp
- services
- patch
- rule_2.2.15
- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled"
service:
name: cups
state: stopped
enabled: false
when:
- not rhel9cis_cups_server
- "'cups' in ansible_facts.packages"
- rhel9cis_rule_2_2_16
tags:
- level1-server
- level2-workstation
- scored
- cups
- services
- patch
- rule_2.2.16
- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled"
service:
- name: "2.2.15 | PATCH | Ensure NIS Server is not installed"
package:
name: ypserv
state: stopped
enabled: false
state: absent
when:
- not rhel9cis_nis_server
- "'ypserv' in ansible_facts.packages"
@ -268,21 +262,135 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- nis
- rule_2.2.17
- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode"
- name: "2.2.16 | PATCH | Ensure telnet-server is not installed"
package:
name: telnet-server
state: absent
when:
- not rhel9cis_telnet_server
- "'telnet-server' in ansible_facts.packages"
- rhel9cis_rule_2_2_16
tags:
- level1-server
- level1-workstation
- automated
- patch
- telnet
- rule_2.2.16
- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode"
lineinfile:
dest: /etc/postfix/main.cf
path: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = loopback-only"
notify: restart postfix
when:
- not rhel9cis_is_mail_server
- "'postfix' in ansible_facts.packages"
- rhel9cis_rule_2_2_17
tags:
- level1-server
- level1-workstation
- automated
- patch
- postfix
- rule_2.2.17
# The name title of the service says mask the service, but the fix allows for both options
# Options available in default/main if to remove the package default is false just mask the server service
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
block:
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package"
package:
name: nfs-utils
state: absent
when:
- not rhel9cis_use_nfs_server
- not rhel9cis_use_nfs_service
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service"
systemd:
name: nfs-server
masked: true
state: stopped
when:
- not rhel9cis_use_nfs_server
- rhel9cis_use_nfs_service
when:
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_2_18
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_2.2.1
- nfs
- services
- rule_2.2.18
# The name title of the service says mask the service, but the fix allows for both options
# Options available in default/main if to remove the package default is false just mask the server service
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
block:
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package"
package:
name: rpcbind
state: absent
when:
- not rhel9cis_use_rpc_server
- not rhel9cis_use_rpc_service
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
systemd:
name: rpcbind.socket
masked: true
state: stopped
when:
- rhel9cis_use_rpc_server
- not rhel9cis_use_rpc_service
when:
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_2_19
tags:
- level1-server
- level1-workstation
- automated
- patch
- rpc
- rule_2.2.19
# The name title of the service says mask the service, but the fix allows for both options
# Options available in default/main if to remove the package default is false just mask the server service
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled "
block:
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package"
package:
name: rsync
state: absent
when:
- not rhel9cis_use_rsync_server
- not rhel9cis_use_rsync_service
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service"
systemd:
name: rsyncd
masked: true
state: stopped
when:
- rhel9cis_use_rsync_server
- not rhel9cis_use_rsync_service
when:
- "'rsync' in ansible_facts.packages"
- rhel9cis_rule_2_2_20
tags:
- level1-server
- level1-workstation
- automated
- patch
- rsync
- rule_2.2.20

68
tasks/section_2/cis_2.3.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "2.3.1 | L1 | PATCH | Ensure NIS Client is not installed"
- name: "2.3.1 | PATCH | Ensure NIS Client is not installed"
package:
name: ypbind
state: absent
@ -11,33 +11,87 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- nis
- rule_2.3.1
- name: "2.3.2 | L1 | PATCH | Ensure telnet client is not installed"
- name: "2.3.2 | PATCH | Ensure rsh client is not installed"
package:
name: rsh
state: absent
when:
- not rhel9cis_rsh_required
- "'rsh' in ansible_facts.packages"
- rhel9cis_rule_2_3_2
tags:
- level1-server
- level2-server
- automated
- patch
- rsh
- rule_2.3.2
- name: "2.3.3 | PATCH | Ensure talk client is not installed"
package:
name: talk
state: absent
when:
- not rhel9cis_talk_required
- "'talk' in ansible_facts.packages"
- rhel9cis_rule_2_3_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- talk
- rule_2.3.3
- name: "2.3.4 | PATCH | Ensure telnet client is not installed"
package:
name: telnet
state: absent
when:
- not rhel9cis_telnet_required
- "'telnet' in ansible_facts.packages"
- rhel9cis_rule_2_3_2
- rhel9cis_rule_2_3_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_2.3.2
- telnet
- rule_2.3.4
- name: "2.3.3 | L1 | PATCH | Ensure LDAP client is not installed"
- name: "2.3.5 | PATCH | Ensure LDAP client is not installed"
package:
name: openldap-clients
state: absent
when:
- not rhel9cis_openldap_clients_required
- "'openldap-clients' in ansible_facts.packages"
- rhel9cis_rule_2_3_3
- rhel9cis_rule_2_3_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_2.3.3
- ldap
- rule_2.3.5
- name: "2.3.6 | PATCH | Ensure TFTP client is not installed"
package:
name: tftp
state: absent
when:
- not rhel9cis_tftp_client
- "'tftp' in ansible_facts.packages"
- rhel9cis_rule_2_3_6
tags:
- level1-server
- level1-workstation
- automated
- patch
- tftp
- rule_2.3.6

26
tasks/section_2/cis_2.4.yml Normal file
View file

@ -0,0 +1,26 @@
---
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked"
block:
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services"
shell: systemctl list-units --type=service
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_2_4_services
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
debug:
msg:
- "Alert! Below are the list of services, both active and inactive"
- "Please review to make sure all are essential"
- "{{ rhel9cis_2_4_services.stdout_lines }}"
when:
- rhel9cis_rule_2_4
tags:
- level1-server
- level1-workstation
- manual
- audit
- services
- rule_2.4

10
tasks/section_2/main.yml
View file

@ -1,13 +1,13 @@
---
- name: "SECTION | 2.1 | xinetd"
import_tasks: cis_2.1.1.yml
- name: "SECTION | 2.2.1 | Time Synchronization"
import_tasks: cis_2.2.1.x.yml
- name: "SECTION | 2.1 | Time Synchronization"
import_tasks: cis_2.1.x.yml
- name: "SECTION | 2.2 | Special Purpose Services"
import_tasks: cis_2.2.x.yml
- name: "SECTION | 2.3 | Service Clients"
import_tasks: cis_2.3.x.yml
- name: "SECTION | 2.4 | Nonessential services removed"
import_tasks: cis_2.4.yml

104
tasks/section_3/cis_3.1.x.yml
View file

@ -1,43 +1,91 @@
---
- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled"
block:
- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
# The CIS Control wants IPv6 disabled if not in use.
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
notify:
- update sysctl
- sysctl flush ipv6 route table
when:
- not rhel9cis_is_router
- not rhel9cis_ipv6_required
- rhel9cis_rule_3_1_1
tags:
- level1-server
- level1-workstation
- sysctl
- manual
- patch
- ipv6
- networking
- rule_3.1.1
- name: "3.1.2 | L1 | PATCH | Ensure packet redirect sending is disabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.1.2 | PATCH | Ensure SCTP is disabled"
template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: "0600"
owner: root
group: root
with_items:
- sctp
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_1_2
tags:
- level1-server
- level1-workstation
- sysctl
- level2-server
- level2-workstation
- automated
- patch
- sctp
- rule_3.1.2
- name: "3.1.3 | PATCH | Ensure DCCP is disabled"
template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: "0600"
owner: root
group: root
with_items:
- dccp
when:
- rhel9cis_rule_3_1_3
tags:
- level2-server
- level2-workstation
- automated
- dccp
- patch
- rule_3.1.3
- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled"
block:
- name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
command: rpm -q NetworkManager
changed_when: false
failed_when: false
check_mode: no
args:
warn: no
register: rhel_08_nmcli_available
- name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
command: nmcli radio wifi
register: rhel_08_wifi_enabled
changed_when: rhel_08_wifi_enabled.stdout != "disabled"
failed_when: false
when: rhel_08_nmcli_available.rc == 0
- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
command: nmcli radio all off
changed_when: false
failed_when: false
when: rhel_08_wifi_enabled is changed
when:
- rhel9cis_rule_3_1_4
tags:
- level1-server
- automated
- patch
- wireless
- rule_3.1.4

146
tasks/section_3/cis_3.2.x.yml
View file

@ -1,155 +1,45 @@
---
- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled"
block:
- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
- sysctl flush ipv6 route table
when: rhel9cis_ipv6_required
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_2_1
tags:
- level1-server
- level1-workstation
- automated
- sysctl
- patch
- rule_3.2.1
- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
block:
- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_2_2
tags:
- level1-server
- level1-workstation
- sysctl
- automated
- patch
- sysctl
- rule_3.2.2
- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_2_3
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.2.3
- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_2_4
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.2.4
- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_2_5
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.2.5
- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_2_6
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.2.6
- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_2_7
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.2.7
- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_2_8
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.2.8
- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
block:
- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
when:
- rhel9cis_ipv6_required
- rhel9cis_rule_3_2_9
tags:
- level2-server
- level2-workstation
- sysctl
- patch
- rule_3.2.9

166
tasks/section_3/cis_3.3.x.yml
View file

@ -1,61 +1,155 @@
---
- name: "3.3.1 | L2 | PATCH | Ensure DCCP is disabled"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install dccp(\\s|$)"
line: "install dccp /bin/true"
create: true
mode: 0600
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
when:
- rhel9cis_rule_3_3_1
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.1
- name: "3.3.2 | L2 | PATCH | Ensure SCTP is disabled"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install sctp(\\s|$)"
line: "install sctp /bin/true"
create: true
mode: 0600
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
block:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
when:
- rhel9cis_rule_3_3_2
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.2
- name: "3.3.3 | L2 | PATCH | Ensure RDS is disabled"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install rds(\\s|$)"
line: "install rds /bin/true"
create: true
mode: 0600
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_3
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.3
- name: "3.3.4 | L2 | PATCH | Ensure TIPC is disabled"
lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install tipc(\\s|$)"
line: "install tipc /bin/true"
create: true
mode: 0600
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_4
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.4
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.5
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.6
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_7
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.7
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl
when:
- rhel9cis_rule_3_3_8
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.8
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
block:
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify:
- update sysctl
- sysctl flush ipv4 route table
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
notify:
- sysctl flush ipv6 route table
- update sysctl
when: rhel9cis_ipv6_required
when:
- rhel9cis_ipv6_required
- rhel9cis_rule_3_3_9
tags:
- level2-server
- level2-workstation
- sysctl
- patch
- rule_3.3.9

14
tasks/section_3/cis_3.4.1.1.yml
View file

@ -1,14 +0,0 @@
---
- name: "3.4.1.1 | L1 | PATCH | Ensure a Firewall package is installed"
package:
name: "{{ rhel9cis_firewall }}"
state: present
when:
- rhel9cis_rule_3_4_1_1
- not system_is_container
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.1.1

143
tasks/section_3/cis_3.4.1.x.yml Normal file
View file

@ -0,0 +1,143 @@
---
- name: "3.4.1.1 | PATCH | Ensure firewalld is installed"
package:
name:
- firewalld
- iptables
state: present
when:
- rhel9cis_rule_3_4_1_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- firewalld
- rule_3.4.1.1
- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld"
block:
- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services"
systemd:
name: "{{ item }}"
masked: true
with_items:
- iptables
- ip6tables
when: item in ansible_facts.packages
- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg "
package:
name: iptables-services
state: absent
when:
when:
- rhel9cis_rule_3_4_1_2
- "'iptables-services' in ansible_facts.packages"
tags:
- level1-server
- level1-workstation
- automated
- patch
- firewalld
- rule_3.4.1.2
- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld"
block:
- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service"
systemd:
name: nftables
state: stopped
masked: yes
when:
- rhel9cis_firewalld_nftables_state == "masked"
- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed"
package:
name: nftables
state: absent
when:
- rhel9cis_firewalld_nftables_state == "absent"
when:
- rhel9cis_rule_3_4_1_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- firewalld
- rule_3_4_1_3
- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running"
systemd:
name: firewalld
state: started
enabled: yes
when:
- rhel9cis_rule_3_4_1_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- firewalld
- rule_3_4_1_4
- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set"
command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
when:
- rhel9cis_rule_3_4_1_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- firewalld
- rule_3.4.1.5
- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone"
block:
- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies"
shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_3_4_1_6_interfacepolicy
- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
debug:
msg:
- "The items below are the policies tied to the interfaces, please correct as needed"
- "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}"
when:
- rhel9cis_rule_3_4_1_6
tags:
- level1-server
- level1-workstation
- manual
- audit
- rule_3.4.1.6
- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports"
block:
- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_3_4_1_7_servicesport
- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
debug:
msg:
- "The items below are the services and ports that are accepted, please correct as needed"
- "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}"
when:
- rhel9cis_rule_3_4_1_7
tags:
- level1-server
- level1-workstation
- manual
- audit
- rule_3.4.1.7

341
tasks/section_3/cis_3.4.2.x.yml
View file

@ -1,108 +1,345 @@
---
- name: "3.4.2.1 | L1 | PATCH | Ensure firewalld service is enabled and running"
service:
name: firewalld
state: started
enabled: true
- name: "3.4.2.1 | PATCH | Ensure nftables is installed"
package:
name: nftables
state: present
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_3_4_2_1
- nftables
- rule_3.4.2.1
- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld"
systemd:
name: iptables
masked: true
# The control allows the service it be masked or not installed
# We have chosen not installed
- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables"
block:
- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service"
systemd:
name: firewalld
masked: true
state: stopped
when:
- rhel9cis_nftables_firewalld_state == "masked"
- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed"
package:
name: firewalld
state: absent
when:
- rhel9cis_nftables_firewalld_state == "absent"
when:
- rhel9cis_firewall == "firewalld"
- "'iptables' in ansible_facts.packages"
- rhel9cis_rule_3_4_2_2
tags:
- skip_ansible_lint
- level1-server
- level1-workstation
- automated
- patch
- rule_3_4_2_2
- nftables
- rule_3.4.2.2
- name: "3.4.2.3 | L1 | PATCH | Ensure nftables is not enabled with firewalld"
systemd:
name: nftables
enabled: false
masked: true
- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables"
block:
- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Stop services"
systemd:
name: "{{ item }}"
enabled: false
masked: true
ignore_errors: true
with_items:
- iptables
- ip6tables
- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Remove IPTables"
package:
name: iptables-service
state: absent
when:
- rhel9cis_firewall == "firewalld"
- "'nftables' in ansible_facts.packages"
- rhel9cis_rule_3_4_2_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_3_4_2_3
- nftables
- rule_3.4.2.3
- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set"
shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
args:
warn: false
- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables"
block:
- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4"
command: iptables -F
- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6"
command: ip6tables -F
when: rhel9cis_ipv6_required
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_4
- rhel9cis_firewall != "firewalld"
tags:
- level1-server
- level1-workstation
- manual
- patch
- nftables
- rule_3.4.2.4
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone"
- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists"
block:
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies"
shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
args:
warn: false
- name: "3.4.2.5 | AUDIT | Ensure a table exists | Check for tables"
command: nft list tables
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_3_4_2_5_interfacepolicy
register: rhel9cis_3_4_2_5_nft_tables
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables"
debug:
msg:
- "The items below are the policies tied to the interfaces, please correct as needed"
- "{{ rhel9cis_3_4_2_5_interfacepolicy.stdout_lines }}"
- "Below are the current nft tables, please review"
- "{{ rhel9cis_3_4_2_5_nft_tables.stdout_lines }}"
when: rhel9cis_3_4_2_5_nft_tables.stdout | length > 0
- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables"
debug:
msg:
- "Warning! You currently have no nft tables, please review your setup"
- 'Use the command "nft create table inet <table name>" to create a new table'
when:
- rhel9cis_3_4_2_5_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed"
command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
failed_when: no
when: rhel9cis_nft_tables_autonewtable
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_5
tags:
- level1-server
- level1-workstation
- audit
- automated
- patch
- nftables
- rule_3.4.2.5
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist"
block:
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
args:
warn: false
- name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT"
shell: nft list ruleset | grep 'hook input'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_3_4_2_6_servicesport
register: rhel9cis_3_4_2_6_input_chains
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
- name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
shell: nft list ruleset | grep 'hook forward'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_6_forward_chains
- name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
shell: nft list ruleset | grep 'hook output'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_6_output_chains
- name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review"
debug:
msg:
- "The items below are the services and ports that are accepted, please correct as needed"
- "{{ rhel9cis_3_4_2_6_servicesport.stdout_lines }}"
- "Below are the current INPUT chains"
- "{{ rhel9cis_3_4_2_6_input_chains.stdout_lines }}"
- "Below are the current FORWARD chains"
- "{{ rhel9cis_3_4_2_6_forward_chains.stdout_lines }}"
- "Below are teh current OUTPUT chains"
- "{{ rhel9cis_3_4_2_6_output_chains.stdout_lines }}"
when: not rhel9cis_nft_tables_autochaincreate
- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed"
shell: "{{ item }}"
args:
warn: no
failed_when: no
with_items:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
when: rhel9cis_nft_tables_autochaincreate
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_6
tags:
- level1-server
- level1-workstation
- audit
- automated
- patch
- nftables
- rule_3.4.2.6
- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured"
block:
- name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_7_iiflo
- name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_7_ipsaddr
- name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_7_ip6saddr
- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_7_iiflo.stdout'
- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ipsaddr.stdout'
- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout'
when:
- rhel9cis_rule_3_4_2_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- nftables
- rule_3.4.2.7
- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured"
block:
- name: "3.4.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules"
shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_8_inconnectionrule
- name: "3.4.2.8| AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules"
shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_8_outconnectionrule
- name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout'
- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout'
- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout'
- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
when:
- rhel9cis_rule_3_4_2_8
tags:
- level1-server
- level1-workstation
- automated
- patch
- nftables
- rule_3.4.3.5
- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy"
block:
- name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_9_inputpolicy
- name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_9_forwardpolicy
- name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_9_outputpolicy
- name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_9_sshallowcheck
- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_9_sshallowcheck.stdout'
- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_9_inputpolicy.stdout'
- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_9_forwardpolicy.stdout'
- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout'
when:
- rhel9cis_rule_3_4_2_9
tags:
- level1-server
- level1-workstation
- automated
- patch
- nftables
- rule_3.4.2.9
- name: "3.4.2.10 | PATCH | Ensure nftables service is enabled"
service:
name: nftables
enabled: yes
when:
- rhel9cis_rule_3_4_2_10
tags:
- level1-server
- level1-workstation
- automated
- patch
- nftables
- rule_3.4.3.7
- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
lineinfile:
path: /etc/sysconfig/nftables.conf
insertafter: EOF
line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
when:
- rhel9cis_rule_3_4_2_11
tags:
- level1-server
- level1-workstation
- automated
- patch
- nftables
- rule_3.4.2.11

320
tasks/section_3/cis_3.4.3.x.yml
View file

@ -1,320 +0,0 @@
---
- name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables"
shell: ip6tables -F
args:
warn: false
when:
- rhel9cis_rule_3_4_3_1
- rhel9cis_firewall != "iptables"
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.1
- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists"
block:
- name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables"
shell: nft list tables
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_2_nft_tables
- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Show existing tables"
debug:
msg:
- "Below are the current nft tables, please review"
- "{{ rhel9cis_3_4_3_2_nft_tables.stdout_lines }}"
when: rhel9cis_3_4_3_2_nft_tables.stdout | length > 0
- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Alert on no tables"
debug:
msg:
- "Warning! You currently have no nft tables, please review your setup"
- 'Use the shell "nft create table inet <table name>" to create a new table'
when:
- rhel9cis_3_4_3_2_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed"
shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
args:
warn: false
failed_when: false
when: rhel9cis_nft_tables_autonewtable
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_2
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.2
- name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist"
block:
- name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT"
shell: nft list ruleset | grep 'hook input'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_3_input_chains
- name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
shell: nft list ruleset | grep 'hook forward'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_3_forward_chains
- name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
shell: nft list ruleset | grep 'hook output'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_3_output_chains
- name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Display chains for review"
debug:
msg:
- "Below are the current INPUT chains"
- "{{ rhel9cis_3_4_3_3_input_chains.stdout_lines }}"
- "Below are the current FORWARD chains"
- "{{ rhel9cis_3_4_3_3_forward_chains.stdout_lines }}"
- "Below are teh current OUTPUT chains"
- "{{ rhel9cis_3_4_3_3_output_chains.stdout_lines }}"
when: not rhel9cis_nft_tables_autochaincreate
- name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
shell: "{{ item }}"
args:
warn: false
failed_when: false
with_items:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
when: rhel9cis_nft_tables_autochaincreate
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_3
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.3
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured"
block:
- name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_4_iiflo
- name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_4_ipsaddr
- name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_4_ip6saddr
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
args:
warn: false
when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout'
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
args:
warn: false
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout'
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
args:
warn: false
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_4
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.4
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured"
block:
- name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules"
shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_5_inconnectionrule
- name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules"
shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_5_outconnectionrule
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
args:
warn: false
when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
args:
warn: false
when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
args:
warn: false
when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
args:
warn: false
when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
args:
warn: false
when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
args:
warn: false
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_5
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.5
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy"
block:
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_inputpolicy
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_forwardpolicy
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_outputpolicy
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_sshallowcheck
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
args:
warn: false
when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
args:
warn: false
when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
args:
warn: false
when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
args:
warn: false
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_6
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.6
- name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled"
service:
name: nftables
enabled: true
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_7
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.7
- name: "3.4.3.8 | L1 | PATCH | Ensure nftables rules are permanent"
lineinfile:
path: /etc/sysconfig/nftables.conf
state: present
insertafter: EOF
line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_8
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.3.8

148
tasks/section_3/cis_3.4.4.1.x.yml
View file

@ -1,148 +0,0 @@
---
- name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy"
block:
- name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed"
iptables:
chain: INPUT
protocol: tcp
destination_port: "22"
jump: ACCEPT
- name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
iptables:
policy: DROP
chain: "{{ item }}"
with_items:
- INPUT
- FORWARD
- OUTPUT
when:
- rhel9cis_rule_3_4_4_1_1
- rhel9cis_firewall == "iptables"
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.1.1
- name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured"
block:
- name: "3.4.4.1.2 | L1 | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT"
iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT"
iptables:
action: append
chain: OUTPUT
out_interface: lo
jump: ACCEPT
- name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
iptables:
action: append
chain: INPUT
source: 127.0.0.0/8
jump: DROP
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_1_2
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.1.2
- name: "3.4.4.1.3 | L1 | PATCH | Ensure iptables outbound and established connections are configured"
iptables:
action: append
chain: '{{ item.chain }}'
protocol: '{{ item.protocol }}'
match: state
ctstate: '{{ item.ctstate }}'
jump: ACCEPT
with_items:
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
- { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_1_3
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.1.3
- name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports"
block:
- name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports"
shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_4_1_4_otcp
- name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports"
shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_4_1_4_oudp
- name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open tcp ports"
iptables:
action: append
chain: INPUT
protocol: tcp
destination_port: "{{ item }}"
match: state
ctstate: NEW
jump: ACCEPT
with_items:
- "{{ rhel9cis_3_4_4_1_4_otcp.stdout_lines }}"
when: rhel9cis_3_4_4_1_4_otcp.stdout is defined
- name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open udp ports"
iptables:
action: append
chain: INPUT
protocol: udp
destination_port: "{{ item }}"
match: state
ctstate: NEW
jump: ACCEPT
with_items:
- "{{ rhel9cis_3_4_4_1_4_oudp.stdout_lines }}"
when: rhel9cis_3_4_4_1_4_otcp.stdout is defined
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_1_4
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.1.4
- name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled"
service:
name: iptables
enabled: true
state: started
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_1_5
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.1.5

136
tasks/section_3/cis_3.4.4.2.x.yml
View file

@ -1,136 +0,0 @@
---
- name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy"
block:
- name: "3.4.4.2.1 | L1 | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed"
iptables:
chain: INPUT
protocol: tcp
destination_port: "22"
jump: ACCEPT
ip_version: ipv6
- name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
iptables:
policy: DROP
chain: "{{ item }}"
ip_version: ipv6
with_items:
- INPUT
- FORWARD
- OUTPUT
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_2_1
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.2.1
- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured"
block:
- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT"
iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
ip_version: ipv6
- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT"
iptables:
action: append
chain: OUTPUT
out_interface: lo
jump: ACCEPT
ip_version: ipv6
- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
iptables:
action: append
chain: INPUT
source: ::1
jump: DROP
ip_version: ipv6
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_2_2
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.2.2
- name: "3.4.4.2.3 | L1 | PATCH | Ensure ip6tables outbound and established connections are configured"
iptables:
action: append
chain: '{{ item.chain }}'
protocol: '{{ item.protocol }}'
match: state
ctstate: '{{ item.ctstate }}'
jump: ACCEPT
ip_version: ipv6
with_items:
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
- { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_2_3
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.2.3
- name: "3.4.4.2.4 | L1 | PATCH | Ensure ip6tables firewall rules exist for all open ports"
block:
- name: "3.4.4.2.4 | L1 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports"
shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
changed_when: false
failed_when: false
register: rhel9cis_3_4_4_2_4_otcp
- name: "3.4.4.2.4 | L1 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports"
iptables:
action: append
chain: INPUT
protocol: tcp
destination_port: "{{ item }}"
match: state
ctstate: NEW
jump: ACCEPT
ip_version: ipv6
with_items:
- "{{ rhel9cis_3_4_4_2_4_otcp.stdout_lines }}"
when: rhel9cis_3_4_4_2_4_otcp.stdout is defined
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_2_4
- rhel9cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.2.4
- name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled"
service:
name: ip6tables
enabled: true
state: started
when:
- rhel9cis_firewall == "iptables"
- rhel9cis_rule_3_4_4_2_5
tags:
- level1-server
- level1-workstation
- patch
- rule_3.4.4.2.5

27
tasks/section_3/cis_3.5.yml
View file

@ -1,27 +0,0 @@
---
- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled"
block:
- name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
shell: nmcli radio wifi
args:
warn: false
register: rhel_09_wifi_enabled
changed_when: rhel_09_wifi_enabled.stdout != "disabled"
failed_when: false
- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
shell: nmcli radio all off
args:
warn: false
changed_when: false
failed_when: false
when: rhel_09_wifi_enabled is changed
when:
- '"NetworkManager" in ansible_facts.packages'
- rhel9cis_rule_3_5
tags:
- level1-server
- level2-workstation
- patch
- rule_3.5

17
tasks/section_3/cis_3.6.yml
View file

@ -1,17 +0,0 @@
---
- name: "3.6 | L2 | PATCH | Disable IPv6"
replace:
dest: /etc/default/grub
regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?<!ipv6.disable=1)(?:")'
replace: '\1"\2 ipv6.disable=1"'
follow: true
notify: grub2cfg
when:
- not rhel9cis_ipv6_required
- rhel9cis_rule_3_6
tags:
- level2-server
- level2-workstation
- patch
- rule_3.6

32
tasks/section_3/main.yml
View file

@ -1,41 +1,21 @@
---
- name: "SECTION | 3.1.x | Packet and IP redirection"
- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
import_tasks: cis_3.1.x.yml
- name: "SECTION | 3.2.x | Network Parameters (Host Only)"
import_tasks: cis_3.2.x.yml
- name: "SECTION | 3.3.x | Uncommon Network Protocols"
- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
import_tasks: cis_3.3.x.yml
- name: "SECTION | 3.4.1.x | firewall defined"
import_tasks: cis_3.4.1.1.yml
- name: "SECTION | 3.4.2.x | firewalld firewall"
include_tasks: cis_3.4.2.x.yml
- name: "SECTION | 3.4.1.x | Configure firewalld"
import_tasks: cis_3.4.1.x.yml
when:
- rhel9cis_firewall == "firewalld"
- name: "SECTION | 3.4.3.x | Configure nftables firewall"
include_tasks: cis_3.4.3.x.yml
- name: "SECTION | 3.4.2.x | Configure nftables"
include_tasks: cis_3.4.2.x.yml
when:
- rhel9cis_firewall == "nftables"
- name: "SECTION | 3.4.4.1.x | Configure iptables IPv4"
include_tasks: cis_3.4.4.1.x.yml
when:
- rhel9cis_firewall == "iptables"
- name: "SECTION | 3.4.4.2.x | Configure iptables IPv6"
include_tasks: cis_3.4.4.2.x.yml
when:
- ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )
- name: "SECTION | 3.5 | Configure wireless"
import_tasks: cis_3.5.yml
- name: "SECTION | 3.5 | disable IPv6"
include_tasks: cis_3.5.yml
when:
- not rhel9cis_ipv6_required

49
tasks/section_4/cis_4.1.1.x.yml
View file

@ -1,14 +1,14 @@
---
- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed"
- name: "4.1.1.1 | PATCH | Ensure auditd is installed"
block:
- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed | Install auditd packages"
- name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
package:
name: audit
state: present
when: '"auditd" not in ansible_facts.packages'
- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
- name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
package:
name: audit-libs
state: present
@ -18,38 +18,37 @@
tags:
- level2-server
- level2-workstation
- automated
- patch
- rule_4.1.1.1
- auditd
- rule_4.1.1.1
- name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled"
- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled"
service:
name: auditd
state: started
enabled: true
enabled: yes
when:
- not rhel9cis_skip_for_travis
- rhel9cis_rule_4_1_1_2
- not system_is_container
- ansible_connection != 'docker'
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.1.2
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
block:
- name: "4.1.1.3 | L2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
- name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
replace:
dest: /etc/default/grub
regexp: 'audit=.'
@ -57,7 +56,7 @@
notify: grub2cfg
when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
@ -69,22 +68,22 @@
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- grub
- rule_4.1.1.3
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
block:
- name: "4.1.1.4 | L2 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
- name: "4.1.1.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_4_1_1_4_grub_cmdline_linux
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
replace:
dest: /etc/default/grub
regexp: 'audit_backlog_limit=\d+'
@ -92,7 +91,7 @@
notify: grub2cfg
when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout"
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
@ -104,6 +103,8 @@
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- grub
- rule_4.1.1.4

24
tasks/section_4/cis_4.1.2.x.yml
View file

@ -1,43 +1,42 @@
---
- name: "4.1.2.1 | L2 | PATCH | Ensure audit log storage size is configured"
- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured"
lineinfile:
dest: /etc/audit/auditd.conf
path: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)"
line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
state: present
notify: restart auditd
when:
- rhel9cis_rule_4_1_2_1
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.2.1
- name: "4.1.2.2 | L2 | PATCH | Ensure audit logs are not automatically deleted"
- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
lineinfile:
dest: /etc/audit/auditd.conf
path: /etc/audit/auditd.conf
regexp: "^max_log_file_action"
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
state: present
notify: restart auditd
when:
- rhel9cis_rule_4_1_2_2
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.2.2
- name: "4.1.2.3 | L2 | PATCH | Ensure system is disabled when audit logs are full"
- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
lineinfile:
dest: /etc/audit/auditd.conf
path: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
notify: restart auditd
with_items:
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
@ -48,6 +47,7 @@
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.2.3

323
tasks/section_4/cis_4.1.3.x.yml Normal file
View file

@ -0,0 +1,323 @@
---
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_1
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.1
- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_2
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.2
- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_3
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.3
- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_4
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.4
- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_5
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.5
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: no
register: priv_procs
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_6
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.6
- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_7
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3_7
- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_8
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.8
- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_9
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.9
- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_10
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.10
- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_11
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.11
- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_12
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.12
- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_13
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.3.13
- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_14
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.14
- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_15
tags:
- level2-server
- level2- workstation
- automated
- patch
- auditd
- rule_4.1.3.15
- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_16
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.16
- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_17
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.17
- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_18
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.18
- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_19
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.19
- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_20
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.20
- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
debug:
msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active"
when:
- rhel9cis_rule_4_1_3_21
tags:
- level2-server
- level2-workstation
- manual
- patch
- auditd
- rule_4.1.3.21

207
tasks/section_4/cis_4.1.x.yml
View file

@ -1,207 +0,0 @@
---
- name: "4.1.3 | L2 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_3
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.3
- name: "4.1.4 | L2 | PATCH | Ensure login and logout events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_4
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.4
- name: "4.1.5 | L2 | PATCH | Ensure session initiation information is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_5
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.5
- name: "4.1.6 | L2 | PATCH | Ensure events that modify date and time information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_6
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.6
- name: "4.1.7 | L2 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_7
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.7
- name: "4.1.8 | L2 | PATCH | Ensure events that modify the system's network environment are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_8
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.8
- name: "4.1.9 | L2 | PATCH | Ensure discretionary access control permission modification events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_9
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.9
- name: "4.1.10 | L2 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_10
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.10
- name: "4.1.11 | L2 | PATCH | Ensure events that modify user/group information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_11
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.11
- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"
block:
- name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: priv_procs
- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_12
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.12
- name: "4.1.13 | L2 | PATCH | Ensure use of privileged commands is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_13
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.13
- name: "4.1.14 | L2 | PATCH | Ensure file deletion events by users are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_14
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.14
- name: "4.1.15 | L2 | PATCH | Ensure kernel module loading and unloading is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_15
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.15
- name: "4.1.16 | L2 | PATCH | Ensure system administrator actions (sudolog) are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_16
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.16
- name: "4.1.17 | L2 | PATCH | Ensure the audit configuration is immutable"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_17
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.17

114
tasks/section_4/cis_4.2.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "4.2.1.1 | L1 | PATCH | Ensure rsyslog installed"
- name: "4.2.1.1 | PATCH | Ensure rsyslog installed"
package:
name: rsyslog
state: present
@ -10,55 +10,74 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- rsyslog
- rule_4.2.1.1
- name: "4.2.1.2 | L1 | PATCH | Ensure rsyslog Service is enabled"
- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
service:
name: rsyslog
enabled: true
enabled: yes
when:
- rhel9cis_rule_4_2_1_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- rsyslog
- rule_4.2.1.2
- name: "4.2.1.3 | L1 | PATCH | Ensure rsyslog default file permissions configured"
# This is counter to control 4.2.2.5??
- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
lineinfile:
dest: /etc/rsyslog.conf
path: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes
when:
- rhel9cis_rule_4_2_1_3
- rhel9cis_preferred_log_capture == "rsyslog"
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.2.1.3
- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
lineinfile:
path: /etc/rsyslog.conf
regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640'
notify: restart rsyslog
when:
- rhel9cis_rule_4_2_1_3
- rhel9cis_rule_4_2_1_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_4.2.1.3
- rsyslog
- rule_4.2.1.4
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured"
- name: "4.2.1.5 | PATCH | Ensure logging is configured"
block:
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
shell: cat /etc/rsyslog.conf
args:
warn: false
become: true
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
command: cat /etc/rsyslog.conf
become: yes
changed_when: false
failed_when: false
check_mode: false
register: rhel_09_4_2_1_4_audit
failed_when: no
check_mode: no
register: rhel_08_4_2_1_5_audit
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
debug:
msg:
- "These are the current logging configurations for rsyslog, please review:"
- "{{ rhel_09_4_2_1_4_audit.stdout_lines }}"
- "{{ rhel_08_4_2_1_5_audit.stdout_lines }}"
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | mail.* log setting"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -73,7 +92,7 @@
notify: restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | news.crit log setting"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -86,7 +105,7 @@
notify: restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Misc. log setting"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -100,13 +119,13 @@
notify: restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Local log settings"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)"
block: |
# local log settings
# local log settings to meet CIS standards
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
@ -114,16 +133,39 @@
*.emrg :omusrmsg:*
insertafter: '#### RULES ####'
notify: restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
block: |
# Private settings to meet CIS standards
auth,authpriv.* /var/log/secure
insertafter: '#### RULES ####'
notify: restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)"
block: |
# Cron settings to meet CIS standards
cron.* /var/log/cron
insertafter: '#### RULES ####'
notify: restart rsyslog
when:
- rhel9cis_rule_4_2_1_4
- rhel9cis_rule_4_2_1_5
tags:
- level1-server
- level1-workstation
- manual
- patch
- rsyslog
- rule_4.2.1.4
- rule_4.2.1.5
- name: "4.2.1.5 | L1 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -137,18 +179,19 @@
- result.rc != 257
notify: restart rsyslog
when:
- rhel9cis_rule_4_2_1_5
- rhel9cis_rule_4_2_1_6
- rhel9cis_remote_log_server is defined
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.2.1.5
- rsyslog
- rule_4.2.1.6
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
block:
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When not log host"
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
replace:
path: /etc/rsyslog.conf
regexp: '({{ item }})'
@ -157,9 +200,11 @@
with_items:
- '^(\$ModLoad imtcp)'
- '^(\$InputTCPServerRun)'
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
when: not rhel9cis_system_is_log_server
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host"
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
replace:
path: /etc/rsyslog.conf
regexp: '^#(.*{{ item }}.*)'
@ -168,12 +213,15 @@
with_items:
- 'ModLoad imtcp'
- 'InputTCPServerRun'
- 'module\(load="imtcp"\)'
- 'input\(type="imtcp"'
when: rhel9cis_system_is_log_server
when:
- rhel9cis_rule_4_2_1_6
- rhel9cis_rule_4_2_1_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_4.2.1.6
- rsyslog
- rule_4.2.1.7

197
tasks/section_4/cis_4.2.2.x.yml
View file

@ -1,43 +1,204 @@
---
- name: "4.2.2.1 | L1 | PATCH | Ensure journald is configured to send logs to rsyslog"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes
- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
package:
name: systemd-journal-remote
state: present
when:
- rhel9cis_rule_4_2_2_1
- rhel9cis_rule_4_2_2_1_1
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.2.2.1
- journald
- rule_4.2.2.1.1
- name: "4.2.2.2 | L1 | PATCH | Ensure journald is configured to compress large log files"
- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#Compress=|^Compress="
line: Compress=yes
state: present
path: /etc/systemd/journal-upload.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart systemd_journal_upload
with_items:
- { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
when:
- rhel9cis_rule_4_2_2_1_2
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.1.2
- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled"
systemd:
name: systemd-journal-upload
state: started
enabled: yes
when:
- rhel9cis_rule_4_2_2_1_3
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.1.3
- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client"
systemd:
name: systemd-journal-remote
state: stopped
enabled: no
masked: yes
when:
- rhel9cis_rule_4_2_2_1_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- journald
- rule_4.2.2.1.4
- name: "4.2.2.2 | PATCH | Ensure journald service is enabled"
block:
- name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service"
systemd:
name: systemd-journald
state: started
enabled: yes
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
shell: systemctl is-enabled systemd-journald.service
changed_when: false
failed_when: false
register: rhel9cis_4_2_2_2_status
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
debug:
msg:
- "ALERT! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
when:
- rhel9cis_rule_4_2_2_2
tags:
- level1-server
- level1-workstation
- patch
- automated
- audit
- journald
- rule_4.2.2.2
- name: "4.2.2.3 | L1 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#Storage=|^Storage="
line: Storage=persistent
state: present
path: /etc/systemd/journald.conf
regexp: "^#Compress=|^Compress="
line: Compress=yes
when:
- rhel9cis_rule_4_2_2_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- journald
- rule_4.2.2.3
- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
lineinfile:
path: /etc/systemd/journald.conf
regexp: "^#Storage=|^Storage="
line: Storage=persistent
when:
- rhel9cis_rule_4_2_2_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- journald
- rule_4.2.2.4
# This is counter to control 4.2.1.3??
- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog"
lineinfile:
path: /etc/systemd/journald.conf
regexp: "^ForwardToSyslog="
line: "#ForwardToSyslog=yes"
notify: restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_5
- rhel9cis_preferred_log_capture == "journald"
tags:
- level1-server
- level2-workstation
- manual
- patch
- journald
- rule_4.2.2.5
- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy"
lineinfile:
path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart journald
with_items:
- { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
- { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
- { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'}
- { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'}
- { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'}
when:
- rhel9cis_rule_4_2_2_6
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.6
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured"
block:
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file"
find:
paths: /etc/tmpfiles.d
patterns: systemd.conf
register: rhel9cis_4_2_2_7_override_status
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings"
shell: cat /etc/tmpfiles.d/systemd.conf
changed_when: false
failed_when: false
register: rhel9cis_4_2_2_7_override_settings
when: rhel9cis_4_2_2_7_override_status.matched >= 1
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings"
shell: cat /usr/lib/tmpfiles.d/systemd.conf
changed_when: false
failed_when: false
register: rhel9cis_4_2_2_7_notoverride_settings
when: rhel9cis_4_2_2_7_override_status.matched == 0
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
debug:
msg:
- "Alert! Below are the current default settings for journald, please confirm they align with your site policies"
# - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}"
- "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
when:
- rhel9cis_rule_4_2_2_7
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.7

8
tasks/section_4/cis_4.2.3.yml
View file

@ -1,9 +1,7 @@
---
- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured"
shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
args:
warn: false
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
changed_when: false
failed_when: false
when:
@ -11,5 +9,7 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- logfiles
- rule_4.2.3

44
tasks/section_4/cis_4.3.yml
View file

@ -1,13 +1,42 @@
---
- name: "4.3 | L1 | PATCH | Ensure logrotate is configured"
- name: "4.3.1 | PATCH | Ensure logrotate is installed"
package:
name: rsyslog-logrotate
state: present
when:
- rhel9cis_rule_4_3_1
tags:
- level1-server
- level1-workstation
- manual
- patch
- logrotate
- rule_4.3.1
- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled"
systemd:
name: logrotate
state: started
enabled: true
when:
- rhel9cis_rule_4_3_2
tags:
- level1-server
- level1-workstation
- manual
- patch
- logrotate
- rule_4.3.2
- name: "4.3.3 | PATCH | Ensure logrotate is configured"
block:
- name: "4.3 | L1 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
- name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
find:
paths: /etc/logrotate.d/
register: log_rotates
- name: "4.3 | L1 | PATCH | Ensure logrotate is configured"
- name: "4.3.3 | PATCH | Ensure logrotate is configured"
replace:
path: "{{ item.path }}"
regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
@ -15,11 +44,14 @@
with_items:
- "{{ log_rotates.files }}"
- { path: "/etc/logrotate.conf" }
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_4_3
- "'logrotate' in ansible_facts.packages"
- rhel9cis_rule_4_3_3
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.3
- logrotate
- rule_4.3.3

12
tasks/section_4/main.yml
View file

@ -1,21 +1,21 @@
---
- name: "SECTION | 4.1| Configure System Accounting (auditd)"
- name: "SECTION | 4.1 | Configure System Accounting (auditd)"
include_tasks: cis_4.1.1.x.yml
when:
- not system_is_container
- name: "SECTION | 4.1.2.x| Configure Data Retention"
- name: "SECTION | 4.1.2 | Configure Data Retention"
import_tasks: cis_4.1.2.x.yml
- name: "SECTION | 4.1.x| Auditd rules"
import_tasks: cis_4.1.x.yml
- name: "SECTION | 4.1.3 | Configure Auditd rules"
import_tasks: cis_4.1.3.x.yml
- name: "SECTION | 4.2.x| Configure Logging"
- name: "SECTION | 4.2 | Configure Logging"
import_tasks: cis_4.2.1.x.yml
when: rhel9cis_syslog == 'rsyslog'
- name: "SECTION | 4.2.2.x| Configure journald"
- name: "SECTION | 4.2.2 Configure journald"
import_tasks: cis_4.2.2.x.yml
- name: "SECTION | 4.2.3 | Configure logile perms"

88
tasks/section_5/cis_5.1.x.yml
View file

@ -1,18 +1,20 @@
---
- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled"
- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
service:
name: crond
enabled: true
enabled: yes
when:
- rhel9cis_rule_5_1_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.1
- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured"
- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
file:
dest: /etc/crontab
owner: root
@ -23,10 +25,12 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.2
- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
file:
dest: /etc/cron.hourly
state: directory
@ -38,10 +42,12 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.3
- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured"
- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
file:
dest: /etc/cron.daily
state: directory
@ -53,10 +59,12 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.4
- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
file:
dest: /etc/cron.weekly
state: directory
@ -71,7 +79,7 @@
- patch
- rule_5.1.5
- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
file:
dest: /etc/cron.monthly
state: directory
@ -83,10 +91,11 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_5.1.6
- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured"
- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
file:
dest: /etc/cron.d
state: directory
@ -98,43 +107,27 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.7
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users"
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users"
block:
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny"
file:
dest: /etc/at.deny
state: absent
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists"
stat:
path: "/etc/at.allow"
register: p
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users"
file:
dest: /etc/at.allow
state: '{{ "file" if p.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny"
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
file:
dest: /etc/cron.deny
state: absent
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists"
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists"
stat:
path: "/etc/cron.allow"
register: p
register: rhel9cis_5_1_8_cron_allow_state
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
file:
dest: /etc/cron.allow
state: '{{ "file" if p.stat.exists else "touch" }}'
state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
@ -143,5 +136,36 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.8
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users"
block:
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
file:
dest: /etc/at.deny
state: absent
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
stat:
path: "/etc/at.allow"
register: rhel9cis_5_1_9_at_allow_state
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
file:
dest: /etc/at.allow
state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
when:
- rhel9cis_rule_5_1_9
tags:
- level1-server
- level1-workstation
- automated
- patch
- cron
- rule_5.1.9

347
tasks/section_5/cis_5.2.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
file:
dest: /etc/ssh/sshd_config
state: file
@ -12,259 +12,282 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- permissions
- rule_5.2.1
- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited"
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured"
block:
- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers"
line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
notify: restart sshd
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^AllowGroups"
line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
notify: restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^DenyUsers"
line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
notify: restart sshd
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^DenyGroups"
line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
notify: restart sshd
when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
when:
- rhel9cis_rule_5_2_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.2.2
- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured"
block:
- name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
- name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
find:
paths: /etc/ssh
patterns: 'ssh_host_*_key'
recurse: true
file_type: any
register: rhel9cis_5_2_3_ssh_private_host_key
register: rhel9cis_5_2_2_ssh_private_host_key
- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
file:
path: "{{ item.path }}"
owner: root
group: root
mode: 0600
with_items:
- "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}"
- "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_5_2_3
- rhel9cis_rule_5_2_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_5.2.3
- ssh
- permissions
- rule_5.2.2
- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured"
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured"
block:
- name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
- name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
find:
paths: /etc/ssh
patterns: 'ssh_host_*_key.pub'
recurse: true
file_type: any
register: rhel9cis_5_2_4_ssh_public_host_key
register: rhel9cis_5_2_3_ssh_public_host_key
- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
file:
path: "{{ item.path }}"
owner: root
group: root
mode: 0644
with_items:
- "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}"
- "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_5_2_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.3
- name: "5.2.4 | PATCH | Ensure SSH access is limited"
block:
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^AllowGroups"
line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^DenyUsers"
line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^DenyGroups"
line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
when:
- rhel9cis_rule_5_2_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.4
- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate"
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
path: /etc/ssh/sshd_config
regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- sshs
- rule_5.2.5
- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled"
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
path: /etc/ssh/sshd_config
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_6
tags:
- level2-server
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.6
- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
path: /etc/ssh/sshd_config
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.7
- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled"
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes'
path: /etc/ssh/sshd_config
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_8
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.8
- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: ^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
path: /etc/ssh/sshd_config
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_9
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.9
- name: "5.2.10 | L1 | PATCH | Ensure SSH root login is disabled"
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
path: /etc/ssh/sshd_config
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_10
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.10
- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
path: /etc/ssh/sshd_config
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_11
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.11
- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
path: /etc/ssh/sshd_config
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_12
tags:
- level1-server
- level2-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.12
- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured"
block:
- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_13
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- automated
- patch
- ssh
- rule_5.2.13
- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
args:
warn: no
notify: restart sshd
when:
- rhel9cis_rule_5_2_14
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.14
- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured"
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
path: /etc/ssh/sshd_config
regexp: '^Banner'
line: 'Banner /etc/issue.net'
when:
@ -272,74 +295,96 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.15
- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled"
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
path: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_16
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.16
- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
path: /etc/ssh/sshd_config
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_17
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.17
- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured"
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
path: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_18
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.18
- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less"
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
path: /etc/ssh/sshd_config
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_19
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.19
- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden"
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
args:
warn: false
notify: restart sshd
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured"
block:
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
validate: sshd -t -f %s
when:
- rhel9cis_rule_5_2_20
tags:
- level1-server
- level1-workstation
- automated
- patch
- ssh
- rule_5.2.20

183
tasks/section_5/cis_5.3.x.yml
View file

@ -1,94 +1,139 @@
---
- name: "5.3.1 | L1 | PATCH | Create custom authselect profile"
block:
- name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles"
shell: 'authselect current | grep "Profile ID: custom/"'
args:
warn: false
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_3_1_profiles
- name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles"
debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_3_1_profiles.stdout_lines }}"
- name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles"
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
args:
warn: false
when: rhel9cis_authselect_custom_profile_create
- name: "5.3.1 | PATCH | Ensure sudo is installed"
package:
name: sudo
state: present
when:
- rhel9cis_rule_5_3_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- authselect
- sudo
- rule_5.3.1
- name: "5.3.2 | L1 | PATCH | Select authselect profile"
block:
- name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features"
shell: "authselect current"
args:
warn: false
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_3_2_profiles
- name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles"
debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_3_2_profiles.stdout_lines }}"
- name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}"
args:
warn: false
when: rhel9cis_authselect_custom_profile_select
- name: "5.3.2 | PATCH | Ensure sudo commands use pty"
lineinfile:
path: /etc/sudoers
line: "Defaults use_pty"
validate: '/usr/sbin/visudo -cf %s'
when:
- rhel9cis_rule_5_3_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- authselect
- sudo
- rule_5.3.2
- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock"
block:
- name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
shell: "authselect current | grep with-faillock"
args:
warn: false
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_3_3_profiles_faillock
- name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_3_3_profiles_faillock.stdout_lines }}"
- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
args:
warn: false
when: rhel9cis_authselect_custom_profile_select
- name: "5.3.3 | PATCH | Ensure sudo log file exists"
lineinfile:
path: /etc/sudoers
regexp: '^Defaults logfile='
line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"'
validate: '/usr/sbin/visudo -cf %s'
when:
- rhel9cis_rule_5_3_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- authselect
- sudo
- rule_5.3.3
- name: "5.3.4 | PATCH | Ensure users must provide password for escalation"
replace:
path: "{{ item }}"
regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
replace: '\1PASSWD\2'
validate: '/usr/sbin/visudo -cf %s'
with_items:
- "{{ rhel9cis_sudoers_files.stdout_lines }}"
when:
- rhel9cis_rule_5_3_4
tags:
- level2-server
- level2-workstation
- automated
- patch
- sudo
- rule_5.3.4
- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
replace:
path: "{{ item }}"
regexp: '^([^#].*)!authenticate(.*)'
replace: '\1authenticate\2'
validate: '/usr/sbin/visudo -cf %s'
with_items:
- "{{ rhel9cis_sudoers_files.stdout_lines }}"
when:
- rhel9cis_rule_5_3_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- sudo
- rule_5.3.5
- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
block:
- name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
changed_when: false
failed_when: false
register: rhel9cis_5_3_6_timeout_files
- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
lineinfile:
path: /etc/sudoers
regexp: 'Defaults timestamp_timeout='
line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s'
when: rhel9cis_5_3_6_timeout_files.stdout | length == 0
- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
replace:
path: "{{ item }}"
regexp: 'timestamp_timeout=(\d+)'
replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s'
with_items:
- "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}"
when: rhel9cis_5_3_6_timeout_files.stdout | length > 0
when:
- rhel9cis_rule_5_3_6
tags:
- level1-server
- level1-workstation
- automated
- patch
- sudo
- rule_5.3.6
- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
block:
- name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
lineinfile:
path: /etc/pam.d/su
regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
- name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
user:
name: "{{ rhel9cis_sugroup_users }}"
groups: "{{ rhel9cis_sugroup | default('wheel') }}"
when:
- rhel9cis_rule_5_3_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- sudo
- rule_5.3.7

168
tasks/section_5/cis_5.4.x.yml
View file

@ -1,131 +1,61 @@
---
- name: |
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
5.4.3 | L1 | PATCH | Ensure password reuse is limited
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
block:
- name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
lineinfile:
state: present
dest: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
with_items:
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
when: rhel9cis_rule_5_4_1
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
shell: 'authselect current | grep "Profile ID: custom/"'
failed_when: false
changed_when: false
check_mode: no
register: rhel9cis_5_4_1_profiles
- name: |
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings
5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings"
lineinfile:
dest: /etc/pam.d/system-auth
state: present
regexp: '^password requisite pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertbefore: '^#?password ?'
when:
- rhel9cis_rule_5_4_1 or
rhel9cis_rule_5_4_3
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
- name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
lineinfile:
dest: /etc/pam.d/password-auth
state: present
regexp: '^password requisite pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
when: rhel9cis_rule_5_4_1
- name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth"
lineinfile:
dest: /etc/pam.d/{{ item }}
state: present
regexp: '^auth required pam_faillock.so preauth'
line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
when: rhel9cis_rule_5_4_2
- name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail"
lineinfile:
dest: /etc/pam.d/{{ item }}
state: present
regexp: '^auth required pam_faillock.so authfail'
line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
when: rhel9cis_rule_5_4_2
- name: |
"5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
lineinfile:
dest: /etc/pam.d/system-auth
state: present
regexp: '^password sufficient pam_unix.so'
line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^#?password ?'
when:
- rhel9cis_rule_5_4_3 or
rhel9cis_rule_5_4_4
- name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
lineinfile:
dest: /etc/pam.d/password-auth
state: present
regexp: '^password sufficient pam_unix.so'
line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok"
insertafter: '^#?password ?'
when: rhel9cis_rule_5_4_4
# The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services
# With the steps below you will score five (5) points lower due to false positive results
- name: |
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
5.4.3 | L1 | PATCH | Ensure password reuse is limited
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
copy:
src: /etc/pam.d/{{ item }}
dest: /etc/pam.d/{{ item }}-local
remote_src: true
owner: root
group: root
mode: '0644'
with_items:
- "system-auth"
- "password-auth"
- name: |
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
5.4.3 | L1 | PATCH | Ensure password reuse is limited
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
file:
src: /etc/pam.d/{{ item }}-local
dest: /etc/pam.d/{{ item }}
state: link
force: true
with_items:
- "system-auth"
- "password-auth"
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
args:
warn: no
when: rhel9cis_authselect_custom_profile_create
when:
- rhel9cis_rule_5_4_1 or
rhel9cis_rule_5_4_2 or
rhel9cis_rule_5_4_3 or
rhel9cis_rule_5_4_4
- rhel9cis_rule_5_4_1
tags:
- level1-server
- level1-workstation
- manual
- patch
- authselect
- rule_5.4.1
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock"
block:
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
shell: "authselect current | grep with-faillock"
failed_when: false
changed_when: false
check_mode: no
register: rhel9cis_5_4_2_profiles_faillock
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
args:
warn: no
when: rhel9cis_authselect_custom_profile_select
when:
- rhel9cis_rule_5_4_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- authselect
- rule_5.4.2
- rule_5.4.3
- rule_5.4.4

131
tasks/section_5/cis_5.5.1.x.yml
View file

@ -1,131 +0,0 @@
---
- name: "5.5.1.1 | L1 | PATCH | Ensure password expiration is 365 days or less"
lineinfile:
state: present
dest: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
when:
- rhel9cis_rule_5_5_1_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1.1
- name: "5.5.1.2 | L1 | PATCH | Ensure minimum days between password changes is 7 or more"
lineinfile:
state: present
dest: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
when:
- rhel9cis_rule_5_5_1_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1.2
- name: "5.5.1.3 | L1 | PATCH | Ensure password expiration warning days is 7 or more"
lineinfile:
state: present
dest: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
when:
- rhel9cis_rule_5_5_1_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1.3
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less"
block:
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_5_1_4_inactive_settings
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
args:
warn: false
when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
args:
warn: false
check_mode: false
register: rhel_09_5_5_1_4_audit
changed_when: false
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
args:
warn: false
with_items:
- "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
when:
- rhel9cis_rule_5_5_1_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1.4
- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past"
block:
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
shell: echo $(($(date --utc --date "$1" +%s)/86400))
args:
warn: false
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_5_1_5_currentut
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'"
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_5_1_5_user_list
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
debug:
msg: "Good News! All accounts have PW change dates that are in the past"
when: rhel9cis_5_5_1_5_user_list.stdout | length == 0
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
debug:
msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_5_1_5_user_list.stdout_lines }}"
when:
- rhel9cis_5_5_1_5_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
shell: passwd --expire {{ item }}
args:
warn: false
when:
- rhel9cis_5_5_1_5_user_list | length > 0
- rhel9cis_futurepwchgdate_autofix
with_items:
- "{{ rhel9cis_5_5_1_5_user_list.stdout_lines }}"
when:
- rhel9cis_rule_5_5_1_5
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1.5

168
tasks/section_5/cis_5.5.x.yml
View file

@ -1,59 +1,87 @@
---
- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured"
- name: "5.5.1 | PATCH | "
block:
- name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin"
user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
with_items:
- "{{ rhel9cis_passwd }}"
when:
- item.id != "root"
- item.id != "sync"
- item.id != "shutdown"
- item.id != "halt"
- item.uid < 1000
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts"
user:
name: "{{ item.id }}"
password_lock: true
with_items:
- "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
- item.id != "sync"
- item.id != "root"
- min_int_uid | int >= item.uid
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
lineinfile:
path: /etc/pam.d/system-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
lineinfile:
path: /etc/pam.d/password-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
when:
- rhel9cis_rule_5_5_2
- rhel9cis_rule_5_5_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.2
- rule_5.5.1
- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less"
blockinfile:
create: true
mode: 0644
dest: "{{ item.dest }}"
state: "{{ item.state }}"
marker: "# {mark} ANSIBLE MANAGED"
block: |
# Set session timeout - CIS ID RHEL-09-5.4.5
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT
readonly TMOUT
- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth"
lineinfile:
path: /etc/pam.d/{{ item }}
regexp: '^auth\s*required\s*pam_faillock.so preauth'
line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail"
lineinfile:
path: /etc/pam.d/{{ item }}
regexp: '^auth\s*required\s*pam_faillock.so authfail'
line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
when:
- ansible_distribution_version <= "8.1"
- rhel9cis_rule_5_5_2
- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ "
lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
- { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' }
when:
- ansible_distribution_version >= "8.2"
- rhel9cis_rule_5_5_2
- name: "5.5.3 | PATCH | Ensure password reuse is limited"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory"
lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
when:
- rhel9cis_rule_5_5_3
tags:
@ -62,12 +90,31 @@
- patch
- rule_5.5.3
- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
shell: usermod -g 0 root
args:
warn: false
changed_when: false
failed_when: false
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
replace:
path: /etc/pam.d/password-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
when:
- rhel9cis_rule_5_5_4
tags:
@ -75,24 +122,3 @@
- level1-workstation
- patch
- rule_5.5.4
- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive"
block:
- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
replace:
path: /etc/bashrc
regexp: '(^\s+umask) 0[012][0-6]'
replace: '\1 027'
- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
replace:
path: /etc/profile
regexp: '(^\s+umask) 0[012][0-6]'
replace: '\1 027'
when:
- rhel9cis_rule_5_5_5
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.5

122
tasks/section_5/cis_5.6.1.x.yml Normal file
View file

@ -0,0 +1,122 @@
---
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
when:
- rhel9cis_rule_5_6_1_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- password
- rule_5.5.1.1
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
when:
- rhel9cis_rule_5_6_1_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- password
- rule_5.6.1.2
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
when:
- rhel9cis_rule_5_6_1_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- password
- rule_5.5.1.3
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
block:
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_5_6_1_4_inactive_settings
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
changed_when: false
check_mode: no
register: rhel_8_5_6_1_4_user_list
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
with_items:
- "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
when:
- rhel9cis_rule_5_6_1_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- password
- rule_5.6.1.4
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
block:
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
shell: echo $(($(date --utc --date "$1" +%s)/86400))
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_5_6_1_5_currentut
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_5_6_1_5_user_list
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
debug:
msg: "Good News! All accounts have PW change dates that are in the past"
when: rhel9cis_5_6_1_5_user_list.stdout | length == 0
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
debug:
msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
command: passwd --expire {{ item }}
when:
- rhel9cis_5_6_1_5_user_list | length > 0
- rhel9cis_futurepwchgdate_autofix
with_items:
- "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
when:
- rhel9cis_rule_5_6_1_5
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1.5

109
tasks/section_5/cis_5.6.x.yml Normal file
View file

@ -0,0 +1,109 @@
---
- name: "5.6.2 | PATCH | Ensure system accounts are secured"
block:
- name: "5.6.2 | Ensure system accounts are secured | Set nologin"
user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
with_items:
- "{{ rhel9cis_passwd }}"
when:
- item.id != "root"
- item.id != "sync"
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- min_int_uid | int < item.gid
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
label: "{{ item.id }}"
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
user:
name: "{{ item.id }}"
password_lock: true
with_items:
- "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- min_int_uid | int < item.gid
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
label: "{{ item.id }}"
when:
- rhel9cis_rule_5_6_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_5.6.2
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
blockinfile:
create: yes
mode: 0644
dest: "{{ item.dest }}"
state: "{{ item.state }}"
marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED"
block: |
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT
readonly TMOUT
with_items:
- { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
- { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
when:
- rhel9cis_rule_5_6_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_5.6.3
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
user:
name: root
group: 0
when:
- rhel9cis_rule_5_6_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_5.6.4
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
replace:
path: /etc/bashrc
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: 'UMASK 027'
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
replace:
path: /etc/profile
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: 'UMASK 027'
when:
- rhel9cis_rule_5_6_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_5.6.5

37
tasks/section_5/cis_5.6.yml
View file

@ -1,37 +0,0 @@
---
# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed.
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
block:
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists"
stat:
path: /etc/securetty
register: rhel9cis_securetty_check
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
shell: cat /etc/securetty
args:
warn: false
changed_when: false
register: rhel_09_5_6_audit
when: rhel9cis_securetty_check.stat.exists
- name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console"
debug:
msg:
- "These are the consoles with root login access, please review:"
- "{{ rhel_09_5_6_audit.stdout_lines }}"
when: rhel9cis_securetty_check.stat.exists
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists"
debug:
msg:
- "There is no /etc/securetty file, this has been removed by default in RHEL9"
when: not rhel9cis_securetty_check.stat.exists
when:
- rhel9cis_rule_5_6
tags:
- level1-server
- level1-workstation
- audit
- rule_5.6

22
tasks/section_5/cis_5.7.yml
View file

@ -1,22 +0,0 @@
---
- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted"
block:
- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
lineinfile:
state: present
dest: /etc/pam.d/su
regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
user:
name: "{{ rhel9cis_sugroup_users }}"
groups: "{{ rhel9cis_sugroup | default('wheel') }}"
when:
- rhel9cis_rule_5_7
tags:
- level1-server
- level1-workstation
- patch
- rule_5.7

21
tasks/section_5/main.yml
View file

@ -1,5 +1,7 @@
---
# Access, Authentication, and Authorization
- name: "SECTION | 5.1 | Configure time-based job schedulers"
import_tasks: cis_5.1.x.yml
@ -8,22 +10,17 @@
when:
- "'openssh-server' in ansible_facts.packages"
- name: "SECTION | 5.3 | Configure Profiles"
- name: "SECTION | 5.3 | Configure privilege escalation"
include_tasks: cis_5.3.x.yml
when:
- rhel9cis_use_authconfig
- name: "SECTION | 5.4 | Configure PAM "
- name: "SECTION | 5.4 | Configure authselect"
import_tasks: cis_5.4.x.yml
- name: "SECTION | 5.5.1.x | Passwords and Accounts"
import_tasks: cis_5.5.1.x.yml
- name: "SECTION | 5.5.x | System Accounts and User Settings"
- name: "SECTION | 5.5 | Configure PAM "
import_tasks: cis_5.5.x.yml
- name: "SECTION | 5.6 | Root Login"
import_tasks: cis_5.6.yml
- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
import_tasks: cis_5.6.1.x.yml
- name: Section | 5.7 | su Command Restriction
import_tasks: cis_5.7.yml
- name: "SECTION | 5.6.x | Misc. User Account Settings"
import_tasks: cis_5.6.x.yml

275
tasks/section_6/cis_6.1.x.yml
View file

@ -1,30 +1,30 @@
---
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions"
- name: "6.1.1 | AUDIT | Audit system file permissions"
block:
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages"
- name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages"
shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
args:
warn: false
warn: no
changed_when: false
failed_when: false
register: rhel9cis_6_1_1_packages_rpm
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Create list and warning"
- name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning"
block:
- name: "6.1.1 | L2 | Audit system file permissions | Add file discrepancy list to system"
- name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system"
copy:
dest: "{{ rhel9cis_rpm_audit_file }}"
content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}"
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
debug:
msg: |
"Warning! You have some package descrepancies issues.
The file list can be found in {{ rhel9cis_rpm_audit_file }}"
when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out no package descrepancies"
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies"
debug:
msg: "Good News! There are no package descrepancies"
when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0
@ -33,26 +33,32 @@
tags:
- level2-server
- level2-workstation
- manual
- audit
- permissions
- rule_6.1.1
- name: "6.1.2 | L1 | PATCH | Ensure permissions on /etc/passwd are configured"
file:
dest: /etc/passwd
owner: root
group: root
mode: 0644
- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
args:
warn: no
changed_when: false
failed_when: false
when:
- rhel9cis_rule_6_1_2
tags:
- skip_ansible_lint
- level1-server
- level1-workstation
- automated
- patch
- rule_6.1.2
- stickybits
- permissons
- rule_1.1.21
- name: "6.1.3 | L1 | PATCH | Ensure permissions on /etc/passwd- are configured"
- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured"
file:
dest: /etc/passwd-
dest: /etc/passwd
owner: root
group: root
mode: 0644
@ -61,10 +67,12 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissions
- rule_6.1.3
- name: "6.1.4 | L1 | PATCH | Ensure permissions on /etc/shadow are configured"
- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured"
file:
dest: /etc/shadow
owner: root
@ -75,24 +83,28 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissions
- rule_6.1.4
- name: "6.1.5 | L1 | PATCH | Ensure permissions on /etc/shadow- are configured"
- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured"
file:
dest: /etc/shadow-
dest: /etc/group-
owner: root
group: root
mode: 0000
mode: 0644
when:
- rhel9cis_rule_6_1_5
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissions
- rule_6.1.5
- name: "6.1.6 | L1 | PATCH | Ensure permissions on /etc/gshadow are configured"
- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured"
file:
dest: /etc/gshadow
owner: root
@ -103,38 +115,44 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissions
- rule_6.1.6
- name: "6.1.7 | L1 | PATCH | Ensure permissions on /etc/gshadow- are configured"
- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured"
file:
dest: /etc/gshadow-
dest: /etc/passwd-
owner: root
group: root
mode: 0000
mode: 0644
when:
- rhel9cis_rule_6_1_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissions
- rule_6.1.7
- name: "6.1.8 | L1 | PATCH | Ensure permissions on /etc/group are configured"
- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
file:
dest: /etc/group-
dest: /etc/shadow-
owner: root
group: root
mode: 0644
mode: 0000
when:
- rhel9cis_rule_6_1_8
- rhel9cis_rule_6_1_6
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_6.1.8
- permissions
- rule_6.1.6
- name: "6.1.9 | L1 | PATCH | Ensure permissions on /etc/group- are configured"
- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured"
file:
dest: /etc/group-
owner: root
@ -145,87 +163,78 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissionss
- rule_6.1.9
- name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist"
block:
- name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_10_perms_results
- name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist"
debug:
msg: "Good news! We have not found any world-writable files on your system"
when:
- rhel_09_6_1_10_perms_results.stdout is not defined
- name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
file:
path: '{{ item }}'
mode: o-w
state: touch
with_items: "{{ rhel_09_6_1_10_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_10_perms_results.stdout_lines is defined
- rhel9cis_no_world_write_adjust
- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured"
file:
dest: /etc/gshadow-
owner: root
group: root
mode: 0000
when:
- rhel9cis_rule_6_1_10
tags:
- level1-server
- level1-workstation
- automated
- patch
- permissions
- rule_6.1.10
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist"
- name: "6.1.11 | PATCH | Ensure no world writable files exist"
block:
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
shell: find "{{ item.mount }}" -xdev -nouser
args:
warn: false
check_mode: false
- name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
failed_when: false
changed_when: false
with_items: "{{ ansible_mounts }}"
register: rhel_09_6_1_11_audit
when: item['device'].startswith('/dev') and not 'bind' in item['options']
register: rhel_08_6_1_11_perms_results
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
- name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist"
debug:
msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
with_items: "{{ rhel_09_6_1_11_audit.results }}"
msg: "Good news! We have not found any world-writable files on your system"
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
- rhel_08_6_1_11_perms_results.stdout is not defined
- name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
file:
path: '{{ item }}'
mode: o-w
state: touch
with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}"
when:
- rhel_08_6_1_11_perms_results.stdout_lines is defined
- rhel9cis_no_world_write_adjust
when:
- rhel9cis_rule_6_1_11
tags:
- level1-server
- level1-workstation
- audit
- automated
- patch
- files
- permissions
- rule_6.1.11
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist"
- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist"
block:
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
shell: find "{{ item.mount }}" -xdev -nogroup
args:
warn: false
check_mode: false
failed_when: false
- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
command: find "{{ item.mount }}" -xdev -nouser
changed_when: false
register: rhel_09_6_1_12_audit
failed_when: false
check_mode: false
register: rhel_08_6_1_12_audit
with_items: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options']
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
debug:
msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
with_items: "{{ rhel_09_6_1_12_audit.results }}"
msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
with_items: "{{ rhel_08_6_1_12_audit.results }}"
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
@ -234,71 +243,109 @@
tags:
- level1-server
- level1-workstation
- patch
- automated
- audit
- files
- permissions
- rule_6.1.12
- name: "6.1.13 | L1 | AUDIT | Audit SUID executables"
- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist"
block:
- name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
args:
warn: false
- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
command: find "{{ item.mount }}" -xdev -nogroup
check_mode: false
failed_when: false
changed_when: false
register: rhel_09_6_1_13_perms_results
register: rhel_08_6_1_13_audit
with_items: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options']
- name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert no SUID executables exist"
- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
debug:
msg: "Good news! We have not found any SUID executable files on your system"
failed_when: false
changed_when: false
msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
with_items: "{{ rhel_08_6_1_13_audit.results }}"
when:
- rhel_09_6_1_13_perms_results.stdout is not defined
- name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert SUID executables exist"
debug:
msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_13_perms_results.stdout is defined
- item.stdout_lines is defined
- item.stdout_lines | length > 0
when:
- rhel9cis_rule_6_1_13
tags:
- level1-server
- level1-workstation
- automated
- audit
- files
- permissions
- rule_6.1.13
- name: "6.1.14 | L1 | AUDIT | Audit SGID executables"
- name: "6.1.14 | AUDIT | Audit SUID executables"
block:
- name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
args:
warn: false
- name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
failed_when: false
changed_when: false
register: rhel_09_6_1_14_perms_results
register: rhel_08_6_1_14_perms_results
with_items: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
- name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert no SGID executables exist"
- name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist"
debug:
msg: "Good news! We have not found any SGID executable files on your system"
msg: "Good news! We have not found any SUID executable files on your system"
failed_when: false
changed_when: false
when:
- rhel_09_6_1_14_perms_results.stdout is not defined
- rhel_08_6_1_14_perms_results.stdout is not defined
- name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert SGID executables exist"
- name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist"
debug:
msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}"
msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_14_perms_results.stdout is defined
- rhel_08_6_1_14_perms_results.stdout is defined
when:
- rhel9cis_rule_6_1_14
tags:
- level1-server
- level1-workstation
- patch
- manual
- audit
- files
- rule_6.1.14
- name: "6.1.15 | AUDIT | Audit SGID executables"
block:
- name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
failed_when: false
changed_when: false
register: rhel_08_6_1_15_perms_results
with_items: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
- name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist"
debug:
msg: "Good news! We have not found any SGID executable files on your system"
failed_when: false
changed_when: false
when:
- rhel_08_6_1_15_perms_results.stdout is not defined
- name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist"
debug:
msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}"
when:
- rhel_08_6_1_15_perms_results.stdout is defined
when:
- rhel9cis_rule_6_1_15
tags:
- level1-server
- level1-workstation
- manual
- audit
- files
- rule_6.1.15

740
tasks/section_6/cis_6.2.x.yml
View file

@ -1,9 +1,7 @@
---
- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty"
shell: passwd -l {{ item }}
args:
warn: false
- name: "6.2.1 | PATCH | Ensure password fields are not empty"
command: passwd -l {{ item }}
changed_when: false
failed_when: false
with_items: "{{ empty_password_accounts.stdout_lines }}"
@ -13,177 +11,268 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_6.2.1
- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
shell: sed -i '/^+/ d' /etc/passwd
args:
warn: false
changed_when: false
failed_when: false
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
block:
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_2_passwd_gid_check
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
debug:
msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
debug:
msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined
when:
- rhel9cis_rule_6_2_2
tags:
- level1-server
- level1-workstation
- patch
- automated
- audit
- accounts
- groups
- rule_6.2.2
- skip_ansible_lint
- name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity"
- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist"
block:
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value"
- name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_3_user_uid_check
- name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
debug:
msg: "Good News! There are no duplicate UID's in the system"
when: rhel9cis_6_2_3_user_uid_check.stdout is not defined
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
debug:
msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_3_user_uid_check.stdout is defined
when:
- rhel9cis_rule_6_2_3
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- users
- rule_6.2.3
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist"
block:
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
register: rhel9cis_6_2_4_user_user_check
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
debug:
msg: "Good News! There are no duplicate GIDs in the system"
when: rhel9cis_6_2_4_user_user_check.stdout is not defined
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
debug:
msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_user_check.stdout is defined
when:
- rhel9cis_rule_6_2_4
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- groups
- rule_6.2.4
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist"
block:
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_5_user_username_check
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
debug:
msg: "Good News! There are no duplicate user names in the system"
when: rhel9cis_6_2_5_user_username_check.stdout is not defined
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
debug:
msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_username_check.stdout is defined
when:
- rhel9cis_rule_6_2_5
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- users
- rule_6.2.5
- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist"
block:
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_6_2_6_group_group_check
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
debug:
msg: "Good News! There are no duplicate group names in the system"
when: rhel9cis_6_2_6_group_group_check.stdout is defined
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
debug:
msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
when:
- rhel9cis_rule_6_2_6
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- groups
- rule_6.2.6
- name: "6.2.7 | PATCH | Ensure root PATH Integrity"
block:
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value"
shell: 'echo $PATH | grep ::'
args:
warn: false
check_mode: false
register: path_colon
changed_when: False
failed_when: path_colon.rc == 0
failed_when: rhel9cis_6_2_7_path_colon.rc == 0
check_mode: no
register: rhel9cis_6_2_7_path_colon
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end"
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end"
shell: 'echo $PATH | grep :$'
args:
warn: false
check_mode: false
register: path_colon_end
changed_when: False
failed_when: path_colon_end.rc == 0
failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0
check_mode: no
register: rhel9cis_6_2_7_path_colon_end
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
args:
warn: false
check_mode: false
register: dot_in_path
changed_when: False
failed_when: '"." in dot_in_path.stdout_lines'
failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines'
check_mode: no
register: rhel9cis_6_2_7_dot_in_path
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
debug:
msg:
- "The following paths have an empty value: {{ path_colon.stdout_lines }}"
- "The following paths have colon end: {{ path_colon_end.stdout_lines }}"
- "The following paths have a dot in the path: {{ dot_in_path.stdout_lines }}"
- "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}"
- "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}"
- "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
- name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner"
- name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner"
file: >
path='{{ item }}'
follow=yes
state=directory
owner=root
mode='o-w,g-w'
with_items: "{{ dot_in_path.stdout_lines }}"
with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
when:
- rhel9cis_rule_6_2_3
- rhel9cis_rule_6_2_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_6.2.3
- paths
- rule_6.2.7
- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
shell: sed -i '/^+/ d' /etc/shadow
args:
warn: false
- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account"
command: passwd -l {{ item }}
changed_when: false
failed_when: false
with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}"
when:
- rhel9cis_rule_6_2_4
- rhel9cis_uid_zero_accounts_except_root.rc
- rhel9cis_rule_6_2_8
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_6.2.4
- skip_ansible_lint
- accounts
- users
- rule_6.2.8
- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
shell: sed -i '/^+/ d' /etc/group
args:
warn: false
changed_when: false
failed_when: false
when:
- rhel9cis_rule_6_2_5
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.5
- skip_ansible_lint
- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account"
shell: passwd -l {{ item }}
args:
warn: false
changed_when: false
failed_when: false
with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
when:
- uid_zero_accounts_except_root.rc
- rhel9cis_rule_6_2_6
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.6
- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
block:
- name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
- name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
stat:
path: "{{ item }}"
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
register: rhel_09_6_2_7_audit
register: rhel_08_6_2_9_audit
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
- debug:
var: rhel_09_6_2_7_audit
- name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
args:
warn: false
- name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0
register: rhel_09_6_2_7_patch_audit
changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0
register: rhel_08_6_2_9_patch_audit
when:
- ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
file:
path: "{{ item.0 }}"
recurse: true
recurse: yes
mode: a-st,g-w,o-rwx
register: rhel_09_6_2_7_patch
register: rhel_08_6_2_9_patch
when:
- not ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
acl:
path: "{{ item.0 }}"
default: true
default: yes
state: present
recursive: true
recursive: yes
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
when:
- not system_is_container
when: not system_is_container
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results |
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype: group
@ -191,14 +280,17 @@
- etype: other
mode: '0'
when:
- rhel9cis_rule_6_2_7
- rhel9cis_rule_6_2_9
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_6.2.7
- users
- rule_6.2.9
- name: "6.2.8 | L1 | PATCH | Ensure users own their home directories"
- name: "6.2.10 | PATCH | Ensure users own their home directories"
file:
path: "{{ item.dir }}"
owner: "{{ item.id }}"
@ -207,348 +299,66 @@
loop_control:
label: "{{ rhel9cis_passwd_label }}"
when:
- min_int_uid | int >= item.uid
- rhel9cis_rule_6_2_8
- min_int_uid | int <= item.uid
- rhel9cis_rule_6_2_10
tags:
- skip_ansible_lint # settings found on 6_2_7
- level1-server
- level1-workstation
- automated
- patch
- rule_6.2.8
- name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable"
block:
- name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
shell: find /home/ -name "\.*" -perm /g+w,o+w
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_6_2_9_audit
- name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found"
debug:
msg: "Good news! We have not found any group or world-writable dot files on your sytem"
when:
- rhel9cis_6_2_9_audit.stdout is not defined
- name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured"
file:
path: '{{ item }}'
mode: go-w
with_items: "{{ rhel9cis_6_2_9_audit.stdout_lines }}"
when:
- rhel9cis_6_2_9_audit.stdout is defined
- rhel9cis_dotperm_ansiblemanaged
when:
- rhel9cis_rule_6_2_9
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.9
- name: "6.2.10 | L1 | PATCH | Ensure no users have .forward files"
file:
state: absent
dest: "~{{ item }}/.forward"
with_items: "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_10
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_6.2.10
- name: "6.2.11 | L1 | PATCH | Ensure no users have .netrc files"
file:
state: absent
dest: "~{{ item }}/.netrc"
with_items: "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_11
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.11
- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible"
shell: /bin/true
args:
warn: false
changed_when: false
failed_when: false
when:
- rhel9cis_rule_6_2_12
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.12
- name: "6.2.13 | L1 | PATCH | Ensure no users have .rhosts files"
file:
state: absent
dest: "~{{ item }}/.rhosts"
with_items: "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_13
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.13
- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
block:
- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: passwd_gid_check
- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
debug:
msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
when: passwd_gid_check.stdout is not defined
- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
debug:
msg: "WARNING: The following users have non-existent GIDs (Groups): {{ passwd_gid_check.stdout_lines | join (', ') }}"
when: passwd_gid_check.stdout is defined
when:
- rhel9cis_rule_6_2_14
tags:
- level1-server
- level1-workstation
- audit
- rule_6.2.14
- name: "6.2.15 | L1 | AUDIT Ensure no duplicate UIDs exist"
block:
- name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
args:
warn: false
changed_when: false
failed_when: false
register: user_uid_check
- name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
debug:
msg: "Good News! There are no duplicate UID's in the system"
when: user_uid_check.stdout is not defined
- name: "6.2.15 | L1 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
debug:
msg: "Warning: The following users have UIDs that are duplicates: {{ user_uid_check.stdout_lines }}"
when: user_uid_check.stdout is defined
when:
- rhel9cis_rule_6_2_15
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.15
- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist"
block:
- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
args:
warn: false
changed_when: false
failed_when: false
register: user_user_check
- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
debug:
msg: "Good News! There are no duplicate GIDs in the system"
when: user_user_check.stdout is not defined
- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
debug:
msg: "Warning: The following groups have duplicate GIDs: {{ user_user_check.stdout_lines }}"
when: user_user_check.stdout is defined
when:
- rhel9cis_rule_6_2_16
tags:
- level1-server
- level1-workstation
- audit
- rule_6.2.16
- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist"
block:
- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
args:
warn: false
changed_when: false
failed_when: false
register: user_username_check
- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
debug:
msg: "Good News! There are no duplicate user names in the system"
when: user_username_check.stdout is not defined
- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
debug:
msg: "Warning: The following user names are duplicates: {{ user_username_check.stdout_lines }}"
when: user_username_check.stdout is defined
when:
- rhel9cis_rule_6_2_17
tags:
- level1-server
- level1-workstation
- audit
- rule_6.2.17
- name: "6.2.18 | L1 | AUDIT |Ensure no duplicate group names exist"
block:
- name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: group_group_check
- name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
debug:
msg: "Good News! There are no duplicate group names in the system"
when: group_group_check.stdout is defined
- name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
debug:
msg: "Warning: The following group names are duplicates: {{ group_group_check.stdout_lines }}"
when: group_group_check.stdout is not defined
when:
- rhel9cis_rule_6_2_18
tags:
- level1-server
- level1-workstation
- audit
- rule_6.2.18
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty"
block:
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id"
shell: "getent group shadow | cut -d: -f3"
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_shadow_gid
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group"
shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_empty_shadow
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow"
shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'"
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_shadow_passwd
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned"
debug:
msg:
- " Good News! The shadow group is empty and there are no users assigned to shadow"
when:
- rhel9cis_empty_shadow.stdout | length == 0
- rhel9cis_shadow_passwd.stdout | length == 0
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is not empty"
debug:
msg:
- "Alert! The shadow group is not empty"
when:
- rhel9cis_empty_shadow.stdout | length > 0
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert users are using shadow group"
debug:
msg:
- "Alert! The following users are assigned to the shadow group, please assing them to the appropriate group"
- "{{ rhel9cis_shadow_passwd.stdout_lines }}"
when:
- rhel9cis_shadow_passwd.stdout | length > 0
when:
- rhel9cis_rule_6_2_19
tags:
- level1-server
- level1-workstation
- audit
- rule_6.2.19
- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
block:
- name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
stat:
path: "{{ item }}"
register: rhel_09_6_2_20_audit
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
register: rhel_08_6_2_11_audit
- name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
args:
warn: false
- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0
register: rhel_09_6_2_20_patch_audit
changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0
register: rhel_08_6_2_11_patch_audit
when:
- ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
file:
path: "{{ item.0 }}"
recurse: true
recurse: yes
mode: a-st,g-w,o-rwx
register: rhel_09_6_2_20_patch
register: rhel_08_6_2_11_patch
when:
- not ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
acl:
path: "{{ item.0 }}"
default: true
default: yes
state: present
recursive: true
recursive: yes
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
when:
- not system_is_container
when: not system_is_container
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results |
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype: group
@ -556,9 +366,111 @@
- etype: other
mode: '0'
when:
- rhel9cis_rule_6_2_20
- rhel9cis_rule_6_2_11
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_6.2.20
- users
- permissions
- rule_6.2.11
- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable"
block:
- name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w
changed_when: false
failed_when: false
register: rhel9cis_6_2_12_audit
- name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found"
debug:
msg: "Good news! We have not found any group or world-writable dot files on your sytem"
when:
- rhel9cis_6_2_12_audit.stdout is not defined
- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured"
file:
path: '{{ item }}'
mode: go-w
with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}"
when:
- rhel9cis_6_2_12_audit.stdout is defined
- rhel9cis_dotperm_ansiblemanaged
when:
- rhel9cis_rule_6_2_12
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- permissions
- rule_6.2.12
- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible"
command: /bin/true
changed_when: false
failed_when: false
when:
- rhel9cis_rule_6_2_13
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- permissions
- notimplemented
- rule_6.2.13
- name: "6.2.14 | PATCH | Ensure no users have .forward files"
file:
state: absent
dest: "~{{ item }}/.forward"
with_items:
- "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_14
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- files
- rule_6.2.14
- name: "6.2.15 | PATCH | Ensure no users have .netrc files"
file:
state: absent
dest: "~{{ item }}/.netrc"
with_items:
- "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_15
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- files
- rule_6.2.15
- name: "6.2.16 | PATCH | Ensure no users have .rhosts files"
file:
state: absent
dest: "~{{ item }}/.rhosts"
with_items: "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_16
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- files
- rule_6.2.16

547
templates/ansible_vars_goss.yml.j2
View file

@ -1,16 +1,17 @@
## metadata for benchmark
## metadata for Audit benchmark
benchmark_version: '1.0.1'
benchmark_version: '2.0.0'
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %}
# If run via script this is discovered and set
host_os_distribution: {{ ansible_distribution | lower }}
rhel9cis_os_distribution: {{ ansible_distribution | lower }}
# timeout for each command to run where set - default = 10seconds/10000ms
timeout_ms: {{ audit_cmd_timeout }}
# timeout for each command to run where set - default = 10seconds/10000ms
timeout_ms: 60000
# Taken from LE rhel9-cis
rhel9cis_notauto: {{ rhel9cis_notauto }}
rhel9cis_section1: {{ rhel9cis_section1 }}
rhel9cis_section2: {{ rhel9cis_section2 }}
rhel9cis_section3: {{ rhel9cis_section3 }}
@ -23,84 +24,114 @@ rhel9cis_level_2: {{ rhel9cis_level_2 }}
rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
run_heavy_tests: true
# True is BIOS based system else set to false
{% if rhel9cis_legacy_boot is defined %}
rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
{% endif %}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 rules
# 1.1.1 Disable unused filesystems
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }}
rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }}
rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }}
rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }}
rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }}
rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }}
rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }}
rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }}
# 1.1.2 Configure /tmp
rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }}
rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }}
rhel9cis_rule_1_1_2_3: {{ rhel9cis_rule_1_1_2_3 }}
rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }}
# 1.1.3 Configure /var
rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }}
rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }}
rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }}
rhel9cis_rule_1_1_3_4: {{ rhel9cis_rule_1_1_3_4 }}
# 1.1.4 Configure /var/tmp
rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }}
rhel9cis_rule_1_1_4_2: {{ rhel9cis_rule_1_1_4_2 }}
rhel9cis_rule_1_1_4_3: {{ rhel9cis_rule_1_1_4_3 }}
rhel9cis_rule_1_1_4_4: {{ rhel9cis_rule_1_1_4_4 }}
# 1.1.5 Configure /var/log
rhel9cis_rule_1_1_5_1: {{ rhel9cis_rule_1_1_5_1 }}
rhel9cis_rule_1_1_5_2: {{ rhel9cis_rule_1_1_5_2 }}
rhel9cis_rule_1_1_5_3: {{ rhel9cis_rule_1_1_5_3 }}
rhel9cis_rule_1_1_5_4: {{ rhel9cis_rule_1_1_5_4 }}
# 1.1.6 Configure /var/log/audit
rhel9cis_rule_1_1_6_1: {{ rhel9cis_rule_1_1_6_1 }}
rhel9cis_rule_1_1_6_2: {{ rhel9cis_rule_1_1_6_2 }}
rhel9cis_rule_1_1_6_3: {{ rhel9cis_rule_1_1_6_3 }}
rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }}
# 1.1.7 Configure /home
rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }}
rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }}
rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }}
rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }}
rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }}
# 1.1.8 Configure /dev/shm
rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }}
rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }}
rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }}
# 1.9 autofs
rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
# 1.10 usb-storage
rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }}
rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }}
rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }}
rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }}
rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }}
rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }}
rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }}
rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }}
rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }}
rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }}
rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }}
rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }}
rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }}
# 1.2 Configure Software Updates
rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed
rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }}
# 1.3 Filesystem Integrity Checking
rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
# 1.4 Secure Boot Settings
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
# 1.5 Additional Process Hardening
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }}
rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }}
rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }}
rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }}
rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }}
rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }}
rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }}
rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }}
rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }}
rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }}
rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }}
rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
# 1.6 Mandatory Access Control
rhel9cis_rule_1_6_1_1: {{ rhel9cis_rule_1_6_1_1 }}
rhel9cis_rule_1_6_1_2: {{ rhel9cis_rule_1_6_1_2 }}
rhel9cis_rule_1_6_1_3: {{ rhel9cis_rule_1_6_1_3 }}
rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }}
rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }}
rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }}
rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }}
# 1.7 Command Line Warning Banners
rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }}
rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }}
rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }}
rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }}
rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }}
rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }}
# 1.8 Gnome Display Manager
rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }}
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }}
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }}
# 1.9 Ensure updates, patches, and additional security software are installed
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
# Ensure system-wide crypto policy is not legacy
rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }}
# section 2 rules
# section 2
# Services
# 2.1 Time Synchronization
rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }}
rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }}
rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }}
# 2.2 Special Purpose Services
rhel9cis_rule_2_2_1: {{ rhel9cis_rule_2_2_1 }}
rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
@ -118,74 +149,123 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }}
rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }}
# 2.3 service clients
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }}
rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }}
rhel9cis_rule_2_4: true # todo
# Section 3 rules
# 3.1 Disable unused network protocols and devices
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }}
# 3.2 Network Parameters (Host Only)
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }}
rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }}
rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }}
rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }}
rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }}
rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }}
rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }}
# 3.3 Network Parameters (Host and Router)
rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
rhel9cis_rule_3_3_5: {{ rhel9cis_rule_3_3_5 }}
rhel9cis_rule_3_3_6: {{ rhel9cis_rule_3_3_6 }}
rhel9cis_rule_3_3_7: {{ rhel9cis_rule_3_3_7 }}
rhel9cis_rule_3_3_8: {{ rhel9cis_rule_3_3_8 }}
rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }}
# 3.4.1 Configure firewalld
rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }}
rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }}
rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }}
rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }}
rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }}
rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }}
# 3.4.1 Configure nftables
rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }}
rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }}
rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }}
rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }}
rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }}
rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }}
rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }}
rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }}
# Section 4 rules
# Section 4 rules
# 4.1 Configure System Accounting
rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }}
rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }}
rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }}
# 4.1.2 Configure Data retention
rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }}
rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }}
rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }}
rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }}
rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }}
rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }}
rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }}
rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }}
rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }}
rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }}
rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }}
rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }}
rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }}
rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }}
rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }}
rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }}
rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }}
rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }}
# 4.1.3 Configure auditd rules
rhel9cis_rule_4_1_3_1: {{ rhel9cis_rule_4_1_3_1 }}
rhel9cis_rule_4_1_3_2: {{ rhel9cis_rule_4_1_3_2 }}
rhel9cis_rule_4_1_3_3: {{ rhel9cis_rule_4_1_3_3 }}
rhel9cis_rule_4_1_3_4: {{ rhel9cis_rule_4_1_3_4 }}
rhel9cis_rule_4_1_3_5: {{ rhel9cis_rule_4_1_3_5 }}
rhel9cis_rule_4_1_3_6: {{ rhel9cis_rule_4_1_3_6 }}
rhel9cis_rule_4_1_3_7: {{ rhel9cis_rule_4_1_3_7 }}
rhel9cis_rule_4_1_3_8: {{ rhel9cis_rule_4_1_3_8 }}
rhel9cis_rule_4_1_3_9: {{ rhel9cis_rule_4_1_3_9 }}
rhel9cis_rule_4_1_3_10: {{ rhel9cis_rule_4_1_3_10 }}
rhel9cis_rule_4_1_3_11: {{ rhel9cis_rule_4_1_3_11 }}
rhel9cis_rule_4_1_3_12: {{ rhel9cis_rule_4_1_3_12 }}
rhel9cis_rule_4_1_3_13: {{ rhel9cis_rule_4_1_3_13 }}
rhel9cis_rule_4_1_3_14: {{ rhel9cis_rule_4_1_3_14 }}
rhel9cis_rule_4_1_3_15: {{ rhel9cis_rule_4_1_3_15 }}
rhel9cis_rule_4_1_3_16: {{ rhel9cis_rule_4_1_3_16 }}
rhel9cis_rule_4_1_3_17: {{ rhel9cis_rule_4_1_3_17 }}
rhel9cis_rule_4_1_3_18: {{ rhel9cis_rule_4_1_3_18 }}
rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }}
rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }}
rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }}
# 4.2.1 Configure rsyslog
rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }}
rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }}
rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }}
rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }}
rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }}
rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }}
rhel9cis_rule_4_2_1_7: {{ rhel9cis_rule_4_2_1_7 }}
# 4.2.2 Configure journald
rhel9cis_rule_4_2_2_1_1: {{ rhel9cis_rule_4_2_2_1_1 }}
rhel9cis_rule_4_2_2_1_2: {{ rhel9cis_rule_4_2_2_1_2 }}
rhel9cis_rule_4_2_2_1_3: {{ rhel9cis_rule_4_2_2_1_3 }}
rhel9cis_rule_4_2_2_1_4: {{ rhel9cis_rule_4_2_2_1_4 }}
rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }}
rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }}
rhel9cis_rule_4_2_2_4: {{ rhel9cis_rule_4_2_2_4 }}
rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }}
rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }}
rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }}
rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
# 4.3 Logrotate
rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }}
rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }}
rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }}
# Section 5
# Authentication and Authorization
# 5.1 Configure time-based job schedulers
rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
@ -195,6 +275,7 @@ rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
# 5.2 Configure SSH Server
rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
@ -215,31 +296,41 @@ rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }}
rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }}
rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }}
rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }}
# 5.3 Configure privilege escalation
rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }}
rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }}
rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }}
rhel9cis_rule_5_3_4: {{ rhel9cis_rule_5_3_4 }}
rhel9cis_rule_5_3_5: {{ rhel9cis_rule_5_3_5 }}
rhel9cis_rule_5_3_6: {{ rhel9cis_rule_5_3_6 }}
rhel9cis_rule_5_3_7: {{ rhel9cis_rule_5_3_7 }}
# 5.4 Configure authselect
rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }}
rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }}
rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }}
rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }}
rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }}
rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }}
rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }}
rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }}
rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }}
# 5.5 Configure PAM
rhel9cis_rule_5_5_1: {{ rhel9cis_rule_5_5_1 }}
rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }}
rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }}
rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }}
rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }}
rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }}
rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }}
# 5.6 User Accounts and Environment
# 5.6.1 Set Shadow Password Suite Parameters
rhel9cis_rule_5_6_1_1: {{ rhel9cis_rule_5_6_1_1 }}
rhel9cis_rule_5_6_1_2: {{ rhel9cis_rule_5_6_1_2 }}
rhel9cis_rule_5_6_1_3: {{ rhel9cis_rule_5_6_1_3 }}
rhel9cis_rule_5_6_1_4: {{ rhel9cis_rule_5_6_1_4 }}
rhel9cis_rule_5_6_1_5: {{ rhel9cis_rule_5_6_1_5 }}
rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }}
rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }}
rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }}
rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }}
# Section 6
# 6 System Maintenance
# 6.1 System File Permissions
rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
@ -254,7 +345,9 @@ rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }}
rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }}
rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }}
rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }}
rhel9cis_rule_6_1_15: {{ rhel9cis_rule_6_1_15 }}
# 6.2 User and Group Settings
rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }}
rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }}
rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }}
@ -271,204 +364,132 @@ rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }}
rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }}
rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }}
rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }}
rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }}
rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }}
rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }}
rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
############
# Service configuration booleans set true to keep service
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_ldap_server: {{ rhel9cis_ldap_server }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }}
rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_rsh_server: {{ rhel9cis_rsh_server }}
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_smb_server: {{ rhel9cis_smb_server }}
rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
rhel9cis_named_server: {{ rhel9cis_named_server }}
rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }}
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
rhel9cis_bind: {{ rhel9cis_bind }}
rhel9cis_vsftpd: {{ rhel9cis_vsftpd }}
rhel9cis_httpd: {{ rhel9cis_httpd }}
rhel9cis_dovecot: {{ rhel9cis_dovecot }}
rhel9cis_samba: {{ rhel9cis_samba }}
rhel9cis_squid: {{ rhel9cis_squid }}
rhel9cis_net_snmp: {{ rhel9cis_net_snmp}}
rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
# client services
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
# Section 1
# AIDE
rhel9cis_config_aide: {{ rhel9cis_config_aide }}
# aide setup via - cron, timer
rhel9_aide_scan: cron
# AIDE cron settings
rhel9cis_aide_cron:
cron_user: {{ rhel9cis_aide_cron.cron_user }}
cron_file: '{{ rhel9cis_aide_cron.cron_file }}'
aide_job: ' {{ rhel9cis_aide_cron.aide_job }}'
aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}'
aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}'
aide_day: '{{ rhel9cis_aide_cron.aide_day }}'
aide_month: '{{ rhel9cis_aide_cron.aide_month }}'
aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}'
# 1.5.1 Bootloader password
rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# 1.10 crypto
rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: {{ rhel9cis_gui }}
# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
# End Banner
# aide setup via - cron, timer
rhel9_aide_scan: cron
# Section 2
## 2.2 Special Purposes
# Set to 'true' if X Windows is needed in your environment
rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }}
rhel9cis_xwindows_required: false
### Service configuration booleans set true to keep service
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }}
rhel9cis_imap_server: {{ rhel9cis_imap_server }}
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: {{ rhel9cis_gui }}
# Note the options
# Packages are used for client services and Server- only remove if you dont use the client service
#
rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs_server }}
rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs_service }}
rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc_server }}
rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc_service }}
rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }}
rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }}
# xinetd required
rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }}
#### 2.3 Service clients
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
# IPv6 required
# Section 3
## IPv6 required
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
# System network parameters (host only OR host and router)
## 3.2 System network parameters (host only OR host and router)
rhel9cis_is_router: {{ rhel9cis_is_router }}
# Time Synchronization
rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }}
rhel9cis_varlog_location: {{ rhel9cis_varlog_location }}
## Section 3.4
### Firewall
rhel9cis_firewall: {{ rhel9cis_firewall }}
#rhel9cis_firewall: iptables
rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }}
rhel9cis_firewall_interface:
- enp0s3
- enp0s8
rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
##### firewalld
rhel9cis_default_zone: {{ rhel9cis_default_zone }}
rhel9cis_firewalld_nftables_state: {{ rhel9cis_firewalld_nftables_state }} # Note if absent removes the firewalld pkg dependancy
#### nftables
rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }}
rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }}
rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }}
rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
### Section 4
## auditd settings
rhel9cis_auditd:
space_left_action: {{ rhel9cis_auditd.space_left_action}}
action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }}
admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }}
max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }}
auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }}
# Section 4
## syslog
rhel9_cis_rsyslog: true
rhel9_cis_rsyslog: {{ rhel9cis_syslog }}
### Section 5
# Section 5
## 5.2.4 Note the following to understand precedence and layout
rhel9cis_sshd_limited: false
#Note the following to understand precedence and layout
rhel9cis_sshd_access:
AllowUser:
AllowGroup:
DenyUser:
DenyGroup:
- AllowUser
- AllowGroup
- DenyUser
- DenyGroup
rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
rhel9cis_ssh_weak_ciphers:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256
rhel9cis_ssh_weak_macs:
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
rhel9cis_ssh_weak_kex:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
rhel9cis_ssh_aliveinterval: "300"
rhel9cis_ssh_countmax: "3"
## PAM
rhel9cis_pam_password:
minlen: {{ rhel9cis_pam_password.minlen }}
minclass: {{ rhel9cis_pam_password.minclass }}
rhel9cis_pam_passwd_retry: "3"
# faillock or tally2
rhel9cis_accountlock: faillock
## note this is to skip tests
skip_rhel9cis_pam_passwd_auth: true
skip_rhel9cis_pam_system_auth: true
# choose one of below
rhel9cis_pwhistory_so: "14"
rhel9cis_unix_so: false
rhel9cis_passwd_remember: "5"
# logins.def password settings
rhel9cis_pass:
max_days: {{ rhel9cis_pass.max_days }}
min_days: {{ rhel9cis_pass.min_days }}
warn_age: {{ rhel9cis_pass.warn_age }}
# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example
rhel9cis_authselect:
custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }}
options: {{ rhel9cis_authselect.options }}
# 5.3.1 Enable automation to creat custom profile settings, using the setings above
rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
# 5.3.2 Enable automation to select custom profile options, using the settings above
## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }}
# 5.7
rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }}
rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}
## 5.3.2 Authselect select false if using AD or RHEL ID mgmt
rhel9cis_authselect:
custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
default_file_to_copy: {{ rhel9cis_authselect['default_file_to_copy'] }}
## 5.4.1 Enable automation to create custom profile settings, using the setings above
rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
# 5.5.1
## PAM
rhel9cis_pam_password:
minlen: {{ rhel9cis_pam_password['minlen'] }}
minclass: {{ rhel9cis_pam_password['minclass'] }}
rhel9cis_pam_passwd_retry: "3"
## 5.5.3 choose one of below
rhel9cis_pwhistory_so: "14"
rhel9cis_passwd_remember: "5"
## 5.6.x login.defs password settings
rhel9cis_pass:
max_days: {{ rhel9cis_pass['max_days'] }}
min_days: {{ rhel9cis_pass['min_days'] }}
warn_age: {{ rhel9cis_pass['warn_age'] }}
## 5.3.7 set sugroup if differs from wheel
rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %}
## 5.3.7 sugroup users list
rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}

429
templates/ansible_vars_goss.yml.old Normal file
View file

@ -0,0 +1,429 @@
## metadata for Audit benchmark
benchmark_version: '1.0.1'
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %}
rhel9cis_os_distribution: {{ ansible_distribution | lower }}
# timeout for each command to run where set - default = 10seconds/10000ms
timeout_ms: {{ audit_cmd_timeout }}
# Taken from LE rhel8-cis
rhel9cis_section1: {{ rhel9cis_section1 }}
rhel9cis_section2: {{ rhel9cis_section2 }}
rhel9cis_section3: {{ rhel9cis_section3 }}
rhel9cis_section4: {{ rhel9cis_section4 }}
rhel9cis_section5: {{ rhel9cis_section5 }}
rhel9cis_section6: {{ rhel9cis_section6 }}
rhel9cis_level_1: {{ rhel9cis_level_1 }}
rhel9cis_level_2: {{ rhel9cis_level_2 }}
rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
run_heavy_tests: true
{% if rhel9cis_legacy_boot is defined %}
rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
{% endif %}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 rules
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }}
rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }}
rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }}
rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }}
rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }}
rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }}
rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }}
rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }}
rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }}
rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }}
rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }}
rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }}
rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }}
rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }}
rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }}
rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }}
rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }}
rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }}
rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }}
rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }}
rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }}
rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed
rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }}
rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }}
rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }}
rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }}
rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }}
rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }}
rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }}
rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }}
rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }}
rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }}
rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
# section 2 rules
rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }}
rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }}
rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }}
rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }}
rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }}
rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }}
rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }}
rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }}
rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }}
rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }}
rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }}
rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }}
rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
# Section 3 rules
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }}
rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }}
rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }}
rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }}
rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }}
rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }}
rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }}
rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }}
rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }}
rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }}
# Section 4 rules
rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }}
rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }}
rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }}
rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }}
rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }}
rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }}
rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }}
rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }}
rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }}
rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }}
rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }}
rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }}
rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }}
rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }}
rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }}
rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }}
rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }}
rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }}
rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }}
rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }}
rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }}
rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }}
rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }}
rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }}
rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }}
rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }}
rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }}
rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }}
rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
# Section 5
rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }}
rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }}
rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }}
rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }}
rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }}
rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }}
rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }}
rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }}
rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }}
rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }}
rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }}
rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }}
rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }}
rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }}
rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }}
rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }}
rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }}
rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }}
rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }}
rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }}
rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }}
rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }}
rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }}
rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }}
rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }}
rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }}
rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }}
rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }}
rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }}
rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }}
rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }}
rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }}
rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }}
rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }}
rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }}
rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }}
rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }}
# Section 6
rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }}
rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }}
rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }}
rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }}
rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }}
rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }}
rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }}
rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }}
rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }}
rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }}
rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }}
rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }}
rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }}
rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }}
rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }}
rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }}
rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }}
rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }}
rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }}
rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }}
rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }}
rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }}
rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }}
rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }}
rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }}
rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }}
rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }}
rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }}
rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }}
rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }}
rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
# Service configuration booleans set true to keep service
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }}
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
rhel9cis_rsync_server: {{ rhel9cis_rsync_server }}
rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
# client services
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
# AIDE
rhel9cis_config_aide: {{ rhel9cis_config_aide }}
# aide setup via - cron, timer
rhel9_aide_scan: cron
# AIDE cron settings
rhel9cis_aide_cron:
cron_user: {{ rhel9cis_aide_cron.cron_user }}
cron_file: '{{ rhel9cis_aide_cron.cron_file }}'
aide_job: ' {{ rhel9cis_aide_cron.aide_job }}'
aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}'
aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}'
aide_day: '{{ rhel9cis_aide_cron.aide_day }}'
aide_month: '{{ rhel9cis_aide_cron.aide_month }}'
aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}'
# 1.5.1 Bootloader password
rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# 1.10 crypto
rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
# End Banner
# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: {{ rhel9cis_gui }}
# xinetd required
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
# IPv6 required
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
# System network parameters (host only OR host and router)
rhel9cis_is_router: {{ rhel9cis_is_router }}
rhel9cis_firewall: {{ rhel9cis_firewall }}
#rhel9cis_firewall: iptables
rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }}
rhel9cis_firewall_interface:
- enp0s3
- enp0s8
rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
### Section 4
## auditd settings
rhel9cis_auditd:
space_left_action: {{ rhel9cis_auditd.space_left_action}}
action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }}
admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }}
max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }}
auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }}
## syslog
rhel9_cis_rsyslog: true
### Section 5
rhel9cis_sshd_limited: false
#Note the following to understand precedence and layout
rhel9cis_sshd_access:
AllowUser:
AllowGroup:
DenyUser:
DenyGroup:
rhel9cis_ssh_aliveinterval: "300"
rhel9cis_ssh_countmax: "3"
rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}
## PAM
rhel9cis_pam_password:
minlen: {{ rhel9cis_pam_password.minlen }}
minclass: {{ rhel9cis_pam_password.minclass }}
rhel9cis_pam_passwd_retry: "3"
# faillock or tally2
rhel9cis_accountlock: faillock
## note this is to skip tests
skip_rhel9cis_pam_passwd_auth: true
skip_rhel9cis_pam_system_auth: true
# choose one of below
rhel9cis_pwhistory_so: "14"
rhel9cis_unix_so: false
rhel9cis_passwd_remember: "5"
# logins.def password settings
rhel9cis_pass:
max_days: {{ rhel9cis_pass.max_days }}
min_days: {{ rhel9cis_pass.min_days }}
warn_age: {{ rhel9cis_pass.warn_age }}
# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example
rhel9cis_authselect:
custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }}
options: {{ rhel9cis_authselect.options }}
# 5.3.1 Enable automation to creat custom profile settings, using the setings above
rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
# 5.3.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }}
# 5.7
rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }}
rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}

120
templates/audit/99_auditd.rules.j2
View file

@ -1,79 +1,93 @@
# File created initially via RHEL9 CIS ansible-lockdown remdiation role
{% if rhel9cis_rule_4_1_3 %}
# This template will set all of the auditd configurations via a handler in the role in one task instead of individually
{% if rhel9cis_rule_4_1_3_1 %}
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
{% endif %}
{% if rhel9cis_rule_4_1_4 %}
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
{% if rhel9cis_rule_4_1_3_2 %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
{% endif %}
{% if rhel9cis_rule_4_1_5 %}
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
{% if rhel9cis_rule_4_1_3_3 %}
-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
{% endif %}
{% if rhel9cis_rule_4_1_6 %}
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
{% if rhel9cis_rule_4_1_3_4 %}
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
{% endif %}
{% if rhel9cis_rule_4_1_7 %}
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
{% endif %}
{% if rhel9cis_rule_4_1_8 %}
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
{% if rhel9cis_rule_4_1_3_5 %}
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts -p wa -k system-locale
{% endif %}
{% if rhel9cis_rule_4_1_9 %}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
{% if rhel9cis_rule_4_1_3_6 %}
{% for proc in priv_procs.stdout_lines -%}
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged
{% endfor %}
{% endif %}
{% if rhel9cis_rule_4_1_10 %}
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
{% if rhel9cis_rule_4_1_3_7 %}
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access
{% endif %}
{% if rhel9cis_rule_4_1_11 %}
{% if rhel9cis_rule_4_1_3_8 %}
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
{% endif %}
{% if rhel9cis_rule_4_1_12 %}
-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
{% if rhel9cis_rule_4_1_3_9 %}
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
{% endif %}
{% if rhel9cis_rule_4_1_13 %}
{% for proc in priv_procs.stdout_lines -%}
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged
{% endfor %}
{% if rhel9cis_rule_4_1_3_10 %}
-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
{% endif %}
{% if rhel9cis_rule_4_1_14 %}
-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
{% if rhel9cis_rule_4_1_3_11 %}
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
{% endif %}
{% if rhel9cis_rule_4_1_15 %}
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% if rhel9cis_rule_4_1_3_12 %}
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
{% endif %}
{% if rhel9cis_rule_4_1_16 %}
-w /var/log/sudo.log -p wa -k actions
{% if rhel9cis_rule_4_1_3_13 %}
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
{% endif %}
{% if rhel9cis_rule_4_1_17 %}
{% if rhel9cis_rule_4_1_3_14 %}
-w /etc/selinux -p wa -k MAC-policy
-w /usr/share/selinux -p wa -k MAC-policy
{% endif %}
{% if rhel9cis_rule_4_1_3_15 %}
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
{% endif %}
{% if rhel9cis_rule_4_1_3_16 %}
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
{% endif %}
{% if rhel9cis_rule_4_1_3_17 %}
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd
{% endif %}
{% if rhel9cis_rule_4_1_3_18 %}
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
{% endif %}
{% if rhel9cis_rule_4_1_3_19 %}
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
{% endif %}
{% if rhel9cis_rule_4_1_3_20 %}
-e 2
{% endif %}

75
templates/etc/99-sysctl.conf.j2
View file

@ -1,75 +0,0 @@
# Setting added via ansible CIS remediation playbook
{% if rhel9cis_rule_1_6_1 %}
# Filesystem sysctl
# CIS 1.6.1
fs.suid_dumpable = 0
{% endif %}
{% if rhel9cis_rule_1_6_2 %}
# Kernel sysctl
# CIS 1.6.2
kernel.randomize_va_space = 2
{% endif %}
# Network sysctl
{% if rhel9cis_rule_3_1_1 %}
# CIS 3.1.1
net.ipv4.ip_forward = 0
{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
net.ipv6.conf.all.forwarding = 0
{% endif %}
{% endif %}
{% if rhel9cis_rule_3_1_2 %}
# CIS 3.1.2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
{% endif %}
{% if rhel9cis_rule_3_2_1 %}
# CIS 3.2.1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %}
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
{% endif %}
{% endif %}
{% if rhel9cis_rule_3_2_2 %}
# CIS 3.2.2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %}
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
{% endif %}
{% endif %}
{% if rhel9cis_rule_3_2_3 %}
# CIS 3.2.3
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
{% endif %}
{% if rhel9cis_rule_3_2_4 %}
# CIS 3.2.4
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
{% endif %}
{% if rhel9cis_rule_3_2_5 %}
# CIS 3.2.5
net.ipv4.icmp_echo_ignore_broadcasts = 1
{% endif %}
{% if rhel9cis_rule_3_2_6 %}
# CIS 3.2.6
net.ipv4.icmp_ignore_bogus_error_responses = 1
{% endif %}
{% if rhel9cis_rule_3_2_7 %}
# CIS 3.2.7
net.ipv4.conf.default.rp_filter = 1
{% endif %}
{% if rhel9cis_rule_3_2_8 %}
# CIS 3.2.8
net.ipv4.tcp_syncookies = 1
{% endif %}
{% if rhel9cis_rule_3_2_9 %}
# CIS 3.2.9
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
{% endif %}

0
templates/chrony.conf.j2 → templates/etc/chrony.conf.j2
View file

2
templates/aide.cron.j2 → templates/etc/cron.d/aide.cron.j2
View file

@ -1,5 +1,5 @@
# Run AIDE integrity check
# added via ansible-lockdown remediation
# CIS 1.4.2
# CIS 1.3.2
{{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }}

5
templates/etc/modprobe.d/modprobe.conf.j2 Normal file
View file

@ -0,0 +1,5 @@
# Disable usage of protocol {{ item }}
# Set by ansible {{ benchmark }} remediation role
# https://github.com/ansible-lockdown
install {{ item }} /bin/true

7
templates/etc/sysctl.d/60-disable_ipv6.conf.j2 Normal file
View file

@ -0,0 +1,7 @@
# Setting added via ansible CIS remediation playbook
# IPv6 disable
{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
{% endif %}

8
templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 Normal file
View file

@ -0,0 +1,8 @@
# Setting added via ansible CIS remediation playbook
{% if rhel9cis_rule_1_5_3 %}
# Kernel sysctl
# CIS 1.5.3
kernel.randomize_va_space = 2
{% endif %}

49
templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 Normal file
View file

@ -0,0 +1,49 @@
# Setting added via ansible CIS remediation playbook
# IPv4 Network sysctl
{% if rhel9cis_rule_3_2_1 %}
# CIS 3.2.1
net.ipv4.ip_forward = 0
{% endif %}
{% if rhel9cis_rule_3_2_2 %}
# CIS 3.2.2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
{% endif %}
{% if rhel9cis_rule_3_3_1 %}
# CIS 3.3.1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
{% endif %}
{% if rhel9cis_rule_3_3_2 %}
# CIS 3.3.2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
{% endif %}
{% if rhel9cis_rule_3_3_3 %}
# CIS 3.3.3
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
{% endif %}
{% if rhel9cis_rule_3_3_4 %}
# CIS 3.3.4
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
{% endif %}
{% if rhel9cis_rule_3_3_5 %}
# CIS 3.3.5
net.ipv4.icmp_echo_ignore_broadcasts = 1
{% endif %}
{% if rhel9cis_rule_3_3_6 %}
# CIS 3.3.6
net.ipv4.icmp_ignore_bogus_error_responses = 1
{% endif %}
{% if rhel9cis_rule_3_3_7 %}
# CIS 3.3.7
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
{% endif %}
{% if rhel9cis_rule_3_3_8 %}
# CIS 3.3.8
net.ipv4.tcp_syncookies = 1
{% endif %}

21
templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 Normal file
View file

@ -0,0 +1,21 @@
# Setting added via ansible CIS remediation playbook
# IPv6 Network sysctl
{% if rhel9cis_ipv6_required %}
{% if rhel9cis_rule_3_2_1 %}
net.ipv6.conf.all.forwarding = 0
{% endif %}
{% if rhel9cis_rule_3_3_1 %}
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
{% endif %}
{% if rhel9cis_rule_3_3_2 %}
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
{% endif %}
{% if rhel9cis_rule_3_3_9 %}
# CIS 3.3.9
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
{% endif %}
{% endif %}

11
templates/hosts.allow.j2
View file

@ -1,11 +0,0 @@
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}

59
templates/ntp.conf.j2
View file

@ -1,59 +0,0 @@
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap nopeer noquery
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% for server in rhel9cis_time_synchronization_servers -%}
server {{ server }} {{ rhel9cis_ntp_server_options }}
{% endfor %}
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

2
vars/AlmaLinux.yml
View file

@ -1,4 +1,4 @@
---
# OS Specific Settings
rpm_gpg_key: RPM-GPG-KEY-AlmaLinux
rpm_gpg_key: RPM-GPG-KEY-AlmaLinux

4
vars/RedHat.yml
View file

@ -1,4 +1,6 @@
---
# OS Specific Settings
rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
rpm_packager: "Red Hat, Inc"
rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/

8
vars/is_container.yml
View file

@ -6,8 +6,6 @@
## controls
# Authconfig
rhel9cis_use_authconfig: false
# Firewall
rhel9cis_firewall: None
@ -43,7 +41,7 @@ rhel9cis_rule_5_1_8: false
# crypto
rhel9cis_rule_1_10: false
rhel9cis_rule_1_11: false
# grub
rhel9cis_rule_1_5_1: false
@ -56,7 +54,7 @@ rhel9cis_rule_1_1_2: false
rhel9cis_rule_1_1_3: false
rhel9cis_rule_1_1_4: false
rhel9cis_rule_1_1_5: false
#/var
# /var
rhel9cis_rule_1_1_6: false
# /var/tmp
rhel9cis_rule_1_1_7: false
@ -89,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false
rhel9cis_rule_4_2_2_3: false
# systemd
rhel9cis_rule_1_6_1: false
# Users/passwords/accounts
rhel9cis_rule_5_5_2: false

1
vars/main.yml
View file

@ -3,5 +3,6 @@
min_ansible_version: 2.10
rhel9cis_allowed_crypto_policies:
- 'DEFAULT'
- 'FUTURE'
- 'FIPS'