From 8c79bfe7fb7b12cee8dd3307d0b590827faedf98 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:22:30 +0100 Subject: [PATCH] updated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +- tasks/section_1/cis_1.1.2.x.yml | 22 +++---- tasks/section_1/cis_1.1.3.x.yml | 12 ++-- tasks/section_1/cis_1.1.4.x.yml | 12 ++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++-- tasks/section_1/cis_1.1.6.x.yml | 12 ++-- tasks/section_1/cis_1.1.7.x.yml | 14 ++--- tasks/section_1/cis_1.1.8.x.yml | 12 ++-- tasks/section_1/cis_1.1.x.yml | 6 +- tasks/section_1/cis_1.10.yml | 4 +- tasks/section_1/cis_1.2.x.yml | 14 ++--- tasks/section_1/cis_1.3.x.yml | 22 +++---- tasks/section_1/cis_1.4.x.yml | 12 ++-- tasks/section_1/cis_1.5.x.yml | 6 +- tasks/section_1/cis_1.6.1.x.yml | 28 ++++----- tasks/section_1/cis_1.7.x.yml | 12 ++-- tasks/section_1/cis_1.8.x.yml | 20 +++--- tasks/section_1/cis_1.9.yml | 2 +- tasks/section_1/main.yml | 4 +- tasks/section_2/cis_2.1.x.yml | 12 ++-- tasks/section_2/cis_2.2.x.yml | 80 ++++++++++++------------ tasks/section_2/cis_2.3.x.yml | 24 ++++---- tasks/section_2/cis_2.4.yml | 6 +- tasks/section_3/cis_3.1.x.yml | 104 +++++++++++++++++++++++--------- tasks/section_3/cis_3.3.x.yml | 61 ------------------- 25 files changed, 253 insertions(+), 266 deletions(-) delete mode 100644 tasks/section_3/cis_3.3.x.yml diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index b9fb674..8cf70dc 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -16,7 +16,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_1 + - rhel9cis_rule_1_1_1_1 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_2 + - rhel9cis_rule_1_1_1_2 tags: - level2-server - level2-workstation 
@@ -66,7 +66,7 @@ state: absent when: ansible_connection != 'docker' when: - - rhel8cis_rule_1_1_1_3 + - rhel9cis_rule_1_1_1_3 tags: - level2-server - level2-workstation diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 06c4eef..bb18993 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,7 +4,7 @@ debug: msg: "WARNING!! /tmp is not mounted on a separate partition" when: - - rhel8cis_rule_1_1_2_1 + - rhel9cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server @@ -24,7 +24,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: remount tmp with_items: - "{{ ansible_mounts }}" @@ -32,10 +32,10 @@ label: "{{ item.device }}" when: - item.mount == "/tmp" - - not rhel8cis_tmp_svc - - rhel8cis_rule_1_1_2_2 or - rhel8cis_rule_1_1_2_3 or - rhel8cis_rule_1_1_2_4 + - not rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 tags: - level1-server - level1-workstation @@ -60,11 +60,11 @@ mode: 0644 notify: systemd restart tmp.mount when: - - rhel8cis_tmp_svc - - rhel8cis_rule_1_1_2_1 or - rhel8cis_rule_1_1_2_2 or - rhel8cis_rule_1_1_2_3 or - rhel8cis_rule_1_1_2_4 + - rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_1 or + rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 31696f8..c7fb986 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -19,7 +19,7 @@ vars: required_mount: '/var' when: - - rhel8cis_rule_1_1_3_1 + - rhel9cis_rule_1_1_3_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,10 +47,10 @@ when: - var_mount_present is defined - item.mount == "/var" - - rhel8cis_rule_1_1_3_1 # This is required so the check takes place - - rhel8cis_rule_1_1_3_2 or - rhel8cis_rule_1_1_3_3 or - rhel8cis_rule_1_1_3_4 + - rhel9cis_rule_1_1_3_1 # This is required so the check takes place + - rhel9cis_rule_1_1_3_2 or + rhel9cis_rule_1_1_3_3 or + rhel9cis_rule_1_1_3_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b2ddbf0..dbeab96 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -20,7 +20,7 @@ vars: required_mount: '/var/tmp' when: - - rhel8cis_rule_1_1_4_1 + - rhel9cis_rule_1_1_4_1 tags: - level2-server - level2-workstation @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -48,10 +48,10 @@ when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel8cis_rule_1_1_4_1 # This is required so the check takes place - - rhel8cis_rule_1_1_4_2 or - rhel8cis_rule_1_1_4_3 or - rhel8cis_rule_1_1_4_4 + - rhel9cis_rule_1_1_4_1 # This is required so the check takes place + - rhel9cis_rule_1_1_4_2 or + rhel9cis_rule_1_1_4_3 or + rhel9cis_rule_1_1_4_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 662c8da..f286fcc 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log' when: - - rhel8cis_rule_1_1_5_1 + - rhel9cis_rule_1_1_5_1 tags: - level2-server - level2-workstation @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -46,10 +46,10 @@ when: - var_log_mount_present is defined - item.mount == "/var/log" - - rhel8cis_rule_1_1_5_1 # This is required so the check takes place - - rhel8cis_rule_1_1_5_2 or - rhel8cis_rule_1_1_5_3 or - rhel8cis_rule_1_1_5_4 + - rhel9cis_rule_1_1_5_1 # This is required so the check takes place + - rhel9cis_rule_1_1_5_2 or + rhel9cis_rule_1_1_5_3 or + rhel9cis_rule_1_1_5_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 89434f8..94e85d2 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log/audit' when: - - rhel8cis_rule_1_1_6_1 + - rhel9cis_rule_1_1_6_1 tags: - level2-server - level2-workstation 
@@ -36,7 +36,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -45,10 +45,10 @@ when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel8cis_rule_1_1_6_1 # This is required so the check takes place - - rhel8cis_rule_1_1_6_2 or - rhel8cis_rule_1_1_6_3 or - rhel8cis_rule_1_1_6_4 + - rhel9cis_rule_1_1_6_1 # This is required so the check takes place + - rhel9cis_rule_1_1_6_2 or + rhel9cis_rule_1_1_6_3 or + rhel9cis_rule_1_1_6_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index a4aa38d..453fef5 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/home' when: - - rhel8cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -47,11 +47,11 @@ when: - home_mount_present is defined - item.mount == "/home" - - rhel8cis_rule_1_1_7_1 - - rhel8cis_rule_1_1_7_2 or - rhel8cis_rule_1_1_7_3 or - rhel8cis_rule_1_1_7_4 or - rhel8cis_rule_1_1_7_5 + - rhel9cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_2 or + rhel9cis_rule_1_1_7_3 or + rhel9cis_rule_1_1_7_4 or + rhel9cis_rule_1_1_7_5 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index b2ec06c..a61a6af 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -14,7 +14,7 @@ changed_when: false failed_when: false check_mode: no - register: rhel8cis_1_1_8_x_dev_shm_status + register: rhel9cis_1_1_8_x_dev_shm_status - name: | "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -25,13 +25,13 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel8cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel8cis_1_1_8_x_dev_shm_status.stdout" + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: - - rhel8cis_rule_1_1_8_1 or - rhel8cis_rule_1_1_8_2 or - rhel8cis_rule_1_1_8_3 + - rhel9cis_rule_1_1_8_1 or + rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 4498978..ed2872e 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -5,9 +5,9 @@ name: autofs enabled: no when: - - not rhel8cis_allow_autofs + - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel8cis_rule_1_1_9 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation 
@@ -34,7 +34,7 @@ name: usb-storage state: absent when: - - rhel8cis_rule_1_1_10 + - rhel9cis_rule_1_1_10 tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 82ec26f..19ddc3f 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -2,11 +2,11 @@ - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | - update-crypto-policies --set "{{ rhel8cis_crypto_policy }}" + update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies notify: change_requires_reboot when: - - rhel8cis_rule_1_10 + - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index a095c96..19ef3d0 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -3,14 +3,14 @@ - name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present - username: "{{ rhel8cis_rh_sub_user }}" - password: "{{ rhel8cis_rh_sub_password }}" + username: "{{ rhel9cis_rh_sub_user }}" + password: "{{ rhel9cis_rh_sub_password }}" auto_attach: true no_log: true when: - ansible_distribution == "RedHat" - - rhel8cis_rhnsd_required - - rhel8cis_rule_1_2_1 + - rhel9cis_rhnsd_required + - rhel9cis_rule_1_2_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" when: - - rhel8cis_rule_1_2_2 + - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: @@ -51,7 +51,7 @@ loop_control: label: "{{ item.path }}" when: - - rhel8cis_rule_1_2_3 + - rhel9cis_rule_1_2_3 tags: - level1-server - level1-workstation 
@@ -76,7 +76,7 @@ - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel8cis_rule_1_2_4 + - rhel9cis_rule_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index d89aa67..4dd7bcd 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -17,8 +17,8 @@ creates: /var/lib/aide/aide.db.gz when: not ansible_check_mode when: - - rhel8cis_config_aide - - rhel8cis_rule_1_3_1 + - rhel9cis_config_aide + - rhel9cis_rule_1_3_1 tags: - level1-server - level1-workstation @@ -30,16 +30,16 @@ - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" cron: name: Run AIDE integrity check - cron_file: "{{ rhel8cis_aide_cron['cron_file'] }}" - user: "{{ rhel8cis_aide_cron['cron_user'] }}" - minute: "{{ rhel8cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel8cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel8cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel8cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel8cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel8cis_aide_cron['aide_job'] }}" + cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" + user: "{{ rhel9cis_aide_cron['cron_user'] }}" + minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel9cis_aide_cron['aide_job'] }}" when: - - rhel8cis_rule_1_3_2 + - rhel9cis_rule_1_3_2 - not system_is_ec2 tags: - level1-server diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 9693602..9eac4eb 100644 --- a/tasks/section_1/cis_1.4.x.yml 
+++ b/tasks/section_1/cis_1.4.x.yml @@ -3,16 +3,16 @@ - name: "1.4.1 | PATCH | Ensure bootloader password is set" copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}" + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" owner: root group: root mode: 0600 notify: grub2cfg when: - - rhel8cis_set_boot_pass + - rhel9cis_set_boot_pass - grub_pass is defined and grub_pass.passhash is defined - grub_pass.passhash | length > 0 - - rhel8cis_rule_1_4_1 + - rhel9cis_rule_1_4_1 tags: - level1-server - level1-workstation @@ -43,10 +43,10 @@ loop_control: label: "{{ item.mount }}" when: - - not rhel8cis_legacy_boot + - not rhel9cis_legacy_boot - item.mount == "/boot/efi" when: - - rhel8cis_rule_1_4_2 + - rhel9cis_rule_1_4_2 - grub_cfg.stat.exists - grub_cfg.stat.islnk tags: @@ -67,7 +67,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_4_3 + - rhel9cis_rule_1_4_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index a791860..d3602b2 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -7,7 +7,7 @@ line: 'Storage=none' notify: systemd_daemon_reload when: - - rhel8cis_rule_1_5_1 + - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists tags: - level1-server @@ -22,7 +22,7 @@ regexp: 'ProcessSizeMax=' line: 'ProcessSizeMax=0' when: - - rhel8cis_rule_1_5_2 + - rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -40,7 +40,7 @@ sysctl_set: yes ignoreerrors: yes when: - - rhel8cis_rule_1_5_3 + - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 84dc520..b31600a 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -5,7 +5,7 @@ name: libselinux state: present when: - - rhel8cis_rule_1_6_1_1 + - rhel9cis_rule_1_6_1_1 tags: - level1-server - level1-workstation 
@@ -22,7 +22,7 @@ ignore_errors: yes notify: grub2cfg when: - - rhel8cis_rule_1_6_1_2 + - rhel9cis_rule_1_6_1_2 tags: - level1-server - level1-workstation @@ -34,11 +34,11 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_3 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_3 tags: - level1-server - level1-workstation @@ -51,11 +51,11 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_4 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 tags: - level1-server - level1-workstation @@ -67,11 +67,11 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config - policy: "{{ rhel8cis_selinux_pol }}" + policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel8cis_selinux_disable - - rhel8cis_rule_1_6_1_5 + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation @@ -98,7 +98,7 @@ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel8cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation @@ -112,7 +112,7 @@ name: setroubleshoot state: absent when: - - rhel8cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server @@ -126,7 +126,7 @@ name: mcstrans state: absent when: - - rhel8cis_rule_1_6_1_8 + - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation 
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 586a881..1ee5579 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -8,7 +8,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_1 + - rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -25,7 +25,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_2 + - rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_3 + - rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -58,7 +58,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_4 + - rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -75,7 +75,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_5 + - rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -92,7 +92,7 @@ group: root mode: 0644 when: - - rhel8cis_rule_1_7_6 + - rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a512e01..1edc704 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -5,7 +5,7 @@ name: gdm state: absent when: - - rhel8cis_rule_1_8_1 + - rhel9cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" tags: - level2-server 
@@ -32,10 +32,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel8cis_warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } when: - - rhel8cis_rule_1_8_2 - - rhel8cis_gui + - rhel9cis_rule_1_8_2 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -62,8 +62,8 @@ - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } when: - - rhel8cis_rule_1_8_3 - - rhel8cis_gui + - rhel9cis_rule_1_8_3 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -78,8 +78,8 @@ regexp: 'Enable=true' state: absent when: - - rhel8cis_rule_1_8_4 - - rhel8cis_gui + - rhel9cis_rule_1_8_4 + - rhel9cis_gui tags: - level1-server - level1-workstation @@ -100,8 +100,8 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel8cis_rule_1_8_5 - - rhel8cis_gui + - rhel9cis_rule_1_8_5 + - rhel9cis_gui tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index f6239e3..42c27b1 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -6,7 +6,7 @@ state: latest notify: change_requires_reboot when: - - rhel8cis_rule_1_9 + - rhel9cis_rule_1_9 - not system_is_ec2 tags: - level1-server 
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index c5c8e09..1d6ab55 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -32,7 +32,7 @@ - name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml - when: rhel8cis_config_aide + when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" import_tasks: cis_1.4.x.yml @@ -42,7 +42,7 @@ - name: "SECTION | 1.6 | Mandatory Access Control" include_tasks: cis_1.6.1.x.yml - when: not rhel8cis_selinux_disable + when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" import_tasks: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index c627db0..5b5cf13 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -2,11 +2,11 @@ - name: "2.1.1 | PATCH | Ensure time synchronization is in use" package: - name: "{{ rhel8cis_time_synchronization }}" + name: "{{ rhel9cis_time_synchronization }}" state: present when: - - rhel8cis_rule_2_1_1 - - not rhel8cis_system_is_container + - rhel9cis_rule_2_1_1 + - not rhel9cis_system_is_container tags: - level1-server - level1-workstation @@ -33,9 +33,9 @@ create: yes mode: 0644 when: - - rhel8cis_time_synchronization == "chrony" - - rhel8cis_rule_2_1_2 - - not rhel8cis_system_is_container + - rhel9cis_time_synchronization == "chrony" + - rhel9cis_rule_2_1_2 + - not rhel9cis_system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f8b492b..bd93fbd 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -5,8 +5,8 @@ name: xinetd state: absent when: - - rhel8cis_rule_2_2_1 - - not rhel8cis_xinetd_server + - rhel9cis_rule_2_2_1 + - not rhel9cis_xinetd_server - "'xinetd' in ansible_facts.packages" tags: - level1-server 
@@ -20,7 +20,7 @@ name: xorg-x11-server-common state: absent when: - - rhel8cis_rule_2_2_2 + - rhel9cis_rule_2_2_2 - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server @@ -36,8 +36,8 @@ - avahi state: absent when: - - rhel8cis_rule_2_2_3 - - not rhel8cis_avahi_server + - rhel9cis_rule_2_2_3 + - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server @@ -52,9 +52,9 @@ name: cups state: absent when: - - not rhel8cis_cups_server + - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" - - rhel8cis_rule_2_2_3 + - rhel9cis_rule_2_2_3 tags: - level1-server - automated @@ -67,9 +67,9 @@ name: dhcp-server state: absent when: - - not rhel8cis_dhcp_server + - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_5 + - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation @@ -83,9 +83,9 @@ name: bind state: absent when: - - not rhel8cis_dns_server + - not rhel9cis_dns_server - "'bind' in ansible_facts.packages" - - rhel8cis_rule_2_2_6 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation @@ -99,9 +99,9 @@ name: ftp state: absent when: - - not rhel8cis_ftp_server + - not rhel9cis_ftp_server - "'ftp' in ansible_facts.packages" - - rhel8cis_rule_2_2_7 + - rhel9cis_rule_2_2_7 tags: - level1-server - level1-workstation @@ -115,9 +115,9 @@ name: vsftpd state: absent when: - - not rhel8cis_vsftpd_server + - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - - rhel8cis_rule_2_2_8 + - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation @@ -131,9 +131,9 @@ name: tftp-server state: absent when: - - not rhel8cis_tftp_server + - not rhel9cis_tftp_server - "'tftp-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_9 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation 
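Review bot: The cups task in the @@ -52 hunk is gated on `rhel9cis_rule_2_2_3`, the same variable the avahi task in @@ -36 uses, so the two controls cannot be toggled independently; `- rhel9cis_rule_2_2_4` is presumably the intended gate given the 2.2.x numbering the rest of the file follows. The same carried-over mismatch appears in later hunks: the 2.2.10 web-server task uses `rhel9cis_rule_2_2_9` (shared with tftp-server), squid uses `rhel9cis_rule_2_2_6` (shared with bind), and ypserv and postfix both use `rhel9cis_rule_2_2_17`. Because the commit only renames the prefix, any defaults toggles declared for the displaced numbers would be unreachable, which is worth confirming against the role's defaults before merging. Several of the affected task names lie outside the hunks, so the intended control numbers are inferred here from the package names.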
@@ -149,7 +149,7 @@ name: httpd state: absent when: - - not rhel8cis_httpd_server + - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" @@ -157,10 +157,10 @@ name: nginx state: absent when: - - not rhel8cis_nginx_server + - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel8cis_rule_2_2_9 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation @@ -178,9 +178,9 @@ - cyrus-imapd state: absent when: - - not rhel8cis_dovecot_cyrus_server + - not rhel9cis_dovecot_cyrus_server - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - - rhel8cis_rule_2_2_11 + - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation @@ -196,9 +196,9 @@ name: samba state: absent when: - - not rhel8cis_samba_server + - not rhel9cis_samba_server - "'samba' in ansible_facts.packages" - - rhel8cis_rule_2_2_12 + - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation @@ -212,9 +212,9 @@ name: squid state: absent when: - - not rhel8cis_squid_server + - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - - rhel8cis_rule_2_2_6 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation @@ -228,9 +228,9 @@ name: net-snmp state: absent when: - - not rhel8cis_snmp_server + - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - - rhel8cis_rule_2_2_14 + - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation @@ -244,9 +244,9 @@ name: ypserv state: absent when: - - not rhel8cis_nis_server + - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" - - rhel8cis_rule_2_2_17 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation 
@@ -260,9 +260,9 @@ name: telnet-server state: absent when: - - not rhel8cis_telnet_server + - not rhel9cis_telnet_server - "'telnet-server' in ansible_facts.packages" - - rhel8cis_rule_2_2_16 + - rhel9cis_rule_2_2_16 tags: - level1-server - level1-workstation @@ -278,9 +278,9 @@ line: "inet_interfaces = loopback-only" notify: restart postfix when: - - not rhel8cis_is_mail_server + - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - - rhel8cis_rule_2_2_17 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation @@ -296,9 +296,9 @@ name: nfs-utils state: absent when: - - not rhel8cis_nfs_server + - not rhel9cis_nfs_server - "'nfs-utils' in ansible_facts.packages" - - rhel8cis_rule_2_2_18 + - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation @@ -315,9 +315,9 @@ name: rpcbind state: absent when: - - not rhel8cis_rpc_server + - not rhel9cis_rpc_server - "'rpcbind' in ansible_facts.packages" - - rhel8cis_rule_2_2_19 + - rhel9cis_rule_2_2_19 tags: - level1-server - level1-workstation @@ -333,9 +333,9 @@ name: rsync state: absent when: - - not rhel8cis_rsync_server + - not rhel9cis_rsync_server - "'rsync' in ansible_facts.packages" - - rhel8cis_rule_2_2_20 + - rhel9cis_rule_2_2_20 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index ee52a75..52159bc 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -5,9 +5,9 @@ name: ypbind state: absent when: - - not rhel8cis_ypbind_required + - not rhel9cis_ypbind_required - "'ypbind' in ansible_facts.packages" - - rhel8cis_rule_2_3_1 + - rhel9cis_rule_2_3_1 tags: - level1-server - level1-workstation @@ -21,9 +21,9 @@ name: rsh state: absent when: - - not rhel8cis_rsh_required + - not rhel9cis_rsh_required - "'rsh' in ansible_facts.packages" - - rhel8cis_rule_2_3_2 + - rhel9cis_rule_2_3_2 tags: - level1-server - level2-server 
@@ -37,9 +37,9 @@ name: talk state: absent when: - - not rhel8cis_talk_required + - not rhel9cis_talk_required - "'talk' in ansible_facts.packages" - - rhel8cis_rule_2_3_3 + - rhel9cis_rule_2_3_3 tags: - level1-server - level1-workstation @@ -53,9 +53,9 @@ name: telnet state: absent when: - - not rhel8cis_telnet_required + - not rhel9cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel8cis_rule_2_3_4 + - rhel9cis_rule_2_3_4 tags: - level1-server - level1-workstation @@ -69,9 +69,9 @@ name: openldap-clients state: absent when: - - not rhel8cis_openldap_clients_required + - not rhel9cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel8cis_rule_2_3_5 + - rhel9cis_rule_2_3_5 tags: - level1-server - level1-workstation @@ -85,9 +85,9 @@ name: tftp state: absent when: - - not rhel8cis_tftp_client + - not rhel9cis_tftp_client - "'tftp' in ansible_facts.packages" - - rhel8cis_rule_2_3_6 + - rhel9cis_rule_2_3_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 8460874..a80d340 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -7,16 +7,16 @@ changed_when: false failed_when: false check_mode: no - register: rhel8cis_2_4_services + register: rhel9cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - "Alert! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - - "{{ rhel8cis_2_4_services.stdout_lines }}" + - "{{ rhel9cis_2_4_services.stdout_lines }}" when: - - rhel8cis_rule_2_4 + - rhel9cis_rule_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ad692fa..dbc3507 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -1,43 +1,91 @@ --- -- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +# The CIS Control wants IPv6 disabled if not in use. +# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use +- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + sysctl: + name: "{{ item }}" + value: '1' + state: present + reload: yes + with_items: + - net.ipv6.conf.all.disable_ipv6 + - net.ipv6.conf.default.disable_ipv6 + - net.ipv6.conf.lo.disable_ipv6 when: - - not rhel9cis_is_router + - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 tags: - level1-server - level1-workstation - - sysctl + - manual - patch + - ipv6 + - networking - rule_3.1.1 -- name: "3.1.2 | L1 | PATCH | Ensure packet redirect sending is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table +- name: "3.1.2 | PATCH | Ensure SCTP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install sctp(\\s|$)" + line: "install sctp /bin/true" + create: yes + mode: 0600 when: - - not rhel9cis_is_router - rhel9cis_rule_3_1_2 tags: - - level1-server - - level1-workstation - - sysctl + - level2-server + - level2-workstation + - automated - patch + - sctp - rule_3.1.2 + +- name: "3.1.3 | PATCH | Ensure DCCP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install dccp(\\s|$)" + line: "install dccp 
/bin/true" + create: yes + mode: 0600 + when: + - rhel9cis_rule_3_1_3 + tags: + - level2-server + - level2-workstation + - automated + - dccp + - patch + - rule_3.1.3 + +- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" + block: + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + command: rpm -q NetworkManager + changed_when: false + failed_when: false + check_mode: no + args: + warn: no + register: rhel_08_nmcli_available + + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + command: nmcli radio wifi + register: rhel_08_wifi_enabled + changed_when: rhel_08_wifi_enabled.stdout != "disabled" + failed_when: false + when: rhel_08_nmcli_available.rc == 0 + + - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" + command: nmcli radio all off + changed_when: false + failed_when: false + when: rhel_08_wifi_enabled is changed + when: + - rhel9cis_rule_3_1_4 + tags: + - level1-server + - automated + - patch + - wireless + - rule_3.1.4 \ No newline at end of file diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml deleted file mode 100644 index 0b49ba4..0000000 --- a/tasks/section_3/cis_3.3.x.yml +++ /dev/null 
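Review bot: In the 3.1.4 block the remediation task runs `nmcli radio all off`, which switches off every radio (WWAN included) although the task name and the audit before it (`nmcli radio wifi`) only cover wifi; `command: nmcli radio wifi off` matches the stated scope, and `changed_when: false` on that task hides a real state change from the play recap, so it should be dropped or tied to the audit result. The registered names `rhel_08_nmcli_available` and `rhel_08_wifi_enabled` still carry the rhel8 prefix that this commit renames everywhere else, so they read as leftovers. Task 3.1.1 is named "Verify if IPv6 is enabled" and tagged `manual`, but its body writes `disable_ipv6 = 1` for all/default/lo; a name such as "Ensure IPv6 is disabled when not required" without the `manual` tag describes what it does, and since the `sysctl` module writes to `/etc/sysctl.conf` by default a comment noting that a later-sorting drop-in under `/etc/sysctl.d/` may still override it (confirm on the target) would help. The 3.1.2/3.1.3 `install sctp|dccp /bin/true` lines only block future loads, so an already-resident module stays loaded until reboot; a comment saying so, and quoting the mode as `mode: "0600"` so YAML does not retype it, would make the intent explicit. The file also ends without a trailing newline (`\ No newline at end of file`).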
@@ -1,61 +0,0 @@ ---- - -- name: "3.3.1 | L2 | PATCH | Ensure DCCP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.1 - -- name: "3.3.2 | L2 | PATCH | Ensure SCTP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.2 - -- name: "3.3.3 | L2 | PATCH | Ensure RDS is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install rds(\\s|$)" - line: "install rds /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.3 - -- name: "3.3.4 | L2 | PATCH | Ensure TIPC is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install tipc(\\s|$)" - line: "install tipc /bin/true" - create: true - mode: 0600 - when: - - rhel9cis_rule_3_3_4 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.3.4