ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

update var naming

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-07 10:30:45 +01:00
parent 4f566974c9
commit 9196e916fc
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
4 changed files with 45 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

8
handlers/main.yml
View file

@ -42,7 +42,7 @@
notify: Set Crypto Policy notify: Set Crypto Policy
- name: Set Crypto Policy - name: Set Crypto Policy
when: rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
ansible.builtin.shell: | ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
update-crypto-policies update-crypto-policies
@ -91,13 +91,9 @@
ansible.builtin.systemd: ansible.builtin.systemd:
daemon-reload: true daemon-reload: true
- name: Apply_authselect - name: Authselect update
when: not rhel9cis_rule_5_4_2
ansible.builtin.shell: authselect apply-changes ansible.builtin.shell: authselect apply-changes
- name: Apply_authselect
when: rhel9cis_rule_5_4_2
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
## Auditd tasks note order for handlers to run ## Auditd tasks note order for handlers to run
- name: Auditd immutable check - name: Auditd immutable check

2
tasks/section_1/cis_1.5.x.yml
View file

@ -56,7 +56,7 @@
- name: "1.5.4 | PATCH | Ensure core dump storage is disabled" - name: "1.5.4 | PATCH | Ensure core dump storage is disabled"
when: when:
- rhel9cis_rule_1_5_4 - rhel9cis_rule_1_5_4
- systemd_coredump.stat.exists - prelim_systemd_coredump.stat.exists
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation

30
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -2,8 +2,8 @@
- name: "6.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" - name: "6.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
when: when:
- ubtu22cis_rule_6_2_2_1_1 - rhel9cis_rule_6_2_2_1_1
- not ubtu22cis_system_is_log_server - not rhel9cis_system_is_log_server
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -19,8 +19,8 @@
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured" - name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
when: when:
- ubtu22cis_rule_6_2_2_1_2 - rhel9cis_rule_6_2_2_1_2
- not ubtu22cis_system_is_log_server - not rhel9cis_system_is_log_server
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -35,15 +35,15 @@
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
loop: loop:
- { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'} - { regexp: 'URL=', line: 'URL={{ rhel9cis_remote_log_server }}'}
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active" - name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
when: when:
- not ubtu22cis_system_is_log_server - not rhel9cis_system_is_log_server
- ubtu22cis_rule_6_2_2_1_3 - rhel9cis_rule_6_2_2_1_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -59,8 +59,8 @@
- name: "6.2.2.1.4 | PATCH | Ensure systemd-journal-remote service is not in use" - name: "6.2.2.1.4 | PATCH | Ensure systemd-journal-remote service is not in use"
when: when:
- not ubtu22cis_system_is_log_server - not rhel9cis_system_is_log_server
- ubtu22cis_rule_6_2_2_1_4 - rhel9cis_rule_6_2_2_1_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -81,7 +81,7 @@
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
when: when:
- ubtu22cis_rule_6_2_2_2 - rhel9cis_rule_6_2_2_2
tags: tags:
- level1-server - level1-server
- level2-workstation - level2-workstation
@ -110,7 +110,7 @@
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
when: when:
- ubtu22cis_rule_6_2_2_3 - rhel9cis_rule_6_2_2_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -136,7 +136,7 @@
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
when: when:
- ubtu22cis_rule_6_2_2_4 - rhel9cis_rule_6_2_2_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation

33
tasks/section_6/cis_6.3.2.x.yml
View file

@ -13,7 +13,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)" regexp: "^max_log_file( |=)"
line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}" line: "max_log_file = {{ rhel9cis_auditd_max_log_file_size }}"
notify: Restart auditd notify: Restart auditd
- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
@ -29,7 +29,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^max_log_file_action" regexp: "^max_log_file_action"
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" line: "max_log_file_action = {{ rhel9cis_auditd_max_log_file_action }}"
notify: Restart auditd notify: Restart auditd
- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
@ -51,11 +51,32 @@
line: "{{ item.line }}" line: "{{ item.line }}"
notify: Restart auditd notify: Restart auditd
loop: loop:
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - { regexp: '^disk_full_action', line: 'disk_full_action = {{ rhel9cis_auditd_disk_full_action }}' }
- { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } - { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' }
- { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' }
- name: PATCH | Configure other keys for auditd.conf - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space"
when:
- rhel9cis_rule_6_3_2_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.2.4
- NIST800-53R5_AU-2
- NIST800-53R5_AU-8
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: Restart auditd
loop:
- { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd_space_left_action }}' }
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd_admin_space_left_action }}' }
- name: "PATCH | Configure other keys for auditd.conf"
when: when:
- rhel9cis_auditd_extra_conf.keys() | length > 0 - rhel9cis_auditd_extra_conf.keys() | length > 0
- rhel9cis_auditd_extra_conf_usage - rhel9cis_auditd_extra_conf_usage