lint and v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-07-24 14:02:05 +01:00
parent 42aa624d50
commit a36a84c5ea
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
5 changed files with 712 additions and 676 deletions



@ -5,23 +5,23 @@
ansible.builtin.shell: sysctl --system ansible.builtin.shell: sysctl --system
- name: Sysctl flush ipv4 route table - name: Sysctl flush ipv4 route table
when:
- rhel9cis_flush_ipv4_route
- not system_is_container
ansible.posix.sysctl: ansible.posix.sysctl:
name: net.ipv4.route.flush name: net.ipv4.route.flush
value: '1' value: '1'
sysctl_set: true sysctl_set: true
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
when:
- rhel9cis_flush_ipv4_route
- not system_is_container
- name: Sysctl flush ipv6 route table - name: Sysctl flush ipv6 route table
when:
- rhel9cis_flush_ipv6_route
- not system_is_container
ansible.posix.sysctl: ansible.posix.sysctl:
name: net.ipv6.route.flush name: net.ipv6.route.flush
value: '1' value: '1'
sysctl_set: true sysctl_set: true
when:
- rhel9cis_flush_ipv6_route
- not system_is_container
- name: Systemd restart tmp.mount - name: Systemd restart tmp.mount
ansible.builtin.systemd: ansible.builtin.systemd:
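Review bot: The IPv4 flush task keeps `ignore_errors: true # noqa ignore-errors` while the otherwise identical IPv6 flush task right below it has no error handling at all, so a failure on `net.ipv6.route.flush` (for example on a host where IPv6 is disabled and the key is absent) aborts the play, whereas the same failure on the IPv4 side is silently tolerated; either both flushes are best-effort or neither is. The `# noqa` also hides a real problem rather than fixing it: `ignore_errors` still reports the task as failed in the play output, and a deliberate best-effort is clearer as `failed_when: false` on both tasks, which ansible-lint accepts without a suppression. The context line at the top runs `sysctl --system` via `ansible.builtin.shell` although no shell features are used; `ansible.builtin.command: sysctl --system` avoids spawning a shell for the same result. The `Systemd restart tmp.mount` task continues past the end of this section.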


@ -1,6 +1,6 @@
--- ---
- name: Apply RHEL9 CIS hardening - name: Apply ansible-lockdown hardening
hosts: all hosts: all
become: true become: true
roles: roles:


@ -20,13 +20,13 @@
- Restart auditd - Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
when:
- rhel9cis_auditd_template_updated.changed
- rhel9cis_auditd_file.stat.exists
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
vars: vars:
warn_control_id: 'Auditd template updated, see diff output for details' warn_control_id: 'Auditd template updated, see diff output for details'
when:
- rhel9cis_auditd_template_updated.changed
- rhel9cis_auditd_file.stat.exists
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat: ansible.builtin.stat:
@ -34,6 +34,9 @@
register: rhel9cis_auditd_exception_file register: rhel9cis_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file - name: POST | Set up auditd user logging exceptions | setup file
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
ansible.builtin.template: ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2 src: audit/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules dest: /etc/audit/rules.d/98_auditd_exceptions.rules
@ -42,6 +45,3 @@
mode: '0640' mode: '0640'
diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
notify: Restart auditd notify: Restart auditd
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
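Review bot: The `when:` block moved onto the `POST | Set up auditd user logging exceptions | setup file` task only gates creation of `/etc/audit/rules.d/98_auditd_exceptions.rules`; nothing in these hunks removes that file once `rhel9cis_allow_auditd_uid_user_exclusions` is turned off or `rhel9cis_auditd_uid_exclude` is emptied, so UIDs excluded during an earlier run would keep being dropped from audit logging on that host unless a cleanup task exists elsewhere in this file. Because this task deliberately narrows audit coverage, the inverse condition deserves an explicit `ansible.builtin.file: state: absent` task that also notifies `Restart auditd`, shown below (it assumes both variables are always defined, as the existing `when:` already does). Separately, `diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"` means the contents of a newly created exclusions file are never shown in the play output; `diff: true` would surface the excluded UIDs on first creation as well as on updates.

```yaml
- name: POST | Set up auditd user logging exceptions | remove stale exception rules
  when:
    - not rhel9cis_allow_auditd_uid_user_exclusions or rhel9cis_auditd_uid_exclude | length == 0
  ansible.builtin.file:
    path: /etc/audit/rules.d/98_auditd_exceptions.rules
    state: absent
  notify: Restart auditd
```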