lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-13 12:10:18 +00:00
parent 3ead0d63ac
commit acf0104f7a
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
34 changed files with 199 additions and 213 deletions


@ -1,14 +1,13 @@
---
# handlers file for RHEL9-CIS
- name: reload sysctl
shell: sysctl --system
- name: Reload sysctl
ansible.builtin.shell: sysctl --system
when:
- sysctl_updated.changed
- name: sysctl flush ipv4 route table
become: true
sysctl:
- name: Sysctl flush ipv4 route table
ansible.posix.sysctl:
name: net.ipv4.route.flush
value: '1'
sysctl_set: true
@ -16,12 +15,9 @@
when:
- flush_ipv4_route
- not system_is_container
tags:
- skip_ansible_lint
- name: sysctl flush ipv6 route table
become: true
sysctl:
- name: Sysctl flush ipv6 route table
ansible.posix.sysctl:
name: net.ipv6.route.flush
value: '1'
sysctl_set: true
@ -29,92 +25,81 @@
- flush_ipv6_route
- not system_is_container
- name: systemd restart tmp.mount
become: true
systemd:
- name: Systemd restart tmp.mount
ansible.builtin.systemd:
name: tmp.mount
daemon_reload: true
daemon_Reload: true
enabled: true
masked: false
state: reloaded
state: Reloaded
- name: systemd restart var-tmp.mount
become: true
systemd:
name: var-tmp.mount
daemon_reload: true
enabled: true
masked: false
state: reloaded
- name: Remount tmp
ansible.posix.mount:
path: /tmp
state: remounted
- name: remount tmp
ansible.posix.mount:
path: /tmp
state: remounted
- name: restart firewalld
service:
- name: Restart firewalld
ansible.builtin.systemd:
name: firewalld
state: restarted
- name: restart sshd
service:
- name: Restart sshd
ansible.builtin.systemd:
name: sshd
state: restarted
- name: restart postfix
service:
- name: Restart postfix
ansible.builtin.systemd:
name: postfix
state: restarted
- name: reload dconf
shell: dconf update
- name: Reload dconf
ansible.builtin.shell: dconf update
- name: grub2cfg
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ignore_errors: true # noqa ignore-errors
tags:
- skip_ansible_lint
- name: restart rsyslog
become: true
service:
- name: Restart rsyslog
ansible.builtin.systemd:
name: rsyslog
state: restarted
- name: restart journald
service:
- name: Restart journald
ansible.builtin.systemd:
name: systemd-journald
state: restarted
- name: restart systemd_journal_upload
service:
- name: Restart systemd_journal_upload
ansible.builtin.systemd:
name: systemd-journal-upload
state: restarted
- name: systemd_daemon_reload
systemd:
- name: Systemd_daemon_Reload
ansible.builtin.systemd:
daemon-reload: true
## Auditd tasks note order for handlers to run
- name: auditd_immutable_check
shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
- name: Auditd_immutable_check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check
- name: audit_immutable_fact
debug:
- name: Audit_immutable_fact
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot
when:
- auditd_immutable_check.stdout == '1'
- name: restart auditd
shell: service auditd restart
- name: Restart auditd
ansible.builtin.shell: service auditd restart
tags:
- skip_ansible_lint
- name: change_requires_reboot
set_fact:
- name: Change_requires_reboot
ansible.builtin.set_fact:
change_requires_reboot: true
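Review bot: The `Systemd restart tmp.mount` handler is broken by the reload→Reload rename: `daemon_Reload: true` is not an option of ansible.builtin.systemd and `state: Reloaded` is not one of its accepted state values, so the handler fails the first time it is notified; restore `daemon_reload: true` and `state: reloaded`. In the `Audit_immutable_fact` handler the line `notify: change_requires_reboot` appears to be left unchanged while the handler it targets is now named `Change_requires_reboot`; handler names are matched case-sensitively, so that line should read `notify: Change_requires_reboot`, otherwise the reboot-required fact is never set after the immutable-audit check. The `systemd restart var-tmp.mount` handler appears to be removed in this hunk with no renamed replacement; confirm no task still notifies it.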


@ -1,4 +1,5 @@
---
- hosts: all
become: true
roles:


@ -1,7 +1,7 @@
---
- name: Download audit binary
get_url:
ansible.builtin.get_url:
url: "{{ goss_url }}"
dest: "{{ audit_bin }}"
owner: root
@ -11,8 +11,8 @@
when:
- get_goss_file == 'download'
- name: copy audit binary
copy:
- name: Copy audit binary
ansible.builtin.copy:
src:
dest: "{{ audit_bin }}"
mode: 0555
@ -21,8 +21,8 @@
when:
- get_goss_file == 'copy'
- name: install git if not present
package:
- name: Install git if not present
ansible.builtin.package:
name: git
state: present
register: git_installed


@ -1,7 +1,7 @@
---
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
template:
ansible.builtin.template:
src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
@ -9,18 +9,18 @@
mode: 0600
register: audit_rules_updated
notify:
- auditd_immutable_check
- audit_immutable_fact
- restart auditd
- Auditd_immutable_check
- Audit_immutable_fact
- Restart auditd
- name: POST | Set up auditd user logging exceptions
template:
ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: 0600
notify: restart auditd
notify: Restart auditd
when:
- allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0


@ -1,7 +1,7 @@
---
- name: "PREREQ | If required install libselinux package to manage file changes."
package:
ansible.builtin.package:
name: libselinux-python3
state: present
when:


@ -2,7 +2,7 @@
# tasks file for RHEL9-CIS
- name: Check OS version and family
assert:
ansible.builtin.assert:
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
@ -13,7 +13,7 @@
- always
- name: Check ansible version
assert:
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
@ -23,14 +23,14 @@
- name: "Check password set for {{ ansible_user }}"
block:
- name: Capture current password state of "{{ ansible_user }}"
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: ansible_user_password_set
- name: "Assert that password set for {{ ansible_user }} and account not locked"
assert:
ansible.builtin.assert:
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
success_msg: "You a password set for the {{ ansible_user }}"
@ -45,15 +45,15 @@
- name: Setup rules if container
block:
- name: Discover and set container variable if required
set_fact:
ansible.builtin.set_fact:
system_is_container: true
- name: Load variable for container
include_vars:
ansible.builtin.include_vars:
file: "{{ container_vars_file }}"
- name: output if discovered is a container
debug:
- name: Output if discovered is a container
ansible.builtin.debug:
msg: system has been discovered as a container
when:
- system_is_container
@ -65,13 +65,13 @@
- always
- name: Check crypto-policy input
assert:
ansible.builtin.assert:
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: Check rhel9cis_bootloader_password_hash variable has been changed
assert:
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
when:
@ -80,10 +80,10 @@
tags:
- always
- name: "check sugroup exists if used"
- name: Check sugroup exists if used
block:
- name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
register: sugroup_exists
changed_when: false
failed_when: sugroup_exists.rc >= 2
@ -91,7 +91,7 @@
- skip_ansible_lint
- name: Check sugroup if defined exists before continuing
assert:
ansible.builtin.assert:
that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when:
@ -101,35 +101,35 @@
- rule_5.7
- name: Gather the package facts
package_facts:
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
tags:
- always
- name: Include preliminary steps
import_tasks: prelim.yml
ansible.builtin.import_tasks: prelim.yml
tags:
- prelim_tasks
- always
- name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml
ansible.builtin.include_tasks: pre_remediation_audit.yml
when:
- run_audit
- name: Gather the package facts after prelim
package_facts:
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: capture /etc/password variables
include_tasks: parse_etc_password.yml
ansible.builtin.include_tasks: parse_etc_password.yml
when:
- rhel9cis_section6
tags:
@ -142,67 +142,67 @@
- rhel9cis_section6
- name: run Section 1 tasks
import_tasks: section_1/main.yml
ansible.builtin.import_tasks: section_1/main.yml
when: rhel9cis_section1
tags:
- rhel9cis_section1
- name: run Section 2 tasks
import_tasks: section_2/main.yml
ansible.builtin.import_tasks: section_2/main.yml
when: rhel9cis_section2
tags:
- rhel9cis_section2
- name: run Section 3 tasks
import_tasks: section_3/main.yml
ansible.builtin.import_tasks: section_3/main.yml
when: rhel9cis_section3
tags:
- rhel9cis_section3
- name: run Section 4 tasks
import_tasks: section_4/main.yml
ansible.builtin.import_tasks: section_4/main.yml
when: rhel9cis_section4
tags:
- rhel9cis_section4
- name: run Section 5 tasks
import_tasks: section_5/main.yml
ansible.builtin.import_tasks: section_5/main.yml
when: rhel9cis_section5
tags:
- rhel9cis_section5
- name: run Section 6 tasks
import_tasks: section_6/main.yml
ansible.builtin.import_tasks: section_6/main.yml
when: rhel9cis_section6
tags:
- rhel9cis_section6
- name: run auditd logic
import_tasks: auditd.yml
ansible.builtin.import_tasks: auditd.yml
when:
- update_audit_template
tags:
- always
- name: run post remediation tasks
import_tasks: post.yml
ansible.builtin.import_tasks: post.yml
tags:
- post_tasks
- always
- name: run post_remediation audit
import_tasks: post_remediation_audit.yml
ansible.builtin.import_tasks: post_remediation_audit.yml
when:
- run_audit
- name: Show Audit Summary
debug:
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"
when:
- run_audit
- name: If Warnings found Output count and control IDs affected
debug:
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
when: warn_count != 0
tags:
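Review bot: The `Capture current password state` task, now `ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"`, matches the user name anywhere on any line of /etc/shadow, so for a user such as `ansible` it can return the hash field of `ansible2` or `svc-ansible` and the following assertion then reasons about the wrong account; anchoring the pattern, `grep "^{{ ansible_user }}:" /etc/shadow | awk -F: '{print $2}'`, makes it exact. The registered `ansible_user_password_set` holds that account's password hash, which is printed in the task result at `-v` and lands in any configured log file, so the task should also carry `no_log: true`. The `Check su group exists if defined` task has the same substring issue with `grep -w "{{ rhel9cis_sugroup }}" /etc/group`, which also matches the name inside another group's member list; `grep "^{{ rhel9cis_sugroup }}:" /etc/group` is the precise check.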


@ -3,13 +3,13 @@
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
block:
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
shell: cat /etc/passwd
ansible.builtin.shell: cat /etc/passwd
changed_when: false
check_mode: false
register: rhel9cis_passwd_file_audit
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
set_fact:
ansible.builtin.set_fact:
rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"
vars:


@ -2,25 +2,25 @@
# Post tasks
- name: Perform DNF package cleanup
dnf:
ansible.builtin.package:
autoremove: true
changed_when: false
- name: Gather the package facts after remediation
package_facts:
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: update sysctl
template:
- name: Update sysctl
ansible.builtin.template:
src: "etc/sysctl.d/{{ item }}.j2"
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: 0600
register: sysctl_updated
notify: reload sysctl
notify: Reload sysctl
with_items:
- 60-kernel_sysctl.conf
- 60-disable_ipv6.conf
@ -31,29 +31,29 @@
- not system_is_container
- "'procps-ng' in ansible_facts.packages"
- name: flush handlers
meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: POST | reboot system if changes require it and not skipped
block:
- name: POST | Reboot system if changes require it and not skipped
reboot:
ansible.builtin.reboot:
when:
- change_requires_reboot
- Change_requires_reboot
- not skip_reboot
- name: POST | Warning a reboot required but skip option set
debug:
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- change_requires_reboot
- Change_requires_reboot
- skip_reboot
- name: "POST | Warning a reboot required but skip option set | warning count"
ansible.builtin.import_tasks: warning_facts.yml
when:
- change_requires_reboot
- Change_requires_reboot
- skip_reboot
vars:
warn_control_id: Reboot_required
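Review bot: The three `when` conditions changed to `- Change_requires_reboot` now test a variable that nothing in this commit defines: the handler still sets the fact as `change_requires_reboot: true` (lowercase) and variable names in conditions are case-sensitive, so the reboot block either stops with an undefined-variable error or, if a default named `Change_requires_reboot` exists elsewhere, silently never reboots. Only the handler name was meant to change; each condition should stay `- change_requires_reboot`. Separately, `ansible.builtin.package` documents only `name`, `state` and `use`, so `autoremove: true` with no `name` depends on the action plugin forwarding an undocumented argument to dnf; `ansible.builtin.dnf:` with `autoremove: true` satisfies the FQCN lint rule without that dependency.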


@ -1,13 +1,13 @@
---
- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: audit_run_post_remediation.rc == 0
register: audit_run_post_remediation
- name: Post Audit | ensure audit files readable by users
file:
ansible.builtin.file:
path: "{{ item }}"
mode: 0644
state: file
@ -17,13 +17,13 @@
- name: Post Audit | Capture audit data if json format
block:
- name: "capture data {{ post_audit_outfile }}"
shell: "cat {{ post_audit_outfile }}"
- name: "Capture data {{ post_audit_outfile }}"
ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: post_audit
changed_when: false
- name: Capture post-audit result
set_fact:
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
@ -33,12 +33,12 @@
- name: Post Audit | Capture audit data if documentation format
block:
- name: "Post Audit | capture data {{ post_audit_outfile }}"
shell: "tail -2 {{ post_audit_outfile }}"
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit
changed_when: false
- name: Post Audit | Capture post-audit result
set_fact:
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout_lines }}"
when:
- audit_format == "documentation"


@ -1,20 +1,20 @@
---
- name: Pre Audit | Setup the audit
include_tasks: LE_audit_setup.yml
ansible.builtin.include_tasks: LE_audit_setup.yml
when:
- setup_audit
tags:
- setup_audit
- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists"
file:
ansible.builtin.file:
path: "{{ audit_conf_dir }}"
state: directory
mode: '0755'
- name: Pre Audit | retrieve audit content files from git
git:
ansible.builtin.git:
repo: "{{ audit_file_git }}"
dest: "{{ audit_conf_dir }}"
version: "{{ audit_git_version }}"
@ -22,7 +22,7 @@
- audit_content == 'git'
- name: Pre Audit | copy to audit content files to server
copy:
ansible.builtin.copy:
src: "{{ audit_local_copy }}"
dest: "{{ audit_conf_dir }}"
mode: 0644
@ -30,7 +30,7 @@
- audit_content == 'copy'
- name: Pre Audit | get audit content from url
get_url:
ansible.builtin.get_url:
url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}"
owner: root
@ -42,12 +42,12 @@
- name: Pre Audit | Check Goss is available
block:
- name: Pre Audit | Check for goss file
stat:
ansible.builtin.stat:
path: "{{ audit_bin }}"
register: goss_available
- name: Pre Audit | Alert if goss not available
assert:
ansible.builtin.assert:
that: goss_available.stat.exists
fail_msg: "Audit binary file {{ audit_bin }} does not exist"
success_msg: "Audit binary file {{ audit_bin }} exists"
@ -55,14 +55,14 @@
- run_audit
- name: "Pre Audit | Check whether machine is UEFI-based"
stat:
ansible.builtin.stat:
path: /sys/firmware/efi
register: rhel9_efi_boot
tags:
- goss_template
- name: Pre Audit | Copy ansible default vars values to test audit
template:
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
mode: 0600
@ -72,7 +72,7 @@
- goss_template
- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: audit_run_pre_remediation.rc == 0
register: audit_run_pre_remediation
@ -80,12 +80,12 @@
- name: Pre Audit | Capture audit data if json format
block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}"
shell: "cat {{ pre_audit_outfile }}"
ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false
- name: Pre Audit | Capture pre-audit result
set_fact:
ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
@ -95,12 +95,12 @@
- name: Pre Audit | Capture audit data if documentation format
block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}"
shell: "tail -2 {{ pre_audit_outfile }}"
ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false
- name: Pre Audit | Capture pre-audit result
set_fact:
ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout_lines }}"
when:
- audit_format == "documentation"


@ -3,7 +3,7 @@
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
shell: "awk -F: '{print $1}' /etc/passwd"
ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
changed_when: false
check_mode: false
register: users
@ -13,7 +13,7 @@
- users
- name: "PRELIM | Gather accounts with empty password fields"
shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
changed_when: false
check_mode: false
register: empty_password_accounts
@ -23,7 +23,7 @@
- passwords
- name: "PRELIM | Gather UID 0 accounts other than root"
shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
changed_when: false
check_mode: false
register: rhel9cis_uid_zero_accounts_except_root
@ -36,14 +36,14 @@
- name: "PRELIM | Setup crypto-policy"
block:
- name: "PRELIM | Install crypto-policies"
dnf:
ansible.builtin.package:
name:
- crypto-policies
- crypto-policies-scripts
state: present
- name: "PRELIM | Gather system-wide crypto-policy"
shell: update-crypto-policies --show
ansible.builtin.shell: update-crypto-policies --show
changed_when: false
check_mode: false
register: system_wide_crypto_policy
@ -56,7 +56,7 @@
- crypto
- name: "PRELIM | if systemd coredump"
stat:
ansible.builtin.stat:
path: /etc/systemd/coredump.conf
register: systemd_coredump
when:
@ -68,14 +68,14 @@
- systemd
- name: "PRELIM | Section 1.1 | Create list of mount points"
set_fact:
ansible.builtin.set_fact:
mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
tags:
- level1-server
- level1-workstation
- name: "PRELIM | Ensure python3-libselinux is installed"
package:
ansible.builtin.package:
name: python3-libselinux
state: present
when:
@ -84,23 +84,23 @@
- name: "PRELIM | Set facts based on boot type"
block:
- name: "PRELIM | Check whether machine is UEFI-based"
stat:
ansible.builtin.stat:
path: /sys/firmware/efi
register: rhel_09_efi_boot
- name: "PRELIM | AUDIT | set legacy boot and grub path | Bios"
set_fact:
ansible.builtin.set_fact:
rhel9cis_legacy_boot: true
grub2_path: /etc/grub2.cfg
when: not rhel_09_efi_boot.stat.exists
- name: "PRELIM | set grub fact | UEFI"
set_fact:
ansible.builtin.set_fact:
grub2_path: /etc/grub2-efi.cfg
when: rhel_09_efi_boot.stat.exists
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
package:
ansible.builtin.package:
name: audit
state: present
become: true
@ -135,7 +135,7 @@
- rule_4.1.4.7
- name: "PRELIM | Section 5.1 | Configure cron"
package:
ansible.builtin.package:
name: cronie
state: present
become: true
@ -149,7 +149,7 @@
- cron
- name: "PRELIM | Install authconfig"
package:
ansible.builtin.package:
name: authconfig
state: present
become: true
@ -170,7 +170,7 @@
- auditd
- name: "PRELIM | 5.3.4 | Find all sudoers files."
command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
failed_when: false
check_mode: false
@ -183,7 +183,7 @@
- rule_5.3.5
- name: "PRELIM | Check for rhnsd service"
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
changed_when: false
check_mode: false
become: true
@ -198,28 +198,28 @@
- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
block:
- name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: uid_max_id
- name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: gid_min_id
- name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
set_fact:
ansible.builtin.set_fact:
min_int_uid: "{{ uid_min_id.stdout }}"
max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}"
- name: Output of uid findings
debug:
ansible.builtin.debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}"
when:
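Review bot: The `Find all sudoers files` task is changed from `ansible.builtin.command` to `ansible.builtin.shell` although the command uses no pipe, redirection or shell expansion; `command` runs without a shell, passes the quoted `'*~'` and `'*.*'` arguments literally, and interprets no metacharacters, and ansible-lint's `command-instead-of-shell` rule reports exactly the opposite direction of this change. The same command→shell swap appears in 1.2.3 (`dnf repolist`), 1.3.1 (`aide --init`), 3.1.2 (`rpm -q NetworkManager` and the two `nmcli` calls) and 4.2.1.5 (`cat /etc/rsyslog.conf`); each should remain `ansible.builtin.command`. Where a lint warning was the motivation, the `# noqa` annotation already used in this role is the narrower fix.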


@ -32,7 +32,7 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: remount tmp
notify: Remount tmp
with_items:
- "{{ ansible_mounts }}"
loop_control:
@ -64,7 +64,7 @@
owner: root
group: root
mode: 0644
notify: systemd restart tmp.mount
notify: Systemd restart tmp.mount
when:
- rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2_1 or


@ -35,7 +35,7 @@
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- var_mount_present is defined
- item.mount == "/var"


@ -37,7 +37,7 @@
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- var_tmp_mount_present is defined
- item.mount == "/var/tmp"


@ -37,7 +37,7 @@
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- var_log_mount_present is defined
- item.mount == "/var/log"


@ -10,8 +10,8 @@
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '1.1.6.1'
required_mount: '/var/log/audit'
warn_control_id: '1.1.6.1'
required_mount: '/var/log/audit'
when:
- required_mount not in mount_names
- rhel9cis_rule_1_1_6_1
@ -36,7 +36,7 @@
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- var_log_audit_mount_present is defined
- item.mount == "/var/log/audit"


@ -36,7 +36,7 @@
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- home_mount_present is defined
- item.mount == "/home"


@ -34,7 +34,7 @@
fstype: tmpfs
state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %}
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- rhel9cis_rule_1_1_8_2 or
rhel9cis_rule_1_1_8_3 or


@ -4,7 +4,7 @@
ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
update-crypto-policies
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- rhel9cis_rule_1_10
- system_wide_crypto_policy['stdout'] == 'LEGACY'


@ -68,7 +68,7 @@
- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured"
block:
- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list"
ansible.builtin.command: dnf repolist
ansible.builtin.shell: dnf repolist
changed_when: false
failed_when: false
register: dnf_configured


@ -8,7 +8,7 @@
state: present
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
changed_when: false
failed_when: false
async: 45


@ -25,7 +25,7 @@
owner: root
group: root
mode: 0644
notify: reload dconf
notify: Reload dconf
with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
@ -54,7 +54,7 @@
owner: root
group: root
mode: 0644
notify: reload dconf
notify: Reload dconf
with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
@ -81,7 +81,7 @@
owner: root
group: root
mode: 0644
notify: reload dconf
notify: Reload dconf
with_items:
- { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
- { regex: 'automount=', line: 'automount=false' }


@ -4,7 +4,7 @@
ansible.builtin.package:
name: "*"
state: latest
notify: change_requires_reboot
notify: Change_requires_reboot
when:
- rhel9cis_rule_1_9
- not system_is_ec2


@ -228,7 +228,7 @@
ansible.builtin.package:
name: dnsmasq
state: absent
notify: restart postfix
notify: Restart postfix
when:
- not rhel9cis_is_mail_server
- "'dnsmasq' in ansible_facts.packages"
@ -245,7 +245,7 @@
path: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = loopback-only"
notify: restart postfix
notify: Restart postfix
when:
- not rhel9cis_is_mail_server
- "'postfix' in ansible_facts.packages"


@ -27,21 +27,21 @@
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
block:
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
ansible.builtin.command: rpm -q NetworkManager
ansible.builtin.shell: rpm -q NetworkManager
changed_when: false
failed_when: false
check_mode: false
register: rhel_08_nmcli_available
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
ansible.builtin.command: nmcli radio wifi
ansible.builtin.shell: nmcli radio wifi
register: rhel_08_wifi_enabled
changed_when: rhel_08_wifi_enabled.stdout != "disabled"
failed_when: false
when: rhel_08_nmcli_available.rc == 0
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
ansible.builtin.command: nmcli radio all off
ansible.builtin.shell: nmcli radio all off
changed_when: false
failed_when: false
when: rhel_08_wifi_enabled is changed


@ -5,7 +5,7 @@
path: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)"
line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
notify: restart auditd
notify: Restart auditd
when:
- rhel9cis_rule_4_1_2_1
tags:
@ -21,7 +21,7 @@
path: /etc/audit/auditd.conf
regexp: "^max_log_file_action"
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
notify: restart auditd
notify: Restart auditd
when:
- rhel9cis_rule_4_1_2_2
tags:
@ -36,7 +36,7 @@
path: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart auditd
notify: Restart auditd
with_items:
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
- { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' }
@ -56,7 +56,7 @@
regexp: "^{{ item }}( |=)"
line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
notify: restart auditd
notify: Restart auditd
when:
- rhel9cis_auditd_extra_conf.keys() | length > 0
tags:


@ -64,9 +64,9 @@
loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
when:
- item.mode != '06(0|4)0'
- rhel9cis_rule_4_1_4_5
when:
- item.mode != '06(0|4)0'
- rhel9cis_rule_4_1_4_5
tags:
- level2-server
- level2-workstation


@ -32,10 +32,10 @@
path: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes
notify: restart rsyslog
notify: Restart rsyslog
when:
- rhel9cis_rule_4_2_1_3
- rhel9cis_preferred_log_capture == "rsyslog"
- rhel9cis_syslog == "rsyslog"
tags:
- level1-server
- level1-workstation
@ -47,7 +47,7 @@
path: /etc/rsyslog.conf
regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640'
notify: restart rsyslog
notify: Restart rsyslog
when:
- rhel9cis_rule_4_2_1_4
tags:
@ -60,7 +60,7 @@
- name: "4.2.1.5 | PATCH | Ensure logging is configured"
block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.command: cat /etc/rsyslog.conf
ansible.builtin.shell: cat /etc/rsyslog.conf
changed_when: false
failed_when: false
check_mode: false
@ -84,7 +84,7 @@
mail.warning -/var/log/mail.warning
mail.err /var/log/mail.err
insertafter: '# Log all the mail messages in one place.'
notify: restart rsyslog
notify: Restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
@ -97,7 +97,7 @@
news.crit -/var/log/news/news.crit
news.notice -/var/log/news/news.crit
insertafter: '# Save news errors of level crit and higher in a special file.'
notify: restart rsyslog
notify: Restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
@ -111,7 +111,7 @@
*.crit /var/log/warn
*.*;mail.none;news.none /var/log/messages
insertafter: '#### RULES ####'
notify: restart rsyslog
notify: Restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
@ -127,7 +127,7 @@
local6,local7.* -/var/log/localmessages
*.emrg :omusrmsg:*
insertafter: '#### RULES ####'
notify: restart rsyslog
notify: Restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
ansible.builtin.blockinfile:
@ -138,7 +138,7 @@
# Private settings to meet CIS standards
auth,authpriv.* /var/log/secure
insertafter: '#### RULES ####'
notify: restart rsyslog
notify: Restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
ansible.builtin.blockinfile:
@ -149,7 +149,7 @@
# Cron settings to meet CIS standards
cron.* /var/log/cron
insertafter: '#### RULES ####'
notify: restart rsyslog
notify: Restart rsyslog
when:
- rhel9cis_rule_4_2_1_5
tags:
@ -171,7 +171,7 @@
failed_when:
- result is failed
- result.rc != 257
notify: restart rsyslog
notify: Restart rsyslog
when:
- rhel9cis_rule_4_2_1_6
- rhel9cis_remote_log_server
@ -189,7 +189,7 @@
path: /etc/rsyslog.conf
regexp: '{{ item }}'
replace: '#\1'
notify: restart rsyslog
notify: Restart rsyslog
loop:
- '^(\$ModLoad imtcp)'
- '^(\$InputTCPServerRun)'
@ -202,7 +202,7 @@
path: /etc/rsyslog.conf
regexp: '^#(.*{{ item }}.*)'
replace: '\1'
notify: restart rsyslog
notify: Restart rsyslog
loop:
- 'ModLoad imtcp'
- 'InputTCPServerRun'


@ -19,7 +19,7 @@
path: /etc/systemd/journal-upload.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart systemd_journal_upload
notify: Restart systemd_journal_upload
with_items:
- { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
@ -92,7 +92,7 @@
ansible.builtin.import_tasks: warning_facts.yml
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
vars:
warn_control_id: '4.2.2.2'
warn_control_id: '4.2.2.2'
when:
- rhel9cis_rule_4_2_2_2
tags:
@ -108,7 +108,7 @@
path: /etc/systemd/journald.conf
regexp: "^#Compress=|^Compress="
line: Compress=yes
notify: restart systemd_journal_upload
notify: Restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_3
tags:
@ -124,7 +124,7 @@
path: /etc/systemd/journald.conf
regexp: "^#Storage=|^Storage="
line: Storage=persistent
notify: restart systemd_journal_upload
notify: Restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_4
tags:
@ -141,7 +141,7 @@
path: /etc/systemd/journald.conf
regexp: "^ForwardToSyslog="
line: "#ForwardToSyslog=yes"
notify: restart systemd_journal_upload
notify: Restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_5
tags:
@ -157,7 +157,7 @@
path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart journald
notify: Restart systemd_journal_upload
with_items:
- { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
- { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
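Review bot: The last hunk changes the SystemMaxUse/SystemKeepFree task's handler from `restart journald` to `Restart systemd_journal_upload`, but the task edits `/etc/systemd/journald.conf`; restarting systemd-journal-upload does not make journald re-read its own configuration, so the new journal size/retention limits stay inactive until journald is restarted or the host reboots. The same mismatch already exists on the Compress, Storage=persistent and ForwardToSyslog tasks above, which also edit journald.conf yet notify the upload service. Change the notify on all four journald.conf tasks to `notify: Restart journald` (assuming a handler of that name exists alongside the other renamed handlers; if it does not, it must be added, e.g. `ansible.builtin.systemd` with `name: systemd-journald`, `state: restarted`). Keep `Restart systemd_journal_upload` only on the first hunk, which edits journal-upload.conf. The `- name:` line of each affected task starts outside its hunk.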


@ -84,7 +84,7 @@
regexp: "^AllowUsers"
line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
validate: sshd -t -f %s
notify: restart sshd
notify: Restart sshd
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
@ -93,7 +93,7 @@
regexp: "^AllowGroups"
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
validate: sshd -t -f %s
notify: restart sshd
notify: Restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
@ -102,7 +102,7 @@
regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
validate: sshd -t -f %s
notify: restart sshd
notify: Restart sshd
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
@ -111,7 +111,7 @@
regexp: "^DenyGroups"
line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
validate: sshd -t -f %s
notify: restart sshd
notify: Restart sshd
when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
when:
- rhel9cis_rule_5_2_4
@ -267,7 +267,7 @@
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
notify: restart sshd
notify: Restart sshd
when: ssh_crypto_discovery.stdout | length > 0
when:
- rhel9cis_rule_5_2_14
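Review bot: The 5.2.14 task in the last hunk still rewrites `/etc/sysconfig/sshd` with `ansible.builtin.shell` plus `sed -ri`, which always reports changed (no `changed_when`), skips silently in check mode, and needs the shell only to run sed; the commit renames its notify but leaves this in place. The equivalent `ansible.builtin.replace` is idempotent, check-mode aware, and only fires `Restart sshd` when a `CRYPTO_POLICY=` line was actually commented out, so a config-only run does not bounce sshd needlessly. The `ssh_crypto_discovery` register and the enclosing block start outside the hunk, so the `when` guard can stay as is.

```yaml
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
  ansible.builtin.replace:
    path: /etc/sysconfig/sshd
    regexp: '^\s*(CRYPTO_POLICY\s*=.*)$'
    replace: '# \1'
  notify: Restart sshd
  when: ssh_crypto_discovery.stdout | length > 0
```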


@ -52,19 +52,19 @@
register: rhel9cis_5_6_1_4_inactive_settings
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: rhel_8_5_6_1_4_user_list
register: rhel9cis_5_6_1_4_user_list
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
with_items:
- "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
- "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
when:
- rhel9cis_rule_5_6_1_4
tags:
@ -104,7 +104,7 @@
- not rhel9cis_futurepwchgdate_autofix
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.command: passwd --expire {{ item }}
ansible.builtin.shell: passwd --expire {{ item }}
when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
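Review bot: Both hunks swap `ansible.builtin.command` for `ansible.builtin.shell` on `useradd -D -f`, `chage --inactive` and `passwd --expire`, which is the opposite of what ansible-lint's command-instead-of-shell rule asks for and widens the attack surface: the `{{ item }}` values are account names read straight out of `/etc/shadow` by the awk task, and under `shell` they are expanded by `/bin/sh`, so a name containing `$(...)`, backticks or `;` (possible for accounts created outside `useradd`'s name checks) executes as root; with `command` they are passed as plain argv. None of the three commands uses pipes, redirects or globbing, so nothing needs a shell. Revert the three keys, e.g. `ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}`, `ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"`, `ansible.builtin.command: passwd --expire "{{ item }}"` (quoting the last `{{ item }}` to match the chage task). The enclosing 5.6.1.4 and 5.6.1.5 blocks start outside their hunks.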


@ -207,7 +207,7 @@
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:


@ -450,7 +450,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
# Section 4
## syslog
rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }}
rhel9cis_syslog: {{ rhel9cis_syslog }}
# Section 5
## 5.2.4 Note the following to understand precedence and layout


@ -8,5 +8,5 @@ rhel9cis_allowed_crypto_policies:
- 'FIPS'
# Used to control warning summary
control_number: ""
warn_control_list: ""
warn_count: 0