ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

lint updates

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-13 12:10:18 +00:00
parent 3ead0d63ac
commit acf0104f7a
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
34 changed files with 199 additions and 213 deletions
Download patch file Download diff file Expand all files Collapse all files

93
handlers/main.yml
View file

@ -1,14 +1,13 @@
--- ---
# handlers file for RHEL9-CIS # handlers file for RHEL9-CIS
- name: reload sysctl - name: Reload sysctl
shell: sysctl --system ansible.builtin.shell: sysctl --system
when: when:
- sysctl_updated.changed - sysctl_updated.changed
- name: sysctl flush ipv4 route table - name: Sysctl flush ipv4 route table
become: true ansible.posix.sysctl:
sysctl:
name: net.ipv4.route.flush name: net.ipv4.route.flush
value: '1' value: '1'
sysctl_set: true sysctl_set: true
@ -16,12 +15,9 @@
when: when:
- flush_ipv4_route - flush_ipv4_route
- not system_is_container - not system_is_container
tags:
- skip_ansible_lint
- name: sysctl flush ipv6 route table - name: Sysctl flush ipv6 route table
become: true ansible.posix.sysctl:
sysctl:
name: net.ipv6.route.flush name: net.ipv6.route.flush
value: '1' value: '1'
sysctl_set: true sysctl_set: true
@ -29,92 +25,81 @@
- flush_ipv6_route - flush_ipv6_route
- not system_is_container - not system_is_container
- name: systemd restart tmp.mount - name: Systemd restart tmp.mount
become: true ansible.builtin.systemd:
systemd:
name: tmp.mount name: tmp.mount
daemon_reload: true daemon_Reload: true
enabled: true enabled: true
masked: false masked: false
state: reloaded state: Reloaded
- name: systemd restart var-tmp.mount - name: Remount tmp
become: true ansible.posix.mount:
systemd: path: /tmp
name: var-tmp.mount state: remounted
daemon_reload: true
enabled: true
masked: false
state: reloaded
- name: remount tmp - name: Restart firewalld
ansible.posix.mount: ansible.builtin.systemd:
path: /tmp
state: remounted
- name: restart firewalld
service:
name: firewalld name: firewalld
state: restarted state: restarted
- name: restart sshd - name: Restart sshd
service: ansible.builtin.systemd:
name: sshd name: sshd
state: restarted state: restarted
- name: restart postfix - name: Restart postfix
service: ansible.builtin.systemd:
name: postfix name: postfix
state: restarted state: restarted
- name: reload dconf - name: Reload dconf
shell: dconf update ansible.builtin.shell: dconf update
- name: grub2cfg - name: grub2cfg
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: restart rsyslog - name: Restart rsyslog
become: true ansible.builtin.systemd:
service:
name: rsyslog name: rsyslog
state: restarted state: restarted
- name: restart journald - name: Restart journald
service: ansible.builtin.systemd:
name: systemd-journald name: systemd-journald
state: restarted state: restarted
- name: restart systemd_journal_upload - name: Restart systemd_journal_upload
service: ansible.builtin.systemd:
name: systemd-journal-upload name: systemd-journal-upload
state: restarted state: restarted
- name: systemd_daemon_reload - name: Systemd_daemon_Reload
systemd: ansible.builtin.systemd:
daemon-reload: true daemon-reload: true
## Auditd tasks note order for handlers to run ## Auditd tasks note order for handlers to run
- name: auditd_immutable_check - name: Auditd_immutable_check
shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false changed_when: false
register: auditd_immutable_check register: auditd_immutable_check
- name: audit_immutable_fact - name: Audit_immutable_fact
debug: ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set" msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot notify: change_requires_reboot
when: when:
- auditd_immutable_check.stdout == '1' - auditd_immutable_check.stdout == '1'
- name: restart auditd - name: Restart auditd
shell: service auditd restart ansible.builtin.shell: service auditd restart
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: change_requires_reboot - name: Change_requires_reboot
set_fact: ansible.builtin.set_fact:
change_requires_reboot: true change_requires_reboot: true

1
site.yml
View file

@ -1,4 +1,5 @@
--- ---
- hosts: all - hosts: all
become: true become: true
roles: roles:

10
tasks/LE_audit_setup.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: Download audit binary - name: Download audit binary
get_url: ansible.builtin.get_url:
url: "{{ goss_url }}" url: "{{ goss_url }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
owner: root owner: root
@ -11,8 +11,8 @@
when: when:
- get_goss_file == 'download' - get_goss_file == 'download'
- name: copy audit binary - name: Copy audit binary
copy: ansible.builtin.copy:
src: src:
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
mode: 0555 mode: 0555
@ -21,8 +21,8 @@
when: when:
- get_goss_file == 'copy' - get_goss_file == 'copy'
- name: install git if not present - name: Install git if not present
package: ansible.builtin.package:
name: git name: git
state: present state: present
register: git_installed register: git_installed

12
tasks/auditd.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
template: ansible.builtin.template:
src: audit/99_auditd.rules.j2 src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules dest: /etc/audit/rules.d/99_auditd.rules
owner: root owner: root
@ -9,18 +9,18 @@
mode: 0600 mode: 0600
register: audit_rules_updated register: audit_rules_updated
notify: notify:
- auditd_immutable_check - Auditd_immutable_check
- audit_immutable_fact - Audit_immutable_fact
- restart auditd - Restart auditd
- name: POST | Set up auditd user logging exceptions - name: POST | Set up auditd user logging exceptions
template: ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2 src: audit/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600
notify: restart auditd notify: Restart auditd
when: when:
- allow_auditd_uid_user_exclusions - allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0 - rhel9cis_auditd_uid_exclude | length > 0

2
tasks/check_prereqs.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: "PREREQ | If required install libselinux package to manage file changes." - name: "PREREQ | If required install libselinux package to manage file changes."
package: ansible.builtin.package:
name: libselinux-python3 name: libselinux-python3
state: present state: present
when: when:

60
tasks/main.yml
View file

@ -2,7 +2,7 @@
# tasks file for RHEL9-CIS # tasks file for RHEL9-CIS
- name: Check OS version and family - name: Check OS version and family
assert: ansible.builtin.assert:
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
@ -13,7 +13,7 @@
- always - always
- name: Check ansible version - name: Check ansible version
assert: ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=') that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
@ -23,14 +23,14 @@
- name: "Check password set for {{ ansible_user }}" - name: "Check password set for {{ ansible_user }}"
block: block:
- name: Capture current password state of "{{ ansible_user }}" - name: Capture current password state of "{{ ansible_user }}"
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: ansible_user_password_set register: ansible_user_password_set
- name: "Assert that password set for {{ ansible_user }} and account not locked" - name: "Assert that password set for {{ ansible_user }} and account not locked"
assert: ansible.builtin.assert:
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
success_msg: "You a password set for the {{ ansible_user }}" success_msg: "You a password set for the {{ ansible_user }}"
@ -45,15 +45,15 @@
- name: Setup rules if container - name: Setup rules if container
block: block:
- name: Discover and set container variable if required - name: Discover and set container variable if required
set_fact: ansible.builtin.set_fact:
system_is_container: true system_is_container: true
- name: Load variable for container - name: Load variable for container
include_vars: ansible.builtin.include_vars:
file: "{{ container_vars_file }}" file: "{{ container_vars_file }}"
- name: output if discovered is a container - name: Output if discovered is a container
debug: ansible.builtin.debug:
msg: system has been discovered as a container msg: system has been discovered as a container
when: when:
- system_is_container - system_is_container
@ -65,13 +65,13 @@
- always - always
- name: Check crypto-policy input - name: Check crypto-policy input
assert: ansible.builtin.assert:
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
fail_msg: "Crypto policy is not a permitted version" fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version" success_msg: "Crypto policy is a permitted version"
- name: Check rhel9cis_bootloader_password_hash variable has been changed - name: Check rhel9cis_bootloader_password_hash variable has been changed
assert: ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
when: when:
@ -80,10 +80,10 @@
tags: tags:
- always - always
- name: "check sugroup exists if used" - name: Check sugroup exists if used
block: block:
- name: "Check su group exists if defined" - name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
register: sugroup_exists register: sugroup_exists
changed_when: false changed_when: false
failed_when: sugroup_exists.rc >= 2 failed_when: sugroup_exists.rc >= 2
@ -91,7 +91,7 @@
- skip_ansible_lint - skip_ansible_lint
- name: Check sugroup if defined exists before continuing - name: Check sugroup if defined exists before continuing
assert: ansible.builtin.assert:
that: sugroup_exists.rc == 0 that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when: when:
@ -101,35 +101,35 @@
- rule_5.7 - rule_5.7
- name: Gather the package facts - name: Gather the package facts
package_facts: ansible.builtin.package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: Include OS specific variables - name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
tags: tags:
- always - always
- name: Include preliminary steps - name: Include preliminary steps
import_tasks: prelim.yml ansible.builtin.import_tasks: prelim.yml
tags: tags:
- prelim_tasks - prelim_tasks
- always - always
- name: run pre_remediation audit - name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml ansible.builtin.include_tasks: pre_remediation_audit.yml
when: when:
- run_audit - run_audit
- name: Gather the package facts after prelim - name: Gather the package facts after prelim
package_facts: ansible.builtin.package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: capture /etc/password variables - name: capture /etc/password variables
include_tasks: parse_etc_password.yml ansible.builtin.include_tasks: parse_etc_password.yml
when: when:
- rhel9cis_section6 - rhel9cis_section6
tags: tags:
@ -142,67 +142,67 @@
- rhel9cis_section6 - rhel9cis_section6
- name: run Section 1 tasks - name: run Section 1 tasks
import_tasks: section_1/main.yml ansible.builtin.import_tasks: section_1/main.yml
when: rhel9cis_section1 when: rhel9cis_section1
tags: tags:
- rhel9cis_section1 - rhel9cis_section1
- name: run Section 2 tasks - name: run Section 2 tasks
import_tasks: section_2/main.yml ansible.builtin.import_tasks: section_2/main.yml
when: rhel9cis_section2 when: rhel9cis_section2
tags: tags:
- rhel9cis_section2 - rhel9cis_section2
- name: run Section 3 tasks - name: run Section 3 tasks
import_tasks: section_3/main.yml ansible.builtin.import_tasks: section_3/main.yml
when: rhel9cis_section3 when: rhel9cis_section3
tags: tags:
- rhel9cis_section3 - rhel9cis_section3
- name: run Section 4 tasks - name: run Section 4 tasks
import_tasks: section_4/main.yml ansible.builtin.import_tasks: section_4/main.yml
when: rhel9cis_section4 when: rhel9cis_section4
tags: tags:
- rhel9cis_section4 - rhel9cis_section4
- name: run Section 5 tasks - name: run Section 5 tasks
import_tasks: section_5/main.yml ansible.builtin.import_tasks: section_5/main.yml
when: rhel9cis_section5 when: rhel9cis_section5
tags: tags:
- rhel9cis_section5 - rhel9cis_section5
- name: run Section 6 tasks - name: run Section 6 tasks
import_tasks: section_6/main.yml ansible.builtin.import_tasks: section_6/main.yml
when: rhel9cis_section6 when: rhel9cis_section6
tags: tags:
- rhel9cis_section6 - rhel9cis_section6
- name: run auditd logic - name: run auditd logic
import_tasks: auditd.yml ansible.builtin.import_tasks: auditd.yml
when: when:
- update_audit_template - update_audit_template
tags: tags:
- always - always
- name: run post remediation tasks - name: run post remediation tasks
import_tasks: post.yml ansible.builtin.import_tasks: post.yml
tags: tags:
- post_tasks - post_tasks
- always - always
- name: run post_remediation audit - name: run post_remediation audit
import_tasks: post_remediation_audit.yml ansible.builtin.import_tasks: post_remediation_audit.yml
when: when:
- run_audit - run_audit
- name: Show Audit Summary - name: Show Audit Summary
debug: ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}" msg: "{{ audit_results.split('\n') }}"
when: when:
- run_audit - run_audit
- name: If Warnings found Output count and control IDs affected - name: If Warnings found Output count and control IDs affected
debug: ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
when: warn_count != 0 when: warn_count != 0
tags: tags:

4
tasks/parse_etc_password.yml
View file

@ -3,13 +3,13 @@
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
block: block:
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
shell: cat /etc/passwd ansible.builtin.shell: cat /etc/passwd
changed_when: false changed_when: false
check_mode: false check_mode: false
register: rhel9cis_passwd_file_audit register: rhel9cis_passwd_file_audit
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
set_fact: ansible.builtin.set_fact:
rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"
vars: vars:

24
tasks/post.yml
View file

@ -2,25 +2,25 @@
# Post tasks # Post tasks
- name: Perform DNF package cleanup - name: Perform DNF package cleanup
dnf: ansible.builtin.package:
autoremove: true autoremove: true
changed_when: false changed_when: false
- name: Gather the package facts after remediation - name: Gather the package facts after remediation
package_facts: ansible.builtin.package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: update sysctl - name: Update sysctl
template: ansible.builtin.template:
src: "etc/sysctl.d/{{ item }}.j2" src: "etc/sysctl.d/{{ item }}.j2"
dest: "/etc/sysctl.d/{{ item }}" dest: "/etc/sysctl.d/{{ item }}"
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600
register: sysctl_updated register: sysctl_updated
notify: reload sysctl notify: Reload sysctl
with_items: with_items:
- 60-kernel_sysctl.conf - 60-kernel_sysctl.conf
- 60-disable_ipv6.conf - 60-disable_ipv6.conf
@ -31,29 +31,29 @@
- not system_is_container - not system_is_container
- "'procps-ng' in ansible_facts.packages" - "'procps-ng' in ansible_facts.packages"
- name: flush handlers - name: Flush handlers
meta: flush_handlers ansible.builtin.meta: flush_handlers
- name: POST | reboot system if changes require it and not skipped - name: POST | reboot system if changes require it and not skipped
block: block:
- name: POST | Reboot system if changes require it and not skipped - name: POST | Reboot system if changes require it and not skipped
reboot: ansible.builtin.reboot:
when: when:
- change_requires_reboot - Change_requires_reboot
- not skip_reboot - not skip_reboot
- name: POST | Warning a reboot required but skip option set - name: POST | Warning a reboot required but skip option set
debug: ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true changed_when: true
when: when:
- change_requires_reboot - Change_requires_reboot
- skip_reboot - skip_reboot
- name: "POST | Warning a reboot required but skip option set | warning count" - name: "POST | Warning a reboot required but skip option set | warning count"
ansible.builtin.import_tasks: warning_facts.yml ansible.builtin.import_tasks: warning_facts.yml
when: when:
- change_requires_reboot - Change_requires_reboot
- skip_reboot - skip_reboot
vars: vars:
warn_control_id: Reboot_required warn_control_id: Reboot_required

14
tasks/post_remediation_audit.yml
View file

@ -1,13 +1,13 @@
--- ---
- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - name: "Post Audit | Run post_remediation {{ benchmark }} audit"
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}" environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: audit_run_post_remediation.rc == 0 changed_when: audit_run_post_remediation.rc == 0
register: audit_run_post_remediation register: audit_run_post_remediation
- name: Post Audit | ensure audit files readable by users - name: Post Audit | ensure audit files readable by users
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 0644 mode: 0644
state: file state: file
@ -17,13 +17,13 @@
- name: Post Audit | Capture audit data if json format - name: Post Audit | Capture audit data if json format
block: block:
- name: "capture data {{ post_audit_outfile }}" - name: "Capture data {{ post_audit_outfile }}"
shell: "cat {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: post_audit register: post_audit
changed_when: false changed_when: false
- name: Capture post-audit result - name: Capture post-audit result
set_fact: ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
vars: vars:
summary: 'summary."summary-line"' summary: 'summary."summary-line"'
@ -33,12 +33,12 @@
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
block: block:
- name: "Post Audit | capture data {{ post_audit_outfile }}" - name: "Post Audit | capture data {{ post_audit_outfile }}"
shell: "tail -2 {{ post_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit register: post_audit
changed_when: false changed_when: false
- name: Post Audit | Capture post-audit result - name: Post Audit | Capture post-audit result
set_fact: ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout_lines }}" post_audit_summary: "{{ post_audit.stdout_lines }}"
when: when:
- audit_format == "documentation" - audit_format == "documentation"

28
tasks/pre_remediation_audit.yml
View file

@ -1,20 +1,20 @@
--- ---
- name: Pre Audit | Setup the audit - name: Pre Audit | Setup the audit
include_tasks: LE_audit_setup.yml ansible.builtin.include_tasks: LE_audit_setup.yml
when: when:
- setup_audit - setup_audit
tags: tags:
- setup_audit - setup_audit
- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists"
file: ansible.builtin.file:
path: "{{ audit_conf_dir }}" path: "{{ audit_conf_dir }}"
state: directory state: directory
mode: '0755' mode: '0755'
- name: Pre Audit | retrieve audit content files from git - name: Pre Audit | retrieve audit content files from git
git: ansible.builtin.git:
repo: "{{ audit_file_git }}" repo: "{{ audit_file_git }}"
dest: "{{ audit_conf_dir }}" dest: "{{ audit_conf_dir }}"
version: "{{ audit_git_version }}" version: "{{ audit_git_version }}"
@ -22,7 +22,7 @@
- audit_content == 'git' - audit_content == 'git'
- name: Pre Audit | copy to audit content files to server - name: Pre Audit | copy to audit content files to server
copy: ansible.builtin.copy:
src: "{{ audit_local_copy }}" src: "{{ audit_local_copy }}"
dest: "{{ audit_conf_dir }}" dest: "{{ audit_conf_dir }}"
mode: 0644 mode: 0644
@ -30,7 +30,7 @@
- audit_content == 'copy' - audit_content == 'copy'
- name: Pre Audit | get audit content from url - name: Pre Audit | get audit content from url
get_url: ansible.builtin.get_url:
url: "{{ audit_files_url }}" url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}" dest: "{{ audit_conf_dir }}"
owner: root owner: root
@ -42,12 +42,12 @@
- name: Pre Audit | Check Goss is available - name: Pre Audit | Check Goss is available
block: block:
- name: Pre Audit | Check for goss file - name: Pre Audit | Check for goss file
stat: ansible.builtin.stat:
path: "{{ audit_bin }}" path: "{{ audit_bin }}"
register: goss_available register: goss_available
- name: Pre Audit | Alert if goss not available - name: Pre Audit | Alert if goss not available
assert: ansible.builtin.assert:
that: goss_available.stat.exists that: goss_available.stat.exists
fail_msg: "Audit binary file {{ audit_bin }} does not exist" fail_msg: "Audit binary file {{ audit_bin }} does not exist"
success_msg: "Audit binary file {{ audit_bin }} exists" success_msg: "Audit binary file {{ audit_bin }} exists"
@ -55,14 +55,14 @@
- run_audit - run_audit
- name: "Pre Audit | Check whether machine is UEFI-based" - name: "Pre Audit | Check whether machine is UEFI-based"
stat: ansible.builtin.stat:
path: /sys/firmware/efi path: /sys/firmware/efi
register: rhel9_efi_boot register: rhel9_efi_boot
tags: tags:
- goss_template - goss_template
- name: Pre Audit | Copy ansible default vars values to test audit - name: Pre Audit | Copy ansible default vars values to test audit
template: ansible.builtin.template:
src: ansible_vars_goss.yml.j2 src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}" dest: "{{ audit_vars_path }}"
mode: 0600 mode: 0600
@ -72,7 +72,7 @@
- goss_template - goss_template
- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}" environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: audit_run_pre_remediation.rc == 0 changed_when: audit_run_pre_remediation.rc == 0
register: audit_run_pre_remediation register: audit_run_pre_remediation
@ -80,12 +80,12 @@
- name: Pre Audit | Capture audit data if json format - name: Pre Audit | Capture audit data if json format
block: block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}" - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
shell: "cat {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
register: pre_audit register: pre_audit
changed_when: false changed_when: false
- name: Pre Audit | Capture pre-audit result - name: Pre Audit | Capture pre-audit result
set_fact: ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
vars: vars:
summary: 'summary."summary-line"' summary: 'summary."summary-line"'
@ -95,12 +95,12 @@
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
block: block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}" - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
shell: "tail -2 {{ pre_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
register: pre_audit register: pre_audit
changed_when: false changed_when: false
- name: Pre Audit | Capture pre-audit result - name: Pre Audit | Capture pre-audit result
set_fact: ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout_lines }}" pre_audit_summary: "{{ pre_audit.stdout_lines }}"
when: when:
- audit_format == "documentation" - audit_format == "documentation"

42
tasks/prelim.yml
View file

@ -3,7 +3,7 @@
# Preliminary tasks that should always be run # Preliminary tasks that should always be run
# List users in order to look files inside each home directory # List users in order to look files inside each home directory
- name: "PRELIM | List users accounts" - name: "PRELIM | List users accounts"
shell: "awk -F: '{print $1}' /etc/passwd" ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: users register: users
@ -13,7 +13,7 @@
- users - users
- name: "PRELIM | Gather accounts with empty password fields" - name: "PRELIM | Gather accounts with empty password fields"
shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: empty_password_accounts register: empty_password_accounts
@ -23,7 +23,7 @@
- passwords - passwords
- name: "PRELIM | Gather UID 0 accounts other than root" - name: "PRELIM | Gather UID 0 accounts other than root"
shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: rhel9cis_uid_zero_accounts_except_root register: rhel9cis_uid_zero_accounts_except_root
@ -36,14 +36,14 @@
- name: "PRELIM | Setup crypto-policy" - name: "PRELIM | Setup crypto-policy"
block: block:
- name: "PRELIM | Install crypto-policies" - name: "PRELIM | Install crypto-policies"
dnf: ansible.builtin.package:
name: name:
- crypto-policies - crypto-policies
- crypto-policies-scripts - crypto-policies-scripts
state: present state: present
- name: "PRELIM | Gather system-wide crypto-policy" - name: "PRELIM | Gather system-wide crypto-policy"
shell: update-crypto-policies --show ansible.builtin.shell: update-crypto-policies --show
changed_when: false changed_when: false
check_mode: false check_mode: false
register: system_wide_crypto_policy register: system_wide_crypto_policy
@ -56,7 +56,7 @@
- crypto - crypto
- name: "PRELIM | if systemd coredump" - name: "PRELIM | if systemd coredump"
stat: ansible.builtin.stat:
path: /etc/systemd/coredump.conf path: /etc/systemd/coredump.conf
register: systemd_coredump register: systemd_coredump
when: when:
@ -68,14 +68,14 @@
- systemd - systemd
- name: "PRELIM | Section 1.1 | Create list of mount points" - name: "PRELIM | Section 1.1 | Create list of mount points"
set_fact: ansible.builtin.set_fact:
mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- name: "PRELIM | Ensure python3-libselinux is installed" - name: "PRELIM | Ensure python3-libselinux is installed"
package: ansible.builtin.package:
name: python3-libselinux name: python3-libselinux
state: present state: present
when: when:
@ -84,23 +84,23 @@
- name: "PRELIM | Set facts based on boot type" - name: "PRELIM | Set facts based on boot type"
block: block:
- name: "PRELIM | Check whether machine is UEFI-based" - name: "PRELIM | Check whether machine is UEFI-based"
stat: ansible.builtin.stat:
path: /sys/firmware/efi path: /sys/firmware/efi
register: rhel_09_efi_boot register: rhel_09_efi_boot
- name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios"
set_fact: ansible.builtin.set_fact:
rhel9cis_legacy_boot: true rhel9cis_legacy_boot: true
grub2_path: /etc/grub2.cfg grub2_path: /etc/grub2.cfg
when: not rhel_09_efi_boot.stat.exists when: not rhel_09_efi_boot.stat.exists
- name: "PRELIM | set grub fact | UEFI" - name: "PRELIM | set grub fact | UEFI"
set_fact: ansible.builtin.set_fact:
grub2_path: /etc/grub2-efi.cfg grub2_path: /etc/grub2-efi.cfg
when: rhel_09_efi_boot.stat.exists when: rhel_09_efi_boot.stat.exists
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
package: ansible.builtin.package:
name: audit name: audit
state: present state: present
become: true become: true
@ -135,7 +135,7 @@
- rule_4.1.4.7 - rule_4.1.4.7
- name: "PRELIM | Section 5.1 | Configure cron" - name: "PRELIM | Section 5.1 | Configure cron"
package: ansible.builtin.package:
name: cronie name: cronie
state: present state: present
become: true become: true
@ -149,7 +149,7 @@
- cron - cron
- name: "PRELIM | Install authconfig" - name: "PRELIM | Install authconfig"
package: ansible.builtin.package:
name: authconfig name: authconfig
state: present state: present
become: true become: true
@ -170,7 +170,7 @@
- auditd - auditd
- name: "PRELIM | 5.3.4 | Find all sudoers files." - name: "PRELIM | 5.3.4 | Find all sudoers files."
command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
@ -183,7 +183,7 @@
- rule_5.3.5 - rule_5.3.5
- name: "PRELIM | Check for rhnsd service" - name: "PRELIM | Check for rhnsd service"
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
changed_when: false changed_when: false
check_mode: false check_mode: false
become: true become: true
@ -198,28 +198,28 @@
- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
block: block:
- name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_min_id register: uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_max_id register: uid_max_id
- name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: gid_min_id register: gid_min_id
- name: "PRELIM | AUDIT | set_facts for interactive uid/gid" - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
set_fact: ansible.builtin.set_fact:
min_int_uid: "{{ uid_min_id.stdout }}" min_int_uid: "{{ uid_min_id.stdout }}"
max_int_uid: "{{ uid_max_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}"
- name: Output of uid findings - name: Output of uid findings
debug: ansible.builtin.debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}" msg: "{{ min_int_uid }} {{ max_int_uid }}"
when: when:

4
tasks/section_1/cis_1.1.2.x.yml
View file

@ -32,7 +32,7 @@
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: remount tmp notify: Remount tmp
with_items: with_items:
- "{{ ansible_mounts }}" - "{{ ansible_mounts }}"
loop_control: loop_control:
@ -64,7 +64,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: systemd restart tmp.mount notify: Systemd restart tmp.mount
when: when:
- rhel9cis_tmp_svc - rhel9cis_tmp_svc
- rhel9cis_rule_1_1_2_1 or - rhel9cis_rule_1_1_2_1 or

2
tasks/section_1/cis_1.1.3.x.yml
View file

@ -35,7 +35,7 @@
- "{{ ansible_mounts }}" - "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- var_mount_present is defined - var_mount_present is defined
- item.mount == "/var" - item.mount == "/var"

2
tasks/section_1/cis_1.1.4.x.yml
View file

@ -37,7 +37,7 @@
- "{{ ansible_mounts }}" - "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- var_tmp_mount_present is defined - var_tmp_mount_present is defined
- item.mount == "/var/tmp" - item.mount == "/var/tmp"

2
tasks/section_1/cis_1.1.5.x.yml
View file

@ -37,7 +37,7 @@
- "{{ ansible_mounts }}" - "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- var_log_mount_present is defined - var_log_mount_present is defined
- item.mount == "/var/log" - item.mount == "/var/log"

6
tasks/section_1/cis_1.1.6.x.yml
View file

@ -10,8 +10,8 @@
ansible.builtin.import_tasks: warning_facts.yml ansible.builtin.import_tasks: warning_facts.yml
vars: vars:
warn_control_id: '1.1.6.1' warn_control_id: '1.1.6.1'
required_mount: '/var/log/audit' required_mount: '/var/log/audit'
when: when:
- required_mount not in mount_names - required_mount not in mount_names
- rhel9cis_rule_1_1_6_1 - rhel9cis_rule_1_1_6_1
@ -36,7 +36,7 @@
- "{{ ansible_mounts }}" - "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- var_log_audit_mount_present is defined - var_log_audit_mount_present is defined
- item.mount == "/var/log/audit" - item.mount == "/var/log/audit"

2
tasks/section_1/cis_1.1.7.x.yml
View file

@ -36,7 +36,7 @@
- "{{ ansible_mounts }}" - "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- home_mount_present is defined - home_mount_present is defined
- item.mount == "/home" - item.mount == "/home"

2
tasks/section_1/cis_1.1.8.x.yml
View file

@ -34,7 +34,7 @@
fstype: tmpfs fstype: tmpfs
state: mounted state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %}
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_2 or
rhel9cis_rule_1_1_8_3 or rhel9cis_rule_1_1_8_3 or

2
tasks/section_1/cis_1.10.yml
View file

@ -4,7 +4,7 @@
ansible.builtin.shell: | ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
update-crypto-policies update-crypto-policies
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- rhel9cis_rule_1_10 - rhel9cis_rule_1_10
- system_wide_crypto_policy['stdout'] == 'LEGACY' - system_wide_crypto_policy['stdout'] == 'LEGACY'

2
tasks/section_1/cis_1.2.x.yml
View file

@ -68,7 +68,7 @@
- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured"
block: block:
- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list"
ansible.builtin.command: dnf repolist ansible.builtin.shell: dnf repolist
changed_when: false changed_when: false
failed_when: false failed_when: false
register: dnf_configured register: dnf_configured

2
tasks/section_1/cis_1.3.x.yml
View file

@ -8,7 +8,7 @@
state: present state: present
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
changed_when: false changed_when: false
failed_when: false failed_when: false
async: 45 async: 45

6
tasks/section_1/cis_1.8.x.yml
View file

@ -25,7 +25,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: reload dconf notify: Reload dconf
with_items: with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
@ -54,7 +54,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: reload dconf notify: Reload dconf
with_items: with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
@ -81,7 +81,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: reload dconf notify: Reload dconf
with_items: with_items:
- { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
- { regex: 'automount=', line: 'automount=false' } - { regex: 'automount=', line: 'automount=false' }

2
tasks/section_1/cis_1.9.yml
View file

@ -4,7 +4,7 @@
ansible.builtin.package: ansible.builtin.package:
name: "*" name: "*"
state: latest state: latest
notify: change_requires_reboot notify: Change_requires_reboot
when: when:
- rhel9cis_rule_1_9 - rhel9cis_rule_1_9
- not system_is_ec2 - not system_is_ec2

4
tasks/section_2/cis_2.2.x.yml
View file

@ -228,7 +228,7 @@
ansible.builtin.package: ansible.builtin.package:
name: dnsmasq name: dnsmasq
state: absent state: absent
notify: restart postfix notify: Restart postfix
when: when:
- not rhel9cis_is_mail_server - not rhel9cis_is_mail_server
- "'dnsmasq' in ansible_facts.packages" - "'dnsmasq' in ansible_facts.packages"
@ -245,7 +245,7 @@
path: /etc/postfix/main.cf path: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces" regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = loopback-only" line: "inet_interfaces = loopback-only"
notify: restart postfix notify: Restart postfix
when: when:
- not rhel9cis_is_mail_server - not rhel9cis_is_mail_server
- "'postfix' in ansible_facts.packages" - "'postfix' in ansible_facts.packages"

6
tasks/section_3/cis_3.1.x.yml
View file

@ -27,21 +27,21 @@
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
block: block:
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
ansible.builtin.command: rpm -q NetworkManager ansible.builtin.shell: rpm -q NetworkManager
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel_08_nmcli_available register: rhel_08_nmcli_available
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
ansible.builtin.command: nmcli radio wifi ansible.builtin.shell: nmcli radio wifi
register: rhel_08_wifi_enabled register: rhel_08_wifi_enabled
changed_when: rhel_08_wifi_enabled.stdout != "disabled" changed_when: rhel_08_wifi_enabled.stdout != "disabled"
failed_when: false failed_when: false
when: rhel_08_nmcli_available.rc == 0 when: rhel_08_nmcli_available.rc == 0
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
ansible.builtin.command: nmcli radio all off ansible.builtin.shell: nmcli radio all off
changed_when: false changed_when: false
failed_when: false failed_when: false
when: rhel_08_wifi_enabled is changed when: rhel_08_wifi_enabled is changed

8
tasks/section_4/cis_4.1.2.x.yml
View file

@ -5,7 +5,7 @@
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)" regexp: "^max_log_file( |=)"
line: "max_log_file = {{ rhel9cis_max_log_file_size }}" line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
notify: restart auditd notify: Restart auditd
when: when:
- rhel9cis_rule_4_1_2_1 - rhel9cis_rule_4_1_2_1
tags: tags:
@ -21,7 +21,7 @@
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^max_log_file_action" regexp: "^max_log_file_action"
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
notify: restart auditd notify: Restart auditd
when: when:
- rhel9cis_rule_4_1_2_2 - rhel9cis_rule_4_1_2_2
tags: tags:
@ -36,7 +36,7 @@
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
notify: restart auditd notify: Restart auditd
with_items: with_items:
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
- { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' }
@ -56,7 +56,7 @@
regexp: "^{{ item }}( |=)" regexp: "^{{ item }}( |=)"
line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
notify: restart auditd notify: Restart auditd
when: when:
- rhel9cis_auditd_extra_conf.keys() | length > 0 - rhel9cis_auditd_extra_conf.keys() | length > 0
tags: tags:

6
tasks/section_4/cis_4.1.4.x.yml
View file

@ -64,9 +64,9 @@
loop: "{{ auditd_conf_files.files }}" loop: "{{ auditd_conf_files.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
when: when:
- item.mode != '06(0|4)0' - item.mode != '06(0|4)0'
- rhel9cis_rule_4_1_4_5 - rhel9cis_rule_4_1_4_5
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation

26
tasks/section_4/cis_4.2.1.x.yml
View file

@ -32,10 +32,10 @@
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes line: ForwardToSyslog=yes
notify: restart rsyslog notify: Restart rsyslog
when: when:
- rhel9cis_rule_4_2_1_3 - rhel9cis_rule_4_2_1_3
- rhel9cis_preferred_log_capture == "rsyslog" - rhel9cis_syslog == "rsyslog"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -47,7 +47,7 @@
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
regexp: '^\$FileCreateMode' regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640' line: '$FileCreateMode 0640'
notify: restart rsyslog notify: Restart rsyslog
when: when:
- rhel9cis_rule_4_2_1_4 - rhel9cis_rule_4_2_1_4
tags: tags:
@ -60,7 +60,7 @@
- name: "4.2.1.5 | PATCH | Ensure logging is configured" - name: "4.2.1.5 | PATCH | Ensure logging is configured"
block: block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.command: cat /etc/rsyslog.conf ansible.builtin.shell: cat /etc/rsyslog.conf
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
@ -84,7 +84,7 @@
mail.warning -/var/log/mail.warning mail.warning -/var/log/mail.warning
mail.err /var/log/mail.err mail.err /var/log/mail.err
insertafter: '# Log all the mail messages in one place.' insertafter: '# Log all the mail messages in one place.'
notify: restart rsyslog notify: Restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
@ -97,7 +97,7 @@
news.crit -/var/log/news/news.crit news.crit -/var/log/news/news.crit
news.notice -/var/log/news/news.crit news.notice -/var/log/news/news.crit
insertafter: '# Save news errors of level crit and higher in a special file.' insertafter: '# Save news errors of level crit and higher in a special file.'
notify: restart rsyslog notify: Restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
@ -111,7 +111,7 @@
*.crit /var/log/warn *.crit /var/log/warn
*.*;mail.none;news.none /var/log/messages *.*;mail.none;news.none /var/log/messages
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: restart rsyslog notify: Restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
@ -127,7 +127,7 @@
local6,local7.* -/var/log/localmessages local6,local7.* -/var/log/localmessages
*.emrg :omusrmsg:* *.emrg :omusrmsg:*
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: restart rsyslog notify: Restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
@ -138,7 +138,7 @@
# Private settings to meet CIS standards # Private settings to meet CIS standards
auth,authpriv.* /var/log/secure auth,authpriv.* /var/log/secure
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: restart rsyslog notify: Restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
@ -149,7 +149,7 @@
# Cron settings to meet CIS standards # Cron settings to meet CIS standards
cron.* /var/log/cron cron.* /var/log/cron
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: restart rsyslog notify: Restart rsyslog
when: when:
- rhel9cis_rule_4_2_1_5 - rhel9cis_rule_4_2_1_5
tags: tags:
@ -171,7 +171,7 @@
failed_when: failed_when:
- result is failed - result is failed
- result.rc != 257 - result.rc != 257
notify: restart rsyslog notify: Restart rsyslog
when: when:
- rhel9cis_rule_4_2_1_6 - rhel9cis_rule_4_2_1_6
- rhel9cis_remote_log_server - rhel9cis_remote_log_server
@ -189,7 +189,7 @@
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
regexp: '{{ item }}' regexp: '{{ item }}'
replace: '#\1' replace: '#\1'
notify: restart rsyslog notify: Restart rsyslog
loop: loop:
- '^(\$ModLoad imtcp)' - '^(\$ModLoad imtcp)'
- '^(\$InputTCPServerRun)' - '^(\$InputTCPServerRun)'
@ -202,7 +202,7 @@
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
regexp: '^#(.*{{ item }}.*)' regexp: '^#(.*{{ item }}.*)'
replace: '\1' replace: '\1'
notify: restart rsyslog notify: Restart rsyslog
loop: loop:
- 'ModLoad imtcp' - 'ModLoad imtcp'
- 'InputTCPServerRun' - 'InputTCPServerRun'

12
tasks/section_4/cis_4.2.2.x.yml
View file

@ -19,7 +19,7 @@
path: /etc/systemd/journal-upload.conf path: /etc/systemd/journal-upload.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
notify: restart systemd_journal_upload notify: Restart systemd_journal_upload
with_items: with_items:
- { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
@ -92,7 +92,7 @@
ansible.builtin.import_tasks: warning_facts.yml ansible.builtin.import_tasks: warning_facts.yml
when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
vars: vars:
warn_control_id: '4.2.2.2' warn_control_id: '4.2.2.2'
when: when:
- rhel9cis_rule_4_2_2_2 - rhel9cis_rule_4_2_2_2
tags: tags:
@ -108,7 +108,7 @@
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^#Compress=|^Compress=" regexp: "^#Compress=|^Compress="
line: Compress=yes line: Compress=yes
notify: restart systemd_journal_upload notify: Restart systemd_journal_upload
when: when:
- rhel9cis_rule_4_2_2_3 - rhel9cis_rule_4_2_2_3
tags: tags:
@ -124,7 +124,7 @@
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^#Storage=|^Storage=" regexp: "^#Storage=|^Storage="
line: Storage=persistent line: Storage=persistent
notify: restart systemd_journal_upload notify: Restart systemd_journal_upload
when: when:
- rhel9cis_rule_4_2_2_4 - rhel9cis_rule_4_2_2_4
tags: tags:
@ -141,7 +141,7 @@
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^ForwardToSyslog=" regexp: "^ForwardToSyslog="
line: "#ForwardToSyslog=yes" line: "#ForwardToSyslog=yes"
notify: restart systemd_journal_upload notify: Restart systemd_journal_upload
when: when:
- rhel9cis_rule_4_2_2_5 - rhel9cis_rule_4_2_2_5
tags: tags:
@ -157,7 +157,7 @@
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
notify: restart journald notify: Restart systemd_journal_upload
with_items: with_items:
- { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
- { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }

10
tasks/section_5/cis_5.2.x.yml
View file

@ -84,7 +84,7 @@
regexp: "^AllowUsers" regexp: "^AllowUsers"
line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
validate: sshd -t -f %s validate: sshd -t -f %s
notify: restart sshd notify: Restart sshd
when: "rhel9cis_sshd['allowusers']|default('') | length > 0" when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
@ -93,7 +93,7 @@
regexp: "^AllowGroups" regexp: "^AllowGroups"
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
validate: sshd -t -f %s validate: sshd -t -f %s
notify: restart sshd notify: Restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
@ -102,7 +102,7 @@
regexp: "^DenyUsers" regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
validate: sshd -t -f %s validate: sshd -t -f %s
notify: restart sshd notify: Restart sshd
when: "rhel9cis_sshd['denyusers']|default('') | length > 0" when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
@ -111,7 +111,7 @@
regexp: "^DenyGroups" regexp: "^DenyGroups"
line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
validate: sshd -t -f %s validate: sshd -t -f %s
notify: restart sshd notify: Restart sshd
when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
when: when:
- rhel9cis_rule_5_2_4 - rhel9cis_rule_5_2_4
@ -267,7 +267,7 @@
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
notify: restart sshd notify: Restart sshd
when: ssh_crypto_discovery.stdout | length > 0 when: ssh_crypto_discovery.stdout | length > 0
when: when:
- rhel9cis_rule_5_2_14 - rhel9cis_rule_5_2_14

10
tasks/section_5/cis_5.6.1.x.yml
View file

@ -52,19 +52,19 @@
register: rhel9cis_5_6_1_4_inactive_settings register: rhel9cis_5_6_1_4_inactive_settings
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: rhel_8_5_6_1_4_user_list register: rhel9cis_5_6_1_4_user_list
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
with_items: with_items:
- "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
when: when:
- rhel9cis_rule_5_6_1_4 - rhel9cis_rule_5_6_1_4
tags: tags:
@ -104,7 +104,7 @@
- not rhel9cis_futurepwchgdate_autofix - not rhel9cis_futurepwchgdate_autofix
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.command: passwd --expire {{ item }} ansible.builtin.shell: passwd --expire {{ item }}
when: when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_5_6_1_5_user_list.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix - rhel9cis_futurepwchgdate_autofix

2
tasks/section_6/cis_6.1.x.yml
View file

@ -207,7 +207,7 @@
when: when:
- item.stdout_lines is defined - item.stdout_lines is defined
- item.stdout_lines | length > 0 - item.stdout_lines | length > 0
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
ansible.builtin.import_tasks: warning_facts.yml ansible.builtin.import_tasks: warning_facts.yml
vars: vars:

2
templates/ansible_vars_goss.yml.j2
View file

@ -450,7 +450,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
# Section 4 # Section 4
## syslog ## syslog
rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }} rhel9cis_syslog: {{ rhel9cis_syslog }}
# Section 5 # Section 5
## 5.2.4 Note the following to understand precedence and layout ## 5.2.4 Note the following to understand precedence and layout

2
vars/main.yml
View file

@ -8,5 +8,5 @@ rhel9cis_allowed_crypto_policies:
- 'FIPS' - 'FIPS'
# Used to control warning summary # Used to control warning summary
control_number: "" warn_control_list: ""
warn_count: 0 warn_count: 0