Merge pull request #432 from ansible-lockdown/devel
Some checks failed
Export Public Repo Badges / export-badges (push) Has been cancelled

Latest main release
uk-bolly 2026-02-27 11:43:24 +00:00 committed by GitHub
commit b98381fcd8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
71 changed files with 384 additions and 204 deletions

View file

@ -1,9 +1,9 @@
---
parseable: true
quiet: true
skip_list:
- 'package-latest'
- 'risky-shell-pipe'
- 'var-naming[read-only]'
use_default_rules: true
verbosity: 0
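Review bot: adding `var-naming[read-only]` to the repo-wide `skip_list` silences that rule for every file, not only the molecule scenarios the changelog entry names, so a task elsewhere that assigns to a read-only name (for example an `ansible_*` fact) will no longer be flagged. If only the molecule files need it, a `# noqa: var-naming[read-only]` on those specific lines keeps the check active for the role's tasks and defaults.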

View file

@ -12,8 +12,6 @@ on:
push:
branches:
- latest
schedule:
- cron: '0 */6 * * *'
workflow_dispatch:
jobs:
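Review bot: dropping the `schedule` trigger means this workflow now runs only on pushes to `latest` (and manual dispatch), so drift in the environment it validates against, such as a newer pinned tool or upstream package, will not be caught until the next push. If that is the intent, a one-line comment above `on:` saying the scheduled run was removed deliberately would save the next maintainer from re-adding it.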

View file

@ -39,11 +39,13 @@ repos:
rev: v1.5.0
hooks:
- id: detect-secrets
name: Detect Secrets test
- repo: https://github.com/gitleaks/gitleaks
rev: v8.30.0
hooks:
- id: gitleaks
name: Run Gitleaks test
- repo: https://github.com/ansible-community/ansible-lint
rev: v26.1.1
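Review bot: the new gitleaks hook will not honour the `# pragma: allowlist secret` markers used throughout `defaults/main.yml` (those are detect-secrets syntax); gitleaks uses an inline `gitleaks:allow` comment or a `.gitleaks.toml` allowlist. Without one of those, the placeholder `rhel9cis_bootloader_password: 'password'` and the `grub.pbkdf2.sha512.changethispassword` values are likely to fail the pre-commit run, so either add a `.gitleaks.toml` with rules scoped to those placeholders or confirm the default ruleset leaves them alone.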

View file

@ -1,4 +1,5 @@
---
extends: default
ignore: |
tests/

View file

@ -7,7 +7,7 @@ Rules
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
3) All work is done in your own branch
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
5) Be open and nice to eachother
5) Be open and nice to each other
Workflow
--------

View file

@ -1,4 +1,81 @@
# Changes to rhel9CIS
# Changes to RHEL9CIS
## 2.0.5 - Based on CIS v2.0.0
- QA Fixes
- .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
- fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml
- Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis)
- Fixed broken Changelog link in README.md (case mismatch)
- Added var-naming[read-only] to ansible-lint skip list for molecule files
- Bootloader password logic updated with salt and hash options
- Added passlib dependency documentation for bootloader password hash
- Updated company title
- Tidied up comments and variables for bootloader password
- Removed scheduled tasks
- Fixed typo thanks to Eugene @Frequentis
- Unused variable audit: wired up all unused variables, removed legacy references
- Updated chrony template to use rhel9cis_chrony_server_makestep, rtcsync, and minsources variables instead of hardcoded values
- Wired up rhel9cis_authselect_custom_profile_create toggle in authselect profile creation task
- Fixed task 5.3.3.2.7/5.3.3.2.8 mislabeling: separated password quality enforce and root enforce into correct tasks
- Wired up audit_capture_files_dir in audit_only workflow for file capture to control node
- Clarified rhel9cis_root_unlock_time documentation for commented-out alternative usage
- Removed legacy rhel9cis_rule_1_1_10 from molecule converge files and is_container.yml
- Fixed wrong variable name rhel9cis_unowned_group to rhel9cis_ungrouped_group in tasks/section_7/cis_7.1.x.yml
- Added rhel9cis_install_network_manager toggle to 3.1.2 wireless interfaces task
## 2.0.4 - Based on CIS v2.0.0
addressed issue #419, thank you @aaronk1
addressed issue #418 thank you @bbaassssiiee
Added better sysctl logic to disable IPv6
Added option to disable IPv6 via sysctl (original method) or via the kernel
pre-commit updates
public issue #410 thanks to @kpi-nourman
public issue #413 thanks to @bbaassssiiee
Public issues incorporated
Workflow updates
Pre-commit updates
README latest versions
Audit improvements and max-concurrent option added
Benchmark version variable in audit template
fixed typo thanks to @fragglexarmy #393
fixed typo thanks to @trumbaut #397 & #399
updated auditd template to be 2.19 compliant
PR345 thanks to thulium-drake boot password hash - if used needs passlib module
tidy up tags on tasks/main.yml
## 2.0.3 - Based on CIS v2.0.0
- Thank you @fragglexarmy
- addressed Public issue 387
- Addressed Public issue 382 to improve regex logic on 5.4.2.4
- Improvement on crypto policy managed controls with var logic
- Thanks to @polski-g
- addressed issue 384
- update command to shell module on tasks
- Thanks to @numericillustration
- Public PR 380
- systemd_service rolled back to systemd for < ansible 2.14
- Thanks to @bgro and @Kodebach
- Public PR 371
- updated to user sudo check 5.2.4
- Thanks to @DianaMariaDDM
- Public PR 367
- updated several typos
- Thanks to @polski-g
- Public PR 364
- gdm section 1.8 improvements
- Thanks to @chrispipo
- Public PR 350
- change insert before for rsyslog setting
- Thanks to @thesmilinglord
- public issue 377
- change 1.3 from include task to import for tagging
- Thanks to @Fredouye
- public issue 372
- allow password with different locale
## 2.0.4 - Based on CIS v2.0.0
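Review bot: the `## 2.0.4 - Based on CIS v2.0.0` heading now appears twice, once in the added block above the new `2.0.3` section and once as the pre-existing heading that follows it, so the changelog reads 2.0.5, 2.0.4, 2.0.3, 2.0.4. The added 2.0.4 entries are also the only ones without the `- ` list marker the rest of the file uses. Suggest merging the two 2.0.4 sections into one bulleted list in descending version order.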
@ -64,7 +141,7 @@
- updated controls 6.2.10-6.2.14
- audit
- steps moved to prelim
- update to coipy and archive logic and variables
- update to copy and archive logic and variables
- removed vars not used
- updated quotes used in mode tasks
- pre-commit update
@ -98,7 +175,7 @@
- lint updates
- .secrets updated
- file mode quoted
- updated 5.6.5 thansk to feedback from S!ghs on discord community
- updated 5.6.5 thanks to feedback from S!ghs on discord community
## 1.1.1 - Based on CIS v1.0.0
@ -130,7 +207,7 @@
## 1.0.10
- [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72)
- Only run check when paybook user not a superuser
- Only run check when playbook user not a superuser
- fix for 5.5.3 thanks to @nrg-fv
## 1.0.9
@ -202,7 +279,7 @@ Jan-2023 release
- updated ansible minimum to 2.10
- Lint file updates and improvements
- auditd now shows diff ater initial template added
- auditd now shows diff after initial template added
- many control rewritten
- Many controls moved ID references
- Audit updates aligned
@ -227,7 +304,7 @@ Jan-2023 release
- #209 5.6.5 rewrite umask settings
- #220 tidy up and align variables
- #226 Thanks to Thulium-Drake
-Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
-Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required for auditd to run correctly in some cases)
- #227 thanks to OscarElits
- chrony files now RH expected locations
@ -267,9 +344,9 @@ Jan-2023 release
- not all controls work with rhel8 releases any longer
- selinux disabled 1.6.1.4
- logrotate - 4.3.x
- updated to rhel8cis v2.0 benchamrk requirements
- updated to rhel8cis v2.0 benchmark requirements
- removed iptables firewall controls (not valid on rhel9)
- added more to logrotate 4.3.x - sure to logrotate now a seperate package
- added more to logrotate 4.3.x - sure to logrotate now a separate package
- grub path now standard to /boot/grub2/grub.cfg
- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
- workflow update
@ -288,7 +365,7 @@ args:
```
- update boolean values to true/false
- 3.4.2 improved checks for p[ackage presence
- 3.4.2 improved checks for package presence
- changed to assert for OS/release and ansible version
## Initial

View file

@ -19,7 +19,6 @@
## Lint & Pre-Commit Tools 🔧
[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel)
![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
@ -49,7 +48,6 @@
![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json)
[![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)
[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json)
![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json)
@ -58,9 +56,9 @@
## Looking for support? 🤝
[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS)
[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9-CIS)
[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS)
[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9-CIS)
### Community 💬
@ -86,10 +84,10 @@ This role **will make changes to the system** which may have unintended conseque
## Coming From A Previous Release ⏪
CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
CIS release always contains changes, it is highly recommended to review the new references and available variables. These have changed significantly since ansible-lockdown initial release.
This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
Further details can be seen in the [Changelog](./ChangeLog.md)
Further details can be seen in the [Changelog](./Changelog.md)
---
@ -103,7 +101,7 @@ This is managed using tags:
- level2-server
- level2-workstation
The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component.
The controls found in defaults/main.yml also need to reflect this, as they control the testing that takes place if you are using the audit component.
---
## Requirements ✅
@ -130,6 +128,9 @@ RHEL Family OS 9
- python-def
- libselinux-python
If you are using the option to create your own bootloader hash the ansible controller
- passlib
---
## Auditing 🔍
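Review bot: the added requirement sentence is incomplete: "If you are using the option to create your own bootloader hash the ansible controller" has no verb before the `- passlib` item. Suggest "If you are using the option to create your own bootloader hash, the Ansible controller also requires:" so the reader knows passlib is a controller-side, not target-side, dependency.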

View file

@ -1,5 +1,6 @@
---
# defaults file for rhel9-cis
# defaults file for RHEL9-CIS
# WARNING:
# These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
@ -63,7 +64,7 @@ benchmark: RHEL9-CIS
# System will reboot if false, can give better audit results
skip_reboot: true
# default value will change to true but wont reboot if not enabled but will error
# default value will change to true but won't reboot if not enabled but will error
change_requires_reboot: false
###
@ -93,17 +94,11 @@ audit_max_concurrent: 50
## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################
## How to retrieve audit binary(Goss)
# Options are 'copy' or 'download' - detailed settings at the bottom of this file
# - if 'copy':
# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss
# - if 'download':
# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars
# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need access to either github or the file already downloaded
get_audit_binary_method: download
## if get_audit_binary_method - copy the following needs to be updated for your environment
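Review bot: `audit_capture_files_dir: /some/location to copy to on control node` is a placeholder written as a value, so a user who enables `audit_only` without overriding it gets a directory path containing spaces created on the controller rather than a clear failure. Suggest either an obviously invalid placeholder such as `CHANGEME` with an assert in prelim when `audit_only` is set, or moving the description into the comment and leaving the value empty. The shortened comment above `get_audit_binary_method` also dropped the mention of `audit_bin_copy_location`, `audit_bin_url` and `audit_pkg_arch_name`, which were the only pointers to the settings "at the bottom of this file"; keeping those names here helps users find them.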
@ -257,9 +252,8 @@ rhel9cis_rule_1_8_8: true
rhel9cis_rule_1_8_9: true
rhel9cis_rule_1_8_10: true
## Section 2 Fixes
# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
# Configure Server Services
## Configure Server Services
rhel9cis_rule_2_1_1: true
rhel9cis_rule_2_1_2: true
rhel9cis_rule_2_1_3: true
@ -400,7 +394,6 @@ rhel9cis_rule_5_3_3_2_4: true
rhel9cis_rule_5_3_3_2_5: true
rhel9cis_rule_5_3_3_2_6: true
rhel9cis_rule_5_3_3_2_7: true
rhel9cis_rule_5_3_3_2_8: true
# 5.3.3.3 Configure pam_pwhistory module
# These are added as part of 5.3.2.4 using jinja2 template
rhel9cis_rule_5_3_3_3_1: true
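Review bot: this hunk removes one of the `rhel9cis_rule_5_3_3_2_7` / `rhel9cis_rule_5_3_3_2_8` toggles from the defaults. The changelog says the 5.3.3.2.7/5.3.3.2.8 tasks were separated rather than merged, so any task in `tasks/section_5/` or the README control table that still references the dropped variable will raise an undefined-variable error at runtime. Suggest grepping the tree for the removed name and, if the control really no longer exists, noting that in the changelog entry.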
@ -539,7 +532,7 @@ rhel9cis_rule_7_2_9: true
## Ability to enable debug on mounts to assist in troubleshooting
# Mount point changes are set based upon facts created in Prelim
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1.
rhel9cis_debug_mount_data: false
## Control 1.1.2
@ -583,14 +576,33 @@ rhel9cis_selinux_pol: targeted
rhel9cis_selinux_enforce: enforcing
## Control 1.4.1
# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: false
################### bootloader password ############################################################
#
# Two options for setting the bootloader password
#
# Option 1: Set the bootloader password and salt requires the passlib Python module
# to be available on the Ansible controller.
# Set this value to something secure to have predictable hashes,
# which will prevent unnecessary changes.
rhel9cis_bootloader_salt: ''
# This variable stores the GRUB bootloader password to be written
# to the '/boot/grub2/user.cfg' file. The default value must be changed.
rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
# Option 2: Set the bootloader password hash if the salt value is empty,
# the password will be set using the variable below.
# If you are not using the bootloader hash filter, you can set it here
# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
## Control 1.4.1
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: true
######################################################################################################
## Controls 1.6.x and Controls 5.1.x
# This variable governs if current Ansible role should manage system-wide crypto policy.
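Review bot: the hunk reads as flipping the default of `rhel9cis_set_boot_pass` from `false` to `true` while leaving `rhel9cis_bootloader_password` at `'password'`, the salt empty and the hash at its placeholder; with the assert in `tasks/main.yml`, a fresh run with untouched defaults now fails instead of skipping the bootloader password. If enabling it by default is intended, say so in the changelog; otherwise keep `false`. Two further points on this block: `rhel9cis_bootloader_password` is a plaintext secret in `defaults/main.yml`, so the comment should point users at Ansible Vault for that value, and the removed comment was the only place that documented the real hash layout `grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>`, which the new example `grub.pbkdf2.sha512.hashstring` does not convey. The "Option 1" sentence also lacks a comma: "Set the bootloader password and salt; this requires the passlib Python module".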
@ -612,7 +624,7 @@ rhel9cis_additional_crypto_policy_module: ''
# - 1.7.1 - Ensure message of the day is configured properly
# - 1.7.2 - Ensure local login warning banner is configured properly
# - 1.7.3 - Ensure remote login warning banner is configured properly
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported.
# End Banner
@ -902,8 +914,8 @@ rhel9cis_sshd_clientalivecountmax: 3
# keep the connection alive and prevent it being terminated due to inactivity.
rhel9cis_sshd_clientaliveinterval: 15
## Control 5.1.10 - Ensure sshd DisableForwarding is enabled
# By Default this will also disablex11 forwarding
## Control 5.1.12 - disable forwarding
# By Default this will also disable X11 forwarding
# set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
# This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to
# disable X11Forwarding. If X11 is required, set this variable's value to `yes`!
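Review bot: the comment says the value is applied in `/etc/ssh/ssh_config.d/50-redhat.conf`, but `X11Forwarding` and `DisableForwarding` are `sshd_config` (server) options; the file under `ssh_config.d/` is the client configuration on RHEL 9, where the equivalent keyword is `ForwardX11`. If the role writes to the server drop-in, the path should read `/etc/ssh/sshd_config.d/50-redhat.conf`. Also confirm the renumbering from 5.1.10 to 5.1.12 matches the task name and tag in `tasks/section_5/`, since that rename is not part of this diff.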
@ -947,14 +959,7 @@ rhel9cis_ssh_maxsessions: 4
# This variable defines the path and file name of the sudo log file.
rhel9cis_sudolog_location: "/var/log/sudo.log"
## Control 5.2.4 - Ensure users must provide password for escalation
# The following variable specifies a list of users that should not be required to provide a password
# for escalation. Feel free to edit it according to your needs.
rhel9cis_sudoers_exclude_nopasswd_list:
- ec2-user
- vagrant
## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly
## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
# This variable sets the duration (in minutes) during which a user's authentication credentials
# are cached after successfully authenticating using "sudo". This allows the user to execute
# multiple commands with elevated privileges without needing to re-enter their password for each
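Review bot: this hunk removes `rhel9cis_sudoers_exclude_nopasswd_list` from the defaults, but the 5.2.4 assertion in `tasks/main.yml` still evaluates `ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list`, so unless the list has moved to `vars/main.yml` that assert will fail with an undefined variable on every run where `rhel9cis_rule_5_2_4` is enabled. If the variable was relocated, a one-line comment here pointing to its new home would help users who expect to override it in defaults.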
@ -994,19 +999,38 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
## Control 5.3.3.1.1 -
# This variable sets the amount of tries a password can be entered, before a user is locked.
rhel9cis_pam_faillock_deny: 5
## Control 5.3.3.2, 5.3.2.2
# - 5.3.3.1.2
# This variable sets the amount of time a user will be unlocked after the max amount of
# password failures.
rhel9cis_pam_faillock_unlock_time: 900
## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account
# This variable is used in the task that ensures that even the root account
# is included in the password failed attempts lockout measure.
# The following variable is used in the 'regexp' field. This field is used to find the
# line in the file. If the line matches the regular expression, it will be replaced
# with the line parameter's value.
#####################################################################################################################
# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior
#
# Controls how root is handled when the failed login threshold is reached.
#################### Two mutually exclusive options #################################################################
#
# -> even_deny_root : Lock root just like any other account
# -> root_unlock_time = <n> : Lock root but auto-unlock after <n> seconds
#
# Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root
# identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock
# after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
# and adjust 'rhel9cis_root_unlock_time' as needed.
#
# Set ONE of the following:
#
# Option 1: root is locked identically to regular users when the failed login threshold is reached
rhel9cis_pamroot_lock_option: even_deny_root
# Option 2: root is locked but auto-unlocks after the specified seconds.
# Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time)
rhel9cis_root_unlock_time: 60
# rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
#
########################################################################################################################
## Control 5.3.3.2.1 - Ensure password number of changed characters is configured
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
# in order to implement the 'Ensure password number of changed characters is configured' control.
@ -1079,14 +1103,9 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con
# When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'.
rhel9cis_passwd_dictcheck_value: 1
# This variable is used in one of the config files to ensure password quality checking is enforced
# 5.3.3.2.7 - Ensure password quality is enforced for the root user
rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret
rhel9cis_passwd_quality_enforce_value: 1
## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
# in order to implement the 'Ensure password quality is enforced for the root user' control.
rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret
# The following variable enforces that the root user must adhere to the same password quality policies as other users.
rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret
## Control 5.3.3.3.1 - Ensure password history remember is configured
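Review bot: removing `rhel9cis_passwd_quality_enforce_root_file` and `rhel9cis_passwd_quality_enforce_root_value` drops the only variables that carried the `enforce_for_root` directive, while the remaining pair (`50-pwquality_enforce.conf`, value `1`) looks like the `enforcing = 1` setting for non-root users. Since the changelog says 5.3.3.2.7 (root enforcement) was separated into its own task, confirm that task still writes `enforce_for_root` to a `pwquality.conf.d` file without these variables; otherwise the root control silently stops being applied. The added comment line `# 5.3.3.2.7 - Ensure password quality is enforced for the root user` above the non-root file also now mislabels it.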
@ -1126,21 +1145,21 @@ rhel9cis_inactivelock:
# CIS requires a value of 30 days or less.
lock_days: 30
## Control 5.4.1.6 - Ensure all users last password change date is in the past
## Control 5.4.1.x - Ensure all users last password change date is in the past
# Allow ansible to expire password for account with a last changed date in the future. Setting it
# to 'false' will just display users in violation, while 'true' will expire those users passwords.
rhel9cis_futurepwchgdate_autofix: true
## Control 5.4.2.6 - Ensure root user umask is configured
# The following variable specifies the "umask" to configure for the root user.
# The user file-creation mode mask ( umask ) is used to determine the file
# permission for newly created directories and files. In Linux, the default
# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for
# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default
# Linux permissions by restricting (masking) these permissions. The umask is not
# simply subtracted, but is processed bitwise. Bits set in the umask are cleared
# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more
# restrictive.
# 5.4.2.x
## 5.4.2.5 Root user used
# Root by default is not used unless setup by user
# The role will only run certain commands if set to true
# This allows the ability to skip tasks that may cause an issue
# With the understanding root has full access
rhel9cis_uses_root: false
## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive
rhel9cis_root_umask: '0027' # 0027 or more restrictive
## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
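Review bot: the new heading `## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive` sits directly above `rhel9cis_root_umask`, but that variable is the root umask setting the old comment labelled "Ensure root user umask is configured"; the heading and variable no longer match. Suggest restoring the umask title and, if the home-directory control needs a variable, giving it its own entry. The new `rhel9cis_uses_root` comment could also state what "certain commands" means (the 5.4.2.5 root PATH integrity task named in the changelog), so users know which tasks the toggle gates.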
@ -1157,7 +1176,7 @@ rhel9cis_shell_session_timeout: 900
# This variable specifies the path of the timeout setting file.
# (TMOUT setting can be set in multiple files, but only one is required for the
# rule to pass. Options are:
# - a file in `/etc/profile.d/` ending in `.s`,
# - a file in `/etc/profile.d/` ending in `.sh`,
# - `/etc/profile`, or
# - `/etc/bash.bashrc`.
rhel9cis_shell_session_file: /etc/profile.d/tmout.sh
@ -1185,9 +1204,8 @@ rhel9cis_aide_db_file_age: 1w
# If AIDE is already setup this variable forces a new database
# file to be created.
rhel9cis_aide_db_recreate: false
# This variable is used to check if there is already an existing database file
# created by AIDE on the target system. If it is not present, the role will generate
# a database file with the same name as the value of this variable.
# allows changing the db file; note the config needs to be adjusted too
rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz
## Control 6.1.2 - Ensure filesystem integrity is regularly checked
@ -1217,12 +1235,12 @@ rhel9cis_aide_cron:
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range `1-31`.
# The specified day(s) must be in the range `1-31`.
aide_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range `1-12`.
# The specified month(s) must be in the range `1-12`.
aide_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
@ -1262,7 +1280,7 @@ rhel9cis_journald_runtimekeepfree: 100G
# Current variable governs the settings for log retention(how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# The given value is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
# ATTENTION: Uncomment the keyword below when values are set!

View file

@ -0,0 +1,73 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import annotations
DOCUMENTATION = r"""
name: grub_hash
short_description: Generate a GRUB2 password hash
version_added: 1.0.0
author: Jeffrey van Pelt (@Thulium-Drake)
description:
- Generate a GRUB2 password hash from the input
options:
_input:
description: The desired password for the GRUB bootloader
type: string
required: true
salt:
description: The salt used to generate the hash
type: string
required: false
rounds:
description: The amount of rounds to run the PBKDF2 function
type: int
required: false
"""
EXAMPLES = r"""
- name: 'Generate hash with defaults'
ansible.builtin.debug:
msg: "{{ 'mango123!' | grub_hash }}"
- name: 'Generate hash with custom rounds and salt'
ansible.builtin.debug:
msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
# Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
"""
RETURN = r"""
_value:
description: A GRUB2 password hash
type: string
"""
from ansible.errors import AnsibleFilterError
import os
import base64
from passlib.hash import grub_pbkdf2_sha512
def grub_hash(password, rounds=10000, salt=None):
if salt is None:
# Generate 64-byte salt if not provided
salt = os.urandom(64)
# Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
if not isinstance(salt, bytes):
try:
salt = salt.encode("utf-8")
except AttributeError:
raise TypeError("Salt must be a string, not int.")
# Configure hash generator
pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
return pbkdf2_generator.hash(password)
class FilterModule(object):
def filters(self):
return {
'grub_hash': grub_hash
}
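Review bot: `from passlib.hash import grub_pbkdf2_sha512` at module level makes the whole filter plugin fail to load when passlib is absent on the controller, even for users who never call `grub_hash`; the usual pattern is to wrap the import in `try`/`except ImportError`, record the failure, and raise `AnsibleFilterError` with an install hint inside `grub_hash`. `AnsibleFilterError` and `base64` are imported but unused as written, and the `TypeError("Salt must be a string, not int.")` message is reached for any non-str, non-bytes salt, not only ints. Finally, the `os.urandom(64)` fallback produces a different hash on every run, which is fine for security but will report `changed` each time the role runs; the defaults comment about setting a salt for predictable hashes should be echoed in the plugin's `salt` option description.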

View file

@ -150,7 +150,7 @@
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
notify: Change_requires_reboot
notify: Set reboot required
listen: "Remount /boot/efi"
- name: Reload sysctl
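Review bot: renaming the handler to `Set reboot required` changes its notify name, and Ansible fails at play start with "The requested handler 'Change_requires_reboot' was not found" if any task outside these hunks still notifies the old name. This diff only shows the handler file itself being updated, so please confirm the rename was applied across `tasks/` as well (a grep for `Change_requires_reboot` should return nothing).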
@ -194,7 +194,7 @@
ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
changed_when: true
notify:
- Change_requires_reboot
- Set reboot required
- Restart sshd
- name: Restart firewalld
@ -255,7 +255,7 @@
when: discovered_auditd_immutable_check.stdout == '1'
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Change_requires_reboot
notify: Set reboot required
- name: Stop auditd process
ansible.builtin.command: systemctl kill auditd
@ -268,6 +268,6 @@
state: started
listen: Restart auditd
- name: Change_requires_reboot
- name: Set reboot required
ansible.builtin.set_fact:
change_requires_reboot: true

View file

@ -1,11 +1,11 @@
---
galaxy_info:
author: "MindPoint Group"
author: "Ansible-Lockdown"
description: "Apply the RHEL 9 CIS"
company: "MindPoint Group"
company: "MindPoint Group - A Tyto Athene Company"
license: MIT
role_name: rhel9_cis
namespace: mindpointgroup
namespace: ansible-lockdown
min_ansible_version: 2.10.1
platforms:
- name: EL
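Review bot: `namespace: ansible-lockdown` contains a hyphen; Galaxy namespace names are restricted to lowercase letters, digits and underscores, so confirm this value is accepted by the Galaxy import for roles before release, otherwise `ansible_lockdown` may be required. `min_ansible_version: 2.10.1` also looks stale given the changelog's note about rolling `systemd_service` back for Ansible < 2.14 and the `ansible_version` assertion in `tasks/main.yml`; the two should agree.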

View file

@ -10,7 +10,6 @@
system_is_container: true
rhel9cis_selinux_disable: true
rhel9cis_rule_5_2_4: false
rhel9cis_rule_1_1_10: false
rhel9cis_firewall: "none"
rhel9cis_rule_4_1_1_1: false
rhel9cis_rule_4_1_1_2: false

View file

@ -8,16 +8,15 @@
vars:
ansible_user: "{{ lookup('env', 'USER') }}"
system_is_container: true
rhel8cis_selinux_disable: true
rhel9cis_selinux_disable: true
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
rhel8cis_rule_5_3_4: false
rhel8cis_rule_1_1_10: false
rhel8cis_rsyslog_ansiblemanaged: false
rhel8cis_rule_3_4_1_3: false
rhel8cis_rule_3_4_1_4: false
rhel8cis_rule_4_2_1_2: false
rhel8cis_rule_4_2_1_4: false
rhel8cis_rule_5_1_1: false
rhel9cis_rule_5_3_4: false
rhel9cis_rsyslog_ansiblemanaged: false
rhel9cis_rule_3_4_1_3: false
rhel9cis_rule_3_4_1_4: false
rhel9cis_rule_4_2_1_2: false
rhel9cis_rule_4_2_1_4: false
rhel9cis_rule_5_1_1: false
pre_tasks:
tasks:
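Review bot: the `rhel8cis_*` names in this converge file were never consumed by the role, so these toggles were silently ignored until now; after the rename they take effect, which means the scenario disables SELinux handling, 5.3.4, 3.4.1.3/4, 4.2.1.2/4 and 5.1.1 for the first time. Expect different molecule results and a possible need to revisit which rules really must be off in a container. `rhel8cis_rule_1_1_10` was dropped rather than renamed, consistent with the changelog's removal of that rule.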

View file

@ -1,7 +1,7 @@
---
- name: Apply ansible-lockdown hardening
hosts: all
hosts: "{{ hosts | default('all') }}"
become: true
roles:
- role: "{{ playbook_dir }}"
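Review bot: `hosts` is a play keyword, and defining a variable of the same name (for example `-e hosts=webservers`) triggers Ansible's "Found variable using reserved name: hosts" warning. Suggest a distinct extra-var name such as `target_hosts`, i.e. `hosts: "{{ target_hosts | default('all') }}"`.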

View file

@ -1,4 +1,5 @@
---
- name: Pre Audit Setup | Set audit package name
block:
- name: Pre Audit Setup | Set audit package name | 64bit

View file

@ -17,9 +17,7 @@
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container"
when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- container_discovery
- always
@ -43,18 +41,18 @@
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
- name: "Check rhel9cis_bootloader_password variable has been changed"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
- name: "Check crypto-policy module input"
when:
- rhel9cis_rule_1_6_1
- rhel9cis_crypto_policy_ansiblemanaged
- rhel9cis_crypto_policy_module | length > 0
tags:
- rule_1.6.1
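Review bot: the rewritten assertion dropped the `find('grub.pbkdf2.sha512') != -1` format check, so a malformed `rhel9cis_bootloader_password_hash` now passes as long as it differs from the placeholder. It also fails with a confusing message for the case the defaults comments describe as valid: a user who sets `rhel9cis_bootloader_password` but leaves `rhel9cis_bootloader_salt` empty still has the placeholder hash, so both branches are false. Suggest keeping the format check on the hash branch and expanding `msg` to say that either a hash, or a password together with a non-empty salt, must be provided.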
@ -99,7 +97,7 @@
or
(ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
)
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
@ -120,8 +118,8 @@
- name: "Check authselect profile is selected | Check current profile"
ansible.builtin.command: authselect list
changed_when: false
failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
register: prelim_authselect_current_profile
failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ]
register: prelim_authselect_profile_list
- name: "Ensure root password is set"
when: rhel9cis_rule_5_4_2_4
@ -156,9 +154,7 @@
file: "{{ ansible_facts.distribution }}.yml"
- name: "Include preliminary steps"
tags:
- prelim_tasks
- always
tags: prelim_tasks
ansible.builtin.import_tasks:
file: prelim.yml
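Review bot: removing `always` from the "Include preliminary steps" tags means prelim.yml is skipped on tag-scoped runs (`--tags rule_3.1.2` and similar), yet later tasks consume variables that only prelim.yml registers, e.g. `prelim_wireless_adapters` in 3.1.2 and `prelim_authselect_profile_list` in 5.3.2.1, so those runs fail on an undefined variable. It also contradicts the "Preliminary tasks that should always run" comment at the top of prelim.yml, and the POST reboot task in the next file keeps `tags: always`. Suggest keeping `- always` alongside `- prelim_tasks`.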

View file

@ -28,8 +28,7 @@
- name: POST | reboot system if changes require it and not skipped
when: change_requires_reboot
tags:
- always
tags: always
vars:
warn_control_id: Reboot_required
block:

View file

@ -1,10 +1,12 @@
---
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
# Preliminary tasks that should always run
# List users in order to look up files inside each home directory
- name: "PRELIM | Include audit specific variables"
when: run_audit or audit_only or setup_audit
when:
- run_audit or audit_only
- setup_audit
tags:
- setup_audit
- run_audit
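Review bot: the list form of `when` ANDs its items, so the audit-variable include now runs only when `setup_audit` is true in addition to `run_audit or audit_only`; the previous single expression ran on any of the three. A run with `run_audit: true` and `setup_audit: false` therefore skips audit.yml while the pre-remediation audit task in the next hunk still runs on `run_audit or audit_only` and will miss those variables. If any-of is the intent, keep it as one expression: `when: run_audit or audit_only or setup_audit`.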
@ -12,7 +14,8 @@
file: audit.yml
- name: "PRELIM | Include pre-remediation audit tasks"
when: run_audit or audit_only or setup_audit
when:
- run_audit or audit_only
tags: run_audit
ansible.builtin.import_tasks: pre_remediation_audit.yml
@ -92,6 +95,11 @@
- rhel9cis_rule_1_2_1_1
- ansible_facts.distribution != 'RedHat'
- ansible_facts.distribution != 'OracleLinux'
tags:
- level1-server
- level1-workstation
- rule_1.2.1.1
- gpg
ansible.builtin.package:
name: "{{ gpg_key_package }}"
state: latest
@ -206,14 +214,15 @@
block:
- name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
register: discover_wireless_adapters
register: prelim_wireless_adapters
changed_when: false
check_mode: false
failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]
- name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
when:
- discover_wireless_adapters.rc == 0
- rhel9cis_install_network_manager
- prelim_wireless_adapters.rc == 0
- "'NetworkManager' not in ansible_facts.packages"
ansible.builtin.package:
name: NetworkManager
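Review bot: the NetworkManager install is now gated on `ansible_facts.packages`, which only exists after `ansible.builtin.package_facts` has run; if that gather happens later in prelim.yml or not at all, this `when` fails with an undefined-variable error. Confirm the ordering, and since `rhel9cis_install_network_manager` no longer gates the task, either remove it from defaults and the README or restore it as the opt-out next to the package check.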
@ -277,8 +286,7 @@
- name: "PRELIM | PATCH | Create journald config directory"
when:
- rhel9cis_syslog == 'journald'
- rhel9cis_rule_6_2_1_3 or
rhel9cis_rule_6_2_1_4
- rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
tags: always
ansible.builtin.file:
path: /etc/systemd/journald.conf.d

View file

@ -27,8 +27,7 @@
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: cramfs
state: absent

View file

@ -1,4 +1,5 @@
---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
when:
- rhel9cis_rule_1_1_2_3_1

View file

@ -13,4 +13,4 @@
ansible.builtin.package:
name: "*"
state: latest
notify: Change_requires_reboot
notify: Set reboot required
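Review bot: `notify: Set reboot required` must match a handler name exactly; Ansible aborts the play with "The requested handler 'Set reboot required' was not found" if handlers/main.yml was not renamed from `Change_requires_reboot` in the same change, and no handler hunk is shown here. Also grep the other task files for remaining `notify: Change_requires_reboot` so every caller moves together.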

View file

@ -13,7 +13,7 @@
- NIST800-53R5_AC-3
ansible.builtin.copy:
dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
owner: root
group: root
mode: 'go-rwx'
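Review bot: `rhel9_compiled_bootloader_password` breaks the `rhel9cis_` prefix used by every other variable in this role; suggest `rhel9cis_compiled_bootloader_password` here and in vars/main.yml. Since the rendered content is a password-derived hash, consider `no_log: true` on this copy task so the value does not appear in verbose or diff output.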

View file

@ -38,12 +38,13 @@
when:
- "'kernel' in rhel9cis_ipv6_disable_method"
- "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
when:
- rhel9cis_rule_3_1_2
- discover_wireless_adapters.rc == 0
- prelim_wireless_adapters.rc == 0
tags:
- level1-server
- patch
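Review bot: `changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0` keys the change status on the earlier discovery command's return code, not on this grubby run, so the task reports changed whenever the discovery succeeded regardless of what grubby did. Register the grubby result and test that instead, e.g. `register: discovered_rhel9cis_3_1_1_grubby` and `changed_when: discovered_rhel9cis_3_1_1_grubby.rc == 0`. The switch from `shell` to `command` is correct since the line uses no shell syntax.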

View file

@ -411,6 +411,8 @@
path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s
notify: Restart sshd
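Review bot: `insertbefore: "^Match"` with `firstmatch: true` correctly places a newly added `MaxAuthTries` in the global section instead of at end of file, where sshd would scope it to the last `Match` block. Note that `regexp` still takes precedence: a non-indented `MaxAuthTries` line already sitting inside a Match block is edited in place rather than moved, so `validate: sshd -t -f %s` passes while the global value stays unset. The same `insertbefore`/`firstmatch` pair belongs on the other sshd_config `lineinfile` tasks in this file for consistency.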

View file

@ -14,7 +14,7 @@
- rule_5.3.2.1
block:
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
changed_when: false
args:

View file

@ -340,7 +340,7 @@
- system
notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
when: rhel9cis_rule_5_3_3_2_7
tags:
- level1-server
@ -350,8 +350,8 @@
- NIST800-53R5_IA-5
- pam
ansible.builtin.template:
src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2"
dest: "/{{ rhel9cis_passwd_quality_enforce_file }}"
owner: root
group: root
mode: 'o-rwx'

View file

@ -179,7 +179,7 @@
- item.stat.exists
- item.stat.isdir
- item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp
- (item != 'root') and (not rhel9cis_uses_root)
- (item != 'root') and (not rhel9cis_uses_root )
ansible.builtin.file:
path: "{{ item.stat.path }}"
state: directory
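Review bot: the change introduces a stray space before the closing parenthesis in `(not rhel9cis_uses_root )`; revert to `(not rhel9cis_uses_root)`, which is what the replaced line already had.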

View file

@ -10,14 +10,12 @@
file: cis_5.1.x.yml
- name: "SECTION | 5.2 | Configure privilege escalation"
when:
- rhel9cis_section5_2
when: rhel9cis_section5_2
ansible.builtin.import_tasks:
file: cis_5.2.x.yml
- name: "SECTION | 5.3"
when:
- rhel9cis_section5_3
when: rhel9cis_section5_3
block:
- name: "SECTION | 5.3.1.x | Configure PAM software packages"
ansible.builtin.import_tasks:
@ -44,8 +42,7 @@
file: cis_5.3.3.4.x.yml
- name: "SECTION | 5.4"
when:
- rhel9cis_section5_4
when: rhel9cis_section5_4
block:
- name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
ansible.builtin.import_tasks:

View file

@ -195,7 +195,7 @@
register: discovered_rsyslog_remote_host
notify: Restart rsyslog
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
when: rhel9cis_rule_6_2_3_7
tags:
- level1-server
@ -208,7 +208,7 @@
- NIST800-53R5_AU-12
- NIST800-53R5_CM-6
block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
when: not rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
when: rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
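Review bot: the retained task name still reads "a remote clients"; fix the article/number mismatch to "a remote client" so it matches the two sibling 6.2.3.7 task names above.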

View file

@ -58,7 +58,7 @@
- level1-server
- level1-workstation
- patch
- permissionss
- permissions
- rule_7.1.4
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
@ -254,7 +254,7 @@
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ rhel9cis_unowned_owner }}"
group: "{{ rhel9cis_unowned_group }}"
group: "{{ rhel9cis_ungrouped_group }}"
with_items:
- "{{ discovered_unowned_files_flatten }}"

View file

@ -1,7 +1,7 @@
---
# Enable logrunning potential resource intensive tests
# Enable long running potential resource intensive tests
run_heavy_tests: {{ audit_run_heavy_tests }}
# Extend default command timeout for longer running tests
@ -206,7 +206,6 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }}
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
## Network Kernel Modules
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
@ -293,7 +292,6 @@ rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }}
rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }}
rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }}
rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }}
rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }}
# 5.3.3.3 Configure pam_pwhistory module
# This are added as part of 5.3.2.4 using jinja2 template
rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }}
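Review bot: removing `rhel9cis_rule_5_3_3_2_8` from the audit vars template drops a value the audit content may still read; confirm the matching audit check was removed or renumbered too, since the root pwquality template in this PR now labels itself 5.3.3.2.7 instead of 5.3.3.2.8. While here, the context comment "This are added as part of 5.3.2.4" should read "These are added".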
@ -532,6 +530,8 @@ rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }}
## 3.1 IPv6 requirement toggle
# This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
# 3.3 System network parameters (host only OR host and router)
# This variable governs whether specific CIS rules
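Review bot: the new comment names `rhel9cis_ipv6_disable`, but the variable on the next line is `rhel9cis_ipv6_disable_method`; align the comment with the actual name (e.g. "rhel9cis_ipv6_disable_method selects how IPv6 is disabled: sysctl or kernel").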

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
### YOUR CHANGES WILL BE LOST!
# This file contains users whose actions are not logged by auditd

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
### YOUR CHANGES WILL BE LOST!
# This template will set all of the auditd configurations via a handler in the role in one task instead of individually

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# Audit Tools
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512

View file

@ -1,6 +1,4 @@
# CIS Hardening Carried out
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
[lockdown_details]
# Benchmark release

View file

@ -1,4 +1,4 @@
{{ ansible_managed | comment }}
{{ file_managed_by_ansible }}
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
@ -11,17 +11,19 @@ driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
makestep {{ rhel9cis_chrony_server_makestep }}
{% if rhel9cis_chrony_server_rtcsync %}
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
{% endif %}
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
minsources {{ rhel9cis_chrony_server_minsources }}
# Allow NTP client access from local network.
#allow 192.168.0.0/16

View file

@ -1,7 +1,5 @@
{{ file_managed_by_ansible }}
# Run AIDE integrity check
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
### YOUR CHANGES WILL BE LOST!
# CIS 1.3.2

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy dropping the SHA1 hash and signature support
# Carried out as part of CIS Benchmark rule 1.6.3

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable all CBC mode ciphers
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rule 1.6.5

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable Encrypt then MAC
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rule 1.6.7

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak ciphers
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark control 5.1.6

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark rule 1.6.4

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
# Lock desktop media-handling automount setting
/org/gnome/desktop/media-handling/automount

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/autorun-never

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
[org/gnome/desktop/media-handling]
automount=false

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
[org/gnome/desktop/media-handling]
autorun-never=true

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
# Specify the dconf path
[org/gnome/desktop/session]

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
# Lock desktop screensaver idle-delay setting
/org/gnome/desktop/session/idle-delay

View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company
{{ file_managed_by_ansible }}
[org/gnome/login-screen]
banner-message-enable=true

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
/var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated_when }}
rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}

View file

@ -1,6 +1,4 @@
# Disable usage of protocol {{ item }}
# Set by ansible {{ benchmark }} remediation role
# https://github.com/ansible-lockdown
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
install {{ item }} /bin/true

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.3 Ensure password complexity is configured
{% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.6 Ensure password dictionary check is enabled
dictcheck = {{ rhel9cis_passwd_dictcheck_value }}

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.1 Ensure password number of changed characters is configured
difok = {{ rhel9cis_passwd_difok_value }}

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.2 Ensure minimum password length is configured
minlen = {{ rhel9cis_passwd_minlen_value }}

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.5 Ensure password maximum sequential characters is configured
maxsequence = {{ rhel9cis_passwd_maxsequence_value }}

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.7 Ensure password quality checking is enforced
enforcing = {{ rhel9cis_passwd_quality_enforce_value }}

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.4 Ensure password same consecutive characters is configured
maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.8 Ensure password quality is enforced for the root user
# 5.3.3.2.7 Ensure password quality is enforced for the root user
{{ rhel9cis_passwd_quality_enforce_root_value }}
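Review bot: the retitled comment labels 5.3.3.2.7 as "Ensure password quality is enforced for the root user", but the task renamed in this PR now calls 5.3.3.2.7 "Ensure password quality checking is enforced", and the `enforcing =` template carries that same number and title. Two templates now claim 5.3.3.2.7 with different descriptions; settle which control this file (rendered from `rhel9cis_passwd_quality_enforce_root_value`) implements and correct one of the comments.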

View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv6 disable
{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}

View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
{% if rhel9cis_rule_1_5_1 %}
# Adress space randomise

View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv4 Network sysctl
{% if rhel9cis_rule_3_3_1 %}

View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv6 Network sysctl
{% if rhel9cis_ipv6_required %}

View file

@ -1,4 +1,4 @@
# File created for CIS benchmark
{{ file_managed_by_ansible }}
# CIS rule 6_2_2_2
[Journal]
ForwardToSyslog=no

View file

@ -1,4 +1,4 @@
# File created for CIS benchmark
{{ file_managed_by_ansible }}
# CIS rule 6_2_1_3
[Journal]
SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}

View file

@ -1,4 +1,4 @@
# File created for CIS benchmark
{{ file_managed_by_ansible }}
[Journal]
{% if rhel9cis_rule_6_2_2_3 %}
# Set compress CIS rule 6_2_2_3

View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
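Review bot: inserting `{{ file_managed_by_ansible }}` above `# SPDX-License-Identifier: LGPL-2.1+` pushes the SPDX tag off the first line, where license scanners conventionally look for it; consider placing the managed-by block after the SPDX line in this unit template.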
@ -7,7 +8,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
## YOUR CHANGED WILL BE LOST!
[Unit]
Description=Temporary Directory (/tmp)
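Review bot: the retained line `## YOUR CHANGED WILL BE LOST!` keeps the typo from the old header; it should read `## YOUR CHANGES WILL BE LOST!` to match the wording used in the other templates touched by this change.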

View file

@ -1,4 +1,5 @@
---
# OS Specific Settings
os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"

View file

@ -2,7 +2,7 @@
# File to skip controls if container
# Based on standard image no changes
# it expected all pkgs required for the container are alreday installed
# it expected all pkgs required for the container are already installed
## controls
@ -57,7 +57,6 @@ rhel9cis_rule_1_1_6: false
rhel9cis_rule_1_1_7: false
rhel9cis_rule_1_1_8: false
rhel9cis_rule_1_1_9: false
rhel9cis_rule_1_1_10: false
# /var/log
rhel9cis_rule_1_1_11: false
# /var/log/audit
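Review bot: dropping `rhel9cis_rule_1_1_10: false` from the container override file means that rule now follows its default when a container is detected, although the file header says its purpose is to skip controls there. Confirm this is intentional rather than an accidental deletion; the task files in this PR use 1.1.1.x / 1.1.2.x numbering, so the neighbouring `rhel9cis_rule_1_1_6` to `rhel9cis_rule_1_1_11` entries may be stale as well and deserve the same check.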

View file

@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
- 'NO-SSHWEAKMAC'
- 'NO-WEAKMAC'
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
# Used to control warning summary
warn_control_list: ""
warn_count: 0
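Review bot: `grub_hash` is not a built-in Ansible or Jinja filter, so `rhel9_compiled_bootloader_password` depends on a filter plugin shipped with the role or a collection; name its source in a comment here and list the dependency in the README, otherwise a missing plugin only surfaces as a templating error when rule 1.4.1 runs. The `# noqa template-instead-of-copy` comment applies to copy tasks with `content:`, not to a vars entry, and can be dropped.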
@ -39,7 +41,7 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
## Controls 6.3.3.x - Audit template
# This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
# audit settings are overwritten with the role's template. In order to exclude
# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
# specific rules, you must set the variable of form `rhel9cis_rule_6_3_3_x` above
# to `false`.
update_audit_template: false
@ -50,7 +52,7 @@ update_audit_template: false
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false
# The filename of the existing yml file in role's 'vars/' sub-directory
# The filename of the existing yml file in role's 'vars/' sub-directory
# to be used for managing the role-behavior when a container was detected:
# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific
# firewall-type).
@ -74,3 +76,10 @@ audit_bins:
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
company_title: 'MindPoint Group - A Tyto Athene Company'
file_managed_by_ansible: |-
# File managed by ansible as part of {{ benchmark }} benchmark
# As part of Ansible-lockdown
# Provided by {{ company_title }}
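Review bot: `file_managed_by_ansible` renders as `# File managed by ansible as part of {{ benchmark }} benchmark`; check the value of `benchmark` so the word does not double if it already ends in "benchmark". The block is `#`-commented, which suits every template it replaces headers in here (sysctl, dconf, journald, chrony, modprobe, logrotate, pwquality, auditd, systemd unit), but it should not be dropped into any template whose format does not accept `#` comments. Minor: "Ansible-lockdown" here versus the project's own "ansible-lockdown" spelling.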