ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-05-09 23:33:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #444 from ansible-lockdown/april26
Some checks failed
Export Public Repo Badges / export-badges (push) Has been cancelled
Details

Browse source 
April26
This commit is contained in:
uk-bolly 2026-04-16 17:03:34 +01:00 committed by GitHub
commit c7ed4de9a8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
50 changed files with 845 additions and 972 deletions
Download patch file Download diff file Expand all files Collapse all files

5
.github/workflows/devel_pipeline_validation.yml vendored
View file

@ -65,7 +65,7 @@
steps: steps:
- name: Git clone the lockdown repository to test - name: Git clone the lockdown repository to test
uses: actions/checkout@v4 uses: actions/checkout@v6.0.2
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
@ -81,7 +81,7 @@
# Pull in terraform code for linux servers # Pull in terraform code for linux servers
- name: Clone GitHub IaC plan - name: Clone GitHub IaC plan
uses: actions/checkout@v4 uses: actions/checkout@v6.0.2
with: with:
repository: ansible-lockdown/github_linux_IaC repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC path: .github/workflows/github_linux_IaC
@ -128,6 +128,7 @@
env: env:
OSVAR: ${{ vars.OSVAR }} OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false

6
.github/workflows/export_badges_private.yml vendored
View file

@ -2,12 +2,6 @@
name: Export Private Repo Badges name: Export Private Repo Badges
# Use different minute offsets with the same hourly pattern:
# Repo Group Suggested Cron Expression Explanation
# Group A 0 */6 * * * Starts at top of hour
# Group B 10 */6 * * * Starts at 10 after
# And So On
on: on:
push: push:
branches: branches:

5
.github/workflows/main_pipeline_validation.yml vendored
View file

@ -43,7 +43,7 @@
steps: steps:
- name: Git clone the lockdown repository to test - name: Git clone the lockdown repository to test
uses: actions/checkout@v4 uses: actions/checkout@v6.0.2
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
@ -59,7 +59,7 @@
# Pull in terraform code for linux servers # Pull in terraform code for linux servers
- name: Clone GitHub IaC plan - name: Clone GitHub IaC plan
uses: actions/checkout@v4 uses: actions/checkout@v6.0.2
with: with:
repository: ansible-lockdown/github_linux_IaC repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC path: .github/workflows/github_linux_IaC
@ -107,6 +107,7 @@
env: env:
OSVAR: ${{ vars.OSVAR }} OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false

23
.gitignore vendored
View file

@ -1,7 +1,6 @@
.env .env
*.log *.log
*.retry *.retry
.cache
.vagrant .vagrant
tests/*redhat-subscription tests/*redhat-subscription
tests/Dockerfile tests/Dockerfile
@ -10,11 +9,9 @@ tests/Dockerfile
packer_cache packer_cache
delete* delete*
ignore* ignore*
test_inv
# temp remove doc while this is built up
doc/
# VSCode # VSCode
.vscode .vscode
vagrant
# Byte-compiled / optimized / DLL files # Byte-compiled / optimized / DLL files
__pycache__/ __pycache__/
@ -39,13 +36,29 @@ tramp
rh-creds.env rh-creds.env
travis.env travis.env
# Secret/key files
*.vault
*.key
*.pem
*.p12
*.pfx
*.keystore
*.jks
*.credentials
*vault_pass*
.vault_pass
# Lockdown-specific # Lockdown-specific
benchparse/ benchparse/
*xccdf.xml *xccdf.xml
*.retry *.retry
*.pdf
*history.md
*plan.md
*qa_report*
# GitHub Action/Workflow files # GitHub Action/Workflow files
.github/ .github/
# Precommit exclusions # ansible-lint
.ansible/ .ansible/

2
.yamllint
View file

@ -17,7 +17,7 @@ rules:
comments: comments:
ignore-shebangs: true ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility min-spaces-from-content: 1 # prettier compatibility
comments-indentation: enable comments-indentation: disable
empty-lines: empty-lines:
max: 1 max: 1
indentation: indentation:

4
CONTRIBUTING.rst
View file

@ -1,4 +1,4 @@
Contributing to MindPoint Group Projects Contributing to Ansible-Lockdown Projects
======================================== ========================================
Rules Rules
@ -20,7 +20,7 @@ Signing your contribution
We've chosen to use the Developer's Certificate of Origin (DCO) method We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects. way to contribute to Ansible-Lockdown projects.
The process is to certify the below DCO 1.1 text The process is to certify the below DCO 1.1 text
:: ::

57
Changelog.md
View file

@ -1,7 +1,34 @@
# Changes to RHEL9CIS # Changes to RHEL9CIS
## 2.0.5 - Based on CIS v2.0.0
## April 2026
- bootloader password logic improved thanks to skullbringer on discord community
- 7.1.12 and 7.1.13 fixed thanks to @bubaimondalsch #440
- 4.3 tags updated
- 2.1.x - improve logic for mask/disable/stop thanks to @numericillustration #434
## March 2026 — workspace alignment
- Common files aligned to std
- workflows updates
- titles updates
- levels aligned
- auditd improvement
- grammar, lint
- vars naming
- Linting: converted ~75 single-item when: conditions from list to inline format
- Linting: added blank line after --- YAML document marker in 10 files
- Linting: fixed register: key order in 8 tasks (now appears after changed_when/failed_when)
- Linting: fixed spelling typo sddr → saddr in cis_4.3.x.yml
- Defaults: added justification comments for service client and bluetooth variables
## Based on CIS v2.0.0
# Feb26 2
#430 thanks to @numericillustration - 5.4.2.5 missing echo
# Feb26 1
- QA Fixes - QA Fixes
- .j2 Branding Update - .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task - Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
@ -77,34 +104,6 @@ tidy up tags on tasks/main.yml
- public issue 372 - public issue 372
- allow password with different locale - allow password with different locale
## 2.0.4 - Based on CIS v2.0.0
- addressed issue #419, thank you @aaronk1
- addressed issue #418 thank you @bbaassssiiee
- addressed issue #416 thank you @georgenalen and @bbaassssiiee
- addressed issue #393 thank you to @fragglexarmy
- addressed issue #394 thank you to @dbeuker
- addressed issues #390 and #391 thanks to @polski-g
- addressed issue #398 & #399 thanks to trumbaut
- Added max-concurrent options for audit
- work flow updates
- audit logic improvements
- auditd template 2.19 compatible
- pre-commit updates
- #410 thanks to @kpi-nourman
- #413 thanks to @bbaassssiiee
## 2.0.3 - Based on CIS v2.0.0
- addressed issue #387, thank you @fragglexarmy
- addressed issue #382 to improve regex logic on 5.4.2.4
- improvement on crypto policy managed controls with var logic
- addressed issue #384 thank you @polski-g
- update command to shell module on tasks
- addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g
- pre-commit update
## 2.0.2 - Based on CIS v2.0.0 ## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results - Update to audit_only to allow fetching results

653
defaults/main.yml
View file

File diff suppressed because it is too large Load diff

13
handlers/main.yml
View file

@ -246,18 +246,21 @@
## Auditd tasks note order for handlers to run ## Auditd tasks note order for handlers to run
- name: Auditd immutable check - name: Auditd rules reload
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules when: prelim_auditd_immutable_check.rc == 1 or discovered_augenrules_check.stdout is search('No change')
changed_when: false ansible.builtin.command: augenrules --load
register: discovered_auditd_immutable_check changed_when: true
failed_when: discovered_augenrule_check.rc not in [ 0, 1 ]
register: discovered_augenrule_check
- name: Audit immutable fact - name: Audit immutable fact
when: discovered_auditd_immutable_check.stdout == '1' when: prelim_auditd_immutable_check is defined
ansible.builtin.debug: ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set" msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Set reboot required notify: Set reboot required
- name: Stop auditd process - name: Stop auditd process
when: prelim_auditd_immutable_check is defined
ansible.builtin.command: systemctl kill auditd ansible.builtin.command: systemctl kill auditd
changed_when: true changed_when: true
listen: Restart auditd listen: Restart auditd

2
tasks/LE_audit_setup.yml
View file

@ -25,7 +25,7 @@
- name: Pre Audit Setup | Copy audit binary - name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy' when: get_audit_binary_method == 'copy'
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}" src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
owner: root owner: root
group: root group: root

56
tasks/auditd.yml
View file

@ -3,59 +3,47 @@
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific, # Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system. # we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules # This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable" - name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}' ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false changed_when: false
check_mode: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file - name: "POST | AUDITD | Ensure use of privileged commands is collected"
ansible.builtin.stat: ansible.builtin.shell: |
path: /etc/audit/rules.d/99_auditd.rules {%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}
register: discovered_auditd_rules_file for i in $(df | grep '^/dev' | grep -Ev '{{ egrep_exclude }}' | awk '{ print $NF }'); do
find $i -xdev -type f -perm /6000 2>/dev/null;
done
changed_when: false
failed_when: false
check_mode: false
register: discovered_privileged_commands
- name: POST | Apply auditd template for section 6.3.3.x - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
when: update_audit_template when: update_audit_template
vars: vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}" supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template: ansible.builtin.template:
src: audit/99_auditd.rules.j2 src: etc/audit/rules.d/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules dest: /etc/audit/rules.d/99_auditd.rules
owner: root owner: root
group: root group: root
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,go-wx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file register: discovered_audit_rules_updated
register: discovered_auditd_rules_template_updated
notify: notify:
- Auditd immutable check - Auditd rules reload
- Audit immutable fact
- Restart auditd - Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - name: POST | AUDITD | Set up auditd user logging exceptions
when: when: rhel9cis_allow_auditd_uid_user_exclusions
- discovered_auditd_rules_template_updated.changed
- discovered_auditd_rules_file.stat.exists
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, validate as expected'
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/98_auditd_exceptions.rules
register: discovered_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
ansible.builtin.template: ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2 src: etc/audit/rules.d/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root owner: root
group: root group: root
mode: '0640' mode: 'u-x,go-rwx'
diff: "{{ discovered_auditd_exception_file.stat.exists }}"
notify: Restart auditd notify: Restart auditd
- name: POST | AUDITD | Flush handlers
ansible.builtin.meta: flush_handlers

8
tasks/main.yml
View file

@ -200,15 +200,13 @@
file: auditd.yml file: auditd.yml
- name: "Run post remediation tasks" - name: "Run post remediation tasks"
tags: tags: always
- post_tasks
- always
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post.yml file: post.yml
- name: "Run post_remediation audit" - name: "Run post remediation audit"
when: run_audit when: run_audit
tags: always tags: run_audit
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post_remediation_audit.yml file: post_remediation_audit.yml

8
tasks/post_remediation_audit.yml
View file

@ -14,11 +14,11 @@
- name: Post Audit | Capture audit data if json format - name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
changed_when: false changed_when: false
register: post_audit_summary register: post_audit_summary_json
- name: Post Audit | Set Fact for audit summary - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}" post_audit_results: "{{ post_audit_summary_json.stdout }}"
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
when: audit_format == "documentation" when: audit_format == "documentation"
@ -26,8 +26,8 @@
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false changed_when: false
register: post_audit_summary register: post_audit_summary_documentation
- name: Post Audit | Set Fact for audit summary - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}" post_audit_results: "{{ post_audit_summary_documentation.stdout }}"

10
tasks/pre_remediation_audit.yml
View file

@ -85,12 +85,11 @@
- name: Pre Audit | Capture audit data if json format - name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
changed_when: false changed_when: false
failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary_json
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary - name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}" pre_audit_results: "{{ pre_audit_summary_json.stdout }}"
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
when: audit_format == "documentation" when: audit_format == "documentation"
@ -98,12 +97,11 @@
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false changed_when: false
failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary_documentation
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary - name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact: ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}" pre_audit_results: "{{ pre_audit_summary_documentation.stdout }}"
- name: Audit_Only | Run Audit Only - name: Audit_Only | Run Audit Only
when: audit_only when: audit_only

7
tasks/prelim.yml
View file

@ -295,6 +295,13 @@
state: directory state: directory
mode: 'u+x,g-w,o-rwx' mode: 'u+x,g-w,o-rwx'
- name: "PRELIM | AUDIT | Discover if auditd is immutable"
tags: always
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1, 2 ]
register: prelim_auditd_immutable_check
- name: "PRELIM | PATCH | Configure System Accounting (auditd)" - name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when: when:
- '"auditd" not in ansible_facts.packages' - '"auditd" not in ansible_facts.packages'

6
tasks/section_1/cis_1.1.2.3.x.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" - name: "1.1.2.3.1 | PATCH | Ensure separate partition exists for /home"
when: when:
- rhel9cis_rule_1_1_2_3_1 - rhel9cis_rule_1_1_2_3_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.3.1 - rule_1.1.2.3.1

6
tasks/section_1/cis_1.1.2.4.x.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" - name: "1.1.2.4.1 | PATCH | Ensure separate partition exists for /var"
when: when:
- rhel9cis_rule_1_1_2_4_1 - rhel9cis_rule_1_1_2_4_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.4.1 - rule_1.1.2.4.1

6
tasks/section_1/cis_1.1.2.5.x.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" - name: "1.1.2.5.1 | PATCH | Ensure separate partition exists for /var/tmp"
when: when:
- rhel9cis_rule_1_1_2_5_1 - rhel9cis_rule_1_1_2_5_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.5.1 - rule_1.1.2.5.1

6
tasks/section_1/cis_1.1.2.6.x.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition" - name: "1.1.2.6.1 | PATCH | Ensure separate partition exists for /var/log"
when: when:
- rhel9cis_rule_1_1_2_6_1 - rhel9cis_rule_1_1_2_6_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.6.1 - rule_1.1.2.6.1

6
tasks/section_1/cis_1.1.2.7.x.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition" - name: "1.1.2.7.1 | PATCH | Ensure separate partition exists for /var/log/audit"
when: when:
- rhel9cis_rule_1_1_2_7_1 - rhel9cis_rule_1_1_2_7_1
- required_mount not in prelim_mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.7.1 - rule_1.1.2.7.1

4
tasks/section_1/cis_1.3.1.x.yml
View file

@ -55,7 +55,7 @@
policy: "{{ rhel9cis_selinux_pol }}" policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}" state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled" - name: "1.3.1.4 | PATCH | Ensure the SELinux mode is not disabled"
when: when:
- rhel9cis_rule_1_3_1_4 - rhel9cis_rule_1_3_1_4
- not rhel9cis_selinux_disable - not rhel9cis_selinux_disable
@ -72,7 +72,7 @@
policy: "{{ rhel9cis_selinux_pol }}" policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}" state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing" - name: "1.3.1.5 | PATCH | Ensure the SELinux mode is enforcing"
when: when:
- rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_selinux_enforce == 'enforcing'
- rhel9cis_rule_1_3_1_5 - rhel9cis_rule_1_3_1_5

24
tasks/section_1/cis_1.4.x.yml
View file

@ -11,15 +11,27 @@
- patch - patch
- rule_1.4.1 - rule_1.4.1
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
block:
- name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (no python passlib required)"
when: rhel9cis_bootloader_salt | length == 0
ansible.builtin.set_fact:
rhel9cis_compiled_bootloader_password: "{{ rhel9cis_bootloader_password_hash }}"
- name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (python passlib required)"
when: rhel9cis_bootloader_salt | length > 0
ansible.builtin.set_fact:
rhel9cis_compiled_bootloader_password: "{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
ansible.builtin.copy: ansible.builtin.copy:
dest: /boot/grub2/user.cfg dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy content: "GRUB2_PASSWORD={{ rhel9cis_compiled_bootloader_password }}" # noqa template-instead-of-copy
owner: root owner: root
group: root group: root
mode: 'go-rwx' mode: 'go-rwx'
notify: Grub2cfg notify: Grub2cfg
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
when: rhel9cis_rule_1_4_2 when: rhel9cis_rule_1_4_2
tags: tags:
- level1-server - level1-server
@ -29,7 +41,7 @@
- rule_1.4.2 - rule_1.4.2
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
block: block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system" - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | bios based system"
when: rhel9cis_legacy_boot when: rhel9cis_legacy_boot
ansible.builtin.file: ansible.builtin.file:
path: "/boot/grub2/{{ item.path }}" path: "/boot/grub2/{{ item.path }}"
@ -44,7 +56,7 @@
- { path: 'grubenv', mode: 'u-x,go-rwx' } - { path: 'grubenv', mode: 'u-x,go-rwx' }
- { path: 'user.cfg', mode: 'u-x,go-rwx' } - { path: 'user.cfg', mode: 'u-x,go-rwx' }
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system" - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system"
when: not rhel9cis_legacy_boot when: not rhel9cis_legacy_boot
vars: vars:
efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0'] efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
@ -55,13 +67,13 @@
check_mode: false check_mode: false
register: discovered_efi_fstab register: discovered_efi_fstab
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options" - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Build Options"
when: item not in discovered_efi_fstab.stdout when: item not in discovered_efi_fstab.stdout
ansible.builtin.set_fact: ansible.builtin.set_fact:
efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}" efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}"
loop: "{{ efi_mount_options }}" loop: "{{ efi_mount_options }}"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options" - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Add mount options"
when: efi_mount_opts_addition | length > 0 when: efi_mount_opts_addition | length > 0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/fstab path: /etc/fstab

6
tasks/section_1/cis_1.5.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
when: rhel9cis_rule_1_5_1 when: rhel9cis_rule_1_5_1
tags: tags:
- level1-server - level1-server
@ -11,11 +11,11 @@
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
- NIST800-53R5_CM-6.1 - NIST800-53R5_CM-6.1
block: block:
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"

6
tasks/section_1/cis_1.7.x.yml
View file

@ -53,7 +53,7 @@
group: root group: root
mode: 'go-wx' mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - name: "1.7.4 | PATCH | Ensure access to /etc/motd is configured"
when: rhel9cis_rule_1_7_4 when: rhel9cis_rule_1_7_4
tags: tags:
- level1-server - level1-server
@ -69,7 +69,7 @@
group: root group: root
mode: 'go-wx' mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - name: "1.7.5 | PATCH | Ensure access to /etc/issue is configured"
when: rhel9cis_rule_1_7_5 when: rhel9cis_rule_1_7_5
tags: tags:
- level1-server - level1-server
@ -85,7 +85,7 @@
group: root group: root
mode: 'go-wx' mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - name: "1.7.6 | PATCH | Ensure access to /etc/issue.net is configured"
when: rhel9cis_rule_1_7_6 when: rhel9cis_rule_1_7_6
tags: tags:
- level1-server - level1-server

4
tasks/section_1/cis_1.8.x.yml
View file

@ -198,7 +198,7 @@
- rhel9cis_gui - rhel9cis_gui
tags: tags:
- level1-server - level1-server
- level2-workstation - level1-workstation
- patch - patch
- gui - gui
- rule_1.8.8 - rule_1.8.8
@ -226,7 +226,7 @@
- rhel9cis_gui - rhel9cis_gui
tags: tags:
- level1-server - level1-server
- level2-workstation - level1-workstation
- patch - patch
- gui - gui
- rule_1.8.9 - rule_1.8.9

89
tasks/section_2/cis_2.1.x.yml
View file

@ -28,8 +28,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: autofs name: autofs
enabled: false enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
@ -60,8 +60,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- avahi-daemon.socket - avahi-daemon.socket
@ -93,8 +93,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- dhcpd.service - dhcpd.service
@ -126,11 +126,11 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: named.service name: named.service
enabled: false enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
when: rhel9cis_rule_2_1_5 when: rhel9cis_rule_2_1_5
tags: tags:
- level1-server - level1-server
@ -141,7 +141,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- rule_2.1.5 - rule_2.1.5
block: block:
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package" - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
when: when:
- not rhel9cis_dnsmasq_server - not rhel9cis_dnsmasq_server
- not rhel9cis_dnsmasq_mask - not rhel9cis_dnsmasq_mask
@ -149,15 +149,15 @@
name: dnsmasq name: dnsmasq
state: absent state: absent
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service" - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
when: when:
- not rhel9cis_dnsmasq_server - not rhel9cis_dnsmasq_server
- rhel9cis_dnsmasq_mask - rhel9cis_dnsmasq_mask
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: dnsmasq.service name: dnsmasq.service
enabled: false enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use" - name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
@ -187,8 +187,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: smb.service name: smb.service
enabled: false enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use" - name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
@ -218,8 +218,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: vsftpd.service name: vsftpd.service
enabled: false enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use" - name: "2.1.8 | PATCH | Ensure message access server services are not in use"
@ -252,8 +252,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- "dovecot.socket" - "dovecot.socket"
@ -288,8 +288,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: nfs-server.service name: nfs-server.service
enabled: false enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use" - name: "2.1.10 | PATCH | Ensure nis server services are not in use"
@ -318,8 +318,8 @@
- rhel9cis_nis_mask - rhel9cis_nis_mask
ansible.builtin.systemd: ansible.builtin.systemd:
name: ypserv.service name: ypserv.service
enabled: false enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use" - name: "2.1.11 | PATCH | Ensure print server services are not in use"
@ -347,8 +347,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- "cups.socket" - "cups.socket"
@ -381,8 +381,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- rpcbind.service - rpcbind.service
@ -415,8 +415,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- 'rsyncd.socket' - 'rsyncd.socket'
@ -448,8 +448,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: snmpd.service name: snmpd.service
enabled: false enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use" - name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
@ -479,8 +479,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: telnet.socket name: telnet.socket
enabled: false enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
@ -509,8 +509,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
loop: loop:
- 'tftp.socket' - 'tftp.socket'
@ -543,8 +543,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: squid.service name: squid.service
enabled: false enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use" - name: "2.1.18 | PATCH | Ensure web server services are not in use"
@ -583,8 +583,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: httpd.service name: httpd.service
enabled: false enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
@ -594,8 +594,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: ngnix.service name: ngnix.service
enabled: false enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
@ -624,8 +624,8 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: xinetd.service name: xinetd.service
enabled: false enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true
- name: "2.1.20 | PATCH | Ensure X window server services are not in use" - name: "2.1.20 | PATCH | Ensure X window server services are not in use"
@ -633,8 +633,7 @@
- not rhel9cis_xwindow_server - not rhel9cis_xwindow_server
- rhel9cis_rule_2_1_20 - rhel9cis_rule_2_1_20
tags: tags:
- level1-server - level2-server
- level1-workstation
- automated - automated
- patch - patch
- xwindow - xwindow

2
tasks/section_2/cis_2.2.x.yml
View file

@ -64,7 +64,7 @@
name: telnet name: telnet
state: absent state: absent
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed" - name: "2.2.5 | PATCH | Ensure tftp client is not installed"
when: when:
- not rhel9cis_tftp_client - not rhel9cis_tftp_client
- rhel9cis_rule_2_2_5 - rhel9cis_rule_2_2_5

2
tasks/section_2/cis_2.4.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled" - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
when: rhel9cis_rule_2_4_1_1 when: rhel9cis_rule_2_4_1_1
tags: tags:
- level1-server - level1-server

4
tasks/section_3/cis_3.1.x.yml
View file

@ -105,6 +105,6 @@
notify: Systemd daemon reload notify: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: bluetooth.service name: bluetooth.service
enabled: false enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
state: stopped state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true masked: true

68
tasks/section_3/cis_3.3.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled"
when: when:
- not rhel9cis_is_router - not rhel9cis_is_router
- rhel9cis_rule_3_3_1 - rhel9cis_rule_3_3_1
@ -16,23 +16,23 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | IPv6"
when: rhel9cis_ipv6_required when: rhel9cis_ipv6_required
block: block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
@ -60,7 +60,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
when: rhel9cis_rule_3_3_3 when: rhel9cis_rule_3_3_3
tags: tags:
- level1-server - level1-server
@ -74,16 +74,16 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored"
when: rhel9cis_rule_3_3_4 when: rhel9cis_rule_3_3_4
tags: tags:
- level1-server - level1-server
@ -97,7 +97,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" - name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
@ -106,7 +106,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_5 when: rhel9cis_rule_3_3_5
tags: tags:
- level1-server - level1-server
@ -120,27 +120,27 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required when: rhel9cis_ipv6_required
block: block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_6 when: rhel9cis_rule_3_3_6
tags: tags:
- level1-server - level1-server
@ -154,27 +154,27 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required when: rhel9cis_ipv6_required
block: block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6" - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
when: rhel9cis_rule_3_3_7 when: rhel9cis_rule_3_3_7
tags: tags:
- level1-server - level1-server
@ -188,12 +188,12 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -249,7 +249,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
when: rhel9cis_rule_3_3_10 when: rhel9cis_rule_3_3_10
tags: tags:
- level1-server - level1-server
@ -263,22 +263,22 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted" - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted"
when: when:
- rhel9cis_ipv6_required - rhel9cis_ipv6_required
- rhel9cis_rule_3_3_11 - rhel9cis_rule_3_3_11
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- sysctl - sysctl
- patch - patch
- rule_3.3.11 - rule_3.3.11
@ -288,11 +288,11 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"

8
tasks/section_4/cis_4.3.x.yml
View file

@ -7,7 +7,11 @@
- rhel9cis_rule_4_3_2 - rhel9cis_rule_4_3_2
- rhel9cis_rule_4_3_3 - rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4 - rhel9cis_rule_4_3_4
tags: always tags:
- rule_4.3.1
- rule_4.3.2
- rule_4.3.3
- rule_4.3.4
ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
changed_when: true changed_when: true
@ -210,7 +214,7 @@
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
changed_when: true changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip saddr rule | nftables"
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
changed_when: true changed_when: true

18
tasks/section_5/cis_5.1.x.yml
View file

@ -134,7 +134,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured" - name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
when: when:
- rhel9cis_rule_5_1_6 - rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
@ -148,7 +148,7 @@
- rule_5.1.6 - rule_5.1.6
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion" - name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
@ -159,7 +159,7 @@
- Update Crypto Policy - Update Crypto Policy
- Set Crypto Policy - Set Crypto Policy
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules" - name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
@ -290,7 +290,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when: rhel9cis_rule_5_1_11 when: rhel9cis_rule_5_1_11
tags: tags:
- level1-server - level2-server
- level1-workstation - level1-workstation
- patch - patch
- sshd - sshd
@ -360,7 +360,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less" - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
when: rhel9cis_rule_5_1_14 when: rhel9cis_rule_5_1_14
tags: tags:
- level1-server - level1-server
@ -378,7 +378,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate" - name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
when: rhel9cis_rule_5_1_15 when: rhel9cis_rule_5_1_15
tags: tags:
- level1-server - level1-server
@ -398,7 +398,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less" - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
when: rhel9cis_rule_5_1_16 when: rhel9cis_rule_5_1_16
tags: tags:
- level1-server - level1-server
@ -438,7 +438,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
when: rhel9cis_rule_5_1_18 when: rhel9cis_rule_5_1_18
tags: tags:
- level1-server - level1-server
@ -522,7 +522,7 @@
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled" - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
when: rhel9cis_rule_5_1_22 when: rhel9cis_rule_5_1_22
tags: tags:
- level1-server - level1-server

2
tasks/section_5/cis_5.3.1.x.yml
View file

@ -39,7 +39,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
authselect_update: OK authselect_update: OK
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed" - name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
when: when:
- rhel9cis_rule_5_3_1_3 - rhel9cis_rule_5_3_1_3
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or - ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or

2
tasks/section_5/cis_5.3.2.x.yml
View file

@ -65,7 +65,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock register: discovered_authselect_current_faillock
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]" - name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]'
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0 - discovered_authselect_current_faillock.rc != 0

4
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -87,8 +87,8 @@
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when: rhel9cis_rule_5_3_3_1_3 when: rhel9cis_rule_5_3_3_1_3
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- automated - automated
- patch - patch
- pam - pam

10
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -67,7 +67,7 @@
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
- pam - pam
block: block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
when: when:
- item != rhel9cis_passwd_minlen_file - item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -81,7 +81,7 @@
- /etc/pam.d/password-auth - /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}" - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
ansible.builtin.template: ansible.builtin.template:
src: "{{ rhel9cis_passwd_minlen_file }}.j2" src: "{{ rhel9cis_passwd_minlen_file }}.j2"
dest: "/{{ rhel9cis_passwd_minlen_file }}" dest: "/{{ rhel9cis_passwd_minlen_file }}"
@ -89,7 +89,7 @@
group: root group: root
mode: 'go-rwx' mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -101,7 +101,7 @@
- password - password
- system - system
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect" - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -226,7 +226,7 @@
- system - system
notify: Authselect update notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
when: rhel9cis_rule_5_3_3_2_5 when: rhel9cis_rule_5_3_3_2_5
tags: tags:
- level1-server - level1-server

6
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -15,13 +15,13 @@
failed_when: discovered_pwhistory_remember.rc not in [0, 1] failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file" - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf" path: "/etc/security/pwhistory.conf"
regexp: remember\s*=\s*\d* regexp: remember\s*=\s*\d*
line: remember = {{ rhel9cis_pamd_pwhistory_remember }} line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect" - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -33,7 +33,7 @@
- password - password
- system - system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect" - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high - rhel9cis_disruption_high

2
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -27,7 +27,7 @@
replace: '' replace: ''
loop: "{{ discovered_pam_nullok.stdout_lines }}" loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates when: rhel9cis_allow_authselect_updates
ansible.builtin.replace: ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"

12
tasks/section_5/cis_5.4.1.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
when: rhel9cis_rule_5_4_1_1 when: rhel9cis_rule_5_4_1_1
tags: tags:
- level1-server - level1-server
@ -14,7 +14,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/login.defs path: /etc/login.defs
regexp: '^PASS_MAX_DAYS' regexp: '^PASS_MAX_DAYS'
@ -27,7 +27,7 @@
check_mode: false check_mode: false
register: discovered_max_days register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
when: when:
- discovered_max_days.stdout_lines | length > 0 - discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_users | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
@ -40,8 +40,8 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when: rhel9cis_rule_5_4_1_2 when: rhel9cis_rule_5_4_1_2
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- patch - patch
- password - password
- rule_5.4.1.2 - rule_5.4.1.2
@ -140,7 +140,7 @@
check_mode: false check_mode: false
register: discovered_passwdlck_user_list register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_users | map(attribute='username') | list when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true changed_when: true

2
tasks/section_5/cis_5.4.2.x.yml
View file

@ -105,7 +105,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "This is set as an assert in tasks/main" msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" - name: "5.4.2.5 | PATCH | Ensure root path integrity"
when: rhel9cis_rule_5_4_2_5 when: rhel9cis_rule_5_4_2_5
tags: tags:
- level1-server - level1-server

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -72,8 +72,8 @@
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
state: stopped state: "{{ ('systemd-journal-upload' in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: false enabled: "{{ ('systemd-journal-upload' in ansible_facts.packages) | ternary(false, omit) }}"
masked: true masked: true
loop: loop:
- systemd-journal-remote.socket - systemd-journal-remote.socket

2
tasks/section_6/cis_6.2.2.x.yml
View file

@ -4,7 +4,7 @@
when: rhel9cis_rule_6_2_2_2 when: rhel9cis_rule_6_2_2_2
tags: tags:
- level1-server - level1-server
- level2-workstation - level1-workstation
- patch - patch
- journald - journald
- rule_6.2.2.2 - rule_6.2.2.2

24
tasks/section_6/cis_6.2.3.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed" - name: "6.2.3.1 | PATCH | Ensure rsyslog is installed"
when: when:
- "'rsyslog' not in ansible_facts.packages" - "'rsyslog' not in ansible_facts.packages"
- rhel9cis_rule_6_2_3_1 - rhel9cis_rule_6_2_3_1
@ -17,7 +17,7 @@
name: rsyslog name: rsyslog
state: present state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active" - name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
when: rhel9cis_rule_6_2_3_2 when: rhel9cis_rule_6_2_3_2
tags: tags:
- level1-server - level1-server
@ -68,7 +68,7 @@
line: '$FileCreateMode 0640' line: '$FileCreateMode 0640'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured"
when: rhel9cis_rule_6_2_3_5 when: rhel9cis_rule_6_2_3_5
tags: tags:
- level1-server - level1-server
@ -93,7 +93,7 @@
- "These are the current logging configurations for rsyslog, please review:" - "These are the current logging configurations for rsyslog, please review:"
- "{{ discovered_configured_rsyslog.stdout_lines }}" - "{{ discovered_configured_rsyslog.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -107,7 +107,7 @@
insertafter: '# Log all the mail messages in one place.' insertafter: '# Log all the mail messages in one place.'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | news.crit log setting"
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -120,7 +120,7 @@
insertafter: '# Save news errors of level crit and higher in a special file.' insertafter: '# Save news errors of level crit and higher in a special file.'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Misc. log setting"
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -134,7 +134,7 @@
insertbefore: '# ### sample forwarding rule ###' insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Local log settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
@ -149,7 +149,7 @@
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Auth Settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
@ -160,7 +160,7 @@
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings" - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Cron Settings"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
@ -208,7 +208,7 @@
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
block: block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host" - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not log host"
when: not rhel9cis_system_is_log_server when: not rhel9cis_system_is_log_server
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
- '^(module\(load="imtcp"\))' - '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")' - '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host" - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When log host"
when: rhel9cis_system_is_log_server when: rhel9cis_system_is_log_server
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
@ -254,7 +254,7 @@
state: started state: started
enabled: true enabled: true
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf" - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | set rsyslog conf"
ansible.builtin.template: ansible.builtin.template:
src: etc/logrotate.d/rsyslog_log.j2 src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log dest: /etc/logrotate.d/rsyslog_log

6
tasks/section_6/cis_6.3.1.x.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed" - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed"
when: rhel9cis_rule_6_3_1_1 when: rhel9cis_rule_6_3_1_1
tags: tags:
- level2-server - level2-server
@ -13,13 +13,13 @@
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
- NIST800-53R5_SI-5 - NIST800-53R5_SI-5
block: block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages' when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package: ansible.builtin.package:
name: audit name: audit
state: present state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages' when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package: ansible.builtin.package:
name: audit-libs name: audit-libs

22
tasks/section_6/cis_6.3.3.x.yml
View file

@ -67,7 +67,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
when: rhel9cis_rule_6_3_3_6 when: rhel9cis_rule_6_3_3_6
tags: tags:
- level2-server - level2-server
@ -77,14 +77,14 @@
- rule_6.3.3.6 - rule_6.3.3.6
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
block: block:
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: discovered_priv_procs register: discovered_priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
notify: update auditd notify: update auditd
@ -197,7 +197,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are collected"
when: rhel9cis_rule_6_3_3_15 when: rhel9cis_rule_6_3_3_15
tags: tags:
- level2-server - level2-server
@ -212,7 +212,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are collected"
when: rhel9cis_rule_6_3_3_16 when: rhel9cis_rule_6_3_3_16
tags: tags:
- level2-server - level2-server
@ -227,7 +227,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are collected"
when: rhel9cis_rule_6_3_3_17 when: rhel9cis_rule_6_3_3_17
tags: tags:
- level2-server - level2-server
@ -242,7 +242,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are collected"
when: rhel9cis_rule_6_3_3_18 when: rhel9cis_rule_6_3_3_18
tags: tags:
- level2-server - level2-server
@ -257,7 +257,7 @@
update_audit_template: true update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected" - name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
when: rhel9cis_rule_6_3_3_19 when: rhel9cis_rule_6_3_3_19
tags: tags:
- level2-server - level2-server
@ -295,9 +295,9 @@
- auditd - auditd
- rule_6.3.3.21 - rule_6.3.3.21
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
ansible.builtin.debug: ansible.builtin.command: augenrules --check
msg: changed_when: false
- "Please run augenrules --load if you suspect there is a configuration that is not active" register: discovered_augenrules_check
- name: Auditd | 6.3.3.x | Auditd controls updated - name: Auditd | 6.3.3.x | Auditd controls updated
when: update_audit_template when: update_audit_template

49
tasks/section_7/cis_7.1.x.yml
View file

@ -1,8 +1,7 @@
--- ---
- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
when: when: rhel9cis_rule_7_1_1
- rhel9cis_rule_7_1_1
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -18,8 +17,7 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
when: when: rhel9cis_rule_7_1_2
- rhel9cis_rule_7_1_2
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -35,8 +33,7 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
when: when: rhel9cis_rule_7_1_3
- rhel9cis_rule_7_1_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -52,8 +49,7 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
when: when: rhel9cis_rule_7_1_4
- rhel9cis_rule_7_1_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -69,8 +65,7 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" - name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
when: when: rhel9cis_rule_7_1_5
- rhel9cis_rule_7_1_5
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -86,8 +81,7 @@
mode: 'ugo-rwx' mode: 'ugo-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when: when: rhel9cis_rule_7_1_6
- rhel9cis_rule_7_1_6
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -103,8 +97,7 @@
mode: 'ugo-rwx' mode: 'ugo-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when: when: rhel9cis_rule_7_1_7
- rhel9cis_rule_7_1_7
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -120,8 +113,7 @@
mode: 'ugo-rwx' mode: 'ugo-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when: when: rhel9cis_rule_7_1_8
- rhel9cis_rule_7_1_8
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -137,8 +129,7 @@
mode: 'ugo-rwx' mode: 'ugo-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when: when: rhel9cis_rule_7_1_9
- rhel9cis_rule_7_1_9
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -154,8 +145,7 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
when: when: rhel9cis_rule_7_1_10
- rhel9cis_rule_7_1_10
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -173,8 +163,7 @@
register: discovered_file_exists register: discovered_file_exists
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when: when: rhel9cis_rule_7_1_11
- rhel9cis_rule_7_1_11
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -191,7 +180,7 @@
changed_when: false changed_when: false
register: discovered_world_writable register: discovered_world_writable
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
when: when:
- discovered_world_writable.stdout_lines is defined - discovered_world_writable.stdout_lines is defined
- discovered_world_writable.stdout_lines | length > 0 - discovered_world_writable.stdout_lines | length > 0
@ -202,15 +191,14 @@
state: touch state: touch
loop: "{{ discovered_world_writable.stdout_lines }}" loop: "{{ discovered_world_writable.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
failed_when: discovered_set_stickybit.rc not in [ 0, 123 ] failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
changed_when: discovered_set_stickybit.rc == 0 changed_when: discovered_set_stickybit.rc == 0
register: discovered_set_stickybit register: discovered_set_stickybit
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when: when: rhel9cis_rule_7_1_12
- rhel9cis_rule_7_1_12
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -223,7 +211,7 @@
warn_control_id: '7.1.12' warn_control_id: '7.1.12'
block: block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs ansible.builtin.command: "find {{ item.mount }} -xdev {{ rhel9cis_exclude_unowned_search_path }} \\( -nouser -o -nogroup \\) -not -fstype nfs"
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
@ -266,8 +254,7 @@
file: warning_facts.yml file: warning_facts.yml
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
when: when: rhel9cis_rule_7_1_13
- rhel9cis_rule_7_1_13
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -285,7 +272,7 @@
warn_control_id: '7.1.13' warn_control_id: '7.1.13'
block: block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 -o -04000 \) -not -fstype nfs
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
@ -309,7 +296,7 @@
- "The files are listed below, please confirm the integrity of these binaries" - "The files are listed below, please confirm the integrity of these binaries"
- "{{ discovered_suid_sgid_files_flatten }}" - "{{ discovered_suid_sgid_files_flatten }}"
- name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit" - name: "7.1.13 | PATCH | Ensure SUID and SGID files are reviewed | Remove SUID bit"
when: when:
- rhel9cis_suid_sgid_adjust - rhel9cis_suid_sgid_adjust
- discovered_suid_sgid_files_flatten | length > 0 - discovered_suid_sgid_files_flatten | length > 0

0
templates/audit/98_auditd_exception.rules.j2 → templates/etc/audit/rules.d/98_auditd_exception.rules.j2
View file

0
templates/audit/99_auditd.rules.j2 → templates/etc/audit/rules.d/99_auditd.rules.j2
View file

6
vars/main.yml
View file

@ -1,6 +1,10 @@
--- ---
# vars file for RHEL9-CIS # vars file for RHEL9-CIS
# Set default value for reboot value
change_requires_reboot: false
min_ansible_version: 2.10.1 min_ansible_version: 2.10.1
rhel9cis_allowed_crypto_policies: rhel9cis_allowed_crypto_policies:
- 'DEFAULT' - 'DEFAULT'
@ -24,8 +28,6 @@ rhel9cis_allowed_crypto_policies_modules:
- 'NO-SSHWEAKMAC' - 'NO-SSHWEAKMAC'
- 'NO-WEAKMAC' - 'NO-WEAKMAC'
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
# Used to control warning summary # Used to control warning summary
warn_control_list: "" warn_control_list: ""
warn_count: 0 warn_count: 0