ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-05-09 23:33:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #444 from ansible-lockdown/april26
Some checks failed
Export Public Repo Badges / export-badges (push) Has been cancelled
Details

Browse source 
April26
This commit is contained in:
uk-bolly 2026-04-16 17:03:34 +01:00 committed by GitHub
commit c7ed4de9a8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
50 changed files with 845 additions and 972 deletions
Download patch file Download diff file Expand all files Collapse all files

17
.github/workflows/devel_pipeline_validation.yml vendored
View file

@ -1,8 +1,8 @@
---
name: Devel pipeline
name: Devel pipeline
on: # yamllint disable-line rule:truthy
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
@ -17,9 +17,9 @@
# Allow manual running of workflow
workflow_dispatch:
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: ubuntu-latest
@ -65,7 +65,7 @@
steps:
- name: Git clone the lockdown repository to test
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}
@ -81,7 +81,7 @@
# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
@ -128,6 +128,7 @@
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
@ -137,7 +138,7 @@
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Aws deployments taking a while to come up insert sleep or playbook fails
# Aws deployments taking a while to come up insert sleep or playbook fails
- name: Sleep to allow system to come up
run: sleep ${{ vars.BUILD_SLEEPTIME }}

6
.github/workflows/export_badges_private.yml vendored
View file

@ -2,12 +2,6 @@
name: Export Private Repo Badges
# Use different minute offsets with the same hourly pattern:
# Repo Group Suggested Cron Expression Explanation
# Group A 0 */6 * * * Starts at top of hour
# Group B 10 */6 * * * Starts at 10 after
# And So On
on:
push:
branches:

23
.github/workflows/main_pipeline_validation.yml vendored
View file

@ -1,8 +1,8 @@
---
name: Main pipeline
name: Main pipeline
on: # yamllint disable-line rule:truthy
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
@ -15,15 +15,15 @@
- '**.ps1'
- '**.cfg'
# Allow permissions for AWS auth
permissions:
# Allow permissions for AWS auth
permissions:
id-token: write
contents: read
pull-requests: read
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
@ -32,7 +32,7 @@
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
AWS_REGION : "us-east-1"
AWS_REGION: "us-east-1"
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
defaults:
run:
@ -43,7 +43,7 @@
steps:
- name: Git clone the lockdown repository to test
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}
@ -59,7 +59,7 @@
# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
@ -107,6 +107,7 @@
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
@ -116,7 +117,7 @@
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Aws deployments taking a while to come up insert sleep or playbook fails
# Aws deployments taking a while to come up insert sleep or playbook fails
- name: Sleep to allow system to come up
run: sleep ${{ vars.BUILD_SLEEPTIME }}

23
.gitignore vendored
View file

@ -1,7 +1,6 @@
.env
*.log
*.retry
.cache
.vagrant
tests/*redhat-subscription
tests/Dockerfile
@ -10,11 +9,9 @@ tests/Dockerfile
packer_cache
delete*
ignore*
test_inv
# temp remove doc while this is built up
doc/
# VSCode
.vscode
vagrant
# Byte-compiled / optimized / DLL files
__pycache__/
@ -39,13 +36,29 @@ tramp
rh-creds.env
travis.env
# Secret/key files
*.vault
*.key
*.pem
*.p12
*.pfx
*.keystore
*.jks
*.credentials
*vault_pass*
.vault_pass
# Lockdown-specific
benchparse/
*xccdf.xml
*.retry
*.pdf
*history.md
*plan.md
*qa_report*
# GitHub Action/Workflow files
.github/
# Precommit exclusions
# ansible-lint
.ansible/

2
.yamllint
View file

@ -17,7 +17,7 @@ rules:
comments:
ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility
comments-indentation: enable
comments-indentation: disable
empty-lines:
max: 1
indentation:

4
CONTRIBUTING.rst
View file

@ -1,4 +1,4 @@
Contributing to MindPoint Group Projects
Contributing to Ansible-Lockdown Projects
========================================
Rules
@ -20,7 +20,7 @@ Signing your contribution
We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects.
way to contribute to Ansible-Lockdown projects.
The process is to certify the below DCO 1.1 text
::

57
Changelog.md
View file

@ -1,7 +1,34 @@
# Changes to RHEL9CIS
## 2.0.5 - Based on CIS v2.0.0
## April 2026
- bootloader password logic improved thanks to skullbringer on discord community
- 7.1.12 and 7.1.13 fixed thanks to @bubaimondalsch #440
- 4.3 tags updated
- 2.1.x - improve logic for mask/disable/stop thanks to @numericillustration #434
## March 2026 — workspace alignment
- Common files aligned to std
- workflows updates
- titles updates
- levels aligned
- auditd improvement
- grammar, lint
- vars naming
- Linting: converted ~75 single-item when: conditions from list to inline format
- Linting: added blank line after --- YAML document marker in 10 files
- Linting: fixed register: key order in 8 tasks (now appears after changed_when/failed_when)
- Linting: fixed spelling typo sddr → saddr in cis_4.3.x.yml
- Defaults: added justification comments for service client and bluetooth variables
## Based on CIS v2.0.0
# Feb26 2
#430 thanks to @numericillustration - 5.4.2.5 missing echo
# Feb26 1
- QA Fixes
- .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
@ -77,34 +104,6 @@ tidy up tags on tasks/main.yml
- public issue 372
- allow password with different locale
## 2.0.4 - Based on CIS v2.0.0
- addressed issue #419, thank you @aaronk1
- addressed issue #418 thank you @bbaassssiiee
- addressed issue #416 thank you @georgenalen and @bbaassssiiee
- addressed issue #393 thank you to @fragglexarmy
- addressed issue #394 thank you to @dbeuker
- addressed issues #390 and #391 thanks to @polski-g
- addressed issue #398 & #399 thanks to trumbaut
- Added max-concurrent options for audit
- work flow updates
- audit logic improvements
- auditd template 2.19 compatible
- pre-commit updates
- #410 thanks to @kpi-nourman
- #413 thanks to @bbaassssiiee
## 2.0.3 - Based on CIS v2.0.0
- addressed issue #387, thank you @fragglexarmy
- addressed issue #382 to improve regex logic on 5.4.2.4
- improvement on crypto policy managed controls with var logic
- addressed issue #384 thank you @polski-g
- update command to shell module on tasks
- addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g
- pre-commit update
## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results

655
defaults/main.yml
View file

File diff suppressed because it is too large Load diff

13
handlers/main.yml
View file

@ -246,18 +246,21 @@
## Auditd tasks note order for handlers to run
- name: Auditd immutable check
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: discovered_auditd_immutable_check
- name: Auditd rules reload
when: prelim_auditd_immutable_check.rc == 1 or discovered_augenrules_check.stdout is search('No change')
ansible.builtin.command: augenrules --load
changed_when: true
failed_when: discovered_augenrule_check.rc not in [ 0, 1 ]
register: discovered_augenrule_check
- name: Audit immutable fact
when: discovered_auditd_immutable_check.stdout == '1'
when: prelim_auditd_immutable_check is defined
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Set reboot required
- name: Stop auditd process
when: prelim_auditd_immutable_check is defined
ansible.builtin.command: systemctl kill auditd
changed_when: true
listen: Restart auditd

2
tasks/LE_audit_setup.yml
View file

@ -25,7 +25,7 @@
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
owner: root
group: root

56
tasks/auditd.yml
View file

@ -3,59 +3,47 @@
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false
check_mode: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/99_auditd.rules
register: discovered_auditd_rules_file
- name: "POST | AUDITD | Ensure use of privileged commands is collected"
ansible.builtin.shell: |
{%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}
for i in $(df | grep '^/dev' | grep -Ev '{{ egrep_exclude }}' | awk '{ print $NF }'); do
find $i -xdev -type f -perm /6000 2>/dev/null;
done
changed_when: false
failed_when: false
check_mode: false
register: discovered_privileged_commands
- name: POST | Apply auditd template for section 6.3.3.x
- name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
when: update_audit_template
vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template:
src: audit/99_auditd.rules.j2
src: etc/audit/rules.d/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 'u-x,g-wx,o-rwx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated
mode: 'u-x,go-wx'
register: discovered_audit_rules_updated
notify:
- Auditd immutable check
- Audit immutable fact
- Auditd rules reload
- Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
when:
- discovered_auditd_rules_template_updated.changed
- discovered_auditd_rules_file.stat.exists
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, validate as expected'
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/98_auditd_exceptions.rules
register: discovered_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
- name: POST | AUDITD | Set up auditd user logging exceptions
when: rhel9cis_allow_auditd_uid_user_exclusions
ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2
src: etc/audit/rules.d/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: '0640'
diff: "{{ discovered_auditd_exception_file.stat.exists }}"
mode: 'u-x,go-rwx'
notify: Restart auditd
- name: POST | AUDITD | Flush handlers
ansible.builtin.meta: flush_handlers

8
tasks/main.yml
View file

@ -200,15 +200,13 @@
file: auditd.yml
- name: "Run post remediation tasks"
tags:
- post_tasks
- always
tags: always
ansible.builtin.import_tasks:
file: post.yml
- name: "Run post_remediation audit"
- name: "Run post remediation audit"
when: run_audit
tags: always
tags: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml

8
tasks/post_remediation_audit.yml
View file

@ -14,11 +14,11 @@
- name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
changed_when: false
register: post_audit_summary
register: post_audit_summary_json
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
post_audit_results: "{{ post_audit_summary_json.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when: audit_format == "documentation"
@ -26,8 +26,8 @@
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
register: post_audit_summary
register: post_audit_summary_documentation
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
post_audit_results: "{{ post_audit_summary_documentation.stdout }}"

10
tasks/pre_remediation_audit.yml
View file

@ -85,12 +85,11 @@
- name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
changed_when: false
failed_when: pre_audit_summary.stderr | length > 0
register: pre_audit_summary
register: pre_audit_summary_json
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
pre_audit_results: "{{ pre_audit_summary_json.stdout }}"
- name: Pre Audit | Capture audit data if documentation format
when: audit_format == "documentation"
@ -98,12 +97,11 @@
- name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
failed_when: pre_audit_summary.stderr | length > 0
register: pre_audit_summary
register: pre_audit_summary_documentation
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
pre_audit_results: "{{ pre_audit_summary_documentation.stdout }}"
- name: Audit_Only | Run Audit Only
when: audit_only

7
tasks/prelim.yml
View file

@ -295,6 +295,13 @@
state: directory
mode: 'u+x,g-w,o-rwx'
- name: "PRELIM | AUDIT | Discover if auditd is immutable"
tags: always
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1, 2 ]
register: prelim_auditd_immutable_check
- name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when:
- '"auditd" not in ansible_facts.packages'

6
tasks/section_1/cis_1.1.2.3.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
- name: "1.1.2.3.1 | PATCH | Ensure separate partition exists for /home"
when:
- rhel9cis_rule_1_1_2_3_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.3.1

6
tasks/section_1/cis_1.1.2.4.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
- name: "1.1.2.4.1 | PATCH | Ensure separate partition exists for /var"
when:
- rhel9cis_rule_1_1_2_4_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.4.1

6
tasks/section_1/cis_1.1.2.5.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
- name: "1.1.2.5.1 | PATCH | Ensure separate partition exists for /var/tmp"
when:
- rhel9cis_rule_1_1_2_5_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.5.1

6
tasks/section_1/cis_1.1.2.6.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
- name: "1.1.2.6.1 | PATCH | Ensure separate partition exists for /var/log"
when:
- rhel9cis_rule_1_1_2_6_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.6.1

6
tasks/section_1/cis_1.1.2.7.x.yml
View file

@ -1,12 +1,12 @@
---
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
- name: "1.1.2.7.1 | PATCH | Ensure separate partition exists for /var/log/audit"
when:
- rhel9cis_rule_1_1_2_7_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.7.1

4
tasks/section_1/cis_1.3.1.x.yml
View file

@ -55,7 +55,7 @@
policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled"
- name: "1.3.1.4 | PATCH | Ensure the SELinux mode is not disabled"
when:
- rhel9cis_rule_1_3_1_4
- not rhel9cis_selinux_disable
@ -72,7 +72,7 @@
policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing"
- name: "1.3.1.5 | PATCH | Ensure the SELinux mode is enforcing"
when:
- rhel9cis_selinux_enforce == 'enforcing'
- rhel9cis_rule_1_3_1_5

24
tasks/section_1/cis_1.4.x.yml
View file

@ -11,15 +11,27 @@
- patch
- rule_1.4.1
- NIST800-53R5_AC-3
block:
- name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (no python passlib required)"
when: rhel9cis_bootloader_salt | length == 0
ansible.builtin.set_fact:
rhel9cis_compiled_bootloader_password: "{{ rhel9cis_bootloader_password_hash }}"
- name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (python passlib required)"
when: rhel9cis_bootloader_salt | length > 0
ansible.builtin.set_fact:
rhel9cis_compiled_bootloader_password: "{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
ansible.builtin.copy:
dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
content: "GRUB2_PASSWORD={{ rhel9cis_compiled_bootloader_password }}" # noqa template-instead-of-copy
owner: root
group: root
mode: 'go-rwx'
notify: Grub2cfg
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
when: rhel9cis_rule_1_4_2
tags:
- level1-server
@ -29,7 +41,7 @@
- rule_1.4.2
- NIST800-53R5_AC-3
block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | bios based system"
when: rhel9cis_legacy_boot
ansible.builtin.file:
path: "/boot/grub2/{{ item.path }}"
@ -44,7 +56,7 @@
- { path: 'grubenv', mode: 'u-x,go-rwx' }
- { path: 'user.cfg', mode: 'u-x,go-rwx' }
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system"
when: not rhel9cis_legacy_boot
vars:
efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
@ -55,13 +67,13 @@
check_mode: false
register: discovered_efi_fstab
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Build Options"
when: item not in discovered_efi_fstab.stdout
ansible.builtin.set_fact:
efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}"
loop: "{{ efi_mount_options }}"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Add mount options"
when: efi_mount_opts_addition | length > 0
ansible.builtin.lineinfile:
path: /etc/fstab

6
tasks/section_1/cis_1.5.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
when: rhel9cis_rule_1_5_1
tags:
- level1-server
@ -11,11 +11,11 @@
- NIST800-53R5_CM-6
- NIST800-53R5_CM-6.1
block:
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"

6
tasks/section_1/cis_1.6.x.yml
View file

@ -130,7 +130,7 @@
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh"
when:
- rhel9cis_rule_1_6_6
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
@ -144,7 +144,7 @@
- rule_1.6.6
- NIST800-53R5_SC-6
block:
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
@ -153,7 +153,7 @@
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler

6
tasks/section_1/cis_1.7.x.yml
View file

@ -53,7 +53,7 @@
group: root
mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
- name: "1.7.4 | PATCH | Ensure access to /etc/motd is configured"
when: rhel9cis_rule_1_7_4
tags:
- level1-server
@ -69,7 +69,7 @@
group: root
mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
- name: "1.7.5 | PATCH | Ensure access to /etc/issue is configured"
when: rhel9cis_rule_1_7_5
tags:
- level1-server
@ -85,7 +85,7 @@
group: root
mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
- name: "1.7.6 | PATCH | Ensure access to /etc/issue.net is configured"
when: rhel9cis_rule_1_7_6
tags:
- level1-server

4
tasks/section_1/cis_1.8.x.yml
View file

@ -198,7 +198,7 @@
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- gui
- rule_1.8.8
@ -226,7 +226,7 @@
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- gui
- rule_1.8.9

89
tasks/section_2/cis_2.1.x.yml
View file

@ -28,8 +28,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: autofs
enabled: false
state: stopped
enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
@ -60,8 +60,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- avahi-daemon.socket
@ -93,8 +93,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- dhcpd.service
@ -126,11 +126,11 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: named.service
enabled: false
state: stopped
enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
when: rhel9cis_rule_2_1_5
tags:
- level1-server
@ -141,7 +141,7 @@
- NIST800-53R5_CM-7
- rule_2.1.5
block:
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
when:
- not rhel9cis_dnsmasq_server
- not rhel9cis_dnsmasq_mask
@ -149,15 +149,15 @@
name: dnsmasq
state: absent
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
when:
- not rhel9cis_dnsmasq_server
- rhel9cis_dnsmasq_mask
notify: Systemd daemon reload
ansible.builtin.systemd:
name: dnsmasq.service
enabled: false
state: stopped
enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
@ -187,8 +187,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: smb.service
enabled: false
state: stopped
enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
@ -218,8 +218,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: vsftpd.service
enabled: false
state: stopped
enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
@ -252,8 +252,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "dovecot.socket"
@ -288,8 +288,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: nfs-server.service
enabled: false
state: stopped
enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
@ -318,8 +318,8 @@
- rhel9cis_nis_mask
ansible.builtin.systemd:
name: ypserv.service
enabled: false
state: stopped
enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
@ -347,8 +347,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "cups.socket"
@ -381,8 +381,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- rpcbind.service
@ -415,8 +415,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- 'rsyncd.socket'
@ -448,8 +448,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: snmpd.service
enabled: false
state: stopped
enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
@ -479,8 +479,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: telnet.socket
enabled: false
state: stopped
enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
@ -509,8 +509,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- 'tftp.socket'
@ -543,8 +543,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: squid.service
enabled: false
state: stopped
enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
@ -583,8 +583,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: httpd.service
enabled: false
state: stopped
enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
@ -594,8 +594,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: ngnix.service
enabled: false
state: stopped
enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
@ -624,8 +624,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: xinetd.service
enabled: false
state: stopped
enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
@ -633,8 +633,7 @@
- not rhel9cis_xwindow_server
- rhel9cis_rule_2_1_20
tags:
- level1-server
- level1-workstation
- level2-server
- automated
- patch
- xwindow

2
tasks/section_2/cis_2.2.x.yml
View file

@ -64,7 +64,7 @@
name: telnet
state: absent
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
- name: "2.2.5 | PATCH | Ensure tftp client is not installed"
when:
- not rhel9cis_tftp_client
- rhel9cis_rule_2_2_5

2
tasks/section_2/cis_2.4.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server

4
tasks/section_3/cis_3.1.x.yml
View file

@ -105,6 +105,6 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: bluetooth.service
enabled: false
state: stopped
enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true

68
tasks/section_3/cis_3.3.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled"
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_3_1
@ -16,23 +16,23 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
@ -60,7 +60,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
when: rhel9cis_rule_3_3_3
tags:
- level1-server
@ -74,16 +74,16 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored"
when: rhel9cis_rule_3_3_4
tags:
- level1-server
@ -97,7 +97,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
@ -106,7 +106,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_5
tags:
- level1-server
@ -120,27 +120,27 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_6
tags:
- level1-server
@ -154,27 +154,27 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
when: rhel9cis_rule_3_3_7
tags:
- level1-server
@ -188,12 +188,12 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -249,7 +249,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
when: rhel9cis_rule_3_3_10
tags:
- level1-server
@ -263,22 +263,22 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted"
when:
- rhel9cis_ipv6_required
- rhel9cis_rule_3_3_11
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.11
@ -288,11 +288,11 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"

8
tasks/section_4/cis_4.3.x.yml
View file

@ -7,7 +7,11 @@
- rhel9cis_rule_4_3_2
- rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4
tags: always
tags:
- rule_4.3.1
- rule_4.3.2
- rule_4.3.3
- rule_4.3.4
ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
changed_when: true
@ -210,7 +214,7 @@
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip saddr rule | nftables"
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
changed_when: true

18
tasks/section_5/cis_5.1.x.yml
View file

@ -134,7 +134,7 @@
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
when:
- rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
@ -148,7 +148,7 @@
- rule_5.1.6
- NIST800-53R5_SC-6
block:
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
@ -159,7 +159,7 @@
- Update Crypto Policy
- Set Crypto Policy
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
@ -290,7 +290,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when: rhel9cis_rule_5_1_11
tags:
- level1-server
- level2-server
- level1-workstation
- patch
- sshd
@ -360,7 +360,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
when: rhel9cis_rule_5_1_14
tags:
- level1-server
@ -378,7 +378,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
when: rhel9cis_rule_5_1_15
tags:
- level1-server
@ -398,7 +398,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
when: rhel9cis_rule_5_1_16
tags:
- level1-server
@ -438,7 +438,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
- name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
when: rhel9cis_rule_5_1_18
tags:
- level1-server
@ -522,7 +522,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
when: rhel9cis_rule_5_1_22
tags:
- level1-server

2
tasks/section_5/cis_5.3.1.x.yml
View file

@ -39,7 +39,7 @@
ansible.builtin.set_fact:
authselect_update: OK
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
- name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
when:
- rhel9cis_rule_5_3_1_3
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or

2
tasks/section_5/cis_5.3.2.x.yml
View file

@ -65,7 +65,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]"
- name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]'
when:
- rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0

4
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -87,8 +87,8 @@
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when: rhel9cis_rule_5_3_3_1_3
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- automated
- patch
- pam

10
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -67,7 +67,7 @@
- NIST800-53R5_IA-5
- pam
block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
when:
- item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high
@ -81,7 +81,7 @@
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
ansible.builtin.template:
src: "{{ rhel9cis_passwd_minlen_file }}.j2"
dest: "/{{ rhel9cis_passwd_minlen_file }}"
@ -89,7 +89,7 @@
group: root
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@ -101,7 +101,7 @@
- password
- system
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@ -226,7 +226,7 @@
- system
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
when: rhel9cis_rule_5_3_3_2_5
tags:
- level1-server

6
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -15,13 +15,13 @@
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: remember\s*=\s*\d*
line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@ -33,7 +33,7 @@
- password
- system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high

2
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -27,7 +27,7 @@
replace: ''
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"

12
tasks/section_5/cis_5.4.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
when: rhel9cis_rule_5_4_1_1
tags:
- level1-server
@ -14,7 +14,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
@ -27,7 +27,7 @@
check_mode: false
register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
when:
- discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_users | map(attribute='username') | list
@ -40,8 +40,8 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when: rhel9cis_rule_5_4_1_2
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- patch
- password
- rule_5.4.1.2
@ -140,7 +140,7 @@
check_mode: false
register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true

4
tasks/section_5/cis_5.4.2.x.yml
View file

@ -94,7 +94,7 @@
vars:
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
@ -105,7 +105,7 @@
ansible.builtin.debug:
msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
- name: "5.4.2.5 | PATCH | Ensure root path integrity"
when: rhel9cis_rule_5_4_2_5
tags:
- level1-server

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -72,8 +72,8 @@
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
state: "{{ ('systemd-journal-upload' in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('systemd-journal-upload' in ansible_facts.packages) | ternary(false, omit) }}"
masked: true
loop:
- systemd-journal-remote.socket

2
tasks/section_6/cis_6.2.2.x.yml
View file

@ -4,7 +4,7 @@
when: rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- journald
- rule_6.2.2.2

24
tasks/section_6/cis_6.2.3.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed"
- name: "6.2.3.1 | PATCH | Ensure rsyslog is installed"
when:
- "'rsyslog' not in ansible_facts.packages"
- rhel9cis_rule_6_2_3_1
@ -17,7 +17,7 @@
name: rsyslog
state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
- name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
when: rhel9cis_rule_6_2_3_2
tags:
- level1-server
@ -68,7 +68,7 @@
line: '$FileCreateMode 0640'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured"
when: rhel9cis_rule_6_2_3_5
tags:
- level1-server
@ -93,7 +93,7 @@
- "These are the current logging configurations for rsyslog, please review:"
- "{{ discovered_configured_rsyslog.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@ -107,7 +107,7 @@
insertafter: '# Log all the mail messages in one place.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | news.crit log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@ -120,7 +120,7 @@
insertafter: '# Save news errors of level crit and higher in a special file.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Misc. log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@ -134,7 +134,7 @@
insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Local log settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@ -149,7 +149,7 @@
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Auth Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@ -160,7 +160,7 @@
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Cron Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@ -208,7 +208,7 @@
- NIST800-53R5_AU-12
- NIST800-53R5_CM-6
block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not log host"
when: not rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When log host"
when: rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
@ -254,7 +254,7 @@
state: started
enabled: true
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
- name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | set rsyslog conf"
ansible.builtin.template:
src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log

6
tasks/section_6/cis_6.3.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed"
when: rhel9cis_rule_6_3_1_1
tags:
- level2-server
@ -13,13 +13,13 @@
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package:
name: audit
state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package:
name: audit-libs

24
tasks/section_6/cis_6.3.3.x.yml
View file

@ -67,7 +67,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
when: rhel9cis_rule_6_3_3_6
tags:
- level2-server
@ -77,14 +77,14 @@
- rule_6.3.3.6
- NIST800-53R5_AU-3
block:
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
register: discovered_priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.set_fact:
update_audit_template: true
notify: update auditd
@ -197,11 +197,11 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are collected"
when: rhel9cis_rule_6_3_3_15
tags:
- level2-server
- level2- workstation
- level2-workstation
- patch
- auditd
- rule_6.3.3.15
@ -212,7 +212,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are collected"
when: rhel9cis_rule_6_3_3_16
tags:
- level2-server
@ -227,7 +227,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are collected"
when: rhel9cis_rule_6_3_3_17
tags:
- level2-server
@ -242,7 +242,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are collected"
when: rhel9cis_rule_6_3_3_18
tags:
- level2-server
@ -257,7 +257,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
when: rhel9cis_rule_6_3_3_19
tags:
- level2-server
@ -295,9 +295,9 @@
- auditd
- rule_6.3.3.21
- NIST800-53R5_AU-3
ansible.builtin.debug:
msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active"
ansible.builtin.command: augenrules --check
changed_when: false
register: discovered_augenrules_check
- name: Auditd | 6.3.3.x | Auditd controls updated
when: update_audit_template

49
tasks/section_7/cis_7.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
when:
- rhel9cis_rule_7_1_1
when: rhel9cis_rule_7_1_1
tags:
- level1-server
- level1-workstation
@ -18,8 +17,7 @@
mode: 'u-x,go-wx'
- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
when:
- rhel9cis_rule_7_1_2
when: rhel9cis_rule_7_1_2
tags:
- level1-server
- level1-workstation
@ -35,8 +33,7 @@
mode: 'u-x,go-wx'
- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
when:
- rhel9cis_rule_7_1_3
when: rhel9cis_rule_7_1_3
tags:
- level1-server
- level1-workstation
@ -52,8 +49,7 @@
mode: 'u-x,go-wx'
- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
when:
- rhel9cis_rule_7_1_4
when: rhel9cis_rule_7_1_4
tags:
- level1-server
- level1-workstation
@ -69,8 +65,7 @@
mode: 'u-x,go-wx'
- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
when:
- rhel9cis_rule_7_1_5
when: rhel9cis_rule_7_1_5
tags:
- level1-server
- level1-workstation
@ -86,8 +81,7 @@
mode: 'ugo-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when:
- rhel9cis_rule_7_1_6
when: rhel9cis_rule_7_1_6
tags:
- level1-server
- level1-workstation
@ -103,8 +97,7 @@
mode: 'ugo-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when:
- rhel9cis_rule_7_1_7
when: rhel9cis_rule_7_1_7
tags:
- level1-server
- level1-workstation
@ -120,8 +113,7 @@
mode: 'ugo-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when:
- rhel9cis_rule_7_1_8
when: rhel9cis_rule_7_1_8
tags:
- level1-server
- level1-workstation
@ -137,8 +129,7 @@
mode: 'ugo-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when:
- rhel9cis_rule_7_1_9
when: rhel9cis_rule_7_1_9
tags:
- level1-server
- level1-workstation
@ -154,8 +145,7 @@
mode: 'u-x,go-wx'
- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
when:
- rhel9cis_rule_7_1_10
when: rhel9cis_rule_7_1_10
tags:
- level1-server
- level1-workstation
@ -173,8 +163,7 @@
register: discovered_file_exists
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when:
- rhel9cis_rule_7_1_11
when: rhel9cis_rule_7_1_11
tags:
- level1-server
- level1-workstation
@ -191,7 +180,7 @@
changed_when: false
register: discovered_world_writable
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
when:
- discovered_world_writable.stdout_lines is defined
- discovered_world_writable.stdout_lines | length > 0
@ -202,15 +191,14 @@
state: touch
loop: "{{ discovered_world_writable.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
changed_when: discovered_set_stickybit.rc == 0
register: discovered_set_stickybit
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when:
- rhel9cis_rule_7_1_12
when: rhel9cis_rule_7_1_12
tags:
- level1-server
- level1-workstation
@ -223,7 +211,7 @@
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
ansible.builtin.command: "find {{ item.mount }} -xdev {{ rhel9cis_exclude_unowned_search_path }} \\( -nouser -o -nogroup \\) -not -fstype nfs"
changed_when: false
failed_when: false
check_mode: false
@ -266,8 +254,7 @@
file: warning_facts.yml
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
when:
- rhel9cis_rule_7_1_13
when: rhel9cis_rule_7_1_13
tags:
- level1-server
- level1-workstation
@ -285,7 +272,7 @@
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 -o -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
@ -309,7 +296,7 @@
- "The files are listed below, please confirm the integrity of these binaries"
- "{{ discovered_suid_sgid_files_flatten }}"
- name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
- name: "7.1.13 | PATCH | Ensure SUID and SGID files are reviewed | Remove SUID bit"
when:
- rhel9cis_suid_sgid_adjust
- discovered_suid_sgid_files_flatten | length > 0

0
templates/audit/98_auditd_exception.rules.j2 → templates/etc/audit/rules.d/98_auditd_exception.rules.j2
View file

0
templates/audit/99_auditd.rules.j2 → templates/etc/audit/rules.d/99_auditd.rules.j2
View file

6
vars/main.yml
View file

@ -1,6 +1,10 @@
---
# vars file for RHEL9-CIS
# Set default value for reboot value
change_requires_reboot: false
min_ansible_version: 2.10.1
rhel9cis_allowed_crypto_policies:
- 'DEFAULT'
@ -24,8 +28,6 @@ rhel9cis_allowed_crypto_policies_modules:
- 'NO-SSHWEAKMAC'
- 'NO-WEAKMAC'
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
# Used to control warning summary
warn_control_list: ""
warn_count: 0