Merge pull request #19 from ansible-lockdown/workflow_update

updated workflows
This commit is contained in:
uk-bolly 2022-09-13 16:05:49 +01:00 committed by GitHub
commit ceb65435c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 74 additions and 823 deletions


@ -1,11 +1,53 @@
resource "aws_vpc" "Main" {
cidr_block = var.main_vpc_cidr
tags = var.instance_tags
cidr_block = var.main_vpc_cidr
instance_tenancy = "default"
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-VPC"
}
}
resource "aws_internet_gateway" "IGW" {
vpc_id = aws_vpc.Main.id
tags = {
Name = "${var.namespace}-IGW"
Environment = "${var.environment}"
Name = "${var.namespace}-IGW"
}
}
resource "aws_subnet" "publicsubnets" {
vpc_id = aws_vpc.Main.id
cidr_block = var.public_subnets
availability_zone = var.availability_zone
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-pubsub"
}
}
resource "aws_subnet" "Main" {
vpc_id = aws_vpc.Main.id
cidr_block = var.private_subnets
availability_zone = var.availability_zone
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-prvsub"
}
}
resource "aws_route_table" "PublicRT" {
vpc_id = aws_vpc.Main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.IGW.id
}
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-publicRT"
}
}
resource "aws_route_table_association" "rt_associate_public" {
subnet_id = aws_subnet.Main.id
route_table_id = aws_route_table.PublicRT.id
}
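Review bot: The route-table association at the end of the hunk attaches PublicRT (whose only route is 0.0.0.0/0 via the IGW) to `aws_subnet.Main`, which is carved from `var.private_subnets`, while `aws_subnet.publicsubnets` gets no association and therefore falls back to the VPC's main route table with no internet route — the names and the actual routing are inverted. If the benchmark host is meant to live in a public subnet, point the association at it, `subnet_id = aws_subnet.publicsubnets.id`, and place the instance there; otherwise drop the IGW route from the subnet labelled private so that "private" means what a reader would expect. The VPC block also leaves `enable_dns_hostnames` at its default (false), so instances will not receive public DNS names even with a public IP; add `enable_dns_hostnames = true` if anything downstream relies on hostnames rather than addresses.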


@ -3,7 +3,8 @@
// Declared in variables.tf
//
namespace = "github_actions"
namespace = "github_actions"
environment = "lockdown_github_repo_workflow"
// Matching pair name found in AWS for keypairs PEM key
ami_key_pair_name = "github_actions"


@ -73,7 +73,7 @@ jobs:
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
## Debug Section
- name: DEBUG - Show Ansible hostfile
@ -117,4 +117,4 @@ jobs:
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
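Review bot: Both the apply and the destroy step authenticate with the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets, which every workflow in this repository can read; GitHub's OIDC federation (`permissions: id-token: write` plus `aws-actions/configure-aws-credentials` with `role-to-assume`) would replace them with short-lived credentials scoped to this repo and branch. The `if:` condition of the destroy step is outside the hunk; unless it is `if: always()`, a failed apply or a failed benchmark run leaves an instance with a world-reachable SSH port running in the account until someone notices. Terraform gives later `-var-file` arguments precedence, so after this swap OS.tfvars overrides any key that github_vars.tfvars also sets — a one-line comment on the step, `# OS.tfvars last so per-OS values win over the shared github_vars defaults`, would stop the next person from "fixing" the order back. The enclosing job extends beyond the hunk on both sides.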


@ -5,9 +5,6 @@ provider "aws" {
// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
data "aws_vpc" "default" {
default = true
}
resource "random_id" "server" {
keepers = {
@ -19,8 +16,8 @@ resource "random_id" "server" {
}
resource "aws_security_group" "github_actions" {
name = "${var.namespace}-${random_id.server.hex}"
vpc_id = data.aws_vpc.default.id
name = "${var.namespace}-${random_id.server.hex}-SG"
vpc_id = aws_vpc.Main.id
ingress {
from_port = 22
@ -43,7 +40,8 @@ resource "aws_security_group" "github_actions" {
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.namespace}-SG"
Environment = "${var.environment}"
Name = "${var.namespace}-SG"
}
}
@ -51,11 +49,13 @@ resource "aws_security_group" "github_actions" {
resource "aws_instance" "testing_vm" {
ami = var.ami_id
availability_zone = var.availability_zone
associate_public_ip_address = true
key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
instance_type = var.instance_type
tags = var.instance_tags
vpc_security_group_ids = [aws_security_group.github_actions.id]
subnet_id = aws_subnet.Main.id
root_block_device {
delete_on_termination = true
}
@ -80,3 +80,4 @@ resource "local_file" "inventory" {
audit_git_version: devel
EOF
}
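Review bot: The new `associate_public_ip_address = true` on `testing_vm`, combined with the security group's `cidr_blocks = ["0.0.0.0/0"]` ingress visible earlier in the section, puts the benchmark host's SSH port on the public internet for the whole run; the only legitimate client is the GitHub runner, so restrict the ingress CIDR to the runner's egress address (look it up at job start and pass it in as a variable) instead of the whole internet. The instance resource sets no `metadata_options`, so IMDSv1 remains enabled — the state file removed in this same commit records `http_tokens: optional` for this instance — and `metadata_options { http_tokens = "required" }` should be added to the resource. Inside the `root_block_device` block, `encrypted = true` costs nothing for a throwaway volume and avoids an unencrypted EBS volume in the account (the removed state shows `encrypted: false`). Both the `aws_security_group` and `aws_instance` resources continue outside the hunk.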


@ -1,8 +0,0 @@
{
"version": 4,
"terraform_version": "1.2.2",
"serial": 15,
"lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e",
"outputs": {},
"resources": []
}


@ -1,370 +0,0 @@
{
"version": 4,
"terraform_version": "1.2.2",
"serial": 7,
"lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_vpc",
"name": "default",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-05ef27c517862c3b1",
"cidr_block": "172.31.0.0/16",
"cidr_block_associations": [
{
"association_id": "vpc-cidr-assoc-0a0f361027d9f91f3",
"cidr_block": "172.31.0.0/16",
"state": "associated"
}
],
"default": true,
"dhcp_options_id": "dopt-c5dfccbe",
"enable_dns_hostnames": true,
"enable_dns_support": true,
"filter": null,
"id": "vpc-05ef27c517862c3b1",
"instance_tenancy": "default",
"ipv6_association_id": "",
"ipv6_cidr_block": "",
"main_route_table_id": "rtb-0a40eb856c7d79f1d",
"owner_id": "817651307868",
"state": null,
"tags": {
"Name": "Default VPC"
}
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_instance",
"name": "testing_vm",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"ami": "ami-0c41531b8d18cc72b",
"arn": "arn:aws:ec2:us-east-1:817651307868:instance/i-0d997714170ce8898",
"associate_public_ip_address": true,
"availability_zone": "us-east-1a",
"capacity_reservation_specification": [
{
"capacity_reservation_preference": "open",
"capacity_reservation_target": []
}
],
"cpu_core_count": 1,
"cpu_threads_per_core": 2,
"credit_specification": [
{
"cpu_credits": "unlimited"
}
],
"disable_api_termination": false,
"ebs_block_device": [],
"ebs_optimized": false,
"enclave_options": [
{
"enabled": false
}
],
"ephemeral_block_device": [],
"get_password_data": false,
"hibernation": false,
"host_id": null,
"iam_instance_profile": "",
"id": "i-0d997714170ce8898",
"instance_initiated_shutdown_behavior": "stop",
"instance_state": "running",
"instance_type": "t3.micro",
"ipv6_address_count": 0,
"ipv6_addresses": [],
"key_name": "github_actions",
"launch_template": [],
"maintenance_options": [
{
"auto_recovery": "default"
}
],
"metadata_options": [
{
"http_endpoint": "enabled",
"http_put_response_hop_limit": 1,
"http_tokens": "optional",
"instance_metadata_tags": "disabled"
}
],
"monitoring": false,
"network_interface": [],
"outpost_arn": "",
"password_data": "",
"placement_group": "",
"placement_partition_number": null,
"primary_network_interface_id": "eni-0417127dc77918518",
"private_dns": "ip-172-31-8-170.ec2.internal",
"private_ip": "172.31.8.170",
"public_dns": "ec2-3-238-53-150.compute-1.amazonaws.com",
"public_ip": "3.238.53.150",
"root_block_device": [
{
"delete_on_termination": true,
"device_name": "/dev/sda1",
"encrypted": false,
"iops": 100,
"kms_key_id": "",
"tags": null,
"throughput": 0,
"volume_id": "vol-0392840b878024a68",
"volume_size": 10,
"volume_type": "gp2"
}
],
"secondary_private_ips": [],
"security_groups": [
"github_actions-5eb7d7f8d9c46a1c"
],
"source_dest_check": true,
"subnet_id": "subnet-0ad8888b9fd53204f",
"tags": {
"Environment": "lockdown_github_repo_workflow",
"Name": "RHEL9-CIS"
},
"tags_all": {
"Environment": "lockdown_github_repo_workflow",
"Name": "RHEL9-CIS"
},
"tenancy": "default",
"timeouts": null,
"user_data": null,
"user_data_base64": null,
"user_data_replace_on_change": false,
"volume_tags": null,
"vpc_security_group_ids": [
"sg-054e3f94c98fc64f2"
]
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMCwidXBkYXRlIjo2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"aws_security_group.github_actions",
"data.aws_vpc.default",
"random_id.server"
]
}
]
},
{
"mode": "managed",
"type": "aws_internet_gateway",
"name": "IGW",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:us-east-1:817651307868:internet-gateway/igw-0ef39abda6f14481d",
"id": "igw-0ef39abda6f14481d",
"owner_id": "817651307868",
"tags": {
"Name": "github_actions-IGW"
},
"tags_all": {
"Name": "github_actions-IGW"
},
"vpc_id": "vpc-068452c798d98b17f"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_vpc.Main"
]
}
]
},
{
"mode": "managed",
"type": "aws_security_group",
"name": "github_actions",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:us-east-1:817651307868:security-group/sg-054e3f94c98fc64f2",
"description": "Managed by Terraform",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"id": "sg-054e3f94c98fc64f2",
"ingress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 22,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 22
},
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 80,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 80
}
],
"name": "github_actions-5eb7d7f8d9c46a1c",
"name_prefix": "",
"owner_id": "817651307868",
"revoke_rules_on_delete": false,
"tags": {
"Name": "github_actions-SG"
},
"tags_all": {
"Name": "github_actions-SG"
},
"timeouts": null,
"vpc_id": "vpc-05ef27c517862c3b1"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=",
"dependencies": [
"data.aws_vpc.default",
"random_id.server"
]
}
]
},
{
"mode": "managed",
"type": "aws_vpc",
"name": "Main",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-068452c798d98b17f",
"assign_generated_ipv6_cidr_block": false,
"cidr_block": "172.22.0.0/24",
"default_network_acl_id": "acl-08a831aefd0ff6f65",
"default_route_table_id": "rtb-09ae50e860e80fb1f",
"default_security_group_id": "sg-01ff3ec71f0cd3115",
"dhcp_options_id": "dopt-c5dfccbe",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": false,
"enable_dns_support": true,
"id": "vpc-068452c798d98b17f",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "",
"ipv6_cidr_block": "",
"ipv6_cidr_block_network_border_group": "",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-09ae50e860e80fb1f",
"owner_id": "817651307868",
"tags": {
"Environment": "lockdown_github_repo_workflow",
"Name": "RHEL9-CIS"
},
"tags_all": {
"Environment": "lockdown_github_repo_workflow",
"Name": "RHEL9-CIS"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="
}
]
},
{
"mode": "managed",
"type": "local_file",
"name": "inventory",
"provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"content": " # benchmark host\n all:\n hosts:\n rhel9:\n ansible_host: 3.238.53.150\n ansible_user: ec2-user\n vars:\n setup_audit: true\n run_audit: true\n system_is_ec2: true\n audit_git_version: devel\n",
"content_base64": null,
"directory_permission": "0755",
"file_permission": "0644",
"filename": "./hosts.yml",
"id": "697bfe9ff397a4b5e3f46caf3c48481a3d485375",
"sensitive_content": null,
"source": null
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_instance.testing_vm",
"aws_security_group.github_actions",
"data.aws_vpc.default",
"random_id.server"
]
}
]
},
{
"mode": "managed",
"type": "random_id",
"name": "server",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"b64_std": "XrfX+NnEahw=",
"b64_url": "XrfX-NnEahw",
"byte_length": 8,
"dec": "6825161224108665372",
"hex": "5eb7d7f8d9c46a1c",
"id": "XrfX-NnEahw",
"keepers": {
"ami_id": "ami-0c41531b8d18cc72b"
},
"prefix": null
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
}
]
}


@ -1,5 +1,6 @@
// vars should be loaded by OSname.tfvars
aws_region = "us-east-1"
ami_os = var.ami_os
ami_username = var.ami_username
instance_tags = var.instance_tags
availability_zone = "us-east-1b"
aws_region = "us-east-1"
ami_os = var.ami_os
ami_username = var.ami_username
instance_tags = var.instance_tags


@ -6,6 +6,12 @@ variable "aws_region" {
type = string
}
variable "availability_zone" {
description = "List of availability zone in the region"
default = "us-east-1b"
type = string
}
variable "instance_type" {
description = "EC2 Instance Type"
default = "t3.micro"
@ -52,6 +58,11 @@ variable "namespace" {
type = string
}
variable "environment" {
description = "Env Name used across all tags"
type = string
}
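Review bot: The description of the new `availability_zone` variable reads "List of availability zone in the region", but the variable is `type = string` with a single-zone default, so the description misstates its shape; change it to `description = "Single availability zone in which the subnets and the test instance are created"`. The new `environment` variable has no default, so every plan must supply it (github_vars.tfvars does in this commit) — saying so in its description, e.g. `description = "Environment name applied to all resource tags; must be supplied via a tfvars file"`, gives a local run a clear failure instead of an interactive prompt. Both variable blocks are complete within the hunk; the surrounding file is not.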
// taken from github_vars.tfvars &
variable "main_vpc_cidr" {


@ -10,6 +10,8 @@
- added more to logrotate 4.3.x - sure to logrotate now a seperate package
- grub path now standard to /boot/grub2/grub.cfg
- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
- workflow update
- removed doc update
## 0.1


@ -1,429 +0,0 @@
## metadata for Audit benchmark
benchmark_version: '1.0.1'
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %}
rhel9cis_os_distribution: {{ ansible_distribution | lower }}
# timeout for each command to run where set - default = 10seconds/10000ms
timeout_ms: {{ audit_cmd_timeout }}
# Taken from LE rhel8-cis
rhel9cis_section1: {{ rhel9cis_section1 }}
rhel9cis_section2: {{ rhel9cis_section2 }}
rhel9cis_section3: {{ rhel9cis_section3 }}
rhel9cis_section4: {{ rhel9cis_section4 }}
rhel9cis_section5: {{ rhel9cis_section5 }}
rhel9cis_section6: {{ rhel9cis_section6 }}
rhel9cis_level_1: {{ rhel9cis_level_1 }}
rhel9cis_level_2: {{ rhel9cis_level_2 }}
rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
run_heavy_tests: true
{% if rhel9cis_legacy_boot is defined %}
rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
{% endif %}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 rules
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }}
rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }}
rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }}
rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }}
rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }}
rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }}
rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }}
rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }}
rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }}
rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }}
rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }}
rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }}
rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }}
rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }}
rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }}
rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }}
rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }}
rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }}
rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }}
rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }}
rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }}
rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed
rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }}
rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }}
rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }}
rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }}
rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }}
rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }}
rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }}
rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }}
rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }}
rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }}
rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
# section 2 rules
rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }}
rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }}
rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }}
rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }}
rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }}
rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }}
rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }}
rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }}
rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }}
rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }}
rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }}
rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }}
rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
# Section 3 rules
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }}
rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }}
rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }}
rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }}
rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }}
rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }}
rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }}
rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }}
rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }}
rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }}
# Section 4 rules
rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }}
rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }}
rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }}
rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }}
rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }}
rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }}
rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }}
rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }}
rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }}
rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }}
rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }}
rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }}
rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }}
rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }}
rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }}
rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }}
rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }}
rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }}
rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }}
rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }}
rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }}
rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }}
rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }}
rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }}
rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }}
rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }}
rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }}
rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }}
rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
# Section 5
rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }}
rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }}
rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }}
rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }}
rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }}
rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }}
rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }}
rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }}
rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }}
rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }}
rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }}
rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }}
rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }}
rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }}
rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }}
rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }}
rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }}
rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }}
rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }}
rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }}
rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }}
rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }}
rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }}
rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }}
rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }}
rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }}
rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }}
rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }}
rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }}
rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }}
rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }}
rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }}
rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }}
rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }}
rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }}
rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }}
rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }}
# Section 6
rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }}
rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }}
rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }}
rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }}
rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }}
rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }}
rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }}
rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }}
rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }}
rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }}
rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }}
rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }}
rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }}
rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }}
rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }}
rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }}
rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }}
rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }}
rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }}
rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }}
rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }}
rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }}
rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }}
rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }}
rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }}
rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }}
rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }}
rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }}
rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }}
rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }}
rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
# Service configuration booleans set true to keep service
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }}
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
rhel9cis_rsync_server: {{ rhel9cis_rsync_server }}
rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
# client services
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
# AIDE
rhel9cis_config_aide: {{ rhel9cis_config_aide }}
# aide setup via - cron, timer
rhel9_aide_scan: cron
# AIDE cron settings
rhel9cis_aide_cron:
cron_user: {{ rhel9cis_aide_cron.cron_user }}
cron_file: '{{ rhel9cis_aide_cron.cron_file }}'
aide_job: ' {{ rhel9cis_aide_cron.aide_job }}'
aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}'
aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}'
aide_day: '{{ rhel9cis_aide_cron.aide_day }}'
aide_month: '{{ rhel9cis_aide_cron.aide_month }}'
aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}'
# 1.5.1 Bootloader password
rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# 1.10 crypto
rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
# End Banner
# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: {{ rhel9cis_gui }}
# xinetd required
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
# IPv6 required
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
# System network parameters (host only OR host and router)
rhel9cis_is_router: {{ rhel9cis_is_router }}
rhel9cis_firewall: {{ rhel9cis_firewall }}
#rhel9cis_firewall: iptables
rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }}
rhel9cis_firewall_interface:
- enp0s3
- enp0s8
rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
### Section 4
## auditd settings
rhel9cis_auditd:
space_left_action: {{ rhel9cis_auditd.space_left_action}}
action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }}
admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }}
max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }}
auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }}
## syslog
rhel9_cis_rsyslog: true
### Section 5
rhel9cis_sshd_limited: false
#Note the following to understand precedence and layout
rhel9cis_sshd_access:
AllowUser:
AllowGroup:
DenyUser:
DenyGroup:
rhel9cis_ssh_aliveinterval: "300"
rhel9cis_ssh_countmax: "3"
rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}
## PAM
rhel9cis_pam_password:
minlen: {{ rhel9cis_pam_password.minlen }}
minclass: {{ rhel9cis_pam_password.minclass }}
rhel9cis_pam_passwd_retry: "3"
# faillock or tally2
rhel9cis_accountlock: faillock
## note this is to skip tests
skip_rhel9cis_pam_passwd_auth: true
skip_rhel9cis_pam_system_auth: true
# choose one of below
rhel9cis_pwhistory_so: "14"
rhel9cis_unix_so: false
rhel9cis_passwd_remember: "5"
# logins.def password settings
rhel9cis_pass:
max_days: {{ rhel9cis_pass.max_days }}
min_days: {{ rhel9cis_pass.min_days }}
warn_age: {{ rhel9cis_pass.warn_age }}
# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example
rhel9cis_authselect:
custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }}
options: {{ rhel9cis_authselect.options }}
# 5.3.1 Enable automation to creat custom profile settings, using the setings above
rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
# 5.3.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }}
# 5.7
rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }}
rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}