Revert "Merge 'devel' of kris9854/RHEL9-CIS-fix into devel"

This reverts commit d4471a3016, reversing
changes made to d6ca36a91f.
Kristian 2022-09-26 19:10:53 +02:00
parent 66d8fb8b32
commit da0734c3a8
65 changed files with 461 additions and 801 deletions


@ -7,14 +7,14 @@
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
create: yes
mode: 0600
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
modprobe:
name: cramfs
state: absent
when: not system_is_container
when: ansible_connection != 'docker'
when:
- rhel9cis_rule_1_1_1_1
tags:
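Review bot: The `when: ansible_connection != 'docker'` guard on the modprobe task only recognises a container when the target is reached through the docker connection plugin, so a container managed over ssh would still run modprobe and presumably fail there; the same guard appears in the squashfs and udf hunks below. If `system_is_container` is no longer set anywhere after this revert, a guard on a gathered fact such as `ansible_virtualization_type` would cover those cases more reliably than the connection name. The restored `create: yes` is a YAML 1.1 truthy spelling that ansible-lint's `truthy` rule flags; `true` is the portable form. The enclosing task list starts before the hunk.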
@ -32,14 +32,14 @@
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
create: yes
mode: 0600
- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
modprobe:
name: squashfs
state: absent
when: not system_is_container
when: ansible_connection != 'docker'
when:
- rhel9cis_rule_1_1_1_2
tags:
@ -57,14 +57,14 @@
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
create: yes
mode: 0600
- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
modprobe:
name: udf
state: absent
when: not system_is_container
when: ansible_connection != 'docker'
when:
- rhel9cis_rule_1_1_1_3
tags:


@ -1,30 +1,11 @@
---
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition"
block:
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent"
debug:
msg: "Warning!! /tmp is not mounted on a separate partition"
when:
- required_mount not in mount_names
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/tmp'
debug:
msg: "Warning! /tmp is not mounted on a separate partition"
when:
- rhel9cis_rule_1_1_2_1
- ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
tags:
- level1-server
- level1-workstation
@ -87,6 +68,7 @@
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.2.1
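Review bot: The 1.1.2.1 task in the first hunk only prints the warning with `debug` and has no `register`/`changed_when`, so a missing /tmp partition leaves no trace in the play recap, unlike the /var, /var/tmp and /var/log hunks in this commit that pair the debug with `register:` and `changed_when: <var>.skipped is undefined`. Adding `changed_when: true` to the task (it already only runs when /tmp is absent, per its `when:` list) would make the finding visible in the summary. The `ansible_mounts | selectattr('mount', 'match', '^/tmp$')` condition is a sound fact-based check and avoids the shell pipelines used elsewhere in this commit.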


@ -4,19 +4,12 @@
block:
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_mount_absent
changed_when: var_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -45,7 +38,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
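Review bot: The Jinja-built `opts:` line in the second hunk yields a trailing comma (for example `defaults,nodev,noexec,`) whenever a later rule variable is false while an earlier one is true, because every option except the last appends its own comma; the same construction is in the /var/tmp, /var/log and /dev/shm hunks of this commit. Whether mount(8) and the `mount` module tolerate the empty option is version-dependent, so it is safer to assemble a list and join it: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_3_2 else []) + (['noexec'] if rhel9cis_rule_1_1_3_3 else []) + (['nosuid'] if rhel9cis_rule_1_1_3_4 else [])) | join(',') }}"`. The enclosing `mount` task starts and ends outside the hunk.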


@ -5,19 +5,12 @@
block:
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_tmp_mount_absent
changed_when: var_tmp_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -46,7 +39,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:


@ -4,19 +4,11 @@
block:
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_mount_absent
changed_when: var_log_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -45,7 +37,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:


@ -4,19 +4,11 @@
block:
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_audit_mount_absent
changed_when: var_log_audit_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."


@ -4,19 +4,11 @@
block:
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
register: home_mount_absent
changed_when: home_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."


@ -13,7 +13,7 @@
shell: mount -l | grep -E '\s/dev/shm\s'
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_1_1_8_x_dev_shm_status
- name: |
@ -25,7 +25,7 @@
src: tmpfs
fstype: tmpfs
state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout"
notify: change_requires_reboot
when:
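Review bot: The `shell: mount -l | grep -E '\s/dev/shm\s'` task and the substring test `'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout` re-derive something the gathered facts already hold; the 1.1.2.1 hunk in this same commit uses `ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0`, and the same filter with `'^/dev/shm$'` and `> 0` would replace the pipeline together with its `failed_when: false`/`check_mode: no` bookkeeping. `check_mode: no` is also a YAML 1.1 truthy spelling that ansible-lint flags. Note that when /dev/shm is not currently mounted the `state: mounted` task is skipped by its `when:`, so the noexec/nodev/nosuid options are never applied in that case; if that is intentional it deserves a comment. The enclosing block continues outside the hunk.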


@ -3,7 +3,7 @@
- name: "1.1.9 | PATCH | Disable Automounting"
service:
name: autofs
enabled: false
enabled: no
when:
- not rhel9cis_allow_autofs
- "'autofs' in ansible_facts.packages"
@ -24,7 +24,7 @@
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
create: yes
owner: root
group: root
mode: 0600
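Review bot: The 1.1.9 `service` task in the first hunk only sets `enabled: no`, so an autofs instance that is already running keeps serving automounts until the next reboot; adding `state: stopped` next to `enabled: no` makes the control effective immediately. `enabled: no` and the second hunk's `create: yes` are YAML 1.1 truthy spellings that ansible-lint flags; `false`/`true` are the portable forms. The `lineinfile` task in the second hunk continues outside the hunk.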


@ -20,38 +20,12 @@
- skip_ansible_lint # Added as no_log still errors on ansuible-lint
- name: "1.2.2 | AUDIT | Ensure GPG keys are configured"
block:
- name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false
failed_when: false
register: os_installed_pub_keys
- name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys"
shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\""
changed_when: false
failed_when: false
register: os_gpg_key_check
when: os_installed_pub_keys.rc == 0
- name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass"
debug:
msg: "Congratulations !! - The installed gpg keys match expected values"
when:
- os_installed_pub_keys.rc == 0
- os_gpg_key_check.rc == 0
- name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail"
fail:
msg: Installed GPG Keys do not meet expected values or keys installed that are not expected
when:
- os_installed_pub_keys.rc == 1 or
os_gpg_key_check.rc == 1
shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\""
changed_when: false
when:
- rhel9cis_rule_1_2_2
- ansible_distribution == "RedHat" or
ansible_distribution == "Rocky" or
ansible_distribution == "AlmaLinux"
ansible_distribution == "Rocky"
tags:
- level1-server
- level1-workstation
@ -71,7 +45,7 @@
- name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
replace:
name: "{{ item.path }}"
regexp: "^gpgcheck=0"
regexp: '^gpgcheck\s+=\s+0'
replace: "gpgcheck=1"
with_items:
- "{{ yum_repos.files }}"
@ -93,20 +67,15 @@
changed_when: false
failed_when: false
register: dnf_configured
check_mode: false
check_mode: no
args:
warn: false
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
debug:
msg:
- "Warning!! Below are the configured repos. Please review and make sure all align with site policy"
- "Warning! Below are the configured repos. Please review and make sure all align with site policy"
- "{{ dnf_configured.stdout_lines }}"
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
set_fact:
control_number: "{{ control_number }} + ['rule_1.2.4']"
warn_count: "{{ warn_count | int + 1 }}"
when:
- rhel9cis_rule_1_2_4
tags:
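Review bot: The restored 1.2.2 `shell:` task in the first hunk has no `failed_when`, `register` or message, so a missing `{{ rpm_gpg_key }}` file (`rpm -qf` exits non-zero) or a non-matching `grep` aborts the play with the raw command error, a harsher outcome than the `fail:` with an explanatory `msg:` in the block it replaces; for an AUDIT control, registering the result and reporting it through `debug`/`fail` with a clear message would match the other audit tasks in this commit. Dropping `ansible_distribution == "AlmaLinux"` from the `when:` means the control is silently skipped on AlmaLinux, if that distribution is still supported elsewhere in the role. In the second hunk, whichever `gpgcheck` regexp survives matches only one spacing style (`^gpgcheck=0` misses `gpgcheck = 0`, `^gpgcheck\s+=\s+0` misses `gpgcheck=0`); `regexp: '^gpgcheck\s*=\s*0'` covers both. The third hunk's `args: warn: false` uses a `command`/`shell` option that was deprecated and, as far as I know, removed in later ansible-core releases, so newer controllers would reject the task as an unsupported parameter.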


@ -58,7 +58,7 @@
path: /etc/systemd/system/rescue.service.d/00-require-auth.conf
regexp: '^ExecStart='
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
create: true
create: yes
owner: root
group: root
mode: 0644


@ -32,13 +32,10 @@
- rule_1.5.2
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
block:
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
set_fact:
sysctl_update: true
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
notify:
- update sysctl
when:
- rhel9cis_rule_1_5_3
tags:
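Review bot: The 1.5.3 block now contains only a `debug` task, and `debug` never reports `changed`, so the block-level `notify: - update sysctl` will not fire and the handler that writes /etc/sysctl.d/60-kernel_sysctl.conf is not triggered by this control; unless another changed task notifies the same handler, ASLR is only announced, not set. Either make the task report a change (`changed_when: true` on the debug) or set the parameter directly with a `sysctl` task (`name: kernel.randomize_va_space`, `value: '2'`, `sysctl_file: /etc/sysctl.d/60-kernel_sysctl.conf`) and let that task notify the handler. The removed `set_fact: sysctl_update: true` may have been what drove the handler in the reverted version, which is worth checking before this revert lands.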


@ -16,10 +16,10 @@
- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
replace:
dest: /etc/default/grub
regexp: 'selinux=0'
regexp: '(selinux|enforcing)\s*=(\s0|0).*'
replace: ''
register: selinux_grub_patch
ignore_errors: true # noqa ignore-errors
ignore_errors: yes
notify: grub2cfg
when:
- rhel9cis_rule_1_6_1_2
@ -78,13 +78,7 @@
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
debug:
msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"
when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]"
warn_count: "{{ warn_count | int + 1 }}"
msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"
when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
when:
- rhel9cis_rule_1_6_1_5
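Review bot: Whichever `regexp:` survives in the 1.6.1.2 `replace` task, the form `'(selinux|enforcing)\s*=(\s0|0).*'` with `replace: ''` is dangerous on /etc/default/grub: the trailing `.*` deletes everything after the match to the end of the line, so a value such as `GRUB_CMDLINE_LINUX="... selinux=0 crashkernel=auto"` loses `crashkernel=auto` and its closing quote, whereas the plain `'selinux=0'` form removes only that token and misses `enforcing=0`. A bounded pattern such as `regexp: '\s*\b(selinux|enforcing)=0\b'` with `replace: ''` removes just the offending parameters. `ignore_errors: yes` additionally hides a failure of this edit while `notify: grub2cfg` only fires on change, so a failed or partial rewrite of /etc/default/grub would go unreported; `yes` is also a YAML 1.1 truthy spelling that ansible-lint flags.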


@ -21,7 +21,7 @@
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
create: true
create: yes
owner: root
group: root
mode: 0644
@ -50,7 +50,7 @@
path: "{{ item.file }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
create: true
create: yes
owner: root
group: root
mode: 0644
@ -93,10 +93,7 @@
path: /etc/dconf/db/local.d/00-media-automount
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
create: true
owner: root
group: root
mode: 0644
create: yes
notify: reload dconf
with_items:
- { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }