ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

quoted file mode

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-09-21 16:25:59 +01:00
parent 35dfa8770a
commit e82b2cefac
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
20 changed files with 63 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tasks/LE_audit_setup.yml
View file

@ -19,7 +19,7 @@
owner: root
group: root
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: 0555
mode: '0555'
when:
- get_audit_binary_method == 'download'
@ -27,7 +27,7 @@
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: 0555
mode: '0555'
owner: root
group: root
when:

4
tasks/auditd.yml
View file

@ -11,7 +11,7 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 0640
mode: '0640'
diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file
register: rhel9cis_auditd_template_updated
notify:
@ -39,7 +39,7 @@
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: 0640
mode: '0640'
diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
notify: Restart auditd
when:

2
tasks/post.yml
View file

@ -13,7 +13,7 @@
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: 0600
mode: '0600'
register: sysctl_updated
notify: Reload sysctl
loop:

2
tasks/post_remediation_audit.yml
View file

@ -11,7 +11,7 @@
- name: Post Audit | ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: 0644
mode: '0644'
state: file
loop:
- "{{ post_audit_outfile }}"

2
tasks/pre_remediation_audit.yml
View file

@ -69,7 +69,7 @@
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
mode: 0600
mode: '0600'
when:
- run_audit
tags:

2
tasks/prelim.yml
View file

@ -191,7 +191,7 @@
path: "{{ rhel9_cis_sshd_config_file }}"
owner: root
group: root
mode: 0600
mode: '0600'
state: touch
when:
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'

8
tasks/section_1/cis_1.1.1.x.yml
View file

@ -8,7 +8,7 @@
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: 0600
mode: '0600'
- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
@ -16,7 +16,7 @@
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: 0600
mode: '0600'
- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
community.general.modprobe:
@ -41,7 +41,7 @@
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: 0600
mode: '0600'
- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
@ -49,7 +49,7 @@
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: 0600
mode: '0600'
- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
community.general.modprobe:

2
tasks/section_1/cis_1.1.2.x.yml
View file

@ -63,7 +63,7 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 0644
mode: '0644'
notify: Systemd restart tmp.mount
when:
- rhel9cis_tmp_svc

4
tasks/section_1/cis_1.1.x.yml
View file

@ -10,7 +10,7 @@
create: true
owner: root
group: root
mode: 0600
mode: '0600'
- name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config"
community.general.modprobe:
@ -24,7 +24,7 @@
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
mode: 0600
mode: '0600'
when:
- rhel9cis_rule_1_1_9
tags:

2
tasks/section_1/cis_1.4.x.yml
View file

@ -6,7 +6,7 @@
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
owner: root
group: root
mode: 0600
mode: '0600'
notify: Grub2cfg
when:
- rhel9cis_set_boot_pass

12
tasks/section_1/cis_1.7.x.yml
View file

@ -6,7 +6,7 @@
dest: /etc/motd
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_1_7_1
tags:
@ -22,7 +22,7 @@
dest: /etc/issue
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_1_7_2
tags:
@ -37,7 +37,7 @@
dest: /etc/issue.net
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_1_7_3
tags:
@ -52,7 +52,7 @@
path: /etc/motd
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_1_7_4
tags:
@ -67,7 +67,7 @@
path: /etc/issue
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_1_7_5
tags:
@ -82,7 +82,7 @@
path: /etc/issue.net
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_1_7_6
tags:

24
tasks/section_1/cis_1.8.x.yml
View file

@ -25,7 +25,7 @@
create: true
owner: root
group: root
mode: 0644
mode: '0644'
notify: Reload dconf
loop:
- { regexp: 'user-db', line: 'user-db:user' }
@ -38,7 +38,7 @@
dest: /etc/dconf/db/gdm.d/01-banner-message
owner: root
group: root
mode: 0644
mode: '0644'
notify: Reload dconf
when:
- rhel9cis_rule_1_8_2
@ -59,7 +59,7 @@
create: true
owner: root
group: root
mode: 0644
mode: '0644'
notify: Reload dconf
loop:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
@ -87,7 +87,7 @@
create: true
owner: root
group: root
mode: 0644
mode: '0644'
loop:
- { regexp: '^user-db', line: 'user-db: user' }
- { regexp: '^system-db', line: 'system-db: local' }
@ -97,7 +97,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: 0755
mode: '0755'
state: directory
- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file"
@ -125,7 +125,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: 0755
mode: '0755'
state: directory
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
@ -134,7 +134,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
owner: root
group: root
mode: 0644
mode: '0644'
notify: Reload dconf
when:
- rhel9cis_rule_1_8_5
@ -171,7 +171,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: 0755
mode: '0755'
state: directory
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
@ -180,7 +180,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
owner: root
group: root
mode: 0644
mode: '0644'
notify: Reload dconf
when:
- rhel9cis_rule_1_8_7
@ -199,7 +199,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: 0755
mode: '0755'
state: directory
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
@ -227,7 +227,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: 0755
mode: '0755'
state: directory
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile"
@ -236,7 +236,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
owner: root
group: root
mode: 0644
mode: '0644'
notify: Reload dconf
when:
- rhel9cis_rule_1_8_9

4
tasks/section_2/cis_2.1.x.yml
View file

@ -21,7 +21,7 @@
dest: /etc/chrony.conf
owner: root
group: root
mode: 0644
mode: '0644'
- name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
ansible.builtin.lineinfile:
@ -29,7 +29,7 @@
regexp: "^(#)?OPTIONS"
line: "OPTIONS=\"-u chrony\""
create: true
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_2_1_2
- not system_is_container

2
tasks/section_3/cis_3.1.x.yml
View file

@ -73,7 +73,7 @@
regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc"
create: true
mode: 0600
mode: '0600'
when:
- rhel9cis_rule_3_1_3
tags:

6
tasks/section_4/cis_4.1.4.x.yml
View file

@ -50,7 +50,7 @@
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout | dirname }}"
state: directory
mode: 0750
mode: '0750'
when: not auditlog_dir.stat.mode is match('07(0|5)0')
when:
- rhel9cis_rule_4_1_4_4
@ -64,7 +64,7 @@
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
ansible.builtin.file:
path: "{{ item.path }}"
mode: 0640
mode: '0640'
loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
@ -127,7 +127,7 @@
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
ansible.builtin.file:
path: "{{ item.item }}"
mode: 0750
mode: '0750'
loop: "{{ audit_bins.results }}"
loop_control:

2
tasks/section_4/cis_4.2.3.yml
View file

@ -12,7 +12,7 @@
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
ansible.builtin.file:
path: "{{ item.path }}"
mode: 0640
mode: '0640'
loop: "{{ logfiles.files }}"
loop_control:
label: "{{ item.path }}"

16
tasks/section_5/cis_5.1.x.yml
View file

@ -18,7 +18,7 @@
path: /etc/crontab
owner: root
group: root
mode: 0600
mode: '0600'
when:
- rhel9cis_rule_5_1_2
tags:
@ -34,7 +34,7 @@
state: directory
owner: root
group: root
mode: 0700
mode: '0700'
when:
- rhel9cis_rule_5_1_3
tags:
@ -50,7 +50,7 @@
state: directory
owner: root
group: root
mode: 0700
mode: '0700'
when:
- rhel9cis_rule_5_1_4
tags:
@ -66,7 +66,7 @@
state: directory
owner: root
group: root
mode: 0700
mode: '0700'
when:
- rhel9cis_rule_5_1_5
tags:
@ -81,7 +81,7 @@
state: directory
owner: root
group: root
mode: 0700
mode: '0700'
when:
- rhel9cis_rule_5_1_6
tags:
@ -96,7 +96,7 @@
state: directory
owner: root
group: root
mode: 0700
mode: '0700'
when:
- rhel9cis_rule_5_1_7
tags:
@ -124,7 +124,7 @@
state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
mode: '0600'
when:
- rhel9cis_rule_5_1_8
tags:
@ -152,7 +152,7 @@
state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
mode: '0600'
when:
- rhel9cis_rule_5_1_9
tags:

6
tasks/section_5/cis_5.2.x.yml
View file

@ -5,7 +5,7 @@
path: "/etc/ssh/sshd_config"
owner: root
group: root
mode: 0600
mode: '0600'
when:
- rhel9cis_rule_5_2_1
tags:
@ -31,7 +31,7 @@
path: "{{ item.path }}"
owner: root
group: root
mode: 0600
mode: '0600'
loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}"
loop_control:
label: "{{ item.path }}"
@ -60,7 +60,7 @@
path: "{{ item.path }}"
owner: root
group: root
mode: 0644
mode: '0644'
loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}"
loop_control:
label: "{{ item.path }}"

2
tasks/section_5/cis_5.6.x.yml
View file

@ -50,7 +50,7 @@
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: 0644
mode: '0644'
block: |
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT

20
tasks/section_6/cis_6.1.x.yml
View file

@ -5,7 +5,7 @@
path: /etc/passwd
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_6_1_1
tags:
@ -20,7 +20,7 @@
path: /etc/passwd-
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_6_1_2
tags:
@ -32,10 +32,10 @@
- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured"
ansible.builtin.file:
path: /etc/group-
path: /etc/group
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_6_1_3
tags:
@ -50,7 +50,7 @@
path: /etc/group-
owner: root
group: root
mode: 0644
mode: '0644'
when:
- rhel9cis_rule_6_1_4
tags:
@ -65,7 +65,7 @@
path: /etc/shadow
owner: root
group: root
mode: 0000
mode: '0000'
when:
- rhel9cis_rule_6_1_5
tags:
@ -80,7 +80,7 @@
path: /etc/shadow-
owner: root
group: root
mode: 0000
mode: '0000'
when:
- rhel9cis_rule_6_1_6
tags:
@ -95,7 +95,7 @@
path: /etc/gshadow
owner: root
group: root
mode: 0000
mode: '0000'
when:
- rhel9cis_rule_6_1_7
tags:
@ -110,7 +110,7 @@
path: /etc/gshadow-
owner: root
group: root
mode: 0000
mode: '0000'
when:
- rhel9cis_rule_6_1_8
tags:
@ -357,7 +357,7 @@
content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}"
owner: root
group: root
mode: 0640
mode: '0640'
- name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
ansible.builtin.debug: