Merge pull request #26 from ansible-lockdown/latest
May 2025 Alignment to latest
This commit is contained in:
commit
ee5f604a66
3 changed files with 11 additions and 11 deletions
|
|
@ -69,7 +69,7 @@ This is managed using tags:
|
||||||
- level2-server
|
- level2-server
|
||||||
- level2-workstation
|
- level2-workstation
|
||||||
|
|
||||||
The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component.
|
The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component.
|
||||||
|
|
||||||
## Coming from a previous release
|
## Coming from a previous release
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ rhel9cis_selinux_disable: false
|
||||||
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
|
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
|
||||||
rhel9cis_legacy_boot: false
|
rhel9cis_legacy_boot: false
|
||||||
|
|
||||||
## Benchmark name used by audting control role
|
## Benchmark name used by auditing control role
|
||||||
# The audit variable found at the base
|
# The audit variable found at the base
|
||||||
## metadata for Audit benchmark
|
## metadata for Audit benchmark
|
||||||
benchmark_version: 'v2.0.0'
|
benchmark_version: 'v2.0.0'
|
||||||
|
|
@ -101,7 +101,7 @@ audit_content: git
|
||||||
# If using either archive, copy, get_url:
|
# If using either archive, copy, get_url:
|
||||||
## Note will work with .tar files - zip will require extra configuration
|
## Note will work with .tar files - zip will require extra configuration
|
||||||
### If using get_url this is expecting github url in tar.gz format e.g.
|
### If using get_url this is expecting github url in tar.gz format e.g.
|
||||||
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
|
### https://github.com/ansible-lockdown/RHEL9-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
|
||||||
audit_conf_source: "some path or url to copy from"
|
audit_conf_source: "some path or url to copy from"
|
||||||
|
|
||||||
# Destination for the audit content to be placed on managed node
|
# Destination for the audit content to be placed on managed node
|
||||||
|
|
@ -238,7 +238,7 @@ rhel9cis_rule_1_8_8: true
|
||||||
rhel9cis_rule_1_8_9: true
|
rhel9cis_rule_1_8_9: true
|
||||||
rhel9cis_rule_1_8_10: true
|
rhel9cis_rule_1_8_10: true
|
||||||
|
|
||||||
# Section 2 rules are controling Services (Special Purpose Services, and service clients)
|
# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
|
||||||
## Configure Server Services
|
## Configure Server Services
|
||||||
rhel9cis_rule_2_1_1: true
|
rhel9cis_rule_2_1_1: true
|
||||||
rhel9cis_rule_2_1_2: true
|
rhel9cis_rule_2_1_2: true
|
||||||
|
|
@ -721,7 +721,7 @@ rhel9cis_bluetooth_mask: false
|
||||||
rhel9cis_ipv6_required: true
|
rhel9cis_ipv6_required: true
|
||||||
|
|
||||||
## 3.1.2 wireless network requirements
|
## 3.1.2 wireless network requirements
|
||||||
# if wireless adapetr found allow network manager to be installed
|
# if wireless adapter found allow network manager to be installed
|
||||||
rhel9cis_install_network_manager: false
|
rhel9cis_install_network_manager: false
|
||||||
# 3.3 System network parameters (host only OR host and router)
|
# 3.3 System network parameters (host only OR host and router)
|
||||||
# This variable governs whether specific CIS rules
|
# This variable governs whether specific CIS rules
|
||||||
|
|
@ -729,15 +729,15 @@ rhel9cis_install_network_manager: false
|
||||||
rhel9cis_is_router: false
|
rhel9cis_is_router: false
|
||||||
|
|
||||||
# This variable governs if the task which updates sysctl(including sysctl reload) is executed.
|
# This variable governs if the task which updates sysctl(including sysctl reload) is executed.
|
||||||
# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact').
|
# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact').
|
||||||
rhel9cis_sysctl_update: false
|
rhel9cis_sysctl_update: false
|
||||||
# This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to
|
# This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to
|
||||||
# use the new configuration).
|
# use the new configuration).
|
||||||
# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact').
|
# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact').
|
||||||
rhel9cis_flush_ipv4_route: false
|
rhel9cis_flush_ipv4_route: false
|
||||||
# This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to
|
# This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to
|
||||||
# use the new configuration).
|
# use the new configuration).
|
||||||
# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact').
|
# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact').
|
||||||
rhel9cis_flush_ipv6_route: false
|
rhel9cis_flush_ipv6_route: false
|
||||||
|
|
||||||
# Section 4 vars
|
# Section 4 vars
|
||||||
|
|
@ -889,13 +889,13 @@ rhel9cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD
|
||||||
|
|
||||||
# To create a new profile (best for greenfield fresh sites not configured)
|
# To create a new profile (best for greenfield fresh sites not configured)
|
||||||
# This allows creation of a custom profile using an existing one to build from
|
# This allows creation of a custom profile using an existing one to build from
|
||||||
# will only create if profiel does not already exist
|
# will only create if profile does not already exist
|
||||||
## options true or false
|
## options true or false
|
||||||
rhel9cis_authselect_custom_profile_create: true
|
rhel9cis_authselect_custom_profile_create: true
|
||||||
## Controls:
|
## Controls:
|
||||||
# - 5.3.2.1 - Ensure custom authselect profile is used
|
# - 5.3.2.1 - Ensure custom authselect profile is used
|
||||||
# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple
|
# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple
|
||||||
# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk.
|
# options and ways to configure this control needs to be enabled and settings adjusted to minimize risk.
|
||||||
|
|
||||||
# This variable configures the name of the custom profile to be created and selected.
|
# This variable configures the name of the custom profile to be created and selected.
|
||||||
# To be changed from default - cis_example_profile
|
# To be changed from default - cis_example_profile
|
||||||
|
|
|
||||||
|
|
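Review bot: The corrected example URL in the hunk at -101 still names `benchmark-v1.0.0.tar.gz` while `benchmark_version` in the hunk at -45 is `'v2.0.0'`, so the example now points at the right repository but the wrong benchmark release. The example should track the same version as `benchmark_version`, and since it is a `refs/heads` branch archive its contents can change between runs; a tag or commit archive is reproducible, and if the role's get_url task supports it a `checksum:` would let the fetched audit content be verified before it is unpacked on the managed node. Suggested comment to replace the example line: `### e.g. a tag or commit archive matching benchmark_version, not a refs/heads branch archive, so the audit content is pinned and checksum-verifiable`. The surrounding hunks only fix comment typos and need nothing further.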
@ -33,7 +33,7 @@
|
||||||
when: audit_format == "documentation"
|
when: audit_format == "documentation"
|
||||||
block:
|
block:
|
||||||
- name: Post Audit | Capture audit data if documentation format
|
- name: Post Audit | Capture audit data if documentation format
|
||||||
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
|
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: post_audit_summary
|
register: post_audit_summary
|
||||||
|
|
||||||
|
|
|
||||||
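Review bot: The corrected shell line still splices the templated path into a shell string under double quotes, so a value of `post_audit_outfile` containing `$`, backticks or `"` would be expanded by the shell or break the command; `ansible.builtin.shell: tail -2 {{ post_audit_outfile | quote }} | tac | tr '\n' ' '` passes the path as a single literal argument instead. Whether `post_audit_outfile` is defined under exactly that name elsewhere in the role cannot be confirmed from this hunk, so a run against a host where it is undefined would fail at templating rather than silently reading the pre-audit file as before. The enclosing block task starts outside the hunk.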