From f808f30173c58456028d4c5d7a9fe0581f7198be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:08:18 +0100 Subject: [PATCH] updated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 74 ++--- tasks/section_1/cis_1.1.2.x.yml | 22 +- tasks/section_1/cis_1.1.3.x.yml | 12 +- tasks/section_1/cis_1.1.4.x.yml | 12 +- tasks/section_1/cis_1.1.5.x.yml | 12 +- tasks/section_1/cis_1.1.6.x.yml | 12 +- tasks/section_1/cis_1.1.7.x.yml | 14 +- tasks/section_1/cis_1.1.8.x.yml | 12 +- tasks/section_1/cis_1.1.x.yml | 346 +------------------ tasks/section_1/cis_1.10.yml | 10 +- tasks/section_1/cis_1.2.x.yml | 77 ++--- tasks/section_1/cis_1.3.x.yml | 65 ++-- tasks/section_1/cis_1.4.x.yml | 93 ++++-- tasks/section_1/cis_1.5.x.yml | 82 ++--- tasks/section_1/cis_1.6.1.x.yml | 28 +- tasks/section_1/cis_1.7.x.yml | 12 +- tasks/section_1/cis_1.8.x.yml | 20 +- tasks/section_1/cis_1.9.yml | 6 +- tasks/section_1/main.yml | 59 ++-- tasks/section_2/cis_2.1.x.yml | 43 +++ tasks/section_2/cis_2.2.x.yml | 569 ++++++++++++++++++-------------- tasks/section_2/cis_2.3.x.yml | 76 ++++- tasks/section_2/cis_2.4.yml | 26 ++ tasks/section_2/main.yml | 10 +- 24 files changed, 769 insertions(+), 923 deletions(-) create mode 100644 tasks/section_2/cis_2.1.x.yml create mode 100644 tasks/section_2/cis_2.4.yml diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index dc8ae32..b9fb674 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
@@ -1,102 +1,76 @@ --- -- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" block: - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" modprobe: name: cramfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_1 + - rhel8cis_rule_1_1_1_1 tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_1.1.1.1 - cramfs -- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited" +- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install vfat(\\s|$)" - line: "install vfat /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" - modprobe: - name: vfat - state: absent - when: ansible_connection != 'docker' - when: - - rhel9cis_rule_1_1_1_2 - - rhel9cis_legacy_boot - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.1.1.2 - - vfat - -- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.2 | PATCH | Ensure mounting of 
squashfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_3 + - rhel8cis_rule_1_1_1_2 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.3 + - rule_1.1.1.2 - squashfs -- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_4 + - rhel8cis_rule_1_1_1_3 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.4 + - rule_1.1.1.3 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index bb18993..06c4eef 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
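Review bot: `create: yes` (three occurrences in this hunk, each replacing `create: true`) reintroduces the YAML 1.1 truthy spellings that yamllint's `truthy` rule and ansible-lint reject; keep `create: true` as the old side had. The `install <fs> /bin/true` lines only stop modprobe from auto-loading the module; newer revisions of the benchmark (the ones that use the Automated/Manual wording these tags now follow) also expect a `blacklist <fs>` entry and use `/bin/false` — if that is the revision being tracked, add a second `lineinfile` per filesystem, e.g. `regexp: "^(#)?blacklist cramfs(\\s|$)"` / `line: "blacklist cramfs"`. The unload step (`modprobe: state: absent`) is skipped under `ansible_connection == 'docker'` while the config edit still runs, so an already-loaded module stays resident there; a one-line comment on the `when:` saying that is deliberate would help the next reader.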
@@ -4,7 +4,7 @@ debug: msg: "WARNING!! /tmp is not mounted on a separate partition" when: - - rhel9cis_rule_1_1_2_1 + - rhel8cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server @@ -24,7 +24,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_2_4 %}nosuid{% endif %} notify: remount tmp with_items: - "{{ ansible_mounts }}" @@ -32,10 +32,10 @@ label: "{{ item.device }}" when: - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_2 or - rhel9cis_rule_1_1_2_3 or - rhel9cis_rule_1_1_2_4 + - not rhel8cis_tmp_svc + - rhel8cis_rule_1_1_2_2 or + rhel8cis_rule_1_1_2_3 or + rhel8cis_rule_1_1_2_4 tags: - level1-server - level1-workstation @@ -60,11 +60,11 @@ mode: 0644 notify: systemd restart tmp.mount when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_1 or - rhel9cis_rule_1_1_2_2 or - rhel9cis_rule_1_1_2_3 or - rhel9cis_rule_1_1_2_4 + - rhel8cis_tmp_svc + - rhel8cis_rule_1_1_2_1 or + rhel8cis_rule_1_1_2_2 or + rhel8cis_rule_1_1_2_3 or + rhel8cis_rule_1_1_2_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index c7fb986..31696f8 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -19,7 +19,7 @@ vars: required_mount: '/var' when: - - rhel9cis_rule_1_1_3_1 + - rhel8cis_rule_1_1_3_1 tags: - level2-server - level2-workstation 
@@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -47,10 +47,10 @@ when: - var_mount_present is defined - item.mount == "/var" - - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 or - rhel9cis_rule_1_1_3_4 + - rhel8cis_rule_1_1_3_1 # This is required so the check takes place + - rhel8cis_rule_1_1_3_2 or + rhel8cis_rule_1_1_3_3 or + rhel8cis_rule_1_1_3_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index dbeab96..b2ddbf0 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -20,7 +20,7 @@ vars: required_mount: '/var/tmp' when: - - rhel9cis_rule_1_1_4_1 + - rhel8cis_rule_1_1_4_1 tags: - level2-server - level2-workstation @@ -39,7 +39,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -48,10 +48,10 @@ when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_4_1 # This is required so the check takes place - - rhel9cis_rule_1_1_4_2 or - rhel9cis_rule_1_1_4_3 or - rhel9cis_rule_1_1_4_4 + - rhel8cis_rule_1_1_4_1 # This is required so the check takes place + - rhel8cis_rule_1_1_4_2 or + rhel8cis_rule_1_1_4_3 or + rhel8cis_rule_1_1_4_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index f286fcc..662c8da 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log' when: - - rhel9cis_rule_1_1_5_1 + - rhel8cis_rule_1_1_5_1 tags: - level2-server - level2-workstation @@ -37,7 +37,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -46,10 +46,10 @@ when: - var_log_mount_present is defined - item.mount == "/var/log" - - rhel9cis_rule_1_1_5_1 # This is required so the check takes place - - rhel9cis_rule_1_1_5_2 or - rhel9cis_rule_1_1_5_3 or - rhel9cis_rule_1_1_5_4 + - rhel8cis_rule_1_1_5_1 # This is required so the check takes place + - rhel8cis_rule_1_1_5_2 or + rhel8cis_rule_1_1_5_3 or + rhel8cis_rule_1_1_5_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 94e85d2..89434f8 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/var/log/audit' when: - - rhel9cis_rule_1_1_6_1 + - rhel8cis_rule_1_1_6_1 tags: - level2-server - level2-workstation 
@@ -36,7 +36,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -45,10 +45,10 @@ when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel9cis_rule_1_1_6_1 # This is required so the check takes place - - rhel9cis_rule_1_1_6_2 or - rhel9cis_rule_1_1_6_3 or - rhel9cis_rule_1_1_6_4 + - rhel8cis_rule_1_1_6_1 # This is required so the check takes place + - rhel8cis_rule_1_1_6_2 or + rhel8cis_rule_1_1_6_3 or + rhel8cis_rule_1_1_6_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 453fef5..a4aa38d 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -18,7 +18,7 @@ vars: required_mount: '/home' when: - - rhel9cis_rule_1_1_7_1 + - rhel8cis_rule_1_1_7_1 tags: - level2-server - level2-workstation @@ -38,7 +38,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -47,11 +47,11 @@ when: - home_mount_present is defined - item.mount == "/home" - - rhel9cis_rule_1_1_7_1 - - rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_3 or - rhel9cis_rule_1_1_7_4 or - rhel9cis_rule_1_1_7_5 + - rhel8cis_rule_1_1_7_1 + - rhel8cis_rule_1_1_7_2 or + rhel8cis_rule_1_1_7_3 or + rhel8cis_rule_1_1_7_4 or + rhel8cis_rule_1_1_7_5 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6af..b2ec06c 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -14,7 +14,7 @@ changed_when: false failed_when: false check_mode: no - register: rhel9cis_1_1_8_x_dev_shm_status + register: rhel8cis_1_1_8_x_dev_shm_status - name: | "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -25,13 +25,13 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" + opts: defaults,{% if rhel8cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel8cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: - - rhel9cis_rule_1_1_8_1 or - rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_3 + - rhel8cis_rule_1_1_8_1 or + rhel8cis_rule_1_1_8_2 or + rhel8cis_rule_1_1_8_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 2becc11..4498978 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
@@ -1,365 +1,45 @@ --- -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via fstab" - mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5 %}nosuid{% endif %} - notify: remount tmp - loop: "{{ ansible_mounts }}" - when: - - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via systemd" - template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 0644 - notify: systemd restart tmp.mount - when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var" - block: - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. 
This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var' - when: - - rhel9cis_rule_1_1_6 - tags: - - level2-server - - level2-workstation - - scored - - patch - - mounts - - rule_1.1.6 - -- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | skips if mount absent" - block: - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." 
- register: var_tmp_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/var/tmp' - when: - - rhel9cis_rule_1_1_7 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.7 - -- name: | - "1.1.8 | L1 | PATCH | Ensure nodev option set on /var/tmp partition | skips if mount absent" - "1.1.9 | L1 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent" - "1.1.10 | L1 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent" - mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_10 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_9 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" - when: - - var_tmp_mount_present is defined - - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_7 # This is required so the check takes place - - rhel9cis_rule_1_1_8 or - rhel9cis_rule_1_1_9 or - rhel9cis_rule_1_1_10 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - skip_ansible_lint - -- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log" - block: - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." 
- when: - - required_mount in mount_names - vars: - required_mount: '/var/log' - when: - - rhel9cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.11 - - skip_ansible_lint - -- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit" - block: - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log/audit' - when: - - rhel9cis_rule_1_1_12 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.12 - - -- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." 
- register: home_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/home' - when: - - rhel9cis_rule_1_1_13 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: "1.1.14 | L1 | PATCH | Ensure nodev option set on /home partition | skips if mount absent" - mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_14 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" - when: - - home_mount_present is defined - - item.mount == "/home" - - rhel9cis_rule_1_1_14 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - block: - - name: | - "1.1.15 | L1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_15_dev_shm_status - - - name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_17 %}noexec,{% endif 
%}{% if rhel9cis_rule_1_1_15 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_16 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_15_dev_shm_status.stdout" - when: - - rhel9cis_rule_1_1_15 or - rhel9cis_rule_1_1_16 or - rhel9cis_rule_1_1_17 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.15 - - rule_1.1.16 - - rule_1.1.17 - -- name: | - "1.1.18 | L1 | PATCH | Ensure nodev option set on removable media partitions" - "1.1.19 | L1 | PATCH | Ensure nosuid option set on removable media partitions" - "1.1.20 | L1 | PATCH | Ensure noexec option set on removable media partitions" - debug: - msg: "--> Not relevant" - changed_when: false - when: - - rhel9cis_rule_1_1_18 or - rhel9cis_rule_1_1_19 or - rhel9cis_rule_1_1_20 - tags: - - level1-server - - level1-workstation - - notscored - - audit - - mounts - - rule_1.1.18 - - rule_1.1.19 - - rule_1.1.20 - -- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false - changed_when: false - failed_when: false - when: - - rhel9cis_rule_1_1_21 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - patch - - stickybits - - permissons - - rule_1.1.21 - -- name: "1.1.22 | L1 | PATCH | Disable Automounting" +- name: "1.1.9 | PATCH | Disable Automounting" service: name: autofs - enabled: false + enabled: no when: - - not rhel9cis_allow_autofs + - not rhel8cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_22 + - rhel8cis_rule_1_1_9 tags: - level1-server - level2-workstation + - automated - patch - mounts - automounting - - rule_1.1.22 + - rule_1.1.9 -- name: "1.1.23 | L1 | PATCH | Disable USB Storage" +- name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | 
Disable USB Storage | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: true + create: yes owner: root group: root mode: 0600 - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_23 + - rhel8cis_rule_1_1_10 tags: - level1-server - level2-workstation + - automated - patch - mounts - removable_storage - - rule_1.1.23 + - rule_1.1.10 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 6b4a161..82ec26f 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,17 +1,17 @@ --- -- name: "1.10 | L1 | PATCH | Ensure system-wide crypto policy is not legacy" +- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" + update-crypto-policies --set "{{ rhel8cis_crypto_policy }}" update-crypto-policies - args: - warn: false + notify: change_requires_reboot when: - - rhel9cis_rule_1_10 + - rhel8cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server - level1-workstation + - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 52372a3..a095c96 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
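Review bot: The surviving 1.1.9 task only sets `enabled: no` on autofs and never stops it, so on a host where autofs is already running automounting stays active until the next reboot; add `state: stopped` next to it (and write `enabled: false` rather than `no`, as the removed lines did). The hunk also deletes the sticky-bit task for world-writable directories (old 1.1.21) and the removable-media tasks with no visible replacement in this patch — if they were not relocated to another file, that control silently drops out of the role. The 1.1.10 USB-storage `modprobe` task lacks the `when: ansible_connection != 'docker'` guard that the sibling filesystem-module tasks carry; presumably intentional, but worth aligning or commenting.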
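Review bot: This task fires only when the live policy is `LEGACY` and then applies whatever `rhel8cis_crypto_policy` holds, so if that variable is itself `LEGACY` (or empty) the shell line re-applies the insecure policy and still notifies a reboot; gate it with `- rhel8cis_crypto_policy | default('') not in ['', 'LEGACY']`, or `assert` the value against the policies you allow (DEFAULT/FUTURE/FIPS plus any site subpolicy) before this task. Nothing here needs a shell, so `command: update-crypto-policies --set "{{ rhel8cis_crypto_policy }}"` followed by a second `command: update-crypto-policies` would remove the interpolated-string quoting concern and satisfy ansible-lint. Dropping `args: warn: false` here is fine, but the same parameter is kept on a `command` task in cis_1.2.x.yml in this patch — keep the two consistent.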
@@ -1,103 +1,86 @@ --- -- name: "1.2.1 | L1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" +- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present - username: "{{ rhel9cis_rh_sub_user }}" - password: "{{ rhel9cis_rh_sub_password }}" + username: "{{ rhel8cis_rh_sub_user }}" + password: "{{ rhel8cis_rh_sub_password }}" auto_attach: true no_log: true when: - ansible_distribution == "RedHat" - - rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_1 + - rhel8cis_rhnsd_required + - rhel8cis_rule_1_2_1 tags: - level1-server - level1-workstation - - notscored + - manual - patch - rule_1.2.1 - skip_ansible_lint # Added as no_log still errors on ansuible-lint -- name: "1.2.2 | L1 | PATCH | Disable the rhnsd Daemon" - service: - name: rhnsd - state: stopped - enabled: false - masked: true +- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" + command: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" when: - - ansible_distribution == "RedHat" - - rhnsd_service_status.stdout == "loaded" and not rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - notscored - - patch - - rule_1.2.2 - -- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" - args: - warn: false - when: - - rhel9cis_rule_1_2_3 + - rhel8cis_rule_1_2_2 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: - level1-server - level1-workstation - - notscored + - manual - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.4 | L1 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false 
- - name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_4 + - rhel8cis_rule_1_2_3 tags: - level1-server - level1-workstation - - scored + - automated - patch - - rule_1.2.4 + - rule_1.2.3 -- name: "1.2.5 | L1 | Ensure package manager repositories are configured" +- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" - shell: dnf repolist - args: - warn: false + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" + command: dnf repolist changed_when: false failed_when: false register: dnf_configured - check_mode: false + check_mode: no + args: + warn: false - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel9cis_rule_1_2_5 + - rhel8cis_rule_1_2_4 tags: - level1-server - level1-workstation - - notscored - - patch - - rule_1.2.5 + - manual + - audit + - rule_1.2.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 8456bc1..d89aa67 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
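Review bot: 1.2.3 only rewrites repo files matching `^gpgcheck=0`; dnf also accepts `gpgcheck = 0`, `gpgcheck=false` and `gpgcheck=no`, and the benchmark's audit for this control additionally expects `gpgcheck=1` in `/etc/dnf/dnf.conf`, which the task never touches. Widen the pattern to `regexp: '^\s*gpgcheck\s*=\s*(0|no|false)\s*$'` (keeping `replace: "gpgcheck=1"`) and add a `lineinfile` on `/etc/dnf/dnf.conf` with `regexp: '^\s*gpgcheck\s*='`, `line: gpgcheck=1`, `insertafter: '^\[main\]'`. 1.2.2 (`command: gpg --quiet --with-fingerprint …`) is an audit-only step that now has no `changed_when: false`, so it reports a change on every run, and it prints fingerprints without comparing them to the vendor's published values — the `manual` tag is the honest marker, but a comment saying the operator must do the comparison would make that explicit. `args: warn: false` on the 1.2.4 `command` task was dropped from the `shell` task in cis_1.10.yml in this same patch; newer ansible-core releases no longer accept that parameter (verify against your minimum supported core), so drop it here as well.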
@@ -1,44 +1,51 @@ --- -- name: "1.3.1 | L1 | PATCH | Ensure sudo is installed" - package: - name: sudo - state: present +- name: "1.3.1 | PATCH | Ensure AIDE is installed" + block: + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" + package: + name: aide + state: present + + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + changed_when: false + failed_when: false + async: 45 + poll: 0 + args: + creates: /var/lib/aide/aide.db.gz + when: not ansible_check_mode when: - - rhel9cis_rule_1_3_1 + - rhel8cis_config_aide + - rhel8cis_rule_1_3_1 tags: - level1-server - level1-workstation - - scored - - sudo + - automated + - aide - patch - rule_1.3.1 -- name: "1.3.2 | L1 | PATCH | Ensure sudo commands use pty" - lineinfile: - dest: /etc/sudoers - line: "Defaults use_pty" - state: present +- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check + cron_file: "{{ rhel8cis_aide_cron['cron_file'] }}" + user: "{{ rhel8cis_aide_cron['cron_user'] }}" + minute: "{{ rhel8cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel8cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel8cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel8cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel8cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel8cis_aide_cron['aide_job'] }}" when: - - rhel9cis_rule_1_3_2 + - rhel8cis_rule_1_3_2 + - not system_is_ec2 tags: - level1-server - level1-workstation - - scored + - automated + - aide + - file_integrity - patch - rule_1.3.2 - -- name: "1.3.3 | L1 | PATCH | Ensure sudo log file exists" - lineinfile: - dest: /etc/sudoers - regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' - state: present - when: - - rhel9cis_rule_1_3_3 - tags: - - level1-server - - level1-workstation - - scored - - patch - 
- rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index a5b1f3b..9693602 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
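Review bot: The new 1.3.1 "Configure AIDE" step runs `aide --init` with `async: 45`, `poll: 0` and `failed_when: false`, so on any host where the initial scan takes longer than 45 seconds the async wrapper — as far as I recall it enforces the limit by killing the job; confirm — terminates it and the role reports success with no (or a truncated) `/var/lib/aide/aide.db.gz`, and `creates:` then skips re-initialisation on later runs if a partial file was left behind. Give it a realistic budget, e.g. `async: 3600`, and either poll (`poll: 10`) or register the job and check it with `async_status` in a follow-up task instead of silencing the failure. The 1.3.2 cron task dereferences `rhel8cis_aide_cron['aide_job']`, `['cron_file']` and `['cron_user']` without `default()` while the schedule keys have them; a missing key is a hard failure, so either document those three as mandatory in the role defaults or give them defaults too. If `aide --init` really is meant to be fire-and-forget, a comment saying so (and why the exit status is ignored) would stop the next reader from "fixing" it.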
@@ -1,47 +1,76 @@ --- -- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: - name: aide - state: present - - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" - shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' - args: - warn: false - creates: /var/lib/aide/aide.db.gz - changed_when: false - failed_when: false - async: 45 - poll: 0 - when: not ansible_check_mode +- name: "1.4.1 | PATCH | Ensure bootloader password is set" + copy: + dest: /boot/grub2/user.cfg + content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}" + owner: root + group: root + mode: 0600 + notify: grub2cfg when: - - rhel9cis_config_aide - - rhel9cis_rule_1_4_1 + - rhel8cis_set_boot_pass + - grub_pass is defined and grub_pass.passhash is defined + - grub_pass.passhash | length > 0 + - rhel8cis_rule_1_4_1 tags: - level1-server - level1-workstation - - scored - - aide + - automated + - grub - patch - rule_1.4.1 -- name: "1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked" - template: - src: aide.cron.j2 - dest: /etc/cron.d/aide.cron - owner: root - group: root - mode: 0644 +- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + file: + path: "{{ grub_cfg.stat.lnk_source }}" + owner: root + group: root + mode: 0600 + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" + mount: + name: /boot/efi + src: "UUID={{ item.uuid }}" + fstype: vfat + state: present + opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 + passno: '0' + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: + - not rhel8cis_legacy_boot + - item.mount == "/boot/efi" when: - - rhel9cis_rule_1_4_2 + - rhel8cis_rule_1_4_2 + - grub_cfg.stat.exists + - grub_cfg.stat.islnk 
tags: - level1-server - level1-workstation - - scored - - aide - - file_integrity + - automated + - grub - patch - rule_1.4.2 + +- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" + lineinfile: + path: /etc/systemd/system/rescue.service.d/00-require-auth.conf + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel8cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 5b16946..a791860 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
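Review bot: The 1.4.3 task writes a systemd drop-in that consists of a single `ExecStart=` line: `lineinfile` with `create: yes` produces `/etc/systemd/system/rescue.service.d/00-require-auth.conf` with no `[Service]` section header and no empty `ExecStart=` reset before the new value, so systemd ignores the assignment (it is outside any section) and the original `ExecStart` of rescue.service is not overridden. `lineinfile` also does not create the parent `rescue.service.d` directory, so the task fails on a host where it is absent, and nothing notifies `systemd_daemon_reload` (the handler this change already uses in 1.5.1), so the unit is not re-read even when the file is written. Creating the directory and writing the drop-in with `copy` fixes all three; the fence shows the replacement for the `lineinfile` call, keeping the existing `when`/`tags`.
```yaml
- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode"
  block:
    - name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode | Create drop-in directory"
      file:
        path: /etc/systemd/system/rescue.service.d
        state: directory
        owner: root
        group: root
        mode: 0755

    - name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode | Require sulogin"
      copy:
        dest: /etc/systemd/system/rescue.service.d/00-require-auth.conf
        # Drop-ins need a section header; ExecStart must be cleared before it is re-set
        content: |
          [Service]
          ExecStart=
          ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
        owner: root
        group: root
        mode: 0644
      notify: systemd_daemon_reload
  # … unchanged: when / tags …
```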
@@ -1,76 +1,50 @@ --- -- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - file: - path: "{{ grub_cfg.stat.lnk_source }}" - owner: root - group: root - mode: 0600 - - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - loop: "{{ ansible_mounts }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" +- name: "1.5.1 | PATCH | Ensure core dump storage is disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: 'Storage=' + line: 'Storage=none' + notify: systemd_daemon_reload when: - - rhel9cis_rule_1_5_1 - - grub_cfg.stat.exists - - grub_cfg.stat.islnk + - rhel8cis_rule_1_5_1 + - systemd_coredump.stat.exists tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch - rule_1.5.1 -- name: "1.5.2 | L1 | PATCH | Ensure bootloader password is set" - copy: - dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" - owner: root - group: root - mode: 0600 - notify: grub2cfg +- name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: 'ProcessSizeMax=' + line: 'ProcessSizeMax=0' when: - - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - - rhel9cis_rule_1_5_2 + - rhel8cis_rule_1_5_2 tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch + - sysctl - rule_1.5.2 -- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode" - block: - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Emergency service" - lineinfile: - dest: 
/usr/lib/systemd/system/emergency.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency' - - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Rescue service" - lineinfile: - dest: /usr/lib/systemd/system/rescue.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' +- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes when: - - rhel9cis_rule_1_5_3 + - rhel8cis_rule_1_5_3 tags: - level1-server - level1-workstation + - automated - patch + - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index b31600a..84dc520 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -5,7 +5,7 @@ name: libselinux state: present when: - - rhel9cis_rule_1_6_1_1 + - rhel8cis_rule_1_6_1_1 tags: - level1-server - level1-workstation @@ -22,7 +22,7 @@ ignore_errors: yes notify: grub2cfg when: - - rhel9cis_rule_1_6_1_2 + - rhel8cis_rule_1_6_1_2 tags: - level1-server - level1-workstation @@ -34,11 +34,11 @@ - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_3 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_3 tags: - level1-server - level1-workstation 
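Review bot: The 1.5.2 task edits `/etc/systemd/coredump.conf` with `lineinfile` but, unlike 1.5.1 directly above it, is not guarded by `- systemd_coredump.stat.exists` and sets no `create`, so on a host where the file is absent 1.5.1 is skipped and 1.5.2 fails instead; add the same condition to 1.5.2's `when`, or give both tasks `create: true`. The patterns `regexp: 'Storage='` and `regexp: 'ProcessSizeMax='` are unanchored; `'^(#)?Storage='` and `'^(#)?ProcessSizeMax='` match the file's commented defaults deliberately and cannot hit another key by substring, which is the convention the modprobe tasks in this change already follow. The `sysctl` tag on 1.5.2 looks copied from 1.5.3 — the task edits coredump.conf, not a sysctl. The removed 1.5.3 block covered `emergency.service` as well as `rescue.service`, and only the rescue unit is handled by the new 1.4.3; if that follows the updated benchmark, fine, otherwise emergency mode is no longer covered.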
@@ -51,11 +51,11 @@ - name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_4 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_4 tags: - level1-server - level1-workstation @@ -67,11 +67,11 @@ - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" selinux: conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" + policy: "{{ rhel8cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_5 + - not rhel8cis_selinux_disable + - rhel8cis_rule_1_6_1_5 tags: - level2-server - level2-workstation @@ -98,7 +98,7 @@ msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_6 + - rhel8cis_rule_1_6_1_6 tags: - level1-server - level1-workstation @@ -112,7 +112,7 @@ name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel8cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server @@ -126,7 +126,7 @@ name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_8 + - rhel8cis_rule_1_6_1_8 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1ee5579..586a881 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -8,7 +8,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_1 + - rhel8cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -25,7 +25,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_2 + - rhel8cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_3 + - rhel8cis_rule_1_7_3 tags: - level1-server - level1-workstation 
@@ -58,7 +58,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_4 + - rhel8cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -75,7 +75,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_5 + - rhel8cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -92,7 +92,7 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_7_6 + - rhel8cis_rule_1_7_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 1edc704..a512e01 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -5,7 +5,7 @@ name: gdm state: absent when: - - rhel9cis_rule_1_8_1 + - rhel8cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" tags: - level2-server @@ -32,10 +32,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel8cis_warning_banner }}' " } when: - - rhel9cis_rule_1_8_2 - - rhel9cis_gui + - rhel8cis_rule_1_8_2 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -62,8 +62,8 @@ - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } when: - - rhel9cis_rule_1_8_3 - - rhel9cis_gui + - rhel8cis_rule_1_8_3 + - rhel8cis_gui tags: - level1-server - level1-workstation 
@@ -78,8 +78,8 @@ regexp: 'Enable=true' state: absent when: - - rhel9cis_rule_1_8_4 - - rhel9cis_gui + - rhel8cis_rule_1_8_4 + - rhel8cis_gui tags: - level1-server - level1-workstation @@ -100,8 +100,8 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel9cis_rule_1_8_5 - - rhel9cis_gui + - rhel8cis_rule_1_8_5 + - rhel8cis_gui tags: - level1-server - level2-workstation diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index a67d5db..f6239e3 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,15 +1,17 @@ --- -- name: "1.9 | L1 | PATCH | Ensure updates, patches, and additional security software are installed" +- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" package: name: "*" state: latest + notify: change_requires_reboot when: - - rhel9cis_rule_1_9 + - rhel8cis_rule_1_9 - not system_is_ec2 tags: - level1-server - level1-workstation + - automated - patch - rule_1.9 - skip_ansible_lint diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 933804e..c5c8e09 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,42 +1,59 @@ --- -- name: "SECTION | 1.1 | FileSystem Configurations\n - SECTION | 1.1.1.x | Disable unused filesystems" +- name: "SECTION | 1.1.1.x | Disable unused filesystems" import_tasks: cis_1.1.1.x.yml -- import_tasks: cis_1.1.x.yml + +- name: "SECTION | 1.1.2.x | Configure /tmp" + import_tasks: cis_1.1.2.x.yml + +- name: "SECTION | 1.1.3.x | Configure /var" + import_tasks: cis_1.1.3.x.yml + +- name: "SECTION | 1.1.4.x | Configure /var/tmp" + import_tasks: cis_1.1.4.x.yml + +- name: "SECTION | 1.1.5.x | Configure /var/log" + import_tasks: cis_1.1.5.x.yml + +- name: "SECTION | 1.1.6.x | Configure /var/log/audit" + import_tasks: cis_1.1.6.x.yml + +- name: "SECTION | 1.1.7.x | Configure /home" + import_tasks: cis_1.1.7.x.yml + +- name: "SECTION | 1.1.8.x | Configure /dev/shm" + import_tasks: cis_1.1.8.x.yml + +- name: "SECTION | 1.1.x | Disable various mounting" + import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" import_tasks: cis_1.2.x.yml -- name: "SECTION | 1.3 | Configure sudo" +- name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml + when: rhel8cis_config_aide -- name: "SECTION | 1.4 | Filesystem Integrity" - include_tasks: cis_1.4.x.yml - when: rhel9cis_config_aide +- name: "SECTION | 1.4 | Secure Boot Settings" + import_tasks: cis_1.4.x.yml -- name: "SECTION | 1.5 | Secure Boot Settings" +- name: "SECTION | 1.5 | Additional Process Hardening" import_tasks: cis_1.5.x.yml -- name: "SECTION | 1.6 | Additional Process Hardening" - import_tasks: cis_1.6.x.yml +- name: "SECTION | 1.6 | Mandatory Access Control" + include_tasks: cis_1.6.1.x.yml + when: not rhel8cis_selinux_disable -- name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - include_tasks: cis_1.7.1.x.yml - when: not rhel9cis_selinux_disable +- name: "SECTION | 1.7 | Command Line Warning Banners" + import_tasks: cis_1.7.x.yml -- name: "SECTION | 1.8 | Warning Banners" - import_tasks: cis_1.8.1.x.yml +- name: "SECTION | 1.8 
| Gnome Display Manager" + import_tasks: cis_1.8.x.yml -- name: "SECTION | 1.9 | Updated and Patches" +- name: "SECTION | 1.9 | Updates and Patches" import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" include_tasks: cis_1.10.yml when: - not system_is_ec2 - -- name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - include_tasks: cis_1.11.yml - when: - - not system_is_ec2 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml new file mode 100644 index 0000000..c627db0 --- /dev/null +++ b/tasks/section_2/cis_2.1.x.yml @@ -0,0 +1,43 @@ +--- + +- name: "2.1.1 | PATCH | Ensure time synchronization is in use" + package: + name: "{{ rhel8cis_time_synchronization }}" + state: present + when: + - rhel8cis_rule_2_1_1 + - not rhel8cis_system_is_container + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1 + +- name: "2.1.2 | PATCH | Ensure chrony is configured" + block: + - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" + template: + src: chrony.conf.j2 + dest: /etc/chrony.conf + owner: root + group: root + mode: 0644 + + - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" + lineinfile: + dest: /etc/sysconfig/chronyd + regexp: "^(#)?OPTIONS" + line: "OPTIONS=\"-u chrony\"" + state: present + create: yes + mode: 0644 + when: + - rhel8cis_time_synchronization == "chrony" + - rhel8cis_rule_2_1_2 + - not rhel8cis_system_is_container + tags: + - level1-server + - level1-workstation + - patch + - rule_2.1.2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f21bcd0..f8b492b 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
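Review bot: Sections 1.6 and 1.10 are loaded with `include_tasks` while every other section now uses `import_tasks`; a dynamic include carries no tags of its own, so a tag-filtered run such as `--tags level1-server` skips the include task itself and the SELinux and crypto-policy tasks are never loaded, even though each of them is tagged `level1-server` inside its file. Either switch both to `import_tasks` (the `when:` still applies to every imported task, as it already does for section 1.3) or add `tags: always` to the two include tasks. The 1.11 FIPS section is dropped from `main.yml` but `cis_1.11.yml` is not among the files in this change, so either that file is now orphaned or it was already missing; a comment on the removal would make the intent clear.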
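Review bot: The `2.1.2 | Set configuration` task templates `/etc/chrony.conf` but notifies no handler, so a changed configuration is not picked up by a running chronyd until something else restarts it; the `lineinfile` on `/etc/sysconfig/chronyd` has the same gap. Add a `notify:` to a chronyd-restart handler on both tasks (the role's handlers file is not in this diff, so the exact handler name is not visible here). The 2.1.2 task is also the only task in this change with neither an `automated` nor a `manual` tag, and `create: yes` should be `create: true` (yamllint `truthy`). The `| 1` suffix in the task name `modify /etc/sysconfig/chronyd | 1` reads like a leftover from a numbered pair; drop it unless a second step is planned.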
@@ -1,288 +1,345 @@ --- -- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed" - block: - - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" - shell: rpm -qa | grep xorg-x11 - args: - warn: false - failed_when: xorg_x11_installed.rc >=2 - check_mode: false - changed_when: false - register: xorg_x11_installed - - - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" - shell: "dnf remove {{ item }}" - args: - warn: false - with_items: - - xorg_x11_installed.stdout_lines - when: xorg_x11_installed.stdout | length > 0 +- name: "2.2.1 | PATCH | Ensure xinetd is not installed" + package: + name: xinetd + state: absent when: - - not rhel9cis_xwindows_required - - rhel9cis_rule_2_2_2 + - rhel8cis_rule_2_2_1 + - not rhel8cis_xinetd_server + - "'xinetd' in ansible_facts.packages" tags: - level1-server - - scored - - xwindows + - level1-workstation + - automated - patch + - rule_2.2.1 + +- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed" + package: + name: xorg-x11-server-common + state: absent + when: + - rhel8cis_rule_2_2_2 + - "'xorg-x11-server-common' in ansible_facts.packages" + tags: + - level1-server + - automated + - patch + - x11 - rule_2.2.2 -- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled " - service: - name: rsyncd - state: stopped - enabled: false +- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" + package: + name: + - avahi-autoipd + - avahi + state: absent when: - - not rhel9cis_rsyncd_server - - "'rsyncd' in ansible_facts.packages" - - rhel9cis_rule_2_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.3 - -- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled" - service: - name: avahi-daemon - state: stopped - enabled: false - when: - - not rhel9cis_avahi_server - - "'avahi' in ansible_facts.packages" - - rhel9cis_rule_2_2_4 - tags: - - level1-server - - 
level1-workstation - - scored - - avahi - - services - - patch - - rule_2.2.4 - -- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled" - service: - name: snmpd - state: stopped - enabled: false - when: - - not rhel9cis_snmp_server - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_2_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.5 - -- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled" - service: - name: squid - state: stopped - enabled: false - when: - - not rhel9cis_squid_server - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.6 - -- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled" - service: - name: smb - state: stopped - enabled: false - when: - - not rhel9cis_smb_server - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.7 - -- name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled" - service: - name: dovecot - state: stopped - enabled: false - when: - - not rhel9cis_dovecot_server - - "'dovecot' in ansible_facts.packages" - - rhel9cis_rule_2_2_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.8 - -- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled" - service: - name: httpd - state: stopped - enabled: false - when: - - not rhel9cis_httpd_server - - "'httpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.9 - -- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled" - service: - name: vsftpd - state: stopped - enabled: false - when: - - not rhel9cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.10 - -- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled" - service: - 
name: named - state: stopped - enabled: false - when: - - not rhel9cis_named_server - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_11 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.11 - -- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled" - service: - name: nfs-server - state: stopped - enabled: false - when: - - not rhel9cis_nfs_rpc_server - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 - tags: - - level1-server - - level1-workstation - - scored - - nfs - - services - - patch - - rule_2.2.12 - -- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled" - service: - name: rpcbind - state: stopped - enabled: false - when: - - not rhel9cis_nfs_rpc_server - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_13 - tags: - - level1-server - - level1-workstation - - scored - - rpc - - services - - patch - - rule_2.2.7 - -- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled" - service: - name: slapd - state: stopped - enabled: false - when: - - not rhel9cis_ldap_server - - "'openldap-servers' in ansible_facts.packages" - - rhel9cis_rule_2_2_14 - tags: - - level1-server - - level1-workstation - - scored - - ldap - - services - - patch - - rule_2.2.6 - -- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled" - service: - name: dhcpd - state: stopped - enabled: false - when: - - not rhel9cis_dhcp_server - - "'dhcp' in ansible_facts.packages" - - rhel9cis_rule_2_2_15 - tags: - - level1-server - - level1-workstation - - scored - - dhcp - - services - - patch - - rule_2.2.15 - -- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled" - service: - name: cups - state: stopped - enabled: false - when: - - not rhel9cis_cups_server - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 + - rhel8cis_rule_2_2_3 + - not rhel8cis_avahi_server + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - level2-workstation - - scored - 
- cups - - services + - automated - patch - - rule_2.2.16 + - avahi + - rule_2.2.3 -- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled" - service: - name: ypserv - state: stopped - enabled: false +- name: "2.2.4 | PATCH | Ensure CUPS is not installed" + package: + name: cups + state: absent when: - - not rhel9cis_nis_server - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 + - not rhel8cis_cups_server + - "'cups' in ansible_facts.packages" + - rhel8cis_rule_2_2_3 + tags: + - level1-server + - automated + - patch + - cups + - rule_2.2.3 + +- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" + package: + name: dhcp-server + state: absent + when: + - not rhel8cis_dhcp_server + - "'dhcp-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_5 tags: - level1-server - level1-workstation + - audtomated - patch + - dhcp + - rule_2.2.5 + +- name: "2.2.6 | PATCH | Ensure DNS Server is not installed" + package: + name: bind + state: absent + when: + - not rhel8cis_dns_server + - "'bind' in ansible_facts.packages" + - rhel8cis_rule_2_2_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dns + - rule_2.2.6 + +- name: "2.2.7 | PATCH | Ensure FTP Server is not installed" + package: + name: ftp + state: absent + when: + - not rhel8cis_ftp_server + - "'ftp' in ansible_facts.packages" + - rhel8cis_rule_2_2_7 + tags: + - level1-server + - level1-workstation + - automation + - patch + - ftp + - rule_2.2.7 + +- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" + package: + name: vsftpd + state: absent + when: + - not rhel8cis_vsftpd_server + - "'vsftpd' in ansible_facts.packages" + - rhel8cis_rule_2_2_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - vsftpd + - rule_2.2.8 + +- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" + package: + name: tftp-server + state: absent + when: + - not rhel8cis_tftp_server + - "'tftp-server' in ansible_facts.packages" + - 
rhel8cis_rule_2_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - rule_2.2.9 + +- name: "2.2.10 | PATCH | Ensure a web server is not installed" + block: + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server" + package: + name: httpd + state: absent + when: + - not rhel8cis_httpd_server + - "'httpd' in ansible_facts.packages" + + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" + package: + name: nginx + state: absent + when: + - not rhel8cis_nginx_server + - "'nginx' in ansible_facts.packages" + when: + - rhel8cis_rule_2_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - httpd + - nginx + - webserver + - rule_2.2.9 + +- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - dovecot + - cyrus-imapd + state: absent + when: + - not rhel8cis_dovecot_cyrus_server + - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" + - rhel8cis_rule_2_2_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dovecot + - imap + - pop3 + - rule_2.2.11 + +- name: "2.2.12 | PATCH | Ensure Samba is not enabled" + package: + name: samba + state: absent + when: + - not rhel8cis_samba_server + - "'samba' in ansible_facts.packages" + - rhel8cis_rule_2_2_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - samba + - rule_2.2.12 + +- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" + package: + name: squid + state: absent + when: + - not rhel8cis_squid_server + - "'squid' in ansible_facts.packages" + - rhel8cis_rule_2_2_6 + tags: + - level1-server + - level1-workstation + - automation + - patch + - squid + - rule_2.2.13 + +- name: "2.2.14 | PATCH | Ensure net-snmp is not installed" + package: + name: net-snmp + state: absent + when: + - not rhel8cis_snmp_server + - "'net-snmp' in ansible_facts.packages" + - 
rhel8cis_rule_2_2_14 + tags: + - level1-server + - level1-workstation + - automation + - patch + - snmp + - rule_2.2.14 + +- name: "2.2.15 | PATCH | Ensure NIS Server is not installed" + package: + name: ypserv + state: absent + when: + - not rhel8cis_nis_server + - "'ypserv' in ansible_facts.packages" + - rhel8cis_rule_2_2_17 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nis - rule_2.2.17 -- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode" +- name: "2.2.16 | PATCH | Ensure telnet-server is not installed" + package: + name: telnet-server + state: absent + when: + - not rhel8cis_telnet_server + - "'telnet-server' in ansible_facts.packages" + - rhel8cis_rule_2_2_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - telnet + - rule_2.2.16 + +- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" lineinfile: dest: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" notify: restart postfix when: - - not rhel9cis_is_mail_server + - not rhel8cis_is_mail_server - "'postfix' in ansible_facts.packages" - - rhel9cis_rule_2_2_18 + - rhel8cis_rule_2_2_17 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1 + - postfix + - rule_2.2.17 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" + package: + name: nfs-utils + state: absent + when: + - not rhel8cis_nfs_server + - "'nfs-utils' in ansible_facts.packages" + - rhel8cis_rule_2_2_18 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nfs + - services + - rule_2.2.18 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with 
removing to remove the security/update overhead with having the package installed +- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" + package: + name: rpcbind + state: absent + when: + - not rhel8cis_rpc_server + - "'rpcbind' in ansible_facts.packages" + - rhel8cis_rule_2_2_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rpc + - rule_2.2.19 + +# The name title of the service says mask the service, but the fix allows for both options +# We went with removing to remove the security/update overhead with having the package installed +- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " + package: + name: rsync + state: absent + when: + - not rhel8cis_rsync_server + - "'rsync' in ansible_facts.packages" + - rhel8cis_rule_2_2_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rsync + - rule_2.2.20 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 875eff8..ee52a75 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml 
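Review bot: Several of the new package-removal tasks are gated on the wrong rule variable, which silently couples unrelated controls: 2.2.4 (CUPS) runs on `rhel8cis_rule_2_2_3` and is tagged `rule_2.2.3`, 2.2.10 (web servers) runs on `rhel8cis_rule_2_2_9` and is tagged `rule_2.2.9`, 2.2.13 (squid) runs on `rhel8cis_rule_2_2_6`, and 2.2.15 (NIS) runs on `rhel8cis_rule_2_2_17` and is tagged `rule_2.2.17` — so an operator who sets `rhel8cis_rule_2_2_3: false` to keep Avahi also keeps CUPS, and `--tags rule_2.2.4` selects nothing. Each task should use its own number, e.g. `- rhel8cis_rule_2_2_4` and `- rule_2.2.4` for the CUPS task. The Avahi condition tests `'avahi-autopd' in ansible_facts.packages` while the package list removes `avahi-autoipd`, so a host with only autoipd installed is skipped. Tag spelling is also inconsistent — `audtomated` on 2.2.5, `automation` on 2.2.7/2.2.13/2.2.14, `PACH` in the 2.2.9 name — which breaks `--tags automated` for those tasks.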
@@ -1,43 +1,97 @@ --- -- name: "2.3.1 | L1 | PATCH | Ensure NIS Client is not installed" +- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" package: name: ypbind state: absent when: - - not rhel9cis_ypbind_required + - not rhel8cis_ypbind_required - "'ypbind' in ansible_facts.packages" - - rhel9cis_rule_2_3_1 + - rhel8cis_rule_2_3_1 tags: - level1-server - level1-workstation + - automated - patch + - nis - rule_2.3.1 -- name: "2.3.2 | L1 | PATCH | Ensure telnet client is not installed" +- name: "2.3.2 | PATCH | Ensure rsh client is not installed" + package: + name: rsh + state: absent + when: + - not rhel8cis_rsh_required + - "'rsh' in ansible_facts.packages" + - rhel8cis_rule_2_3_2 + tags: + - level1-server + - level2-server + - automated + - patch + - rsh + - rule_2.3.2 + +- name: "2.3.3 | PATCH | Ensure talk client is not installed" + package: + name: talk + state: absent + when: + - not rhel8cis_talk_required + - "'talk' in ansible_facts.packages" + - rhel8cis_rule_2_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - talk + - rule_2.3.3 + +- name: "2.3.4 | PATCH | Ensure telnet client is not installed" package: name: telnet state: absent when: - - not rhel9cis_telnet_required + - not rhel8cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel9cis_rule_2_3_2 + - rhel8cis_rule_2_3_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.2 + - telnet + - rule_2.3.4 -- name: "2.3.3 | L1 | PATCH | Ensure LDAP client is not installed" +- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" package: name: openldap-clients state: absent when: - - not rhel9cis_openldap_clients_required + - not rhel8cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_3 + - rhel8cis_rule_2_3_5 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.3 + - ldap + - rule_2.3.5 + +- name: "2.3.6 | PATCH | Ensure TFTP client is not 
installed" + package: + name: tftp + state: absent + when: + - not rhel8cis_tftp_client + - "'tftp' in ansible_facts.packages" + - rhel8cis_rule_2_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - rule_2.3.6 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml new file mode 100644 index 0000000..8460874 --- /dev/null +++ b/tasks/section_2/cis_2.4.yml @@ -0,0 +1,26 @@ +--- + +- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" + block: + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services" + shell: systemctl list-units --type=service + changed_when: false + failed_when: false + check_mode: no + register: rhel8cis_2_4_services + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" + debug: + msg: + - "Alert! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ rhel8cis_2_4_services.stdout_lines }}" + when: + - rhel8cis_rule_2_4 + tags: + - level1-server + - level1-workstation + - manual + - audit + - services + - rule_2.4 \ No newline at end of file diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 2b705ae..731f10c 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- -- name: "SECTION | 2.1 | xinetd" - import_tasks: cis_2.1.1.yml - -- name: "SECTION | 2.2.1 | Time Synchronization" - import_tasks: cis_2.2.1.x.yml +- name: "SECTION | 2.1 | Time Synchronization" + import_tasks: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" import_tasks: cis_2.3.x.yml + +- name: "SECTION | 2.4 | Nonessential services removed" + import_tasks: cis_2.4.yml \ No newline at end of file
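Review bot: The 2.3.2 rsh task is tagged `level1-server` and `level2-server`, whereas every sibling task in this file carries the `level1-server`/`level1-workstation` pair; the second tag looks like a copy-paste slip and means a workstation run (`--tags level1-workstation`) never removes `rsh`. Change it to `- level1-workstation` unless the benchmark really scopes this control to servers only, in which case a comment should say so.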
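Review bot: In the new 2.4 audit, `failed_when: false` on the `systemctl list-units` task means a failing listing yields an empty `stdout_lines`, and the debug task then reports "no services" with no sign that the audit itself failed; drop `failed_when: false`, or include `rhel8cis_2_4_services.rc` in the debug message so a broken audit is visible. The command uses no shell features, so `command: systemctl list-units --type=service` is the idiomatic module and avoids the ansible-lint `command-instead-of-shell` warning, and `check_mode: no` should be `check_mode: false` (yamllint `truthy`). Both new files in this change end without a trailing newline (`\ No newline at end of file`).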