ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

documented 1.2.4 for rhel

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-20 17:14:24 +00:00
parent 02113b783a
commit fdf298328c
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
4 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -82,3 +82,9 @@ Below is an example of the tag section from a control within this role. Using th
- patch - patch
- rule_2.2.4 - rule_2.2.4
``` ```
### Known Issues
CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. Rocky and Alma not affected.
Variable used to unset.
rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability

3
defaults/main.yml
View file

@ -365,6 +365,9 @@ rhel9cis_rh_sub_password: password
# RedHat Satellite Subscription items # RedHat Satellite Subscription items
rhel9cis_rhnsd_required: false rhel9cis_rhnsd_required: false
# 1.2.4 repo_gpgcheck
rhel9cis_rhel_default_repo: true
# 1.4.2 Bootloader password # 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
rhel9cis_bootloader_password: random rhel9cis_bootloader_password: random

1
tasks/prelim.yml
View file

@ -112,6 +112,7 @@
state: latest state: latest
when: when:
- rhel9cis_rule_1_2_4 - rhel9cis_rule_1_2_4
- ansible_distribution != 'RedHat'
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
ansible.builtin.package: ansible.builtin.package:

7
tasks/section_1/cis_1.2.x.yml
View file

@ -101,16 +101,17 @@
register: repo_files register: repo_files
- name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
ansible.builtin.lineinfile: ansible.builtin.replace:
path: "{{ item.path }}" path: "{{ item.path }}"
regexp: '^repo_gpgcheck' regexp: '^repo_gpgcheck( |)=( |)0'
line: repo_gpgcheck=1 replace: repo_gpgcheck=1
loop: "{{ repo_files.files }}" loop: "{{ repo_files.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
when: when:
- rhel9cis_rule_1_2_4 - rhel9cis_rule_1_2_4
- not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat'
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation