Michael Hicks
c4a97079b1
added guardrails on enabled and state flags to systemd mask tasks to only disable and stop when the package is installed, otherwise just mask to prevent the service from ever starting should it get installed at a later time. This allows hardening to proceed when the service doesn't exist but masking has been requested. Otherwise the playbook run will fail at a step when the service which comes with the package doesn't already exist
...
Signed-off-by: Michael Hicks <nooneofconsequence@gmail.com>
2026-03-04 11:42:10 -08:00
Frederick Witty
de7555aa10
Update Changelog with fixes
...
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
2025-09-02 17:14:30 -04:00
Mark Bolwell
82f7b53a67
Merge branch 'lint_dec24' into alignment
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-11 13:36:08 +00:00
Mark Bolwell
88ac5c3d65
Lint updates
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-11 11:49:02 +00:00
Mark Bolwell
2de8a39cdc
updated yamllint, company naming, linting and spacing
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-04 12:00:12 +00:00
Mark Bolwell
22a1955948
Updated nftables prereqs for table
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-09-09 13:59:31 +01:00
Mark Bolwell
ab3c9cc8aa
Updated 4.3.2
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-09-09 12:10:38 +01:00
Mark Bolwell
14d038e8eb
renamed variables
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-09-05 17:36:07 +01:00
Mark Bolwell
aa0f4d0f6d
section4 v2 initial
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-07-24 13:57:29 +01:00
Mark Bolwell
20e2986406
capture only configuration lines from rsyslog
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-06-05 17:10:22 +01:00
RoboPickle
6eeae19517
Address issues in 4.1.1.2 and 4.1.1.3 including idempotent status (#188)
...
* Fixed issues with 4.1.1.2 and 4.1.1.3
Now handle multiple kernels and are idempotent
Signed-off-by: John Foster <robopickle@proton.me>
* Fixed issues with 4.1.1.2 and 4.1.1.3
Now handle multiple kernels and are idempotent
Removed debug messages
Signed-off-by: John Foster <robopickle@proton.me>
---------
Signed-off-by: John Foster <robopickle@proton.me>
2024-03-14 17:13:34 +00:00
uk-bolly
7d7b6132f4
March 24 to devel (#186)
...
* Issue #170, PR #181 thanks to @ipruteanu-sie
* issue #182, PR #183 thanks to @ipruteanu-sie
* PR #180 thanks to @ipruteanu-sie and @raabf
* Addressed PR #165 thanks to @ipruteanu-sie
* PT #184 addressed thanks to @ipruteanu-sie
* updated credits
* typo and ssh allow_deny comments
* enable OS check
---------
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-03-06 16:52:38 +00:00
uk-bolly
0f58436212
Gpg import for rhel servers (#185)
...
* change logic thanks to @rjacobs1990 see #175
* 1.2.1 force gpg import rhel
* fix missing facts
---------
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-03-06 09:10:06 +00:00
uk-bolly
40bc7aa082
Feb24 updates (#179)
...
* change logic thanks to @rjacobs1990 see #175
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* thanks to @ipruteani-sie #134
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Thanks to @stwongst #125
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* thanks to @sgomez86 #146
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Added updates from #115
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* removed rp_filter in post added in error
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated yamllint precommit
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated fqcn for json_query
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typo for virt type query
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---------
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-02-20 15:43:43 +00:00
uk-bolly
06ec3de5c4
Merge pull request #175 from rjacobs1990/bugfix/fix-permissions-logfiles
...
fix: idempotency molecule issue fixed for logfiles #173
2024-02-19 14:16:21 +00:00
rjacobs1990
742165cd72
fix: more readable condition and prevent skipping 0600 #173
...
Signed-off-by: rjacobs1990 <ricardojacobs20@gmail.com>
2024-02-12 16:21:31 +01:00
rjacobs1990
8652390beb
fix: idempotency molecule issue fixed for logfiles and prevent skipping 0600 #173
...
Signed-off-by: rjacobs1990 <ricardojacobs20@gmail.com>
2024-02-12 15:55:42 +01:00
rjacobs1990
c805ee398b
fix: idempotency molecule issue fixed for logfiles #173
...
Signed-off-by: rjacobs1990 <ricardojacobs20@gmail.com>
2024-02-12 14:47:12 +01:00
Ionut Pruteanu
e2738f0a44
Fixing indentation for lines reported by yamllint
...
Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
2024-01-31 21:31:14 +02:00
Ionut Pruteanu
18803420f0
Replacing secure-configuration of 'audit' and 'audit_backlog_limit' from the /etc/default/grub approach to grubby (actually used by CIS)
...
Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
2024-01-31 21:27:00 +02:00
uk-bolly
df1aef8d31
Merge pull request #148 from siemens/siemens/feat/AuditVarsRefactoring
...
Siemens/feat/audit vars refactoring
2024-01-26 12:34:30 +00:00
uk-bolly
6f8a95c73a
Merge pull request #143 from siemens/siemens/feat/4.2.1.3conditionalAndSectionHeader
...
Siemens/feat/4.2.1.3conditional and section header
2023-12-21 08:40:41 +00:00
Ionut Pruteanu
ca41b128cd
Defining some threshold for (audit_)space_left vars, as well as a bool which governs if extra params will be configured
...
Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
2023-12-20 22:21:14 +02:00
Ionut Pruteanu
88ffe32137
Storing max_log_file under rhel9cis_auditd dict variable.
...
Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
2023-12-20 21:58:49 +02:00
Corey Reid
8d85f178e2
find hidden files in /var/log for 4.3.2
...
Signed-off-by: Corey Reid <corey.nathan.reid@gmail.com>
2023-12-17 17:36:34 +00:00
Ionut Pruteanu
e0de491263
whole section defined in cis_4.2.1.x.yml gets executed only when: rhel9cis_syslog == 'rsyslog', having same condition is redundant and may confuse users.
...
Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
2023-12-08 12:03:00 +02:00
Ionut Pruteanu
d79bba53c6
Rsyslog subsection corrected header (was using 4.2 logging name, instead of 4.2.1. rsyslog name)
...
Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
2023-12-08 12:01:10 +02:00
Mark Bolwell
e82b2cefac
quoted file mode
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-09-21 16:25:59 +01:00
Mark Bolwell
580ee762ee
fix filename
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-09-21 15:35:35 +01:00
Mark Bolwell
c5ed197e03
import_tasks file added
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-09-21 15:07:52 +01:00
Mark Bolwell
a67a484971
import_tasks file added
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-09-21 14:55:55 +01:00
Mark Bolwell
c7d72b564b
4.1.3.6 command improvement
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-05-17 15:42:30 +01:00
Thomas Merkel
2380cd46c9
Use correct backtick for regex escape
...
Depending on the Ansible version, regex escape (via slash) requires correct
backticks to work. Otherwise it would result in a syntax error.
Signed-off-by: Thomas Merkel <tm@core.io>
2023-05-04 19:40:19 +02:00
Mark Bolwell
5e5174a5b0
updated marker
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-03-10 15:19:35 +00:00
Mark Bolwell
ebdb8b9129
Updated layout
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-03-10 15:08:12 +00:00
Mark Bolwell
5a928b4304
Issue #38 thanks to bdwyertech
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-03-07 11:02:15 +00:00
Mark Bolwell
7459f1d445
idempotency improvements
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-02-27 17:26:34 +00:00
Mark Bolwell
e52cc6ca6b
4.1.4.8 tidy title remove register not used
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-31 08:31:12 +00:00
Mark Bolwell
4b1956508a
updates control steps
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-26 08:30:43 +00:00
Mark Bolwell
e641780168
replace module dest -> path
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-26 08:29:30 +00:00
Mark Bolwell
f9267a389b
remove state file on file module
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-26 08:29:03 +00:00
Mark Bolwell
10a6a2e0dd
with_items to loop
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-25 11:36:12 +00:00
Mark Bolwell
7760f35161
with_items to loop
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-25 10:01:14 +00:00
Mark Bolwell
9e63393899
removed state present from infile as default
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-25 09:47:13 +00:00
Mark Bolwell
4adb0ec812
standardize handler naming
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-25 09:41:32 +00:00
Mark Bolwell
0350e234fe
rhel_09 updates
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-24 11:02:32 +00:00
Mark Bolwell
499b67ceb2
Updated rsyslog server variable
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-19 14:51:30 +00:00
Mark Bolwell
cb609c1f1a
fqcn update
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-19 13:31:53 +00:00
Mark Bolwell
163900e277
add file exclusions
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-19 11:29:03 +00:00
Mark Bolwell
6e77a3ced6
removed older version
...
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-18 16:22:30 +00:00