18 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9bab97dccc | ||
|
|
751fac8a0c | ||
|
|
25b4bb780c | ||
|
|
3d502efaef | ||
|
|
f4a0bca52a | ||
|
|
ef2b7dca5d | ||
|
|
81a929961a | ||
|
|
16cb6a4617 | ||
|
|
151896e113 | ||
|
|
306eb59b88 | ||
|
|
7661bc0963 | ||
|
|
00e6f196b5 | ||
|
|
4567a0baad | ||
|
|
10dc297e9a | ||
|
|
21a886a81c | ||
|
|
759bbbad7e | ||
|
|
8bbccd6b62 | ||
|
|
beaeb3a181 |
9 changed files with 27 additions and 30 deletions
|
|
@ -14,4 +14,4 @@ jobs:
|
|||
- uses: actions/add-to-project@main
|
||||
with:
|
||||
project-url: https://github.com/orgs/ansible-lockdown/projects/1
|
||||
github-token: ${{ secrets.ALD_GH_PROJECT }}
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
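Review bot: `uses: actions/add-to-project@main` at the top of the hunk references the action by a mutable branch, so every run executes whatever `main` holds at that moment with the `github-token` value supplied below it; pin to a full commit SHA with the release recorded in a trailing comment, e.g. `uses: actions/add-to-project@<full-commit-sha>  # vX.Y.Z`. The same applies to `ansible-actions/ansible-galaxy-action@main` in the new `.github/workflows/update_galaxy.yml` further down this compare. The hunk also swaps `github-token` between `secrets.ALD_GH_PROJECT` and `secrets.GITHUB_TOKEN`; which side is new is not recoverable from this page, but if the workflow is moving to the default `GITHUB_TOKEN`, adding items to an organization project typically needs a token with project access that the default token does not carry, so the change should be verified against a real run. The enclosing `steps:` list starts outside the hunk.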
|
||||
|
|
|
|||
19
.github/workflows/update_galaxy.yml
vendored
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
|
||||
name: update galaxy
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
jobs:
|
||||
update_role:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Action Ansible Galaxy Release ${{ github.ref_name }}
|
||||
uses: ansible-actions/ansible-galaxy-action@main
|
||||
with:
|
||||
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
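Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` permissions even though the only credential it actually needs is `secrets.GALAXY_API_KEY`; add a top-level `permissions:` with `contents: read` below `on:` so the automatic token is read-only. The step name `Action Ansible Galaxy Release ${{ github.ref_name }}` renders as `... Release main` under the `push` trigger restricted to `branches: - main`, so it does not identify a release; either trigger on tags/releases or drop the ref from the name. Publishing on every push to `main` also means any merged commit is pushed to Galaxy immediately, which is worth a one-line comment above `on:` if that is intended.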
|
||||
|
|
@ -41,12 +41,12 @@ repos:
|
|||
- id: detect-secrets
|
||||
|
||||
- repo: https://github.com/gitleaks/gitleaks
|
||||
rev: v8.30.0
|
||||
rev: v8.28.0
|
||||
hooks:
|
||||
- id: gitleaks
|
||||
|
||||
- repo: https://github.com/ansible-community/ansible-lint
|
||||
rev: v25.12.2
|
||||
rev: v25.9.2
|
||||
hooks:
|
||||
- id: ansible-lint
|
||||
name: Ansible-lint
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# Changes to rhel9CIS
|
||||
|
||||
|
||||
## 2.0.4 - Based on CIS v2.0.0
|
||||
|
||||
- addressed issue #393 thank you to @fragglexarmy
|
||||
|
|
@ -10,9 +11,6 @@
|
|||
- work flow updates
|
||||
- audit logic improvements
|
||||
- auditd template 2.19 compatible
|
||||
- pre-commit updates
|
||||
- #410 thanks to @kpi-nourman
|
||||
- #413 thanks to @bbaassssiiee
|
||||
|
||||
## 2.0.3 - Based on CIS v2.0.0
|
||||
- addressed issue #387, thank you @fragglexarmy
|
||||
|
|
|
|||
|
|
@ -802,8 +802,6 @@ rhel9cis_tftp_client: false
|
|||
## Control 3.1.1 - Ensure IPv6 status is identified
|
||||
# This variable governs whether ipv6 is enabled or disabled.
|
||||
rhel9cis_ipv6_required: true
|
||||
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
|
||||
rhel9cis_ipv6_disable_method: "sysctl"
|
||||
|
||||
## Control 3.1.2 - Ensure wireless interfaces are disabled
|
||||
# if wireless adapter found allow network manager to be installed
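Review bot: The hunk counts (`-802,8 +802,6`) say two lines were removed and none added; if those are the `rhel9cis_ipv6_disable_method: "sysctl"` default and the comment above it, as the matching removal of the `'sysctl'`/`'kernel' in rhel9cis_ipv6_disable_method` conditions in the section 3 tasks hunk suggests, then a public role variable has been dropped without a note. Ansible does not warn about unused variables, so inventories or group_vars that still set `rhel9cis_ipv6_disable_method` would be silently ignored, and the 2.0.4 CHANGELOG entry in this compare does not mention it. If that is the case, add a changelog line and extend the comment above `rhel9cis_ipv6_required` with something like `# NOTE: rhel9cis_ipv6_disable_method has been removed; IPv6 is now handled via sysctl only`.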
|
||||
|
|
|
|||
|
|
@ -134,7 +134,7 @@
|
|||
- rule_5.4.2.4
|
||||
block:
|
||||
- name: "Ensure root password is set"
|
||||
ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
|
||||
ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
|
||||
changed_when: false
|
||||
failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
|
||||
register: prelim_root_passwd_set
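Review bot: The pipeline on the `ansible.builtin.shell` line returns grep's exit status only, so a failing `passwd -S root` (nothing on stdout) yields rc 1 — the same value the `failed_when` two lines below accepts as "no match" — and is indistinguishable from a root account with no password set; prefix the command with `set -o pipefail && ` and add `args: executable: /bin/bash` so the real exit code reaches the registered result. Separately, the two printed variants differ only in whether `Alternate authentication` counts as a match; which side is new is not recoverable from this page, but since it changes what control 5.4.2.4 treats as compliant, a one-line comment above the task stating why that state is or is not acceptable would help later audits. The enclosing `block:` starts outside the hunk.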
|
||||
|
|
|
|||
|
|
@ -16,30 +16,15 @@
|
|||
- rule_3.1.1
|
||||
- NIST800-53R5_CM-7
|
||||
block:
|
||||
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
|
||||
when: "'sysctl' in rhel9cis_ipv6_disable_method"
|
||||
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_sysctl_update: true
|
||||
rhel9cis_flush_ipv6_route: true
|
||||
|
||||
- name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
|
||||
when: "'sysctl' in rhel9cis_ipv6_disable_method"
|
||||
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
|
||||
ansible.builtin.debug:
|
||||
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
|
||||
|
||||
- name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
|
||||
when: "'kernel' in rhel9cis_ipv6_disable_method"
|
||||
ansible.builtin.command: grubby --info=ALL
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: discovered_rhel9cis_3_1_1_ipv6_status
|
||||
|
||||
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
|
||||
when:
|
||||
- "'kernel' in rhel9cis_ipv6_disable_method"
|
||||
- "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
|
||||
ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
|
||||
|
||||
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
|
||||
when:
|
||||
- rhel9cis_rule_3_1_2
|
||||
|
|
|
|||
|
|
@ -4,4 +4,4 @@
|
|||
|
||||
[org/gnome/login-screen]
|
||||
banner-message-enable=true
|
||||
banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"
|
||||
banner-message-text="{{ rhel9cis_warning_banner }}"
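Review bot: Whichever of the two `banner-message-text=` lines is the new side, the value is emitted as a double-quoted GVariant string and neither variant escapes a literal `"` or `\` occurring in `rhel9cis_warning_banner`; a banner containing either is likely to produce a key line that `dconf update` rejects, leaving the login banner unset with no task failure. If the filtered variant is the new one, escape backslashes first, then quotes, then newlines: `banner-message-text="{{ rhel9cis_warning_banner | trim | replace('\\', '\\\\') | replace('"', '\\"') | replace('\n', '\\n') }}"`. The `[org/gnome/login-screen]` group header above is unchanged context.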
|
||||
|
|
|
|||
|
|
@ -4,7 +4,4 @@
|
|||
{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
|
||||
net.ipv6.conf.all.disable_ipv6 = 1
|
||||
net.ipv6.conf.default.disable_ipv6 = 1
|
||||
{% for interface in ansible_interfaces %}
|
||||
net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
|||