ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-25 14:43:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
RHEL9-CIS/tasks/section_5/cis_5.6.x.yml
Mark Bolwell 388dbd797c
fix typo 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-26 14:17:29 +00:00

133 lines
4.1 KiB
YAML
Raw Blame History

---
- name: "5.6.2 | PATCH | Ensure system accounts are secured"
block:
- name: "5.6.2 | Ensure system accounts are secured | Set nologin"
ansible.builtin.user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "root"
- item.id != "sync"
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- min_int_uid | int < item.gid
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
label: "{{ item.id }}"
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
ansible.builtin.user:
name: "{{ item.id }}"
password_lock: true
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- item.gid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
label: "{{ item.id }}"
when:
- rhel9cis_rule_5_6_2
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.2
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
ansible.builtin.blockinfile:
path: "{{ item.path }}"
state: "{{ item.state }}"
marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED"
create: true
mode: 0644
block: |
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT
readonly TMOUT
loop:
- { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
- { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
when:
- rhel9cis_rule_5_6_3
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.3
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
ansible.builtin.user:
name: root
group: 0
when:
- rhel9cis_rule_5_6_4
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.4
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
ansible.builtin.replace:
path: /etc/login.defs
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' }
- { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' }
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
ansible.builtin.replace:
path: /etc/bashrc
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: '\1 027'
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
ansible.builtin.replace:
path: /etc/profile
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: '\1 027'
when:
- rhel9cis_rule_5_6_5
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.5
- name: "5.6.6 | PATCH | Ensure root password is set"
block:
- name: "5.6.6 | PATCH | Ensure root password is set"
ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
changed_when: false
register: root_passwd
- name: "5.6.6 | PATCH | Ensure root password is set"
ansible.builtin.fail:
msg: The root password is not set
when: root_passwd.rc != 0
when:
- rhel9cis_rule_5_6_6
tags:
- level1-server
- level1-workstation
- patch
- accounts
- root
- rule_5.6.6
Reference in a new issue View git blame Copy permalink