ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
RHEL9-CIS/tasks/section_2/cis_2.4.x.yml
Mark Bolwell 88ac5c3d65
Lint updates 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-11 11:49:02 +00:00

173 lines
4.4 KiB
YAML
Raw Blame History

---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.1.1
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.service:
name: crond
enabled: true
- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
when: rhel9cis_rule_2_4_1_2
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.1.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/crontab
owner: root
group: root
mode: 'og-rwx'
- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
when: rhel9cis_rule_2_4_1_3
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.1.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/cron.hourly
state: directory
owner: root
group: root
mode: 'og-rwx'
- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
when: rhel9cis_rule_2_4_1_4
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.1.4
ansible.builtin.file:
path: /etc/cron.daily
state: directory
owner: root
group: root
mode: 'og-rwx'
- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
when: rhel9cis_rule_2_4_1_5
tags:
- level1-server
- level1-workstation
- patch
- rule_2.4.1.5
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/cron.weekly
state: directory
owner: root
group: root
mode: 'og-rwx'
- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
when: rhel9cis_rule_2_4_1_6
tags:
- level1-server
- level1-workstation
- patch
- rule_2.4.1.6
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/cron.monthly
state: directory
owner: root
group: root
mode: 'og-rwx'
- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
when: rhel9cis_rule_2_4_1_7
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.1.7
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/cron.d
state: directory
owner: root
group: root
mode: 'og-rwx'
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
when: rhel9cis_rule_2_4_1_8
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.1.8
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
ansible.builtin.file:
path: /etc/cron.deny
state: absent
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists"
ansible.builtin.stat:
path: "/etc/cron.allow"
register: discovered_cron_allow_state
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
ansible.builtin.file:
path: /etc/cron.allow
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: 'u-x,g-wx,o-rwx'
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
when: rhel9cis_rule_2_4_2_1
tags:
- level1-server
- level1-workstation
- patch
- cron
- rule_2.4.2.1
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
ansible.builtin.file:
path: /etc/at.deny
state: absent
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
ansible.builtin.stat:
path: "/etc/at.allow"
register: discovered_at_allow_state
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
ansible.builtin.file:
path: /etc/at.allow
state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: 'u-x,g-wx,o-rwx'
Reference in a new issue View git blame Copy permalink