---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
  # The sysctl key itself is not written by this task. set_fact only raises the
  # flag consumed by the 'update sysctl' handler (defined elsewhere), which is
  # what writes /etc/sysctl.d/60-kernel_sysctl.conf, as the debug message says.
  block:
    - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true

    - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
  # Whole block is gated on the per-rule switch.
  when: rhel9cis_rule_1_5_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sysctl
    - rule_1.5.1
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-6.1
- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
  # Same pattern as 1.5.1: the task only flags the 'update sysctl' handler
  # (defined elsewhere); the handler is what writes
  # /etc/sysctl.d/60-kernel_sysctl.conf, as the debug message says.
  block:
    - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true

    - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
  # Whole block is gated on the per-rule switch.
  when: rhel9cis_rule_1_5_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sysctl
    - rule_1.5.2
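- name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled"
  when:
    - rhel9cis_rule_1_5_3
    # Same guard as 1.5.4: lineinfile fails on a missing path, so skip rather
    # than error when coredump.conf is absent.
    - prelim_systemd_coredump.stat.exists
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sysctl
    - rule_1.5.3
    - NIST800-53R5_CM-6b
  ansible.builtin.lineinfile:
    path: /etc/systemd/coredump.conf
    # Match any active ProcessSizeMax assignment so it is replaced in place.
    # The previous pattern ('...[1-9]$') only matched values ending in a
    # non-zero digit, so settings such as 100, 2G or infinity were left
    # untouched and ProcessSizeMax=0 was appended next to them. Matching the
    # hardened line too keeps the task idempotent.
    regexp: '^\s*ProcessSizeMax\s*='
    line: 'ProcessSizeMax=0'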
- name: "1.5.4 | PATCH | Ensure core dump storage is disabled"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_1.5.4
  # Runs only when the rule is enabled and the prelim stat found
  # coredump.conf; lineinfile would fail on a missing path otherwise.
  when:
    - rhel9cis_rule_1_5_4
    - prelim_systemd_coredump.stat.exists
  ansible.builtin.lineinfile:
    path: /etc/systemd/coredump.conf
    # Negative lookahead: any Storage= value other than none is replaced in
    # place. An existing Storage=none line is not matched and is left as is.
    regexp: '^Storage\s*=\s*(?!none).*'
    line: 'Storage=none'
  notify: Systemd daemon reload