forked from ansible-lockdown/RHEL9-CIS
#54 merged into new layout
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
8f3150e6c9
commit
04cb2e0f1d
11 changed files with 22 additions and 22 deletions
|
|
@ -3,9 +3,9 @@
|
||||||
|
|
||||||
- name: Check OS version and family
|
- name: Check OS version and family
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
|
that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
|
||||||
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
|
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
|
||||||
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
|
success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
|
||||||
when:
|
when:
|
||||||
- os_check
|
- os_check
|
||||||
- not system_is_ec2
|
- not system_is_ec2
|
||||||
|
|
@ -122,7 +122,7 @@
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: Include OS specific variables
|
- name: Include OS specific variables
|
||||||
ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
|
ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -133,8 +133,8 @@
|
||||||
state: latest
|
state: latest
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_1_2_4
|
- rhel9cis_rule_1_2_4
|
||||||
- ansible_distribution != 'RedHat'
|
- ansible_facts.distribution != 'RedHat'
|
||||||
- ansible_distribution != 'OracleLinux'
|
- ansible_facts.distribution != 'OracleLinux'
|
||||||
|
|
||||||
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
|
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@
|
||||||
state: present
|
state: present
|
||||||
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
|
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
|
||||||
notify: Remount tmp
|
notify: Remount tmp
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.device }}"
|
label: "{{ item.device }}"
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@
|
||||||
fstype: "{{ item.fstype }}"
|
fstype: "{{ item.fstype }}"
|
||||||
state: present
|
state: present
|
||||||
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %}
|
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %}
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.device }}"
|
label: "{{ item.device }}"
|
||||||
notify: Change_requires_reboot
|
notify: Change_requires_reboot
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@
|
||||||
fstype: "{{ item.fstype }}"
|
fstype: "{{ item.fstype }}"
|
||||||
state: present
|
state: present
|
||||||
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
|
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.device }}"
|
label: "{{ item.device }}"
|
||||||
notify: Change_requires_reboot
|
notify: Change_requires_reboot
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@
|
||||||
fstype: "{{ item.fstype }}"
|
fstype: "{{ item.fstype }}"
|
||||||
state: present
|
state: present
|
||||||
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
|
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.device }}"
|
label: "{{ item.device }}"
|
||||||
notify: Change_requires_reboot
|
notify: Change_requires_reboot
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@
|
||||||
fstype: "{{ item.fstype }}"
|
fstype: "{{ item.fstype }}"
|
||||||
state: present
|
state: present
|
||||||
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
|
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.device }}"
|
label: "{{ item.device }}"
|
||||||
notify: Change_requires_reboot
|
notify: Change_requires_reboot
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@
|
||||||
fstype: "{{ item.fstype }}"
|
fstype: "{{ item.fstype }}"
|
||||||
state: present
|
state: present
|
||||||
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}
|
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.device }}"
|
label: "{{ item.device }}"
|
||||||
notify: Change_requires_reboot
|
notify: Change_requires_reboot
|
||||||
|
|
|
||||||
|
|
@ -23,9 +23,9 @@
|
||||||
os_gpg_key_check.rc == 1
|
os_gpg_key_check.rc == 1
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_1_2_1
|
- rhel9cis_rule_1_2_1
|
||||||
- ansible_distribution == "RedHat" or
|
- ansible_facts.distribution == "RedHat" or
|
||||||
ansible_distribution == "Rocky" or
|
ansible_facts.distribution == "Rocky" or
|
||||||
ansible_distribution == "AlmaLinux"
|
ansible_facts.distribution == "AlmaLinux"
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
|
|
@ -111,8 +111,8 @@
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_1_2_4
|
- rhel9cis_rule_1_2_4
|
||||||
- not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat'
|
- not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat'
|
||||||
- ansible_distribution != 'OracleLinux'
|
- ansible_facts.distribution != 'OracleLinux'
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
|
|
|
||||||
|
|
@ -155,7 +155,7 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: false
|
check_mode: false
|
||||||
register: rhel_09_6_1_10_audit
|
register: rhel_09_6_1_10_audit
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.mount }}"
|
label: "{{ item.mount }}"
|
||||||
when:
|
when:
|
||||||
|
|
@ -201,7 +201,7 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: rhel_09_6_1_11_audit
|
register: rhel_09_6_1_11_audit
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.mount }}"
|
label: "{{ item.mount }}"
|
||||||
when:
|
when:
|
||||||
|
|
@ -260,7 +260,7 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: rhel_09_6_1_13_suid_perms
|
register: rhel_09_6_1_13_suid_perms
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.mount }}"
|
label: "{{ item.mount }}"
|
||||||
|
|
||||||
|
|
@ -302,7 +302,7 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: rhel_09_6_1_14_sgid_perms
|
register: rhel_09_6_1_14_sgid_perms
|
||||||
loop: "{{ ansible_mounts }}"
|
loop: "{{ ansible_facts.mounts }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.mount }}"
|
label: "{{ item.mount }}"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@ benchmark_version: '1.0.0'
|
||||||
|
|
||||||
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
|
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
|
||||||
# If run via script this is discovered and set
|
# If run via script this is discovered and set
|
||||||
host_os_distribution: {{ ansible_distribution | lower }}
|
host_os_distribution: {{ ansible_facts.distribution | lower }}
|
||||||
|
|
||||||
# timeout for each command to run where set - default = 10seconds/10000ms
|
# timeout for each command to run where set - default = 10seconds/10000ms
|
||||||
timeout_ms: 60000
|
timeout_ms: 60000
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue