Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-05 10:24:47 +01:00
parent 4e873bc0d6
commit 13a6746997
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
24 changed files with 104 additions and 107 deletions


@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password
rhel9cis_rhnsd_required: false rhel9cis_rhnsd_required: false
# 1.4.2 Bootloader password # 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random rhel9cis_bootloader_password: random
@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld
##### firewalld ##### firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
#### nftables #### nftables
rhel9cis_nftables_firewalld_state: absent rhel9cis_nftables_firewalld_state: absent
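Review bot: The placeholder on `rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'` carries no comment saying how it is consumed or how to produce a real value, even though tasks/main.yml in this same commit asserts that it has been changed whenever rhel9cis_set_boot_pass is true. A comment above it such as `# Placeholder only: generate a real hash with grub2-mkpasswd-pbkdf2 and supply it via vault/extra-vars; the role fails when rhel9cis_set_boot_pass is true and this value is unchanged` would make that contract visible where the variable is defined. The same reasoning applies to `rhel9cis_rh_sub_password: password` in the hunk header context, which presumably is meant never to hold a real credential in a committed defaults file.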


@ -39,11 +39,11 @@
- name: reload sysctl - name: reload sysctl
sysctl: sysctl:
name: net.ipv4.route.flush name: net.ipv4.route.flush
value: '1' value: '1'
state: present state: present
reload: true reload: true
ignoreerrors: true ignoreerrors: true
when: when:
- ansible_virtualization_type != "docker" - ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages" - "'systemd' in ansible_facts.packages"


@ -6,4 +6,3 @@
roles: roles:
- role: "{{ playbook_dir }}" - role: "{{ playbook_dir }}"


@ -22,7 +22,7 @@ galaxy_info:
- disa - disa
- rhel9 - rhel9
collections: collections:
- community.general - community.general
- community.crypto - community.crypto
- ansible.posix - ansible.posix
dependencies: [] dependencies: []


@ -7,8 +7,8 @@
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when: when:
- os_check - os_check
- not system_is_ec2 - not system_is_ec2
tags: tags:
- always - always
@ -53,128 +53,128 @@
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
when: when:
- rhel9cis_set_boot_pass - rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2 - rhel9cis_rule_1_5_2
- name: "check sugroup exists if used" - name: "check sugroup exists if used"
block: block:
- name: "Check su group exists if defined" - name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args: args:
warn: false warn: false
register: sugroup_exists register: sugroup_exists
changed_when: false changed_when: false
failed_when: sugroup_exists.rc >= 2 failed_when: sugroup_exists.rc >= 2
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: Check sugroup if defined exists before continuing - name: Check sugroup if defined exists before continuing
assert: assert:
that: sugroup_exists.rc == 0 that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when: when:
- rhel9cis_sugroup is defined - rhel9cis_sugroup is defined
- rhel9cis_rule_5_7 - rhel9cis_rule_5_7
tags: tags:
- rule_5.7 - rule_5.7
- name: Gather the package facts - name: Gather the package facts
package_facts: package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: Include OS specific variables - name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml" include_vars: "{{ ansible_distribution }}.yml"
tags: tags:
- always - always
- name: Include preliminary steps - name: Include preliminary steps
import_tasks: prelim.yml import_tasks: prelim.yml
tags: tags:
- prelim_tasks - prelim_tasks
- always - always
- name: run pre_remediation audit - name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml include_tasks: pre_remediation_audit.yml
when: when:
- run_audit - run_audit
- name: Gather the package facts after prelim - name: Gather the package facts after prelim
package_facts: package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: capture /etc/password variables - name: capture /etc/password variables
include_tasks: parse_etc_password.yml include_tasks: parse_etc_password.yml
when: when:
- rhel9cis_section6 - rhel9cis_section6
tags: tags:
- rule_5.5.2 - rule_5.5.2
- rule_5.6.2 - rule_5.6.2
- rule_6.2.9 - rule_6.2.9
- rule_6.2.10 - rule_6.2.10
- rule_6.2.11 - rule_6.2.11
- rhel9cis_section5 - rhel9cis_section5
- rhel9cis_section6 - rhel9cis_section6
- name: run Section 1 tasks - name: run Section 1 tasks
import_tasks: section_1/main.yml import_tasks: section_1/main.yml
become: true become: true
when: rhel9cis_section1 when: rhel9cis_section1
tags: tags:
- rhel9cis_section1 - rhel9cis_section1
- name: run Section 2 tasks - name: run Section 2 tasks
import_tasks: section_2/main.yml import_tasks: section_2/main.yml
become: true become: true
when: rhel9cis_section2 when: rhel9cis_section2
tags: tags:
- rhel9cis_section2 - rhel9cis_section2
- name: run Section 3 tasks - name: run Section 3 tasks
import_tasks: section_3/main.yml import_tasks: section_3/main.yml
become: true become: true
when: rhel9cis_section3 when: rhel9cis_section3
tags: tags:
- rhel9cis_section3 - rhel9cis_section3
- name: run Section 4 tasks - name: run Section 4 tasks
import_tasks: section_4/main.yml import_tasks: section_4/main.yml
become: true become: true
when: rhel9cis_section4 when: rhel9cis_section4
tags: tags:
- rhel9cis_section4 - rhel9cis_section4
- name: run Section 5 tasks - name: run Section 5 tasks
import_tasks: section_5/main.yml import_tasks: section_5/main.yml
become: true become: true
when: rhel9cis_section5 when: rhel9cis_section5
tags: tags:
- rhel9cis_section5 - rhel9cis_section5
- name: run Section 6 tasks - name: run Section 6 tasks
import_tasks: section_6/main.yml import_tasks: section_6/main.yml
become: true become: true
when: rhel9cis_section6 when: rhel9cis_section6
tags: tags:
- rhel9cis_section6 - rhel9cis_section6
- name: run post remediation tasks - name: run post remediation tasks
import_tasks: post.yml import_tasks: post.yml
become: true become: true
tags: tags:
- post_tasks - post_tasks
- always - always
- name: run post_remediation audit - name: run post_remediation audit
import_tasks: post_remediation_audit.yml import_tasks: post_remediation_audit.yml
when: when:
- run_audit - run_audit
- name: Show Audit Summary - name: Show Audit Summary
debug: debug:
msg: "{{ audit_results.split('\n') }}" msg: "{{ audit_results.split('\n') }}"
when: when:
- run_audit - run_audit
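Review bot: The su-group check at `shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group` interpolates a role variable straight into a shell line and depends on `warn: false`, an argument of command/shell that is deprecated and dropped in later ansible-core releases, so the task will eventually fail with an unsupported-parameter error. The getent module answers the same question without a shell and without the skip_ansible_lint tag: with `fail_key: false` a missing group yields a null entry in ansible_facts.getent_group instead of a non-zero rc, and the assert can test that fact directly. The pre- and post-remediation audit tasks also differ (include_tasks versus import_tasks) for no reason visible here; inferred, but aligning them would make the when handling identical for both.
```yaml
      - name: "Check su group exists if defined"
        getent:
          database: group
          key: "{{ rhel9cis_sugroup }}"
          fail_key: false
      # … unchanged: when/tags on the enclosing block task …
      - name: Check sugroup if defined exists before continuing
        assert:
          that: ansible_facts.getent_group[rhel9cis_sugroup] is not none
          msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
```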


@ -10,7 +10,7 @@
package_facts: package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: trigger update sysctl - name: trigger update sysctl
shell: /bin/true shell: /bin/true
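Review bot: `shell: /bin/true` under `trigger update sysctl` spawns a shell solely to produce a changed result that fires the handler; shell reports changed on every run, which is what makes the notify work but is also what ansible-lint's no-changed-when rule objects to. A process-free equivalent that keeps the intent explicit is `debug:` / `msg: "Triggering the update sysctl handler"` / `changed_when: true`. The remainder of the task (its notify and tags keys) lies outside the hunk.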


@ -226,8 +226,7 @@
max_int_uid: "{{ uid_max_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}"
- debug: - debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}" msg: "{{ min_int_uid }} {{ max_int_uid }}"
when: when:
- not discover_int_uid - not discover_int_uid
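Review bot: The `- debug:` task printing `{{ min_int_uid }} {{ max_int_uid }}` has no name, which hides it in play output and trips ansible-lint's unnamed-task rule; `- name: Show minimum and maximum interactive UID in use` would suffice. Its condition `not discover_int_uid` also reads inverted for a task that prints discovered values — if that is deliberate (for instance to show the static values used when discovery is off), a one-line comment saying so would keep the next reader from "fixing" it. The set_fact task whose tail is visible at the top of the hunk starts outside it.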


@ -32,7 +32,7 @@
- rsh - rsh
- rule_2.3.2 - rule_2.3.2
- name: "2.3.3 | PATCH | Ensure talk client is not installed" - name: "2.3.3 | PATCH | Ensure talk client is not installed"
package: package:
name: talk name: talk
state: absent state: absent


@ -52,7 +52,7 @@
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_3 - rhel9cis_rule_3_3_3
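Review bot: Each `debug:` task here carries `notify: update sysctl`, but the debug module reports ok, and a handler is only notified by a task that reports changed — unless `changed_when: true` is set on lines outside this hunk (only name, debug, msg, notify and when are visible), the sysctl handler never runs and controls 3.3.3 through 3.3.8 are silently left unapplied. The same shape repeats in the hunks for 3.3.4, 3.3.5, 3.3.6, 3.3.7 and 3.3.8. Placing `changed_when: true` directly under `notify: update sysctl` in each task makes the intent explicit at the point where it matters, even if the key already exists further down.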
@ -65,7 +65,7 @@
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_4 - rhel9cis_rule_3_3_4
@ -78,7 +78,7 @@
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_5 - rhel9cis_rule_3_3_5
@ -91,7 +91,7 @@
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_6 - rhel9cis_rule_3_3_6
@ -104,7 +104,7 @@
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_7 - rhel9cis_rule_3_3_7
@ -117,7 +117,7 @@
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_8 - rhel9cis_rule_3_3_8


@ -1,3 +1,4 @@
---
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug: debug:


@ -97,15 +97,15 @@
block: block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
replace: replace:
path: /etc/libuser.conf path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$' regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512' replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
replace: replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*' regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512' replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
replace: replace:
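Review bot: `replace:` only rewrites lines that already match its regexp, so on a host where `ENCRYPT_METHOD` in /etc/login.defs is absent or commented out the task reports ok and the hashing algorithm is left as it was — the opposite of what a PATCH task for 5.5.4 should guarantee. `lineinfile` enforces presence: `lineinfile:` / `regexp: '^#?\s*ENCRYPT_METHOD'` / `line: 'ENCRYPT_METHOD SHA512'`. The libuser.conf task has the same gap, but that file is INI-style with `crypt_style` living in its `[defaults]` section, so appending with lineinfile could land the key under the wrong section; community.general.ini_file (the collection is already listed in meta/main.yml in this commit) with `section: defaults`, `option: crypt_style`, `value: sha512` is the safer form there. The enclosing block and its when/tags start and end outside the hunk.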


@ -73,8 +73,8 @@
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
user: user:
name: root name: root
group: 0 group: 0
when: when:
- rhel9cis_rule_5_6_4 - rhel9cis_rule_5_6_4
tags: tags:


@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false
rhel9cis_rule_1_1_3: false rhel9cis_rule_1_1_3: false
rhel9cis_rule_1_1_4: false rhel9cis_rule_1_1_4: false
rhel9cis_rule_1_1_5: false rhel9cis_rule_1_1_5: false
#/var # /var
rhel9cis_rule_1_1_6: false rhel9cis_rule_1_1_6: false
# /var/tmp # /var/tmp
rhel9cis_rule_1_1_7: false rhel9cis_rule_1_1_7: false