Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-05 10:24:47 +01:00
parent 4e873bc0d6
commit 13a6746997
GPG key ID: F734FDFC154B83FB
24 changed files with 104 additions and 107 deletions


@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password
rhel9cis_rhnsd_required: false rhel9cis_rhnsd_required: false
# 1.4.2 Bootloader password # 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random rhel9cis_bootloader_password: random
@ -454,7 +452,7 @@ rhel9cis_telnet_server: false
rhel9cis_is_mail_server: false rhel9cis_is_mail_server: false
# Note the options # Note the options
# Packages are used for client services and Server- only remove if you dont use the client service # Packages are used for client services and Server- only remove if you dont use the client service
# #
rhel9cis_use_nfs: rhel9cis_use_nfs:
- service: false - service: false
- server: false - server: false
@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld
##### firewalld ##### firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
#### nftables #### nftables
rhel9cis_nftables_firewalld_state: absent rhel9cis_nftables_firewalld_state: absent
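Review bot: `rhel9cis_rh_sub_password: password` in this hunk's header is a plaintext credential shipped as a role default, and unlike the bootloader hash (which tasks/main.yml asserts is not the `grub.pbkdf2.sha512.changethispassword` placeholder) nothing visible here rejects it before the subscription task presumably uses it. Role defaults are committed and copied into every consumer's repo, so the safer shape is no default at all, or `rhel9cis_rh_sub_password: "{{ vault_rhel9cis_rh_sub_password }}"` resolved from an Ansible Vault file, guarded by an `assert` that the variable is defined whenever `rhel9cis_rhnsd_required` is true. The bootloader placeholder should be documented as a sentinel only, e.g. `# sentinel checked by tasks/main.yml; supply a real grub2-mkpasswd-pbkdf2 hash via vault`.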


@ -33,18 +33,18 @@
- 60-disable_ipv6.conf - 60-disable_ipv6.conf
- 60-netipv4_sysctl.conf - 60-netipv4_sysctl.conf
- 60-netipv6_sysctl.conf - 60-netipv6_sysctl.conf
when: when:
- ansible_virtualization_type != "docker" - ansible_virtualization_type != "docker"
- "'procps-ng' in ansible_facts.packages" - "'procps-ng' in ansible_facts.packages"
- name: reload sysctl - name: reload sysctl
sysctl: sysctl:
name: net.ipv4.route.flush name: net.ipv4.route.flush
value: '1' value: '1'
state: present state: present
reload: true reload: true
ignoreerrors: true ignoreerrors: true
when: when:
- ansible_virtualization_type != "docker" - ansible_virtualization_type != "docker"
- "'systemd' in ansible_facts.packages" - "'systemd' in ansible_facts.packages"
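Review bot: `ignoreerrors: true` on the `reload sysctl` handler means a hardening key that fails to apply (read-only `/proc/sys` in a container, a module not loaded, a typo in one of the 60-*.conf files) is silently accepted, so the role reports success while the control is not in effect; the sysctl values are the security outcome here, so the handler should fail loudly or at least `register` the result and surface it in the audit summary. The two handlers also gate on different packages (`procps-ng` in the first hunk, `systemd` here) for what is the same sysctl dependency; aligning both on `procps-ng` removes a path where the files are written but never reloaded. Persisting `net.ipv4.route.flush` with `state: present` also writes a write-only key into the default sysctl file, which some tooling that reads keys back complains about — consider `sysctl_file` pointing at a dedicated drop-in, or a plain `command: sysctl -w net.ipv4.route.flush=1` since persistence of a flush has no meaning.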


@ -6,4 +6,3 @@
roles: roles:
- role: "{{ playbook_dir }}" - role: "{{ playbook_dir }}"


@ -22,7 +22,7 @@ galaxy_info:
- disa - disa
- rhel9 - rhel9
collections: collections:
- community.general - community.general
- community.crypto - community.crypto
- ansible.posix - ansible.posix
dependencies: [] dependencies: []


@ -6,9 +6,9 @@
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when: when:
- os_check - os_check
- not system_is_ec2 - not system_is_ec2
tags: tags:
- always - always
@ -29,7 +29,7 @@
- name: Load variable for container - name: Load variable for container
include_vars: include_vars:
file: "{{ container_vars_file }}" file: "{{ container_vars_file }}"
- name: output if discovered is a container - name: output if discovered is a container
debug: debug:
msg: system has been discovered as a container msg: system has been discovered as a container
@ -53,128 +53,128 @@
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
when: when:
- rhel9cis_set_boot_pass - rhel9cis_set_boot_pass
- rhel9cis_rule_1_5_2 - rhel9cis_rule_1_5_2
- name: "check sugroup exists if used" - name: "check sugroup exists if used"
block: block:
- name: "Check su group exists if defined" - name: "Check su group exists if defined"
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
args: args:
warn: false warn: false
register: sugroup_exists register: sugroup_exists
changed_when: false changed_when: false
failed_when: sugroup_exists.rc >= 2 failed_when: sugroup_exists.rc >= 2
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: Check sugroup if defined exists before continuing - name: Check sugroup if defined exists before continuing
assert: assert:
that: sugroup_exists.rc == 0 that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
when: when:
- rhel9cis_sugroup is defined - rhel9cis_sugroup is defined
- rhel9cis_rule_5_7 - rhel9cis_rule_5_7
tags: tags:
- rule_5.7 - rule_5.7
- name: Gather the package facts - name: Gather the package facts
package_facts: package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: Include OS specific variables - name: Include OS specific variables
include_vars: "{{ ansible_distribution }}.yml" include_vars: "{{ ansible_distribution }}.yml"
tags: tags:
- always - always
- name: Include preliminary steps - name: Include preliminary steps
import_tasks: prelim.yml import_tasks: prelim.yml
tags: tags:
- prelim_tasks - prelim_tasks
- always - always
- name: run pre_remediation audit - name: run pre_remediation audit
include_tasks: pre_remediation_audit.yml include_tasks: pre_remediation_audit.yml
when: when:
- run_audit - run_audit
- name: Gather the package facts after prelim - name: Gather the package facts after prelim
package_facts: package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: capture /etc/password variables - name: capture /etc/password variables
include_tasks: parse_etc_password.yml include_tasks: parse_etc_password.yml
when: when:
- rhel9cis_section6 - rhel9cis_section6
tags: tags:
- rule_5.5.2 - rule_5.5.2
- rule_5.6.2 - rule_5.6.2
- rule_6.2.9 - rule_6.2.9
- rule_6.2.10 - rule_6.2.10
- rule_6.2.11 - rule_6.2.11
- rhel9cis_section5 - rhel9cis_section5
- rhel9cis_section6 - rhel9cis_section6
- name: run Section 1 tasks - name: run Section 1 tasks
import_tasks: section_1/main.yml import_tasks: section_1/main.yml
become: true become: true
when: rhel9cis_section1 when: rhel9cis_section1
tags: tags:
- rhel9cis_section1 - rhel9cis_section1
- name: run Section 2 tasks - name: run Section 2 tasks
import_tasks: section_2/main.yml import_tasks: section_2/main.yml
become: true become: true
when: rhel9cis_section2 when: rhel9cis_section2
tags: tags:
- rhel9cis_section2 - rhel9cis_section2
- name: run Section 3 tasks - name: run Section 3 tasks
import_tasks: section_3/main.yml import_tasks: section_3/main.yml
become: true become: true
when: rhel9cis_section3 when: rhel9cis_section3
tags: tags:
- rhel9cis_section3 - rhel9cis_section3
- name: run Section 4 tasks - name: run Section 4 tasks
import_tasks: section_4/main.yml import_tasks: section_4/main.yml
become: true become: true
when: rhel9cis_section4 when: rhel9cis_section4
tags: tags:
- rhel9cis_section4 - rhel9cis_section4
- name: run Section 5 tasks - name: run Section 5 tasks
import_tasks: section_5/main.yml import_tasks: section_5/main.yml
become: true become: true
when: rhel9cis_section5 when: rhel9cis_section5
tags: tags:
- rhel9cis_section5 - rhel9cis_section5
- name: run Section 6 tasks - name: run Section 6 tasks
import_tasks: section_6/main.yml import_tasks: section_6/main.yml
become: true become: true
when: rhel9cis_section6 when: rhel9cis_section6
tags: tags:
- rhel9cis_section6 - rhel9cis_section6
- name: run post remediation tasks - name: run post remediation tasks
import_tasks: post.yml import_tasks: post.yml
become: true become: true
tags: tags:
- post_tasks - post_tasks
- always - always
- name: run post_remediation audit - name: run post_remediation audit
import_tasks: post_remediation_audit.yml import_tasks: post_remediation_audit.yml
when: when:
- run_audit - run_audit
- name: Show Audit Summary - name: Show Audit Summary
debug: debug:
msg: "{{ audit_results.split('\n') }}" msg: "{{ audit_results.split('\n') }}"
when: when:
- run_audit - run_audit
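Review bot: The supported-OS assertion in the first hunk of this file (`@ -6,9`) checks `ansible_distribution_major_version is version_compare('8', '==')`, so a role named rhel9cis refuses to run on RHEL 9 and accepts RHEL 8, which looks like a leftover from the RHEL8 role this was derived from; it should read `is version_compare('9', '==')`, and `and`/`or` precedence in the same expression means the `!= 'CentOS'` filter is bypassed for the Rocky branch, so wrap it as `((ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat') or ansible_os_family == "Rocky")`. The assert task itself starts above the hunk, so I cannot see whether anything else constrains it. Separately, in the `@ -53,128` hunk the su-group check runs `grep -w "{{ rhel9cis_sugroup }}" /etc/group`, which interpolates an operator variable unquoted into a shell line and also matches the name when it appears only as a member of another group; `command: getent group "{{ rhel9cis_sugroup | quote }}"` is both injection-safe and exact.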


@ -10,7 +10,7 @@
package_facts: package_facts:
manager: auto manager: auto
tags: tags:
- always - always
- name: trigger update sysctl - name: trigger update sysctl
shell: /bin/true shell: /bin/true


@ -87,7 +87,7 @@
name: audit name: audit
state: present state: present
become: true become: true
when: when:
- '"auditd" not in ansible_facts.packages' - '"auditd" not in ansible_facts.packages'
- rhel9cis_rule_4_1_1_1 - rhel9cis_rule_4_1_1_1
tags: tags:
@ -209,7 +209,7 @@
shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_min_id register: uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
@ -226,8 +226,7 @@
max_int_uid: "{{ uid_max_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}"
- debug: - debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}" msg: "{{ min_int_uid }} {{ max_int_uid }}"
when: when:
- not discover_int_uid - not discover_int_uid


@ -61,4 +61,4 @@
- skip_ansible_lint - skip_ansible_lint
- rule_1.1.4.2 - rule_1.1.4.2
- rule_1.1.4.3 - rule_1.1.4.3
- rule_1.1.4.4 - rule_1.1.4.4


@ -58,4 +58,4 @@
- skip_ansible_lint - skip_ansible_lint
- rule_1.1.6.2 - rule_1.1.6.2
- rule_1.1.6.3 - rule_1.1.6.3
- rule_1.1.6.4 - rule_1.1.6.4


@ -34,7 +34,7 @@
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
notify: notify:
- update sysctl - update sysctl
when: when:
- rhel9cis_rule_1_5_3 - rhel9cis_rule_1_5_3
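Review bot: The 1.5.3 ASLR task attaches `notify: update sysctl` to a `debug` module, but handlers only run when the notifying task reports `changed`, and `debug` never does; unless a `changed_when: true` sits below the visible lines, this control (and every other section-3 task using the same debug-plus-notify pattern) never writes its sysctl drop-in and the system silently stays unhardened. Adding `changed_when: true` directly under `notify:` makes the handler fire, at the cost of a perpetual "changed" on every run; the cleaner fix is to set the value with `ansible.posix.sysctl` and let its real change status drive the handler. The tags for this task are outside the hunk.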


@ -65,7 +65,7 @@
- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" - name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
package: package:
name: dhcp-server name: dhcp-server
state: absent state: absent
when: when:
- not rhel9cis_dhcp_server - not rhel9cis_dhcp_server
- "'dhcp-server' in ansible_facts.packages" - "'dhcp-server' in ansible_facts.packages"
@ -113,7 +113,7 @@
- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" - name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed"
package: package:
name: vsftpd name: vsftpd
state: absent state: absent
when: when:
- not rhel9cis_vsftpd_server - not rhel9cis_vsftpd_server
- "'vsftpd' in ansible_facts.packages" - "'vsftpd' in ansible_facts.packages"
@ -222,7 +222,7 @@
- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" - name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed"
package: package:
name: squid name: squid
state: absent state: absent
when: when:
- not rhel9cis_squid_server - not rhel9cis_squid_server
- "'squid' in ansible_facts.packages" - "'squid' in ansible_facts.packages"


@ -32,7 +32,7 @@
- rsh - rsh
- rule_2.3.2 - rule_2.3.2
- name: "2.3.3 | PATCH | Ensure talk client is not installed" - name: "2.3.3 | PATCH | Ensure talk client is not installed"
package: package:
name: talk name: talk
state: absent state: absent


@ -23,4 +23,4 @@
- manual - manual
- audit - audit
- services - services
- rule_2.4 - rule_2.4


@ -10,4 +10,4 @@
import_tasks: cis_2.3.x.yml import_tasks: cis_2.3.x.yml
- name: "SECTION | 2.4 | Nonessential services removed" - name: "SECTION | 2.4 | Nonessential services removed"
import_tasks: cis_2.4.yml import_tasks: cis_2.4.yml


@ -1,11 +1,11 @@
--- ---
# The CIS Control wants IPv6 disabled if not in use. # The CIS Control wants IPv6 disabled if not in use.
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
notify: notify:
- update sysctl - update sysctl
- sysctl flush ipv6 route table - sysctl flush ipv6 route table
when: when:
@ -88,4 +88,4 @@
- automated - automated
- patch - patch
- wireless - wireless
- rule_3.1.4 - rule_3.1.4


@ -5,7 +5,7 @@
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: notify:
- update sysctl - update sysctl
- sysctl flush ipv4 route table - sysctl flush ipv4 route table


@ -5,7 +5,7 @@
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: notify:
- update sysctl - update sysctl
- sysctl flush ipv4 route table - sysctl flush ipv4 route table
@ -30,7 +30,7 @@
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: notify:
- update sysctl - update sysctl
- sysctl flush ipv4 route table - sysctl flush ipv4 route table
@ -52,7 +52,7 @@
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_3 - rhel9cis_rule_3_3_3
@ -65,7 +65,7 @@
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_4 - rhel9cis_rule_3_3_4
@ -78,7 +78,7 @@
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_5 - rhel9cis_rule_3_3_5
@ -91,7 +91,7 @@
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_6 - rhel9cis_rule_3_3_6
@ -104,7 +104,7 @@
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_7 - rhel9cis_rule_3_3_7
@ -117,7 +117,7 @@
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: update sysctl notify: update sysctl
when: when:
- rhel9cis_rule_3_3_8 - rhel9cis_rule_3_3_8
@ -133,7 +133,7 @@
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
debug: debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
notify: notify:
- update sysctl - update sysctl
- sysctl flush ipv4 route table - sysctl flush ipv4 route table
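Review bot: Task 3.3.9 ("Ensure IPv6 router advertisements are not accepted") tells the operator it writes to `60-netipv4_sysctl.conf` and notifies `sysctl flush ipv4 route table`, while the IPv6 control in 3.1.1 notifies `sysctl flush ipv6 route table` and the handler file list in handlers/main.yml includes a separate `60-netipv6_sysctl.conf`; an IPv6 key flushed through the IPv4 route table will not take effect until reboot, so either the message or the handler is wrong here. Suggested lines: `msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"` and `- sysctl flush ipv6 route table`. Also note every task in this file notifies from a `debug` module, which never reports changed, so none of these handlers fire unless a `changed_when: true` exists beyond the visible lines; the remainder of 3.3.9 is outside the hunk.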


@ -1,3 +1,4 @@
---
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug: debug:


@ -168,4 +168,4 @@
- automated - automated
- patch - patch
- cron - cron
- rule_5.1.9 - rule_5.1.9


@ -54,7 +54,7 @@
with_items: with_items:
- "system-auth" - "system-auth"
- "password-auth" - "password-auth"
when: when:
- ansible_distribution_version <= "8.1" - ansible_distribution_version <= "8.1"
- rhel9cis_rule_5_5_2 - rhel9cis_rule_5_5_2
@ -67,7 +67,7 @@
with_items: with_items:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' }
when: when:
- ansible_distribution_version >= "8.2" - ansible_distribution_version >= "8.2"
- rhel9cis_rule_5_5_2 - rhel9cis_rule_5_5_2
@ -79,9 +79,9 @@
state: present state: present
line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so' insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
replace: replace:
path: /etc/pam.d/system-auth path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$' regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
@ -97,15 +97,15 @@
block: block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
replace: replace:
path: /etc/libuser.conf path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$' regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512' replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
replace: replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*' regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512' replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
replace: replace:
@ -114,7 +114,7 @@
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
replace: replace:
path: /etc/pam.d/system-auth path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$' regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
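Review bot: The 5.5.2 tasks branch on `ansible_distribution_version <= "8.1"` and `>= "8.2"`, which are lexical string comparisons, not version comparisons; they happen to route "9.0" into the 8.2+ branch, but "9.10" sorts before "9.2" and the 8.1 branch is dead code in a RHEL 9 role, so use `ansible_distribution_version is version('8.2', '>=')` or drop the split entirely. More importantly for the hardening outcome, on RHEL 8/9 `/etc/pam.d/system-auth` and `password-auth` are normally symlinks into an authselect-managed profile, and direct `replace`/`lineinfile` edits like the pam_pwhistory insert and the `pam_unix.so ... remember=` rewrite here are reverted the next time `authselect select` or `apply-changes` runs; if the targets are still authselect-managed on your hosts, the edits need to go into a custom profile (`authselect create-profile`) followed by `authselect select custom/...`. The pam_unix rewrite also replaces the whole option list, so any site-specific options already on that line are dropped silently — worth a comment stating that intent.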


@ -73,8 +73,8 @@
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
user: user:
name: root name: root
group: 0 group: 0
when: when:
- rhel9cis_rule_5_6_4 - rhel9cis_rule_5_6_4
tags: tags:


@ -4,4 +4,4 @@
import_tasks: cis_6.1.x.yml import_tasks: cis_6.1.x.yml
- name: "SECTION | 6.2 | User and Group Settings" - name: "SECTION | 6.2 | User and Group Settings"
import_tasks: cis_6.2.x.yml import_tasks: cis_6.2.x.yml


@ -1,4 +1,4 @@
--- ---
# OS Specific Settings # OS Specific Settings
rpm_gpg_key: RPM-GPG-KEY-AlmaLinux rpm_gpg_key: RPM-GPG-KEY-AlmaLinux


@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false
rhel9cis_rule_1_1_3: false rhel9cis_rule_1_1_3: false
rhel9cis_rule_1_1_4: false rhel9cis_rule_1_1_4: false
rhel9cis_rule_1_1_5: false rhel9cis_rule_1_1_5: false
#/var # /var
rhel9cis_rule_1_1_6: false rhel9cis_rule_1_1_6: false
# /var/tmp # /var/tmp
rhel9cis_rule_1_1_7: false rhel9cis_rule_1_1_7: false