sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

initial v2

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-07-24 14:05:46 +01:00
parent 6ea105374a
commit 3b346f7fe1
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
11 changed files with 1415 additions and 814 deletions
Download patch file Download diff file Expand all files Collapse all files

423
tasks/section_6/cis_6.1.x.yml
View file

@ -1,366 +1,79 @@
---
- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
ansible.builtin.file:
path: /etc/passwd
owner: root
group: root
mode: '0644'
- name: "6.1.1 | PATCH | Ensure AIDE is installed"
when:
- rhel9cis_rule_6_1_1
- rhel9cis_config_aide
- rhel9cis_rule_6_1_1
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.1
- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
ansible.builtin.file:
path: /etc/passwd-
owner: root
group: root
mode: '0644'
when:
- rhel9cis_rule_6_1_2
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.2
- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured"
ansible.builtin.file:
path: /etc/group
owner: root
group: root
mode: '0644'
when:
- rhel9cis_rule_6_1_3
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.3
- name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
ansible.builtin.file:
path: /etc/group-
owner: root
group: root
mode: '0644'
when:
- rhel9cis_rule_6_1_4
tags:
- level1-server
- level1-workstation
- patch
- permissionss
- rule_6.1.4
- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
ansible.builtin.file:
path: /etc/shadow
owner: root
group: root
mode: '0000'
when:
- rhel9cis_rule_6_1_5
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.5
- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
ansible.builtin.file:
path: /etc/shadow-
owner: root
group: root
mode: '0000'
when:
- rhel9cis_rule_6_1_6
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.6
- name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
ansible.builtin.file:
path: /etc/gshadow
owner: root
group: root
mode: '0000'
when:
- rhel9cis_rule_6_1_7
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.7
- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
ansible.builtin.file:
path: /etc/gshadow-
owner: root
group: root
mode: '0000'
when:
- rhel9cis_rule_6_1_8
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_6.1.8
- name: "6.1.9 | PATCH | Ensure no world writable files exist"
- level1-server
- level1-workstation
- aide
- patch
- rule_6.1.1
- NIST800-53R5_AU-2
block:
- name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
failed_when: false
changed_when: false
register: rhel_09_6_1_9_perms_results
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Install AIDE"
ansible.builtin.package:
name: aide
state: present
- name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
ansible.builtin.file:
path: '{{ item }}'
mode: o-w
state: touch
loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_9_perms_results.stdout_lines is defined
- rhel9cis_no_world_write_adjust
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
when: not ansible_check_mode
ansible.builtin.shell: /usr/sbin/aide --init
args:
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing"
ansible.builtin.wait_for:
path: /var/lib/aide/aide.db.new.gz
- name: "6.1.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
ansible.builtin.copy:
src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz
remote_src: true
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
when:
- rhel9cis_rule_6_1_9
- rhel9cis_rule_6_1_2
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- patch
- files
- permissions
- rule_6.1.9
- level1-server
- level1-workstation
- aide
- file_integrity
- patch
- rule_6.1.2
- NIST800-53R5_AU-2
ansible.builtin.cron:
name: Run AIDE integrity check
cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}"
user: "{{ rhel9cis_aide_cron['cron_user'] }}"
minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}"
hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}"
day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}"
month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}"
weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}"
job: "{{ rhel9cis_aide_cron['aide_job'] }}"
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist"
block:
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
changed_when: false
failed_when: false
check_mode: false
register: rhel_09_6_1_10_audit
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
ansible.builtin.set_fact:
rhel_09_6_1_10_unowned_files_found: true
loop: "{{ rhel_09_6_1_10_audit.results }}"
when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug:
msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}"
when: rhel_09_6_1_10_unowned_files_found
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.10'
when: rhel_09_6_1_10_unowned_files_found
vars:
rhel_09_6_1_10_unowned_files_found: false
- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
when:
- rhel9cis_rule_6_1_10
- rhel9cis_rule_6_1_3
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- audit
- files
- permissions
- rule_6.1.10
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist"
block:
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup
check_mode: false
failed_when: false
changed_when: false
register: rhel_09_6_1_11_audit
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
ansible.builtin.set_fact:
rhel_09_6_1_11_ungrouped_files_found: true
loop: "{{ rhel_09_6_1_11_audit.results }}"
when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug:
msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}"
when: rhel_09_6_1_11_ungrouped_files_found
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.11'
when: rhel_09_6_1_11_ungrouped_files_found
vars:
rhel_09_6_1_11_ungrouped_files_found: false
when:
- rhel9cis_rule_6_1_11
tags:
- level1-server
- level1-workstation
- audit
- files
- permissions
- rule_6.1.11
- name: "6.1.12 | PATCH | Ensure sticky bit is set on all world-writable directories"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
changed_when: false
failed_when: false
when:
- rhel9cis_rule_6_1_12
tags:
- level1-server
- level1-workstation
- patch
- stickybits
- permissons
- rule_6.1.12
- name: "6.1.13 | AUDIT | Audit SUID executables"
block:
- name: "6.1.13 | AUDIT | Audit SUID executables | Find all SUID executables"
ansible.builtin.shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000"
failed_when: false
changed_when: false
register: rhel_09_6_1_13_suid_perms
- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
ansible.builtin.debug:
msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms.stdout_lines }}"
when:
- rhel_09_6_1_13_suid_perms.stdout is defined
- rhel_09_6_1_13_suid_perms.stdout | length > 0
- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.13'
when:
- rhel_09_6_1_13_suid_perms.stdout is defined
- rhel_09_6_1_13_suid_perms.stdout | length > 0
vars:
rhel9_6_1_13_suid_found: false
when:
- rhel9cis_rule_6_1_13
tags:
- level1-server
- level1-workstation
- manual
- audit
- files
- rule_6.1.13
- name: "6.1.14 | AUDIT | Audit SGID executables"
block:
- name: "6.1.14 | AUDIT | Audit SGID executables | Find all SGID executables"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
failed_when: false
changed_when: false
register: rhel_09_6_1_14_sgid_perms
- name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
ansible.builtin.debug:
msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms.stdout_lines }}"
when:
- rhel_09_6_1_14_sgid_perms.stdout is defined
- rhel_09_6_1_14_sgid_perms.stdout | length > 0
- name: "6.1.14 | AUDIT | Audit SGID executables| warning"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.14'
when:
- rhel_09_6_1_14_sgid_perms.stdout is defined
- rhel_09_6_1_14_sgid_perms.stdout | length > 0
vars:
rhel9_6_1_14_sgid_found: false
when:
- rhel9cis_rule_6_1_14
tags:
- level1-server
- level1-workstation
- manual
- audit
- files
- rule_6.1.14
- name: "6.1.15 | AUDIT | Audit system file permissions"
block:
- name: "6.1.15 | AUDIT | Audit system file permissions | Audit the packages"
ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
changed_when: false
failed_when: false
register: rhel9cis_6_1_15_packages_rpm
- name: "6.1.15 | AUDIT | Audit system file permissions | Create list and warning"
block:
- name: "6.1.15 | AUDIT | Audit system file permissions | Add file discrepancy list to system"
ansible.builtin.copy:
dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy
content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}"
owner: root
group: root
mode: '0640'
- name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
ansible.builtin.debug:
msg: |
"Warning!! You have some package descrepancies issues.
The file list can be found in {{ rhel9cis_rpm_audit_file }}"
- name: "6.1.15 | AUDIT | Audit system file permissions | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.15'
when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0
when:
- rhel9cis_rule_6_1_15
tags:
- level2-server
- level2-workstation
- manual
- audit
- permissions
- rule_6.1.15
- level1-server
- level1-workstation
- aide
- file_integrity
- patch
- rule_6.1.3
ansible.builtin.blockinfile:
path: /etc/aide.conf
marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
block: |
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
validate: aide -D --config %s

114
tasks/section_6/cis_6.2.1.x.yml Normal file
View file

@ -0,0 +1,114 @@
---
- name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active"
when:
- rhel9cis_rule_6_2_1_1
tags:
- level1-server
- level1-workstation
- audit
- journald
- rule_6.2.1.1
ansible.builtin.systemd:
name: systemd-journald.service
masked: false
state: started
- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured"
when:
- rhel9cis_rule_6_2_1_2
tags:
- level1-server
- level1-workstation
- audit
- journald
- rule_6.2.1.2
block:
- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
ansible.builtin.file:
path: /usr/lib/tmpfiles.d/systemd.conf
mode: '0640'
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
ansible.builtin.stat:
path: /etc/tmpfiles.d/systemd.conf
register: tmpfile_override
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
when: tmpfile_override.stat.exists
ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
register: journald_fileperms_override
changed_when: false
failed_when: journald_fileperms_override.rc not in [ 0, 1 ]
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
when:
- tmpfile_override.stat.exists
- journald_fileperms_override.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
when:
- tmpfile_override.stat.exists
- journald_fileperms_override.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.2.1.2'
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured"
when:
- rhel9cis_rule_6_2_1_3
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.1.3
notify: Restart journald
block:
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/rotation.conf.j2
dest: /etc/systemd/journald.conf.d/rotation.conf
owner: root
group: root
mode: '0640'
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: "{{ item }}"
replace: '#\1'
loop:
- '^(\s*SystemMaxUse\s*=.*)'
- '^(\s*SystemKeepFree\s*=.*)'
- '^(\s*RuntimeMaxUse\s*=)'
- '^(\s*RuntimeKeepFree\s*=.*)'
- '^(\s*MaxFileSec\s*=.*)'
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use"
when:
- rhel9cis_rule_6_2_1_4
tags:
- level1-server
- level1-workstation
- patch
- journald
- syslog
- rule_6.2.1.4
block:
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog"
when: rhel9cis_syslog == "rsyslog"
ansible.builtin.systemd:
name: systemd-journald
state: stopped
enabled: false
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald"
when: rhel9cis_syslog == "journald"
ansible.builtin.systemd:
name: rsyslog
state: stopped
enabled: false

162
tasks/section_6/cis_6.2.2.1.x.yml Normal file
View file

@ -0,0 +1,162 @@
---
- name: "6.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
when:
- ubtu22cis_rule_6_2_2_1_1
- not ubtu22cis_system_is_log_server
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.1.1
- NIST800-53R5_AU-2
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
ansible.builtin.package:
name: systemd-journal-remote
state: present
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
when:
- ubtu22cis_rule_6_2_2_1_2
- not ubtu22cis_system_is_log_server
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.1.2
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
notify: Restart journald
ansible.builtin.lineinfile:
path: /etc/systemd/journal-upload.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'}
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'}
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'}
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'}
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
when:
- not ubtu22cis_system_is_log_server
- ubtu22cis_rule_6_2_2_1_3
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.1.3
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: systemd-journal-upload
masked: false
enabled: true
- name: "6.2.2.1.4 | PATCH | Ensure systemd-journal-remote service is not in use"
when:
- not ubtu22cis_system_is_log_server
- ubtu22cis_rule_6_2_2_1_4
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.1.4
- NIST800-53R5_AU-2
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
masked: true
loop:
- systemd-journal-remote.socket
- systemd-journal-remote.service
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
when:
- ubtu22cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
- patch
- journald
- rule_6.2.2.2
- NIST800-53R5_AU-2
- NIST800-53R5_AU-6
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
notify: Restart journald
block:
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(\s*ForwardToSyslog)
replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
when:
- ubtu22cis_rule_6_2_2_3
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.3
- NIST800-53R5_AU-4
notify: Restart journald
block:
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.4
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*compress=)
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
when:
- ubtu22cis_rule_6_2_2_4
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.4
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
notify: Restart journald
block:
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/storage.conf.j2
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*storage=)
replace: '#\1'

293
tasks/section_6/cis_6.2.3.x.yml Normal file
View file

@ -0,0 +1,293 @@
---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed"
when:
- "'rsyslog' not in ansible_facts.packages"
- rhel9cis_rule_6_2_3_1
tags:
- level1-server
- level1-workstation
- patch
- rsyslog
- rule_6.2.3.1
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
ansible.builtin.package:
name: rsyslog
state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
when:
- rhel9cis_rule_6_2_3_2
tags:
- level1-server
- level1-workstation
- patch
- rsyslog
- rule_6.2.3.2
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: rsyslog
enabled: true
state: started
- name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
when:
- rhel9cis_rule_6_2_3_3
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.3.3
- NIST800-53R5_AC-3
- NIST800-53R5_AU-2
- NIST800-53R5_AU-4
- NIST800-53R5_AU-12
- NIST800-53R5_MP-2
ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes
notify: Restart rsyslog
- name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
when:
- rhel9cis_rule_6_2_3_4
tags:
- level1-server
- level1-workstation
- patch
- rsyslog
- rule_6.2.3.4
- NIST800-53R5_AC-3
- NIST800-53R5_AC-6
- NIST800-53R5_MP-2
ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
when:
- rhel9cis_rule_6_2_3_5
tags:
- level1-server
- level1-workstation
- patch
- rsyslog
- rule_6.2.3.5
- NIST800-53R5_AU-2
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
block:
- name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$"
changed_when: false
failed_when: false
check_mode: false
register: rhel_09_6_2_3_5_audit
- name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.debug:
msg:
- "These are the current logging configurations for rsyslog, please review:"
- "{{ rhel_09_4_2_1_5_audit.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown"
block: |
# mail logging additions to meet CIS standards
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warning
mail.err /var/log/mail.err
insertafter: '# Log all the mail messages in one place.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown"
block: |
# news logging additions to meet CIS standards
news.crit -/var/log/news/news.crit
news.notice -/var/log/news/news.crit
insertafter: '# Save news errors of level crit and higher in a special file.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown"
block: |
# misc. logging additions to meet CIS standards
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none /var/log/messages
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown"
block: |
# local log settings to meet CIS standards
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
*.emrg :omusrmsg:*
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown"
block: |
# Private settings to meet CIS standards
auth,authpriv.* /var/log/secure
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown"
block: |
# Cron settings to meet CIS standards
cron.* /var/log/cron
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
when:
- rhel9cis_rule_6_2_3_6
- rhel9cis_remote_log_server
tags:
- level1-server
- level1-workstation
- patch
- rsyslog
- rule_6.2.3.6
- NIST800-53R5_AU-6
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
block: |
# target can be IP or FQDN
*.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}")
insertafter: EOF
register: result
failed_when:
- result is failed
- result.rc != 257
notify: Restart rsyslog
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
when:
- rhel9cis_rule_6_2_3_7
tags:
- level1-server
- level1-workstation
- patch
- rsyslog
- rule_6.2.3.7
- NIST800-53R5_AU-2
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
- NIST800-53R5_CM-6
block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
when: not rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
regexp: '{{ item }}'
replace: '#\1'
notify: Restart rsyslog
loop:
- '^(\$ModLoad imtcp)'
- '^(\$InputTCPServerRun)'
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
when: rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
regexp: '^#(.*{{ item }}.*)'
replace: '\1'
notify: Restart rsyslog
loop:
- 'ModLoad imtcp'
- 'InputTCPServerRun'
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured"
when:
- rhel9cis_rule_6_2_3_8
tags:
- level1-server
- level1-workstation
- manual
- patch
- logrotate
- rule_6.2.3.8
- NIST800-53R5_AU-8
block:
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | installed"
ansible.builtin.package:
name: rsyslog-logrotate
state: present
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | scheduled"
ansible.builtin.systemd:
name: logrotate.timer
state: started
enabled: true
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set default conf"
ansible.builtin.replace:
path: "/etc/logrotate.conf"
regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
replace: "\\1{{ rhel9cis_logrotate }}"
- name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings"
ansible.builtin.find:
paths: /etc/logrotate.d/
contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$'
register: log_rotates
- name: "6.2.3.8 | AUDIT | Ensure logrotate is configured"
when: log_rotates.matched > 0
vars:
warn_control_id: '6.2.3.8'
block:
- name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | generate file list"
ansible.builtin.set_fact:
logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}"
- name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | List configured files"
ansible.builtin.debug:
msg: |
"Warning!! The following files are not covered by default logrotate settings ensure they match site policy"
"{{ logrotate_non_def_conf }}"
loop: "{{ log_rotates.files }}"
- name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | Warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml

62
tasks/section_6/cis_6.2.4.1.yml Normal file
View file

@ -0,0 +1,62 @@
---
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured"
when:
- rhel9cis_rule_6_2_4_1
tags:
- level1-server
- level1-workstation
- patch
- logfiles
- rule_6.2.4.1
block:
- name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
changed_when: false
failed_when: false
register: discovered_logfiles
- name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact"
when:
- discovered_logfiles.stdout_lines | length > 0
- discovered_logfiles is defined
ansible.builtin.set_fact:
discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid]
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when:
- discovered_logfiles_flattened is defined
- item == "/var/log/secure"
- item == "/var/log/auth.log"
- item == "/var/log/syslog"
- "'journal' in item"
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
loop: "{{ discovered_logfiles_flattened }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when:
- discovered_logfiles_flattened is defined
- item == "/var/log/btmp"
- item == "/var/log/utmp"
- item == "/var/log/wtmp"
- item == "/var/log/lastlog"
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
owner: root
group: root
loop: "{{ discovered_logfiles_flattened }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when:
- discovered_logfiles_flattened is defined
- "'sssd' in item"
- item == "/var/log/utmp"
- item == "/var/log/wtmp"
- item == "/var/log/lastlog"
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
loop: "{{ discovered_logfiles_flattened }}"

455
tasks/section_6/cis_6.2.x.yml
View file

@ -1,455 +0,0 @@
---
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
block:
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover"
ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd
changed_when: false
register: shadow_passwd
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output"
ansible.builtin.debug:
msg: |
- "Warning!! Below are the accounts that do not have shadowed passwords set"
- "{{ shadow_passwd.stdout_line }}"
when: shadow_passwd.stdout | length > 0
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.2.1'
when: shadow_passwd.stdout | length >= 1
when:
- rhel9cis_rule_6_2_1
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_6.2.1
- name: "6.2.2 | PATCH | Ensure password fields are not empty"
ansible.builtin.shell: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ empty_password_accounts.stdout_lines }}"
when:
- empty_password_accounts.rc
- rhel9cis_rule_6_2_2
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_6.2.2
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
block:
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_3_passwd_gid_check
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.2.3'
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_3
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.3
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist"
block:
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_4_user_uid_check
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
ansible.builtin.debug:
msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
vars:
warn_control_id: '6.2.4'
when:
- rhel9cis_rule_6_2_4
tags:
- level1-server
- level1-workstation
- audit
- accounts
- users
- rule_6.2.4
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist"
block:
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
register: rhel9cis_6_2_5_user_user_check
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
ansible.builtin.debug:
msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.2.5'
when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1
when:
- rhel9cis_rule_6_2_5
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.5
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist"
block:
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_6_user_username_check
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
ansible.builtin.debug:
msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_6_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.2.6'
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_6
tags:
- level1-server
- level1-workstation
- audit
- accounts
- users
- rule_6.2.6
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist"
block:
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_7_group_group_check
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.2.7'
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
when:
- rhel9cis_rule_6_2_7
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.7
- name: "6.2.8 | PATCH | Ensure root PATH Integrity"
block:
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths"
ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2
changed_when: false
register: rhel9cis_6_2_8_root_paths
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths"
ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n"
changed_when: false
register: rhel9cis_6_2_8_root_paths_split
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact"
ansible.builtin.set_fact:
root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}"
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'
changed_when: false
failed_when: root_path_empty_dir.rc not in [ 0, 1 ]
register: root_path_empty_dir
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'"
ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"'
changed_when: false
failed_when: root_path_trailing_colon.rc not in [ 0, 1 ]
register: root_path_trailing_colon
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions"
block:
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions"
ansible.builtin.stat:
path: "{{ item }}"
register: root_path_perms
loop: "{{ rhel9cis_6_2_8_root_paths_split.stdout_lines }}"
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions"
ansible.builtin.file:
path: "{{ item.stat.path }}"
state: directory
owner: root
group: root
mode: '0755'
follow: false
loop: "{{ root_path_perms.results }}"
loop_control:
label: "{{ item }}"
when:
- item.stat.exists
- item.stat.isdir
- item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp
when:
- rhel9cis_rule_6_2_8
tags:
- level1-server
- level1-workstation
- patch
- paths
- rule_6.2.8
- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account"
ansible.builtin.shell: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}"
when:
- rhel9cis_uid_zero_accounts_except_root.rc
- rhel9cis_rule_6_2_9
tags:
- level1-server
- level1-workstation
- patch
- accounts
- users
- rule_6.2.9
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
block:
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent"
ansible.builtin.file:
path: "{{ item.dir }}"
state: directory
owner: "{{ item.id }}"
group: "{{ item.gid }}"
register: rhel_09_6_2_10_home_dir
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
loop_control:
label: "{{ item.id }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set group ACL"
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: group
permissions: rx
state: present
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set other ACL"
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: other
permissions: 0
state: present
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
when:
- rhel9cis_rule_6_2_10
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_6.2.10
- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories"
ansible.builtin.file:
path: "{{ item.dir }}"
owner: "{{ item.id }}"
state: directory
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
loop_control:
label: "{{ item.id }}"
when:
- item.id in discovered_interactive_usernames.stdout
- rhel9cis_rule_6_2_11
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_6.2.11
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
block:
- name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat"
ansible.builtin.stat:
path: "{{ item }}"
register: rhel_09_6_2_12_home_dir_perms
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed"
ansible.builtin.file:
path: "{{ item.stat.path }}"
state: directory
mode: '0750'
loop: "{{ rhel_09_6_2_12_home_dir_perms.results }}"
loop_control:
label: "{{ item }}"
when:
- item.stat.mode > '0750'
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set group ACL"
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: group
permissions: rx
state: present
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL"
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: other
permissions: 0
state: present
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
when:
- rhel9cis_rule_6_2_12
tags:
- level1-server
- level1-workstation
- patch
- users
- permissions
- rule_6.2.12
- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files"
ansible.builtin.file:
path: "{{ item }}/.netrc"
state: absent
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_13
tags:
- level1-server
- level1-workstation
- patch
- users
- permissions
- rule_6.2.13
- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files"
ansible.builtin.file:
path: "{{ item }}/.forward"
state: absent
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_14
tags:
- level1-server
- level1-workstation
- patch
- users
- files
- rule_6.2.14
- name: "6.2.15 | PATCH | Ensure no local interactive user has .rhosts files"
ansible.builtin.file:
path: "~{{ item }}/.rhosts"
state: absent
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_15
tags:
- level1-server
- level1-workstation
- patch
- users
- files
- rule_6.2.15
- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable"
block:
- name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files"
ansible.builtin.find:
path: /home
depth: 3
patterns: ".*"
hidden: true
recurse: true
file_type: file
register: user_dot_files
- name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | update permissions"
ansible.builtin.file:
path: "{{ item.path }}"
mode: go-w
follow: "{{ rhel_09_6_2_16_home_follow_symlinks }}"
loop: "{{ user_dot_files.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_6_2_16
tags:
- level1-server
- level1-workstation
- patch
- users
- permissions
- rule_6.2.16

111
tasks/section_6/cis_6.3.1.x.yml Normal file
View file

@ -0,0 +1,111 @@
---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
when:
- rhel9cis_rule_6_3_1_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.1.1
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package:
name: audit
state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package:
name: audit-libs
state: present
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when:
- rhel9cis_rule_6_3_1_2
tags:
- level2-server
- level2-workstation
- patch
- auditd
- grub
- rule_6.3.1.2
block:
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_3_1_2_grubby_curr_value_audit_linux
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
when:
- rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout == '' or
'0' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout or
'off' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout|lower
ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
when:
- rhel9cis_rule_6_3_1_3
tags:
- level2-server
- level2-workstation
- patch
- auditd
- grub
- rule_6.3.1.3
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
ansible.builtin.shell:
cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux
- name: "6.3.1.3 | AUDIT | Check to see if limits are set"
when:
- rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux is not defined or
rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines == []
ansible.builtin.set_fact:
rhel9cis_6_3_1_3_reset_backlog_limits: true
- name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
when:
- (item | int < rhel9cis_audit_back_log_limit)
ansible.builtin.set_fact:
rhel9cis_6_3_1_3_reset_backlog_limits: true
loop: "{{ rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines }}"
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
when:
- rhel9cis_6_3_1_3_reset_backlog_limits is defined
ansible.builtin.shell:
cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
when:
- rhel9cis_rule_6_3_1_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.1.4
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.systemd:
name: auditd
state: started
enabled: true

76
tasks/section_6/cis_6.3.2.x.yml Normal file
View file

@ -0,0 +1,76 @@
---
- name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured"
when:
- rhel9cis_rule_6_3_2_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.2.1
- NIST800-53R5_AU-8
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)"
line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}"
notify: Restart auditd
- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
when:
- rhel9cis_rule_6_3_2_2
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.2.2
- NIST800-53R5_AU-8
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: "^max_log_file_action"
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
notify: Restart auditd
- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
when:
- rhel9cis_rule_6_3_2_3
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.2.3
- NIST800-53R5_AU-2
- NIST800-53R5_AU-8
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: Restart auditd
loop:
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
- { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' }
- { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' }
- name: PATCH | Configure other keys for auditd.conf
when:
- rhel9cis_auditd_extra_conf.keys() | length > 0
- rhel9cis_auditd_extra_conf_usage
tags:
- level2-server
- level2-workstation
- patch
- auditd
- NIST800-53R5_AU-2
- NIST800-53R5_AU-8
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: "^{{ item }}( |=)"
line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
notify: Restart auditd

328
tasks/section_6/cis_6.3.3.x.yml Normal file
View file

@ -0,0 +1,328 @@
---
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
when:
- rhel9cis_rule_6_3_3_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.1
- NIST800-53R5_AU-3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
when:
- rhel9cis_rule_6_3_3_2
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.2
- NIST800-53R5_AU-3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
when:
- rhel9cis_rule_6_3_3_3
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
when:
- rhel9cis_rule_6_3_3_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.4
- NIST800-53R5_AU-3
- NIST800-53R5_CM-6
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
when:
- rhel9cis_rule_6_3_3_5
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.5
- NIST800-53R5_AU-3
- NIST800-53R5_CM-6
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
when:
- rhel9cis_rule_6_3_3_6
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.6
- NIST800-53R5_AU-3
block:
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
register: priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
ansible.builtin.set_fact:
update_audit_template: true
notify: update auditd
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
when:
- rhel9cis_rule_6_3_3_7
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.7
- NIST800-53R5_AU-3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
when:
- rhel9cis_rule_6_3_3_8
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.8
- NIST800-53R5_AU-3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
when:
- rhel9cis_rule_6_3_3_9
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.9
- NIST800-53R5_AU-3
- NIST800-53R5_CM-6
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
when:
- rhel9cis_rule_6_3_3_10
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.10
- NIST800-53R5_CM-6
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
when:
- rhel9cis_rule_6_3_3_11
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.11
- NIST800-53R5_AU-3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
when:
- rhel9cis_rule_6_3_3_12
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.12
- NIST800-53R5_AU-3
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
when:
- rhel9cis_rule_6_3_3_13
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.13
- NIST800-53R5_AU-12
- NIST800-53R5_SC-7
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
when:
- rhel9cis_rule_6_3_3_14
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.14
- NIST800-53R5_AU-3
- NIST800-53R5_CM-6
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
when:
- rhel9cis_rule_6_3_3_15
tags:
- level2-server
- level2- workstation
- patch
- auditd
- rule_6.3.3.15
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
when:
- rhel9cis_rule_6_3_3_16
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.16
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
when:
- rhel9cis_rule_6_3_3_17
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.17
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
when:
- rhel9cis_rule_6_3_3_18
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.18
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
when:
- rhel9cis_rule_6_3_3_19
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.19
- NIST800-53R5_AU-3
- NIST800-53R5_CM-6
ansible.builtin.set_fact:
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
when:
- rhel9cis_rule_6_3_3_20
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.3.20
- NIST800-53R5_AC-3
- NIST800-53R5_AU-3
- NIST800-53R5_MP-2
ansible.builtin.set_fact:
update_audit_template: true
- name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
when:
- rhel9cis_rule_6_3_3_21
tags:
- level2-server
- level2-workstation
- manual
- patch
- auditd
- rule_6.3.3.21
- NIST800-53R5_AU-3
ansible.builtin.debug:
msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active"
- name: Auditd | 6.3.3.x | Auditd controls updated
when:
- update_audit_template
ansible.builtin.debug:
msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
changed_when: false

167
tasks/section_6/cis_6.3.4.x.yml Normal file
View file

@ -0,0 +1,167 @@
---
- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured"
when:
- rhel9cis_rule_6_3_4_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.1
- NIST800-53R5_AU-3
block:
- name: "6.3.4.1 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions"
ansible.builtin.stat:
path: "{{ audit_discovered_logfile.stdout | dirname }}"
register: auditlog_dir
- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured | set"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout | dirname }}"
state: directory
mode: 'g-w,o-rwx'
- name: |
"6.3.4.2 | PATCH | Ensure audit log files mode is configured"
"6.3.4.3 | PATCH | Ensure audit log files owner is configured"
"6.3.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
when:
- rhel9cis_rule_6_3_4_2 or
rhel9cis_rule_6_3_4_3 or
rhel9cis_rule_6_3_4_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.1
- rule_6.3.4.2
- rule_6.3.4.3
- NIST800-53R5_AU-3
block:
- name: "6.3.4.2 | AUDIT | Ensure audit log files mode is configured | discover file"
ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
changed_when: false
register: audit_discovered_logfile
- name: |
"6.3.4.2 | PATCH | Ensure audit log files mode is configured"
"6.3.4.3 | PATCH | Ensure audit log files owner is configured"
"6.3.4.4 | PATCH | Ensure audit log files group owner is configured"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout }}"
mode: 'o-x,g-wx,o-rwx'
owner: root
group: root
- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
when:
- rhel9cis_rule_6_3_4_5
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.5
ansible.builtin.file:
path: "{{ item.path }}"
mode: 'u-x,g-wx,o-rwx'
loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured"
when:
- rhel9cis_rule_6_3_4_6
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.6
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
loop: "{{ auditd_conf_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured"
when:
- rhel9cis_rule_6_3_4_7
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.7
ansible.builtin.file:
path: "{{ item.path }}"
group: root
loop: "{{ auditd_conf_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured"
when:
- rhel9cis_rule_6_3_4_8
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.8
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ item.item }}"
mode: 'go-w'
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured"
when:
- rhel9cis_rule_6_3_4_9
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.9
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured"
when:
- rhel9cis_rule_6_3_4_10
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.10
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ item }}"
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules

38
tasks/section_6/main.yml
View file

@ -1,9 +1,39 @@
---
- name: "SECTION | 6.1 | System File Permissions"
- name: "SECTION | 6.1 | Configure Integrity Checking"
ansible.builtin.import_tasks:
file: cis_6.1.x.yml
file: cis_6.1.x.yml
- name: "SECTION | 6.2 | User and Group Settings"
- name: "SECTION | 6.2.1 | Configure systemd-journald service"
ansible.builtin.import_tasks:
file: cis_6.2.x.yml
file: cis_6.2.1.x.yml
- name: "SECTION | 6.2.2 | Configure journald"
when: rhel9cis_syslog == 'journald'
ansible.builtin.import_tasks:
file: cis_6.2.2.1.x.yml
- name: "SECTION | 6.2.3 | Configure rsyslog"
when: rhel9cis_syslog == 'rsyslog'
ansible.builtin.import_tasks:
file: cis_6.2.3.x.yml
- name: "SECTION | 6.2.4.1 | Configure Logfiles"
ansible.builtin.import_tasks:
file: cis_6.2.4.1.yml
- name: "SECTION | 6.3.1 | Configure auditd Service"
ansible.builtin.import_tasks:
file: cis_6.3.1.x.yml
- name: "SECTION | 6.3.2 | Configure Data Retention"
ansible.builtin.import_tasks:
file: cis_6.3.2.x.yml
- name: "SECTION | 6.3.3 | Configure auditd Rules"
ansible.builtin.import_tasks:
file: cis_6.3.3.x.yml
- name: "SECTION | 6.3.4 | Configure auditd File Access"
ansible.builtin.import_tasks:
file: cis_6.3.4.x.yml