diff --git a/defaults/main.yml b/defaults/main.yml
index 4a95eaf..fb188b0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -464,9 +464,9 @@ rhel9cis_ftp_client: false
## Section3 vars
## Sysctl
-sysctl_update: false
-flush_ipv4_route: false
-flush_ipv6_route: false
+rhel9cis_sysctl_update: false
+rhel9cis_flush_ipv4_route: false
+rhel9cis_flush_ipv6_route: false
### Firewall Service - either firewalld, iptables, or nftables
#### Some control allow for services to be removed or masked
@@ -512,7 +512,7 @@ rhel9cis_max_log_file_size: 10
update_audit_template: false
## Advanced option found in auditd post
-allow_auditd_uid_user_exclusions: false
+rhel9cis_allow_auditd_uid_user_exclusions: false
# This can be used to configure other keys in auditd.conf
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 1768aa1..2a2eb9c 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -42,5 +42,5 @@
diff: "{{ auditd_exception_file.stat.exists }}"
notify: Restart auditd
when:
- allow_auditd_uid_user_exclusions
+ rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
index 443bfc1..3f80647 100644
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@@ -33,7 +33,7 @@
block:
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
ansible.builtin.set_fact:
- sysctl_update: true
+ rhel9cis_sysctl_update: true
- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
ansible.builtin.debug:
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index e972ae2..7ffe31c 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
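Review bot: The three flags renamed on the removed/added lines of the first hunk (`sysctl_update`, `flush_ipv4_route`, `flush_ipv6_route`) are set as facts by the section_3 tasks so that the handler the debug messages call 'update sysctl' can act on them, yet no handler file is part of this diff. If the handler conditions still read the old unprefixed names, a bare `when: sysctl_update` would fail on an undefined variable and a `default(false)`-guarded one would silently never fire, leaving the network sysctl hardening unapplied; please confirm the handler side of the rename landed in the same change. The prefixing itself is the right call, since an unprefixed `sysctl_update` set by any other role or play variable could otherwise trigger or suppress this role's handler, but that protection only holds once every consumer is renamed. In the second hunk, `update_audit_template: false` stays unprefixed while `rhel9cis_allow_auditd_uid_user_exclusions` beside it is renamed, so the same collision remains for that flag and `rhel9cis_update_audit_template: false` would close it. The identical set_fact renames recur in tasks/section_1/cis_1.5.x.yml and tasks/section_3/cis_3.1.x.yml, cis_3.2.x.yml and cis_3.3.x.yml and this point is not repeated there.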
@@ -6,8 +6,8 @@
block:
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv6_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv6_route: true
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
ansible.builtin.debug:
diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
index 56e47f7..cc5567f 100644
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@@ -4,8 +4,8 @@
block:
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug:
@@ -15,7 +15,7 @@
block:
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact:
- flush_ipv6_route: true
+ rhel9cis_flush_ipv6_route: true
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug:
@@ -36,8 +36,8 @@
block:
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index 84363e7..e8f3a5f 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -4,8 +4,8 @@
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@@ -14,7 +14,7 @@
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
- flush_ipv6_route: true
+ rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
ansible.builtin.debug:
@@ -33,8 +33,8 @@
block:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4"
ansible.builtin.debug:
@@ -44,7 +44,7 @@
block:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
- flush_ipv6_route: true
+ rhel9cis_flush_ipv6_route: true
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
ansible.builtin.debug:
@@ -63,8 +63,8 @@
block:
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
ansible.builtin.debug:
@@ -82,8 +82,8 @@
block:
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
ansible.builtin.debug:
@@ -101,8 +101,8 @@
block:
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
ansible.builtin.debug:
@@ -120,8 +120,8 @@
block:
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
ansible.builtin.debug:
@@ -139,8 +139,8 @@
block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
ansible.builtin.debug:
@@ -158,8 +158,8 @@
block:
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv4_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
ansible.builtin.debug:
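Review bot: The context line `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"` in the 3.3.5 hunk lacks its opening quote, so YAML reads the task name as a plain scalar that ends in a literal `"`; it parses, but it is inconsistent with every other task name in the section and defeats exact-name matching in logs and `--start-at-task`. Since the commit already edits that task's set_fact block, the fix is one line: `- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"`.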
@@ -177,8 +177,8 @@
block:
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
- sysctl_update: true
- flush_ipv6_route: true
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv6_route: true
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug:
diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2
index d8a0b8d..5602632 100644
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@@ -1,7 +1,7 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
# This file contains users whose actions are not logged by auditd
-{% if allow_auditd_uid_user_exclusions %}
+{% if rhel9cis_allow_auditd_uid_user_exclusions %}
{% for user in rhel9cis_auditd_uid_exclude %}
-a never,user -F uid!={{ user }} -F auid!={{ user }}
{% endfor %}