
added validate & typo fixes

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-04 16:12:47 +01:00
parent ca24e923c4
commit 790db75501
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB


@ -87,6 +87,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^AllowUsers" regexp: "^AllowUsers"
line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
validate: sshd -t -f %s
notify: restart sshd notify: restart sshd
when: "rhel9cis_sshd['allowusers']|default('') | length > 0" when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
@ -96,6 +97,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^AllowGroups" regexp: "^AllowGroups"
line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
validate: sshd -t -f %s
notify: restart sshd notify: restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
@ -105,6 +107,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^DenyUsers" regexp: "^DenyUsers"
line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
validate: sshd -t -f %s
notify: restart sshd notify: restart sshd
when: "rhel9cis_sshd['denyusers']|default('') | length > 0" when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
@ -114,6 +117,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^DenyGroups" regexp: "^DenyGroups"
line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
validate: sshd -t -f %s
notify: restart sshd notify: restart sshd
when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
when: when:
@ -132,6 +136,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#LogLevel|^LogLevel" regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_5 - rhel9cis_rule_5_2_5
tags: tags:
@ -148,6 +153,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#UsePAM|^UsePAM" regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes' line: 'UsePAM yes'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_6 - rhel9cis_rule_5_2_6
tags: tags:
@ -164,6 +170,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#PermitRootLogin|^PermitRootLogin" regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no' line: 'PermitRootLogin no'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_7 - rhel9cis_rule_5_2_7
tags: tags:
@ -178,8 +185,9 @@
lineinfile: lineinfile:
state: present state: present
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no' line: 'HostbasedAuthentication no'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_8 - rhel9cis_rule_5_2_8
tags: tags:
@ -196,6 +204,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no' line: 'PermitEmptyPasswords no'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_9 - rhel9cis_rule_5_2_9
tags: tags:
@ -212,6 +221,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no' line: 'PermitUserEnvironment no'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_10 - rhel9cis_rule_5_2_10
tags: tags:
@ -228,12 +238,13 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#IgnoreRhosts|^IgnoreRhosts" regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes' line: 'IgnoreRhosts yes'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_11 - rhel9cis_rule_5_2_11
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- autoamted - automated
- patch - patch
- ssh - ssh
- rule_5.2.11 - rule_5.2.11
@ -244,12 +255,13 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#X11Forwarding|^X11Forwarding" regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no' line: 'X11Forwarding no'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_12 - rhel9cis_rule_5_2_12
tags: tags:
- level2-server - level2-server
- level1-workstation - level1-workstation
- autoamted - automated
- patch - patch
- ssh - ssh
- rule_5.2.12 - rule_5.2.12
@ -260,12 +272,13 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no' line: 'AllowTcpForwarding no'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_13 - rhel9cis_rule_5_2_13
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- autoamted - automated
- patch - patch
- ssh - ssh
- rule_5.2.13 - rule_5.2.13
@ -307,6 +320,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d' regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4' line: 'MaxAuthTries 4'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_16 - rhel9cis_rule_5_2_16
tags: tags:
@ -323,6 +337,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#MaxStartups|^MaxStartups" regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60' line: 'MaxStartups 10:30:60'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_17 - rhel9cis_rule_5_2_17
tags: tags:
@ -339,6 +354,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions" regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_18 - rhel9cis_rule_5_2_18
tags: tags:
@ -355,6 +371,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#LoginGraceTime|^LoginGraceTime" regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_19 - rhel9cis_rule_5_2_19
tags: tags:
@ -373,6 +390,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval' regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
lineinfile: lineinfile:
@ -380,6 +398,7 @@
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax' regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
validate: sshd -t -f %s
when: when:
- rhel9cis_rule_5_2_20 - rhel9cis_rule_5_2_20
tags: tags:
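Review bot: `validate: sshd -t -f %s`, added to every lineinfile task in this section (L21 through L181), only proves that the resulting file parses; it does not catch a directive landing in the wrong scope. When `regexp` matches no existing line, lineinfile appends at end of file, so if `/etc/ssh/sshd_config` already ends in a `Match` block the new `PermitRootLogin`, `X11Forwarding` and similar lines are silently scoped to that block while `sshd -t` still succeeds — the 5.2.8 task at L70–79 shows its full argument set and has no `insertbefore`, so this is its behaviour. Pinning the insertion point, e.g. `insertbefore: '^\s*Match\b'` together with `firstmatch: true`, keeps the directive in the global section (with no `Match` line present lineinfile still falls back to EOF). Separately, a RHEL 9 sshd_config normally opens with an `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a passing validate does not mean these lines are the effective settings; an `sshd -T` check in the audit side would confirm them (inferred from the rhel9 naming — the Include line is not visible in this diff).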