sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #12 from ansible-lockdown/lint_dec24

Browse source 
Lint dec24
This commit is contained in:
uk-bolly 2024-12-11 13:40:01 +00:00 committed by GitHub
commit 7a49778b1d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
73 changed files with 570 additions and 797 deletions
Download patch file Download diff file Expand all files Collapse all files

86
tasks/section_1/cis_1.1.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_1
when: rhel9cis_rule_1_1_1_1
tags:
- level1-server
- level1-workstation
@ -17,7 +16,7 @@
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -25,7 +24,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when:
@ -35,8 +34,7 @@
state: absent
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_2
when: rhel9cis_rule_1_1_1_2
tags:
- level1-server
- level1-workstation
@ -51,7 +49,7 @@
regexp: "^(#)?install freevxfs(\\s|$)"
line: "install freevxfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -59,18 +57,16 @@
regexp: "^(#)?blacklist freevxfs(\\s|$)"
line: "blacklist freevxfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: freevxfs
state: absent
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_3
when: rhel9cis_rule_1_1_1_3
tags:
- level1-server
- level1-workstation
@ -85,7 +81,7 @@
regexp: "^(#)?install hfs(\\s|$)"
line: "install hfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -93,18 +89,16 @@
regexp: "^(#)?blacklist hfs(\\s|$)"
line: "blacklist hfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: hfs
state: absent
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available"
when:
- rhel9cis_rule_1_1_1_4
when: rhel9cis_rule_1_1_1_4
tags:
- level1-server
- level1-workstation
@ -119,7 +113,7 @@
regexp: "^(#)?install hfsplus(\\s|$)"
line: "install hfsplus /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -127,18 +121,16 @@
regexp: "^(#)?blacklist hfsplus(\\s|$)"
line: "blacklist hfsplus"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: hfsplus
state: absent
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available"
when:
- rhel9cis_rule_1_1_1_5
when: rhel9cis_rule_1_1_1_5
tags:
- level1-server
- level1-workstation
@ -153,7 +145,7 @@
regexp: "^(#)?install jffs2(\\s|$)"
line: "install jffs2 /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -161,18 +153,16 @@
regexp: "^(#)?blacklist jffs2(\\s|$)"
line: "blacklist jffs2"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: jffs2
state: absent
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_6
when: rhel9cis_rule_1_1_1_6
tags:
- level2-server
- level2-workstation
@ -187,7 +177,7 @@
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -195,18 +185,16 @@
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: squashfs
state: absent
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available"
when:
- rhel9cis_rule_1_1_1_7
when: rhel9cis_rule_1_1_1_7
tags:
- level2-server
- level2-workstation
@ -221,7 +209,7 @@
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -229,18 +217,16 @@
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: udf
state: absent
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available"
when:
- rhel9cis_rule_1_1_1_8
when: rhel9cis_rule_1_1_1_8
tags:
- level1-server
- level2-workstation
@ -255,7 +241,7 @@
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -263,18 +249,16 @@
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: usb-storage
state: absent
- name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available"
when:
- rhel9cis_rule_1_1_1_9
when: rhel9cis_rule_1_1_1_9
tags:
- level1-server
- level1-workstation
@ -289,10 +273,10 @@
dest: /var/fs_with_cves.sh
owner: root
group: root
mode: '0744'
mode: 'u+x,go-wx'
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
ansible.builtin.shell: /var/fs_with_cves.sh
ansible.builtin.command: /var/fs_with_cves.sh
changed_when: false
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
register: discovered_fs_modules_loaded
@ -302,7 +286,7 @@
ansible.builtin.debug:
msg: |
"Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
{{ discovered_fs_modules_loaded.stdout_lines}}"
{{ discovered_fs_modules_loaded.stdout_lines }}"
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
when: discovered_fs_modules_loaded.stdout | length > 0

4
tasks/section_1/cis_1.1.2.1.x.yml
View file

@ -17,7 +17,7 @@
block:
- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present"
ansible.builtin.import_tasks:
@ -84,5 +84,5 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Systemd restart tmp.mount

7
tasks/section_1/cis_1.1.2.2.x.yml
View file

@ -2,8 +2,7 @@
# Skips if mount is absent
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition"
when:
- rhel9cis_rule_1_1_2_2_1
when: rhel9cis_rule_1_1_2_2_1
tags:
- level1-server
- level1-workstation
@ -14,7 +13,7 @@
vars:
warn_control_id: '1.1.2.2.1'
block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists"
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" # noqa command-instead-of-module
ansible.builtin.shell: mount -l | grep -w /dev/shm
changed_when: false
register: discovered_dev_shm_mount_check
@ -24,7 +23,7 @@
block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.2.1 | AUDIT | Ensure separate partition exists for /home | Present"
ansible.builtin.import_tasks:

2
tasks/section_1/cis_1.1.2.3.x.yml
View file

@ -17,7 +17,7 @@
block:
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present"
ansible.builtin.import_tasks:

2
tasks/section_1/cis_1.1.2.4.x.yml
View file

@ -17,7 +17,7 @@
block:
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present"
ansible.builtin.import_tasks:

2
tasks/section_1/cis_1.1.2.5.x.yml
View file

@ -18,7 +18,7 @@
block:
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
ansible.builtin.import_tasks:

2
tasks/section_1/cis_1.1.2.6.x.yml
View file

@ -17,7 +17,7 @@
block:
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
ansible.builtin.import_tasks:

2
tasks/section_1/cis_1.1.2.7.x.yml
View file

@ -17,7 +17,7 @@
block:
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
ansible.builtin.import_tasks:

16
tasks/section_1/cis_1.2.1.x.yml
View file

@ -14,18 +14,18 @@
- rule_1.2.1.1
- NIST800-53R5_SI-2
block:
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" # noqa command-instead-of-module
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false
failed_when: false
register: discovered_os_installed_pub_keys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" # noqa command-instead-of-module
when: discovered_os_installed_pub_keys.rc == 0
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: discovered_os_gpg_key_check
when: discovered_os_installed_pub_keys.rc == 0
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
when:
@ -35,8 +35,7 @@
msg: Installed GPG Keys do not meet expected values or expected keys are not installed
- name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated"
when:
- rhel9cis_rule_1_2_1_2
when: rhel9cis_rule_1_2_1_2
tags:
- level1-server
- level1-workstation
@ -94,8 +93,7 @@
label: "{{ item.path }}"
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured"
when:
- rhel9cis_rule_1_2_1_4
when: rhel9cis_rule_1_2_1_4
tags:
- level1-server
- level1-workstation
@ -107,11 +105,11 @@
warn_control_id: '1.2.1.4'
block:
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
ansible.builtin.shell: dnf repolist
ansible.builtin.command: dnf repolist
changed_when: false
failed_when: false
register: discovered_dnf_configured
check_mode: false
register: discovered_dnf_configured
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
ansible.builtin.debug:

9
tasks/section_1/cis_1.3.1.x.yml
View file

@ -122,8 +122,7 @@
file: warning_facts.yml
- name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
when:
- rhel9cis_rule_1_3_1_7
when: rhel9cis_rule_1_3_1_7
tags:
- level1-server
- level1-workstation
@ -136,9 +135,6 @@
state: absent
- name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed"
ansible.builtin.package:
name: setroubleshoot
state: absent
when:
- rhel9cis_rule_1_3_1_8
- "'setroubleshoot' in ansible_facts.packages"
@ -149,3 +145,6 @@
- rule_1.3.1.8
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.package:
name: setroubleshoot
state: absent

9
tasks/section_1/cis_1.4.x.yml
View file

@ -16,12 +16,11 @@
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Grub2cfg
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
when:
- rhel9cis_rule_1_4_2
when: rhel9cis_rule_1_4_2
tags:
- level1-server
- level1-workstation
@ -41,5 +40,5 @@
access_time: preserve
loop:
- { path: 'grub.cfg', mode: '0700' }
- { path: 'grubenv', mode: '0600' }
- { path: 'user.cfg', mode: '0600' }
- { path: 'grubenv', mode: 'go-rwx' }
- { path: 'user.cfg', mode: 'go-rwx' }

11
tasks/section_1/cis_1.5.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
when:
- rhel9cis_rule_1_5_1
when: rhel9cis_rule_1_5_1
tags:
- level1-server
- level1-workstation
@ -21,8 +20,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
when:
- rhel9cis_rule_1_5_2
when: rhel9cis_rule_1_5_2
tags:
- level1-server
- level1-workstation
@ -39,8 +37,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
- name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled"
when:
- rhel9cis_rule_1_5_3
when: rhel9cis_rule_1_5_3
tags:
- level1-server
- level1-workstation
@ -50,7 +47,7 @@
- NIST800-53R5_CM-6b
ansible.builtin.lineinfile:
path: /etc/systemd/coredump.conf
regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
regexp: '(?#)^ProcessSizeMax\s*=\s*.*[1-9].*$'
line: 'ProcessSizeMax=0'
- name: "1.5.4 | PATCH | Ensure core dump storage is disabled"

16
tasks/section_1/cis_1.6.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
when:
- rhel9cis_rule_1_6_1
when: rhel9cis_rule_1_6_1
tags:
- level1-server
- level1-workstation
@ -18,8 +17,7 @@
- Set Crypto Policy
- name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
when:
- rhel9cis_rule_1_6_2
when: rhel9cis_rule_1_6_2
tags:
- level1-server
- level1-workstation
@ -54,7 +52,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sha1_template
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
@ -85,7 +83,7 @@
dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_weakmac_template
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
@ -115,7 +113,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshcbc_template
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
@ -145,7 +143,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
@ -175,7 +173,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshetm_template
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"

30
tasks/section_1/cis_1.7.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.7.1 | PATCH | Ensure message of the day is configured properly"
when:
- rhel9cis_rule_1_7_1
when: rhel9cis_rule_1_7_1
tags:
- level1-server
- level1-workstation
@ -17,11 +16,10 @@
dest: /etc/motd
owner: root
group: root
mode: u-x,go-wx
mode: 'u-x,go-wx'
- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
when:
- rhel9cis_rule_1_7_2
when: rhel9cis_rule_1_7_2
tags:
- level1-server
- level1-workstation
@ -35,11 +33,10 @@
dest: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
when:
- rhel9cis_rule_1_7_3
when: rhel9cis_rule_1_7_3
tags:
- level1-server
- level1-workstation
@ -54,11 +51,10 @@
dest: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
when:
- rhel9cis_rule_1_7_4
when: rhel9cis_rule_1_7_4
tags:
- level1-server
- level1-workstation
@ -71,11 +67,10 @@
path: /etc/motd
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
when:
- rhel9cis_rule_1_7_5
when: rhel9cis_rule_1_7_5
tags:
- level1-server
- level1-workstation
@ -88,11 +83,10 @@
path: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
when:
- rhel9cis_rule_1_7_6
when: rhel9cis_rule_1_7_6
tags:
- level1-server
- level1-workstation
@ -105,4 +99,4 @@
path: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'go-wx'

30
tasks/section_1/cis_1.8.x.yml
View file

@ -35,7 +35,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
loop:
- { regexp: 'user-db', line: 'user-db:user' }
@ -48,7 +48,7 @@
dest: /etc/dconf/db/gdm.d/01-banner-message
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled"
@ -68,7 +68,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
loop:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
@ -96,7 +96,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
loop:
- { regexp: '^user-db', line: 'user-db:user' }
- { regexp: '^system-db', line: 'system-db:local' }
@ -106,7 +106,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file"
@ -115,7 +115,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
@ -134,7 +134,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
@ -143,7 +143,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
@ -161,7 +161,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
@ -180,7 +180,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
@ -189,7 +189,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled"
@ -208,7 +208,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
@ -217,7 +217,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden"
@ -236,7 +236,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile"
@ -245,7 +245,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.10 | PATCH | Ensure XDMCP is not enabled"