sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

renamed variable and updated tag

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-09-06 14:49:41 +01:00
parent 14d038e8eb
commit 7c4c3f9e4d
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
3 changed files with 24 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

2
defaults/main.yml
View file

@ -750,7 +750,7 @@ rhel9cis_nft_tables_autochaincreate: true
# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of
# drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them.
# Otherwise, the default value is '/etc/ssh/ssh_config'.
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
rhel9cis_sshd_config_file: /etc/ssh/sshd_config
## Controls:
## - 5.1.7 - Ensure SSH access is limited

6
tasks/prelim.yml
View file

@ -196,14 +196,14 @@
# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
- name: "PRELIM | PATCH | SSH Config file is not exist"
when:
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'
- rhel9cis_sshd_config_file != '/etc/ssh/sshd_config'
- "'openssh-server' in ansible_facts.packages"
tags:
- ssh
- always
- level1_server
- level1_workstation
ansible.builtin.file:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
owner: root
group: root
mode: '0600'

40
tasks/section_5/cis_5.1.x.yml
View file

@ -178,7 +178,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers"
when: "rhel9cis_sshd_allowusers | length > 0"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^AllowUsers"
line: "AllowUsers {{ rhel9cis_sshd_allowusers }}"
validate: sshd -t -f %s
@ -187,7 +187,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups"
when: "rhel9cis_sshd_allowgroups | length > 0"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^AllowGroups"
line: "AllowGroups {{ rhel9cis_sshd_allowgroups }}"
validate: sshd -t -f %s
@ -196,7 +196,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers"
when: "rhel9cis_sshd_denyusers | length > 0"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
validate: sshd -t -f %s
@ -205,7 +205,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups"
when: "rhel9cis_sshd_denygroups | length > 0"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyGroups"
line: "DenyGroups {{ rhel9cis_sshd_denygroups }}"
validate: sshd -t -f %s
@ -226,7 +226,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^Banner'
line: 'Banner /etc/issue.net'
@ -247,7 +247,7 @@
block:
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}"
validate: sshd -t -f %s
@ -255,7 +255,7 @@
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}"
validate: sshd -t -f %s
@ -274,7 +274,7 @@
block:
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | config file"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(#|)\s*DisableForwarding
line: 'DisableForwarding yes'
validate: sshd -t -f %s
@ -313,7 +313,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*GSSAPIAuthentication
line: GSSAPIAuthentication no
validate: sshd -t -f %s
@ -334,7 +334,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*HostbasedAuthentication
line: 'HostbasedAuthentication no'
validate: sshd -t -f %s
@ -355,7 +355,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*IgnoreRhosts
line: 'IgnoreRhosts yes'
validate: sshd -t -f %s
@ -372,7 +372,7 @@
- rule_5.1.14
- NIST800-53R5_CM-6
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LoginGraceTime
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
validate: sshd -t -f %s
@ -391,7 +391,7 @@
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LogLevel
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
validate: sshd -t -f %s
@ -408,7 +408,7 @@
- rule_5.1.16
- NIST800-53R5_AU-3
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
validate: sshd -t -f %s
@ -429,7 +429,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*MaxStartups
line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
validate: sshd -t -f %s
@ -450,7 +450,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*MaxSessions
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
validate: sshd -t -f %s
@ -471,7 +471,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*PermitEmptyPasswords
line: 'PermitEmptyPasswords no'
validate: sshd -t -f %s
@ -490,7 +490,7 @@
block:
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*PermitRootLogin
line: 'PermitRootLogin no'
validate: sshd -t -f %s
@ -517,7 +517,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*PermitUserEnvironment
line: 'PermitUserEnvironment no'
validate: sshd -t -f %s
@ -538,7 +538,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*UsePAM
line: 'UsePAM yes'
validate: sshd -t -f %s