sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge branch 'lint_dec24' into alignment

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 13:36:08 +00:00
commit 82f7b53a67
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
49 changed files with 375 additions and 606 deletions
Download patch file Download diff file Expand all files Collapse all files

1
tasks/LE_audit_setup.yml
View file

@ -1,5 +1,4 @@
---
- name: Pre Audit Setup | Set audit package name
block:
- name: Pre Audit Setup | Set audit package name | 64bit

1
tasks/audit_only.yml
View file

@ -1,5 +1,4 @@
---
- name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files
ansible.builtin.file:

3
tasks/check_prereqs.yml
View file

@ -1,8 +1,7 @@
---
- name: "PREREQ | If required install libselinux package to manage file changes."
when:
- '"libselinux-python3" not in ansible_facts.packages'
when: '"libselinux-python3" not in ansible_facts.packages'
ansible.builtin.package:
name: libselinux-python3
state: present

42
tasks/main.yml
View file

@ -2,22 +2,19 @@
# tasks file for RHEL9-CIS
- name: "Check OS version and family"
when: os_check
tags: always
ansible.builtin.assert:
that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
when:
- os_check
tags:
- always
- name: "Check ansible version"
tags: always
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
tags:
- always
- name: "Setup rules if container"
when:
@ -36,8 +33,7 @@
file: "{{ container_vars_file }}"
- name: "Output if discovered is a container"
when:
- system_is_container
when: system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
@ -51,8 +47,7 @@
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- always
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
@ -94,8 +89,7 @@
msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
- name: "Check local account"
when:
- prelim_ansible_user_password_set.stdout != "not found"
when: prelim_ansible_user_password_set.stdout != "not found"
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert:
@ -113,10 +107,8 @@
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
- name: "PRELIM | AUDIT | Check authselect profile is selected"
when:
- rhel9cis_allow_authselect_updates
tags:
- always
when: rhel9cis_allow_authselect_updates
tags: always
block:
- name: "PRELIM | AUDIT | Check authselect profile name has been updated"
ansible.builtin.assert:
@ -136,8 +128,7 @@
fail_msg: Authselect updates have been selected there are issues with profile selection"
- name: "Ensure root password is set"
when:
- rhel9cis_rule_5_4_2_4
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
@ -158,14 +149,12 @@
success_msg: "You have a root password set"
- name: "Gather the package facts"
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
- name: "Include OS specific variables"
tags:
- always
tags: always
ansible.builtin.include_vars:
file: "{{ ansible_facts.distribution }}.yml"
@ -213,8 +202,7 @@
- name: "Run auditd logic"
when: update_audit_template
tags:
- always
tags: always
ansible.builtin.import_tasks:
file: auditd.yml
@ -226,8 +214,7 @@
file: post.yml
- name: "Run post_remediation audit"
when:
- run_audit
when: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
@ -238,7 +225,6 @@
- name: "If Warnings found Output count and control IDs affected"
when: warn_count != 0
tags:
- always
tags: always
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"

3
tasks/parse_etc_password.yml
View file

@ -1,8 +1,7 @@
---
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
tags:
- always
tags: always
block:
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
ansible.builtin.command: cat /etc/passwd

6
tasks/post.yml
View file

@ -1,9 +1,7 @@
---
# Post tasks
- name: POST | Gather the package facts after remediation
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
@ -17,7 +15,7 @@
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Reload sysctl
loop:
- 60-kernel_sysctl.conf

1
tasks/pre_remediation_audit.yml
View file

@ -1,5 +1,4 @@
---
- name: Pre Audit Setup | Setup the LE audit
when: setup_audit
tags: setup_audit

29
tasks/prelim.yml
View file

@ -17,43 +17,37 @@
when:
- run_audit or audit_only
- setup_audit
tags:
- run_audit
tags: run_audit
ansible.builtin.import_tasks: pre_remediation_audit.yml
- name: "PRELIM | AUDIT | Interactive Users"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false
register: prelim_interactive_usernames
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
changed_when: false
register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
changed_when: false
register: prelim_interactive_uids
- name: "PRELIM | AUDIT | Capture /etc/password variables"
tags: always
ansible.builtin.include_tasks:
file: parse_etc_password.yml
tags:
- always
- name: "PRELIM | PATCH | Ensure python3-libselinux is installed"
when:
- '"python3-libselinux" not in ansible_facts.packages'
when: '"python3-libselinux" not in ansible_facts.packages'
ansible.builtin.package:
name: python3-libselinux
state: present
@ -108,14 +102,14 @@
failed_when: false
register: prelim_check_gpg_imported
- name: "PRELIM | AUDIT | Import gpg keys | Check Package"
- name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module
when: "'not installed' in prelim_check_gpg_imported.stdout"
ansible.builtin.shell: rpm -qi redhat-release | grep Signature # noqa command-instead-of-module
changed_when: false
failed_when: false
register: prelim_os_gpg_package_valid
- name: "PRELIM | PATCH | Force keys to be imported"
- name: "PRELIM | PATCH | Force keys to be imported" # noqa command-instead-of-module
when:
- "'not installed' in prelim_check_gpg_imported.stdout"
- "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout"
@ -124,8 +118,7 @@
state: present
- name: "PRELIM | AUDIT | Check systemd coredump"
when:
- rhel9cis_rule_1_5_4
when: rhel9cis_rule_1_5_4
tags:
- level1-server
- level1-workstation
@ -208,7 +201,7 @@
- always
block:
- name: "PRELIM | AUDIT | Discover is wirelss adapter on system"
ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
register: discover_wireless_adapters
changed_when: false
failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
@ -247,7 +240,7 @@
path: "{{ rhel9cis_sshd_config_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
state: touch
- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"

80
tasks/section_1/cis_1.1.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_1
when: rhel9cis_rule_1_1_1_1
tags:
- level1-server
- level1-workstation
@ -17,7 +16,7 @@
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -25,7 +24,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when:
@ -35,8 +34,7 @@
state: absent
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_2
when: rhel9cis_rule_1_1_1_2
tags:
- level1-server
- level1-workstation
@ -51,7 +49,7 @@
regexp: "^(#)?install freevxfs(\\s|$)"
line: "install freevxfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -59,18 +57,16 @@
regexp: "^(#)?blacklist freevxfs(\\s|$)"
line: "blacklist freevxfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: freevxfs
state: absent
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_3
when: rhel9cis_rule_1_1_1_3
tags:
- level1-server
- level1-workstation
@ -85,7 +81,7 @@
regexp: "^(#)?install hfs(\\s|$)"
line: "install hfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -93,18 +89,16 @@
regexp: "^(#)?blacklist hfs(\\s|$)"
line: "blacklist hfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: hfs
state: absent
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available"
when:
- rhel9cis_rule_1_1_1_4
when: rhel9cis_rule_1_1_1_4
tags:
- level1-server
- level1-workstation
@ -119,7 +113,7 @@
regexp: "^(#)?install hfsplus(\\s|$)"
line: "install hfsplus /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -127,18 +121,16 @@
regexp: "^(#)?blacklist hfsplus(\\s|$)"
line: "blacklist hfsplus"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: hfsplus
state: absent
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available"
when:
- rhel9cis_rule_1_1_1_5
when: rhel9cis_rule_1_1_1_5
tags:
- level1-server
- level1-workstation
@ -153,7 +145,7 @@
regexp: "^(#)?install jffs2(\\s|$)"
line: "install jffs2 /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -161,18 +153,16 @@
regexp: "^(#)?blacklist jffs2(\\s|$)"
line: "blacklist jffs2"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: jffs2
state: absent
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available"
when:
- rhel9cis_rule_1_1_1_6
when: rhel9cis_rule_1_1_1_6
tags:
- level2-server
- level2-workstation
@ -187,7 +177,7 @@
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -195,18 +185,16 @@
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: squashfs
state: absent
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available"
when:
- rhel9cis_rule_1_1_1_7
when: rhel9cis_rule_1_1_1_7
tags:
- level2-server
- level2-workstation
@ -221,7 +209,7 @@
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -229,18 +217,16 @@
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: udf
state: absent
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available"
when:
- rhel9cis_rule_1_1_1_8
when: rhel9cis_rule_1_1_1_8
tags:
- level1-server
- level2-workstation
@ -255,7 +241,7 @@
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -263,18 +249,16 @@
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb"
when:
- not system_is_container
when: not system_is_container
community.general.modprobe:
name: usb-storage
state: absent
- name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available"
when:
- rhel9cis_rule_1_1_1_9
when: rhel9cis_rule_1_1_1_9
tags:
- level1-server
- level1-workstation

9
tasks/section_1/cis_1.2.1.x.yml
View file

@ -26,7 +26,6 @@
changed_when: false
failed_when: false
register: discovered_os_gpg_key_check
when: discovered_os_installed_pub_keys.rc == 0
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | If expected keys fail"
when:
@ -36,8 +35,7 @@
msg: Installed GPG Keys do not meet expected values or expected keys are not installed
- name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated"
when:
- rhel9cis_rule_1_2_1_2
when: rhel9cis_rule_1_2_1_2
tags:
- level1-server
- level1-workstation
@ -95,8 +93,7 @@
label: "{{ item.path }}"
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured"
when:
- rhel9cis_rule_1_2_1_4
when: rhel9cis_rule_1_2_1_4
tags:
- level1-server
- level1-workstation
@ -111,8 +108,8 @@
ansible.builtin.command: dnf repolist
changed_when: false
failed_when: false
register: discovered_dnf_configured
check_mode: false
register: discovered_dnf_configured
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
ansible.builtin.debug:

9
tasks/section_1/cis_1.3.1.x.yml
View file

@ -122,8 +122,7 @@
file: warning_facts.yml
- name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
when:
- rhel9cis_rule_1_3_1_7
when: rhel9cis_rule_1_3_1_7
tags:
- level1-server
- level1-workstation
@ -136,9 +135,6 @@
state: absent
- name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed"
ansible.builtin.package:
name: setroubleshoot
state: absent
when:
- rhel9cis_rule_1_3_1_8
- "'setroubleshoot' in ansible_facts.packages"
@ -149,3 +145,6 @@
- rule_1.3.1.8
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.package:
name: setroubleshoot
state: absent

9
tasks/section_1/cis_1.4.x.yml
View file

@ -16,12 +16,11 @@
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Grub2cfg
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
when:
- rhel9cis_rule_1_4_2
when: rhel9cis_rule_1_4_2
tags:
- level1-server
- level1-workstation
@ -41,5 +40,5 @@
access_time: preserve
loop:
- { path: 'grub.cfg', mode: '0700' }
- { path: 'grubenv', mode: '0600' }
- { path: 'user.cfg', mode: '0600' }
- { path: 'grubenv', mode: 'go-rwx' }
- { path: 'user.cfg', mode: 'go-rwx' }

11
tasks/section_1/cis_1.5.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
when:
- rhel9cis_rule_1_5_1
when: rhel9cis_rule_1_5_1
tags:
- level1-server
- level1-workstation
@ -21,8 +20,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
when:
- rhel9cis_rule_1_5_2
when: rhel9cis_rule_1_5_2
tags:
- level1-server
- level1-workstation
@ -39,8 +37,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
- name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled"
when:
- rhel9cis_rule_1_5_3
when: rhel9cis_rule_1_5_3
tags:
- level1-server
- level1-workstation
@ -50,7 +47,7 @@
- NIST800-53R5_CM-6b
ansible.builtin.lineinfile:
path: /etc/systemd/coredump.conf
regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
regexp: '(?#)^ProcessSizeMax\s*=\s*.*[1-9].*$'
line: 'ProcessSizeMax=0'
- name: "1.5.4 | PATCH | Ensure core dump storage is disabled"

16
tasks/section_1/cis_1.6.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
when:
- rhel9cis_rule_1_6_1
when: rhel9cis_rule_1_6_1
tags:
- level1-server
- level1-workstation
@ -18,8 +17,7 @@
- Set Crypto Policy
- name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
when:
- rhel9cis_rule_1_6_2
when: rhel9cis_rule_1_6_2
tags:
- level1-server
- level1-workstation
@ -54,7 +52,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sha1_template
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
@ -85,7 +83,7 @@
dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_weakmac_template
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
@ -115,7 +113,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshcbc_template
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
@ -145,7 +143,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
@ -175,7 +173,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
register: discovered_no_sshetm_template
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"

30
tasks/section_1/cis_1.7.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "1.7.1 | PATCH | Ensure message of the day is configured properly"
when:
- rhel9cis_rule_1_7_1
when: rhel9cis_rule_1_7_1
tags:
- level1-server
- level1-workstation
@ -17,11 +16,10 @@
dest: /etc/motd
owner: root
group: root
mode: u-x,go-wx
mode: 'u-x,go-wx'
- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
when:
- rhel9cis_rule_1_7_2
when: rhel9cis_rule_1_7_2
tags:
- level1-server
- level1-workstation
@ -35,11 +33,10 @@
dest: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
when:
- rhel9cis_rule_1_7_3
when: rhel9cis_rule_1_7_3
tags:
- level1-server
- level1-workstation
@ -54,11 +51,10 @@
dest: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
when:
- rhel9cis_rule_1_7_4
when: rhel9cis_rule_1_7_4
tags:
- level1-server
- level1-workstation
@ -71,11 +67,10 @@
path: /etc/motd
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
when:
- rhel9cis_rule_1_7_5
when: rhel9cis_rule_1_7_5
tags:
- level1-server
- level1-workstation
@ -88,11 +83,10 @@
path: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
when:
- rhel9cis_rule_1_7_6
when: rhel9cis_rule_1_7_6
tags:
- level1-server
- level1-workstation
@ -105,4 +99,4 @@
path: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'go-wx'

30
tasks/section_1/cis_1.8.x.yml
View file

@ -35,7 +35,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
loop:
- { regexp: 'user-db', line: 'user-db:user' }
@ -48,7 +48,7 @@
dest: /etc/dconf/db/gdm.d/01-banner-message
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled"
@ -68,7 +68,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
loop:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
@ -96,7 +96,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-wx'
loop:
- { regexp: '^user-db', line: 'user-db:user' }
- { regexp: '^system-db', line: 'system-db:local' }
@ -106,7 +106,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file"
@ -115,7 +115,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
@ -134,7 +134,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
@ -143,7 +143,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
@ -161,7 +161,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
@ -180,7 +180,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
@ -189,7 +189,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled"
@ -208,7 +208,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
@ -217,7 +217,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden"
@ -236,7 +236,7 @@
path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile"
@ -245,7 +245,7 @@
dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
notify: Reload dconf
- name: "1.8.10 | PATCH | Ensure XDMCP is not enabled"

79
tasks/section_2/cis_2.1.x.yml
View file

@ -33,9 +33,7 @@
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
when:
- rhel9cis_rule_2_1_2
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
when: rhel9cis_rule_2_1_2
tags:
- level1-server
- level2-workstation
@ -70,9 +68,7 @@
- avahi-daemon.service
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
when:
- "'dhcp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_3
when: rhel9cis_rule_2_1_3
tags:
- level1-server
- level1-workstation
@ -105,9 +101,7 @@
- dhcpd6.service
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
when:
- "'bind' in ansible_facts.packages"
- rhel9cis_rule_2_1_4
when: rhel9cis_rule_2_1_4
tags:
- level1-server
- level1-workstation
@ -137,9 +131,7 @@
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
when:
- "'dnsmasq' in ansible_facts.packages"
- rhel9cis_rule_2_1_5
when: rhel9cis_rule_2_1_5
tags:
- level1-server
- level1-workstation
@ -169,9 +161,7 @@
masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
when:
- "'samba' in ansible_facts.packages"
- rhel9cis_rule_2_1_6
when: rhel9cis_rule_2_1_6
tags:
- level1-server
- level1-workstation
@ -202,9 +192,7 @@
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
when:
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_1_7
when: rhel9cis_rule_2_1_7
tags:
- level1-server
- level1-workstation
@ -235,9 +223,7 @@
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
when:
- "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
- rhel9cis_rule_2_1_8
when: rhel9cis_rule_2_1_8
tags:
- level1-server
- level1-workstation
@ -275,9 +261,7 @@
- "cyrus-imapd.service"
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
when:
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_1_9
when: rhel9cis_rule_2_1_9
tags:
- level1-server
- level1-workstation
@ -309,9 +293,7 @@
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
when:
- "'ypserv' in ansible_facts.packages"
- rhel9cis_rule_2_1_10
when: rhel9cis_rule_2_1_10
tags:
- level1-server
- level1-workstation
@ -341,9 +323,7 @@
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
when:
- "'cups' in ansible_facts.packages"
- rhel9cis_rule_2_1_11
when: rhel9cis_rule_2_1_11
tags:
- level1-server
- automated
@ -375,9 +355,7 @@
- "cups.service"
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
when:
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_1_12
when: rhel9cis_rule_2_1_12
tags:
- level1-server
- level1-workstation
@ -411,9 +389,7 @@
- rpcbind.socket
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
when:
- "'rsync-daemon' in ansible_facts.packages"
- rhel9cis_rule_2_1_13
when: rhel9cis_rule_2_1_13
tags:
- level1-server
- level1-workstation
@ -447,9 +423,7 @@
- 'rsyncd.service'
- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
when:
- "'net-snmp' in ansible_facts.packages"
- rhel9cis_rule_2_1_14
when: rhel9cis_rule_2_1_14
tags:
- level1-server
- level1-workstation
@ -479,9 +453,7 @@
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
when:
- "'telnet-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_15
when: rhel9cis_rule_2_1_15
tags:
- level1-server
- level1-workstation
@ -512,9 +484,7 @@
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
when:
- "'tftp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_16
when: rhel9cis_rule_2_1_16
tags:
- level1-server
- level1-workstation
@ -547,9 +517,7 @@
- 'tftp.service'
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
when:
- "'squid' in ansible_facts.packages"
- rhel9cis_rule_2_117
when: rhel9cis_rule_2_1_17
tags:
- level1-server
- level1-workstation
@ -580,8 +548,7 @@
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
when:
- rhel9cis_rule_2_1_18
when: rhel9cis_rule_2_1_18
tags:
- level1-server
- level1-workstation
@ -597,7 +564,6 @@
when:
- not rhel9cis_httpd_server
- not rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
ansible.builtin.package:
name: httpd
state: absent
@ -606,7 +572,6 @@
when:
- not rhel9cis_nginx_server
- not rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
ansible.builtin.package:
name: nginx
state: absent
@ -615,7 +580,6 @@
when:
- not rhel9cis_httpd_server
- rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: httpd.service
@ -627,7 +591,6 @@
when:
- not rhel9cis_nginx_server
- rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: ngnix.service
@ -636,9 +599,7 @@
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
when:
- "'xinetd' in ansible_facts.packages"
- rhel9cis_rule_2_1_19
when: rhel9cis_rule_2_1_19
tags:
- level1-server
- level1-workstation
@ -670,7 +631,6 @@
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
when:
- not rhel9cis_xwindow_server
- "'xorg-x11-server-common' in ansible_facts.packages"
- rhel9cis_rule_2_1_20
tags:
- level1-server
@ -704,8 +664,7 @@
line: "inet_interfaces = loopback-only"
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
when:
- rhel9cis_rule_2_1_22
when: rhel9cis_rule_2_1_22
tags:
- level1-server
- level1-workstation

5
tasks/section_2/cis_2.2.x.yml
View file

@ -3,7 +3,6 @@
- name: "2.2.1 | PATCH | Ensure ftp client is not installed"
when:
- not rhel9cis_ftp_client
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_1
tags:
- level1-server
@ -20,7 +19,6 @@
- name: "2.2.2 | PATCH | Ensure ldap client is not installed"
when:
- not rhel9cis_openldap_clients_required
- "'openldap-clients' in ansible_facts.packages"
- rhel9cis_rule_2_2_2
tags:
- level2-server
@ -37,7 +35,6 @@
- name: "2.2.3 | PATCH | Ensure nis client is not installed"
when:
- not rhel9cis_ypbind_required
- "'ypbind' in ansible_facts.packages"
- rhel9cis_rule_2_2_3
tags:
- level1-server
@ -54,7 +51,6 @@
- name: "2.2.4 | PATCH | Ensure telnet client is not installed"
when:
- not rhel9cis_telnet_required
- "'telnet' in ansible_facts.packages"
- rhel9cis_rule_2_2_4
tags:
- level1-server
@ -71,7 +67,6 @@
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
when:
- not rhel9cis_tftp_client
- "'tftp' in ansible_facts.packages"
- rhel9cis_rule_2_2_5
tags:
- level1-server

4
tasks/section_2/cis_2.3.x.yml
View file

@ -31,7 +31,7 @@
dest: /etc/chrony.conf
owner: root
group: root
mode: '0644'
mode: 'go-wx'
- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
when:
@ -48,4 +48,4 @@
line: OPTIONS="\1 -u chrony"
create: true
backrefs: true
mode: '0644'
mode: 'go-wx'

43
tasks/section_2/cis_2.4.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
when:
- rhel9cis_rule_2_4_1_1
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server
- level1-workstation
@ -19,8 +18,7 @@
enabled: true
- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
when:
- rhel9cis_rule_2_4_1_2
when: rhel9cis_rule_2_4_1_2
tags:
- level1-server
- level1-workstation
@ -33,11 +31,10 @@
path: /etc/crontab
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
when:
- rhel9cis_rule_2_4_1_3
when: rhel9cis_rule_2_4_1_3
tags:
- level1-server
- level1-workstation
@ -51,11 +48,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
when:
- rhel9cis_rule_2_4_1_4
when: rhel9cis_rule_2_4_1_4
tags:
- level1-server
- level1-workstation
@ -67,11 +63,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
when:
- rhel9cis_rule_2_4_1_5
when: rhel9cis_rule_2_4_1_5
tags:
- level1-server
- level1-workstation
@ -84,11 +79,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
when:
- rhel9cis_rule_2_4_1_6
when: rhel9cis_rule_2_4_1_6
tags:
- level1-server
- level1-workstation
@ -101,11 +95,10 @@
state: directory
owner: root
group: root
mode: og-rwx
mode: 'og-rwx'
- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
when:
- rhel9cis_rule_2_4_1_7
when: rhel9cis_rule_2_4_1_7
tags:
- level1-server
- level1-workstation
@ -119,11 +112,10 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'og-rwx'
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
when:
- rhel9cis_rule_2_4_1_8
when: rhel9cis_rule_2_4_1_8
tags:
- level1-server
- level1-workstation
@ -149,11 +141,10 @@
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
when:
- rhel9cis_rule_2_4_2_1
when: rhel9cis_rule_2_4_2_1
tags:
- level1-server
- level1-workstation
@ -179,4 +170,4 @@
state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'

3
tasks/section_3/cis_3.1.x.yml
View file

@ -65,8 +65,7 @@
file: warning_facts.yml
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
when:
- rhel9cis_rule_3_1_3
when: rhel9cis_rule_3_1_3
tags:
- level1-server
- level2-workstation

12
tasks/section_3/cis_3.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available"
when:
- rhel9cis_rule_3_2_1
when: rhel9cis_rule_3_2_1
tags:
- level2-server
- level2-workstation
@ -32,8 +31,7 @@
mode: 'u-x,go-rwx'
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
when:
- rhel9cis_rule_3_2_2
when: rhel9cis_rule_3_2_2
tags:
- level2-server
- level2-workstation
@ -63,8 +61,7 @@
mode: 'u-x,go-rwx'
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
when:
- rhel9cis_rule_3_2_3
when: rhel9cis_rule_3_2_3
tags:
- level2-server
- level2-workstation
@ -94,8 +91,7 @@
mode: 'u-x,go-rwx'
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
when:
- rhel9cis_rule_3_2_4
when: rhel9cis_rule_3_2_4
tags:
- level2-server
- level2-workstation

24
tasks/section_3/cis_3.3.x.yml
View file

@ -61,8 +61,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
when:
- rhel9cis_rule_3_3_3
when: rhel9cis_rule_3_3_3
tags:
- level1-server
- level1-workstation
@ -85,8 +84,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
when:
- rhel9cis_rule_3_3_4
when: rhel9cis_rule_3_3_4
tags:
- level1-server
- level1-workstation
@ -109,8 +107,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
when:
- rhel9cis_rule_3_3_5
when: rhel9cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
@ -144,8 +141,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
when:
- rhel9cis_rule_3_3_6
when: rhel9cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
@ -179,8 +175,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
when:
- rhel9cis_rule_3_3_7
when: rhel9cis_rule_3_3_7
tags:
- level1-server
- level1-workstation
@ -203,8 +198,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted"
when:
- rhel9cis_rule_3_3_8
when: rhel9cis_rule_3_3_8
tags:
- level1-server
- level1-workstation
@ -237,8 +231,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
when:
- rhel9cis_rule_3_3_9
when: rhel9cis_rule_3_3_9
tags:
- level1-server
- level1-workstation
@ -257,8 +250,7 @@
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
when:
- rhel9cis_rule_3_3_10
when: rhel9cis_rule_3_3_10
tags:
- level1-server
- level1-workstation

3
tasks/section_4/cis_4.1.x.yml
View file

@ -17,8 +17,7 @@
state: present
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
when:
- rhel9cis_rule_4_1_2
when: rhel9cis_rule_4_1_2
tags:
- level1-server
- level1-workstation

6
tasks/section_4/cis_4.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
when:
- rhel9cis_rule_4_2_1
when: rhel9cis_rule_4_2_1
tags:
- level1-server
- level1-workstation
@ -25,8 +24,7 @@
- "{{ discovered_services_and_ports.stdout_lines }}"
- name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld"
when:
- rhel9cis_rule_4_2_2
when: rhel9cis_rule_4_2_2
tags:
- level1-server
- level1-workstation

6
tasks/section_4/cis_4.3.x.yml
View file

@ -12,8 +12,7 @@
changed_when: true
- name: "4.3.1 | PATCH | Ensure nftables base chains exist"
when:
- rhel9cis_rule_4_3_1
when: rhel9cis_rule_4_3_1
tags:
- level1-server
- level1-workstation
@ -65,8 +64,7 @@
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured"
when:
- rhel9cis_rule_4_3_2
when: rhel9cis_rule_4_3_2
tags:
- level1-server
- level1-workstation

65
tasks/section_5/cis_5.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
when:
- rhel9cis_rule_5_1_1
when: rhel9cis_rule_5_1_1
tags:
- level1-server
- level1-workstation
@ -16,11 +15,10 @@
path: "/etc/ssh/sshd_config"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
when:
- rhel9cis_rule_5_1_2
when: rhel9cis_rule_5_1_2
tags:
- level1-server
- level1-workstation
@ -50,8 +48,7 @@
label: "{{ item.path }}"
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
when:
- rhel9cis_rule_5_1_3
when: rhel9cis_rule_5_1_3
tags:
- level1-server
- level1-workstation
@ -98,7 +95,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -126,7 +123,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -154,7 +151,7 @@
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -164,8 +161,7 @@
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
- name: "5.1.7 | PATCH | Ensure sshd access is configured"
when:
- rhel9cis_rule_5_1_7
when: rhel9cis_rule_5_1_7
tags:
- level1-server
- level1-workstation
@ -212,8 +208,7 @@
notify: Restart sshd
- name: "5.1.8 | PATCH | Ensure sshd Banner is configured"
when:
- rhel9cis_rule_5_1_8
when: rhel9cis_rule_5_1_8
tags:
- level1-server
- level1-workstation
@ -231,8 +226,7 @@
line: 'Banner /etc/issue.net'
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
when:
- rhel9cis_rule_5_1_9
when: rhel9cis_rule_5_1_9
tags:
- level1-server
- level1-workstation
@ -262,8 +256,7 @@
notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
when:
- rhel9cis_rule_5_1_10
when: rhel9cis_rule_5_1_10
tags:
- level2-server
- level1-workstation
@ -289,8 +282,7 @@
notify: Restart sshd
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when:
- rhel9cis_rule_5_1_11
when: rhel9cis_rule_5_1_11
tags:
- level1-server
- level1-workstation
@ -320,8 +312,7 @@
notify: Restart sshd
- name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
when:
- rhel9cis_rule_5_1_12
when: rhel9cis_rule_5_1_12
tags:
- level1-server
- level1-workstation
@ -341,8 +332,7 @@
notify: Restart sshd
- name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
when:
- rhel9cis_rule_5_1_13
when: rhel9cis_rule_5_1_13
tags:
- level1-server
- level1-workstation
@ -362,8 +352,7 @@
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
when:
- rhel9cis_rule_5_1_14
when: rhel9cis_rule_5_1_14
tags:
- level1-server
- level1-workstation
@ -379,8 +368,7 @@
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
when:
- rhel9cis_rule_5_1_15
when: rhel9cis_rule_5_1_15
tags:
- level1-server
- level1-workstation
@ -398,8 +386,7 @@
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
when:
- rhel9cis_rule_5_1_16
when: rhel9cis_rule_5_1_16
tags:
- level1-server
- level1-workstation
@ -415,8 +402,7 @@
notify: Restart sshd
- name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
when:
- rhel9cis_rule_5_1_17
when: rhel9cis_rule_5_1_17
tags:
- level1-server
- level1-workstation
@ -436,8 +422,7 @@
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
when:
- rhel9cis_rule_5_1_18
when: rhel9cis_rule_5_1_18
tags:
- level1-server
- level1-workstation
@ -457,8 +442,7 @@
notify: Restart sshd
- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
when:
- rhel9cis_rule_5_1_19
when: rhel9cis_rule_5_1_19
tags:
- level1-server
- level1-workstation
@ -478,8 +462,7 @@
notify: Restart sshd
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
when:
- rhel9cis_rule_5_1_20
when: rhel9cis_rule_5_1_20
tags:
- level1-server
- level1-workstation
@ -503,8 +486,7 @@
notify: Restart sshd
- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
when:
- rhel9cis_rule_5_1_21
when: rhel9cis_rule_5_1_21
tags:
- level1-server
- level1-workstation
@ -524,8 +506,7 @@
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
when:
- rhel9cis_rule_5_1_22
when: rhel9cis_rule_5_1_22
tags:
- level1-server
- level1-workstation

21
tasks/section_5/cis_5.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.2.1 | PATCH | Ensure sudo is installed"
when:
- rhel9cis_rule_5_2_1
when: rhel9cis_rule_5_2_1
tags:
- level1-server
- level1-workstation
@ -15,8 +14,7 @@
state: present
- name: "5.2.2 | PATCH | Ensure sudo commands use pty"
when:
- rhel9cis_rule_5_2_2
when: rhel9cis_rule_5_2_2
tags:
- level1-server
- level1-workstation
@ -30,8 +28,7 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.3 | PATCH | Ensure sudo log file exists"
when:
- rhel9cis_rule_5_2_3
when: rhel9cis_rule_5_2_3
tags:
- level1-server
- level1-workstation
@ -47,8 +44,7 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
when:
- rhel9cis_rule_5_2_4
when: rhel9cis_rule_5_2_4
tags:
- level2-server
- level2-workstation
@ -74,8 +70,7 @@
loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when:
- rhel9cis_rule_5_2_5
when: rhel9cis_rule_5_2_5
tags:
- level1-server
- level1-workstation
@ -101,8 +96,7 @@
loop: "{{ discovered_priv_reauth.stdout_lines }}"
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
when:
- rhel9cis_rule_5_2_6
when: rhel9cis_rule_5_2_6
tags:
- level1-server
- level1-workstation
@ -134,8 +128,7 @@
loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when:
- rhel9cis_rule_5_2_7
when: rhel9cis_rule_5_2_7
tags:
- level1-server
- level1-workstation

9
tasks/section_5/cis_5.3.2.x.yml
View file

@ -67,7 +67,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
@ -141,8 +141,7 @@
- rule_5.3.2.5
block:
- name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled"
ansible.builtin.shell: |
grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
changed_when: false
failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_discovered_authselect_pam_unix
@ -150,7 +149,7 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
backrefs: true
@ -164,7 +163,7 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
backrefs: true

9
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
when:
- rhel9cis_rule_5_3_3_1_1
when: rhel9cis_rule_5_3_3_1_1
tags:
- level1-server
- level1-workstation
@ -44,8 +43,7 @@
notify: Authselect update
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
when:
- rhel9cis_rule_5_3_3_1_2
when: rhel9cis_rule_5_3_3_1_2
tags:
- level1-server
- level1-workstation
@ -87,8 +85,7 @@
notify: Authselect update
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when:
- rhel9cis_rule_5_3_3_1_3
when: rhel9cis_rule_5_3_3_1_3
tags:
- level1-server
- level1-workstation

38
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
when:
- rhel9cis_rule_5_3_3_2_1
when: rhel9cis_rule_5_3_3_2_1
tags:
- level1-server
- level1-workstation
@ -30,7 +29,7 @@
dest: "/{{ rhel9cis_passwd_difok_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect"
when:
@ -58,8 +57,7 @@
notify: Authselect update
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured"
when:
- rhel9cis_rule_5_3_3_2_2
when: rhel9cis_rule_5_3_3_2_2
tags:
- level1-server
- level1-workstation
@ -87,7 +85,7 @@
dest: "/{{ rhel9cis_passwd_minlen_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
@ -115,8 +113,7 @@
notify: Authselect update
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
when:
- rhel9cis_rule_5_3_3_2_3
when: rhel9cis_rule_5_3_3_2_3
tags:
- level1-server
- level1-workstation
@ -144,7 +141,7 @@
dest: "/{{ rhel9cis_passwd_complex_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect"
when:
@ -172,8 +169,7 @@
notify: Authselect update
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
when:
- rhel9cis_rule_5_3_3_2_4
when: rhel9cis_rule_5_3_3_2_4
tags:
- level1-server
- level1-workstation
@ -183,8 +179,7 @@
- pam
block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when:
- item != rhel9cis_passwd_maxrepeat_file
when: item != rhel9cis_passwd_maxrepeat_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
@ -200,7 +195,7 @@
dest: "/{{ rhel9cis_passwd_maxrepeat_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect"
when:
@ -228,8 +223,7 @@
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
when:
- rhel9cis_rule_5_3_3_2_5
when: rhel9cis_rule_5_3_3_2_5
tags:
- level1-server
- level1-workstation
@ -257,7 +251,7 @@
dest: "/{{ rhel9cis_passwd_maxsequence_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect"
when:
@ -285,8 +279,7 @@
notify: Authselect update
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
when:
- rhel9cis_rule_5_3_3_2_6
when: rhel9cis_rule_5_3_3_2_6
tags:
- level1-server
- level1-workstation
@ -313,7 +306,7 @@
dest: "/{{ rhel9cis_passwd_dictcheck_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect"
when:
@ -342,8 +335,7 @@
notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_2_7
when: rhel9cis_rule_5_3_3_2_7
tags:
- level1-server
- level1-workstation
@ -356,4 +348,4 @@
dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
owner: root
group: root
mode: '0600'
mode: 'o-rwx'

9
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
when:
- rhel9cis_rule_5_3_3_3_1
when: rhel9cis_rule_5_3_3_3_1
tags:
- level1-server
- level1-workstation
@ -48,8 +47,7 @@
notify: Authselect update
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_3_2
when: rhel9cis_rule_5_3_3_3_2
tags:
- level1-server
- level1-workstation
@ -95,8 +93,7 @@
notify: Authselect update
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
when:
- rhel9cis_rule_5_3_3_3_3
when: rhel9cis_rule_5_3_3_3_3
tags:
- level1-server
- level1-workstation

12
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -28,8 +28,7 @@
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$)
@ -67,8 +66,7 @@
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$)
@ -107,8 +105,7 @@
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
@ -150,8 +147,7 @@
loop: "{{ discovered_pam_authtok.stdout_lines }}"
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
when: rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)

24
tasks/section_5/cis_5.4.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
when:
- rhel9cis_rule_5_4_1_1
when: rhel9cis_rule_5_4_1_1
tags:
- level1-server
- level1-workstation
@ -38,8 +37,7 @@
loop: "{{ discovered_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when:
- rhel9cis_rule_5_4_1_2
when: rhel9cis_rule_5_4_1_2
tags:
- level1-server
- level1-workstation
@ -70,8 +68,7 @@
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
when:
- rhel9cis_rule_5_4_1_3
when: rhel9cis_rule_5_4_1_3
tags:
- level1-server
- level1-workstation
@ -101,8 +98,7 @@
loop: "{{ discovered_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
when:
- rhel9cis_rule_5_4_1_4
when: rhel9cis_rule_5_4_1_4
tags:
- level1-server
- level1-workstation
@ -116,8 +112,7 @@
line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}'
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured"
when:
- rhel9cis_rule_5_4_1_5
when: rhel9cis_rule_5_4_1_5
tags:
- level1-server
- level1-workstation
@ -139,7 +134,7 @@
changed_when: true
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: discovered_passwdlck_user_list
@ -151,8 +146,7 @@
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
- rhel9cis_rule_5_4_1_6
when: rhel9cis_rule_5_4_1_6
tags:
- level1-server
- level1-workstation
@ -190,9 +184,9 @@
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
changed_when: true
when:
- discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
ansible.builtin.command: passwd --expire {{ item }}
changed_when: true
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"

14
tasks/section_5/cis_5.4.2.x.yml
View file

@ -56,8 +56,7 @@
loop: "{{ discovered_gid0_members.stdout_lines }}"
- name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group"
when:
- rhel9cis_rule_5_4_2_3
when: rhel9cis_rule_5_4_2_3
tags:
- level1-server
- level1-workstation
@ -96,8 +95,7 @@
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
when:
- rhel9cis_rule_5_4_2_4
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
@ -108,8 +106,7 @@
msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
when:
- rhel9cis_rule_5_4_2_5
when: rhel9cis_rule_5_4_2_5
tags:
- level1-server
- level1-workstation
@ -172,15 +169,14 @@
state: directory
owner: root
group: root
mode: '0755'
mode: 'go-w'
follow: false
loop: "{{ discovered_root_path_perms.results }}"
loop_control:
label: "{{ item }}"
- name: "5.4.2.6 | PATCH | Ensure root user umask is configured"
when:
- rhel9cis_rule_5_4_2_6
when: rhel9cis_rule_5_4_2_6
tags:
- level1-server
- level1-workstation

11
tasks/section_5/cis_5.4.3.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells"
when:
- rhel9cis_rule_5_4_3_1
when: rhel9cis_rule_5_4_3_1
tags:
- level2-server
- level2-workstation
@ -20,8 +19,7 @@
replace: ""
- name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured"
when:
- rhel9cis_rule_5_4_3_2
when: rhel9cis_rule_5_4_3_2
tags:
- level1-server
- level1-workstation
@ -33,7 +31,7 @@
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: '0644'
mode: 'go-wx'
block: |
TMOUT={{ rhel9cis_shell_session_timeout }}
readonly TMOUT
@ -43,8 +41,7 @@
- { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" }
- name: "5.4.3.3 | PATCH | Ensure default user umask is configured"
when:
- rhel9cis_rule_5_4_3_3
when: rhel9cis_rule_5_4_3_3
tags:
- level1-server
- level1-workstation

16
tasks/section_6/cis_6.2.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active"
when:
- rhel9cis_rule_6_2_1_1
when: rhel9cis_rule_6_2_1_1
tags:
- level1-server
- level1-workstation
@ -15,8 +14,7 @@
state: started
- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured"
when:
- rhel9cis_rule_6_2_1_2
when: rhel9cis_rule_6_2_1_2
tags:
- level1-server
- level1-workstation
@ -27,7 +25,7 @@
- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
ansible.builtin.file:
path: /usr/lib/tmpfiles.d/systemd.conf
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
ansible.builtin.stat:
@ -58,8 +56,7 @@
warn_control_id: '6.2.1.2'
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured"
when:
- rhel9cis_rule_6_2_1_3
when: rhel9cis_rule_6_2_1_3
tags:
- level1-server
- level1-workstation
@ -74,7 +71,7 @@
dest: /etc/systemd/journald.conf.d/rotation.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
ansible.builtin.replace:
@ -89,8 +86,7 @@
- '^(\s*MaxFileSec\s*=.*)'
- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use"
when:
- rhel9cis_rule_6_2_1_4
when: rhel9cis_rule_6_2_1_4
tags:
- level1-server
- level1-workstation

15
tasks/section_6/cis_6.2.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
when:
- rhel9cis_rule_6_2_2_2
when: rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
@ -21,7 +20,7 @@
dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
@ -30,8 +29,7 @@
replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
when:
- rhel9cis_rule_6_2_2_3
when: rhel9cis_rule_6_2_2_3
tags:
- level1-server
- level1-workstation
@ -47,7 +45,7 @@
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
@ -56,8 +54,7 @@
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
when:
- rhel9cis_rule_6_2_2_4
when: rhel9cis_rule_6_2_2_4
tags:
- level1-server
- level1-workstation
@ -74,7 +71,7 @@
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:

20
tasks/section_6/cis_6.2.3.x.yml
View file

@ -18,8 +18,7 @@
state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
when:
- rhel9cis_rule_6_2_3_2
when: rhel9cis_rule_6_2_3_2
tags:
- level1-server
- level1-workstation
@ -35,8 +34,7 @@
state: started
- name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
when:
- rhel9cis_rule_6_2_3_3
when: rhel9cis_rule_6_2_3_3
tags:
- level1-server
- level1-workstation
@ -54,8 +52,7 @@
notify: Restart rsyslog
- name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
when:
- rhel9cis_rule_6_2_3_4
when: rhel9cis_rule_6_2_3_4
tags:
- level1-server
- level1-workstation
@ -72,8 +69,7 @@
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
when:
- rhel9cis_rule_6_2_3_5
when: rhel9cis_rule_6_2_3_5
tags:
- level1-server
- level1-workstation
@ -200,8 +196,7 @@
notify: Restart rsyslog
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
when:
- rhel9cis_rule_6_2_3_7
when: rhel9cis_rule_6_2_3_7
tags:
- level1-server
- level1-workstation
@ -238,8 +233,7 @@
- 'InputTCPServerRun'
- name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured"
when:
- rhel9cis_rule_6_2_3_8
when: rhel9cis_rule_6_2_3_8
tags:
- level1-server
- level1-workstation
@ -266,4 +260,4 @@
dest: /etc/logrotate.d/rsyslog.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'

3
tasks/section_6/cis_6.2.4.1.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured"
when:
- rhel9cis_rule_6_2_4_1
when: rhel9cis_rule_6_2_4_1
tags:
- level1-server
- level1-workstation

6
tasks/section_6/cis_6.3.1.x.yml
View file

@ -51,8 +51,7 @@
changed_when: true
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
when:
- rhel9cis_rule_6_3_1_3
when: rhel9cis_rule_6_3_1_3
tags:
- level2-server
- level2-workstation
@ -92,8 +91,7 @@
changed_when: true
- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
when:
- rhel9cis_rule_6_3_1_4
when: rhel9cis_rule_6_3_1_4
tags:
- level2-server
- level2-workstation

12
tasks/section_6/cis_6.3.2.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured"
when:
- rhel9cis_rule_6_3_2_1
when: rhel9cis_rule_6_3_2_1
tags:
- level2-server
- level2-workstation
@ -17,8 +16,7 @@
notify: Restart auditd
- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
when:
- rhel9cis_rule_6_3_2_2
when: rhel9cis_rule_6_3_2_2
tags:
- level2-server
- level2-workstation
@ -33,8 +31,7 @@
notify: Restart auditd
- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
when:
- rhel9cis_rule_6_3_2_3
when: rhel9cis_rule_6_3_2_3
tags:
- level2-server
- level2-workstation
@ -55,8 +52,7 @@
- { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' }
- name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space"
when:
- rhel9cis_rule_6_3_2_4
when: rhel9cis_rule_6_3_2_4
tags:
- level2-server
- level2-workstation

66
tasks/section_6/cis_6.3.3.x.yml
View file

@ -2,8 +2,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
when:
- rhel9cis_rule_6_3_3_1
when: rhel9cis_rule_6_3_3_1
tags:
- level2-server
- level2-workstation
@ -16,8 +15,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
when:
- rhel9cis_rule_6_3_3_2
when: rhel9cis_rule_6_3_3_2
tags:
- level2-server
- level2-workstation
@ -30,8 +28,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
when:
- rhel9cis_rule_6_3_3_3
when: rhel9cis_rule_6_3_3_3
tags:
- level2-server
- level2-workstation
@ -43,8 +40,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
when:
- rhel9cis_rule_6_3_3_4
when: rhel9cis_rule_6_3_3_4
tags:
- level2-server
- level2-workstation
@ -58,8 +54,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
when:
- rhel9cis_rule_6_3_3_5
when: rhel9cis_rule_6_3_3_5
tags:
- level2-server
- level2-workstation
@ -73,8 +68,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
when:
- rhel9cis_rule_6_3_3_6
when: rhel9cis_rule_6_3_3_6
tags:
- level2-server
- level2-workstation
@ -97,8 +91,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
when:
- rhel9cis_rule_6_3_3_7
when: rhel9cis_rule_6_3_3_7
tags:
- level2-server
- level2-workstation
@ -111,8 +104,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
when:
- rhel9cis_rule_6_3_3_8
when: rhel9cis_rule_6_3_3_8
tags:
- level2-server
- level2-workstation
@ -125,8 +117,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
when:
- rhel9cis_rule_6_3_3_9
when: rhel9cis_rule_6_3_3_9
tags:
- level2-server
- level2-workstation
@ -140,8 +131,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
when:
- rhel9cis_rule_6_3_3_10
when: rhel9cis_rule_6_3_3_10
tags:
- level2-server
- level2-workstation
@ -154,8 +144,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
when:
- rhel9cis_rule_6_3_3_11
when: rhel9cis_rule_6_3_3_11
tags:
- level2-server
- level2-workstation
@ -168,8 +157,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
when:
- rhel9cis_rule_6_3_3_12
when: rhel9cis_rule_6_3_3_12
tags:
- level2-server
- level2-workstation
@ -182,8 +170,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
when:
- rhel9cis_rule_6_3_3_13
when: rhel9cis_rule_6_3_3_13
tags:
- level2-server
- level2-workstation
@ -197,8 +184,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
when:
- rhel9cis_rule_6_3_3_14
when: rhel9cis_rule_6_3_3_14
tags:
- level2-server
- level2-workstation
@ -212,8 +198,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
when:
- rhel9cis_rule_6_3_3_15
when: rhel9cis_rule_6_3_3_15
tags:
- level2-server
- level2- workstation
@ -228,8 +213,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
when:
- rhel9cis_rule_6_3_3_16
when: rhel9cis_rule_6_3_3_16
tags:
- level2-server
- level2-workstation
@ -244,8 +228,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
when:
- rhel9cis_rule_6_3_3_17
when: rhel9cis_rule_6_3_3_17
tags:
- level2-server
- level2-workstation
@ -260,8 +243,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
when:
- rhel9cis_rule_6_3_3_18
when: rhel9cis_rule_6_3_3_18
tags:
- level2-server
- level2-workstation
@ -276,8 +258,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
when:
- rhel9cis_rule_6_3_3_19
when: rhel9cis_rule_6_3_3_19
tags:
- level2-server
- level2-workstation
@ -291,8 +272,7 @@
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
when:
- rhel9cis_rule_6_3_3_20
when: rhel9cis_rule_6_3_3_20
tags:
- level2-server
- level2-workstation
@ -306,8 +286,7 @@
update_audit_template: true
- name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
when:
- rhel9cis_rule_6_3_3_21
when: rhel9cis_rule_6_3_3_21
tags:
- level2-server
- level2-workstation
@ -321,8 +300,7 @@
- "Please run augenrules --load if you suspect there is a configuration that is not active"
- name: Auditd | 6.3.3.x | Auditd controls updated
when:
- update_audit_template
when: update_audit_template
ansible.builtin.debug:
msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
changed_when: false

21
tasks/section_6/cis_6.3.4.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured"
when:
- rhel9cis_rule_6_3_4_1
when: rhel9cis_rule_6_3_4_1
tags:
- level2-server
- level2-workstation
@ -39,8 +38,7 @@
group: root
- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
when:
- rhel9cis_rule_6_3_4_5
when: rhel9cis_rule_6_3_4_5
tags:
- level2-server
- level2-workstation
@ -57,8 +55,7 @@
label: "{{ item.path }}"
- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured"
when:
- rhel9cis_rule_6_3_4_6
when: rhel9cis_rule_6_3_4_6
tags:
- level2-server
- level2-workstation
@ -75,8 +72,7 @@
label: "{{ item.path }}"
- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured"
when:
- rhel9cis_rule_6_3_4_7
when: rhel9cis_rule_6_3_4_7
tags:
- level2-server
- level2-workstation
@ -93,8 +89,7 @@
label: "{{ item.path }}"
- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured"
when:
- rhel9cis_rule_6_3_4_8
when: rhel9cis_rule_6_3_4_8
tags:
- level2-server
- level2-workstation
@ -108,8 +103,7 @@
loop: "{{ audit_bins }}"
- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured"
when:
- rhel9cis_rule_6_3_4_9
when: rhel9cis_rule_6_3_4_9
tags:
- level2-server
- level2-workstation
@ -123,8 +117,7 @@
loop: "{{ audit_bins }}"
- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured"
when:
- rhel9cis_rule_6_3_4_10
when: rhel9cis_rule_6_3_4_10
tags:
- level2-server
- level2-workstation

10
tasks/section_7/cis_7.1.x.yml
View file

@ -83,7 +83,7 @@
path: /etc/shadow
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when:
@ -100,7 +100,7 @@
path: /etc/shadow-
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when:
@ -117,7 +117,7 @@
path: /etc/gshadow
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when:
@ -134,7 +134,7 @@
path: /etc/gshadow-
owner: root
group: root
mode: '0000'
mode: 'ugo-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when:
@ -196,7 +196,7 @@
- rhel9cis_no_world_write_adjust
ansible.builtin.file:
path: '{{ item }}'
mode: o-w
mode: 'o-w'
state: touch
loop: "{{ discovered_world_writable.stdout_lines }}"

1
tasks/warning_facts.yml
View file

@ -1,5 +1,4 @@
---
# This task is used to create variables used in giving a warning summary for manual tasks
# that need attention
#