forked from ansible-lockdown/RHEL9-CIS
update var naming
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
4f566974c9
commit
9196e916fc
4 changed files with 45 additions and 28 deletions
|
|
@ -42,7 +42,7 @@
|
|||
notify: Set Crypto Policy
|
||||
|
||||
- name: Set Crypto Policy
|
||||
when: rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
|
||||
when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
|
||||
ansible.builtin.shell: |
|
||||
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
|
||||
update-crypto-policies
|
||||
|
|
@ -91,13 +91,9 @@
|
|||
ansible.builtin.systemd:
|
||||
daemon-reload: true
|
||||
|
||||
- name: Apply_authselect
|
||||
when: not rhel9cis_rule_5_4_2
|
||||
- name: Authselect update
|
||||
ansible.builtin.shell: authselect apply-changes
|
||||
|
||||
- name: Apply_authselect
|
||||
when: rhel9cis_rule_5_4_2
|
||||
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
|
||||
## Auditd tasks note order for handlers to run
|
||||
|
||||
- name: Auditd immutable check
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@
|
|||
- name: "1.5.4 | PATCH | Ensure core dump storage is disabled"
|
||||
when:
|
||||
- rhel9cis_rule_1_5_4
|
||||
- systemd_coredump.stat.exists
|
||||
- prelim_systemd_coredump.stat.exists
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
|
|||
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
- name: "6.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
|
||||
when:
|
||||
- ubtu22cis_rule_6_2_2_1_1
|
||||
- not ubtu22cis_system_is_log_server
|
||||
- rhel9cis_rule_6_2_2_1_1
|
||||
- not rhel9cis_system_is_log_server
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -19,8 +19,8 @@
|
|||
|
||||
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
|
||||
when:
|
||||
- ubtu22cis_rule_6_2_2_1_2
|
||||
- not ubtu22cis_system_is_log_server
|
||||
- rhel9cis_rule_6_2_2_1_2
|
||||
- not rhel9cis_system_is_log_server
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -35,15 +35,15 @@
|
|||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
loop:
|
||||
- { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'}
|
||||
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'}
|
||||
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'}
|
||||
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'}
|
||||
- { regexp: 'URL=', line: 'URL={{ rhel9cis_remote_log_server }}'}
|
||||
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
|
||||
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
|
||||
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
|
||||
|
||||
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
|
||||
when:
|
||||
- not ubtu22cis_system_is_log_server
|
||||
- ubtu22cis_rule_6_2_2_1_3
|
||||
- not rhel9cis_system_is_log_server
|
||||
- rhel9cis_rule_6_2_2_1_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -59,8 +59,8 @@
|
|||
|
||||
- name: "6.2.2.1.4 | PATCH | Ensure systemd-journal-remote service is not in use"
|
||||
when:
|
||||
- not ubtu22cis_system_is_log_server
|
||||
- ubtu22cis_rule_6_2_2_1_4
|
||||
- not rhel9cis_system_is_log_server
|
||||
- rhel9cis_rule_6_2_2_1_4
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -81,7 +81,7 @@
|
|||
|
||||
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
|
||||
when:
|
||||
- ubtu22cis_rule_6_2_2_2
|
||||
- rhel9cis_rule_6_2_2_2
|
||||
tags:
|
||||
- level1-server
|
||||
- level2-workstation
|
||||
|
|
@ -110,7 +110,7 @@
|
|||
|
||||
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
|
||||
when:
|
||||
- ubtu22cis_rule_6_2_2_3
|
||||
- rhel9cis_rule_6_2_2_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -136,7 +136,7 @@
|
|||
|
||||
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
|
||||
when:
|
||||
- ubtu22cis_rule_6_2_2_4
|
||||
- rhel9cis_rule_6_2_2_4
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
ansible.builtin.lineinfile:
|
||||
path: /etc/audit/auditd.conf
|
||||
regexp: "^max_log_file( |=)"
|
||||
line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}"
|
||||
line: "max_log_file = {{ rhel9cis_auditd_max_log_file_size }}"
|
||||
notify: Restart auditd
|
||||
|
||||
- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
|
||||
|
|
@ -29,7 +29,7 @@
|
|||
ansible.builtin.lineinfile:
|
||||
path: /etc/audit/auditd.conf
|
||||
regexp: "^max_log_file_action"
|
||||
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
|
||||
line: "max_log_file_action = {{ rhel9cis_auditd_max_log_file_action }}"
|
||||
notify: Restart auditd
|
||||
|
||||
- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
|
||||
|
|
@ -51,11 +51,32 @@
|
|||
line: "{{ item.line }}"
|
||||
notify: Restart auditd
|
||||
loop:
|
||||
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
|
||||
- { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' }
|
||||
- { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' }
|
||||
- { regexp: '^disk_full_action', line: 'disk_full_action = {{ rhel9cis_auditd_disk_full_action }}' }
|
||||
- { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' }
|
||||
|
||||
- name: PATCH | Configure other keys for auditd.conf
|
||||
- name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space"
|
||||
when:
|
||||
- rhel9cis_rule_6_3_2_4
|
||||
tags:
|
||||
- level2-server
|
||||
- level2-workstation
|
||||
- patch
|
||||
- auditd
|
||||
- rule_6.3.2.4
|
||||
- NIST800-53R5_AU-2
|
||||
- NIST800-53R5_AU-8
|
||||
- NIST800-53R5_AU-12
|
||||
- NIST800-53R5_SI-5
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/audit/auditd.conf
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
notify: Restart auditd
|
||||
loop:
|
||||
- { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd_space_left_action }}' }
|
||||
- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd_admin_space_left_action }}' }
|
||||
|
||||
- name: "PATCH | Configure other keys for auditd.conf"
|
||||
when:
|
||||
- rhel9cis_auditd_extra_conf.keys() | length > 0
|
||||
- rhel9cis_auditd_extra_conf_usage
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue