Initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-01-07 09:06:18 +00:00 · 2022-01-07 09:06:18 +00:00 · a54b5216eb
commit a54b5216eb
87 changed files with 7693 additions and 0 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,134 @@
+---
+# handlers file for RHEL9-CIS
+
+- name: sysctl flush ipv4 route table
+  become: yes
+  sysctl:
+      name: net.ipv4.route.flush
+      value: '1'
+      sysctl_set: yes
+  ignore_errors: yes
+  when: ansible_virtualization_type != "docker"
+  tags:
+      - skip_ansible_lint
+
+- name: sysctl flush ipv6 route table
+  become: yes
+  sysctl:
+      name: net.ipv6.route.flush
+      value: '1'
+      sysctl_set: yes
+  when: ansible_virtualization_type != "docker"
+
+- name: update sysctl
+  template:
+      src: etc/99-sysctl.conf.j2
+      dest: /etc/sysctl.d/99-sysctl.conf
+      owner: root
+      group: root
+      mode: 0600
+  notify: reload sysctl
+  when: ansible_virtualization_type != "docker"
+
+- name: reload sysctl
+  sysctl:
+    name: net.ipv4.route.flush
+    value: '1'
+    state: present
+    reload: yes
+    ignoreerrors: yes
+  when: ansible_virtualization_type != "docker"
+
+- name: systemd restart tmp.mount
+  become: yes
+  systemd:
+      name: tmp.mount
+      daemon_reload: yes
+      enabled: yes
+      masked: no
+      state: reloaded
+
+- name: systemd restart var-tmp.mount
+  become: yes
+  systemd:
+      name: var-tmp.mount
+      daemon_reload: yes
+      enabled: yes
+      masked: no
+      state: reloaded
+
+- name: remount tmp
+  command: mount -o remount /tmp
+  args:
+      warn: false
+
+- name: restart firewalld
+  become: yes
+  service:
+      name: firewalld
+      state: restarted
+
+- name: restart xinetd
+  become: yes
+  service:
+      name: xinetd
+      state: restarted
+
+- name: restart sshd
+  become: yes
+  service:
+      name: sshd
+      state: restarted
+
+- name: restart postfix
+  become: yes
+  service:
+      name: postfix
+      state: restarted
+
+- name: reload dconf
+  become: yes
+  command: dconf update
+
+- name: update auditd
+  template:
+      src: audit/99_auditd.rules.j2
+      dest: /etc/audit/rules.d/99_auditd.rules
+      owner: root
+      group: root
+      mode: 0600
+  notify: restart auditd
+
+- name: restart auditd
+  command: /sbin/service auditd restart
+  changed_when: no
+  check_mode: no
+  failed_when: no
+  args:
+      warn: no
+  when:
+      - not rhel9cis_skip_for_travis
+  tags:
+      - skip_ansible_lint
+
+- name: grub2cfg
+  command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
+  ignore_errors: True
+  tags:
+      - skip_ansible_lint
+
+- name: restart rsyslog
+  become: yes
+  service:
+      name: rsyslog
+      state: restarted
+
+- name: restart syslog-ng
+  become: yes
+  service:
+      name: syslog-ng
+      state: restarted
+
+- name: systemd_daemon_reload
+  systemd:
+      daemon-reload: yes