sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Initial

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-07 09:06:18 +00:00
commit a54b5216eb
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
87 changed files with 7693 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

147
tasks/section_5/cis_5.1.x.yml Normal file
View file

@ -0,0 +1,147 @@
---
- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled"
service:
name: crond
enabled: yes
when:
- rhel9cis_rule_5_1_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.1
- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured"
file:
dest: /etc/crontab
owner: root
group: root
mode: 0600
when:
- rhel9cis_rule_5_1_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.2
- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
file:
dest: /etc/cron.hourly
state: directory
owner: root
group: root
mode: 0700
when:
- rhel9cis_rule_5_1_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.3
- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured"
file:
dest: /etc/cron.daily
state: directory
owner: root
group: root
mode: 0700
when:
- rhel9cis_rule_5_1_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.4
- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
file:
dest: /etc/cron.weekly
state: directory
owner: root
group: root
mode: 0700
when:
- rhel9cis_rule_5_1_5
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.5
- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
file:
dest: /etc/cron.monthly
state: directory
owner: root
group: root
mode: 0700
when:
- rhel9cis_rule_5_1_6
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.6
- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured"
file:
dest: /etc/cron.d
state: directory
owner: root
group: root
mode: 0700
when:
- rhel9cis_rule_5_1_7
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.7
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users"
block:
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny"
file:
dest: /etc/at.deny
state: absent
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists"
stat:
path: "/etc/at.allow"
register: p
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users"
file:
dest: /etc/at.allow
state: '{{ "file" if p.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny"
file:
dest: /etc/cron.deny
state: absent
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists"
stat:
path: "/etc/cron.allow"
register: p
- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
file:
dest: /etc/cron.allow
state: '{{ "file" if p.stat.exists else "touch" }}'
owner: root
group: root
mode: 0600
when:
- rhel9cis_rule_5_1_8
tags:
- level1-server
- level1-workstation
- patch
- rule_5.1.8