forked from ansible-lockdown/RHEL9-CIS
import_tasks file added
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
e202d4bd68
commit
a67a484971
6 changed files with 88 additions and 44 deletions
|
|
@ -1,59 +1,77 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "SECTION | 1.1.1.x | Disable unused filesystems"
|
- name: "SECTION | 1.1.1.x | Disable unused filesystems"
|
||||||
ansible.builtin.import_tasks: cis_1.1.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.2.x | Configure /tmp"
|
- name: "SECTION | 1.1.2.x | Configure /tmp"
|
||||||
ansible.builtin.import_tasks: cis_1.1.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.2.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.3.x | Configure /var"
|
- name: "SECTION | 1.1.3.x | Configure /var"
|
||||||
ansible.builtin.import_tasks: cis_1.1.3.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.3.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.4.x | Configure /var/tmp"
|
- name: "SECTION | 1.1.4.x | Configure /var/tmp"
|
||||||
ansible.builtin.import_tasks: cis_1.1.4.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.4.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.5.x | Configure /var/log"
|
- name: "SECTION | 1.1.5.x | Configure /var/log"
|
||||||
ansible.builtin.import_tasks: cis_1.1.5.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.5.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.6.x | Configure /var/log/audit"
|
- name: "SECTION | 1.1.6.x | Configure /var/log/audit"
|
||||||
ansible.builtin.import_tasks: cis_1.1.6.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.6.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.7.x | Configure /home"
|
- name: "SECTION | 1.1.7.x | Configure /home"
|
||||||
ansible.builtin.import_tasks: cis_1.1.7.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.7.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.8.x | Configure /dev/shm"
|
- name: "SECTION | 1.1.8.x | Configure /dev/shm"
|
||||||
ansible.builtin.import_tasks: cis_1.1.8.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.8.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.1.x | Disable various mounting"
|
- name: "SECTION | 1.1.x | Disable various mounting"
|
||||||
ansible.builtin.import_tasks: cis_1.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.2 | Configure Software Updates"
|
- name: "SECTION | 1.2 | Configure Software Updates"
|
||||||
ansible.builtin.import_tasks: cis_1.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.2.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.3 | Filesystem Integrity Checking"
|
- name: "SECTION | 1.3 | Filesystem Integrity Checking"
|
||||||
ansible.builtin.import_tasks: cis_1.3.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.3.x.yml
|
||||||
when: rhel9cis_config_aide
|
when: rhel9cis_config_aide
|
||||||
|
|
||||||
- name: "SECTION | 1.4 | Secure Boot Settings"
|
- name: "SECTION | 1.4 | Secure Boot Settings"
|
||||||
ansible.builtin.import_tasks: cis_1.4.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.4.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.5 | Additional Process Hardening"
|
- name: "SECTION | 1.5 | Additional Process Hardening"
|
||||||
ansible.builtin.import_tasks: cis_1.5.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.5.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.6 | Mandatory Access Control"
|
- name: "SECTION | 1.6 | Mandatory Access Control"
|
||||||
include_tasks: cis_1.6.1.x.yml
|
ansible.builtin.include_tasks:
|
||||||
|
file: cis_1.6.1.x.yml
|
||||||
when: not rhel9cis_selinux_disable
|
when: not rhel9cis_selinux_disable
|
||||||
|
|
||||||
- name: "SECTION | 1.7 | Command Line Warning Banners"
|
- name: "SECTION | 1.7 | Command Line Warning Banners"
|
||||||
ansible.builtin.import_tasks: cis_1.7.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.7.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.8 | Gnome Display Manager"
|
- name: "SECTION | 1.8 | Gnome Display Manager"
|
||||||
ansible.builtin.import_tasks: cis_1.8.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.8.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.9 | Updates and Patches"
|
- name: "SECTION | 1.9 | Updates and Patches"
|
||||||
ansible.builtin.import_tasks: cis_1.9.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_1.9.yml
|
||||||
|
|
||||||
- name: "SECTION | 1.10 | Crypto policies"
|
- name: "SECTION | 1.10 | Crypto policies"
|
||||||
include_tasks: cis_1.10.yml
|
ansible.builtin.include_tasks:
|
||||||
|
file: cis_1.10.yml
|
||||||
when:
|
when:
|
||||||
- not system_is_ec2
|
- not system_is_ec2
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,17 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "SECTION | 2.1 | Time Synchronization"
|
- name: "SECTION | 2.1 | Time Synchronization"
|
||||||
ansible.builtin.import_tasks: cis_2.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_2.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 2.2 | Special Purpose Services"
|
- name: "SECTION | 2.2 | Special Purpose Services"
|
||||||
ansible.builtin.import_tasks: cis_2.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_2.2.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 2.3 | Service Clients"
|
- name: "SECTION | 2.3 | Service Clients"
|
||||||
ansible.builtin.import_tasks: cis_2.3.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_2.3.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 2.4 | Nonessential services removed"
|
- name: "SECTION | 2.4 | Nonessential services removed"
|
||||||
ansible.builtin.import_tasks: cis_2.4.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_2.4.yml
|
||||||
|
|
|
||||||
|
|
@ -1,16 +1,21 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
|
- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
|
||||||
ansible.builtin.import_tasks: cis_3.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_3.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 3.2.x | Network Parameters (Host Only)"
|
- name: "SECTION | 3.2.x | Network Parameters (Host Only)"
|
||||||
ansible.builtin.import_tasks: cis_3.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_3.2.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
|
- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
|
||||||
ansible.builtin.import_tasks: cis_3.3.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_3.3.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 3.4.1.x | Firewall configuration"
|
- name: "SECTION | 3.4.1.x | Firewall configuration"
|
||||||
ansible.builtin.import_tasks: cis_3.4.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_3.4.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 3.4.2.x | Configure firewall"
|
- name: "SECTION | 3.4.2.x | Configure firewall"
|
||||||
ansible.builtin.import_tasks: cis_3.4.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_3.4.2.x.yml
|
||||||
|
|
|
||||||
|
|
@ -1,29 +1,37 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "SECTION | 4.1 | Configure System Accounting (auditd)"
|
- name: "SECTION | 4.1 | Configure System Accounting (auditd)"
|
||||||
ansible.builtin.import_tasks: cis_4.1.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.1.1.x.yml
|
||||||
when:
|
when:
|
||||||
- not system_is_container
|
- not system_is_container
|
||||||
|
|
||||||
- name: "SECTION | 4.1.2 | Configure Data Retention"
|
- name: "SECTION | 4.1.2 | Configure Data Retention"
|
||||||
ansible.builtin.import_tasks: cis_4.1.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.1.2.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 4.1.3 | Configure Auditd rules"
|
- name: "SECTION | 4.1.3 | Configure Auditd rules"
|
||||||
ansible.builtin.import_tasks: cis_4.1.3.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.1.3.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 4.1.4 | Configure Audit files"
|
- name: "SECTION | 4.1.4 | Configure Audit files"
|
||||||
ansible.builtin.import_tasks: cis_4.1.4.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.1.4.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 4.2 | Configure Logging"
|
- name: "SECTION | 4.2 | Configure Logging"
|
||||||
ansible.builtin.import_tasks: cis_4.2.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.2.1.x.yml
|
||||||
when: rhel9cis_syslog == 'rsyslog'
|
when: rhel9cis_syslog == 'rsyslog'
|
||||||
|
|
||||||
- name: "SECTION | 4.2.2 | Configure journald"
|
- name: "SECTION | 4.2.2 | Configure journald"
|
||||||
ansible.builtin.import_tasks: cis_4.2.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.2.2.x.yml
|
||||||
when: rhel9cis_syslog == 'journald'
|
when: rhel9cis_syslog == 'journald'
|
||||||
|
|
||||||
- name: "SECTION | 4.2.3 | Configure logile perms"
|
- name: "SECTION | 4.2.3 | Configure logile perms"
|
||||||
ansible.builtin.import_tasks: cis_4.2.3.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.2.3.yml
|
||||||
|
|
||||||
- name: "SECTION | 4.3 | Configure logrotate"
|
- name: "SECTION | 4.3 | Configure logrotate"
|
||||||
ansible.builtin.import_tasks: cis_4.3.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_4.3.yml
|
||||||
|
|
|
||||||
|
|
@ -3,24 +3,31 @@
|
||||||
# Access, Authentication, and Authorization
|
# Access, Authentication, and Authorization
|
||||||
|
|
||||||
- name: "SECTION | 5.1 | Configure time-based job schedulers"
|
- name: "SECTION | 5.1 | Configure time-based job schedulers"
|
||||||
ansible.builtin.import_tasks: cis_5.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 5.2 | Configure SSH Server"
|
- name: "SECTION | 5.2 | Configure SSH Server"
|
||||||
ansible.builtin.import_tasks: cis_5.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.2.x.yml
|
||||||
when:
|
when:
|
||||||
- "'openssh-server' in ansible_facts.packages"
|
- "'openssh-server' in ansible_facts.packages"
|
||||||
|
|
||||||
- name: "SECTION | 5.3 | Configure privilege escalation"
|
- name: "SECTION | 5.3 | Configure privilege escalation"
|
||||||
ansible.builtin.import_tasks: cis_5.3.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.3.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 5.4 | Configure authselect"
|
- name: "SECTION | 5.4 | Configure authselect"
|
||||||
ansible.builtin.import_tasks: cis_5.4.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.4.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 5.5 | Configure PAM "
|
- name: "SECTION | 5.5 | Configure PAM "
|
||||||
ansible.builtin.import_tasks: cis_5.5.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.5.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
|
- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
|
||||||
ansible.builtin.import_tasks: cis_5.6.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.6.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 5.6.x | Misc. User Account Settings"
|
- name: "SECTION | 5.6.x | Misc. User Account Settings"
|
||||||
ansible.builtin.import_tasks: cis_5.6.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_5.6.x.yml
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,9 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "SECTION | 6.1 | System File Permissions"
|
- name: "SECTION | 6.1 | System File Permissions"
|
||||||
ansible.builtin.import_tasks: cis_6.1.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_6.1.x.yml
|
||||||
|
|
||||||
- name: "SECTION | 6.2 | User and Group Settings"
|
- name: "SECTION | 6.2 | User and Group Settings"
|
||||||
ansible.builtin.import_tasks: cis_6.2.x.yml
|
ansible.builtin.import_tasks:
|
||||||
|
file: cis_6.2.x.yml
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue