forked from ansible-lockdown/RHEL9-CIS
updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent 1dbe8b2706
commit b16d09aa82
1 changed file with 14 additions and 120 deletions
README.md: 134 lines changed
@ -41,6 +41,11 @@
Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
### Contributing
Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed.
Refer to [Contributing Guide](./CONTRIBUTING.rst)
---
## Caution(s)
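Review bot: the added Contributing line runs two sentences together and never says how to sign off; suggest `Issues and Pull requests are welcome. Please ensure that all commits are signed-off (git commit -s) and GPG-signed.` The new `### Contributing` heading also sits one level below the surrounding `## Join us` / `## Caution(s)` sections while describing a top-level topic, so consider promoting it to `##` for consistency with the rest of the README.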
@ -60,10 +65,10 @@ To use release version please point to main branch and relevant release for the
It is possible to to only run level 1 or level 2 controls for CIS.
This is managed using tags:
- level1_server
- level1_workstation
- level2_server
- level2_workstation
- level1-server
- level1-workstation
- level2-server
- level2-workstation
The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component.
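Review bot: renaming the tags from underscore to hyphen form (`level1_server` to `level1-server`, and likewise for the other three) silently breaks any existing playbook or CLI run that passes `--tags level1_server`; the README should state that this is a breaking change and which release introduced it, or the old names should be kept as aliases so both forms keep working. While in this hunk, the unchanged context lines carry typos worth fixing in the same commit: `to to only run` and `the testing thet takes place`, and `The control found in defaults main also need to reflect this as this control the testing` should name the actual variable and file (defaults/main.yml) so a reader can find the setting that has to match the chosen level.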
@ -123,7 +128,7 @@ OracleLinux 9
- jmespath ( complete list found in requirements.txt)
- collections found in collections/requirememnts.yml
pre-commit is available if installed
pre-commit is available if installed on your host for pull request testing.
## Role Variables
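Review bot: the reworded pre-commit line is fine, but the context line two above it reads `collections/requirememnts.yml`; if the file in the repository is actually `collections/requirements.yml`, fix the path in the same commit so readers can copy it straight into `ansible-galaxy collection install -r`. The adjacent `- jmespath ( complete list found in requirements.txt)` line also has a stray space after the opening parenthesis.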
@ -173,119 +178,8 @@ uses:
## Local Testing
ansible-base 2.10.17 - python 3.8
ansible-core 2.13.4 - python 3.10
- ansible-base 2.10.17 - python 3.8
- ansible-core 2.13.4 - python 3.10
- ansible-core 2.15.1 - python 3.11
- makefile - this is there purely for testing and initial setup purposes.
## v1.0.0 - released Dec 2022



## Join us
On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
## Caution(s)
This role **will make changes to the system** which may have unintended concequences.
This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
To use release version please point to main branch
## Documentation
- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
## Requirements
RHEL 9
Almalinux 9
Rocky 9
OracleLinux 9
ansible 2.10
jmespath
relevant collections
- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)
## Tested with
ansible-base 2.10.17 - python 3.8
ansible-core 2.13.4 - python 3.10
- makefile - this is there purely for testing and initial setup purposes.
## General
- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
- [Main Ansible documentation page](https://docs.ansible.com)
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing.
- Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file
## Dependencies
- Python3
- Ansible 2.9+
- python-def (should be included in RHEL 9)
- libselinux-python
- pip packages
- jmespath ( complete list found in requirements.txt)
- collections found in collections/requirememnts.yml
### Known Issues
CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var).
- Rocky and Alma not affected.
Variable used to unset.
rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability
makefile - this is there purely for testing and initial setup purposes.
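Review bot: this hunk removes more than the duplicated `Join us`, `Caution(s)`, `Documentation`, `Requirements`, `Tested with`, `General` and `Dependencies` blocks: it also drops the `### Known Issues` section, which states that CIS 1.2.4 `repo_gpgcheck` is not applied on RedHat hosts (nor EPEL) and documents the `rhel9cis_rhel_default_repo: true` variable that controls it. That is a security-relevant gap users need to be told about; if it still applies, keep that section (or move it into the role documentation) instead of deleting it, and expand the `updated` commit message to say what was consolidated and what was intentionally removed. The added `- ansible-core 2.15.1 - python 3.11` bullet and the conversion of the two bare `ansible-*` lines into list items look correct.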