forked from ansible-lockdown/RHEL9-CIS
import_tasks file added
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
af20f70f24
commit
c5ed197e03
19 changed files with 57 additions and 30 deletions
6
site.yml
6
site.yml
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- hosts: all # noqa: name[play]
|
||||
|
||||
- name: Apply RHEL9 CIS hardening
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
roles:
|
||||
|
||||
- role: "{{ playbook_dir }}"
|
||||
|
|
|
|||
|
|
@ -20,7 +20,8 @@
|
|||
- Restart auditd
|
||||
|
||||
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: 'Auditd template updated, see diff output for details'
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -46,7 +46,8 @@
|
|||
- skip_reboot
|
||||
|
||||
- name: "POST | Warning a reboot required but skip option set | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
when:
|
||||
- change_requires_reboot
|
||||
- skip_reboot
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
|
||||
vars:
|
||||
warn_control_id: '1.1.2.1'
|
||||
required_mount: '/tmp'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '1.1.3.1'
|
||||
required_mount: '/var'
|
||||
|
|
|
|||
|
|
@ -8,7 +8,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '1.1.4.1'
|
||||
required_mount: '/var/tmp'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
|
||||
vars:
|
||||
warn_control_id: '1.1.5.1'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
|
||||
vars:
|
||||
warn_control_id: '1.1.6.1'
|
||||
|
|
|
|||
|
|
@ -7,7 +7,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
|
||||
vars:
|
||||
warn_control_id: '1.1.7.1'
|
||||
|
|
|
|||
|
|
@ -15,7 +15,8 @@
|
|||
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
|
||||
|
||||
- name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
when: rhel9cis_1_8_1_1_mount_check.rc == 1
|
||||
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -73,7 +73,8 @@
|
|||
- "{{ dnf_configured.stdout_lines }}"
|
||||
|
||||
- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '1.2.3'
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -93,7 +93,8 @@
|
|||
when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
|
||||
|
||||
- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
|
||||
vars:
|
||||
warn_control_id: '1.6.1.6'
|
||||
|
|
|
|||
|
|
@ -25,7 +25,8 @@
|
|||
- "{{ rhel9cis_2_4_sockets.stdout_lines }}"
|
||||
|
||||
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yamlfacts.yml
|
||||
vars:
|
||||
warn_control_id: '2.4'
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -46,7 +46,8 @@
|
|||
- not rhel9cis_nft_tables_autonewtable
|
||||
|
||||
- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yamlfacts.yml
|
||||
when:
|
||||
- rhel9cis_3_4_2_2_nft_tables.stdout | length == 0
|
||||
- not rhel9cis_nft_tables_autonewtable
|
||||
|
|
|
|||
|
|
@ -88,7 +88,8 @@
|
|||
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
|
||||
|
||||
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
|
||||
vars:
|
||||
warn_control_id: '4.2.2.2'
|
||||
|
|
|
|||
|
|
@ -39,7 +39,8 @@
|
|||
loop: "{{ log_rotates.files }}"
|
||||
|
||||
- name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '4.3'
|
||||
when: log_rotates.matched > 0
|
||||
|
|
|
|||
|
|
@ -97,7 +97,8 @@
|
|||
- not rhel9cis_futurepwchgdate_autofix
|
||||
|
||||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
when:
|
||||
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
||||
- not rhel9cis_futurepwchgdate_autofix
|
||||
|
|
|
|||
|
|
@ -177,7 +177,8 @@
|
|||
when: rhel_09_6_1_10_unowned_files_found
|
||||
|
||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.1.10'
|
||||
when: rhel_09_6_1_10_unowned_files_found
|
||||
|
|
@ -223,7 +224,8 @@
|
|||
when: rhel_09_6_1_11_ungrouped_files_found
|
||||
|
||||
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.1.11'
|
||||
when: rhel_09_6_1_11_ungrouped_files_found
|
||||
|
|
@ -279,7 +281,8 @@
|
|||
when: rhel9_6_1_13_suid_found
|
||||
|
||||
- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.1.13'
|
||||
when: rhel9_6_1_13_suid_found
|
||||
|
|
@ -321,7 +324,8 @@
|
|||
when: rhel9_6_1_14_sgid_found
|
||||
|
||||
- name: "6.1.14 | AUDIT | Audit SGID executables| warning"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.1.14'
|
||||
when: rhel9_6_1_14_sgid_found
|
||||
|
|
@ -362,7 +366,8 @@
|
|||
The file list can be found in {{ rhel9cis_rpm_audit_file }}"
|
||||
|
||||
- name: "6.1.15 | AUDIT | Audit system file permissions | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.1.15'
|
||||
when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0
|
||||
|
|
|
|||
|
|
@ -15,7 +15,8 @@
|
|||
when: shadow_passwd.stdout | length > 0
|
||||
|
||||
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.2.1'
|
||||
when: shadow_passwd.stdout | length >= 1
|
||||
|
|
@ -59,7 +60,8 @@
|
|||
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.2.3'
|
||||
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
|
||||
|
|
@ -87,7 +89,8 @@
|
|||
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
|
||||
vars:
|
||||
warn_control_id: '6.2.4'
|
||||
|
|
@ -115,7 +118,8 @@
|
|||
when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.2.5'
|
||||
when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1
|
||||
|
|
@ -144,7 +148,8 @@
|
|||
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
|
||||
|
||||
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.2.6'
|
||||
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
|
||||
|
|
@ -173,7 +178,8 @@
|
|||
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
|
||||
|
||||
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count"
|
||||
ansible.builtin.import_tasks: warning_facts.yml
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yaml
|
||||
vars:
|
||||
warn_control_id: '6.2.7'
|
||||
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue