updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-03-30 16:18:11 +01:00 · 2022-03-30 16:18:11 +01:00 · c6caa90059
commit c6caa90059
parent 398bc5bd0c
36 changed files with 2584 additions and 2078 deletions
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -1,18 +1,20 @@
 ---

- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled"
+- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
  service:
      name: crond
-      enabled: true
+      enabled: yes
  when:
      - rhel9cis_rule_5_1_1
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.1

- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured"
+- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
  file:
      dest: /etc/crontab
      owner: root
@ -23,10 +25,12 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.2

- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
+- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
  file:
      dest: /etc/cron.hourly
      state: directory
@ -38,10 +42,12 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.3

- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured"
+- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
  file:
      dest: /etc/cron.daily
      state: directory
@ -53,10 +59,12 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.4

- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
+- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
  file:
      dest: /etc/cron.weekly
      state: directory
@ -71,7 +79,7 @@
      - patch
      - rule_5.1.5

- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
+- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
  file:
      dest: /etc/cron.monthly
      state: directory
@ -83,10 +91,11 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
      - rule_5.1.6

- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured"
+- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
  file:
      dest: /etc/cron.d
      state: directory
@ -98,43 +107,27 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.7

- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users"
+- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users"
  block:
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny"
-        file:
-            dest: /etc/at.deny
-            state: absent
-
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists"
-        stat:
-            path: "/etc/at.allow"
-        register: p
-
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users"
-        file:
-            dest: /etc/at.allow
-            state: '{{ "file" if  p.stat.exists else "touch" }}'
-            owner: root
-            group: root
-            mode: 0600
-
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny"
+      - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
        file:
            dest: /etc/cron.deny
            state: absent

-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists"
+      - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists"
        stat:
            path: "/etc/cron.allow"
-        register: p
+        register: rhel9cis_5_1_8_cron_allow_state

-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
+      - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
        file:
            dest: /etc/cron.allow
-            state: '{{ "file" if  p.stat.exists else "touch" }}'
+            state: '{{ "file" if  rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
            owner: root
            group: root
            mode: 0600
@ -143,5 +136,36 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.8
+
+- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users"
+  block:
+      - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
+        file:
+            dest: /etc/at.deny
+            state: absent
+
+      - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users  | Check if at.allow exists"
+        stat:
+            path: "/etc/at.allow"
+        register: rhel9cis_5_1_9_at_allow_state
+
+      - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
+        file:
+            dest: /etc/at.allow
+            state: '{{ "file" if  rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
+            owner: root
+            group: root
+            mode: 0600
+  when:
+      - rhel9cis_rule_5_1_9
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - cron
+      - rule_5.1.9