forked from ansible-lockdown/RHEL9-CIS
updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
398bc5bd0c
commit
c6caa90059
36 changed files with 2584 additions and 2078 deletions
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
|
||||
- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured"
|
||||
- name: "5.5.2 | PATCH | Ensure system accounts are secured"
|
||||
block:
|
||||
- name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin"
|
||||
- name: "5.5.2 | Ensure system accounts are secured | Set nologin"
|
||||
user:
|
||||
name: "{{ item.id }}"
|
||||
shell: /usr/sbin/nologin
|
||||
|
|
@ -13,11 +13,11 @@
|
|||
- item.id != "sync"
|
||||
- item.id != "shutdown"
|
||||
- item.id != "halt"
|
||||
- item.uid < 1000
|
||||
- rhel9cis_int_gid | int > item.gid
|
||||
- item.shell != " /bin/false"
|
||||
- item.shell != " /usr/sbin/nologin"
|
||||
|
||||
- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts"
|
||||
- name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts"
|
||||
user:
|
||||
name: "{{ item.id }}"
|
||||
password_lock: true
|
||||
|
|
@ -28,7 +28,7 @@
|
|||
- item.id != "shutdown"
|
||||
- item.id != "sync"
|
||||
- item.id != "root"
|
||||
- min_int_uid | int >= item.uid
|
||||
- rhel9cis_int_gid | int > item.gid
|
||||
- item.shell != " /bin/false"
|
||||
- item.shell != " /usr/sbin/nologin"
|
||||
when:
|
||||
|
|
@ -39,15 +39,15 @@
|
|||
- patch
|
||||
- rule_5.5.2
|
||||
|
||||
- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less"
|
||||
- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
|
||||
blockinfile:
|
||||
create: true
|
||||
create: yes
|
||||
mode: 0644
|
||||
dest: "{{ item.dest }}"
|
||||
state: "{{ item.state }}"
|
||||
marker: "# {mark} ANSIBLE MANAGED"
|
||||
block: |
|
||||
# Set session timeout - CIS ID RHEL-09-5.4.5
|
||||
# Set session timeout - CIS ID RHEL-08-5.4.5
|
||||
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
|
||||
export TMOUT
|
||||
readonly TMOUT
|
||||
|
|
@ -62,10 +62,8 @@
|
|||
- patch
|
||||
- rule_5.5.3
|
||||
|
||||
- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
|
||||
shell: usermod -g 0 root
|
||||
args:
|
||||
warn: false
|
||||
- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0"
|
||||
command: usermod -g 0 root
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
when:
|
||||
|
|
@ -76,15 +74,15 @@
|
|||
- patch
|
||||
- rule_5.5.4
|
||||
|
||||
- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive"
|
||||
- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive"
|
||||
block:
|
||||
- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
|
||||
- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
|
||||
replace:
|
||||
path: /etc/bashrc
|
||||
regexp: '(^\s+umask) 0[012][0-6]'
|
||||
replace: '\1 027'
|
||||
|
||||
- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
|
||||
- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
|
||||
replace:
|
||||
path: /etc/profile
|
||||
regexp: '(^\s+umask) 0[012][0-6]'
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue