Merge branch 'workflow_update' into updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-08-23 16:31:45 +01:00 · 2022-08-23 16:31:45 +01:00 · d7be86e31c
commit d7be86e31c
parent 90500ceccf 4853d45ca7
8 changed files with 76 additions and 456 deletions
--- a/.github/workflows/github_networks.tf
+++ b/.github/workflows/github_networks.tf
@ -1,11 +1,53 @@
 resource "aws_vpc" "Main" {
  cidr_block       = var.main_vpc_cidr
-  tags       = var.instance_tags
+  instance_tenancy = "default"
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-VPC"
+  }
 }

 resource "aws_internet_gateway" "IGW" {
  vpc_id = aws_vpc.Main.id
  tags = {
+    Environment = "${var.environment}"
    Name        = "${var.namespace}-IGW"
  }
 }
+
+resource "aws_subnet" "publicsubnets" {
+  vpc_id            = aws_vpc.Main.id
+  cidr_block        = var.public_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-pubsub"
+  }
+}
+
+resource "aws_subnet" "Main" {
+  vpc_id     = aws_vpc.Main.id
+  cidr_block = var.private_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-prvsub"
+  }
+}
+
+resource "aws_route_table" "PublicRT" {
+  vpc_id = aws_vpc.Main.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.IGW.id
+  }
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-publicRT"
+  }
+}
+
+resource "aws_route_table_association" "rt_associate_public" {
+  subnet_id      = aws_subnet.Main.id
+  route_table_id = aws_route_table.PublicRT.id
+}
--- a/.github/workflows/github_vars.tfvars
+++ b/.github/workflows/github_vars.tfvars
@ -4,6 +4,7 @@
 // 

 namespace   = "github_actions"
+environment = "lockdown_github_repo_workflow"

 // Matching pair name found in AWS for keypairs PEM key
 ami_key_pair_name = "github_actions"
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@ -73,7 +73,7 @@ jobs:
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+        run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false

 ## Debug Section
      - name: DEBUG - Show Ansible hostfile
@ -81,18 +81,9 @@ jobs:
        working-directory: .github/workflows
        run: cat hosts.yml

-# Centos 7 images take a while to come up insert sleep or playbook fails
+# Aws deployments taking a while to come up insert sleep or playbook fails

-      - name: Check if test os is rhel7
-        working-directory: .github/workflows
-        id: test_os
-        run: >-
-          echo "::set-output name=RHEL7::$(
-          grep -c RHEL7 OS.tfvars
-          )"
-
-      - name: if RHEL7 - Sleep for 60 seconds
-        #if: steps.test_os.outputs.RHEL7 >= 1
+      - name: Sleep for 60 seconds
        run: sleep 60s
        shell: bash

@ -117,4 +108,4 @@ jobs:
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+        run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@ -5,9 +5,6 @@ provider "aws" {

 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic

-data "aws_vpc" "default" {
-  default = true
-}

 resource "random_id" "server" {
  keepers = {
@ -19,8 +16,8 @@ resource "random_id" "server" {
 }

 resource "aws_security_group" "github_actions" {
-  name   = "${var.namespace}-${random_id.server.hex}"
-  vpc_id = data.aws_vpc.default.id
+  name   = "${var.namespace}-${random_id.server.hex}-SG"
+  vpc_id = aws_vpc.Main.id

  ingress {
    from_port   = 22
@ -43,6 +40,7 @@ resource "aws_security_group" "github_actions" {
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
+    Environment = "${var.environment}"
    Name        = "${var.namespace}-SG"
  }
 }
@ -51,11 +49,13 @@ resource "aws_security_group" "github_actions" {

 resource "aws_instance" "testing_vm" {
  ami                         = var.ami_id
+  availability_zone           = var.availability_zone
  associate_public_ip_address = true
  key_name                    = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
  instance_type               = var.instance_type
  tags                        = var.instance_tags
  vpc_security_group_ids      = [aws_security_group.github_actions.id]
+  subnet_id                   = aws_subnet.Main.id
  root_block_device {
    delete_on_termination = true
  }
@ -80,3 +80,4 @@ resource "local_file" "inventory" {
        audit_git_version: devel
    EOF
 }
+
--- a/.github/workflows/terraform.tfvars
+++ b/.github/workflows/terraform.tfvars
@ -1,4 +1,5 @@
 // vars should be loaded by OSname.tfvars
+availability_zone      = "us-east-1b"
 aws_region             = "us-east-1"
 ami_os                 = var.ami_os
 ami_username           = var.ami_username
--- a/.github/workflows/variables.tf
+++ b/.github/workflows/variables.tf
@ -6,6 +6,12 @@ variable "aws_region" {
  type        = string
 }

+variable "availability_zone" {
+  description = "List of availability zone in the region"
+  default     = "us-east-1b"
+  type        = string
+}
+
 variable "instance_type" {
  description = "EC2 Instance Type"
  default     = "t3.micro"
@ -52,6 +58,11 @@ variable "namespace" {
  type        = string
 }

+variable "environment" {
+  description = "Env Name used across all tags"
+  type        = string
+}
+
 // taken from github_vars.tfvars &

 variable "main_vpc_cidr" {
--- a/Changelog.md
+++ b/Changelog.md
@ -35,6 +35,8 @@
 - added more to logrotate 4.3.x - sure to logrotate now a seperate package
 - grub path now standard to /boot/grub2/grub.cfg
 - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
+- workflow update
+- removed doc update

 ## 0.1

--- a/templates/ansible_vars_goss.yml.old
+++ b/templates/ansible_vars_goss.yml.old
@ -1,429 +0,0 @@
-## metadata for Audit benchmark
-benchmark_version: '1.0.1'
-
-# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
-is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %}
-
-rhel9cis_os_distribution: {{ ansible_distribution | lower }}
-
-# timeout for each command to run where set - default = 10seconds/10000ms
-timeout_ms: {{ audit_cmd_timeout }}
-
-# Taken from LE rhel8-cis
-rhel9cis_section1: {{ rhel9cis_section1 }}
-rhel9cis_section2: {{ rhel9cis_section2 }}
-rhel9cis_section3: {{ rhel9cis_section3 }}
-rhel9cis_section4: {{ rhel9cis_section4 }}
-rhel9cis_section5: {{ rhel9cis_section5 }}
-rhel9cis_section6: {{ rhel9cis_section6 }}
-
-rhel9cis_level_1: {{ rhel9cis_level_1 }}
-rhel9cis_level_2: {{ rhel9cis_level_2 }}
-
-rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
-
-
-
-# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
-run_heavy_tests: true
-{% if rhel9cis_legacy_boot is defined %}
-rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
-{% endif %}
-
-
-rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
-# These variables correspond with the CIS rule IDs or paragraph numbers defined in
-# the CIS benchmark documents.
-# PLEASE NOTE: These work in coordination with the section # group variables and tags.
-# You must enable an entire section in order for the variables below to take effect.
-# Section 1 rules
-rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
-rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
-rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
-rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }}
-rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }}
-rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }}
-rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }}
-rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }}
-rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }}
-rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }}
-rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }}
-rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
-rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
-rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }}
-rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }}
-rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }}
-rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }}
-rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }}
-rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }}
-rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }}
-rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }}
-rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }}
-rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }}
-rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }}
-rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }}
-rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }}
-rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %}  # Only run if Redhat and Subscribed
-rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
-rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
-rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
-rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }}
-rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
-rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
-rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
-rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
-rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
-rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
-rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
-rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
-rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
-
-rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
-rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
-rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
-rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }}
-rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }}
-rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }}
-rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }}
-rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }}
-rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }}
-rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }}
-rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }}
-rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }}
-rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
-rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
-rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
-rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
-
-
-# section 2 rules
-rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
-rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }}
-rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }}
-rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
-rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
-rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
-rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }}
-rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }}
-rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }}
-rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }}
-rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }}
-rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }}
-rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }}
-rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }}
-rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }}
-rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }}
-rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
-rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
-rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
-rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
-rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
-rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
-rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
-
-
-# Section 3 rules
-rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
-rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
-rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
-rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
-rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }}
-rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }}
-rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }}
-rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }}
-rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }}
-rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }}
-rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }}
-rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
-rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
-rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
-rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
-rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
-rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
-rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
-rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }}
-rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
-rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
-rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
-rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }}
-rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }}
-
-
-# Section 4 rules
-rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
-rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }}
-rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }}
-rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }}
-rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }}
-rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }}
-rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }}
-rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }}
-rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }}
-rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }}
-rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }}
-rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }}
-rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }}
-rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }}
-rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }}
-rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }}
-rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }}
-rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }}
-rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }}
-rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }}
-rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }}
-rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }}
-rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
-rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
-rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }}
-rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }}
-rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }}
-rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }}
-rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }}
-rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }}
-rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }}
-rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
-rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
-
-# Section 5
-rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
-rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
-rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
-rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }}
-rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }}
-rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
-rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
-rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
-
-rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
-rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
-rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
-rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }}
-rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }}
-rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }}
-rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }}
-rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }}
-rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }}
-rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }}
-rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }}
-rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }}
-rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }}
-rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }}
-rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }}
-rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }}
-rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }}
-rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }}
-rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }}
-rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }}
-
-rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }}
-rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }}
-rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }}
-
-rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }}
-rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }}
-rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }}
-rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }}
-
-rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }}
-rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }}
-rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }}
-rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }}
-rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }}
-
-rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }}
-rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }}
-rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }}
-rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }}
-
-rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }}
-rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }}
-
-# Section 6
-rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
-rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
-rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
-rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }}
-rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }}
-rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }}
-rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }}
-rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }}
-rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }}
-rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }}
-rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }}
-rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }}
-rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }}
-rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }}
-
-rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }}
-rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }}
-rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }}
-rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }}
-rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }}
-rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }}
-rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }}
-rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }}
-rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }}
-rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }}
-rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }}
-rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }}
-rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }}
-rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }}
-rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }}
-rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }}
-rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }}
-rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }}
-rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }}
-rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
-
-
-# Service configuration booleans set true to keep service
-rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
-rhel9cis_cups_server: {{ rhel9cis_cups_server }}
-rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
-rhel9cis_dns_server: {{ rhel9cis_dns_server }}
-rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
-rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
-rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
-rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
-rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
-rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }}
-rhel9cis_samba_server: {{ rhel9cis_samba_server }}
-rhel9cis_squid_server: {{ rhel9cis_squid_server }}
-rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
-rhel9cis_nis_server: {{ rhel9cis_nis_server }}
-rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
-rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
-rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
-rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
-rhel9cis_rsync_server: {{ rhel9cis_rsync_server }}
-
-
-rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
-
-# client services
-rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
-rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
-rhel9cis_talk_required: {{ rhel9cis_talk_required }}
-rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
-rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
-rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
-
-
-
-
-# AIDE
-rhel9cis_config_aide: {{ rhel9cis_config_aide }}
-
-# aide setup via - cron, timer
-rhel9_aide_scan: cron
-
-# AIDE cron settings
-rhel9cis_aide_cron:
-  cron_user: {{ rhel9cis_aide_cron.cron_user }}
-  cron_file: '{{ rhel9cis_aide_cron.cron_file }}'
-  aide_job: ' {{ rhel9cis_aide_cron.aide_job }}'
-  aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}'
-  aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}'
-  aide_day: '{{ rhel9cis_aide_cron.aide_day }}'
-  aide_month: '{{ rhel9cis_aide_cron.aide_month }}'
-  aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}'
-
-# 1.5.1 Bootloader password
-rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }}
-rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
-
-# 1.10 crypto
-rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
-
-# Warning Banner Content (issue, issue.net, motd)
-rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
-# End Banner
-
-
-# Whether or not to run tasks related to auditing/patching the desktop environment
-rhel9cis_gui: {{ rhel9cis_gui }}
-
-# xinetd required
-rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
-
-# IPv6 required
-rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
-
-# System network parameters (host only OR host and router)
-rhel9cis_is_router: {{ rhel9cis_is_router }}
-
-
-rhel9cis_firewall: {{ rhel9cis_firewall }}
-#rhel9cis_firewall: iptables
-rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }}
-rhel9cis_firewall_interface: 
- enp0s3 
- enp0s8
-
-rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
-
-
-### Section 4
-## auditd settings
-rhel9cis_auditd:
-  space_left_action: {{ rhel9cis_auditd.space_left_action}}
-  action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }}
-  admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }}
-  max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }}
-  auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }}
-
-## syslog
-rhel9_cis_rsyslog: true
-
-### Section 5
-rhel9cis_sshd_limited: false
-#Note the following to understand precedence and layout
-rhel9cis_sshd_access:
-  AllowUser:
-  AllowGroup:
-  DenyUser:
-  DenyGroup:
-
-rhel9cis_ssh_aliveinterval: "300"
-rhel9cis_ssh_countmax: "3"
-
-rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}
-
-## PAM
-rhel9cis_pam_password: 
-  minlen: {{ rhel9cis_pam_password.minlen }}
-  minclass: {{ rhel9cis_pam_password.minclass }}
-rhel9cis_pam_passwd_retry: "3"
-# faillock or tally2
-rhel9cis_accountlock: faillock
-
-## note this is to skip tests
-skip_rhel9cis_pam_passwd_auth: true
-skip_rhel9cis_pam_system_auth: true
-
-# choose one of below
-rhel9cis_pwhistory_so: "14"
-rhel9cis_unix_so: false
-rhel9cis_passwd_remember: "5"
-
-# logins.def password settings
-rhel9cis_pass:
-  max_days: {{ rhel9cis_pass.max_days }}
-  min_days: {{ rhel9cis_pass.min_days }}
-  warn_age: {{ rhel9cis_pass.warn_age }}
-
-# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example
-rhel9cis_authselect:
-  custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
-  default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }}
-  options: {{ rhel9cis_authselect.options }}
-
-# 5.3.1 Enable automation to creat custom profile settings, using the setings above
-rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
-
-# 5.3.2 Enable automation to select custom profile options, using the settings above
-rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }}
-
-# 5.7
-rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }}
-rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}