Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-12 13:47:13 +00:00
parent 3321547bfa
commit dae7d03c34
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
7 changed files with 48 additions and 48 deletions


@ -1,7 +1,7 @@
--- ---
- name: "3.4.1.1 | PATCH | Ensure nftables is installed" - name: "3.4.1.1 | PATCH | Ensure nftables is installed"
package: ansible.builtin.package:
name: name:
- nftables - nftables
state: present state: present
@ -38,7 +38,7 @@
- rhel9cis_firewall == 'firewalld' - rhel9cis_firewall == 'firewalld'
- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
systemd: ansible.builtin.systemd:
name: "{{ rhel9cis_firewall }}" name: "{{ rhel9cis_firewall }}"
enabled: true enabled: true
state: started state: started


@ -3,13 +3,13 @@
- name: "4.1.1.1 | PATCH | Ensure auditd is installed" - name: "4.1.1.1 | PATCH | Ensure auditd is installed"
block: block:
- name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
package: ansible.builtin.package:
name: audit name: audit
state: present state: present
when: '"auditd" not in ansible_facts.packages' when: '"auditd" not in ansible_facts.packages'
- name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
package: ansible.builtin.package:
name: audit-libs name: audit-libs
state: present state: present
when: '"auditd-lib" not in ansible_facts.packages' when: '"auditd-lib" not in ansible_facts.packages'
@ -25,14 +25,14 @@
- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
block: block:
- name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_4_1_1_2_grub_cmdline_linux register: rhel9cis_4_1_1_2_grub_cmdline_linux
- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
replace: ansible.builtin.replace:
dest: /etc/default/grub dest: /etc/default/grub
regexp: 'audit=.' regexp: 'audit=.'
replace: 'audit=1' replace: 'audit=1'
@ -40,7 +40,7 @@
when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
lineinfile: ansible.builtin.lineinfile:
path: /etc/default/grub path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX=' regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"'
@ -59,14 +59,14 @@
- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
block: block:
- name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_4_1_1_3_grub_cmdline_linux register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
replace: ansible.builtin.replace:
dest: /etc/default/grub dest: /etc/default/grub
regexp: 'audit_backlog_limit=\d+' regexp: 'audit_backlog_limit=\d+'
replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}'
@ -74,7 +74,7 @@
when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
lineinfile: ansible.builtin.lineinfile:
path: /etc/default/grub path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX=' regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
@ -91,7 +91,7 @@
- rule_4.1.1.3 - rule_4.1.1.3
- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" - name: "4.1.1.4 | PATCH | Ensure auditd service is enabled"
service: ansible.builtin.systemd:
name: auditd name: auditd
state: started state: started
enabled: true enabled: true
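Review bot: The kernel-cmdline rewrite at `line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"'` (and its 4.1.1.3 twin with `audit_backlog_limit`) assumes the grep step returned a double-quoted `GRUB_CMDLINE_LINUX=` value, because `sed 's/.$//'` unconditionally drops the last character and the closing quote is re-added by hand; with `failed_when: false` on that shell step, a missing or unquoted setting produces an empty or truncated stdout and lineinfile then writes a malformed ` audit=1"` line into /etc/default/grub, which the later grub config regeneration will consume. A regex edit that never discards characters and needs no pre-read is safer: `ansible.builtin.replace` with `regexp: '^(GRUB_CMDLINE_LINUX="[^"]*)"$'` and `replace: '\1 audit=1"'`, or at minimum guard the lineinfile with `when: rhel9cis_4_1_1_2_grub_cmdline_linux.stdout is search('^GRUB_CMDLINE_LINUX=')`. Separately, the guards `when: '"auditd" not in ansible_facts.packages'` and `'"auditd-lib" not in ansible_facts.packages'` test names that differ from the packages installed right above them (`audit`, `audit-libs`), so those conditions are effectively always true; the package module is idempotent so nothing breaks, but the guards should name the real packages or be dropped. The 4.1.1.2 and 4.1.1.3 blocks, including the `when` on each lineinfile task, continue outside their hunks.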


@ -1,7 +1,7 @@
--- ---
- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured"
lineinfile: ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)" regexp: "^max_log_file( |=)"
line: "max_log_file = {{ rhel9cis_max_log_file_size }}" line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
@ -17,7 +17,7 @@
- rule_4.1.2.1 - rule_4.1.2.1
- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
lineinfile: ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^max_log_file_action" regexp: "^max_log_file_action"
line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
@ -32,7 +32,7 @@
- rule_4.1.2.2 - rule_4.1.2.2
- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
lineinfile: ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
@ -51,7 +51,7 @@
- rule_4.1.2.3 - rule_4.1.2.3
- name: PATCH | Configure other keys for auditd.conf - name: PATCH | Configure other keys for auditd.conf
lineinfile: ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf path: /etc/audit/auditd.conf
regexp: "^{{ item }}( |=)" regexp: "^{{ item }}( |=)"
line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"


@ -70,7 +70,7 @@
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block: block:
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
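Review bot: The filesystem walk at `ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i ...` relies on unformatted `df` output, which wraps long device names onto a second line and includes non-local mounts, so `$NF` can yield a device path instead of a mount point and remote filesystems may be scanned; `find $i` is also unquoted, and `failed_when: false` together with `2>/dev/null` hide every find error, so a mount that cannot be walked silently drops its setuid/setgid binaries from whatever this task's result presumably feeds (its `register:` and the consumers are outside the hunk). The POSIX form used by the CIS audit text avoids the wrapping and quotes the variable: `for i in $(df --local -P | awk '{ if (NR!=1) print $6 }'); do find "$i" -xdev \( -type f -perm -4000 -o -type f -perm -2000 \) 2>/dev/null; done`. The duplicated task name on the block and its inner task also makes the play output ambiguous; a `| Find privileged commands` suffix on the inner task would distinguish them.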


@ -188,7 +188,7 @@
- name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}"
regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root"
line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -'