From dc5f71d461dc514a4c1629f33e76d2d1b03f60bd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Mar 2022 11:09:55 +0100 Subject: [PATCH] removed not required files Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.11.yml | 17 ----- tasks/section_1/cis_1.6.x.yml | 54 --------------- tasks/section_1/cis_1.7.1.x.yml | 117 -------------------------------- tasks/section_1/cis_1.8.1.x.yml | 96 -------------------------- tasks/section_1/cis_1.8.2.yml | 27 -------- tasks/section_2/cis_2.1.1.yml | 14 ---- tasks/section_2/cis_2.2.1.x.yml | 42 ------------ 7 files changed, 367 deletions(-) delete mode 100644 tasks/section_1/cis_1.11.yml delete mode 100644 tasks/section_1/cis_1.6.x.yml delete mode 100644 tasks/section_1/cis_1.7.1.x.yml delete mode 100644 tasks/section_1/cis_1.8.1.x.yml delete mode 100644 tasks/section_1/cis_1.8.2.yml delete mode 100644 tasks/section_2/cis_2.1.1.yml delete mode 100644 tasks/section_2/cis_2.2.1.x.yml diff --git a/tasks/section_1/cis_1.11.yml b/tasks/section_1/cis_1.11.yml deleted file mode 100644 index bfd8806..0000000 --- a/tasks/section_1/cis_1.11.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "1.11 | L2 | PATCH | Ensure system-wide crypto policy is FUTURE or FIPS" - shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - update-crypto-policies - args: - warn: false - when: - - rhel9cis_rule_1_11 - - system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies - tags: - - level2-server - - level2-workstation - - not system_is_ec2 - - patch - - rule_1.11 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml deleted file mode 100644 index 1b37c0d..0000000 --- a/tasks/section_1/cis_1.6.x.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted" - block: - - name: "1.6.1 | L1 | Ensure core dumps are restricted | Update limits.conf file" - lineinfile: - state: present - dest: /etc/security/limits.conf - regexp: '^#?\\*.*core' - line: '* hard core 0' - insertbefore: '^# End of file' - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | Set active kernel parameter" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | if systemd coredump" - lineinfile: - path: /etc/systemd/coredump.conf - regexp: "{{ item.regexp }}" - line: "{{ item.regexp }}{{ item.line }}" - state: present - with_items: - - {'regexp': 'Storage=', 'line': 'none'} - - {'regexp': 'ProcessSizeMax=', 'line': '0'} - notify: - - systemd_daemon_reload - when: - - systemd_coredump.stat.exists - when: - - rhel9cis_rule_1_6_1 - tags: - - level1-server - - level1-workstation - - scored - - sysctl - - patch - - rule_1.6.1 - -- name: "1.6.2 | L1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - when: - - rhel9cis_rule_1_6_2 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.6.2 diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml deleted file mode 100644 index ded7128..0000000 --- a/tasks/section_1/cis_1.7.1.x.yml +++ /dev/null @@ -1,117 +0,0 @@ ---- - -- name: "1.7.1.1 | L2 | PATCH | Ensure SELinux is installed" - package: - name: libselinux - state: present - when: - - rhel9cis_rule_1_7_1_1 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.1 - -- name: "1.7.1.2 | L2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: - dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' - replace: '' - register: selinux_grub_patch - ignore_errors: true - notify: grub2cfg - when: - - rhel9cis_rule_1_7_1_2 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.2 - -- name: "1.7.1.3 | L2 | PATCH | Ensure SELinux policy is configured" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_3 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.3 - -- name: "1.7.1.4 | L2 | PATCH | Ensure the SELinux state is enforcing" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_4 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.4 - -- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist" - block: - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - args: - warn: false - register: rhelcis_1_7_1_5_unconf_daemons - failed_when: false - changed_when: false - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones" - debug: - msg: "Good News! There are no unconfined daemons found on your system" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length == 0 - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones" - debug: - msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length > 0 - when: - - rhel9cis_rule_1_7_1_5 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.7.1.5 - -- name: "1.7.1.6 | L2 | PATCH | Ensure SETroubleshoot is not installed" - package: - name: setroubleshoot - state: absent - when: - - rhel9cis_rule_1_7_1_6 - - "'setroubleshoot' in ansible_facts.packages" - tags: - - level2-server - - scored - - selinux - - patch - - rule_1.7.1.6 - -- name: "1.7.1.7 | L2 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: - name: mcstrans - state: absent - when: - - rhel9cis_rule_1_7_1_7 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.7 diff --git a/tasks/section_1/cis_1.8.1.x.yml b/tasks/section_1/cis_1.8.1.x.yml deleted file mode 100644 index d8cbec3..0000000 --- a/tasks/section_1/cis_1.8.1.x.yml +++ /dev/null @@ -1,96 +0,0 @@ ---- - -- name: "1.8.1.1 | L1 | PATCH | Ensure message of the day is configured properly" - template: - src: etc/motd.j2 - dest: /etc/motd - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_1 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.8.1.1 - -- name: "1.8.1.2 | L1 | PATCH | Ensure local login warning banner is configured properly" - template: - src: etc/issue.j2 - dest: /etc/issue - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.2 - -- name: "1.8.1.3 | L1 | PATCH | Ensure remote login warning banner is configured properly" - template: - src: etc/issue.net.j2 - dest: /etc/issue.net - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_3 - tags: - - level1-server - - level1-workstation - - banner - - patch - - rule_1.8.1.3 - -- name: "1.8.1.4 | L1 | PATCH | Ensure permissions on /etc/motd are configured" - file: - dest: /etc/motd - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_4 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.4 - -- name: "1.8.1.5 | L1 | PATCH | Ensure permissions on /etc/issue are configured" - file: - dest: /etc/issue - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_5 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.5 - -- name: "1.8.1.6 | L1 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: - dest: /etc/issue.net - state: file - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_8_1_6 - tags: - - level1-server - - level1-workstation - - perms - - patch - - rule_1.8.1.6 diff --git a/tasks/section_1/cis_1.8.2.yml b/tasks/section_1/cis_1.8.2.yml deleted file mode 100644 index be371dc..0000000 --- a/tasks/section_1/cis_1.8.2.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: "1.8.2 | L1 | PATCH | Ensure GDM login banner is configured" - lineinfile: - dest: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - owner: root - group: root - mode: 0644 - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } - when: - - rhel9cis_gui - - rhel9cis_rule_1_8_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.2 diff --git a/tasks/section_2/cis_2.1.1.yml b/tasks/section_2/cis_2.1.1.yml deleted file mode 100644 index 5b56364..0000000 --- a/tasks/section_2/cis_2.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "2.1.1 | L1 | PATCH | Ensure xinetd is not installed" - package: - name: xinetd - state: absent - when: - - rhel9cis_rule_2_1_1 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_2.1.1 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml deleted file mode 100644 index 8b8b39c..0000000 --- a/tasks/section_2/cis_2.2.1.x.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- - -- name: "2.2.1.1 | L1 | PATCH | Ensure time synchronization is in use - service install" - package: - name: "{{ rhel9cis_time_synchronization }}" - state: present - when: - - rhel9cis_rule_2_2_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.1 - -- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured" - block: - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | Set configuration" - template: - src: chrony.conf.j2 - dest: /etc/chrony.conf - owner: root - group: root - mode: 0644 - - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - lineinfile: - dest: /etc/sysconfig/chronyd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u chrony\"" - state: present - create: true - mode: 0644 - when: - - rhel9cis_time_synchronization == "chrony" - - rhel9cis_rule_2_2_1_2 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.2