sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Update Changelog with fixes

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-09-02 17:14:30 -04:00
parent 39c7dfa187
commit de7555aa10
No known key found for this signature in database
GPG key ID: D29987C25A47D813
4 changed files with 12 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Changelog.md
View file

@ -1,7 +1,7 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 2.0.3 - Based on CIS v2.0.0 ## 2.0.3 - Based on CIS v2.0.0
- update command to shell module on tasks
- addressed issue 371 thanks to @bgro and kodebach - addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo - addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g - addressed issue 364 thanks to @polski-g

20
tasks/prelim.yml
View file

@ -167,6 +167,7 @@
current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}" current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}"
- name: "PRELIM | AUDIT | Set facts based on boot type" - name: "PRELIM | AUDIT | Set facts based on boot type"
tags: always
block: block:
- name: "PRELIM | AUDIT | Check whether machine is UEFI-based" - name: "PRELIM | AUDIT | Check whether machine is UEFI-based"
ansible.builtin.stat: ansible.builtin.stat:
@ -185,17 +186,14 @@
grub2_path: /etc/grub2-efi.cfg grub2_path: /etc/grub2-efi.cfg
- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
tags: tags: always
- always
ansible.builtin.stat: ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present register: prelim_gnome_present
- name: "PRELIM | PATCH | Install dconf if gui installed" - name: "PRELIM | PATCH | Install dconf if gui installed"
when: when: rhel9cis_gui
- rhel9cis_gui tags: always
tags:
- always
ansible.builtin.package: ansible.builtin.package:
name: dconf name: dconf
state: present state: present
@ -204,8 +202,7 @@
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2
- not system_is_container - not system_is_container
tags: tags: always
- always
block: block:
- name: "PRELIM | AUDIT | Discover is wireless adapter on system" - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
@ -251,9 +248,7 @@
state: touch state: touch
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when: when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11
- rhel9cis_rule_5_1_10 or
rhel9cis_rule_5_1_11
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
register: prelim_sshd_50_redhat_file register: prelim_sshd_50_redhat_file
@ -361,7 +356,6 @@
prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}" prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}"
- name: "PRELIM | AUDIT | Gather the package facts after prelim" - name: "PRELIM | AUDIT | Gather the package facts after prelim"
tags: tags: always
- always
ansible.builtin.package_facts: ansible.builtin.package_facts:
manager: auto manager: auto

5
tasks/section_1/cis_1.6.x.yml
View file

@ -21,12 +21,14 @@
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- sshd
- automated - automated
- patch - patch
- rule_1.6.2 - rule_1.6.2
- NIST800-53R5_SC-8 - NIST800-53R5_SC-8
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
- NIST800-53R5_AC-17- NIST800-53R5_SC-6 - NIST800-53R5_AC-17
- NIST800-53R5_SC-6
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd path: /etc/sysconfig/sshd
regexp: ^CRYPTO_POLICY\s*= regexp: ^CRYPTO_POLICY\s*=
@ -76,7 +78,6 @@
- rule_1.6.4 - rule_1.6.4
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2

2
tasks/section_4/cis_4.3.x.yml
View file

@ -81,7 +81,7 @@
register: discovered_nftables_inconnectionrule register: discovered_nftables_inconnectionrule
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_outconnectionrule register: discovered_nftables_outconnectionrule