forked from ansible-lockdown/RHEL9-CIS
section 4 updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
95ad5fac9d
commit
e62e5630b4
10 changed files with 413 additions and 270 deletions
|
|
@ -3,7 +3,7 @@
|
|||
## metadata for benchmark
|
||||
|
||||
## metadata for Audit benchmark
|
||||
benchmark_version: '2.0.0'
|
||||
benchmark_version: '1.0.0'
|
||||
|
||||
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
|
||||
# If run via script this is discovered and set
|
||||
|
|
@ -44,7 +44,6 @@ rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
|
|||
# 1.1.1 Disable unused filesystems
|
||||
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
|
||||
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
|
||||
rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
|
||||
# 1.1.2 Configure /tmp
|
||||
rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }}
|
||||
rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }}
|
||||
|
|
@ -74,28 +73,25 @@ rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }}
|
|||
rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }}
|
||||
rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }}
|
||||
rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }}
|
||||
rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }}
|
||||
rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }}
|
||||
# 1.1.8 Configure /dev/shm
|
||||
rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }}
|
||||
rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }}
|
||||
rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }}
|
||||
# 1.9 autofs
|
||||
rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }}
|
||||
# 1.9 usb-storage
|
||||
rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
|
||||
# 1.10 usb-storage
|
||||
rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
|
||||
# 1.2 Configure Software Updates
|
||||
rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed
|
||||
rhel9cis_rule_1_2_1: {{ rhel9cis_rule_1_2_1 }}
|
||||
rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
|
||||
rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
|
||||
rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
|
||||
# 1.3 Filesystem Integrity Checking
|
||||
rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
|
||||
rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
|
||||
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
|
||||
# 1.4 Secure Boot Settings
|
||||
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
|
||||
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
|
||||
rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
|
||||
# 1.5 Additional Process Hardening
|
||||
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
|
||||
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
|
||||
|
|
@ -108,6 +104,7 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }}
|
|||
rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }}
|
||||
rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }}
|
||||
rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }}
|
||||
rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }}
|
||||
# 1.7 Command Line Warning Banners
|
||||
rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }}
|
||||
rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }}
|
||||
|
|
@ -121,6 +118,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
|
|||
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }}
|
||||
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }}
|
||||
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }}
|
||||
rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }}
|
||||
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }}
|
||||
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }}
|
||||
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }}
|
||||
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }}
|
||||
# 1.9 Ensure updates, patches, and additional security software are installed
|
||||
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
|
||||
# Ensure system-wide crypto policy is not legacy
|
||||
|
|
@ -151,24 +153,19 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
|
|||
rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
|
||||
rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
|
||||
rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
|
||||
rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }}
|
||||
rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }}
|
||||
# 2.3 service clients
|
||||
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
|
||||
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
|
||||
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
|
||||
rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }}
|
||||
rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }}
|
||||
rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }}
|
||||
|
||||
rhel9cis_rule_2_4: true # todo
|
||||
rhel9cis_rule_2_4: true
|
||||
|
||||
# Section 3 rules
|
||||
# 3.1 Disable unused network protocols and devices
|
||||
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
|
||||
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
|
||||
rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
|
||||
rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }}
|
||||
# 3.2 Network Parameters (Host Only)
|
||||
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
|
||||
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
|
||||
|
|
@ -185,11 +182,7 @@ rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }}
|
|||
# 3.4.1 Configure firewalld
|
||||
rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
|
||||
rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }}
|
||||
rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }}
|
||||
rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }}
|
||||
rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }}
|
||||
rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }}
|
||||
rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }}
|
||||
|
||||
# 3.4.1 Configure nftables
|
||||
rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
|
||||
rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
|
||||
|
|
@ -198,10 +191,7 @@ rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
|
|||
rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
|
||||
rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
|
||||
rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }}
|
||||
rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }}
|
||||
rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }}
|
||||
rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }}
|
||||
rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }}
|
||||
|
||||
|
||||
# Section 4 rules
|
||||
# 4.1 Configure System Accounting
|
||||
|
|
@ -238,6 +228,18 @@ rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }}
|
|||
rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }}
|
||||
rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }}
|
||||
|
||||
# 4.1.4 Configure auditd file Access
|
||||
rhel9cis_rule_4_1_4_1: {{ rhel9cis_rule_4_1_4_1 }}
|
||||
rhel9cis_rule_4_1_4_2: {{ rhel9cis_rule_4_1_4_2 }}
|
||||
rhel9cis_rule_4_1_4_3: {{ rhel9cis_rule_4_1_4_3 }}
|
||||
rhel9cis_rule_4_1_4_4: {{ rhel9cis_rule_4_1_4_4 }}
|
||||
rhel9cis_rule_4_1_4_5: {{ rhel9cis_rule_4_1_4_5 }}
|
||||
rhel9cis_rule_4_1_4_6: {{ rhel9cis_rule_4_1_4_6 }}
|
||||
rhel9cis_rule_4_1_4_7: {{ rhel9cis_rule_4_1_4_7 }}
|
||||
rhel9cis_rule_4_1_4_8: {{ rhel9cis_rule_4_1_4_8 }}
|
||||
rhel9cis_rule_4_1_4_9: {{ rhel9cis_rule_4_1_4_9 }}
|
||||
rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }}
|
||||
|
||||
# 4.2.1 Configure rsyslog
|
||||
rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
|
||||
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
|
||||
|
|
@ -262,9 +264,8 @@ rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }}
|
|||
rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
|
||||
|
||||
# 4.3 Logrotate
|
||||
rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }}
|
||||
rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }}
|
||||
rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }}
|
||||
rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
|
||||
|
||||
|
||||
# Section 5
|
||||
# Authentication and Authorization
|
||||
|
|
@ -391,12 +392,11 @@ rhel9_aide_scan: cron
|
|||
# Set to 'true' if X Windows is needed in your environment
|
||||
rhel9cis_xwindows_required: false
|
||||
### Service configuration booleans set true to keep service
|
||||
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
|
||||
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
|
||||
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
|
||||
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
|
||||
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
|
||||
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
|
||||
rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }}
|
||||
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
|
||||
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
|
||||
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
|
||||
|
|
@ -406,7 +406,6 @@ rhel9cis_imap_server: {{ rhel9cis_imap_server }}
|
|||
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
|
||||
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
|
||||
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
|
||||
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
|
||||
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
|
||||
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
|
||||
|
||||
|
|
@ -421,12 +420,10 @@ rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }}
|
|||
rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }}
|
||||
|
||||
#### 2.3 Service clients
|
||||
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
|
||||
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
|
||||
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
|
||||
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
|
||||
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
|
||||
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
|
||||
rhel9cis_ftp_client: {{ rhel9cis_ftp_client }}
|
||||
|
||||
# Section 3
|
||||
|
||||
|
|
|
|||
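Review bot: The five lines added in the `@ -121,6 +118,11 @@` hunk reuse the keys `rhel9cis_rule_1_8_1` through `rhel9cis_rule_1_8_5` while templating the values of `rhel9cis_rule_1_8_6` through `rhel9cis_rule_1_8_10`, so the rendered vars file defines each of those five keys twice and never defines the 1.8.6–1.8.10 keys at all. Most YAML loaders keep the last duplicate silently, which means the audit settings for 1.8.1–1.8.5 are overwritten by whatever the 1.8.6–1.8.10 toggles hold and the five new controls go unchecked without any error; a `key-duplicates` lint on the rendered output would catch this class of slip. The line `rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }}` under `# 1.9 autofs` in the `@ -74,28 +73,25 @@` hunk has the same shape (key `rhel9cis_rule_1_1_8_3` already appears three lines above it); the rendering does not show which side that line is on, but if it is retained it should read `rhel9cis_rule_1_1_8_4: {{ rhel9cis_rule_1_1_8_4 }}`. The file's header is not visible on this page, so the path is inferred from the hunk content only.
```yaml
# … unchanged: rhel9cis_rule_1_8_3 .. rhel9cis_rule_1_8_5 context lines …
rhel9cis_rule_1_8_6: {{ rhel9cis_rule_1_8_6 }}
rhel9cis_rule_1_8_7: {{ rhel9cis_rule_1_8_7 }}
rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }}
rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }}
rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }}
# … unchanged: 1.9 comment, rhel9cis_rule_1_9, crypto policy comment …
```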