sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

section 4 updates

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-12 11:38:53 +00:00
parent 95ad5fac9d
commit e62e5630b4
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
10 changed files with 413 additions and 270 deletions
Download patch file Download diff file Expand all files Collapse all files

79
defaults/main.yml
View file

@ -71,7 +71,6 @@ audit_cmd_timeout: 60000
# Section 1 rules # Section 1 rules
rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_1: true
rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_1_2: true
rhel9cis_rule_1_1_1_3: true
rhel9cis_rule_1_1_2_1: true rhel9cis_rule_1_1_2_1: true
rhel9cis_rule_1_1_2_2: true rhel9cis_rule_1_1_2_2: true
rhel9cis_rule_1_1_2_3: true rhel9cis_rule_1_1_2_3: true
@ -79,7 +78,6 @@ rhel9cis_rule_1_1_2_4: true
rhel9cis_rule_1_1_3_1: true rhel9cis_rule_1_1_3_1: true
rhel9cis_rule_1_1_3_2: true rhel9cis_rule_1_1_3_2: true
rhel9cis_rule_1_1_3_3: true rhel9cis_rule_1_1_3_3: true
rhel9cis_rule_1_1_3_4: true
rhel9cis_rule_1_1_4_1: true rhel9cis_rule_1_1_4_1: true
rhel9cis_rule_1_1_4_2: true rhel9cis_rule_1_1_4_2: true
rhel9cis_rule_1_1_4_3: true rhel9cis_rule_1_1_4_3: true
@ -95,26 +93,24 @@ rhel9cis_rule_1_1_6_4: true
rhel9cis_rule_1_1_7_1: true rhel9cis_rule_1_1_7_1: true
rhel9cis_rule_1_1_7_2: true rhel9cis_rule_1_1_7_2: true
rhel9cis_rule_1_1_7_3: true rhel9cis_rule_1_1_7_3: true
rhel9cis_rule_1_1_7_4: true
rhel9cis_rule_1_1_7_5: true
rhel9cis_rule_1_1_8_1: true rhel9cis_rule_1_1_8_1: true
rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_2: true
rhel9cis_rule_1_1_8_3: true rhel9cis_rule_1_1_8_3: true
rhel9cis_rule_1_1_8_4: true
rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_18: true
rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_19: true
rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_20: true
rhel9cis_rule_1_1_21: true rhel9cis_rule_1_1_21: true
rhel9cis_rule_1_1_9: true rhel9cis_rule_1_1_9: true
rhel9cis_rule_1_1_10: true
rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_1: true
rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_2: true
rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_3: true
rhel9cis_rule_1_2_4: true rhel9cis_rule_1_2_4: true
rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_1: true
rhel9cis_rule_1_3_2: true rhel9cis_rule_1_3_2: true
rhel9cis_rule_1_3_3: true
rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_1: true
rhel9cis_rule_1_4_2: true rhel9cis_rule_1_4_2: true
rhel9cis_rule_1_4_3: true
rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_1: true
rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_2: true
rhel9cis_rule_1_5_3: true rhel9cis_rule_1_5_3: true
@ -125,6 +121,7 @@ rhel9cis_rule_1_6_1_4: true
rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_5: true
rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_6: true
rhel9cis_rule_1_6_1_7: true rhel9cis_rule_1_6_1_7: true
rhel9cis_rule_1_6_1_8: true
rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_1: true
rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_2: true
rhel9cis_rule_1_7_3: true rhel9cis_rule_1_7_3: true
@ -136,6 +133,11 @@ rhel9cis_rule_1_8_2: true
rhel9cis_rule_1_8_3: true rhel9cis_rule_1_8_3: true
rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_4: true
rhel9cis_rule_1_8_5: true rhel9cis_rule_1_8_5: true
rhel9cis_rule_1_8_6: true
rhel9cis_rule_1_8_7: true
rhel9cis_rule_1_8_8: true
rhel9cis_rule_1_8_9: true
rhel9cis_rule_1_8_10: true
rhel9cis_rule_1_9: true rhel9cis_rule_1_9: true
rhel9cis_rule_1_10: true rhel9cis_rule_1_10: true
@ -160,21 +162,16 @@ rhel9cis_rule_2_2_15: true
rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_16: true
rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_17: true
rhel9cis_rule_2_2_18: true rhel9cis_rule_2_2_18: true
rhel9cis_rule_2_2_19: true
rhel9cis_rule_2_2_20: true
rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_1: true
rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_2: true
rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_3: true
rhel9cis_rule_2_3_4: true rhel9cis_rule_2_3_4: true
rhel9cis_rule_2_3_5: true
rhel9cis_rule_2_3_6: true
rhel9cis_rule_2_4: true rhel9cis_rule_2_4: true
Section 3 rules Section 3 rules
rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_1: true
rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_2: true
rhel9cis_rule_3_1_3: true rhel9cis_rule_3_1_3: true
rhel9cis_rule_3_1_4: true
rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_1: true
rhel9cis_rule_3_2_2: true rhel9cis_rule_3_2_2: true
rhel9cis_rule_3_3_1: true rhel9cis_rule_3_3_1: true
@ -188,11 +185,6 @@ rhel9cis_rule_3_3_8: true
rhel9cis_rule_3_3_9: true rhel9cis_rule_3_3_9: true
rhel9cis_rule_3_4_1_1: true rhel9cis_rule_3_4_1_1: true
rhel9cis_rule_3_4_1_2: true rhel9cis_rule_3_4_1_2: true
rhel9cis_rule_3_4_1_3: true
rhel9cis_rule_3_4_1_4: true
rhel9cis_rule_3_4_1_5: true
rhel9cis_rule_3_4_1_6: true
rhel9cis_rule_3_4_1_7: true
rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_1: true
rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_2: true
rhel9cis_rule_3_4_2_3: true rhel9cis_rule_3_4_2_3: true
@ -200,11 +192,6 @@ rhel9cis_rule_3_4_2_4: true
rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_5: true
rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_6: true
rhel9cis_rule_3_4_2_7: true rhel9cis_rule_3_4_2_7: true
rhel9cis_rule_3_4_2_8: true
rhel9cis_rule_3_4_2_9: true
rhel9cis_rule_3_4_2_10: true
rhel9cis_rule_3_4_2_11: true
# Section 4 rules # Section 4 rules
rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_1: true
@ -235,6 +222,16 @@ rhel9cis_rule_4_1_3_18: true
rhel9cis_rule_4_1_3_19: true rhel9cis_rule_4_1_3_19: true
rhel9cis_rule_4_1_3_20: true rhel9cis_rule_4_1_3_20: true
rhel9cis_rule_4_1_3_21: true rhel9cis_rule_4_1_3_21: true
rhel9cis_rule_4_1_4_1: true
rhel9cis_rule_4_1_4_2: true
rhel9cis_rule_4_1_4_3: true
rhel9cis_rule_4_1_4_4: true
rhel9cis_rule_4_1_4_5: true
rhel9cis_rule_4_1_4_6: true
rhel9cis_rule_4_1_4_7: true
rhel9cis_rule_4_1_4_8: true
rhel9cis_rule_4_1_4_9: true
rhel9cis_rule_4_1_4_10: true
rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_1: true
rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_2: true
rhel9cis_rule_4_2_1_3: true rhel9cis_rule_4_2_1_3: true
@ -253,9 +250,7 @@ rhel9cis_rule_4_2_2_5: true
rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_6: true
rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_2_7: true
rhel9cis_rule_4_2_3: true rhel9cis_rule_4_2_3: true
rhel9cis_rule_4_3_1: true rhel9cis_rule_4_3: true
rhel9cis_rule_4_3_2: true
rhel9cis_rule_4_3_3: true
# Section 5 rules # Section 5 rules
rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_1: true
@ -400,6 +395,8 @@ rhel9cis_aide_cron:
# SELinux policy # SELinux policy
rhel9cis_selinux_pol: targeted rhel9cis_selinux_pol: targeted
# chose onf or enfocing or permissive
rhel9cis_selinux_enforce: enforcing
# Whether or not to run tasks related to auditing/patching the desktop environment # Whether or not to run tasks related to auditing/patching the desktop environment
@ -417,13 +414,12 @@ rhel9cis_chrony_server_options: "minpoll 8"
### 2.2 Special Purposes ### 2.2 Special Purposes
##### Service configuration booleans set true to keep service ##### Service configuration booleans set true to keep service
rhel9cis_xinetd_server: false
rhel9cis_gui: false rhel9cis_gui: false
rhel9cis_avahi_server: false rhel9cis_avahi_server: false
rhel9cis_cups_server: false rhel9cis_cups_server: false
rhel9cis_dhcp_server: false rhel9cis_dhcp_server: false
rhel9cis_dns_server: false rhel9cis_dns_server: false
rhel9cis_ftp_server: false rhel9cis_dnsmasq_server: false
rhel9cis_vsftpd_server: false rhel9cis_vsftpd_server: false
rhel9cis_tftp_server: false rhel9cis_tftp_server: false
rhel9cis_httpd_server: false rhel9cis_httpd_server: false
@ -433,7 +429,6 @@ rhel9cis_imap_server: false
rhel9cis_samba_server: false rhel9cis_samba_server: false
rhel9cis_squid_server: false rhel9cis_squid_server: false
rhel9cis_snmp_server: false rhel9cis_snmp_server: false
rhel9cis_nis_server: false
rhel9cis_telnet_server: false rhel9cis_telnet_server: false
rhel9cis_is_mail_server: false rhel9cis_is_mail_server: false
# Note the options # Note the options
@ -450,12 +445,10 @@ rhel9cis_use_rsync_server: false
rhel9cis_use_rsync_service: false rhel9cis_use_rsync_service: false
#### 2.3 Service clients #### 2.3 Service clients
rhel9cis_ypbind_required: false
rhel9cis_rsh_required: false
rhel9cis_talk_required: false
rhel9cis_telnet_required: false rhel9cis_telnet_required: false
rhel9cis_openldap_clients_required: false rhel9cis_openldap_clients_required: false
rhel9cis_tftp_client: false rhel9cis_tftp_client: false
rhel9cis_ftp_client: false
## Section3 vars ## Section3 vars
@ -473,15 +466,29 @@ rhel9cis_firewall: firewalld
##### firewalld ##### firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy
# These are the default service add accordingly
rhel9_firewalld_service:
- ssh
- dhcpv6-client
# These are added to demonstrate how this can be done
rhel9cis_firewalld_ports:
- number: 80
protocol: tcp
#### nftables #### nftables
rhel9cis_nftables_firewalld_state: masked
rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_autonewtable: true
rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_tablename: filter
rhel9cis_nft_tables_autochaincreate: true rhel9cis_nft_tables_autochaincreate: true
rhel9_nftables_ports:
- port: ssh
protocol: tcp
type: dport
rule: accept
- port: igmp
protocol: ip
type: protocol
rule: accept
# Warning Banner Content (issue, issue.net, motd) # Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: | rhel9cis_warning_banner: |
Authorized uses only. All activity may be monitored and reported. Authorized uses only. All activity may be monitored and reported.
@ -522,6 +529,10 @@ rhel9cis_preferred_log_capture: rsyslog
#### 4.2.1.6 remote and destation log server name #### 4.2.1.6 remote and destation log server name
rhel9cis_remote_log_server: logagg.example.com rhel9cis_remote_log_server: logagg.example.com
rhel9cis_remote_log_port: 514
rhel9cis_remote_log_protocol: tcp
rhel9cis_remote_log_retrycount: 100
rhel9cis_remote_log_queuesize: 1000
#### 4.2.1.7 #### 4.2.1.7
rhel9cis_system_is_log_server: false rhel9cis_system_is_log_server: false

98
tasks/section_4/cis_4.1.1.x.yml
View file

@ -18,92 +18,88 @@
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.1.1 - rule_4.1.1.1
- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
service: block:
name: auditd - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
state: started shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
enabled: true changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_4_1_1_2_grub_cmdline_linux
- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
replace:
dest: /etc/default/grub
regexp: 'audit=.'
replace: 'audit=1'
notify: grub2cfg
when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"'
notify: grub2cfg
when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
when: when:
- rhel9cis_rule_4_1_1_2 - rhel9cis_rule_4_1_1_2
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- grub
- rule_4.1.1.2 - rule_4.1.1.2
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
block: block:
- name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_4_1_1_3_grub_cmdline_linux register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
replace:
dest: /etc/default/grub
regexp: 'audit=.'
replace: 'audit=1'
notify: grub2cfg
when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"'
notify: grub2cfg
when: "'audit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
when:
- rhel9cis_rule_4_1_1_3
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- grub
- rule_4.1.1.3
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
block:
- name: "4.1.1.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_4_1_1_4_grub_cmdline_linux
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
replace: replace:
dest: /etc/default/grub dest: /etc/default/grub
regexp: 'audit_backlog_limit=\d+' regexp: 'audit_backlog_limit=\d+'
replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}'
notify: grub2cfg notify: grub2cfg
when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
lineinfile: lineinfile:
path: /etc/default/grub path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX=' regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_4_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
notify: grub2cfg notify: grub2cfg
when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
when:
- rhel9cis_rule_4_1_1_3
tags:
- level2-server
- level2-workstation
- patch
- auditd
- grub
- rule_4.1.1.3
- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled"
service:
name: auditd
state: started
enabled: true
when: when:
- rhel9cis_rule_4_1_1_4 - rhel9cis_rule_4_1_1_4
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- grub
- rule_4.1.1.4 - rule_4.1.1.4

3
tasks/section_4/cis_4.1.2.x.yml
View file

@ -27,7 +27,6 @@
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.2.2 - rule_4.1.2.2
@ -47,7 +46,6 @@
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.2.3 - rule_4.1.2.3
@ -64,6 +62,5 @@
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd

62
tasks/section_4/cis_4.1.3.x.yml
View file

@ -2,63 +2,59 @@
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_1 - rhel9cis_rule_4_1_3_1
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.1 - rule_4.1.3.1
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_2 - rhel9cis_rule_4_1_3_2
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.2 - rule_4.1.3.2
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_3 - rhel9cis_rule_4_1_3_3
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.3 - rule_4.1.3.3
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_4 - rhel9cis_rule_4_1_3_4
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.4 - rule_4.1.3.4
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_5 - rhel9cis_rule_4_1_3_5
@ -81,7 +77,7 @@
register: priv_procs register: priv_procs
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
notify: update auditd notify: update auditd
when: when:
@ -89,98 +85,91 @@
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.6 - rule_4.1.3.6
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_7 - rhel9cis_rule_4_1_3_7
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3_7 - rule_4.1.3_7
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_8 - rhel9cis_rule_4_1_3_8
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.8 - rule_4.1.3.8
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_9 - rhel9cis_rule_4_1_3_9
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.9 - rule_4.1.3.9
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_10 - rhel9cis_rule_4_1_3_10
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.10 - rule_4.1.3.10
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_11 - rhel9cis_rule_4_1_3_11
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.11 - rule_4.1.3.11
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_12 - rhel9cis_rule_4_1_3_12
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.12 - rule_4.1.3.12
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_13 - rhel9cis_rule_4_1_3_13
@ -193,104 +182,97 @@
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_14 - rhel9cis_rule_4_1_3_14
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.14 - rule_4.1.3.14
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_15 - rhel9cis_rule_4_1_3_15
tags: tags:
- level2-server - level2-server
- level2- workstation - level2- workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.15 - rule_4.1.3.15
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_16 - rhel9cis_rule_4_1_3_16
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.16 - rule_4.1.3.16
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_17 - rhel9cis_rule_4_1_3_17
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.17 - rule_4.1.3.17
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_18 - rhel9cis_rule_4_1_3_18
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.18 - rule_4.1.3.18
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_19 - rhel9cis_rule_4_1_3_19
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.3.19 - rule_4.1.3.19
# All changes selected are managed by the POST audit and handlers to update # All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable"
set_fact: ansible.builtin.set_fact:
update_audit_template: true update_audit_template: true
when: when:
- rhel9cis_rule_4_1_3_20 - rhel9cis_rule_4_1_3_20
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
- automated
- patch - patch
- auditd - auditd
- rule_4.1.20 - rule_4.1.20
- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
debug: ansible.builtin.debug:
msg: msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active" - "Please run augenrules --load if you suspect there is a configuration that is not active"
when: when:
@ -304,7 +286,7 @@
- rule_4.1.3.21 - rule_4.1.3.21
- name: Auditd | 4.1.3 | Auditd controls updated - name: Auditd | 4.1.3 | Auditd controls updated
debug: ansible.builtin.debug:
msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
changed_when: false changed_when: false
when: when:

188
tasks/section_4/cis_4.1.4.x.yml Normal file
View file

@ -0,0 +1,188 @@
---
- name: |
"4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
"4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
block:
- name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
register: audit_logfile
changed_when: false
- name: |
"4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
"4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
ansible.builtin.file:
path: "{{ audit_logfile.stdout }}"
state: file
mode: 0640
owner: root
group: root
when:
- rhel9cis_rule_4_1_4_1 or
rhel9cis_rule_4_1_4_2 or
rhel9cis_rule_4_1_4_3
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.1
- rule_4.1.4.2
- rule_4.1.4.3
- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive"
block:
- name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
ansible.builtin.stat:
path: "{{ audit_logfile.stdout | dirname }}"
register: auditlog_dir
- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}"
state: directory
mode: 0750
when: not auditlog_dir.stat.mode is match('07(0|5)0')
when:
- rhel9cis_rule_4_1_4_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.4
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
block:
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions"
ansible.builtin.stat:
path: "{{ item.path }}"
register: item_file
loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}"
loop_control:
label: "{{ item.path }}"
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}"
state: file
mode: 0640
loop: "{{ audit_config_files }}"
when: not item_file.stat.mode is match('06(0|4)0')
when:
- rhel9cis_rule_4_1_4_5
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.5
- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root"
ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}"
state: file
owner: root
loop: "{{ audit_config_files }}"
when:
- rhel9cis_rule_4_1_4_6
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.6
- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root"
ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}"
state: file
group: root
loop: "{{ audit_config_files }}"
when:
- rhel9cis_rule_4_1_4_7
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.7
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive"
block:
- name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode"
ansible.builtin.stat:
path: "{{ item }}"
register: "audit_bins"
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
ansible.builtin.file:
path: "{{ item }}"
state: file
mode: 0750
register: "audit_bins"
loop: "{{ audit_bins.results.stat.path }}"
when: not audit_bins.stat.mode is match('07(0|5)(0|5)')
when:
- rhel9cis_rule_4_1_4_8
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.8
- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root"
ansible.builtin.file:
path: "{{ item }}"
state: file
owner: root
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
when:
- rhel9cis_rule_4_1_4_9
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.9
- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root"
ansible.builtin.file:
path: "{{ item }}"
state: file
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
when:
- rhel9cis_rule_4_1_4_10
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.10

57
tasks/section_4/cis_4.2.1.x.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: "4.2.1.1 | PATCH | Ensure rsyslog installed" - name: "4.2.1.1 | PATCH | Ensure rsyslog installed"
package: ansible.builtin.package:
name: rsyslog name: rsyslog
state: present state: present
when: when:
@ -10,13 +10,12 @@
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automated
- patch - patch
- rsyslog - rsyslog
- rule_4.2.1.1 - rule_4.2.1.1
- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
service: ansible.builtin.systemd:
name: rsyslog name: rsyslog
enabled: true enabled: true
when: when:
@ -24,29 +23,27 @@
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automated
- patch - patch
- rsyslog - rsyslog
- rule_4.2.1.2 - rule_4.2.1.2
# This is counter to control 4.2.2.5??
- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes line: ForwardToSyslog=yes
notify: restart rsyslog
when: when:
- rhel9cis_rule_4_2_1_3 - rhel9cis_rule_4_2_1_3
- rhel9cis_preferred_log_capture == "rsyslog" - rhel9cis_preferred_log_capture == "rsyslog"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- manual
- patch - patch
- rule_4.2.1.3 - rule_4.2.1.3
- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
lineinfile: ansible.builtin.lineinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
regexp: '^\$FileCreateMode' regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640' line: '$FileCreateMode 0640'
@ -56,7 +53,6 @@
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automated
- patch - patch
- rsyslog - rsyslog
- rule_4.2.1.4 - rule_4.2.1.4
@ -64,20 +60,20 @@
- name: "4.2.1.5 | PATCH | Ensure logging is configured" - name: "4.2.1.5 | PATCH | Ensure logging is configured"
block: block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
command: cat /etc/rsyslog.conf ansible.builtin.command: cat /etc/rsyslog.conf
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel_08_4_2_1_5_audit register: rhel_08_4_2_1_5_audit
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
debug: ansible.builtin.debug:
msg: msg:
- "These are the current logging configurations for rsyslog, please review:" - "These are the current logging configurations for rsyslog, please review:"
- "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)"
@ -92,7 +88,7 @@
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)" marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)"
@ -105,7 +101,7 @@
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)" marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)"
@ -119,7 +115,7 @@
when: rhel9cis_rsyslog_ansiblemanaged when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)"
@ -134,7 +130,7 @@
notify: restart rsyslog notify: restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
@ -145,7 +141,7 @@
notify: restart rsyslog notify: restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)"
@ -159,18 +155,17 @@
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- manual
- patch - patch
- rsyslog - rsyslog
- rule_4.2.1.5 - rule_4.2.1.5
- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
blockinfile: ansible.builtin.blockinfile:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
state: present state: present
block: | block: |
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional # target can be IP or FQDN
*.* @@{{ rhel9cis_remote_log_server }} *.* action(type="omfwd" target="{{ rhel9cis_remote_log_server }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}")
insertafter: EOF insertafter: EOF
register: result register: result
failed_when: failed_when:
@ -179,11 +174,10 @@
notify: restart rsyslog notify: restart rsyslog
when: when:
- rhel9cis_rule_4_2_1_6 - rhel9cis_rule_4_2_1_6
- rhel9cis_remote_log_server is defined - rhel9cis_remote_log_server
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- manual
- patch - patch
- rsyslog - rsyslog
- rule_4.2.1.6 - rule_4.2.1.6
@ -191,20 +185,20 @@
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
block: block:
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
replace: ansible.builtin.replace:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
regexp: '({{ item }})' regexp: '{{ item }}'
replace: '#\1' replace: '#\1'
notify: restart rsyslog notify: restart rsyslog
with_items: with_items:
- '^(\$ModLoad imtcp)' - '^\$ModLoad imtcp'
- '^(\$InputTCPServerRun)' - '^\$InputTCPServerRun'
- '^(module\(load="imtcp"\))' - '^module\(load="imtcp"\)'
- '^(input\(type="imtcp")' - '^input\(type="imtcp" port=.*\)'
when: not rhel9cis_system_is_log_server when: not rhel9cis_system_is_log_server
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
replace: ansible.builtin.replace:
path: /etc/rsyslog.conf path: /etc/rsyslog.conf
regexp: '^#(.*{{ item }}.*)' regexp: '^#(.*{{ item }}.*)'
replace: '\1' replace: '\1'
@ -213,14 +207,13 @@
- 'ModLoad imtcp' - 'ModLoad imtcp'
- 'InputTCPServerRun' - 'InputTCPServerRun'
- 'module\(load="imtcp"\)' - 'module\(load="imtcp"\)'
- 'input\(type="imtcp"' - 'input\(type="imtcp" port=".*")'
when: rhel9cis_system_is_log_server when: rhel9cis_system_is_log_server
when: when:
- rhel9cis_rule_4_2_1_7 - rhel9cis_rule_4_2_1_7
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automated
- patch - patch
- rsyslog - rsyslog
- rule_4.2.1.7 - rule_4.2.1.7

64
tasks/section_4/cis_4.2.2.x.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" - name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
package: ansible.builtin.package:
name: systemd-journal-remote name: systemd-journal-remote
state: present state: present
when: when:
@ -15,7 +15,7 @@
- rule_4.2.2.1.1 - rule_4.2.2.1.1
- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" - name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured"
lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/journal-upload.conf path: /etc/systemd/journal-upload.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
@ -36,7 +36,7 @@
- rule_4.2.2.1.2 - rule_4.2.2.1.2
- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled"
systemd: ansible.builtin.systemd:
name: systemd-journal-upload name: systemd-journal-upload
state: started state: started
enabled: true enabled: true
@ -52,7 +52,7 @@
- rule_4.2.2.1.3 - rule_4.2.2.1.3
- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client"
systemd: ansible.builtin.systemd:
name: systemd-journal-remote.socket name: systemd-journal-remote.socket
state: stopped state: stopped
enabled: false enabled: false
@ -71,25 +71,25 @@
- name: "4.2.2.2 | PATCH | Ensure journald service is enabled" - name: "4.2.2.2 | PATCH | Ensure journald service is enabled"
block: block:
- name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service"
systemd: ansible.builtin.systemd:
name: systemd-journald name: systemd-journald
state: started state: started
enabled: true enabled: true
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
shell: systemctl is-enabled systemd-journald.service ansible.builtin.shell: systemctl is-enabled systemd-journald.service
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_2_2_2_status register: rhel9cis_4_2_2_2_status
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
debug: ansible.builtin.debug:
msg: msg:
- "Warning!! The status of systemd-journald should be static and it is not. Please investigate" - "Warning!! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
set_fact: ansible.builtin.set_fact:
control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]"
warn_count: "{{ warn_count | int + 1 }}" warn_count: "{{ warn_count | int + 1 }}"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
@ -104,10 +104,11 @@
- rule_4.2.2.2 - rule_4.2.2.2
- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"
lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^#Compress=|^Compress=" regexp: "^#Compress=|^Compress="
line: Compress=yes line: Compress=yes
notify: restart systemd_journal_upload
when: when:
- rhel9cis_rule_4_2_2_3 - rhel9cis_rule_4_2_2_3
tags: tags:
@ -119,10 +120,11 @@
- rule_4.2.2.3 - rule_4.2.2.3
- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^#Storage=|^Storage=" regexp: "^#Storage=|^Storage="
line: Storage=persistent line: Storage=persistent
notify: restart systemd_journal_upload
when: when:
- rhel9cis_rule_4_2_2_4 - rhel9cis_rule_4_2_2_4
tags: tags:
@ -135,7 +137,7 @@
# This is counter to control 4.2.1.3?? # This is counter to control 4.2.1.3??
- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog"
lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "^ForwardToSyslog=" regexp: "^ForwardToSyslog="
line: "#ForwardToSyslog=yes" line: "#ForwardToSyslog=yes"
@ -151,7 +153,7 @@
- rule_4.2.2.5 - rule_4.2.2.5
- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" - name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy"
lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
@ -175,35 +177,21 @@
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured"
block: block:
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file"
find: ansible.builtin.stat:
paths: /etc/tmpfiles.d path: /etc/tmpfiles.d/systemd.conf
patterns: systemd.conf register: rhel9cis_4_2_2_7_override
register: rhel9cis_4_2_2_7_override_status
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file"
shell: cat /etc/tmpfiles.d/systemd.conf ansible.builtin.set_fact:
changed_when: false systemd_conf_file: /etc/tmpfiles.d/systemd.conf
failed_when: false when: rhel9cis_4_2_2_7_override_stat.exists
register: rhel9cis_4_2_2_7_override_settings
when: rhel9cis_4_2_2_7_override_status.matched >= 1
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings" - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission"
shell: cat /usr/lib/tmpfiles.d/systemd.conf ansible.builtin.lineinfile:
changed_when: false path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}"
failed_when: false regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root"
register: rhel9cis_4_2_2_7_notoverride_settings line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -'
when: rhel9cis_4_2_2_7_override_status.matched == 0
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
debug:
msg:
- "Warning!! Below are the current default settings for journald, please confirm they align with your site policies"
- "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]"
warn_count: "{{ warn_count | int + 1 }}"
when: when:
- rhel9cis_rule_4_2_2_7 - rhel9cis_rule_4_2_2_7
tags: tags:

15
tasks/section_4/cis_4.2.3.yml
View file

@ -1,9 +1,18 @@
--- ---
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + block:
changed_when: false - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files"
failed_when: false ansible.builtin.find:
paths: "/var/log"
type: file
register: logfiles
- name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files"
ansible.builtin.file:
paths: "{{ item.path }}"
mode: 0640
register: logfiles
when: when:
- rhel9cis_rule_4_2_3 - rhel9cis_rule_4_2_3
tags: tags:

54
tasks/section_4/cis_4.3.yml
View file

@ -1,43 +1,25 @@
--- ---
- name: "4.3.1 | PATCH | Ensure logrotate is installed" - name: "4.3 | PATCH | Ensure logrotate is configured"
package:
name: rsyslog-logrotate
state: present
when:
- rhel9cis_rule_4_3_1
tags:
- level1-server
- level1-workstation
- manual
- patch
- logrotate
- rule_4.3.1
- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled"
systemd:
name: logrotate.timer
state: started
enabled: true
when:
- rhel9cis_rule_4_3_2
tags:
- level1-server
- level1-workstation
- manual
- patch
- logrotate
- rule_4.3.2
- name: "4.3.3 | PATCH | Ensure logrotate is configured"
block: block:
- name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" - name: "4.3 | PATCH | Ensure logrotate is configured | installed"
find: ansible.builtin.package:
name: rsyslog-logrotate
state: present
- name: "4.3.2 | PATCH | Ensure logrotate is configured | scheduled"
ansible.builtin.systemd:
name: logrotate.timer
state: started
enabled: true
- name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
ansible.builtin.find:
paths: /etc/logrotate.d/ paths: /etc/logrotate.d/
register: log_rotates register: log_rotates
- name: "4.3.3 | PATCH | Ensure logrotate is configured" - name: "4.3 | PATCH | Ensure logrotate is configured"
replace: ansible.builtin.replace:
path: "{{ item.path }}" path: "{{ item.path }}"
regexp: '^(\s*)(daily|weekly|monthly|yearly)$' regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
replace: "\\1{{ rhel9cis_logrotate }}" replace: "\\1{{ rhel9cis_logrotate }}"
@ -47,11 +29,11 @@
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
when: when:
- rhel9cis_rule_4_3_3 - rhel9cis_rule_4_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- manual - manual
- patch - patch
- logrotate - logrotate
- rule_4.3.3 - rule_4.3.1

63
templates/ansible_vars_goss.yml.j2
View file

@ -3,7 +3,7 @@
## metadata for benchmark ## metadata for benchmark
## metadata for Audit benchmark ## metadata for Audit benchmark
benchmark_version: '2.0.0' benchmark_version: '1.0.0'
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
# If run via script this is discovered and set # If run via script this is discovered and set
@ -44,7 +44,6 @@ rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# 1.1.1 Disable unused filesystems # 1.1.1 Disable unused filesystems
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
# 1.1.2 Configure /tmp # 1.1.2 Configure /tmp
rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }}
rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }} rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }}
@ -74,28 +73,25 @@ rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }}
rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }}
rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }}
rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }}
rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }}
rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }}
# 1.1.8 Configure /dev/shm # 1.1.8 Configure /dev/shm
rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }}
rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }}
rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }}
# 1.9 autofs rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }}
# 1.9 usb-storage
rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
# 1.10 usb-storage
rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
# 1.2 Configure Software Updates # 1.2 Configure Software Updates
rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed rhel9cis_rule_1_2_1: {{ rhel9cis_rule_1_2_1 }}
rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
# 1.3 Filesystem Integrity Checking # 1.3 Filesystem Integrity Checking
rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
# 1.4 Secure Boot Settings # 1.4 Secure Boot Settings
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
# 1.5 Additional Process Hardening # 1.5 Additional Process Hardening
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
@ -108,6 +104,7 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }}
rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }}
rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }}
rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }}
rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }}
# 1.7 Command Line Warning Banners # 1.7 Command Line Warning Banners
rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }}
rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }}
@ -121,6 +118,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }}
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }}
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }}
rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }}
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }}
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }}
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }}
# 1.9 Ensure updates, patches, and additional security software are installed # 1.9 Ensure updates, patches, and additional security software are installed
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
# Ensure system-wide crypto policy is not legacy # Ensure system-wide crypto policy is not legacy
@ -151,24 +153,19 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }}
rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }}
# 2.3 service clients # 2.3 service clients
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }}
rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }}
rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }}
rhel9cis_rule_2_4: true # todo rhel9cis_rule_2_4: true
# Section 3 rules # Section 3 rules
# 3.1 Disable unused network protocols and devices # 3.1 Disable unused network protocols and devices
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }}
# 3.2 Network Parameters (Host Only) # 3.2 Network Parameters (Host Only)
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
@ -185,11 +182,7 @@ rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }}
# 3.4.1 Configure firewalld # 3.4.1 Configure firewalld
rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }}
rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }}
rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }}
rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }}
rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }}
rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }}
# 3.4.1 Configure nftables # 3.4.1 Configure nftables
rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
@ -198,10 +191,7 @@ rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }}
rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }}
rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }}
rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }}
rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }}
# Section 4 rules # Section 4 rules
# 4.1 Configure System Accounting # 4.1 Configure System Accounting
@ -238,6 +228,18 @@ rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }}
rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }}
rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }}
# 4.1.4 Configure auditd file Access
rhel9cis_rule_4_1_4_1: {{ rhel9cis_rule_4_1_4_1 }}
rhel9cis_rule_4_1_4_2: {{ rhel9cis_rule_4_1_4_2 }}
rhel9cis_rule_4_1_4_3: {{ rhel9cis_rule_4_1_4_3 }}
rhel9cis_rule_4_1_4_4: {{ rhel9cis_rule_4_1_4_4 }}
rhel9cis_rule_4_1_4_5: {{ rhel9cis_rule_4_1_4_5 }}
rhel9cis_rule_4_1_4_6: {{ rhel9cis_rule_4_1_4_6 }}
rhel9cis_rule_4_1_4_7: {{ rhel9cis_rule_4_1_4_7 }}
rhel9cis_rule_4_1_4_8: {{ rhel9cis_rule_4_1_4_8 }}
rhel9cis_rule_4_1_4_9: {{ rhel9cis_rule_4_1_4_9 }}
rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }}
# 4.2.1 Configure rsyslog # 4.2.1 Configure rsyslog
rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
@ -262,9 +264,8 @@ rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }}
rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
# 4.3 Logrotate # 4.3 Logrotate
rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }}
rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }}
# Section 5 # Section 5
# Authentication and Authorization # Authentication and Authorization
@ -391,12 +392,11 @@ rhel9_aide_scan: cron
# Set to 'true' if X Windows is needed in your environment # Set to 'true' if X Windows is needed in your environment
rhel9cis_xwindows_required: false rhel9cis_xwindows_required: false
### Service configuration booleans set true to keep service ### Service configuration booleans set true to keep service
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_dns_server: {{ rhel9cis_dns_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }}
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }}
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
@ -406,7 +406,6 @@ rhel9cis_imap_server: {{ rhel9cis_imap_server }}
rhel9cis_samba_server: {{ rhel9cis_samba_server }} rhel9cis_samba_server: {{ rhel9cis_samba_server }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }} rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
@ -421,12 +420,10 @@ rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }}
rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }}
#### 2.3 Service clients #### 2.3 Service clients
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
rhel9cis_ftp_client: {{ rhel9cis_ftp_client }}
# Section 3 # Section 3