diff --git a/defaults/main.yml b/defaults/main.yml index d2a2372..78a2c0d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -36,6 +36,9 @@ benchmark: RHEL9-CIS # Whether to skip the reboot skip_reboot: true +# default value will change to true but wont reboot if not enabled but will error +change_requires_reboot: false + #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### @@ -345,7 +348,7 @@ rhel9cis_rule_6_2_4: true rhel9cis_rule_6_2_5: true rhel9cis_rule_6_2_6: true rhel9cis_rule_6_2_7: true -rhel9cis_rule_6_2_8: false +rhel9cis_rule_6_2_8: true rhel9cis_rule_6_2_9: true rhel9cis_rule_6_2_10: true rhel9cis_rule_6_2_11: true 
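Review bot: The comment placed above `change_requires_reboot: false` (`# default value will change to true but wont reboot if not enabled but will error`) is hard to parse and does not say who flips the flag or what reads it. From the rest of this diff the `change_requires_reboot` handler in handlers/main.yml sets it with set_fact and tasks/post.yml reads it together with `skip_reboot`, so suggest: `# Set to true by the change_requires_reboot handler when a task made a change that needs a reboot; post.yml reboots when this is true and skip_reboot is false, otherwise it only warns`. Keep the default at false so a host on which nothing changed is never rebooted.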
@@ -355,46 +358,19 @@ rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: false -rhel9cis_cups_server: false -rhel9cis_dhcp_server: false -rhel9cis_ldap_server: false -rhel9cis_telnet_server: false -rhel9cis_nfs_server: false -rhel9cis_rpc_server: false -rhel9cis_ntalk_server: false -rhel9cis_rsyncd_server: false -rhel9cis_tftp_server: false -rhel9cis_rsh_server: false -rhel9cis_nis_server: false -rhel9cis_snmp_server: false -rhel9cis_squid_server: false -rhel9cis_smb_server: false -rhel9cis_dovecot_server: false -rhel9cis_httpd_server: false -rhel9cis_vsftpd_server: false -rhel9cis_named_server: false -rhel9cis_nfs_rpc_server: false -rhel9cis_is_mail_server: false -rhel9cis_bind: false -rhel9cis_vsftpd: false -rhel9cis_httpd: false -rhel9cis_dovecot: false -rhel9cis_samba: false -rhel9cis_squid: false -rhel9cis_net_snmp: false -rhel9cis_allow_autofs: false ## Section 1 vars -# 1.1.2 +#### 1.1.2 # These settings go into the /etc/fstab file for the /tmp mount settings # The value must contain nosuid,nodev,noexec to conform to CIS standards # rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" # If set true uses the tmp.mount service else using fstab configuration rhel9cis_tmp_svc: false +#### 1.1.9 +rhel9cis_allow_autofs: false + # 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! 
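Review bot: The service-keep booleans removed here (`rhel9cis_ldap_server`, `rhel9cis_ntalk_server`, `rhel9cis_rsh_server`, `rhel9cis_nfs_rpc_server`, `rhel9cis_bind`, `rhel9cis_net_snmp` and the rest) may still be consumed by the section 2 task files, which this diff does not touch; any task still referencing an old name will fail at run time with an undefined variable, and only templates/ansible_vars_goss.yml.j2 is updated to the new set (`rhel9cis_dns_server`, `rhel9cis_rsync_server`, `rhel9cis_dovecot_cyrus_server`). That cannot be confirmed from the visible hunks, so grep the role for each removed name before merging. A short comment at the new `## Section 1 vars` heading noting that the service booleans now live under `### 2.2 Special Purposes` would help anyone looking for them in their old place.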
@@ -407,17 +383,15 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.3.3 var log location variable -rhel9cis_varlog_location: "/var/log/sudo.log" -# xinetd required -rhel9cis_xinetd_required: false + # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false + # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) # Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. rhel9cis_crypto_policy: "FUTURE" @@ -433,7 +407,7 @@ rhel9cis_config_aide: true # AIDE cron settings rhel9cis_aide_cron: cron_user: root - cron_file: /etc/cron.d/aide.cron + cron_file: /etc/cron.d/aide_cron aide_job: '/usr/sbin/aide --check' aide_minute: 0 aide_hour: 5 
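Review bot: Renaming the AIDE schedule to `cron_file: /etc/cron.d/aide_cron` does not remove `/etc/cron.d/aide.cron` from hosts configured by an earlier run, and cronie (as shipped on RHEL) does load dotted names from /etc/cron.d, so such hosts would end up with two scheduled AIDE checks. The task that writes the file is outside this diff; suggest a sibling step `file: path: /etc/cron.d/aide.cron state: absent` next to it. A comment such as `# underscore, not dot: run-parts style loaders skip names containing '.'` would record why the name changed.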
@@ -445,92 +419,124 @@ rhel9cis_aide_cron: rhel9cis_selinux_pol: targeted # Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: false -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: false +## 2. Services -rhel9cis_openldap_clients_required: false -rhel9cis_telnet_required: false -rhel9cis_talk_required: false -rhel9cis_rsh_required: false -rhel9cis_ypbind_required: false -# 2.2.1.1 Time Synchronization - Either chrony or ntp -rhel9cis_time_synchronization: chrony - -# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +### 2.1 Time Synchronization +#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org - rhel9cis_chrony_server_options: "minpoll 8" -rhel9cis_ntp_server_options: "iburst" + +### 2.2 Special Purposes +##### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: false +rhel9cis_gui: false +rhel9cis_avahi_server: false +rhel9cis_cups_server: false +rhel9cis_dhcp_server: false +rhel9cis_dns_server: false +rhel9cis_ftp_server: false +rhel9cis_vsftpd_server: false +rhel9cis_tftp_server: false +rhel9cis_httpd_server: false +rhel9cis_nginx_server: false +rhel9cis_dovecot_cyrus_server: false +rhel9cis_samba_server: false +rhel9cis_squid_server: false +rhel9cis_snmp_server: false +rhel9cis_nis_server: false +rhel9cis_telnet_server: false +rhel9cis_is_mail_server: false +rhel9cis_nfs_server: false +rhel9cis_rpc_server: false +rhel9cis_rsync_server: false + +#### 2.3 Service clients +rhel9cis_ypbind_required: false +rhel9cis_rsh_required: false +rhel9cis_talk_required: false +rhel9cis_telnet_required: false +rhel9cis_openldap_clients_required: false +rhel9cis_tftp_client: false + ## Section3 vars -# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured -rhel9cis_host_allow: - - "10.0.0.0/255.0.0.0" - 
- "172.16.0.0/255.240.0.0" - - "192.168.0.0/255.255.0.0" - -# Firewall Service - either firewalld, iptables, or nftables +### Firewall Service - either firewalld, iptables, or nftables rhel9cis_firewall: firewalld -# 3.4.2.4 Default zone setting +##### firewalld rhel9cis_default_zone: public - -# 3.4.2.5 Zone and Interface setting -rhel9cis_int_zone: customezone +rhel9cis_int_zone: customzone rhel9cis_interface: eth0 - rhel9cis_firewall_services: - ssh - dhcpv6-client -# 3.4.3.2 Set nftables new table create +#### nftables rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter - -# 3.4.3.3 Set nftables new chain create rhel9cis_nft_tables_autochaincreate: true +#### iptables + # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars - +### 4.1 Configure System Accounting +#### 4.1.2 Configure Data Retention rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt max_log_file_action: keep_logs -rhel9cis_logrotate: "daily" - # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 -# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name +#### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com -# RHEL-09-4.2.1.5 +#### 4.2.1.7 rhel9cis_system_is_log_server: false +# 4.2.2.1.2 +# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +rhel9cis_journal_upload_url: 192.168.50.42 +# The paths below have the default paths/files, but allow user to create custom paths/filenames +rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + 
+# 4.2.2.1 +# The variables below related to journald, please set these to your site specific values +# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +rhel9cis_journald_systemmaxuse: 10M +# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +rhel9cis_journald_systemkeepfree: 100G +rhel9cis_journald_runtimemaxuse: 10M +rhel9cis_journald_runtimekeepfree: 100G +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +rhel9cis_journald_maxfilesec: 1month + +#### 4.3 +rhel9cis_logrotate: "daily" + ## Section5 vars rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: @@ -553,9 +559,10 @@ rhel9cis_ssh_maxsessions: 4 rhel9cis_inactivelock: lock_days: 30 + +rhel9cis_use_authconfig: false # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk -rhel9cis_use_authconfig: false rhel9cis_authselect: custom_profile_name: custom-profile default_file_to_copy: "sssd --symlink-meta" @@ -591,6 +598,11 @@ discover_int_uid: false min_int_uid: 1000 max_int_uid: 65533 +# 5.3.3 var log location variable +rhel9cis_sudolog_location: "/var/log/sudo.log" + +#### 5.3.6 +rhel9cis_sudo_timestamp_timeout: 15 # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) diff --git a/group_vars/docker b/group_vars/docker deleted file mode 100644 index 5b6e3b2..0000000 --- a/group_vars/docker +++ /dev/null 
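Review bot: The new journal-upload defaults give the role a placeholder destination, `rhel9cis_journal_upload_url: 192.168.50.42`, with no scheme, plus key, certificate and trusted-CA paths that nothing in this diff creates; a deployment that forgets to override them configures systemd-journal-upload against an example RFC1918 address and, if the template writes those paths verbatim, a unit that cannot start for lack of its key file. Document the intent next to the variables, e.g. `# Site-specific, must be overridden: use an https:// URL and supply the key, certificate and trusted CA files so uploads are authenticated and encrypted`, and consider guarding the upload tasks on the URL having been changed from the default. The hunk also drops the `rhel9cis_sshd.ciphers` and `macs` defaults; if the sshd template still references them it now fails on an undefined attribute, which the visible hunks do not show either way. This hunk starts on an earlier line and the tasks that consume these variables are outside it.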
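Review bot: The comment above the new `rhel9cis_sudolog_location` (`# 5.3.3 var log location variable`) does not say that the same path is also written into the auditd rules by 4.1.3.3 (templates/audit/99_auditd.rules.j2 in this diff), so changing it after the first run requires both the sudoers `Defaults logfile=` line and the audit rules to be re-applied. Suggest `# 5.3.3 / 4.1.3.3 sudo log file path; also watched by the auditd rules template, change both together`. `rhel9cis_sudo_timestamp_timeout: 15` has no comment; a note like `# 5.3.6 sudo timestamp_timeout in minutes; 15 is the largest value that still satisfies the control` tells readers which direction is safe.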
@@ -1,28 +0,0 @@ ---- -ansible_user: root -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Workarounds for Docker -rhel9cis_skip_for_travis: true -rhel9cis_selinux_disable: true diff --git a/group_vars/vagrant b/group_vars/vagrant deleted file mode 100644 index 1c0fb37..0000000 --- a/group_vars/vagrant +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: vagrant -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: 'aes256-ctr,aes192-ctr,aes128-ctr' - macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Vagrant can touch code that Docker cannot -rhel9cis_skip_for_travis: false -rhel9cis_selinux_disable: false diff --git a/handlers/main.yml b/handlers/main.yml index d2cf453..9a99c24 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -76,12 +76,6 @@ name: firewalld state: restarted -- name: restart xinetd - become: true - service: - name: xinetd - state: restarted - - name: restart sshd become: true service: @@ -135,12 +129,20 @@ name: rsyslog state: restarted -- name: restart syslog-ng - become: true +- name: restart journald service: - name: syslog-ng + name: systemd-journald + state: restarted + +- name: restart systemd_journal_upload + service: + name: systemd-journal-upload state: restarted - name: systemd_daemon_reload systemd: daemon-reload: true + +- name: change_requires_reboot + set_fact: + change_requires_reboot: true diff --git a/tasks/main.yml b/tasks/main.yml index b316f67..f44197c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -112,9 +112,11 @@ - rhel9cis_section6 tags: - rule_5.5.2 - - rule_6.2.7 - - rule_6.2.8 - - rule_6.2.20 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 - rhel9cis_section6 - name: run Section 1 tasks diff --git a/tasks/post.yml b/tasks/post.yml index 5f54737..28a2e9e 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -66,7 +66,30 @@ - name: flush handlers meta: flush_handlers -- name: Reboot host - reboot: - when: - - not skip_reboot +- name: POST | reboot system if changes require it and not skipped + block: + - name: POST | Reboot system if changes require it and not skipped + reboot: + when: + - change_requires_reboot + - not skip_reboot + + - name: POST | Warning a reboot required but skip option set + debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - skip_reboot + tags: + - grub + - level1-server + - level1-workstation + - level2-server + - level2-workstation + - rhel9cis_section1 + - rhel9cis_section2 + - rhel9cis_section3 + - rhel9cis_section4 + - rhel9cis_section5 + - rhel9cis_section6 
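Review bot: The new handlers `restart journald` and `restart systemd_journal_upload` lack the `become: true` that the neighbouring `restart sshd` handler (and the removed `restart xinetd` and `restart syslog-ng`) carry, so in a play that is not already privileged the restart of systemd-journald fails. Add `become: true` directly under each new `- name:` line. The `change_requires_reboot` handler only fires if the notifying task completes and the play reaches a handler flush; if a later task fails the flag is lost unless `force_handlers` is set, which this diff does not show.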
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5521a8d..1cb873c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -32,8 +32,9 @@ warn: false changed_when: false check_mode: false - register: uid_zero_accounts_except_root + register: rhel9cis_uid_zero_accounts_except_root tags: + - rule_6.2.8 - level1-server - level1-workstation - users @@ -144,6 +145,19 @@ - authconfig - auditd +- name: "PRELIM | 5.3.4 | Find all sudoers files." + command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_sudoers_files + when: + - rhel9cis_rule_5_3_4 or + rhel9cis_rule_5_3_5 + tags: + - rule_5.3.4 + - rule_5.3.5 + - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 5b5cf13..ba927e9 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -2,11 +2,11 @@ - name: "2.1.1 | PATCH | Ensure time synchronization is in use" package: - name: "{{ rhel9cis_time_synchronization }}" + name: chrony state: present when: - rhel9cis_rule_2_1_1 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation @@ -18,7 +18,7 @@ block: - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" template: - src: chrony.conf.j2 + src: etc/chrony.conf.j2 dest: /etc/chrony.conf owner: root group: root @@ -33,9 +33,8 @@ create: yes mode: 0644 when: - - rhel9cis_time_synchronization == "chrony" - rhel9cis_rule_2_1_2 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index ec397d3..38c9433 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
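Review bot: `failed_when: false` on the new `PRELIM | 5.3.4 | Find all sudoers files.` task hides a failing find, so if /etc/sudoers.d is missing or unreadable `rhel9cis_sudoers_files.stdout_lines` can be empty and the 5.3.4/5.3.5 controls that loop over it would silently apply to nothing. Prefer letting the failure surface, or follow the task with a check under the same `when`, e.g. `- assert: { that: rhel9cis_sudoers_files.stdout_lines | length > 0 }`. The two-line plain scalar `rhel9cis_rule_5_3_4 or` / `rhel9cis_rule_5_3_5` depends on YAML folding; `- rhel9cis_rule_5_3_4 or rhel9cis_rule_5_3_5` on one line is clearer.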
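Review bot: The condition `not system_is_container` replaces the role-prefixed `not rhel9cis_system_is_container`, but nothing in this diff defines `system_is_container`; if it is set in prelim.yml that is outside the visible hunks, and if it is not defined every 2.1.x task now fails on an undefined variable instead of skipping. An unprefixed fact is also easier to collide with other roles in the same play; if it is the role's own fact, the `rhel9cis_` prefix used everywhere else in this file is the convention. The same substitution appears in the @@ -33 hunk of this file and in both hunks of tasks/section_6/cis_6.2.x.yml that touch `when: not system_is_container`.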
@@ -17,7 +17,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.2.1 + - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation @@ -42,7 +42,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.2.2 + - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 7187816..8c15cde 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -17,7 +17,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.3.1 + - rhel9cis_rule_3_3_1 tags: - level1-server - level1-workstation @@ -42,7 +42,7 @@ - update sysctl when: rhel9cis_ipv6_required when: - - rhel9cis_rule_3.3.2 + - rhel9cis_rule_3_3_2 tags: - level1-server - level1-workstation @@ -55,7 +55,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.3 + - rhel9cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -68,7 +68,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.4 + - rhel9cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -81,7 +81,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.5 + - rhel9cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -94,7 +94,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.6 + - rhel9cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -107,7 +107,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.7 + - rhel9cis_rule_3_3_7 tags: - level1-server - level1-workstation 
@@ -120,7 +120,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - - rhel9cis_rule_3.3.8 + - rhel9cis_rule_3_3_8 tags: - level1-server - level1-workstation @@ -146,7 +146,7 @@ when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - - rhel9cis_rule_3.3.9 + - rhel9cis_rule_3_3_9 tags: - level2-server - level2-workstation diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 753a4e5..5bd6a3c 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -22,7 +22,6 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - enabled: false masked: true with_items: - iptables diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 13b42fc..7c6dc9b 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
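Review bot: With `enabled: false` dropped, the task named `3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services` only sets `masked: true`, and masking a unit does not stop an instance that is already running, so a live iptables service keeps its rules until the next boot. If stopping is the intent, add `state: stopped` beside `masked: true`, bearing in mind the systemd module can error on a unit that does not exist, so guard it for hosts where iptables-services was never installed. Otherwise rename the task so it does not claim to stop anything. The `with_items` list continues outside the hunk.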
@@ -1,41 +1,35 @@ --- -- name: "SECTION | 3.1.x | Packet and IP redirection" +- name: "SECTION | 3.1.x | Disable unused network protocols and devices" import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" import_tasks: cis_3.2.x.yml -- name: "SECTION | 3.3.x | Uncommon Network Protocols" +- name: "SECTION | 3.3.x | Network Parameters (host and Router)" import_tasks: cis_3.3.x.yml -- name: "SECTION | 3.4.1.x | firewall defined" - import_tasks: cis_3.4.1.1.yml - -- name: "SECTION | 3.4.2.x | firewalld firewall" - include_tasks: cis_3.4.2.x.yml +- name: "SECTION | 3.4.1.x | Configure firewalld" + import_tasks: cis_3.4.1.x.yml when: - rhel9cis_firewall == "firewalld" -- name: "SECTION | 3.4.3.x | Configure nftables firewall" - include_tasks: cis_3.4.3.x.yml +- name: "SECTION | 3.4.2.x | Configure nftables" + include_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "nftables" -- name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - include_tasks: cis_3.4.4.1.x.yml +- name: "SECTION | 3.4.3.1.x | Configure iptables" + include_tasks: cis_3.4.3.1.x.yml when: - rhel9cis_firewall == "iptables" -- name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - include_tasks: cis_3.4.4.2.x.yml +- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4" + include_tasks: cis_3.4.3.2.x.yml + when: + - rhel9cis_firewall == "iptables" + +- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6" + include_tasks: cis_3.4.3.3.x.yml when: - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - -- name: "SECTION | 3.5 | Configure wireless" - import_tasks: cis_3.5.yml - -- name: "SECTION | 3.5 | disable IPv6" - include_tasks: cis_3.5.yml - when: - - not rhel9cis_ipv6_required diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 3b3ab95..d28e3ce 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
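Review bot: The firewalld entry uses `import_tasks: cis_3.4.1.x.yml` with a `when`, while the nftables and iptables entries keep `include_tasks`; with import the condition is attached to every imported task, with include it is evaluated once at the include point, so the four firewall sections behave differently under `--tags` and for tasks carrying their own conditions. Pick one form for all four. The `cis_3.4.2.x.yml` and `cis_3.4.3.*.yml` files referenced by the new names are not part of the visible change, and the dropped `cis_3.5.yml` wireless/IPv6 entries are presumably covered by the retitled `3.1.x | Disable unused network protocols and devices`; neither can be verified from this diff.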
@@ -9,7 +9,7 @@ import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - import_tasks: cis_4.1.x.yml + import_tasks: cis_4.1.3.x.yml - name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index b6dc07a..bd97cc3 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -33,7 +33,7 @@ lineinfile: dest: /etc/sudoers regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' + line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' state: present when: - rhel9cis_rule_5_3_3 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 8c5d301..71a37e5 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel9cis_int_gid | int > item.gid + - min_int_uid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - rhel9cis_int_gid | int > item.gid + - min_int_uid | int > item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 3d9cf32..6106e6e 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel9cis_int_gid | int < item.gid + - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: @@ -30,7 +30,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - rhel9cis_int_gid | int < item.gid + - min_int_uid | int < item.gid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: 
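Review bot: The new condition `min_int_uid | int > item.gid` compares a UID threshold with the item's `gid` field; if that field really is the primary group id, as its name says, the filter classifies accounts by group rather than by UID and misjudges any user whose GID does not track their UID. If the field actually carries the UID, renaming it is the clearer fix; either way a comment such as `# min_int_uid is the lowest interactive UID; accounts below it are system accounts` should state which is meant. The same expression is used in the @@ -28 hunk of this file and in both hunks of tasks/section_5/cis_5.6.x.yml (there with `<`).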
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ff2b0c3..096a310 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -230,7 +230,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +270,7 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -299,13 +299,13 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - item.uid >= rhel9cis_int_gid + - min_int_uid | int <= item.uid - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation - - autoamted + - automated - patch - users - rule_6.2.10 @@ -315,7 +315,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" 
@@ -356,7 +356,7 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ec9dac6..babc8d6 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -281,39 +281,36 @@ rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} -rhel9cis_ldap_server: {{ rhel9cis_ldap_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} +rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} +rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }} -rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }} -rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} -rhel9cis_rsh_server: {{ rhel9cis_rsh_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} -rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_squid_server: {{ rhel9cis_squid_server }} -rhel9cis_smb_server: {{ rhel9cis_smb_server }} -rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} -rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} -rhel9cis_named_server: {{ rhel9cis_named_server }} -rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }} -rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_bind: {{ rhel9cis_bind }} -rhel9cis_vsftpd: {{ rhel9cis_vsftpd }} -rhel9cis_httpd: {{ rhel9cis_httpd }} -rhel9cis_dovecot: {{ rhel9cis_dovecot }} -rhel9cis_samba: {{ rhel9cis_samba }} -rhel9cis_squid: {{ 
rhel9cis_squid }} -rhel9cis_net_snmp: {{ rhel9cis_net_snmp}} +rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} + + rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} # client services -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} -rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} + + + # AIDE rhel9cis_config_aide: {{ rhel9cis_config_aide }} @@ -343,14 +340,12 @@ rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # End Banner -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }} # Whether or not to run tasks related to auditing/patching the desktop environment rhel9cis_gui: {{ rhel9cis_gui }} # xinetd required -rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }} +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} # IPv6 required rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} @@ -358,10 +353,6 @@ rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} # System network parameters (host only OR host and router) rhel9cis_is_router: {{ rhel9cis_is_router }} -# Time Synchronization -rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }} - -rhel9cis_varlog_location: {{ rhel9cis_varlog_location }} rhel9cis_firewall: {{ rhel9cis_firewall }} #rhel9cis_firewall: iptables @@ -373,7 +364,6 @@ rhel9cis_firewall_interface: rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - ### Section 4 ## auditd settings rhel9cis_auditd: 
@@ -395,45 +385,11 @@ rhel9cis_sshd_access: DenyUser: DenyGroup: -rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -rhel9cis_ssh_weak_ciphers: - 3des-cbc - aes128-cbc - aes192-cbc - aes256-cbc - arcfour - arcfour128 - arcfour256 - blowfish-cbc - cast128-cbc - rijndael-cbc@lysator.liu.se - -rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256 -rhel9cis_ssh_weak_macs: - hmac-md5 - hmac-md5-96 - hmac-ripemd160 - hmac-sha1 - hmac-sha1-96 - umac-64@openssh.com - umac-128@openssh.com - hmac-md5-etm@openssh.com - hmac-md5-96-etm@openssh.com - hmac-ripemd160-etm@openssh.com - hmac-sha1-etm@openssh.com - hmac-sha1-96-etm@openssh.com - umac-64-etm@openssh.com - umac-128-etm@openssh.com - -rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -rhel9cis_ssh_weak_kex: - diffie-hellman-group1-sha1 - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 - rhel9cis_ssh_aliveinterval: "300" rhel9cis_ssh_countmax: "3" +rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} + ## PAM rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password.minlen }} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 4716376..90bddb4 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
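Review bot: The new `rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}` line is rendered unquoted; the default path is harmless, but a site-supplied value containing `: ` or ` #` would break the generated goss vars file, so prefer `rhel9cis_sudolog_location: "{{ rhel9cis_sudolog_location }}"`. The hunk also drops `rhel9cis_ssh_strong_ciphers`, `rhel9cis_ssh_weak_macs`, `rhel9cis_ssh_strong_kex` and the related lists; if the goss SSH checks still reference them they are now undefined, which cannot be confirmed from this diff. If those checks now rely on `rhel9cis_crypto_policy` instead, a one-line comment saying so would help the next reader.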
@@ -1,14 +1,14 @@ # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope +-w /etc/sudoers.d -p wa -k scope {% endif %} {% if rhel9cis_rule_4_1_3_2 %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} {% if rhel9cis_rule_4_1_3_3 %} --w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file +-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file {% endif %} {% if rhel9cis_rule_4_1_3_4 %} -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change 
@@ -26,14 +26,14 @@ {% endif %} {% if rhel9cis_rule_4_1_3_6 %} {% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged {% endfor %} {% endif %} {% if rhel9cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access {% endif %} {% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity 
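Review bot: The third rule under `rhel9cis_rule_4_1_3_7` carries `-F auid!=-unset` (note the stray `-`), inherited from the old `-4294967295` typo; auditctl cannot resolve `-unset` as a user, so that line is rejected and the b32 EACCES access rule is not installed, and depending on how the file is loaded the rest of the file may be skipped as well, while the other three lines are correct. Change it to `-F auid!=unset` to match its siblings. A comment above the block, `# auid!=unset excludes processes with no login session (kernel value 4294967295)`, would explain the move away from the numeric form.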
@@ -43,16 +43,16 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_3_10 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -64,29 +64,30 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel9cis_rule_4_1_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_3_14 %}
--w /etc/selinux/ -p wa -k MAC-policy
--w /usr/share/selinux/ -p wa -k MAC-policy
+-w /etc/selinux -p wa -k MAC-policy
+-w /usr/share/selinux -p wa -k MAC-policy
 {% endif %}
 {% if rhel9cis_rule_4_1_3_15 %}
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_4_1_3_16 %}
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_4_1_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd
 {% endif %}
 {% if rhel9cis_rule_4_1_3_18 %}
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel9cis_rule_4_1_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_4_1_3_20 %}
 -e 2
+
 {% endif %}
diff --git a/templates/chrony.conf.j2 b/templates/etc/chrony.conf.j2
similarity index 100%
rename from templates/chrony.conf.j2
rename to templates/etc/chrony.conf.j2
diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
deleted file mode 100644
index 4bab3d1..0000000
--- a/templates/hosts.allow.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# hosts.allow This file contains access rules which are used to
-# allow or deny connections to network services that
-# either use the tcp_wrappers library or that have been
-# started through a tcp_wrappers-enabled xinetd.
-#
-# See 'man 5 hosts_options' and 'man 5 hosts_access'
-# for information on rule syntax.
-# See 'man tcpd' for information on tcp_wrappers
-#
-ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
deleted file mode 100644
index c745ab1..0000000
--- a/templates/ntp.conf.j2
+++ /dev/null
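Review bot: The `-e 2` under `rhel9cis_rule_4_1_3_20` is undocumented, and the blank line this hunk adds after it sits inside the `{% if %}`, so the rendered rules file now ends with an empty line after the immutability flag; harmless in itself, but it invites the next editor to append rules there that will never load. A template comment above it would prevent that: `{# -e 2 locks the loaded ruleset until reboot; keep it as the last line and expect a reboot after any rule change while it is set #}`. The same reboot expectation applies to the rule edits elsewhere in this file when the flag is already active on a host.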
@@ -1,59 +0,0 @@
-# For more information about this file, see the man pages
-# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
-
-driftfile /var/lib/ntp/drift
-
-# Permit time synchronization with our time source, but do not
-# permit the source to query or modify the service on this system.
-#restrict default nomodify notrap nopeer noquery
-restrict -4 default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
-# Permit all access over the loopback interface. This could
-# be tightened as well, but to do so would effect some of
-# the administrative functions.
-restrict 127.0.0.1
-restrict ::1
-
-# Hosts on local network are less restricted.
-#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
-
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-{% for server in rhel9cis_time_synchronization_servers -%}
-server {{ server }} {{ rhel9cis_ntp_server_options }}
-{% endfor %}
-
-#broadcast 192.168.1.255 autokey # broadcast server
-#broadcastclient # broadcast client
-#broadcast 224.0.1.1 autokey # multicast server
-#multicastclient 224.0.1.1 # multicast client
-#manycastserver 239.255.254.254 # manycast server
-#manycastclient 239.255.254.254 autokey # manycast client
-
-# Enable public key cryptography.
-#crypto
-
-includefile /etc/ntp/crypto/pw
-
-# Key file containing the keys and key identifiers used when operating
-# with symmetric key cryptography.
-keys /etc/ntp/keys
-
-# Specify the key identifiers which are trusted.
-#trustedkey 4 8 42
-
-# Specify the key identifier to use with the ntpdc utility.
-#requestkey 8
-
-# Specify the key identifier to use with the ntpq utility.
-#controlkey 8
-
-# Enable writing of statistics records.
-#statistics clockstats cryptostats loopstats peerstats
-
-# Disable the monitoring facility to prevent amplification attacks using ntpdc
-# monlist command when default restrict does not include the noquery flag. See
-# CVE-2013-5211 for more details.
-# Note: Monitoring will not be disabled with the limited restriction flag.
-disable monitor
diff --git a/vars/is_container.yml b/vars/is_container.yml
index a8ac4fb..33a23e8 100644
--- a/vars/is_container.yml
+++ b/vars/is_container.yml
@@ -6,8 +6,6 @@ ## controls -# Authconfig -rhel9cis_use_authconfig: false # Firewall rhel9cis_firewall: None