lint updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
aa0f4d0f6d
commit
f1c4d96412
18 changed files with 578 additions and 835 deletions
|
|
@ -297,14 +297,14 @@
|
|||
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
|
||||
register: discovered_fs_modules_loaded
|
||||
|
||||
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning"
|
||||
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning"
|
||||
when: discovered_fs_modules_loaded.stdout | length > 0
|
||||
ansible.builtin.debug:
|
||||
msg: |
|
||||
"Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
|
||||
{{ discovered_fs_modules_loaded.stdout_lines}}"
|
||||
|
||||
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
|
||||
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
|
||||
when: discovered_fs_modules_loaded.stdout | length > 0
|
||||
ansible.builtin.import_tasks:
|
||||
file: warning_facts.yml
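Review bot: In the Output Warning task the `msg: |` literal block keeps its surrounding double quotes as content, so the printed warning begins and ends with a `"` character, and the reference `{{ discovered_fs_modules_loaded.stdout_lines}}` is missing the space before `}}` that the rest of the file uses. Either drop the quotes inside the block scalar or collapse it to one quoted scalar, e.g. `msg: "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task {{ discovered_fs_modules_loaded.stdout_lines }}"`. The task that registers `discovered_fs_modules_loaded` starts before this hunk, so the `failed_when` accepting rc 99 cannot be judged here.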
|
||||
|
|
|
|||
|
|
@ -86,4 +86,3 @@
|
|||
group: root
|
||||
mode: '0644'
|
||||
notify: Systemd restart tmp.mount
|
||||
|
||||
|
|
|
|||
|
|
@ -12,8 +12,8 @@
|
|||
- rule_1_1_2.3.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.3.1'
|
||||
required_mount: '/home'
|
||||
warn_control_id: '1.1.2.3.1'
|
||||
required_mount: '/home'
|
||||
block:
|
||||
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent"
|
||||
ansible.builtin.debug:
|
||||
|
|
@ -40,7 +40,7 @@
|
|||
- NIST800-53R5_CM-7
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
ansible.posix.mount:
|
||||
name: /home
|
||||
src: "{{ item.device }}"
|
||||
fstype: "{{ item.fstype }}"
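Review bot: `ansible.posix.mount` moves this task onto the external ansible.posix collection, so the role must declare that collection in its collection requirements or meta (not visible in this commit), otherwise the play fails at parse time with an unresolved module. The same switch is made for /var, /var/tmp, /var/log and /var/log/audit in the sections that follow, so one declaration covers all five. The `opts:` line of the /home task lies outside this hunk, so whether the intended nodev/nosuid/noexec options are applied cannot be checked here.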
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@
|
|||
|
||||
# skips if mount is absent
|
||||
- name: |
|
||||
"1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition"
|
||||
"1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
|
||||
"1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition
|
||||
1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
|
||||
when:
|
||||
- item.mount == "/var"
|
||||
- rhel9cis_rule_1_1_2_4_2 or
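Review bot: The new task name is a `|` literal block whose content starts and ends with a double quote, so the quotes are text rather than YAML quoting and the name Ansible prints carries a leading `"`, a trailing `"` and, because of `|`, a trailing newline. Dropping the quotes and clipping the final newline keeps a readable two-line name: `- name: |-` / `1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition` / `1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition` (use `>-` instead if a single-line name is preferred). The same construct appears in the /var/tmp, /var/log and /var/log/audit sections below. The task's `when` list and module call continue past the end of this hunk.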
|
||||
|
|
@ -40,7 +40,7 @@
|
|||
- rule_1_1_2.4.3
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
ansible.posix.mount:
|
||||
name: /var
|
||||
src: "{{ item.device }}"
|
||||
fstype: "{{ item.fstype }}"
|
||||
|
|
|
|||
|
|
@ -26,9 +26,9 @@
|
|||
|
||||
# skips if mount is absent
|
||||
- name: |
|
||||
"1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition"
|
||||
"1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
|
||||
"1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
|
||||
"1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition
|
||||
1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition
|
||||
1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
|
||||
when:
|
||||
- item.mount == "/var/tmp"
|
||||
- rhel9cis_rule_1_1_2_5_2 or
|
||||
|
|
@ -44,7 +44,7 @@
|
|||
- rule_1_1_2.5.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
ansible.posix.mount:
|
||||
name: /var/tmp
|
||||
src: "{{ item.device }}"
|
||||
fstype: "{{ item.fstype }}"
|
||||
|
|
|
|||
|
|
@ -12,8 +12,8 @@
|
|||
- rule_1_1_2.6.1
|
||||
- NIST800-53R5_CM-7
|
||||
vars:
|
||||
warn_control_id: '1.1.2.6.1'
|
||||
required_mount: '/var/log'
|
||||
warn_control_id: '1.1.2.6.1'
|
||||
required_mount: '/var/log'
|
||||
block:
|
||||
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
|
||||
ansible.builtin.debug:
|
||||
|
|
@ -24,9 +24,9 @@
|
|||
file: warning_facts.yml
|
||||
|
||||
- name: |
|
||||
"1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition"
|
||||
"1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
|
||||
"1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
|
||||
"1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition
|
||||
1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition
|
||||
1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
|
||||
when:
|
||||
- item.mount == "/var/log"
|
||||
- rhel9cis_rule_1_1_2_6_2 or
|
||||
|
|
@ -42,7 +42,7 @@
|
|||
- rule_1_1_2.6.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.builtin.mount:
|
||||
ansible.posix.mount:
|
||||
name: /var/log
|
||||
src: "{{ item.device }}"
|
||||
fstype: "{{ item.fstype }}"
|
||||
|
|
|
|||
|
|
@ -24,19 +24,9 @@
|
|||
file: warning_facts.yml
|
||||
|
||||
- name: |
|
||||
"1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
|
||||
"1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition"
|
||||
"1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
|
||||
ansible.builtin.mount:
|
||||
name: /var/log/audit
|
||||
src: "{{ item.device }}"
|
||||
fstype: "{{ item.fstype }}"
|
||||
state: present
|
||||
opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %}
|
||||
loop: "{{ ansible_facts.mounts }}"
|
||||
loop_control:
|
||||
label: "{{ item.device }}"
|
||||
notify: Change_requires_reboot
|
||||
"1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition
|
||||
1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition
|
||||
1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
|
||||
when:
|
||||
- item.mount == "/var/log/audit"
|
||||
- rhel9cis_rule_1_1_2_7_2 or
|
||||
|
|
@ -52,3 +42,13 @@
|
|||
- rule_1_1_2.7.4
|
||||
- NIST800-53R5_AC-3
|
||||
- NIST800-53R5_MP-2
|
||||
ansible.posix.mount:
|
||||
name: /var/log/audit
|
||||
src: "{{ item.device }}"
|
||||
fstype: "{{ item.fstype }}"
|
||||
state: present
|
||||
opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %}
|
||||
loop: "{{ ansible_facts.mounts }}"
|
||||
loop_control:
|
||||
label: "{{ item.device }}"
|
||||
notify: Change_requires_reboot
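Review bot: The `opts:` template leaves a trailing comma whenever `rhel9cis_rule_1_1_2_7_4` is false (for example `defaults,nodev,nosuid,`), because only the last branch omits its comma; mount may tolerate an empty option entry, but the resulting fstab line is fragile and awkward to audit. Building the list and joining it avoids the problem in one line: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_2_7_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_2_7_3 else []) + (['noexec'] if rhel9cis_rule_1_1_2_7_4 else [])) | join(',') }}"`. The `opts:` lines of the sibling /home, /var, /var/tmp and /var/log tasks are outside the visible hunks, so they presumably share the pattern but cannot be confirmed here. The task's `name` and `when` keys sit in the previous hunk of this section.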
|
||||
|
|
|
|||
|
|
@ -1,78 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "1.3.1 | PATCH | Ensure AIDE is installed"
|
||||
block:
|
||||
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE"
|
||||
ansible.builtin.package:
|
||||
name: aide
|
||||
state: present
|
||||
|
||||
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
|
||||
ansible.builtin.shell: /usr/sbin/aide --init
|
||||
args:
|
||||
creates: /var/lib/aide/aide.db.new.gz
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing"
|
||||
ansible.builtin.wait_for:
|
||||
path: /var/lib/aide/aide.db.new.gz
|
||||
|
||||
- name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
|
||||
ansible.builtin.copy:
|
||||
src: /var/lib/aide/aide.db.new.gz
|
||||
dest: /var/lib/aide/aide.db.gz
|
||||
remote_src: true
|
||||
when:
|
||||
- rhel9cis_config_aide
|
||||
- rhel9cis_rule_1_3_1
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- aide
|
||||
- patch
|
||||
- rule_1.3.1
|
||||
|
||||
- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
|
||||
ansible.builtin.cron:
|
||||
name: Run AIDE integrity check
|
||||
cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}"
|
||||
user: "{{ rhel9cis_aide_cron['cron_user'] }}"
|
||||
minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}"
|
||||
hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}"
|
||||
day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}"
|
||||
month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}"
|
||||
weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}"
|
||||
job: "{{ rhel9cis_aide_cron['aide_job'] }}"
|
||||
when:
|
||||
- rhel9cis_rule_1_3_2
|
||||
- not system_is_ec2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- aide
|
||||
- file_integrity
|
||||
- patch
|
||||
- rule_1.3.2
|
||||
|
||||
- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/aide.conf
|
||||
marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
|
||||
block: |
|
||||
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
|
||||
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
|
||||
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
|
||||
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
|
||||
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
|
||||
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
|
||||
validate: aide -D --config %s
|
||||
when:
|
||||
- rhel9cis_rule_1_3_3
|
||||
- not system_is_ec2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- aide
|
||||
- file_integrity
|
||||
- patch
|
||||
- rule_1.3.3
|
||||
|
|
@ -15,8 +15,8 @@
|
|||
msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
|
||||
changed_when: true
|
||||
notify:
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
|
||||
- name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
|
||||
when:
|
||||
|
|
@ -36,7 +36,7 @@
|
|||
state: absent
|
||||
notify: Restart sshd
|
||||
|
||||
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"
|
||||
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"
|
||||
when:
|
||||
- rhel9cis_rule_1_6_3
|
||||
- "'NO-SHA1' not in rhel9cis_crypto_policy_module"
|
||||
|
|
@ -49,7 +49,7 @@
|
|||
- rule_1.6.3
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"
|
||||
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
|
||||
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
|
||||
|
|
@ -92,7 +92,6 @@
|
|||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-WEAKMAC' }}"
|
||||
|
||||
|
||||
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh"
|
||||
when:
|
||||
- rhel9cis_rule_1_6_5
|
||||
|
|
@ -124,7 +123,7 @@
|
|||
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
|
||||
when:
|
||||
- rhel9cis_rule_1_6_6
|
||||
- "'NO-SSHCHACHA20' not in rhel9cis_crypto_policy_module"
|
||||
- "'NO-SSHWEAKMAC' not in rhel9cis_crypto_policy_module"
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
|
|
@ -136,8 +135,8 @@
|
|||
block:
|
||||
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2
|
||||
dest: /etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod
|
||||
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2
|
||||
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
|
|
@ -147,7 +146,7 @@
|
|||
|
||||
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHCHACHA20' }}"
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKMAC' }}"
|
||||
|
||||
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh"
|
||||
when:
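Review bot: The 1.6.6 task is still named `Ensure system wide crypto policy disables chacha20-poly1305 for ssh` in its block, template and set_fact sub-tasks, yet after the `@ -124`, `@ -136` and `@ -147` hunks the guard, the template written and the module appended are all `NO-SSHWEAKMAC`, so nothing in the visible section excludes chacha20-poly1305 from the SSH policy any more and, unless that is handled elsewhere, CIS control 1.6.6 is no longer enforced. If a weak-MAC exclusion is wanted it belongs in its own task with a matching name, keeping the `NO-SSHCHACHA20` template, guard and set_fact in place; 1.6.4 already appends `:NO-WEAKMAC` in the `@ -92` hunk, so a comment stating how `NO-WEAKMAC` and `NO-SSHWEAKMAC` differ would also help. Separately, the `@ -36` and `@ -49` hunks swap the 1.6.3 names so that the block-level task carries `| Add submodule exclusion` while the inner template task has the bare control name, the inverse of the 1.6.6 layout in this same file. Both changes alter behaviour or structure rather than lint, so they are worth a separate commit with its own description.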
|
||||
|
|
|
|||
|
|
@ -51,7 +51,6 @@
|
|||
mode: '0644'
|
||||
notify: Reload dconf
|
||||
|
||||
|
||||
- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled"
|
||||
when:
|
||||
- rhel9cis_rule_1_8_3
|
||||
|
|
|