
tss user and spacing

Signed-off-by: Kristian <kris9854@gmail.com>
This commit is contained in:
Kristian 2022-09-27 17:15:49 +02:00
parent 5098beec03
commit fc407f8329
No known key found for this signature in database
GPG key ID: CB341F6A0D2D2A3C
8 changed files with 12 additions and 14 deletions


@ -1,8 +1,5 @@
--- ---
collections: collections:
- name: community.general - name: community.general
- name: community.crypto - name: community.crypto
- name: ansible.posix - name: ansible.posix


@ -64,7 +64,7 @@
- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled"
block: block:
- name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
command: rpm -q NetworkManager command: rpm -q NetworkManager
changed_when: false changed_when: false
failed_when: false failed_when: false


@ -15,7 +15,7 @@
import_tasks: cis_4.2.1.x.yml import_tasks: cis_4.2.1.x.yml
when: rhel9cis_syslog == 'rsyslog' when: rhel9cis_syslog == 'rsyslog'
- name: "SECTION | 4.2.2 Configure journald" - name: "SECTION | 4.2.2 | Configure journald"
import_tasks: cis_4.2.2.x.yml import_tasks: cis_4.2.2.x.yml
when: rhel9cis_syslog == 'journald' when: rhel9cis_syslog == 'journald'


@ -148,7 +148,7 @@
dest: /etc/at.deny dest: /etc/at.deny
state: absent state: absent
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
stat: stat:
path: "/etc/at.allow" path: "/etc/at.allow"
register: rhel9cis_5_1_9_at_allow_state register: rhel9cis_5_1_9_at_allow_state


@ -296,7 +296,7 @@
- ssh - ssh
- rule_5.2.14 - rule_5.2.14
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^Banner' regexp: '^Banner'
@ -343,7 +343,7 @@
- ssh - ssh
- rule_5.2.17 - rule_5.2.17
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions" regexp: "^#MaxSessions|^MaxSessions"


@ -78,7 +78,7 @@
- password - password
- rule_5.6.1.4 - rule_5.6.1.4
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
block: block:
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
shell: echo $(($(date --utc --date "$1" +%s)/86400)) shell: echo $(($(date --utc --date "$1" +%s)/86400))


@ -96,7 +96,7 @@
- permissions - permissions
- rule_6.1.4 - rule_6.1.4
- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" - name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured"
file: file:
dest: /etc/group- dest: /etc/group-
owner: root owner: root
@ -299,7 +299,7 @@
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
- name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist"
debug: debug:
msg: "Good news! We have not found any SUID executable files on your system" msg: "Good news! We have not found any SUID executable files on your system"
failed_when: false failed_when: false
@ -307,7 +307,7 @@
when: when:
- rhel_08_6_1_14_perms_results.stdout is not defined - rhel_08_6_1_14_perms_results.stdout is not defined
- name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist"
debug: debug:
msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}"
@ -334,7 +334,7 @@
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
- name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist"
debug: debug:
msg: "Good news! We have not found any SGID executable files on your system" msg: "Good news! We have not found any SGID executable files on your system"
failed_when: false failed_when: false
@ -342,7 +342,7 @@
when: when:
- rhel_08_6_1_15_perms_results.stdout is not defined - rhel_08_6_1_15_perms_results.stdout is not defined
- name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist"
debug: debug:
msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}"


@ -333,6 +333,7 @@
when: when:
- item.uid >= min_int_uid | int - item.uid >= min_int_uid | int
- item.id != 'nobody' - item.id != 'nobody'
- (item.id != 'tss' and item.dir != '/dev/null')
- rhel9cis_rule_6_2_10 - rhel9cis_rule_6_2_10
tags: tags:
- skip_ansible_lint # settings found on 6_2_7 - skip_ansible_lint # settings found on 6_2_7
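Review bot: The added condition `(item.id != 'tss' and item.dir != '/dev/null')` is broader than its evident purpose: with `and`, the task is skipped for every account whose home is `/dev/null` and for every account named `tss` whatever its home, whereas excluding only "tss with a /dev/null home" would be `- not (item.id == 'tss' and item.dir == '/dev/null')`. If skipping any `/dev/null`-homed account is actually intended (so the task never tries to treat `/dev/null` as a home directory), the name test is redundant and the line should drop it, with a comment above recording the decision, e.g. `# service accounts such as tss ship with home /dev/null; skip them rather than act on that path`. Either way, hard-coding a single user name next to the existing `item.id != 'nobody'` guard is fragile and hard to audit; a configurable exclusion list the role already owns would be the better home for both names, and a note on why `tss` clears the `min_int_uid` guard at all (it is presumably created as a system account) would help the next maintainer. The task this `when:` belongs to starts outside the hunk.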