--- - name: "1.3.1.1 | PATCH | Ensure SELinux is installed" when: - rhel9cis_rule_1_3_1_1 - not rhel9cis_selinux_disable tags: - level1-server - level1-workstation - patch - rule_1.3.1.1 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.package: name: libselinux state: present - name: "1.3.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" when: - rhel9cis_rule_1_3_1_2 - not rhel9cis_selinux_disable tags: - level1-server - level1-workstation - scored - patch - rule_1.3.1.2 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.replace: path: /etc/default/grub regexp: '{{ item }}' replace: '' loop: - selinux=0 - enforcing=0 ignore_errors: true # noqa ignore-errors notify: Grub2cfg # State set to enforcing because control 1.3.1.5 requires enforcing to be set - name: "1.3.1.3 | PATCH | Ensure SELinux policy is configured" when: - rhel9cis_rule_1_3_1_3 - not rhel9cis_selinux_disable tags: - level1-server - level1-workstation - selinux - patch - rule_1.3.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" - name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled" when: - rhel9cis_rule_1_3_1_4 - not rhel9cis_selinux_disable tags: - level1-server - level1-workstation - selinux - patch - rule_1.3.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" - name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing" when: - rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_rule_1_3_1_5 - not rhel9cis_selinux_disable tags: - level2-server - level2-workstation - selinux - patch - rule_1.3.1.5 - NIST800-53R4_AC-3 - NIST800-53R4_SI-6 ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: enforcing - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist" when: - rhel9cis_rule_1_3_1_6 - not rhel9cis_selinux_disable tags: - level1-server - level1-workstation - audit - services - rule_1.3.1.6 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 vars: warn_control_id: '1.3.1.6' block: - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' register: discovered_unconf_services failed_when: false changed_when: false - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" when: discovered_unconf_services.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ discovered_unconf_services.stdout_lines }}" - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | warning count" when: discovered_unconf_services.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" when: rhel9cis_rule_1_3_1_7 tags: - level1-server - level1-workstation - patch - rule_1.3.1.7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.package: name: mcstrans state: absent - name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed" when: - rhel9cis_rule_1_3_1_8 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - selinux - patch - rule_1.3.1.8 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.package: name: setroubleshoot state: absent