forked from ansible-lockdown/RHEL9-CIS
02a36f7f8d
* container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
178 lines
4.5 KiB
YAML
178 lines
4.5 KiB
YAML
---
|
|
# tasks file for RHEL9-CIS
|
|
|
|
- name: Check OS version and family
|
|
assert:
|
|
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
|
|
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
|
|
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
|
|
when:
|
|
- os_check
|
|
- not system_is_ec2
|
|
tags:
|
|
- always
|
|
|
|
- name: Check ansible version
|
|
assert:
|
|
that: ansible_version.full is version_compare(min_ansible_version, '>=')
|
|
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
|
|
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
|
|
tags:
|
|
- always
|
|
|
|
- name: Setup rules if container
|
|
block:
|
|
- name: Discover and set container variable if required
|
|
set_fact:
|
|
system_is_container: true
|
|
|
|
- name: Load variable for container
|
|
include_vars:
|
|
file: "{{ container_vars_file }}"
|
|
|
|
- name: output if discovered is a container
|
|
debug:
|
|
msg: system has been discovered as a container
|
|
when:
|
|
- system_is_container
|
|
when:
|
|
- ansible_connection == 'docker' or
|
|
ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
|
|
tags:
|
|
- container_discovery
|
|
- always
|
|
|
|
- name: Check crypto-policy input
|
|
assert:
|
|
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
|
|
fail_msg: "Crypto policy is not a permitted version"
|
|
success_msg: "Crypto policy is a permitted version"
|
|
|
|
- name: Check rhel9cis_bootloader_password_hash variable has been changed
|
|
assert:
|
|
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
|
|
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
|
|
when:
|
|
- rhel9cis_set_boot_pass
|
|
- rhel9cis_rule_1_5_2
|
|
|
|
- name: "check sugroup exists if used"
|
|
block:
|
|
- name: "Check su group exists if defined"
|
|
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
|
|
args:
|
|
warn: false
|
|
register: sugroup_exists
|
|
changed_when: false
|
|
failed_when: sugroup_exists.rc >= 2
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check sugroup if defined exists before continuing
|
|
assert:
|
|
that: sugroup_exists.rc == 0
|
|
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
|
|
when:
|
|
- rhel9cis_sugroup is defined
|
|
- rhel9cis_rule_5_7
|
|
tags:
|
|
- rule_5.7
|
|
|
|
- name: Gather the package facts
|
|
package_facts:
|
|
manager: auto
|
|
tags:
|
|
- always
|
|
|
|
- name: Include OS specific variables
|
|
include_vars: "{{ ansible_distribution }}.yml"
|
|
tags:
|
|
- always
|
|
|
|
- name: Include preliminary steps
|
|
import_tasks: prelim.yml
|
|
tags:
|
|
- prelim_tasks
|
|
- always
|
|
|
|
- name: run pre_remediation audit
|
|
include_tasks: pre_remediation_audit.yml
|
|
when:
|
|
- run_audit
|
|
|
|
- name: Gather the package facts after prelim
|
|
package_facts:
|
|
manager: auto
|
|
tags:
|
|
- always
|
|
|
|
- name: capture /etc/password variables
|
|
include_tasks: parse_etc_password.yml
|
|
when:
|
|
- rhel9cis_section6
|
|
tags:
|
|
- rule_5.5.2
|
|
- rule_6.2.7
|
|
- rule_6.2.8
|
|
- rule_6.2.20
|
|
- rhel9cis_section6
|
|
|
|
- name: run Section 1 tasks
|
|
import_tasks: section_1/main.yml
|
|
become: true
|
|
when: rhel9cis_section1
|
|
tags:
|
|
- rhel9cis_section1
|
|
|
|
- name: run Section 2 tasks
|
|
import_tasks: section_2/main.yml
|
|
become: true
|
|
when: rhel9cis_section2
|
|
tags:
|
|
- rhel9cis_section2
|
|
|
|
- name: run Section 3 tasks
|
|
import_tasks: section_3/main.yml
|
|
become: true
|
|
when: rhel9cis_section3
|
|
tags:
|
|
- rhel9cis_section3
|
|
|
|
- name: run Section 4 tasks
|
|
import_tasks: section_4/main.yml
|
|
become: true
|
|
when: rhel9cis_section4
|
|
tags:
|
|
- rhel9cis_section4
|
|
|
|
- name: run Section 5 tasks
|
|
import_tasks: section_5/main.yml
|
|
become: true
|
|
when: rhel9cis_section5
|
|
tags:
|
|
- rhel9cis_section5
|
|
|
|
- name: run Section 6 tasks
|
|
import_tasks: section_6/main.yml
|
|
become: true
|
|
when: rhel9cis_section6
|
|
tags:
|
|
- rhel9cis_section6
|
|
|
|
- name: run post remediation tasks
|
|
import_tasks: post.yml
|
|
become: true
|
|
tags:
|
|
- post_tasks
|
|
- always
|
|
|
|
- name: run post_remediation audit
|
|
import_tasks: post_remediation_audit.yml
|
|
when:
|
|
- run_audit
|
|
|
|
- name: Show Audit Summary
|
|
debug:
|
|
msg: "{{ audit_results.split('\n') }}"
|
|
when:
|
|
- run_audit
|