QA, lint, standards, var naming, title naming aligned

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell
2026-04-08 12:56:24 +01:00
parent 69bef1f371
commit 201edf02e4
39 changed files with 478 additions and 608 deletions
+18 -5
@@ -1,7 +1,6 @@
.env
*.log
*.retry
.cache
.vagrant
tests/*redhat-subscription
tests/Dockerfile
@@ -10,11 +9,9 @@ tests/Dockerfile
packer_cache
delete*
ignore*
test_inv
# temp remove doc while this is built up
doc/
# VSCode
.vscode
vagrant
# Byte-compiled / optimized / DLL files
__pycache__/
@@ -39,13 +36,29 @@ tramp
rh-creds.env
travis.env
# Secret/key files
*.vault
*.key
*.pem
*.p12
*.pfx
*.keystore
*.jks
*.credentials
*vault_pass*
.vault_pass
# Lockdown-specific
benchparse/
*xccdf.xml
*.retry
*.pdf
*history.md
*plan.md
*qa_report*
# GitHub Action/Workflow files
.github/
# Precommit exclusions
# ansible-lint
.ansible/
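Review bot: `*.retry` under the Lockdown-specific block duplicates the `*.retry` entry already present in the first hunk of this file, and `.vault_pass` is already matched by the `*vault_pass*` glob directly above it; drop the two redundant lines so the ignore list stays easy to audit. The new secret/key patterns (`*.vault`, `*.key`, `*.pem`, `*.p12`, `*.pfx`, `*.keystore`, `*.jks`, `*.credentials`) are a sensible addition for a repository that is used with vault files.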
+1 -1
@@ -17,7 +17,7 @@ rules:
comments:
ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility
comments-indentation: enable
comments-indentation: disable
empty-lines:
max: 1
indentation:
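Review bot: flipping `comments-indentation` from `enable` to `disable` switches the check off for the whole repository instead of fixing the comments that trip it. If the change is needed for prettier compatibility, as the `# prettier compatibility` note on `min-spaces-from-content` above suggests, add the same kind of comment here (or a changelog line) so the next reader knows why; otherwise keep it enabled and re-indent the offending comments.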
+2 -2
@@ -1,4 +1,4 @@
Contributing to MindPoint Group Projects
Contributing to Ansible-Lockdown Projects
========================================
Rules
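Review bot: the new title `Contributing to Ansible-Lockdown Projects` is one character longer than `Contributing to MindPoint Group Projects` (41 vs 40 characters) while the `=` underline is left unchanged; if that underline was sized to the old title, reStructuredText will now emit a "Title underline too short" warning. Extend the underline by one `=` in the same commit.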
@@ -20,7 +20,7 @@ Signing your contribution
We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects.
way to contribute to Ansible-Lockdown projects.
The process is to certify the below DCO 1.1 text
::
+28 -29
@@ -1,7 +1,34 @@
# Changes to RHEL9CIS
## 2.0.5 - Based on CIS v2.0.0
## April 2026
- bootloader password logic improved thanks to skullbringer on discord community
- 7.1.12 and 7.1.13 fixed thanks to @bubaimondalsch #440
- 4.3 tags updated
- 2.1.x - improve logic for mask/disable/stop thanks to @numericillustration #434
## March 2026 — workspace alignment
- Common files aligned to std
- workflows updates
- titles updates
- levels aligned
- auditd improvement
- grammar, lint
- vars naming
- Linting: converted ~75 single-item when: conditions from list to inline format
- Linting: added blank line after --- YAML document marker in 10 files
- Linting: fixed register: key order in 8 tasks (now appears after changed_when/failed_when)
- Linting: fixed spelling typo sddr → saddr in cis_4.3.x.yml
- Defaults: added justification comments for service client and bluetooth variables
## Based on CIS v2.0.0
# Feb26 2
#430 thanks to @numericillustration - 5.4.2.5 missing echo
# Feb26 1
- QA Fixes
- .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
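Review bot: heading levels in the new block are inconsistent. `# Feb26 2` and `# Feb26 1` are H1, one level above the `## 2.0.5` release heading they belong under; `## Based on CIS v2.0.0` repeats text already in the `## 2.0.5 - Based on CIS v2.0.0` heading; and `#430 thanks to @numericillustration - 5.4.2.5 missing echo` lacks the `- ` bullet prefix the other entries use (with no space after `#` it is not a heading either, so it renders as a stray paragraph). Suggest `### Feb26 2` / `### Feb26 1`, dropping the duplicate heading, and `- #430 thanks to @numericillustration - 5.4.2.5 missing echo`. The March 2026 heading also uses an em dash where every other heading in the file uses a plain hyphen.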
@@ -77,34 +104,6 @@ tidy up tags on tasks/main.yml
- public issue 372
- allow password with different locale
## 2.0.4 - Based on CIS v2.0.0
- addressed issue #419, thank you @aaronk1
- addressed issue #418 thank you @bbaassssiiee
- addressed issue #416 thank you @georgenalen and @bbaassssiiee
- addressed issue #393 thank you to @fragglexarmy
- addressed issue #394 thank you to @dbeuker
- addressed issues #390 and #391 thanks to @polski-g
- addressed issue #398 & #399 thanks to trumbaut
- Added max-concurrent options for audit
- work flow updates
- audit logic improvements
- auditd template 2.19 compatible
- pre-commit updates
- #410 thanks to @kpi-nourman
- #413 thanks to @bbaassssiiee
## 2.0.3 - Based on CIS v2.0.0
- addressed issue #387, thank you @fragglexarmy
- addressed issue #382 to improve regex logic on 5.4.2.4
- improvement on crypto policy managed controls with var logic
- addressed issue #384 thank you @polski-g
- update command to shell module on tasks
- addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g
- pre-commit update
## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results
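Review bot: this hunk shrinks a 34-line region to 6 lines (`@@ -77,34 +104,6 @@`), which drops the `## 2.0.4` and `## 2.0.3` release notes shown here, and nothing in the first hunk re-adds them. Confirm they were moved rather than deleted, because the changelog would otherwise lose the issue references (#419, #418, #416, #393, #394, #390, #391, #398, #399, #410, #413, #387, #382, #384, 371, 350, 364) that users search for when checking whether a fix shipped.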
+261 -394
File diff suppressed because it is too large
+1 -1
@@ -25,7 +25,7 @@
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
owner: root
group: root
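Review bot: `src` changes from `{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}` to the bare `{{ audit_bin_copy_location }}`, so the variable now has to hold the full path of the goss binary rather than a directory. Make sure its default value and documentation are updated in the same commit: with the old directory-style value, `ansible.builtin.copy` would copy an entire directory onto the `{{ audit_bin }}` file path. The per-architecture selection through `audit_pkg_arch_name` is also lost, which matters for anyone keeping more than one binary in that location.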
+22 -34
@@ -3,59 +3,47 @@
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false
check_mode: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/99_auditd.rules
register: discovered_auditd_rules_file
- name: "POST | AUDITD | Ensure use of privileged commands is collected"
ansible.builtin.shell: |
{%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}
for i in $(df | grep '^/dev' | grep -Ev '{{ egrep_exclude }}' | awk '{ print $NF }'); do
find $i -xdev -type f -perm /6000 2>/dev/null;
done
changed_when: false
failed_when: false
check_mode: false
register: discovered_privileged_commands
- name: POST | Apply auditd template for section 6.3.3.x
- name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
when: update_audit_template
vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template:
src: audit/99_auditd.rules.j2
src: etc/audit/rules.d/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 'u-x,g-wx,o-rwx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated
mode: 'u-x,go-wx'
register: discovered_audit_rules_updated
notify:
- Auditd immutable check
- Audit immutable fact
- Auditd rules reload
- Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
when:
- discovered_auditd_rules_template_updated.changed
- discovered_auditd_rules_file.stat.exists
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, validate as expected'
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/98_auditd_exceptions.rules
register: discovered_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file
when:
- rhel9cis_allow_auditd_uid_user_exclusions
- rhel9cis_auditd_uid_exclude | length > 0
- name: POST | AUDITD | Set up auditd user logging exceptions
when: rhel9cis_allow_auditd_uid_user_exclusions
ansible.builtin.template:
src: audit/98_auditd_exception.rules.j2
src: etc/audit/rules.d/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: '0640'
diff: "{{ discovered_auditd_exception_file.stat.exists }}"
mode: 'u-x,go-rwx'
notify: Restart auditd
- name: POST | AUDITD | Flush handlers
ansible.builtin.meta: flush_handlers
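Review bot: the mode on /etc/audit/rules.d/99_auditd.rules is loosened from `'u-x,g-wx,o-rwx'` to `'u-x,go-wx'`, which only strips write/execute from group and other and leaves the rules file world-readable (0644 under the default umask) where the old value produced 0640; the benchmark's audit-configuration-file permission control expects 0640 or more restrictive, and the exceptions file in the same hunk goes the other way to `'u-x,go-rwx'` (0600). Use the same restrictive value for both, e.g. `mode: 'u-x,g-wx,o-rwx'`. Three smaller points: the register is renamed to `discovered_audit_rules_updated`, but the `Add Warning count` task in this hunk still tests `discovered_auditd_rules_template_updated.changed` and `discovered_auditd_rules_file.stat.exists`, so either rename there too or confirm that task and the `stat` tasks are removed; the task name now says section `6.2.4.x` while the comment and other task names in this file refer to 6.3.3 (and one still says 4.1.3), so the section references need aligning; and the exceptions template loses the `rhel9cis_auditd_uid_exclude | length > 0` guard, so it will now be rendered and auditd restarted even when the exclusion list is empty.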
+3 -5
@@ -200,15 +200,13 @@
file: auditd.yml
- name: "Run post remediation tasks"
tags:
- post_tasks
- always
tags: always
ansible.builtin.import_tasks:
file: post.yml
- name: "Run post_remediation audit"
- name: "Run post remediation audit"
when: run_audit
tags: always
tags: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
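Review bot: changing the post-remediation audit's tag from `always` to `run_audit` means a run invoked with `--tags` (a single level or rule tag, say) no longer executes the post audit even when `run_audit` is true, which it did before; the `when: run_audit` guard already keeps it from running when unwanted. If the goal is to let users opt out with `--skip-tags run_audit`, `tags: [always, run_audit]` keeps both behaviours, since skip-tags takes precedence over `always`; either way the behaviour change belongs in the changelog.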
+5 -5
@@ -1,6 +1,6 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
@@ -14,11 +14,11 @@
- name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
changed_when: false
register: post_audit_summary
register: post_audit_summary_json
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
post_audit_results: "{{ post_audit_summary_json.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when: audit_format == "documentation"
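Review bot: the rename to `post_audit_summary_json` correctly stops the documentation-format task below from overwriting the same register, but this grep has no `failed_when`, so a missing or unreadable `{{ post_audit_outfile }}` yields an empty `post_audit_results` rather than a failure (the `cut` at the end of the pipeline hides grep's exit status). Consider `failed_when: post_audit_summary_json.stderr | length > 0`, as the pre-remediation file on this page does.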
@@ -26,8 +26,8 @@
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
register: post_audit_summary
register: post_audit_summary_documentation
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
post_audit_results: "{{ post_audit_summary_documentation.stdout }}"
+7 -9
@@ -6,7 +6,7 @@
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
ansible.builtin.file:
path: "{{ audit_conf_dir }}"
mode: 'go-w'
@@ -71,8 +71,8 @@
dest: "{{ audit_vars_path }}"
mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
@@ -85,12 +85,11 @@
- name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
changed_when: false
failed_when: pre_audit_summary.stderr | length > 0
register: pre_audit_summary
register: pre_audit_summary_json
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
pre_audit_results: "{{ pre_audit_summary_json.stdout }}"
- name: Pre Audit | Capture audit data if documentation format
when: audit_format == "documentation"
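Review bot: besides the register rename, this hunk drops `failed_when: pre_audit_summary.stderr | length > 0` (12 lines become 11), which was the only error detection on this grep; with `cut` last in the pipeline the exit status is meaningless, so a missing outfile now silently produces an empty `pre_audit_results`. If the line was removed because it referenced the old register name, update it to `failed_when: pre_audit_summary_json.stderr | length > 0` instead of deleting it; the same applies to the documentation-format hunk below.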
@@ -98,12 +97,11 @@
- name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
failed_when: pre_audit_summary.stderr | length > 0
register: pre_audit_summary
register: pre_audit_summary_documentation
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
pre_audit_results: "{{ pre_audit_summary_documentation.stdout }}"
- name: Audit_Only | Run Audit Only
when: audit_only
+7
@@ -295,6 +295,13 @@
state: directory
mode: 'u+x,g-w,o-rwx'
- name: "PRELIM | AUDIT | Discover if auditd is immutable"
tags: always
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1, 2 ]
register: prelim_auditd_immutable_check
- name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when:
- '"auditd" not in ansible_facts.packages'
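Review bot: the new discovery task runs `ansible.builtin.command` without `check_mode: false`, so in a `--check` run it is skipped and `prelim_auditd_immutable_check.rc` is undefined for anything that reads it later; the other discovery tasks on this page (the `ausyscall --dump` one, for example) set `check_mode: false`, so add it here too. The `failed_when` list is right for `grep -c` (1 = no match, 2 = file missing), but the check only inspects `99_auditd.rules`, so an `-e 2` set in any other rules.d file goes undetected.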
+3 -3
@@ -1,12 +1,12 @@
---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
- name: "1.1.2.3.1 | PATCH | Ensure separate partition exists for /home"
when:
- rhel9cis_rule_1_1_2_3_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.3.1
+3 -3
@@ -1,12 +1,12 @@
---
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
- name: "1.1.2.4.1 | PATCH | Ensure separate partition exists for /var"
when:
- rhel9cis_rule_1_1_2_4_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.4.1
+3 -3
@@ -1,12 +1,12 @@
---
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
- name: "1.1.2.5.1 | PATCH | Ensure separate partition exists for /var/tmp"
when:
- rhel9cis_rule_1_1_2_5_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.5.1
+3 -3
@@ -1,12 +1,12 @@
---
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
- name: "1.1.2.6.1 | PATCH | Ensure separate partition exists for /var/log"
when:
- rhel9cis_rule_1_1_2_6_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.6.1
+3 -3
@@ -1,12 +1,12 @@
---
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
- name: "1.1.2.7.1 | PATCH | Ensure separate partition exists for /var/log/audit"
when:
- rhel9cis_rule_1_1_2_7_1
- required_mount not in prelim_mount_names
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- audit
- mounts
- rule_1.1.2.7.1
+2 -2
@@ -55,7 +55,7 @@
policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled"
- name: "1.3.1.4 | PATCH | Ensure the SELinux mode is not disabled"
when:
- rhel9cis_rule_1_3_1_4
- not rhel9cis_selinux_disable
@@ -72,7 +72,7 @@
policy: "{{ rhel9cis_selinux_pol }}"
state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing"
- name: "1.3.1.5 | PATCH | Ensure the SELinux mode is enforcing"
when:
- rhel9cis_selinux_enforce == 'enforcing'
- rhel9cis_rule_1_3_1_5
+3 -3
@@ -1,6 +1,6 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
when: rhel9cis_rule_1_5_1
tags:
- level1-server
@@ -11,11 +11,11 @@
- NIST800-53R5_CM-6
- NIST800-53R5_CM-6.1
block:
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
+3 -3
@@ -130,7 +130,7 @@
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh"
when:
- rhel9cis_rule_1_6_6
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
@@ -144,7 +144,7 @@
- rule_1.6.6
- NIST800-53R5_SC-6
block:
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
@@ -153,7 +153,7 @@
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler
+3 -3
@@ -53,7 +53,7 @@
group: root
mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
- name: "1.7.4 | PATCH | Ensure access to /etc/motd is configured"
when: rhel9cis_rule_1_7_4
tags:
- level1-server
@@ -69,7 +69,7 @@
group: root
mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
- name: "1.7.5 | PATCH | Ensure access to /etc/issue is configured"
when: rhel9cis_rule_1_7_5
tags:
- level1-server
@@ -85,7 +85,7 @@
group: root
mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
- name: "1.7.6 | PATCH | Ensure access to /etc/issue.net is configured"
when: rhel9cis_rule_1_7_6
tags:
- level1-server
+2 -2
@@ -198,7 +198,7 @@
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- gui
- rule_1.8.8
@@ -226,7 +226,7 @@
- rhel9cis_gui
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- gui
- rule_1.8.9
+1 -1
@@ -64,7 +64,7 @@
name: telnet
state: absent
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
- name: "2.2.5 | PATCH | Ensure tftp client is not installed"
when:
- not rhel9cis_tftp_client
- rhel9cis_rule_2_2_5
+1 -1
@@ -1,6 +1,6 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
when: rhel9cis_rule_2_4_1_1
tags:
- level1-server
+34 -34
@@ -1,6 +1,6 @@
---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled"
when:
- not rhel9cis_is_router
- rhel9cis_rule_3_3_1
@@ -16,23 +16,23 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
@@ -60,7 +60,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
when: rhel9cis_rule_3_3_3
tags:
- level1-server
@@ -74,16 +74,16 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored"
when: rhel9cis_rule_3_3_4
tags:
- level1-server
@@ -97,7 +97,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
@@ -106,7 +106,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_5
tags:
- level1-server
@@ -120,27 +120,27 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted"
when: rhel9cis_rule_3_3_6
tags:
- level1-server
@@ -154,27 +154,27 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
when: rhel9cis_rule_3_3_7
tags:
- level1-server
@@ -188,12 +188,12 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@@ -249,7 +249,7 @@
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
when: rhel9cis_rule_3_3_10
tags:
- level1-server
@@ -263,22 +263,22 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted"
when:
- rhel9cis_ipv6_required
- rhel9cis_rule_3_3_11
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.11
@@ -288,11 +288,11 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
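Review bot: nit on the trailing context line: the debug `msg` names `/etc/sysctl.d/60-netipv6_sysctl` without the `.conf` suffix that the other IPv6 messages in this file use (`60-netipv6_sysctl.conf`); since this hunk already touches the task names of 3.3.11, fix the path while here.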
+9 -9
@@ -134,7 +134,7 @@
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
when:
- rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
@@ -148,7 +148,7 @@
- rule_5.1.6
- NIST800-53R5_SC-6
block:
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
@@ -159,7 +159,7 @@
- Update Crypto Policy
- Set Crypto Policy
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
- name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
@@ -290,7 +290,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when: rhel9cis_rule_5_1_11
tags:
- level1-server
- level2-server
- level1-workstation
- patch
- sshd
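Review bot: the 5.1.11 tag change leaves `level2-server` next to `level1-workstation`, i.e. different levels for the two profiles, while the other sshd controls on this page keep server and workstation at the same level; confirm against the benchmark's profile applicability for `sshd GSSAPIAuthentication` before merging. (The 5.1.6 rename from KexAlgorithms to MACs in the hunks above is correct, since those tasks reference `NO-SSHWEAKMACS`.)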
@@ -360,7 +360,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
when: rhel9cis_rule_5_1_14
tags:
- level1-server
@@ -378,7 +378,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
when: rhel9cis_rule_5_1_15
tags:
- level1-server
@@ -398,7 +398,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
when: rhel9cis_rule_5_1_16
tags:
- level1-server
@@ -438,7 +438,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
- name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
when: rhel9cis_rule_5_1_18
tags:
- level1-server
@@ -522,7 +522,7 @@
validate: sshd -t -f %s
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
when: rhel9cis_rule_5_1_22
tags:
- level1-server
+1 -1
@@ -39,7 +39,7 @@
ansible.builtin.set_fact:
authselect_update: OK
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
- name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
when:
- rhel9cis_rule_5_3_1_3
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or
+1 -1
@@ -65,7 +65,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]"
- name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]'
when:
- rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0
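Review bot: the re-quoting moves `# noqa syntax-check[specific]` inside the single-quoted string, so it is now part of the task name (together with a literal `"`) and no longer a YAML comment that ansible-lint honours; the old line's only defect was the stray trailing `"` after the comment. Use `- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]`.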
+2 -2
@@ -87,8 +87,8 @@
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when: rhel9cis_rule_5_3_3_1_3
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- automated
- patch
- pam
+5 -5
@@ -67,7 +67,7 @@
- NIST800-53R5_IA-5
- pam
block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
when:
- item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high
@@ -81,7 +81,7 @@
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
ansible.builtin.template:
src: "{{ rhel9cis_passwd_minlen_file }}.j2"
dest: "/{{ rhel9cis_passwd_minlen_file }}"
@@ -89,7 +89,7 @@
group: root
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@@ -101,7 +101,7 @@
- password
- system
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
@@ -226,7 +226,7 @@
- system
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
when: rhel9cis_rule_5_3_3_2_5
tags:
- level1-server
+3 -3
@@ -15,13 +15,13 @@
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: remember\s*=\s*\d*
line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
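Review bot: the `regexp: remember\s*=\s*\d*` in the "Ensure remember is set pwhistory file" task is unanchored, so it also matches a commented-out `# remember = 5` line in /etc/security/pwhistory.conf; `lineinfile` rewrites the last match only, so an active `remember =` line can be left untouched while the comment gets replaced. Anchor it (`regexp: '^\s*remember\s*='`) so only a live setting is matched, and quote the scalar for readability.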
@@ -33,7 +33,7 @@
- password
- system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
+2 -2
@@ -27,7 +27,7 @@
replace: ''
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
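Review bot: the 5.3.3.4.1 AuthSelect variant edits `/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth` with `ansible.builtin.replace`, but no `notify: Authselect update` is visible in this hunk (the 5.3.3.2.x tasks carry one). Changes to a custom profile are not live until `authselect apply-changes` runs, so confirm the handler is notified further down in the task; otherwise `nullok` remains in the effective /etc/pam.d files until some unrelated apply.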
@@ -65,7 +65,7 @@
replace: ''
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
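Review bot: the removed and added `5.3.3.4.2 ... Remove remember from pam files AuthSelect` name lines are textually identical in this view, so the change is whitespace-only (trailing space or indentation). Fine if that is what lint flagged, but worth a glance that no stray non-printing character was introduced, since the name is what appears in logs and `--list-tasks`.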
+6 -6
@@ -1,6 +1,6 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
when: rhel9cis_rule_5_4_1_1
tags:
- level1-server
@@ -14,7 +14,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
@@ -27,7 +27,7 @@
check_mode: false
register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
when:
- discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_users | map(attribute='username') | list
@@ -40,8 +40,8 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when: rhel9cis_rule_5_4_1_2
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- patch
- password
- rule_5.4.1.2
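Review bot: as with 5.3.3.1.3, this hunk flips 5.4.1.2 between `level1-*` and `level2-*` tags with no direction visible in the rendered diff; confirm against the benchmark profile for "minimum password days" (a control whose level has differed between benchmark versions) and mention the change in the changelog, since tag-selected runs change behaviour without any task output to explain it.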
@@ -140,7 +140,7 @@
check_mode: false
register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true
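Review bot: `changed_when: true` on the `chage --inactive` loop reports every targeted user as changed on every run. If `discovered_passwdlck_user_list` (registered just above) already filters to users whose INACTIVE value differs from `rhel9cis_inactivelock.lock_days`, that is acceptable; if it lists all interactive users, the task is not idempotent in reporting and repeated runs look like drift. Either filter in the discovery command or derive `changed_when` from the comparison.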
+2 -2
@@ -94,7 +94,7 @@
vars:
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
@@ -105,7 +105,7 @@
ansible.builtin.debug:
msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
- name: "5.4.2.5 | PATCH | Ensure root path integrity"
when: rhel9cis_rule_5_4_2_5
tags:
- level1-server
+1 -1
@@ -4,7 +4,7 @@
when: rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
- level1-workstation
- patch
- journald
- rule_6.2.2.2
+12 -12
@@ -1,6 +1,6 @@
---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed"
- name: "6.2.3.1 | PATCH | Ensure rsyslog is installed"
when:
- "'rsyslog' not in ansible_facts.packages"
- rhel9cis_rule_6_2_3_1
@@ -17,7 +17,7 @@
name: rsyslog
state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
- name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
when: rhel9cis_rule_6_2_3_2
tags:
- level1-server
@@ -68,7 +68,7 @@
line: '$FileCreateMode 0640'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured"
when: rhel9cis_rule_6_2_3_5
tags:
- level1-server
@@ -93,7 +93,7 @@
- "These are the current logging configurations for rsyslog, please review:"
- "{{ discovered_configured_rsyslog.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@@ -107,7 +107,7 @@
insertafter: '# Log all the mail messages in one place.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | news.crit log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
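Review bot: `insertafter: '# Log all the mail messages in one place.'` (and the news, misc and forwarding anchors in the following hunks) keys on comments from the stock rsyslog.conf; on a host where those comments were stripped or rewritten, `blockinfile` silently falls back to appending at EOF, which can place the rules after a `*.* @@remote` forwarding line or an include directive and change what is forwarded. Consider writing the managed rules to a dedicated file under /etc/rsyslog.d/ instead, or at least verify the anchor exists before relying on it.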
@@ -120,7 +120,7 @@
insertafter: '# Save news errors of level crit and higher in a special file.'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Misc. log setting"
when: rhel9cis_rsyslog_ansiblemanaged
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
@@ -134,7 +134,7 @@
insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Local log settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@@ -149,7 +149,7 @@
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Auth Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
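Review bot: the "Local log settings" task in this hunk has no `when: rhel9cis_rsyslog_ansiblemanaged` guard, while the mail, news and misc tasks above it do; "Auth Settings" and "Cron Settings" below look the same. If the variable is meant to switch Ansible-managed rsyslog rules on and off, these three blocks still rewrite /etc/rsyslog.conf when it is false. Add the same `when`, or document why local, auth and cron rules are always enforced.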
@@ -160,7 +160,7 @@
insertafter: '#### RULES ####'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings"
- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Cron Settings"
ansible.builtin.blockinfile:
path: /etc/rsyslog.conf
state: present
@@ -208,7 +208,7 @@
- NIST800-53R5_AU-12
- NIST800-53R5_CM-6
block:
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not log host"
when: not rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
@@ -221,7 +221,7 @@
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When log host"
when: rhel9cis_system_is_log_server
ansible.builtin.replace:
path: /etc/rsyslog.conf
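Review bot: the 6.2.3.7 patterns `^(module\(load="imtcp"\))` and `^(input\(type="imtcp")` only act on /etc/rsyslog.conf and only when the directive starts at column 0; an `imtcp` listener configured in a drop-in under /etc/rsyslog.d/ (where vendor and admin snippets usually live) or indented inside a block is left untouched, and the legacy `$ModLoad imtcp` / `$InputTCPServerRun` forms are not among the patterns visible in this hunk. Loop the replace over `/etc/rsyslog.d/*.conf` as well and cover the legacy forms, otherwise the control reports remediated while the host still listens.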
@@ -254,7 +254,7 @@
state: started
enabled: true
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
- name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | set rsyslog conf"
ansible.builtin.template:
src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log
+3 -3
@@ -1,6 +1,6 @@
---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed"
when: rhel9cis_rule_6_3_1_1
tags:
- level2-server
@@ -13,13 +13,13 @@
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package:
name: audit
state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package:
name: audit-libs
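Review bot: the guards `'"auditd" not in ansible_facts.packages'` and `'"auditd-lib" not in ansible_facts.packages'` test for package names that do not exist in the RPM database; the packages actually installed are `audit` and `audit-libs` (as the `name:` lines right below say), so `ansible_facts.packages` is keyed by `audit` / `audit-libs` and both conditions are always true. The tasks still converge thanks to `state: present`, but the guard never short-circuits and the package module runs on every host every run. Change the keys to `"audit"` and `"audit-libs"` to match the installed names.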
+12 -12
@@ -67,7 +67,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
when: rhel9cis_rule_6_3_3_6
tags:
- level2-server
@@ -77,14 +77,14 @@
- rule_6.3.3.6
- NIST800-53R5_AU-3
block:
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
register: discovered_priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
ansible.builtin.set_fact:
update_audit_template: true
notify: update auditd
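Review bot: the discovery shell `for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done` should use `df -P`: without `-P`, `df` wraps long device names (LVM `/dev/mapper/...` paths are the common case) onto two lines, and `$NF` of the `^/dev` line is then the device itself rather than the mount point, so that filesystem is never searched. It also does not skip `nosuid`/`noexec` mounts, which the benchmark's audit excludes, so the generated rule set can be larger than needed. Separately, the three sub-tasks in this block share the identical name; give them `| Find privileged commands` / `| Set update flag` suffixes as the other rules do so log output is distinguishable.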
@@ -197,11 +197,11 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are collected"
when: rhel9cis_rule_6_3_3_15
tags:
- level2-server
- level2- workstation
- level2-workstation
- patch
- auditd
- rule_6.3.3.15
@@ -212,7 +212,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are collected"
when: rhel9cis_rule_6_3_3_16
tags:
- level2-server
@@ -227,7 +227,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are collected"
when: rhel9cis_rule_6_3_3_17
tags:
- level2-server
@@ -242,7 +242,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are collected"
when: rhel9cis_rule_6_3_3_18
tags:
- level2-server
@@ -257,7 +257,7 @@
update_audit_template: true
# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
when: rhel9cis_rule_6_3_3_19
tags:
- level2-server
@@ -295,9 +295,9 @@
- auditd
- rule_6.3.3.21
- NIST800-53R5_AU-3
ansible.builtin.debug:
msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active"
ansible.builtin.command: augenrules --check
changed_when: false
register: discovered_augenrules_check
- name: Auditd | 6.3.3.x | Auditd controls updated
when: update_audit_template
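Review bot: the new `augenrules --check` discovery task lacks the `check_mode: false` and `failed_when` handling that the other discovery commands in this file carry (the `discovered_priv_procs` task above uses `changed_when: false`, `failed_when: false`, `check_mode: false`); in a `--check` run the command is skipped and `discovered_augenrules_check` is undefined for anything that consumes it. Nothing in this hunk acts on the result either: if the output reports that rules have changed, notify the `update auditd` handler (or surface the stdout with a debug/assert) rather than only registering it, otherwise the control still depends on an operator reading the output.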