Merge pull request #2 from iquzart/development
Development
iquzart authored Nov 17, 2020
2 parents e9e9fb0 + ec29935 commit 5d4a968
Showing 10 changed files with 464 additions and 465 deletions.
538 changes: 265 additions & 273 deletions defaults/main.yml


16 changes: 8 additions & 8 deletions handlers/main.yml
Expand Up @@ -4,11 +4,11 @@
- name: systemd restart tmp.mount
become: yes
systemd:
name: tmp.mount
daemon_reload: yes
enabled: yes
masked: no
state: reloaded
name: tmp.mount
daemon_reload: yes
enabled: yes
masked: no
state: reloaded

- name: generate new grub config
become: yes
Expand All @@ -30,9 +30,9 @@
- name: restart sshd
become: yes
service:
name: sshd
state: restarted
name: sshd
state: restarted

- name: authselect apply changes
become: yes
command: authselect apply-changes
command: authselect apply-changes
2 changes: 1 addition & 1 deletion meta/main.yml
@@ -1,5 +1,5 @@
galaxy_info:
role_name: cis-centos
role_name: cis_centos_8
author: iquzart
description: CIS Benchmark for RHEL 8 Based Systems
license: MIT
30 changes: 15 additions & 15 deletions tasks/main.yml
Expand Up @@ -3,19 +3,19 @@

- name: Check OS version and family
fail:
msg: "This role can only be run agaist CentOS or RHEL. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
msg: "This role can only be run agaist CentOS or RHEL. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
when:
- not ansible_os_family == "RedHat"
- not ansible_distribution_major_version == "8"
- not ansible_os_family == "RedHat"
- not ansible_distribution_major_version == "8"
tags:
- always
- always

- name: Check ansible version
fail:
msg: You must use ansible 2.9 or greater!
msg: You must use ansible 2.9 or greater!
when: not ansible_version.full is version_compare('2.9', '>=')
tags:
- always
- always

- name: "Set facts | Packages"
package_facts:
Expand All @@ -33,8 +33,8 @@
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
tags:
- always
- name: Set facts | Grub config file

- name: Set facts | Grub config file
set_fact:
grub_config_file: "{{ '/boot/efi/EFI/{{ ansible_distribution | lower }}/grub.cfg' if booted_with_efi else '/boot/grub2/grub.cfg' }}"
tags:
Expand All @@ -43,35 +43,35 @@
- include: section_1.yml
become: true
when: section_1
tags:
tags:
- section_1

- include: section_2.yml
become: true
when: section_2
tags:
tags:
- section_2

- include: section_3.yml
become: true
when: section_3
tags:
tags:
- section_3

- include: section_4.yml
become: true
when: section_4
tags:
tags:
- section_4

- include: section_5.yml
become: true
when: section_5
tags:
tags:
- section_5

- include: section_6.yml
become: true
when: section_6
tags:
- section_6
tags:
- section_6
90 changes: 55 additions & 35 deletions tasks/section_1.yml
Expand Up @@ -61,7 +61,6 @@
- scored
- squashfs


- name: "1.1.1.4 | Ensure mounting of udf filesystems is disabled (Scored)"
lineinfile:
dest: /etc/modprobe.d/cis.conf
Expand All @@ -86,7 +85,6 @@
- scored
- udf


- name: "1.1.2 | Ensure separate partition exists for /tmp | Enable and start/restart tmp.mount (Scored)"
systemd:
name: tmp.mount
Expand All @@ -108,10 +106,10 @@
owner: root
group: root
mode: 0644
# notify: systemd restart tmp.mount
when: rule_1_1_3 or
rule_1_1_4 or
rule_1_1_5
# notify: systemd restart tmp.mount
when: rule_1_1_3 or
rule_1_1_4 or
rule_1_1_5
tags:
- section_1
- scored
Expand Down Expand Up @@ -152,8 +150,8 @@
- skip_ansible_lint

- name: "1.1.8 | Ensure nodev option set on /var/tmp partition (Scored)\n
1.1.9 | Ensure nosuid option set on /var/tmp partition (Scored)\n
1.1.10 | Ensure noexec option set on /var/tmp partition (Scored)"
1.1.9 | Ensure nosuid option set on /var/tmp partition (Scored)\n
1.1.10 | Ensure noexec option set on /var/tmp partition (Scored)"
mount:
name: "/var/tmp"
src: "{{ item.device }}"
Expand All @@ -164,7 +162,7 @@
when:
- item.mount == "/var/tmp"
- rule_1_1_7
- rule_1_1_8 or rule_1_1_9 or rule_1_1_10
- rule_1_1_8 or rule_1_1_9 or rule_1_1_10
tags:
- level1
- scored
Expand Down Expand Up @@ -240,8 +238,8 @@
- rule_1.1.14

- name: "1.1.15 | Ensure nodev option set on /dev/shm partition (Scored)\n
1.1.16 | Ensure nosuid option set on /dev/shm partition (Scored)\n
1.1.17 | Ensure noexec option set on /dev/shm partition (Scored)"
1.1.16 | Ensure nosuid option set on /dev/shm partition (Scored)\n
1.1.17 | Ensure noexec option set on /dev/shm partition (Scored)"
mount:
name: /dev/shm
src: tmpfs
Expand Down Expand Up @@ -428,7 +426,7 @@
lineinfile:
dest: /etc/sudoers
regexp: '^\s*Defaults\s+use_pty'
line: 'Defaults use_pty'
line: "Defaults use_pty"
create: yes
when:
- rule_1_3_2
Expand Down Expand Up @@ -470,7 +468,7 @@
- name: "1.4.1 | Ensure AIDE is installed (Scored)"
command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
args:
creates: /var/lib/aide/aide.db.gz
creates: /var/lib/aide/aide.db.gz
changed_when: no
failed_when: no
async: 45
Expand Down Expand Up @@ -524,19 +522,18 @@
- patch
- rule_1.5.1


- name: "1.5.2 | Ensure bootloader password is set (Scored)"
- name: "1.5.2 | Ensure bootloader password is set (Scored)"
block:
- name: "1.5.2 | Ensure bootloader password is set (Scored) | Install Python Expect"
dnf:
dnf:
name: python3-pexpect
state: latest

- name: "1.5.2 | Ensure bootloader password is set (Scored) | Configure"
expect:
command: grub2-setpassword
responses:
(?i)password: "{{ bootloader_password }}"
(?i)password: "{{ bootloader_password }}"
notify: generate new grub config
when:
- rule_1_5_2
Expand All @@ -552,14 +549,14 @@
- name: "1.5.3 | Ensure authentication required for single user mode (Scored) | Emergency"
lineinfile:
dest: /usr/lib/systemd/system/emergency.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'
regexp: "/sbin/sulogin"
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"

- name: "1.5.3 | Ensure authentication required for single user mode (Scored) | Rescue"
lineinfile:
dest: /usr/lib/systemd/system/rescue.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'
regexp: "/sbin/sulogin"
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
when:
- rule_1_5_3
- ansible_distribution_major_version == "8"
Expand All @@ -574,8 +571,8 @@
state: present
dest: /etc/security/limits.conf
regexp: '^#?\\*.*core'
line: '* hard core 0'
insertbefore: '^# End of file'
line: "* hard core 0"
insertbefore: "^# End of file"
when:
- rule_1_6_1
tags:
Expand All @@ -588,7 +585,7 @@
- name: "1.6.1 | Ensure core dumps are restricted (Scored)"
sysctl:
name: fs.suid_dumpable
value: '0'
value: "0"
state: present
reload: yes
sysctl_set: yes
Expand All @@ -605,7 +602,7 @@
- name: "1.6.2 | Ensure address space layout randomization (ASLR) is enabled (Scored)"
sysctl:
name: kernel.randomize_va_space
value: '2'
value: "2"
state: present
reload: yes
sysctl_set: yes
Expand All @@ -627,7 +624,7 @@
ignore_errors: yes
notify: generate new grub config
when:
- selinux_state == "enforcing"
- selinux_state == "enforcing"
- rule_1_7_1_2
tags:
- level2
Expand All @@ -636,7 +633,7 @@
- rule_1.7.1.2

- name: "1.7.1.3 | Ensure the SELinux policy is configured (Scored)\n
1.7.1.4 | Ensure the SELinux state is enforcing (Scored)"
1.7.1.4 | Ensure the SELinux state is enforcing (Scored)"
selinux:
conf: /etc/selinux/config
policy: "{{ selinux_policy }}"
Expand All @@ -651,7 +648,6 @@
- patch
- rule_1.7.1.4


- name: "1.7.1.5 | Ensure no unconfined services exist (Scored)"
shell: ps -eZ | grep unconfined_service_t
changed_when: no
Expand Down Expand Up @@ -792,12 +788,36 @@
group: root
mode: 0644
with_items:
- { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
- { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
- { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }
- { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='Authorized uses only. All activity may be monitored and reported.'" }
- {
file: "/etc/dconf/profile/gdm",
regexp: "user-db",
line: "user-db:user",
}
- {
file: "/etc/dconf/profile/gdm",
regexp: "system-db",
line: "system-db:gdm",
}
- {
file: "/etc/dconf/profile/gdm",
regexp: "file-db",
line: "file-db:/usr/share/gdm/greeter-dconf-defaults",
}
- {
file: "/etc/dconf/db/gdm.d/01-banner-message",
regexp: '\[org\/gnome\/login-screen\]',
line: "[org/gnome/login-screen]",
}
- {
file: "/etc/dconf/db/gdm.d/01-banner-message",
regexp: "banner-message-enable",
line: "banner-message-enable=true",
}
- {
file: "/etc/dconf/db/gdm.d/01-banner-message",
regexp: "banner-message-text",
line: "banner-message-text='Authorized uses only. All activity may be monitored and reported.'",
}
notify: reload dconf
when:
- not rule_2_2_2 | bool
Expand Down Expand Up @@ -854,4 +874,4 @@
- level2
- patch
- rule_1.11
- crypto
- crypto
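Review bot: The `expect` task under "1.5.2 | Ensure bootloader password is set (Scored) | Configure" passes `{{ bootloader_password }}` to `grub2-setpassword` via `responses`, and no `no_log: true` is visible on that task in the hunk, so the secret can be written to verbose output and callback logs whenever the task runs or fails. The task's trailing keys sit outside the hunk, so if `no_log` is not already set there, add `no_log: true` at the same level as `notify: generate new grub config`. The enclosing `block:` begins at the "1.5.2" task above and continues past the hunk.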
8 changes: 3 additions & 5 deletions tasks/section_2.yml
Expand Up @@ -41,7 +41,7 @@
state: absent
name:
- "xorg-x11*"

- name: Refresh destination information
setup:

Expand All @@ -59,8 +59,7 @@
- level1
- scored
- xwindows
- rule_2.2.2

- rule_2.2.2

- name: "2.2.3 | Ensure rsync service is not enabled (Scored)"
systemd:
Expand Down Expand Up @@ -137,7 +136,7 @@
enabled: no
when:
- "'dovecot.service' in ansible_facts.services"
- rule_2_2_8
- rule_2_2_8
tags:
- section_2
- level1
Expand Down Expand Up @@ -328,4 +327,3 @@
- section_2
- level1
- rule_2.3.3

