v2.0.0 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
2024-08-07 10:59:45 +01:00
parent 082dde4ff6
commit 414f6af5e7
286 changed files with 6592 additions and 3022 deletions
-16
@@ -1,16 +0,0 @@
{{ if .Vars.rhel9cis_rule_1_3_1 }}
package:
aide:
title: 1.3.1 | Ensure AIDE is installed
installed: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.1
CISv8:
- 3.14
CISv8_IG1: false
CISv8_IG2: false
CISv8_IG3: true
{{ end }}
-60
@@ -1,60 +0,0 @@
{{ if .Vars.rhel9cis_config_aide }}
{{ if .Vars.rhel9cis_rule_1_3_2 }}
{{ if eq .Vars.rhel9_aide_scan "cron" }}
command:
aide_cron:
title: 1.3.2 | Ensure filesystem integrity is regularly checked
exit-status:
or:
- 0
- 2
exec: "grep -rs aide /etc/cron.* /etc/crontab /var/spool/cron/*"
stdout:
- '!/^#/'
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.2
CISv8:
- 3.14
CISv8_IG1: false
CISv8_IG2: false
CISv8_IG3: true
# Can be enabled if using timer and service files
service:
{{ if eq .Vars.rhel9_aide_scan "timer" }}
aidecheck:
title: 1.3.2 | Ensure filesystem integrity is regularly checked
enabled: true
running: true
skip: false
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.2
CISv8:
- 3.14
CISv8_IG1: false
CISv8_IG2: false
CISv8_IG3: true
aidecheck.timer:
title: 1.3.2 | Ensure filesystem integrity is regularly checked
enabled: true
running: true
skip: false
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.2
CISv8:
- 3.14
CISv8_IG1: false
CISv8_IG2: false
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-28
@@ -1,28 +0,0 @@
{{ if .Vars.rhel9cis_rule_1_3_3 }}
command:
audit_bins_crypto_aide:
title: 1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools
exec: grep /sbin/au /etc/aide.conf
exit-status:
or:
- 0
- 2
stdout:
- '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512'
- '/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512'
- '/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512'
- '/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512'
- '/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512'
- '/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.3
CISv8:
- 3.14
CISv8_IG1: false
CISv8_IG2: false
CISv8_IG3: true
{{ end }}
+40 -6
@@ -1,16 +1,50 @@
{{ if .Vars.rhel9cis_rule_2_1_1 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_1 }}
{{ if not .Vars.rhel9cis_autofs_services }}
{{ if not .Vars.rhel9cis_autofs_mask }}
package:
chrony:
title: 2.1.1 | Ensure time synchronization is in use
installed: true
autofs_pkg:
title: 2.1.1 | Ensure autofs services are not in use | pkg removed
name: autofs
installed: false
meta:
server: 1
workstation: 1
workstation: 2
CIS_ID:
- 2.1.1
CISv8:
- 8.4
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-3
- MP-7
{{ end }}
{{ if .Vars.rhel9cis_autofs_mask }}
file:
autofs_masked:
title: 2.1.1 | Ensure autofs services are not in use | masked
path: /etc/systemd/system/autofs.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-3
- MP-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_10 }}
{{ if not .Vars.rhel9cis_nis_server }}
{{ if not .Vars.rhel9cis_nis_mask }}
package:
ypserv_pkg:
title: 2.1.10 | Ensure nis server services are not in use | pkg removed
name: ypserv
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.10
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_nis_mask }}
file:
ypbind_service_masked:
title: 2.1.10 | Ensure nis server services are not in use | masked
path: /etc/systemd/system/ypbind-server.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.10
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
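Review bot: The masked branch checks `path: /etc/systemd/system/ypbind-server.service`, but ypbind is the NIS client; the server package removed in the other branch is ypserv, whose unit is `ypserv.service`, so with `rhel9cis_nis_mask` true the `exists: true` assertion can only fail. Suggest `path: /etc/systemd/system/ypserv.service` and renaming the key to `ypserv_service_masked:` to match the `ypserv_pkg` key above it. Whether a masked `ypbind.service` (client) should additionally be asserted is a benchmark question; the rule title here is server-only.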
+66
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_11 }}
{{ if not .Vars.rhel9cis_print_server }}
{{ if not .Vars.rhel9cis_print_mask }}
package:
cups_pkg:
title: 2.1.11 | Ensure print server services are not in use | pkg removed
name: cups
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_print_mask }}
file:
cups_service_masked:
title: 2.1.11 | Ensure print server services are not in use | masked
path: /etc/systemd/system/cups.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
cups_socket_masked:
title: 2.1.11 | Ensure print server services are not in use | masked
path: /etc/systemd/system/cups.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+69
@@ -0,0 +1,69 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_12 }}
{{ if not .Vars.rhel9cis_rpc_server }}
{{ if not .Vars.rhel9cis_rpc_mask }}
package:
rpcbind_pkg:
title: 2.1.12 | Ensure rpcbind services are not in use | pkg removed
name: rpcbind
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.12
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_rpc_mask }}
file:
rpcbind_service_masked:
title: 2.1.12 | Ensure rpc services are not in use | masked
path: /etc/systemd/system/rpcbind.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.12
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
rpcbind_socket_masked:
title: 2.1.12 | Ensure rpc services are not in use | masked
path: /etc/systemd/system/rpcbind.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.12
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+69
@@ -0,0 +1,69 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_13 }}
{{ if not .Vars.rhel9cis_rsync_server }}
{{ if not .Vars.rhel9cis_rsync_mask }}
package:
rsync_pkg:
title: 2.1.13 | Ensure rsync services are not in use | pkg removed
name: rsync-daemon
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.13
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_rsync_mask }}
file:
rsync_service_masked:
title: 2.1.13 | Ensure rsync services are not in use | masked
path: /etc/systemd/system/rsyncd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.13
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
rsync_socket_masked:
title: 2.1.13 | Ensure rsync services are not in use | masked
path: /etc/systemd/system/rsyncd.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.13
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_14 }}
{{ if not .Vars.rhel9cis_snmp_server }}
{{ if not .Vars.rhel9cis_snmp_mask }}
package:
snmp_pkg:
title: 2.1.14 | Ensure snmp services are not in use | pkg removed
name: net-snmp
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.14
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_snmp_mask }}
file:
snmp_service_masked:
title: 2.1.14 | Ensure snmp services are not in use | masked
path: /etc/systemd/system/snmpd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.14
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+69
@@ -0,0 +1,69 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_15 }}
{{ if not .Vars.rhel9cis_telnet_server }}
{{ if not .Vars.rhel9cis_telnet_mask }}
package:
telnet_pkg:
title: 2.1.15 | Ensure telnet server services are not in use | pkg removed
name: telnet-server
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.15
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- CM-11
{{ end }}
{{ if .Vars.rhel9cis_telnet_mask }}
file:
telnet_service_masked:
title: 2.1.15 | Ensure telnet server services are not in use | masked
path: /etc/systemd/system/telnetd-hpa.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.15
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- CM-11
telnet_socket_masked:
title: 2.1.15 | Ensure telnet server services are not in use | masked
path: /etc/systemd/system/telnet.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.15
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- CM-11
{{ end }}
{{ end }}
{{ end }}
{{ end }}
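Review bot: `telnet_service_masked` asserts a symlink at `/etc/systemd/system/telnetd-hpa.service`, a unit that telnet-server does not ship; the name looks copied from the tftp file, so with `rhel9cis_telnet_mask` true this check fails on every host regardless of state. The socket check further down (`telnet.socket`) is the unit the package provides; the service side is the templated `telnet@.service`, so `path: /etc/systemd/system/telnet@.service` is the likely intended value — confirm against the masking step in the benchmark's remediation before changing it. A masked-unit check that can never pass is worse than none, because it hides whether masking actually happened.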
+66
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_16 }}
{{ if not .Vars.rhel9cis_tftp_server }}
{{ if not .Vars.rhel9cis_tftp_mask }}
package:
tftp_pkg:
title: 2.1.16 | Ensure tftp server services are not in use | pkg removed
name: tftpd-hpa
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.16
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_tftp_mask }}
file:
tftp_service_masked:
title: 2.1.16 | Ensure tftp server services are not in use | masked
path: /etc/systemd/system/tftpd-hpa.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.16
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
tftp_socket_masked:
title: 2.1.16 | Ensure tftp server services are not in use | masked
path: /etc/systemd/system/tftp.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.16
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
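Review bot: `name: tftpd-hpa` in `tftp_pkg` is the Debian/Ubuntu package name; on RHEL the package is `tftp-server`, so `installed: false` is satisfied on every RHEL 9 host even when the tftp server is present and the check is vacuous. Suggest `name: tftp-server`. The same copied name appears in the masked branch as `/etc/systemd/system/tftpd-hpa.service`, where `path: /etc/systemd/system/tftp.service` matches the `tftp.socket` already checked below it. The telnet file on this page inherits the `-hpa` name as well.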
+50
@@ -0,0 +1,50 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_17 }}
{{ if not .Vars.rhel9cis_squid_server }}
{{ if not .Vars.rhel9cis_squid_mask }}
package:
squid_pkg:
title: 2.1.17 | Ensure web proxy server services are not in use | pkg removed
name: squid
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.17
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_squid_mask }}
file:
squid_service_masked:
title: 2.1.17 | Ensure web proxy server services are not in use | masked
path: /etc/systemd/system/squid.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.17
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+66
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_18 }}
{{ if not .Vars.rhel9cis_httpd_server }}
{{ if not .Vars.rhel9cis_httpd_mask }}
package:
httpd_pkg:
title: 2.1.18 | Ensure web server services are not in use | pkg removed
name: httpd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_httpd_mask }}
file:
httpd_service_masked:
title: 2.1.18 | Ensure web server services are not in use | masked
path: /etc/systemd/system/httpd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
httpd_socket_masked:
title: 2.1.18 | Ensure web server services are not in use | masked
path: /etc/systemd/system/httpd.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_18 }}
{{ if not .Vars.rhel9cis_nginx_server }}
{{ if not .Vars.rhel9cis_nginx_mask }}
package:
nginx_pkg:
title: 2.1.18 | Ensure web server services are not in use | pkg removed
name: nginx
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_nginx_mask }}
file:
nginx_service_masked:
title: 2.1.18 | Ensure web server services are not in use | masked
path: /etc/systemd/system/nginx.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_19 }}
{{ if not .Vars.rhel9cis_xinetd_server }}
{{ if not .Vars.rhel9cis_xinetd_mask }}
package:
xinetd_pkg:
title: 2.1.19 | Ensure xinetd services are not in use | pkg removed
name: xinetd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.19
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_xinetd_mask }}
file:
xinetd_service_masked:
title: 2.1.19 | Ensure xinetd services are not in use | masked
path: /etc/systemd/system/xinetd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.19
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+46 -17
@@ -1,37 +1,66 @@
{{ if .Vars.rhel9cis_rule_2_1_2 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_2 }}
{{ if not .Vars.rhel9cis_avahi_server }}
{{ if not .Vars.rhel9cis_avahi_mask }}
package:
avahi_pkg:
title: 2.1.2 | Ensure avahi daemon services are not in use | pkg removed
name: avahi
installed: false
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-4
{{ end }}
{{ if .Vars.rhel9cis_avahi_mask }}
file:
chrony_servers_pools:
title: 2.1.2 | Ensure chrony is configured | server
path: /etc/chrony.conf
avahi_socket_masked:
title: 2.1.2 | Ensure avahi daemon services are not in use | masked
path: /etc/systemd/system/avahi-daemon.socket
exists: true
contents:
- '/^(server|pool)\s.*/'
skip: false
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
workstation: 2
CIS_ID:
- 2.1.2
CISv8:
- 8.4
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
chrony_sysconfig:
title: 2.1.2 | Ensure chrony is configured | sysconfig
path: /etc/sysconfig/chronyd
NIST800-53R5:
- SI-4
avahi_service_masked:
title: 2.1.2 | Ensure avahi daemon services are not in use | masked
path: /etc/systemd/system/avahi-daemon.service
exists: true
contents:
- '/^OPTIONS="-u chrony"/'
skip: false
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
workstation: 2
CIS_ID:
- 2.1.2
CISv8:
- 8.4
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-4
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+25
@@ -0,0 +1,25 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_20 }}
{{ if not .Vars.rhel9cis_xwindow_server }}
package:
xwindow_pkg:
title: 2.1.20 | Ensure X window server services are not in use | pkg removed
name: xorg-x11-server-common
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.20
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-11
{{ end }}
{{ end }}
{{ end }}
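Review bot: The `xwindow_pkg` meta tags the rule `workstation: 1`, while the X11 server check this commit removes (the old 2.2.1 block further down the page) carried `workstation: NA`; if the benchmark profile for 2.1.20 has not changed, `workstation: NA` is presumably still the right value — confirm against the v2.0.0 profile table before this propagates into reports. If the profile is in fact Level 2 for servers, the `{{ if .Vars.rhel9cis_level_1 }}` gate at the top of the file would also need revisiting.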
+46
@@ -0,0 +1,46 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_is_mail_server }}
{{ if .Vars.rhel9cis_rule_2_1_21 }}
command:
mta_listening_port25:
title: 2.1.21 Ensure mail transfer agent is configured for local-only mode
exit-status: 1
exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"'
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.21
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
file:
/etc/postfix/main.conf:
title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode
exists: true
contents:
- '/^inet_interfaces\s*=\s*loopback-only/'
- '!/^inet_interfaces\s*=\s*all/'
- '!/^(?i)inet_interfaces\s*=\s*ipv4/'
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.21
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
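Review bot: The file check is keyed on `/etc/postfix/main.conf:`, but Postfix reads `/etc/postfix/main.cf`; with `exists: true` this test fails on every mail server even when `inet_interfaces = loopback-only` is set, so the rule can never report compliant. Suggest `/etc/postfix/main.cf:`. The command title on the same file also drops the separator every other title uses (`title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode`).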
+27
@@ -0,0 +1,27 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_22 }}
command:
manual_listening_ports:
title: 2.1.22 | Ensure only approved services are listening on a network interface | Manual Check required
exit-status:
or:
- 0
- 1
exec: echo "Manual!! - Please check only approved services are listening"
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.22
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
+66
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_3 }}
{{ if not .Vars.rhel9cis_dhcp_server }}
{{ if not .Vars.rhel9cis_dhcp_mask }}
package:
dhcp_pkg:
title: 2.1.3 | Ensure dhcp server services are not in use | pkg removed
name: dhcp-server
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_dhcp_mask }}
file:
dhcp_service_masked:
title: 2.1.3 | Ensure dhcp server services are not in use | masked
path: /etc/systemd/system/dhcpd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
dhcp6_service_masked:
title: 2.1.3 | Ensure dhcp server services are not in use | masked
path: /etc/systemd/system/dhcpd6.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_4 }}
{{ if not .Vars.rhel9cis_dns_server }}
{{ if not .Vars.rhel9cis_dns_mask }}
package:
dns_pkg:
title: 2.1.4 | Ensure dns server services are not in use | pkg removed
name: named
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_dns_mask }}
file:
dns_service_masked:
title: 2.1.4 | Ensure dns server services are not in use | masked
path: /etc/systemd/system/named.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
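Review bot: `name: named` in `dns_pkg` is the systemd unit name, not a package; on RHEL the DNS server package is `bind`, so `installed: false` passes on every host and the removed-package branch checks nothing. Suggest `name: bind`. The masked branch's `named.service` path is correct as written.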
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_5 }}
{{ if not .Vars.rhel9cis_dnsmasq_server }}
{{ if not .Vars.rhel9cis_dnsmasq_mask }}
package:
dnsmasq_pkg:
title: 2.1.5 | Ensure dnsmasq server services are not in use | pkg removed
name: dnsmasq
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_dnsmasq_mask }}
file:
dnsmasq_service_masked:
title: 2.1.5 | Ensure dnsmasq server services are not in use | masked
path: /etc/systemd/system/dnsmasq.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+50
@@ -0,0 +1,50 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_6 }}
{{ if not .Vars.rhel9cis_samba_server }}
{{ if not .Vars.rhel9cis_samba_mask }}
package:
samba_pkg:
title: 2.1.6 | Ensure samba file server services are not in use | pkg removed
name: samba
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_samba_mask }}
file:
samba_service_masked:
title: 2.1.6 | Ensure samba server services are not in use | masked
path: /etc/systemd/system/smb.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_7 }}
{{ if not .Vars.rhel9cis_ftp_server }}
{{ if not .Vars.rhel9cis_ftp_mask }}
package:
ftp_pkg:
title: 2.1.7 | Ensure ftp server services are not in use | pkg removed
name: vsftp
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_ftp_mask }}
file:
ftp_service_masked:
title: 2.1.7 | Ensure ftp server services are not in use | masked
path: /etc/systemd/system/vsftpd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
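Review bot: `name: vsftp` in `ftp_pkg` does not match the package, which is `vsftpd` (the masked branch already uses `vsftpd.service`); as written `installed: false` is vacuously true on every host. Suggest `name: vsftpd`.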
+48
@@ -0,0 +1,48 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_7 }}
{{ if not .Vars.rhel9cis_ldap_server }}
{{ if not .Vars.rhel9cis_ldap_mask }}
package:
ldap_pkg:
title: 2.1.7 | Ensure ldap server services are not in use | pkg removed
name: slapd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_ldap_mask }}
file:
ldap_service_masked:
title: 2.1.7 | Ensure ldap server services are not in use | masked
path: /etc/systemd/system/slapd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
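Review bot: This file gates on `{{ if .Vars.rhel9cis_rule_2_1_7 }}` and reports `CIS_ID: 2.1.7`, the same toggle and ID the ftp file on this page uses, so the ldap check cannot be enabled or disabled independently and its results are attributed to the ftp rule. If the benchmark numbers ldap separately it needs its own `rhel9cis_rule_2_1_N` variable and `CIS_ID`; if v2.0.0 has no ldap rule at all, the file is presumably a leftover and should go. Separately, `name: slapd` is the Debian package name — the RHEL package was `openldap-servers` — so the removed-package branch is likely vacuous on RHEL 9 as well; confirm which, if any, package is shipped before keeping the check.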
+100
@@ -0,0 +1,100 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_8 }}
{{ if not .Vars.rhel9cis_message_server }}
{{ if not .Vars.rhel9cis_message_mask }}
package:
dovecot_pkg:
title: 2.1.8 | Ensure message access server services are not in use | pkg removed
name: dovecot
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
cyrus_impad_pkg:
title: 2.1.8 | Ensure message access server services are not in use | pkg removed
name: cyrus-impad
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_message_mask }}
file:
dovecot_service_masked:
title: 2.1.8 | Ensure message access server services are not in use | masked
path: /etc/systemd/system/dovecot.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
cyrus_imapd_masked:
title: 2.1.8 | Ensure message access server services are not in use | masked
path: /etc/systemd/system/cyrus-imapd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
dovecot_socket_masked:
title: 2.1.8 | Ensure message access server services are not in use | masked
path: /etc/systemd/system/dovecot.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
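Review bot: `cyrus_impad_pkg` / `name: cyrus-impad` misspells the package; the masked branch below spells it `cyrus-imapd` correctly. Because no package named `cyrus-impad` exists, `installed: false` is always satisfied and this half of rule 2.1.8 never detects an installed Cyrus IMAP server. Suggest `cyrus_imapd_pkg:` and `name: cyrus-imapd`.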
+50
@@ -0,0 +1,50 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_9 }}
{{ if not .Vars.rhel9cis_nfs_server }}
{{ if not .Vars.rhel9cis_nfs_mask }}
package:
nfs_pkg:
title: 2.1.9 | Ensure network file system services are not in use | pkg removed
name: nfs-utils
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.9
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.rhel9cis_nfs_mask }}
file:
nfs_service_masked:
title: 2.1.9 | Ensure network file system services are not in use | masked
path: /etc/systemd/system/nfs-server.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.9
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
+12 -5
@@ -1,12 +1,16 @@
{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_rule_2_2_1 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if not .Vars.rhel9cis_ftp_client }}
{{ if .Vars.rhel9cis_rule_2_2_1 }}
package:
xorg-x11-server-common:
title: 2.2.1 | Ensure X11 Server components are not installed
ftp:
title: 2.2.1 | Ensure ftp client is not installed
installed: false
name: ftp
meta:
server: 1
workstation: NA
workstation: 1
CIS_ID:
- 2.2.1
CISv8:
@@ -14,5 +18,8 @@ package:
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
-18
@@ -1,18 +0,0 @@
{{ if not .Vars.rhel9cis_samba_server}}
{{ if .Vars.rhel9cis_rule_2_2_10 }}
package:
samba:
title: 2.2.10 | Ensure Samba is not installed
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.2.10
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
-18
@@ -1,18 +0,0 @@
{{ if not .Vars.rhel9cis_squid_server }}
{{ if .Vars.rhel9cis_rule_2_2_11 }}
package:
squid:
title: 2.2.11 | Ensure HTTP proxy Server is not installed
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.2.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
