v2.0.0 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell
2024-08-07 10:59:45 +01:00
parent 082dde4ff6
commit 414f6af5e7
286 changed files with 6592 additions and 3022 deletions
+17 -7
@@ -1,16 +1,26 @@
{{ if .Vars.rhel9cis_rule_5_1_1 }}
service:
crond:
title: 5.1.1 | Ensure cron daemon is enabled
running: true
enabled: true
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_1 }}
file:
sshd_config_perms:
title: 5.1.1 | Ensure permissions on /etc/ssh/sshd_config are configured
path: /etc/ssh/sshd_config
exists: true
mode: "0600"
owner: root
group: root
meta:
server: 1
workstation: 1
CIS_ID:
- 5.1.1
CISv8: 4.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ end }}
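--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_10
@@ -0,0 +1,47 @@
+---
+{{ if .Vars.rhel9cis_level_2 }}
+{{ if .Vars.rhel9cis_rule_5_1_10 }}
+file:
+sshd_disable_forward:
+title: 5.1.10 | Ensure sshd DisableForwarding is enabled | config
+path: /etc/ssh/sshd_config
+exists: true
+contents:
+- '/^disableforwarding yes/'
+- '!/^disableforwarding no/'
+meta:
+server: 2
+workstation: 1
+CIS_ID:
+- 5.1.10
+CISv8: 4.8
+CISv8_IG1: false
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-7
+command:
+ssh_disable_forward_live:
+title: 5.1.10 | Ensure sshd DisableForwarding is enabled | live
+exec: sshd -T | grep disableforwarding
+exit-status:
+or:
+- 0
+- 1
+stdout:
+- '/^disableforwarding yes/'
+- '!/^disableforwarding no/'
+meta:
+server: 2
+workstation: 1
+CIS_ID:
+- 5.1.10
+CISv8: 4.8
+CISv8_IG1: false
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-7
+{{ end }}
+{{ end }}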
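Review bot: The `contents:` patterns of the `sshd_disable_forward` file check, `'/^disableforwarding yes/'` and `'!/^disableforwarding no/'`, are case-sensitive, but the directive is conventionally written `DisableForwarding` in sshd_config (sshd itself reads keywords case-insensitively), so a correctly hardened file would be reported as failing unless the admin happened to type it in lowercase. The live check is unaffected because `sshd -T` prints keywords in lowercase, which is also what the other live checks on this page rely on. The 5.1.11 file check for `gssapiauthentication` has the same shape. Either follow the 5.1.20 style for the file check, `- '/^DisableForwarding yes/'` and `- '!/^DisableForwarding no/'`, or make the pattern case-insensitive if goss's regexp engine accepts a `(?i)` flag.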
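--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_11
@@ -0,0 +1,55 @@
+---
+{{ if .Vars.rhel9cis_level_2 }}
+{{ if .Vars.rhel9cis_rule_5_1_11 }}
+file:
+sshd_gssapi:
+title: 5.1.11 | Ensure sshd GSSAPIAuthentication is disabled | config
+path: /etc/ssh/sshd_config
+exists: true
+contents:
+- '/^gssapiauthentication no/'
+- '!/^gssapiauthentication yes/'
+meta:
+server: 2
+workstation: 1
+CIS_ID:
+- 5.1.11
+CISv8: 4.8
+CISv8_IG1: false
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-1
+- CM-2
+- CM-6
+- CM-7
+- IA-5
+command:
+ssh_gssapi_live:
+title: 5.1.10 | Ensure sshd GSSAPIAuthentication is disabled | live
+exec: sshd -T | grep gssapiauthentication
+exit-status:
+or:
+- 0
+- 1
+stdout:
+- '/^disableforwarding yes/'
+- '!/^disableforwarding no/'
+meta:
+server: 2
+workstation: 1
+CIS_ID:
+- 5.1.10
+CISv8: 4.8
+CISv8_IG1: false
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-1
+- CM-2
+- CM-6
+- CM-7
+- IA-5
+{{ end }}
+{{ end }}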
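Review bot: The live check `ssh_gssapi_live` still carries 5.1.10's payload: its `stdout:` patterns look for `disableforwarding` while the `exec:` greps `sshd -T` for `gssapiauthentication`, so the positive pattern can never match the command's output and the check fails on every host regardless of the GSSAPI setting. The two patterns should read `- '/^gssapiauthentication no/'` and `- '!/^gssapiauthentication yes/'`. The `title:` and the `CIS_ID` entry of that same command also say 5.1.10 and should say 5.1.11, otherwise the result is reported under the wrong control.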
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_8 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_12 }}
file:
ssh_hostbased_auth:
title: 5.2.8 | Ensure SSH HostbasedAuthentication is disabled | config
title: 5.1.12 | Ensure SSH HostbasedAuthentication is disabled | config
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.8
- 5.1.12
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_hostbased_auth_live:
title: 5.2.8 | Ensure SSH HostbasedAuthentication is disabled | live
title: 5.1.12 | Ensure SSH HostbasedAuthentication is disabled | live
exec: sshd -T | grep hostbasedauthentication
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.8
- 5.1.12
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_11 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_13 }}
file:
ssh_rhosts:
title: 5.2.11 | Ensure SSH IgnoreRhosts is enabled | config
title: 5.1.13 | Ensure SSH IgnoreRhosts is enabled | config
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.11
- 5.1.13
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_rhosts_live:
title: 5.2.11 | Ensure SSH IgnoreRhosts is enabled | live
title: 5.1.13 | Ensure SSH IgnoreRhosts is enabled | live
exec: sshd -T | grep ignorerhosts
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.11
- 5.1.13
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_19 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_14 }}
file:
sshd_logingrace:
title: 5.2.19 | Ensure SSH LoginGraceTime is set to one minute or less
title: 5.1.14 | Ensure sshd LoginGraceTime is configured
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,16 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.19
- 5.1.14
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
command:
ssh_logingrace_live:
title: 5.2.19 | Ensure SSH LoginGraceTime is set to one minute or less | live
title: 5.1.14 | Ensure sshd LoginGraceTime is configured | live
exec: sshd -T | grep logingracetime
exit-status:
or:
@@ -31,9 +36,12 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.19
- 5.1.14
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
{{ end }}
{{ end }}
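--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_15
@@ -0,0 +1,51 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_15 }}
+file:
+sshd_loglevel:
+title: 5.1.15 | Ensure SSH LogLevel is appropriate | config
+path: /etc/ssh/sshd_config
+exists: true
+contents:
+- '/^LogLevel\s(VERBOSE|INFO)/'
+- '!/^LogLevel DEBUG/'
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.15
+CISv8: 8.2
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AU-3
+- AU-12
+- SI-5
+command:
+ssh_loglevel_live:
+title: 5.1.15 | Ensure SSH LogLevel is appropriate | live
+exec: sshd -T | grep loglevel
+exit-status:
+or:
+- 0
+- 1
+stdout:
+- '/^loglevel\s(VERBOSE|INFO)/'
+- '!/^loglevel DEBUG/'
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.15
+CISv8: 8.2
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AU-3
+- AU-12
+- SI-5
+{{ end }}
+{{ end }}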
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_16 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_16 }}
path:
sshd_authtries:
title: 5.2.16 | Ensure SSH MaxAuthTries is set to 4 or less
title: 5.1.16 | Ensure sshd MaxAuthTries is configured
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,16 @@ path:
server: 1
workstation: 1
CIS_ID:
- 5.2.16
- 5.1.16
CISv8: 8.5
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
command:
sshd_authtries_live:
title: 5.2.16 | Ensure SSH MaxAuthTries is set to 4 or less | live
title: 5.1.16 | Ensure sshd MaxAuthTries is configured | live
exec: sshd -T | grep maxauthtries
exit-status:
or:
@@ -31,9 +36,12 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.16
- 5.1.16
CISv8: 8.5
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
{[ end ]}
{{ end }}
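Review bot: `{[ end ]}` on the second-to-last line of this section is not a Go template action, so the `{{ if .Vars.rhel9cis_level_1 }}` opened at the top is left unclosed and the file should fail to parse when goss renders it with vars; the same typo closes the 5.1.2 host-key section further down. Both should be `{{ end }}`. Separately, the top-level resource key above `sshd_authtries` is `path:` rather than `file:` as used by every other sshd_config check on this page; `path` is not a goss resource type, so the block is most likely ignored rather than evaluated. The hunk header `@@ -11,14 +14,16 @@ path:` suggests this predates the commit, but since the renumbering touched the block it is worth fixing here.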
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_17 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_17 }}
file:
sshd_maxstartups:
title: 5.2.17 | Ensure SSH MaxStartups is configured
title: 5.1.17 | Ensure SSH MaxStartups is configured
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -10,14 +13,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.17
- 5.1.17
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_maxstartups_live:
title: 5.2.17 | Ensure SSH MaxStartups is configured | live
title: 5.1.17 | Ensure SSH MaxStartups is configured | live
exec: sshd -T | grep maxstartups
exit-status:
or:
@@ -29,9 +38,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.17
- 5.1.17
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_18 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_18 }}
file:
sshd_maxsessions:
title: 5.2.18 | Ensure SSH MaxSessions is limited
title: 5.1.18 | Ensure SSH MaxSessions is limited
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.18
- 5.1.18
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_maxsessions_live:
title: 5.2.18 | Ensure SSH MaxSessions is limited | live
title: 5.1.18 | Ensure SSH MaxSessions is limited | live
exec: sshd -T | grep maxsessions
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.18
- 5.1.18
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_9 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_19 }}
file:
sshs_permitempty_passwd:
title: 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | config
title: 5.1.19 | Ensure SSH PermitEmptyPasswords is disabled | config
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.9
- 5.1.9
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_empty_passwd_live:
title: 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | live
title: 5.1.19 | Ensure SSH PermitEmptyPasswords is disabled | live
exec: sshd -T | grep permitemptypasswords
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.9
- 5.1.19
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
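Review bot: The `CIS_ID` under the `sshs_permitempty_passwd` file check was renumbered to `- 5.1.9` instead of `- 5.1.19`; the live check a few lines below received the right value, so report tooling keyed on CIS_ID would file the config half of this control under ClientAliveInterval's number. Change it to `- 5.1.19`. The resource name `sshs_permitempty_passwd` also looks like a slip for `sshd_…`, though that is cosmetic and predates the commit.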
+48 -9
@@ -1,12 +1,13 @@
{{ if .Vars.rhel9cis_rule_5_1_2 }}
file:
crontab_perms:
title: 5.1.2 | Ensure permissions on /etc/crontab are configured
path: /etc/crontab
exists: true
owner: root
group: root
mode: "0600"
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_2 }}
command:
/etc/ssh/ssh_host_prv_key_user:
title: 5.1.2 | Ensure permissions on SSH private host key files are configured_user
exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
@@ -16,4 +17,42 @@ file:
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
/etc/ssh/ssh_host_prv_key_group:
title: 5.1.2 | Ensure permissions on SSH private host key files are configured_group
exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 5.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
/etc/ssh/ssh_host_prv_key_perms:
title: 5.1.2 | Ensure permissions on SSH private host key files are configured_user
exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 5.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{[ end ]}
{{ end }}
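Review bot: The third check, `/etc/ssh/ssh_host_prv_key_perms`, is titled `…configured_user` exactly like the first one although it tests mode bits; ending it `configured_perms` keeps the three failures distinguishable in reports. In all three `exec:` strings the find pattern `-name *_key` is unquoted inside the shell command, so the shell expands it against goss's working directory before find ever sees it and the check only works because no such file usually exists there; `-name '*_key'` keeps the pattern intact regardless of cwd. The `sudo` prefix is only meaningful if goss is not already running as root — if it is, it can be dropped; if it is not, a password prompt would hang the run.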
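--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_20
@@ -0,0 +1,47 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_20 }}
+file:
+sshd_permit_root:
+title: 5.1.20 | Ensure SSH root login is disabled | config
+path: /etc/ssh/sshd_config
+exists: true
+contents:
+- '/^PermitRootLogin no/'
+- '!/^PermitRootLogin yes/'
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.20
+CISv8: 5.4
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AC-6
+command:
+ssh_permit_root_live:
+title: 5.1.20 | Ensure SSH root login is disabled | live
+exec: sshd -T | grep permitrootlogin
+exit-status:
+or:
+- 0
+- 1
+stdout:
+- '/^permitrootlogin no/'
+- '!/^permitrootlogin yes/'
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.20
+CISv8: 5.4
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AC-6
+{{ end }}
+{{ end }}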
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_10 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_21 }}
file:
sshd_userenv:
title: 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | config
title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled | config
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.10
- 5.1.21
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_userenv_live:
title: 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | live
title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled | live
exec: sshd -T | grep permituserenvironment
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.10
- 5.1.21
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
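--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_22
@@ -0,0 +1,55 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_22 }}
+file:
+sshd_usepam:
+title: 5.1.22 | Ensure sshd UsePAM is enabled | config
+path: /etc/ssh/sshd_config
+exists: true
+contents:
+- '/^UsePAM yes/'
+- '!/^UsePAM no/'
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.22
+CISv8: 4.1
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-1
+- CM-2
+- CM-6
+- CM-7
+- IA-5
+command:
+ssh_usepam_live:
+title: 5.1.22 | Ensure sshd UsePAM is enabled | live
+exec: sshd -T | grep usepam
+exit-status:
+or:
+- 0
+- 1
+stdout:
+- '/^usepam yes/'
+- '!/^usepam no/'
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.22
+CISv8: 4.1
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-1
+- CM-2
+- CM-6
+- CM-7
+- IA-5
+{{ end }}
+{{ end }}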
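--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_3
@@ -0,0 +1,58 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_3 }}
+command:
+/etc/ssh/ssh_host_pub_key_user:
+title: 5.1.3 | Ensure permissions on SSH pub host key files are configured_user
+exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys"
+exit-status: 0
+stdout: ['!/./']
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.3
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AC-3
+- MP-2
+/etc/ssh/ssh_host_pub_key_group:
+title: 5.1.3 | Ensure permissions on SSH public host key files are configured_group
+exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys"
+exit-status: 0
+stdout: ['!/./']
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.3
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AC-3
+- MP-2
+/etc/ssh/ssh_host_pub_key_perms:
+title: 5.1.3 | Ensure permissions on SSH public host key files are configured_user
+exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /133 ); echo $keyperms"
+exit-status: 0
+stdout: ['!/./']
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.3
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AC-3
+- MP-2
+{{ end }}
+{{ end }}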
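Review bot: In `/etc/ssh/ssh_host_pub_key_perms` the `exec:` assigns `keysperm=$(…)` but echoes `$keyperms`, so the output is always empty, the `'!/./'` expectation always holds, and a group- or world-writable public host key would never be reported. Use one name: `exec: "keyperms=$(sudo find /etc/ssh/ -name '*_key.pub' -type f -perm /133 ); echo $keyperms"` (quoting the glob also stops the shell expanding it against the working directory), and retitle that check `configured_perms` rather than a second `configured_user`. The same mismatch is visible in the 5.2.3 file this commit deletes, so it was carried over rather than introduced, but this is the copy that will now run.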
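--- a/PATH_NOT_SHOWN_old_cron_5_1_3_to_5_1_7
+++ /dev/null
@@ -1,91 +0,0 @@
-{{ if .Vars.rhel9cis_rule_5_1_3 }}
-file:
-cron_hourly_perms:
-title: 5.1.3 | Ensure permissions on /etc/cron.hourly are configured
-path: /etc/cron.hourly
-exists: true
-owner: root
-group: root
-mode: "0700"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.3
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ if .Vars.rhel9cis_rule_5_1_4 }}
-cron_daily_perms:
-title: 5.1.4 | Ensure permissions on /etc/cron.daily are configured
-path: /etc/cron.daily
-exists: true
-owner: root
-group: root
-mode: "0700"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.4
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ if .Vars.rhel9cis_rule_5_1_5 }}
-cron_weekly_perms:
-title: 5.1.5 | Ensure permissions on /etc/cron.weekly are configured
-path: /etc/cron.weekly
-exists: true
-owner: root
-group: root
-mode: "0700"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.5
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ if .Vars.rhel9cis_rule_5_1_6 }}
-cron_month_perms:
-title: 5.1.6 | Ensure permissions on /etc/cron.monthly are configured
-path: /etc/cron.monthly
-exists: true
-owner: root
-group: root
-mode: "0700"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.6
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ if .Vars.rhel9cis_rule_5_1_7 }}
-crond_perms:
-title: 5.1.7 | Ensure permissions on /etc/cron.d are configured
-path: /etc/cron.d
-exists: true
-owner: root
-group: root
-mode: "0700"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.7
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}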
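--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_4
@@ -0,0 +1,23 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_4 }}
+command:
+no_weak_ssh_ciphers:
+title: 5.1.4 | Ensure sshd Ciphers are configured | weak cipher check
+exec: sshd -T | grep -Pi --'^ciphers\h+\"?([^#\n\r]+,)?((3des|blowfish|cast128|aes(128|192|256))-cbc|arcfour(128|256)?|rijndael-cbc@lysator\.liu\.se|chacha20-poly1305@openssh\.com)\b'
+exit-status: 0
+stdout: ['!/./']
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.4
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- SC-8
+{{ end }}
+{{ end }}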
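Review bot: `no_weak_ssh_ciphers` cannot pass as written. `grep -Pi --'^ciphers…'` has no space after `--`, so the shell hands grep one argument beginning with `--` and grep rejects it as an unknown option (exit status 2); 5.1.5 and 5.1.6 on this page spell it correctly as `-- '…'`. Even with that fixed, `exit-status: 0` together with `stdout: ['!/./']` is contradictory for grep: no weak cipher means no match and exit status 1, while exit 0 means a match was printed, so one of the two expectations always fails — the compliant outcome is `exit-status: 1`, and the same correction applies to the 5.1.5 KexAlgorithms and 5.1.6 MACs checks. Bear in mind that a failing `sshd -T` (it needs root and a valid config) also leaves grep with empty input and exit 1, so the check passes vacuously in that case; running goss as root, or adding a separate check that `sshd -T` itself succeeds, closes that gap.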
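--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_5
@@ -0,0 +1,23 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_5 }}
+command:
+no_weak_ssh_kex:
+title: 5.1.5 | Ensure sshd KexAlgorithms is configured| weak kex check
+exec: sshd -T | grep -Pi -- 'kexalgorithms\h+([^#\n\r]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b'
+exit-status: 0
+stdout: ['!/./']
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.5
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- SC-8
+{{ end }}
+{{ end }}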
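--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_6
@@ -0,0 +1,27 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_6 }}
+command:
+no_weak_ssh_macs:
+title: 5.1.6 | Ensure sshd MACs are configured | weak mac check
+exec: sshd -T | grep -Pi -- 'macs\h+([^#\n\r]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b'
+exit-status: 0
+stdout: ['!/./']
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.6
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- CM-1
+- CM-2
+- CM-6
+- CM-7
+- IA-5
+{{ end }}
+{{ end }}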
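--- /dev/null
+++ b/PATH_NOT_SHOWN_cis_5_1_7
@@ -0,0 +1,32 @@
+---
+{{ if .Vars.rhel9cis_level_1 }}
+{{ if .Vars.rhel9cis_rule_5_1_7 }}
+{{ if .Vars.rhel9cis_sshd_limited }}
+command:
+sshd_access_limited:
+title: 5.1.7 | Ensure SSH access is limited | config
+exec: grep -E "^(Allow|Deny)(User|Group)" {{ .Vars.rhel9_cis_sshd_config_file }}
+exit-status:
+or:
+- 0
+- 1
+stdout:
+{{ range .Vars.rhel9cis_sshd_access }}
+- {{ . }}
+{{ end }}
+meta:
+server: 1
+workstation: 1
+CIS_ID:
+- 5.1.7
+CISv8: 3.3
+CISv8_IG1: true
+CISv8_IG2: true
+CISv8_IG3: true
+NIST800-53R5:
+- AC-3
+- MP-2
+{{ end }}
+{{ end }}
+{{ end }}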
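Review bot: `{{ .Vars.rhel9_cis_sshd_config_file }}` in the `exec:` line uses a `rhel9_cis_` prefix while every other variable on this page is `rhel9cis_`; if the variable is not defined under that exact name the template renders an empty path and `grep -E "^(Allow|Deny)(User|Group)"` runs with no file argument, reading stdin instead of the config — confirm the name against the vars file. The `- {{ . }}` entries rendered under `stdout:` are unquoted templated scalars, so any access value beginning with a YAML indicator would mis-parse; `- '{{ . }}'` is the safer form. Note also that this check reads only the one file named by the variable, so `AllowUsers`/`AllowGroups` lines placed in `/etc/ssh/sshd_config.d/` are not seen — fine if intended, but worth stating in the title.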
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_15 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_8 }}
file:
sshd_banner:
title: 5.2.15 | Ensure SSH warning banner configured | sshd_default
title: 5.1.8 | Ensure SSH warning banner configured | sshd_default
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.15
- 5.1.8
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
ssh_configd_banner:
title: 5.3.15 | Ensure SSH warning banner configured | conf.d banner settings
title: 5.3.8 | Ensure SSH warning banner configured | conf.d banner settings
exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.15
- 5.1.8
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
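Review bot: The renumbered live-check title reads `5.3.8 | Ensure SSH warning banner configured | conf.d banner settings`, carrying over the old `5.3.15` slip; the file check above it and both `CIS_ID` entries say 5.1.8, so it should be `title: 5.1.8 | Ensure SSH warning banner configured | conf.d banner settings`. In the `exec:` line just below, `'^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf` has no space between the pattern and the path, so the shell concatenates them into a single pattern argument and grep, given no file, likely reads stdin and never inspects the conf.d files; that line appears unchanged by this commit, but the fix is simply `exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf`. The `command:` block continues past the hunk.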
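--- a/PATH_NOT_SHOWN_old_cron_at_5_1_8_5_1_9
+++ /dev/null
@@ -1,63 +0,0 @@
-{{ if .Vars.rhel9cis_rule_5_1_8 }}
-file:
-cron_deny_users:
-title: 5.1.8 | Ensure cron is restricted to authorized users
-path: /etc/cron.deny
-exists: false
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.8
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-cron_allow_users:
-title: 5.1.8 | Ensure cron is restricted to authorized users
-path: /etc/cron.allow
-exists: true
-owner: root
-group: root
-mode: "0600"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.8
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ if .Vars.rhel9cis_rule_5_1_9 }}
-at_deny_users:
-title: 5.1.9 | Ensure at is restricted to authorized users
-path: /etc/at.deny
-exists: false
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.8
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-at_allow_users:
-title: 5.1.9 | Ensure at is restricted to authorized users
-path: /etc/at.allow
-exists: true
-owner: root
-group: root
-mode: "0600"
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.1.8
-CISv8: 3.3
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}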
@@ -1,7 +1,10 @@
{{ if .Vars.rhel9cis_rule_5_2_20 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_9 }}
file:
sshd_clientalive:
title: 5.2.20 | Ensure SSH Idle Timeout Interval is configured
title: 5.1.9 | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
path: /etc/ssh/sshd_config
exists: true
contents:
@@ -11,14 +14,20 @@ file:
server: 1
workstation: 1
CIS_ID:
- 5.2.20
- 5.1.9
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
sshd_clientalive_live:
title: 5.2.20 | Ensure SSH Idle Timeout Interval is configured | live
title: 5.1.9 | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | live
exec: sshd -T | grep clientalive
exit-status:
or:
@@ -31,9 +40,16 @@ command:
server: 1
workstation: 1
CIS_ID:
- 5.2.20
- 5.1.9
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
+12 -10
@@ -1,19 +1,21 @@
{{ if .Vars.rhel9cis_rule_5_2_1 }}
file:
sshd_config_perms:
title: 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured
path: /etc/ssh/sshd_config
exists: true
mode: "0600"
owner: root
group: root
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_1}}
package:
sudo:
title: 5.2.1 | Ensure sudo is installed
installed: true
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.1
CISv8: 3.3
CISv8: 5.4
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-6
{{ end }}
{{ end }}
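--- a/PATH_NOT_SHOWN_old_5_2_12
+++ /dev/null
@@ -1,41 +0,0 @@
-{{ if .Vars.rhel9cis_level_2 }}
-{{ if .Vars.rhel9cis_rule_5_2_12 }}
-file:
-sshd_x11:
-title: 5.2.12 | Ensure SSH X11 forwarding is disabled | config
-path: /etc/ssh/sshd_config
-exists: true
-contents:
-- '/^X11Forwarding no/'
-- '!/^X11Forwarding yes/'
-meta:
-server: 2
-workstation: 1
-CIS_ID:
-- 5.2.12
-CISv8: 4.8
-CISv8_IG1: false
-CISv8_IG2: true
-CISv8_IG3: true
-command:
-ssh_x11_live:
-title: 5.2.12 | Ensure SSH X11 forwarding is disabled | live
-exec: sshd -T | grep x11forwarding
-exit-status:
-or:
-- 0
-- 1
-stdout:
-- '/^x11forwarding no/'
-- '!/^x11forwarding yes/'
-meta:
-server: 2
-workstation: 1
-CIS_ID:
-- 5.2.12
-CISv8: 4.8
-CISv8_IG1: false
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ end }}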
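--- a/PATH_NOT_SHOWN_old_5_2_13
+++ /dev/null
@@ -1,41 +0,0 @@
-{{ if .Vars.rhel9cis_level_2 }}
-{{ if .Vars.rhel9cis_rule_5_2_13 }}
-file:
-sshd_tcpforwarding:
-title: 5.2.13 | Ensure SSH AllowTcpForwarding is disabled
-path: /etc/ssh/sshd_config
-exists: true
-contents:
-- '/^AllowTcpForwarding no/'
-- '!/^AllowTcpForwarding yes/'
-meta:
-server: 2
-workstation: 2
-CIS_ID:
-- 5.2.13
-CISv8: 4.1
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-command:
-sshd_tcpforwarding_live:
-title: 5.2.13 | Ensure SSH AllowTcpForwarding is disabled | live
-exec: sshd -T | grep allowtcpforward
-exit-status:
-or:
-- 0
-- 1
-stdout:
-- '/^allowtcpforwarding no/'
-- '!/^allowtcpforwarding yes/'
-meta:
-server: 2
-workstation: 2
-CIS_ID:
-- 5.2.13
-CISv8: 4.1
-CISv8_IG1: true
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}
-{{ end }}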
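--- a/PATH_NOT_SHOWN_old_5_2_14
+++ /dev/null
@@ -1,18 +0,0 @@
-{{ if .Vars.rhel9cis_rule_5_2_14 }}
-file:
-sshd_crypto:
-title: 5.2.14 | Ensure system-wide crypto policy is not over-ridden
-path: /etc/ssh/sshd_config
-exists: true
-contents:
-- '!/^CRYPTO_POLICY/'
-meta:
-server: 1
-workstation: 1
-CIS_ID:
-- 5.2.14
-CISv8: 3.10
-CISv8_IG1: false
-CISv8_IG2: true
-CISv8_IG3: true
-{{ end }}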
+14 -34
@@ -1,45 +1,25 @@
{{ if .Vars.rhel9cis_rule_5_2_2 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_2 }}
command:
/etc/ssh/ssh_host_prv_key_user:
title: 5.2.2 | Ensure permissions on SSH private host key files are configured_user
exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys"
pty_sudoers_d:
title: 5.2.2 | Ensure sudo commands use pty
exec: export PTY=`grep -q -Ei '^\s*Defaults\s+(\[^#]+,\s*)?use_pty' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $PTY == 0 ]];then echo OK ;fi
exit-status: 0
stdout: ['!/./']
stdout:
- 'OK'
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
/etc/ssh/ssh_host_prv_key_group:
title: 5.2.2 | Ensure permissions on SSH private host key files are configured_group
exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
/etc/ssh/ssh_host_prv_key_perms:
title: 5.2.2 | Ensure permissions on SSH private host key files are configured_user
exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.2
CISv8: 3.3
CISv8:
- 5.4
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-6
{{ end }}
{{ end }}
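Review bot: In `pty_sudoers_d` the grep pattern `(\[^#]+,\s*)?` escapes the opening bracket, so under `-E` it is a literal `[` rather than a character class; `Defaults use_pty` on its own still matches because the group is optional, but a comma-separated line such as `Defaults log_output,use_pty` (a constructed example) does not, so a compliant sudoers would be reported as failing. The `log_sudoers_d` check in 5.2.3 has the intended form, `([^#]+,\s*)?`; use the same here. Also, `CISv8:` is written as a one-item list (`- 5.4`) in this file and in 5.2.3 (`- 8.5`) while every other check on the page uses a scalar such as `CISv8: 4.1`, which will trip any consumer that reads the meta field as a string.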
+15 -34
@@ -1,45 +1,26 @@
{{ if .Vars.rhel9cis_rule_5_2_3 }}
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_3 }}
command:
/etc/ssh/ssh_host_pub_key_user:
title: 5.2.3 | Ensure permissions on SSH pub host key files are configured_user
exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys"
log_sudoers_d:
title: 5.2.3 | Ensure sudo log file exists | sudoers.d
exec: export LOG=`grep -q -Esi '^\s*Defaults\s+([^#]+,\s*)?logfile=' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $LOG == 0 ]];then echo OK ;fi
exit-status: 0
stdout: ['!/./']
stdout:
- 'OK'
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
/etc/ssh/ssh_host_pub_key_group:
title: 5.2.3 | Ensure permissions on SSH public host key files are configured_group
exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
/etc/ssh/ssh_host_pub_key_perms:
title: 5.2.3 | Ensure permissions on SSH public host key files are configured_user
exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /133 ); echo $keyperms"
exit-status: 0
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 5.2.3
CISv8: 3.3
CISv8:
- 8.5
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
{{ end }}
{{ end }}
