v2.0.0_initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
2024-07-26 16:50:24 +01:00
parent e317bc5019
commit 8758e2d1bf
61 changed files with 1011 additions and 1404 deletions
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_1 }}
command:
cramfs:
title: 1.1.1.1 | Ensure cramfs kernel module is not available | disabled
exit-status: 0
exec: "modprobe -n -v cramfs | grep -E '(cramfs|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_cramfs:
title: 1.1.1.1 | Ensure cramfs kernel module is not available | blacklist
exit-status: 0
exec: grep cramfs /etc/modprobe.d/*.conf
stdout:
- '/blacklist cramfs/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
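Review bot: The `stdout` entry `install /bin/true` on the cramfs check accepts only `/bin/true`, so a host that disables the module with `install cramfs /bin/false` (which, to my recollection, the CIS audit also accepts) fails this check; a regex entry such as `- '/^install \/bin\/(true|false)/'` covers both. `exit-status: 0` also becomes a failure when the running kernel does not ship the module at all, because modprobe prints an error and the grep matches nothing, so either accept exit status 1 for that case or document that the module must exist. The blacklist check's `'/blacklist cramfs/'` is unanchored and therefore also matches a commented-out `# blacklist cramfs` line; `'/(^|:)\s*blacklist\s+cramfs\b/'` tolerates grep's filename prefix while rejecting comments. The same three points apply to the sections ending at lines 91, 132, 173, 214, 255, 296 and 337.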
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_2 }}
command:
freevxfs:
title: 1.1.1.2 | Ensure freevxfs kernel module is not available | disabled
exit-status: 0
exec: "modprobe -n -v freevxfs | grep -E '(freevxfs|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_freevxfs:
title: 1.1.1.2 | Ensure freevxfs kernel module is not available | blacklist
exit-status: 0
exec: grep freevxfs /etc/modprobe.d/*.conf
stdout:
- '/blacklist freevxfs/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_3 }}
command:
hfs_modprobe:
title: 1.1.1.3 | Ensure hfs kernel module is not available | disabled
exit-status: 0
exec: "modprobe -n -v hfs | grep -E '(hfs|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_hfs:
title: 1.1.1.3 | Ensure hfs kernel module is not available | blacklist
exit-status: 0
exec: grep hfs /etc/modprobe.d/*.conf
stdout:
- '/blacklist hfs/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
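Review bot: The resource key `hfs_modprobe:` breaks the naming used by the sibling files, where the disabled-check key is the bare module name (`cramfs:`, `freevxfs:`, `squashfs:`, `udf:`, `usb-storage:`) and only the second check carries a prefix (`blacklist_hfs:`). Renaming to `hfs:` keeps the goss output names uniform across 1.1.1.x; the same applies to `hfsplus_modprobe:` (line 140) and `jffs2_modprobe:` (line 181).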
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_4 }}
command:
hfsplus_modprobe:
title: 1.1.1.4 | Ensure hfsplus kernel module is not available | disabled
exit-status: 0
exec: "modprobe -n -v hfsplus | grep -E '(hfsplus|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_hfsplus:
title: 1.1.1.4 | Ensure hfsplus kernel module is not available | blacklist
exit-status: 0
exec: grep hfsplus /etc/modprobe.d/*.conf
stdout:
- '/blacklist hfsplus/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_5 }}
command:
jffs2_modprobe:
title: 1.1.1.5 | Ensure jffs2 kernel module is not available | disabled
exit-status: 0
exec: "modprobe -n -v jffs2 | grep -E '(jffs2|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_jffs2:
title: 1.1.1.5 | Ensure jffs2 kernel module is not available | blacklist
exit-status: 0
exec: grep jffs2 /etc/modprobe.d/*.conf
stdout:
- '/blacklist jffs2/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_1_6 }}
command:
squashfs:
title: 1.1.1.6 | Ensure squashfs kernel module is not available | disabled
exit-status: 0
exec: "modprobe -n -v squashfs | grep -E '(squashfs|install)'"
stdout:
- install /bin/true
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_squashfs:
title: 1.1.1.6 | Ensure squashfs kernel module is not available | blacklist
exit-status: 0
exec: grep squashfs /etc/modprobe.d/*.conf
stdout:
- '/blacklist squashfs/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_1_7 }}
command:
udf:
title: 1.1.1.7 | Ensure udf kernel module is not available
exit-status: 0
exec: "modprobe -n -v udf | grep -E '(udf|install)'"
stdout:
- install /bin/true
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_udf:
title: 1.1.1.7 | Ensure udf kernel module is not available | blacklist
exit-status: 0
exec: grep udf /etc/modprobe.d/*.conf
stdout:
- '/blacklist udf/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
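Review bot: The udf title on line 264 lacks the `| disabled` suffix that every other modprobe check carries, while its sibling on line 280 does have `| blacklist`, so the two report lines for 1.1.1.7 no longer distinguish which check failed. Change it to `title: 1.1.1.7 | Ensure udf kernel module is not available | disabled`; the usb-storage title on line 305 has the same omission.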
+39
@@ -0,0 +1,39 @@
---
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_8 }}
command:
usb-storage:
title: 1.1.1.8 | Ensure usb-storage kernel module is not available
exit-status: 0
exec: "modprobe -n -v usb-storage | grep -E '(usb-storage|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 2
CIS_ID: 1.1.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
blacklist_usb-storage:
title: 1.1.1.8 | Ensure usb-storage kernel module is not available | blacklist
exit-status: 0
exec: grep usb-storage /etc/modprobe.d/*.conf
stdout:
- '/blacklist usb-storage/'
meta:
server: 1
workstation: 2
CIS_ID: 1.1.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
+21
@@ -0,0 +1,21 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_1_1 }}
mount:
tmp_mount:
title: 1.1.2.1.1 | Ensure /tmp is a separate partition
mountpoint: /tmp
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
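Review bot: The template gates on lines 342-343 use the prefix `rhel9ciscis_` (`.Vars.rhel9ciscis_level_1`, `.Vars.rhel9ciscis_rule_1_1_2_1_1`) whereas the 1.1.1.x files use `rhel9cis_`; unless the variables file deliberately defines both spellings, these conditions evaluate to an unset value and the whole 1.1.2 mount/fstab family renders empty, which silently drops every partition check without any failure being reported. The fix is `{{ if .Vars.rhel9cis_level_1 }}` / `{{ if .Vars.rhel9cis_rule_1_1_2_1_1 }}` and the matching rename in the sections ending at lines 426, 450, 516, 539, 597, 620, 678, 701, 767, 790, 856, 879 and 945. Separately, the `meta` block here stores `CIS_ID` as a list and `CISv8` as a bare float, while the 1.1.1.x files do the opposite (scalar `CIS_ID`, list `CISv8`); anything that post-processes goss output by these keys will need one schema.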
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_1_1 }}
mount:
tmp_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_1_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_1_3 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_1_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_fstab_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*{{ if .Vars.rhel9ciscis_rule_1_1_2_1_2 }}nodev{{ end }}/'
- '/\s\/tmp.*{{ if .Vars.rhel9ciscis_rule_1_1_2_1_3 }}nosuid{{ end }}.*/'
- '/\s\/tmp.*{{ if .Vars.rhel9ciscis_rule_1_1_2_1_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
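Review bot: The fstab patterns on lines 407-409 anchor the mount point only on its left side (`\s\/tmp.*`), so a line for a different mount such as `/tmpfs` or any path beginning with `/tmp` carrying `nodev` satisfies the check; the /var files in this commit already use the tighter form, e.g. `- '/\s\/tmp\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_1_2 }}nodev{{ end }}/'`. The same loose anchor appears in the /dev/shm (lines 497-499) and /home (lines 580-581) files. Note also that CIS permits /tmp to be provided by a systemd `tmp.mount` unit rather than an fstab line, in which case `tmp_fstab_options` fails on a compliant host; if that is intended, the title should say the check requires an fstab entry.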
+22
@@ -0,0 +1,22 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_2_1 }}
mount:
dev_shm_mount:
title: 1.1.2.2.1 | Ensure /dev/shm is a separate partition
mountpoint: /dev/shm
filesystem: tmpfs
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_2_1 }}
mount:
dev_shm_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_2_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_2_3 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_2_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_fstab_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*{{ if .Vars.rhel9ciscis_rule_1_1_2_2_2 }}nodev{{ end }}/'
- '/\s\/dev\/shm.*{{ if .Vars.rhel9ciscis_rule_1_1_2_2_3 }}nosuid{{ end }}.*/'
- '/\s\/dev\/shm.*{{ if .Vars.rhel9ciscis_rule_1_1_2_2_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
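Review bot: Line 454 gates the nodev/nosuid/noexec checks for /dev/shm on `rule_1_1_2_2_1`, the separate-partition rule, so a user who disables 1.1.2.2.1 but keeps 1.1.2.2.2-4 enabled loses those checks without notice; the /home and /var files (lines 543 and 624) gate on the first option rule instead, so one convention should be chosen, and the /tmp file (line 364) has the same issue. Additionally, if all three option rules are off, `opts:` on line 463 renders with no items, which YAML reads as null rather than an empty list; whether goss treats that as "no constraint" or an error should be confirmed, and `opts: []` may be the safer rendering.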
+21
@@ -0,0 +1,21 @@
---
{{ if .Vars.rhel9ciscis_level_2 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_3_1 }}
mount:
home_mount:
title: 1.1.2.3.1 | Ensure separate partition exists for /home
mountpoint: /home
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.3.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
@@ -0,0 +1,58 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_3_2 }}
mount:
home_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
mountpoint: /home
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_3_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_3_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_fstab_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*{{ if .Vars.rhel9ciscis_rule_1_1_2_3_2 }}nodev{{ end }}/'
- '/\s\/home.*{{ if .Vars.rhel9ciscis_rule_1_1_2_3_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
+21
@@ -0,0 +1,21 @@
---
{{ if .Vars.rhel9ciscis_level_2 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_4_1 }}
mount:
var_mount:
title: 1.1.2.4.1 | Ensure separate partition exists for /var
mountpoint: /var
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.4.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
@@ -0,0 +1,58 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_4_2 }}
mount:
var_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
mountpoint: '/var'
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_4_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_4_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_fstab_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_4_2 }}nodev{{ end }}/'
- '/\s\/var\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_4_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
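Review bot: `mountpoint: '/var'` on line 630 is single-quoted while the same key is a plain scalar in the /tmp, /dev/shm and /home files and in this file's own `var_mount` check (line 607); both parse identically, but mixing forms invites a reviewer to look for a reason that is not there. Use the plain form `mountpoint: /var` here and on lines 712, 801 and 890.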
+21
@@ -0,0 +1,21 @@
---
{{ if .Vars.rhel9ciscis_level_2 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_5_1 }}
mount:
var_tmp_mount:
title: 1.1.2.5.1 | Ensure separate partition exists for /var/tmp
mountpoint: /var/tmp
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.5.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R4: CM-7
{{ end }}
{{ end }}
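Review bot: The meta key on line 699 is `NIST800-53R4: CM-7` whereas every other check in this commit uses `NIST800-53R5`, so any report that groups or filters on the R5 key silently omits 1.1.2.5.1. Change it to `NIST800-53R5: CM-7`.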
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_5_2 }}
mount:
var_tmp_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_5_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_5_3 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_5_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_fstab_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_5_2 }}nodev{{ end }}/'
- '/\s\/var\/tmp\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_5_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/tmp\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_5_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
+21
@@ -0,0 +1,21 @@
---
{{ if .Vars.rhel9ciscis_level_2 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_6_1 }}
mount:
var_log_mount:
title: 1.1.2.6.1 | Ensure separate partition exists for /var/log
mountpoint: /var/log
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.6.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_6_2 }}
mount:
var_log_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_6_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_6_3 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_6_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_fstab_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_6_2 }}nodev{{ end }}/'
- '/\s\/var\/log\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_6_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_6_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
+21
@@ -0,0 +1,21 @@
---
{{ if .Vars.rhel9ciscis_level_2 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_7_1 }}
mount:
var_log_audit_mount:
title: 1.1.2.7.1 | Ensure separate partition exists for /var/log/audit
mountpoint: /var/log/audit
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.7.1
CISv8: 8.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
@@ -0,0 +1,66 @@
---
{{ if .Vars.rhel9ciscis_level_1 }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_7_2 }}
mount:
var_log_audit_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
{{ if .Vars.rhel9ciscis_rule_1_1_2_7_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_7_3 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9ciscis_rule_1_1_2_7_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_fstab_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_7_2 }}nodev{{ end }}/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_7_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.rhel9ciscis_rule_1_1_2_7_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
-67
@@ -1,67 +0,0 @@
command:
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_1_1 }}
squashfs:
title: 1.1.1.1 | Ensure mounting of squashfs filesystems is disabled | disabled
exit-status: 0
exec: "modprobe -n -v squashfs | grep -E '(vfat|install)'"
stdout:
- install /bin/true
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
blacklist_squashfs:
title: 1.1.1.1 | Ensure mounting of squashfs filesystems is disabled | blacklist
exit-status: 0
exec: grep squashfs /etc/modprobe.d/blacklist.conf
stdout:
- '/blacklist squashfs/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_1_2 }}
udf:
title: 1.1.1.2 | Ensure mounting of udf filesystems is disabled
exit-status: 0
exec: "modprobe -n -v udf | grep -E '(udf|install)'"
stdout:
- install /bin/true
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
blacklist_udf:
title: 1.1.1.2 | Ensure mounting of udf filesystems is disabled | blacklist
exit-status: 0
exec: grep udf /etc/modprobe.d/blacklist.conf
stdout:
- '/blacklist udf/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
-20
@@ -1,20 +0,0 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_1 }}
command:
tmp_partition:
title: 1.1.2.1 | Ensure /tmp is a separate partition
exec: mount -l | grep -w /tmp
exit-status: 0
stdout:
- '/tmp type'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
-93
@@ -1,93 +0,0 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_1 }}
mount:
/tmp:
title: |
1.1.2.2 | Ensure nodev option set on /tmp partition
1.1.2.3 | Ensure noexec option set on /tmp partition
1.1.2.4 | Ensure nosuid option set on /tmp partition
exists: true
opts:
{{ if .Vars.rhel9cis_rule_1_1_2_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_2_3 }}
- noexec
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_2_4 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2
- 1.1.2.3
- 1.1.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
command:
{{ if .Vars.rhel9cis_rule_1_1_2_2 }}
nodev_tmp_fstab:
title: 1.1.2.3 | Ensure nodev option set on /tmp partition | fstab config
exec: grep '.*\/tmp\s.*nodev.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/tmp\s.*nodev.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_2_3 }}
noexec_tmp_fstab:
title: 1.1.2.3 | Ensure noexec option set on /tmp partition | fstab config
exec: grep '.*\/tmp\s.*noexec.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/tmp\s.*noexec.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_2_4 }}
nosuid_tmp_fstab:
title: 1.1.2.4 | Ensure nosuid option set on /tmp partition | fstab config
exec: grep '.*\/tmp\s.*nosuid.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/tmp\s.*nosuid.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-20
@@ -1,20 +0,0 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_3_1 }}
command:
var_partition:
title: 1.1.3.1 | Ensure separate partition exists for /var
exec: mount -l | grep -w /var
exit-status: 0
stdout:
- 'on /var'
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.3.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
-68
@@ -1,68 +0,0 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_3_1 }}
mount:
/var:
title: |
1.1.3.2 | Ensure nodev option set on /var partition
1.1.3.3 | Ensure noexec option set on /var partition
exists: true
opts:
{{ if .Vars.rhel9cis_rule_1_1_3_2 }}
- nodev
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_3_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.3.2
- 1.1.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
command:
{{ if .Vars.rhel9cis_rule_1_1_3_2 }}
nodev_var_fstab:
title: 1.1.3.2 | Ensure nodev option set on /var partition | fstab config
exec: grep '.*\/var\s.*nodev.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/var\s.*nodev.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.3.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_3_3 }}
nosuid_var_fstab:
title: 1.1.3.3 | Ensure nosuid option set on /var partition | fstab config
exec: grep '.*\/var\s.*nosuid.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/var\s.*nosuid.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-20
@@ -1,20 +0,0 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_4_1 }}
command:
var_tmp_partition:
title: 1.1.4.1 | Ensure separate partition exists for /var/tmp
exec: mount -l | grep -w /var/tmp
exit-status: 0
stdout:
- 'on /var/tmp'
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.4.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
-93
@@ -1,93 +0,0 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_4_1 }}
mount:
/var/tmp:
title: |
1.1.4.2 | Ensure noexec option set on /var/tmp partition
1.1.4.3 | Ensure nosuid option set on /var/tmp partition
1.1.4.4 | Ensure nodev option set on /var/tmp partition
exists: true
opts:
{{ if .Vars.rhel9cis_rule_1_1_4_2 }}
- noexec
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_4_3 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_4_4 }}
- nodev
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.4.2
- 1.1.4.3
- 1.1.4.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
command:
{{ if .Vars.rhel9cis_rule_1_1_4_2 }}
noexec_var_tmp_fstab:
title: 1.1.4.2 | Ensure noexec option set on /var/tmp partition | fstab config
exec: grep '.*\/var\/tmp\s.*noexec.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/var\/tmp\s.*noexec.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.4.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_4_3 }}
nosuid_var_tmp_fstab:
title: 1.1.4.3 | Ensure nosuid option set on /var/tmp partition | fstab config
exec: grep '.*\/var\/tmp\s.*nosuid.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/var\/tmp\s.*nosuid.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_4_4 }}
nodev_var_tmp_fstab:
title: 1.1.4.4 | Ensure nodev option set on /var/tmp partition | fstab config
exec: grep '.*\/var\/tmp\s.*nodev.*$' \/etc\/fstab
exit-status:
or:
- 0
- 1
stdout:
- '/.*\/var\/tmp\s.*nodev.*$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.4.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-20
@@ -1,20 +0,0 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_5_1 }}
command:
var_log_partition:
title: 1.1.5.1 | Ensure separate partition exists for /var/log
exec: mount -l | grep -w /var/log
exit-status: 0
stdout:
- 'on /var/log'
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.5.1
CISv8: 8.3
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
