RHEL 7 CIS STIG
================

Based on [CIS RedHat Enterprise Linux 7 Benchmark v2.1.1 - 01-31-2017 ](https://community.cisecurity.org/collab/public/index.php).

This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)

Requirements
------------

You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook.
If you want to do a dry run without changing anything, set the below sections (rhel7cis_section1-6) to false. 

Role Variables
--------------
There are many role variables defined in defaults/main.yml. This list shows the most important.

**rhel7cis_notauto**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)

**rhel7cis_section1**: CIS - General Settings (Section 1) (Default: true)

**rhel7cis_section2**: CIS - Services settings (Section 2) (Default: true)

**rhel7cis_section3**: CIS - Network settings (Section 3) (Default: true)

**rhel7cis_section4**: CIS - Logging and Auditing settings (Section 4) (Default: true)

**rhel7cis_section5**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)

**rhel7cis_section6**: CIS - System Maintenance settings (Section 6) (Default: true)  

##### Disable all selinux functions
`rhel7cis_selinux_disable: false`


Dependencies
------------

Ansible > 2.2

Example Playbook
-------------------------

This sample playbook should be run in a folder that is above the main RHEL7-CIS / RHEL7-CIS-devel folder.

```
- name: Harden AMI
  hosts: localhost
  become: yes

  roles:
    - RHEL7-CIS
```

Tags
----
Many tags are available for precise control of what is and is not changed.

Some examples of using tags:

```
    # Audit and patch the file
    ansible-playbook file.yml --tags="patch"
```

License
-------

MIT