- name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond enabled: yes when: - rhel7cis_rule_5_1_1|bool tags: - level1 - level2 - patch - rule_5.1.1 - name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" file: dest: /etc/crontab owner: root group: root mode: 0600 when: - rhel7cis_rule_5_1_2|bool tags: - level1 - level2 - patch - rule_5.1.2 - name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" file: dest: /etc/cron.hourly state: directory owner: root group: root mode: 0700 when: - rhel7cis_rule_5_1_3|bool tags: - level1 - level2 - patch - rule_5.1.3 - name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" file: dest: /etc/cron.daily state: directory owner: root group: root mode: 0700 when: - rhel7cis_rule_5_1_4|bool tags: - level1 - level2 - patch - rule_5.1.4 - name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" file: dest: /etc/cron.weekly state: directory owner: root group: root mode: 0700 when: - rhel7cis_rule_5_1_5|bool tags: - level1 - level2 - patch - rule_5.1.5 - name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" file: dest: /etc/cron.monthly state: directory owner: root group: root mode: 0700 when: - rhel7cis_rule_5_1_6|bool tags: - level1 - level2 - patch - rule_5.1.6 - name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" file: dest: /etc/cron.d state: directory owner: root group: root mode: 0700 when: - rhel7cis_rule_5_1_7|bool tags: - level1 - level2 - patch - rule_5.1.7 - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" block: - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" file: dest: /etc/at.deny state: absent - name: "SCORED | 5.1.8 | PATCH | Check if at.allow exists" stat: path: "/etc/at.allow" register: p - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" file: dest: /etc/at.allow state: '{{ "file" if p.stat.exists else "touch" }}' owner: root group: root mode: 0600 - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" file: dest: /etc/cron.deny state: absent - name: "SCORED | 5.1.8 | PATCH | Check if cron.allow exists" stat: path: "/etc/cron.allow" register: p - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" file: dest: /etc/cron.allow state: '{{ "file" if p.stat.exists else "touch" }}' owner: root group: root mode: 0600 when: - rhel7cis_rule_5_1_8|bool tags: - level1 - level2 - patch - rule_5.1.8 - name: "CI | 5.2 | PATCH | Ensure host keys are present." command: /usr/bin/ssh-keygen -A args: creates: /etc/ssh/ssh_host_ed25519_key - name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" file: dest: /etc/ssh/sshd_config state: file owner: root group: root mode: 0600 when: - rhel7cis_rule_5_2_1|bool tags: - level1 - level2 - patch - rule_5.2.1 - name: "SCORED | 5.2.2 | PATCH | Ensure SSH Protocol is set to 2" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^Protocol' line: 'Protocol 2' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_2|bool tags: - level1 - level2 - patch - rule_5.2.2 - name: "SCORED | 5.2.3 | PATCH | Ensure SSH LogLevel is set to INFO" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^LogLevel' line: 'LogLevel INFO' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_3|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.3 - name: "SCORED | 5.2.4 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^X11Forwarding' line: 'X11Forwarding no' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_4|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.4 - name: "SCORED | 5.2.5 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_5|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.5 - name: "SCORED | 5.2.6 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^IgnoreRhosts' line: 'IgnoreRhosts yes' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_6|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.6 - name: "SCORED | 5.2.7 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^HostbasedAuthentication' line: 'HostbasedAuthentication no' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_7|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.7 - name: "SCORED | 5.2.8 | PATCH | Ensure SSH root login is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^PermitRootLogin' line: 'PermitRootLogin no' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_8|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.8 - name: "SCORED | 5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^PermitEmptyPasswords' line: 'PermitEmptyPasswords no' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_9|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.9 - name: "SCORED | 5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^PermitUserEnvironment' line: 'PermitUserEnvironment no' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_10|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.10 - name: "SCORED | 5.2.11 | PATCH | Ensure only approved ciphers are used" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^Ciphers' line: "Ciphers {{ rhel7cis_sshd['ciphers'] }}" validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_11|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.11 - name: "SCORED | 5.2.12 | PATCH | Ensure only approved MAC algorithms are used" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^MACs' line: "MACs {{ rhel7cis_sshd['macs'] }}" validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_12|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.12 - name: "SCORED | 5.2.13 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "SCORED | 5.2.13 | PATCH | Ensure SSH Idle Timeout Interval is configured" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^ClientAliveInterval' line: "ClientAliveInterval {{ rhel7cis_sshd['clientaliveinterval'] }}" validate: /usr/sbin/sshd -t -f %s notify: restart sshd - name: "SCORED | 5.2.13 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel7cis_sshd['clientalivecountmax'] }}" validate: /usr/sbin/sshd -t -f %s notify: restart sshd when: - rhel7cis_rule_5_2_13|bool tags: - level1 - level2 - patch - rule_5.2.13 - name: "SCORED | 5.2.14 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^LoginGraceTime' line: "LoginGraceTime {{ rhel7cis_sshd['logingracetime'] }}" validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_14|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.14 - name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited" block: - name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - allowusers" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "(?i)^AllowUsers" line: AllowUsers {{ rhel7cis_sshd['allowusers'] }} validate: /usr/sbin/sshd -t -f %s notify: - restart sshd when: - rhel7cis_sshd['allowusers'] | default('') - name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - allowgroups" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "(?i)^AllowGroups" line: AllowGroups {{ rhel7cis_sshd['allowgroups'] }} validate: /usr/sbin/sshd -t -f %s notify: - restart sshd when: - rhel7cis_sshd['allowgroups'] | default('') - name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - denyusers" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "(?i)^DenyUsers" line: DenyUsers {{ rhel7cis_sshd['denyusers'] }} validate: /usr/sbin/sshd -t -f %s notify: - restart sshd when: - rhel7cis_sshd['denyusers'] | default('') - name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - denygroups" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "(?i)^DenyGroups" line: DenyGroups {{ rhel7cis_sshd['denygroups'] }} validate: /usr/sbin/sshd -t -f %s notify: - restart sshd when: - rhel7cis_sshd['denygroups'] | default('') when: - rhel7cis_rule_5_2_15|bool tags: - level1 - level2 - patch - rule_5.2.15 - name: "SCORED | 5.2.16 | PATCH | Ensure SSH warning banner is configured" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '(?i)^Banner' line: 'Banner /etc/issue.net' validate: /usr/sbin/sshd -t -f %s when: - rhel7cis_rule_5_2_16|bool notify: restart sshd tags: - level1 - level2 - patch - rule_5.2.16 - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" lineinfile: state: present dest: /etc/security/pwquality.conf regexp: ^{{ item.key }}[ =] line: '{{ item.key }} = {{ item.value }}' with_dict: "{{ rhel7cis_pwquality }}" when: - rhel7cis_rule_5_3_1|bool tags: - level1 - level2 - patch - rule_5.3.1 - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured" command: /bin/true changed_when: no when: - rhel7cis_rule_5_3_2|bool tags: - level1 - level2 - patch - rule_5.3.2 - notimplemented - name: "SCORED | 5.3.3 | PATCH | Ensure password reuse is limited" command: /bin/true changed_when: no when: - rhel7cis_rule_5_3_3|bool tags: - level1 - level2 - patch - rule_5.3.3 - notimplemented - name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512" command: authconfig --passalgo=sha512 --update changed_when: no failed_when: no when: - rhel7cis_rule_5_3_4|bool tags: - level1 - level2 - patch - rule_5.3.4 - name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 90 days or less" lineinfile: state: present dest: /etc/login.defs regexp: '^PASS_MAX_DAYS' line: "PASS_MAX_DAYS {{ rhel7cis_pass['max_days'] }}" when: - rhel7cis_rule_5_4_1_1|bool tags: - level1 - level2 - patch - rule_5.4.1.1 - name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" lineinfile: state: present dest: /etc/login.defs regexp: '^PASS_MIN_DAYS' line: "PASS_MIN_DAYS {{ rhel7cis_pass['min_days'] }}" when: - rhel7cis_rule_5_4_1_2|bool tags: - level1 - level2 - patch - rule_5.4.1.2 - name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more" lineinfile: state: present dest: /etc/login.defs regexp: '^PASS_WARN_AGE' line: "PASS_WARN_AGE {{ rhel7cis_pass['warn_age'] }}" when: - rhel7cis_rule_5_4_1_3|bool tags: - level1 - level2 - patch - rule_5.4.1.3 - name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less" command: /bin/true changed_when: no when: - rhel7cis_rule_5_4_1_4|bool tags: - level1 - level2 - patch - rule_5.4.1.4 - notimplemented - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" shell: "awk -F: '($3 < {{ rhel7cis_rule_5_4_2_min_uid }}) {print $1 }' /etc/passwd" changed_when: no check_mode: no register: system_account when: - rhel7cis_rule_5_4_2|bool tags: - level1 - level2 - patch - rule_5.4.2 - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" user: name: "{{ item }}" password_lock: true with_items: - "{{ system_account.stdout_lines }}" when: - rhel7cis_rule_5_4_2|bool - item != "root" tags: - level1 - level2 - patch - rule_5.4.2 - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" user: name: "{{ item }}" shell: /sbin/nologin with_items: - "{{ system_account.stdout_lines }}" when: - rhel7cis_rule_5_4_2|bool - item != "root" - item != "sync" - item != "shutdown" - item != "halt" tags: - level1 - level2 - patch - rule_5.4.2 - name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0" command: usermod -g 0 root changed_when: no failed_when: no when: - rhel7cis_rule_5_4_3|bool tags: - level1 - level2 - patch - rule_5.4.3 - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bashrc" replace: path: /etc/bashrc regexp: '(^\s+umask) 002' replace: '\1 027' - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile" replace: path: /etc/profile regexp: '(^\s+umask) 002' replace: '\1 027' when: - rhel7cis_rule_5_4_4|bool tags: - level1 - level2 - patch - rule_5.4.4 - name: "NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console" command: /bin/true changed_when: no tags: - level1 - level2 - patch - rule_5.5 - notimplemented - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted" lineinfile: state: present dest: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: 'auth required pam_wheel.so use_uid' tags: - level1 - level2 - patch - rule_5.6 - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - wheel group contains root" user: name: root groups: wheel tags: - level1 - level2 - patch - rule_5.6