mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add RHEL 9 CIS-inspired hardening playbook

Browse Source
This commit is contained in:
Mateusz Suski
2026-05-06 08:45:33 +00:00
parent 1e2db3e125
commit 75a11f7650
20 changed files with 711 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infra-run/ansible/roles/cis-rhel9-hardening/tasks/postcheck.yml
+79
View File
@@ -0,0 +1,79 @@
---
- name: Validate sshd effective configuration syntax
ansible.builtin.command: sshd -t
register: cis_sshd_validate
changed_when: false
check_mode: false
- name: Read sysctl values for validation
ansible.builtin.command: "sysctl -n {{ item.key }}"
loop: "{{ cis_sysctl_settings | dict2items }}"
loop_control:
label: "{{ item.key }}"
register: cis_sysctl_validation
changed_when: false
failed_when: false
check_mode: false
when: cis_enable_sysctl_hardening | bool
- name: Gather final service facts
ansible.builtin.service_facts:
- name: Build service state summary
ansible.builtin.set_fact:
cis_service_state_summary:
chronyd: "{{ ansible_facts.services['chronyd.service'].state | default('not-found') }}"
auditd: "{{ ansible_facts.services['auditd.service'].state | default('not-found') }}"
rsyslog: "{{ ansible_facts.services['rsyslog.service'].state | default('not-found') }}"
- name: Build sysctl validation summary
ansible.builtin.set_fact:
cis_sysctl_validation_summary: "{{ cis_sysctl_validation_summary | default({}) | combine({item.item.key: item.stdout | default('unreadable')}) }}"
loop: "{{ cis_sysctl_validation.results | default([]) }}"
loop_control:
label: "{{ item.item.key }}"
when: cis_enable_sysctl_hardening | bool
- name: Build mount option change summary
ansible.builtin.set_fact:
cis_mount_option_summary: >-
{{
cis_mount_option_results.results
| default([])
| selectattr('changed', 'defined')
| selectattr('changed')
| map(attribute='item.path')
| list
}}
- name: Publish validation summary
ansible.builtin.set_fact:
cis_validation_summary:
benchmark: "CIS RHEL 9 Benchmark {{ cis_benchmark_version }} inspired controls"
sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
services: "{{ cis_service_state_summary }}"
sysctl: "{{ cis_sysctl_validation_summary | default({}) }}"
mount_option_updates: "{{ cis_mount_option_summary | default([]) }}"
applied_controls:
- ssh
- packages
- sysctl
- services
- audit
- sudo
- logging
- filesystem
- name: Show service states
ansible.builtin.debug:
var: cis_service_state_summary
- name: Show changed mount options
ansible.builtin.debug:
msg: >-
{{ cis_mount_option_summary | default([]) if cis_mount_option_summary | default([]) | length > 0
else 'OK: No mount option changes were applied.' }}
- name: Show applied control summary
ansible.builtin.debug:
var: cis_validation_summary