HarryHarcourt.ansible_rhel8_cis_benchmarks

HarryHarcourt.Ansible-RHEL8-CIS-Benchmarks

=========

All credit goes to anthcourtney for the original framework available here: https://github.com/anthcourtney/ansible-role-cis-amazon-linux.

This version has been adapted for Red Hat Enterprise Linux 8.X and CentOS 8.X (not yet tested).

This setup has been made idempotent in many areas, and work continues on this.

This setup allows you to enable and configure certain services.

The CIS RHEL Linux Benchmark can be found here: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.1.pdf.

This role was developed and tested on Red Hat Linux 8.0 using the AWS AMI: ami-079596bf7a949ddf8.

Why Would I Use This Role?


If you need to comply with accepted security standards like PCI DSS, APRA, or ISO 27001, you must show that you've applied documented hardening standards to all systems you are assessing.

If you are using Red Hat Linux, this role helps provide part of the solution for compliance.

Important Warnings


If you're thinking of applying this role to servers, you should understand the CIS Benchmark (or similar benchmarks) and consider the potential impact on your system.

Make sure to familiarize yourself with the standard and its default values, and exclude certain items before applying them to your system.

Examples of items to consider excluding (or modifying) include:

  • 3.4.2 and 3.4.3, which by default restrict access to the host (including via SSH) to localhost only.

Example Playbook


Here’s a simple example of a playbook that uses this role:

---

- hosts: localhost
  connection: local
  gather_facts: true
  become: yes

  roles:
    - Ansible-RHEL8-CIS-Benchmarks

For a more advanced example, which includes changes to the default values and excludes unnecessary items for a fictional setup, see below:

---

- hosts: localhost
  connection: local
  gather_facts: true
  become: yes

  vars:
    cis_level_1_exclusions:
      - 5.4.4
      - 3.4.2
      - 3.4.3
      - 6.2.13
    cis_pass_max_days: 45
    cis_umask_default: 002
  roles:
    - Ansible-RHEL8-CIS-Benchmarks

Note: The use of become: yes is necessary because most tasks require elevated privileges to run.
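The advanced playbook above sets exclusions and overrides two defaults but gives no feedback on whether the hardening landed as intended. The playbook below is an added example, not from this role's README or code: it keeps the same exclusions and values, refuses to change anything until the operator has run it in check mode (or explicitly opts in with `-e confirm_hardening=true`), and then verifies the password-expiry setting after the role has run. The host group `rhel8_servers` is a placeholder, and the post-task assumes (the README does not state this) that the role writes `cis_pass_max_days` into `PASS_MAX_DAYS` in `/etc/login.defs`, which is where the corresponding CIS recommendation sets it.

```yaml
---
# Added example, not part of the role. Assumptions are marked inline.
- hosts: rhel8_servers          # placeholder inventory group
  gather_facts: true
  become: yes                   # most tasks in the role need root

  vars:
    cis_level_1_exclusions:
      - 3.4.2                   # would limit host access to localhost only
      - 3.4.3
    cis_pass_max_days: 45
    cis_umask_default: "002"    # quoted so YAML keeps it a string with leading zeros

  pre_tasks:
    - name: Refuse to apply changes unless the operator has opted in
      assert:
        that: ansible_check_mode or (confirm_hardening | default(false) | bool)
        fail_msg: >-
          Run with --check --diff first, then re-run with
          -e confirm_hardening=true to apply the changes.

  roles:
    - Ansible-RHEL8-CIS-Benchmarks

  post_tasks:
    # Assumption: the role sets PASS_MAX_DAYS in /etc/login.defs from cis_pass_max_days.
    - name: Read the effective PASS_MAX_DAYS from /etc/login.defs
      command: grep -E '^PASS_MAX_DAYS' /etc/login.defs
      register: pass_max
      changed_when: false
      check_mode: false         # read-only, so run it even under --check

    - name: Confirm the requested password expiry was applied
      assert:
        that: (pass_max.stdout.split() | last | int) == cis_pass_max_days
        fail_msg: "Expected PASS_MAX_DAYS {{ cis_pass_max_days }}, got: {{ pass_max.stdout }}"
```

Typical use is `ansible-playbook site.yml --check --diff -t level-1` to review the planned changes, followed by `ansible-playbook site.yml -e confirm_hardening=true` once the diff has been read. The guard is deliberately a plain `assert` rather than a prompt so the playbook stays usable from CI.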

Role Variables


See defaults/main.yml for variables that can be changed as needed.

Options


You can use tags to run specific levels of the CIS standard, a section, or a single recommendation. For example:

  • Run only Level 1 tasks:

    ansible-playbook playbook.yml -t level-1

  • Run only Section 3 tasks:

    ansible-playbook playbook.yml -t section-3

  • Run tasks 1.3.1 and 2.2.10 only:

    ansible-playbook playbook.yml -t 1.3.1,2.2.10

  • Run scored tasks only:

    ansible-playbook playbook.yml -t scored

Limitations


Currently, only Level 1 items of the benchmark are included. Level 2 items will be added as time allows.

The following checks have not been implemented:

  • Firewall rules (3.6.2 to 3.6.5) are specific to each environment.
  • Determining what should be logged and where to send messages (4.2.1.2, 4.2.2.2) is environment specific.
  • Inline editing of the syslog-ng configuration files is too complicated and should use a provided configuration file instead (4.2.2.3 - 4.2.2.5).
  • Logrotate configuration is site-specific (4.3).
  • Editing pam configuration files is too risky and should use a provided configuration file instead (5.3.2, 5.3.3).
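Several of the unimplemented items above share one recommendation: ship a complete, site-provided configuration file rather than editing the installed one in place. The playbook below is an added example, not part of this role, showing that pattern for the rsyslog items (what gets logged and where messages are sent, 4.2.1.2). It drops a whole file into `/etc/rsyslog.d/`, has rsyslog check the file before it replaces the old one, and restarts the service only when the content changed. The host group, the collector name and the log rules are placeholders to be replaced with the site's own values; the same `copy` + `validate` + `backup` shape applies to a site-provided PAM file, minus `validate`, since PAM has no configuration checker.

```yaml
---
# Added example, not part of the role. Placeholders are marked inline.
- hosts: rhel8_servers                      # placeholder inventory group
  become: yes

  vars:
    remote_loghost: "loghost.example.internal"   # placeholder collector
    remote_logport: 514

  tasks:
    - name: Install the site-provided rsyslog rules as a drop-in file
      copy:
        dest: /etc/rsyslog.d/90-site.conf
        owner: root
        group: root
        mode: "0640"
        content: |
          # Site logging policy (placeholder rules; adjust to the environment).
          auth,authpriv.*                 /var/log/secure
          *.emerg                         :omusrmsg:*
          # Forward everything to the central collector over TCP (@@);
          # a single @ would select UDP.
          *.* @@{{ remote_loghost }}:{{ remote_logport }}
        # Let rsyslogd parse the candidate file (config-check mode) before it
        # replaces the current one; a parse error leaves the old file untouched.
        validate: "rsyslogd -N1 -f %s"
        backup: yes                         # keep the previous version on disk
      notify: restart rsyslog

  handlers:
    - name: restart rsyslog
      service:
        name: rsyslog
        state: restarted
```

Because the file is owned by the playbook as a unit, re-running it is idempotent: Ansible compares the rendered content to what is on disk and only the handler fires when something actually changed, which also gives a clean diff under `--check --diff`.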

Compatibility


This role works with the following versions of Ansible:

  • 2.0.2
  • 2.1.3
  • 2.2.0
  • 2.3.0

This role has not been tested with versions of Ansible outside those listed.

Testing


The following testing steps are taken by the developer of this role:

  • Syntax of the role is checked. Use make syntax.
  • ansible-review is run on the role, and any important warnings are addressed. Use make review.
  • The role is tested in a Docker container with both Ansible v2.1.3 and v2.2. Use make test.

Some tests are planned but not yet implemented, including the application of the role against the Vagrant mvbcoding/awslinux image using the Ansible provisioner.

License


BSD License.

Author Information


This role was initially developed by Anth Courtney.

Further development was done by Ben Wright.

We welcome all feedback, issues, and pull requests.

Project information

Idempotent CIS Benchmarks for RHEL/CentOS Linux V2

Install
ansible-galaxy install HarryHarcourt.ansible_rhel8_cis_benchmarks
License
Unknown
Downloads
160