ansible-lockdown.rhel8_cis

RHEL 8 CIS

Setting up a RHEL, Rocky, or AlmaLinux 8 machine to follow CIS standards

Following the CIS RedHat Enterprise Linux 8 Benchmark v3.0.0 - 11-10-2023

Need Support?

Lockdown Enterprise

Ansible Support

Join the Community

Come chat with us on Discord to ask questions, discuss features, or connect with other Ansible-Lockdown users.


Important Notes

This role changes system settings and can cause unexpected issues. It is a remediation tool intended to be run after an audit, not an audit tool in itself.

  • Testing is crucial.

  • Check Mode is not supported! The role completes without error in check mode, but the results it reports there are not a reliable picture of what would change. Use the RHEL8-CIS-Audit role or a compliance scanner for checks instead.

  • This role works best on a fresh OS installation. If applying it to an existing system, review every task in the role first and decide which controls need to be disabled or adjusted for that system.

  • For the latest release, use the main branch and the release/tag that matches the CIS benchmark version you want to apply.

  • If updating from an earlier version (e.g., v2.0.0 to v3.0.0), expect significant changes; starting from a fresh checkout and re-applying your variable overrides is recommended rather than upgrading in place.

  • The container settings (vars/is_container.yml) are only examples and should be modified as needed.

  • Have we mentioned testing??


Security Level for CIS

You can choose to apply only level 1 or only level 2 controls by selecting the corresponding tags with --tags or --skip-tags:

  • level1_server
  • level1_workstation
  • level2_server
  • level2_workstation

Note that the tag excerpt further down this page spells the level tags with a hyphen (level1-server); confirm the exact tag names for the release you are using with ansible-playbook --list-tags before relying on them.

Tags only decide which tasks run. The Goss audit checks are selected from the control settings in defaults/main.yml, so those settings must reflect the same level choice; otherwise the audit will report failures for controls you deliberately skipped.

From a Previous Release

CIS benchmark releases change frequently, so review the new references and variables when moving between versions. There have been substantial updates since the initial release of ansible-lockdown; the role now runs under Python 3 when that is the default interpreter, and the prerequisites are configured accordingly.

Check the Changelog for more information.

Auditing (New)

Auditing can be enabled or disabled in the defaults/main.yml file with the variable rhel8cis_run_audit, which is false by default. For more details, refer to the wiki. The defaults file also configures which Goss checks run, based on the controls enabled in the Ansible role.

This auditing is quick and lightweight, aimed at effective compliance and settings checks, and uses a small (about 12MB) Go binary called Goss.

It is designed to check not only that configuration files are correct but also that the system is actively running as configured, which removes a common class of false positives (a correct config file that was never applied).

See RHEL8-CIS-Audit for more information.

Example Audit Summary

This is from a Vagrant image with no GUI and no firewall enabled. The audit contains more tests than the role has controls, because each control is checked for both its configuration and its active state.


ok: [default] => {
    "msg": [
        "Pre-remediation results: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].",
        "Post-remediation results: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].",
        "Full details are available in /var/tmp",
        ""
    ]
}

PLAY RECAP *******************************************************************************************************************************************
default                    : ok=270  changed=23   unreachable=0    failed=0    skipped=140  rescued=0    ignored=0
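The summary above is the only machine-readable result the play recap gives you; the per-check details go to /var/tmp. The following added example (not code from the role or from Ansible Lockdown) parses those two summary lines, compares the pre- and post-remediation counts, and produces a pass/fail verdict suitable for gating a pipeline. SAMPLE_MSG is constructed from the lines shown above; the max_failed threshold and the field names in the returned dicts are this example's own choices.

```python
import re

# Constructed from the summary lines shown in the README's example audit output.
SAMPLE_MSG = [
    "Pre-remediation results: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].",
    "Post-remediation results: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].",
    "Full details are available in /var/tmp",
    "",
]

# Matches exactly the summary line layout shown on the page (assumption: the
# role keeps this format; adjust the pattern if your release prints it differently).
SUMMARY = re.compile(
    r"^(?P<phase>Pre|Post)-remediation results: \["
    r"'Total Duration: (?P<duration>[\d.]+)s', "
    r"'Count: (?P<count>\d+), Failed: (?P<failed>\d+), Skipped: (?P<skipped>\d+)'\]\.$"
)


def parse_summary(lines):
    """Return {'pre': {...}, 'post': {...}} parsed from the audit summary message."""
    out = {}
    for line in lines:
        m = SUMMARY.match(line)
        if m:
            out[m["phase"].lower()] = {
                "duration_s": float(m["duration"]),
                "count": int(m["count"]),
                "failed": int(m["failed"]),
                "skipped": int(m["skipped"]),
            }
    missing = {"pre", "post"} - out.keys()
    if missing:
        raise ValueError(f"summary lines missing: {sorted(missing)}")
    return out


def evaluate(summary, max_failed=0):
    """Judge the remediation run.

    fixed      : failures removed by remediation (negative means a regression)
    comparable : both phases ran the same number of checks, so the delta is meaningful
    passed     : no regression, comparable runs, and residual failures within max_failed
    post_pass_rate: share of non-skipped checks passing after remediation
    """
    pre, post = summary["pre"], summary["post"]
    fixed = pre["failed"] - post["failed"]
    comparable = pre["count"] == post["count"]
    considered = post["count"] - post["skipped"]
    pass_rate = round((considered - post["failed"]) / considered, 3) if considered else 0.0
    return {
        "fixed": fixed,
        "regressed": fixed < 0,
        "comparable": comparable,
        "post_pass_rate": pass_rate,
        "passed": comparable and fixed >= 0 and post["failed"] <= max_failed,
    }


if __name__ == "__main__":
    result = evaluate(parse_summary(SAMPLE_MSG), max_failed=50)
    print(result)
    raise SystemExit(0 if result["passed"] else 1)
```

The exit status is what a CI job would key on. With the sample numbers only one failure is fixed, which is expected for a minimal Vagrant image where many controls are already satisfied or skipped; the "comparable" flag guards against comparing runs whose check count changed (for example after toggling controls in defaults/main.yml between runs).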

Requirements

General:

  • Basic Ansible knowledge. If you are new to Ansible, start with the official Ansible documentation before running this role.

  • A working Ansible and/or Tower environment, installed, configured, and running, including all necessary base configuration and packages.

  • Read through the tasks in this role to understand what each control does; some are disruptive and can have unintended consequences on a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.

Technical Dependencies:

RHEL/AlmaLinux/Rocky/Oracle 8 - Other versions are not supported.

  • AlmaLinux/Rocky has been tested on version 8.8 (crypto sections 1.10 & 1.11 may break updates or installations as of July 01, 2021).
  • Access to download or add the Goss binary and related content when using auditing.
  • Python 3.8 or higher.
  • Ansible version 2.11 or higher.
  • python-def (included in RHEL 8).
  • libselinux-python.

Role Variables

Users should not need to edit tasks directly. All customizations should be made through the defaults/main.yml file or extra variables within the project, job, or workflow.

Tags

Numerous tags provide precise control. Each control carries tags for its CIS level, whether it is scored, the OS area it relates to, whether the task is a patch or an audit task, and the rule number.

Below is an example of the tag block from a control within this role. If you run with --skip-tags services, this task is skipped; conversely, with --tags services only tasks carrying that tag run.

      tags:
      - level1-server
      - level1-workstation
      - scored
      - avahi
      - services
      - patch
      - rule_2.2.4
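Tag filtering is the mechanism behind both the level selection described earlier and the services example above, so it is worth being able to predict what a given --tags/--skip-tags combination will actually apply. The following added example (not code from the role) models Ansible's tag-selection rules over a constructed task list and adds the check a practitioner wants before a level-filtered run: tasks that have a rule tag but no level tag, which a run such as --tags level1-server silently leaves out. The first entry copies the tag block shown above; the other tasks, their names and the rule numbers 9.9.x are made up for illustration. The level regex accepts both the hyphen and underscore spellings that appear on this page.

```python
import re

# Constructed sample of role tasks. The first copies the README's tag excerpt;
# the rest are invented (rule numbers 9.9.x are not real CIS controls).
TASKS = [
    {"name": "2.2.4 | PATCH | Ensure Avahi Server is not installed",
     "tags": ["level1-server", "level1-workstation", "scored", "avahi",
              "services", "patch", "rule_2.2.4"]},
    {"name": "9.9.1 | PATCH | Example level-2-only service control",
     "tags": ["level2-server", "level2-workstation", "scored", "services",
              "patch", "rule_9.9.1"]},
    {"name": "9.9.2 | PATCH | Example level-1 on servers, level-2 on workstations",
     "tags": ["level1-server", "level2-workstation", "scored", "filesystem",
              "patch", "rule_9.9.2"]},
    {"name": "9.9.3 | PATCH | Example task missing its level tags",
     "tags": ["scored", "filesystem", "patch", "rule_9.9.3"]},
    {"name": "PRELIM | Gather facts needed by later controls",
     "tags": ["always"]},
    {"name": "Debug | Dump variables",
     "tags": ["never", "debug"]},
]

LEVEL_TAG = re.compile(r"^level[12][-_](server|workstation)$")
RULE_TAG = re.compile(r"^rule_(\d+(?:\.\d+)*)$")


def task_runs(tags, run_tags=(), skip_tags=()):
    """Apply Ansible's tag-selection rules to one task's tag list.

    --skip-tags wins over everything; 'always' runs unless explicitly skipped;
    with no --tags (or --tags all) everything runs except 'never' tasks;
    with --tags given, a task runs only if one of its tags was selected.
    """
    tags, run, skip = set(tags), set(run_tags), set(skip_tags)
    if tags & skip:
        return False
    if "always" in tags:
        return True
    if not run or run == {"all"}:
        return "never" not in tags
    return bool(tags & run)


def selected_rules(tasks, run_tags=(), skip_tags=()):
    """Sorted rule numbers whose tasks would run for this selection."""
    rules = set()
    for task in tasks:
        if task_runs(task["tags"], run_tags, skip_tags):
            for tag in task["tags"]:
                m = RULE_TAG.match(tag)
                if m:
                    rules.add(m.group(1))
    return sorted(rules, key=lambda r: [int(x) for x in r.split(".")])


def rules_without_level_tag(tasks):
    """Names of rule-tagged tasks that carry no level tag.

    Such tasks are dropped from every level-filtered run, so flag them
    before trusting --tags level1-server to cover all Level 1 controls.
    """
    return [
        task["name"]
        for task in tasks
        if any(RULE_TAG.match(t) for t in task["tags"])
        and not any(LEVEL_TAG.match(t) for t in task["tags"])
    ]


if __name__ == "__main__":
    print("level1-server:", selected_rules(TASKS, ["level1-server"]))
    print("level1-server minus services:",
          selected_rules(TASKS, ["level1-server"], ["services"]))
    print("default run:", selected_rules(TASKS))
    print("no level tag:", rules_without_level_tag(TASKS))
```

To run the same check against the real role rather than this sample, feed it the tag lists from ansible-playbook --list-tasks --list-tags output, or load the task files under tasks/ with a YAML parser; the selection logic does not change.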

Community Contribution

We welcome contributions from the community. Please adhere to the following guidelines:

  • Work in your individual branch and ensure all commits are Signed-off and GPG signed before merging.
  • Community Pull Requests will be reviewed in the devel branch.
  • All commits in the devel branch must have GPG signatures, be Signed-off, and pass functional tests before approval.
  • Once changes are merged and reviewed, they will be consolidated into the main branch for a new release by an authorized member.

Known Issues

  • cloud-init: due to a bug, mounting /var with the noexec option breaks cloud-init. Refer to bug 1839899 before applying the /var mount option controls on cloud images.
  • AlmaLinux BaseOS, EPEL, and many cloud provider repositories currently do not support repo_gpgcheck (verification of signed repository metadata), so enabling it under rule_1.2.3 makes package operations against those repositories fail during the playbook run. Disable that rule in defaults/main.yml, or drop the affected repositories, if you depend on them.

Pipeline Testing

Uses:

  • Ansible core 2.12
  • Ansible collections - pulls the latest version based on the requirements file.
  • Runs audits using the devel branch.
  • This testing is automated for pull requests into the devel branch.

Local Testing

You can use Molecule to test this role in different scenarios.

Examples:

molecule test -s default
molecule converge -s wsl -- --check
molecule verify -s localhost

Local testing involves:

  • Ansible 2.13.3
  • Molecule 4.0.1
  • Various molecule plugins like molecule-docker, molecule-podman, molecule-vagrant, and molecule-azure.

Additional Tools

  • pre-commit can be used to run the repository's lint and formatting checks from within the checkout directory:
pre-commit run

Special Thanks

Huge thanks to the amazing community and all its members, including the original authors and maintainers: Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, and Mark Bolwell.

Install
ansible-galaxy install ansible-lockdown.rhel8_cis
License
MIT
Downloads
10.6k
Owner
Ansible Lockdown is a security baseline automation project sponsored by Mindpoint Group.