jbertozzi.cis_rhel8

cis-rhel8

This role helps configure a RHEL 8 server to meet the CIS Benchmarks.

Warning: Use this role with caution, as it may disrupt your systems.

Role Variables

Items

For each item, there is a boolean variable in the format cis_rhel8_<section>_<subitem1>_<subitem2>(_<subitem3>)?. These determine whether to apply the related fix. By default, the role will apply all fixes. Be sure to set the correct variables to false if your systems have specific requirements.

For example, to skip the bootloader password setup (1.5.2 - Ensure bootloader password is set), set cis_rhel8_1_5_2 to false.
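Because every fix is applied by default, a misspelled toggle name disables nothing: Ansible simply defines an unused variable and the role's default stays in effect. The Python check below is an added example, not part of this role; it flags variables that start with a digit after cis_rhel8_ but do not match the documented format, or whose value is not a plain boolean. It assumes one variable per line, and the name lint_toggles and the sample playbook are constructed for illustration.

```python
import re

# Toggle format as documented: cis_rhel8_<section>_<subitem1>_<subitem2>(_<subitem3>)?
TOGGLE = re.compile(r"^cis_rhel8_\d+_\d+_\d+(_\d+)?$")
# A digit right after the prefix means the variable is meant to be a toggle.
LOOKS_LIKE_TOGGLE = re.compile(r"^cis_rhel8_\d")
# "name: value" with an optional trailing comment (assumption: one variable per line).
VAR_LINE = re.compile(r"^\s*(cis_rhel8_[^\s:]*)\s*:\s*(.*?)\s*(?:#.*)?$")
# Unquoted YAML 1.1 boolean spellings, compared after lower-casing.
BOOLS = {"true", "false", "yes", "no", "on", "off"}

# Constructed sample playbook, not taken from the role.
SAMPLE = """\
---
- hosts: rhel8_servers
  vars:
    cis_rhel8_1_4_1: false            # well-formed toggle
    cis_rhel8_1.5.2: false            # dots instead of underscores
    cis_rhel8_5_2: false              # too few components
    cis_rhel8_5_2_6: "false"          # quoted string, not a boolean
    cis_rhel8_sshd_log_level: DEBUG   # customization variable, ignored
  roles:
    - role: cis-rhel8
"""


def lint_toggles(playbook_text):
    """Return (line_number, variable, problem) tuples for suspicious toggles."""
    findings = []
    for lineno, line in enumerate(playbook_text.splitlines(), start=1):
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not LOOKS_LIKE_TOGGLE.match(name):
            continue  # customization variable such as cis_rhel8_grub_password
        if not TOGGLE.match(name):
            findings.append((lineno, name, "name does not match toggle format"))
        elif value.lower() not in BOOLS:
            findings.append((lineno, name, "value is not a plain boolean: " + value))
    return findings


if __name__ == "__main__":
    for lineno, name, problem in lint_toggles(SAMPLE):
        print(f"line {lineno}: {name}: {problem}")
```

The check only validates the shape of the name and value; it cannot tell whether a well-formed item number actually exists in the role.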

Customization

Some items allow customization through variables. For instance, if you want to set a bootloader password, you can provide your own or reset it:

  • cis_rhel8_grub_password: mynewsecurepassword (this variable should be kept secure)
  • cis_rhel8_reset_grub_password: true

By default, these customization variables reflect the recommended settings from the CIS Benchmarks.

Example Playbooks

To apply all fixes with default settings:

$ cat cis.yml
---
- hosts: rhel8_servers
  roles:
    - role: cis-rhel8
$ ansible-playbook cis.yml

To apply only section 1 (Initial Setup):

$ cat cis.yml
---
- hosts: rhel8_servers
  vars:
    cis_rhel8_5_2_11: false
  roles:
    - role: cis-rhel8
$ ansible-playbook cis.yml -t section1

To apply only level 1 fixes, skip some items (1.4.1 Ensure AIDE is installed and 5.2.6 Ensure SSH X11 forwarding is disabled), and customize 5.2.5 Ensure SSH LogLevel is appropriate:

$ cat cis.yml
---
- hosts: rhel8_servers
  vars:
    cis_rhel8_1_4_1: false
    cis_rhel8_5_2_6: false
    cis_rhel8_sshd_log_level: DEBUG
  roles:
    - role: cis-rhel8
$ ansible-playbook cis.yml -t level1

License

BSD

Author Information

Jérémy Bertozzi jeremy.bertozzi@gmail.com

About the project

Apply CIS guideline for rhel8

Install
ansible-galaxy install jbertozzi.cis_rhel8