ansible-lockdown · uk-bolly · Dec 4, 2024 · Dec 3, 2024
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -663,23 +663,22 @@ rhel8cis_nft_tables_autochaincreate: true
 ######
 ## If using the allow/deny user groups options
 rhel8cis_sshd_limited: false
-rhel8cis_sshd:
-    clientalivecountmax: 3
-    clientaliveinterval: 15
-    logingracetime: 60
-    loglevel: INFO
-    macs: '-hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com'
-    maxauthtries: 4
-    maxsessions: 10
-    maxstartups: "10:30:60"
-    ciphers: '-3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se'
-    kex: '-diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
-    # WARNING: make sure you understand the precedence when working with these values!!
-    ## Only runs if value rhel8cis_sshd_limited is true
-    # allowusers:
-    # allowgroups: systems dba
-    # denyusers:
-    # denygroups:
+rhel8cis_sshd_clientalivecountmax: 3
+rhel8cis_sshd_clientaliveinterval: 15
+rhel8cis_sshd_logingracetime: 60
+rhel8cis_sshd_loglevel: INFO
+rhel8cis_sshd_macs: '-hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com'
+rhel8cis_sshd_maxauthtries: 4
+rhel8cis_sshd_maxsessions: 10
+rhel8cis_sshd_maxstartups: "10:30:60"
+rhel8cis_sshd_ciphers: '-3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se'
+rhel8cis_sshd_kex: '-diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
+# WARNING: make sure you understand the precedence when working with these values!!
+## Only runs if value rhel8cis_sshd_limited is true
+# rhel8cis_sshd_allowusers:
+# rhel8cis_sshd_allowgroups: systems dba
+# rhel8cis_sshd_denyusers:
+# rhel8cis_sshd_denygroups:
 
 # 4.3. sudo
 rhel8cis_sudolog_location: "/var/log/sudo.log"
@@ -715,33 +714,29 @@ rhel8cis_authselect_custom_profile_name: cis_example_profile
 # ```authselect list``` on the host to be configured
 rhel8cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 
-rhel8cis_pam_faillock:
-    attempts: 5
-    deny: 5
-    interval: 900
-    unlock_time: 900
-    root_unlock_time: 60
-    # Choose options below for root options
-    root_option: even_deny_root
-    # root_option: "root_unlock_time = {{ root_unlock_time }}"
-
-rhel8cis_pam_pwquality:
-    difok: 2
-    maxrepeat: 3
-    maxseq: 3
-    minlen: 14
-    minclass: 4
-
-rhel8cis_pam_pwhistory:
-    remember: 24
+rhel8cis_pam_faillock_attempts: 5
+rhel8cis_pam_faillock_deny: 5
+rhel8cis_pam_faillock_interval: 900
+rhel8cis_pam_faillock_unlock_time: 900
+rhel8cis_pam_faillock_root_unlock_time: 60
+# Choose options below for root options
+rhel8cis_pam_faillock_root_option: even_deny_root
+# root_option: "root_unlock_time = {{ root_unlock_time }}"
+
+rhel8cis_pam_pwquality_difok: 2
+rhel8cis_pam_pwquality_maxrepeat: 3
+rhel8cis_pam_pwquality_maxseq: 3
+rhel8cis_pam_pwquality_minlen: 14
+rhel8cis_pam_pwquality_minclass: 4
+
+rhel8cis_pam_pwhistory_remember: 24
 
 rhel8cis_pam_pwhash: sha512
 
-rhel8cis_pass:
-    inactive: 30
-    max_days: 365  # Max 365
-    min_days: 7
-    warn_age: 7
+rhel8cis_pam_pass_inactive: 30
+rhel8cis_pam_pass_max_days: 365  # Max 365
+rhel8cis_pam_pass_min_days: 7
+rhel8cis_pam_pass_warn_age: 7
 
 ## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['max_days']
 rhel8cis_set_max_expiry: false
@@ -752,9 +747,8 @@ rhel8cis_user_skip_list:
 
 rhel8cis_root_umask: '0027'  # 0027 or more restrictive
 
-rhel8cis_shell_session_timeout:
-    file: /etc/profile.d/tmout.sh
-    timeout: 900
+rhel8cis_shell_session_file: /etc/profile.d/tmout.sh
+rhel8cis_shell_session_timeout: 900
 
 # sugroup
 rhel8cis_sugroup: sugroup
@@ -792,13 +786,18 @@ rhel8cis_remote_log_queuesize: 1000
 
 update_audit_template: false
 
-rhel8cis_auditd:
-    disk_error_action: halt
-    disk_full_action: halt
-    action_mail_acct: root
-    space_left_action: email
-    admin_space_left_action: single
-    max_log_file_action: keep_logs
+# The audit_back_log_limit value should never be below 8192
+rhel8cis_auditd_back_log_limit: 8192
+
+# The max_log_file parameter should be based on your sites policy
+rhel8cis_auditd_max_log_file_size: 10
+
+rhel8cis_auditd_disk_error_action: halt
+rhel8cis_auditd_disk_full_action: halt
+rhel8cis_auditd_action_mail_acct: root
+rhel8cis_auditd_space_left_action: email
+rhel8cis_auditd_admin_space_left_action: single
+rhel8cis_auditd_max_log_file_action: keep_logs
 
 # UID settings for interactive users
 # These are discovered via logins.def if set true
@@ -843,26 +842,19 @@ rhel8cis_journald_maxfilesec: 1month
 # change to true if you wish to change logrotate.d conf files
 allow_logrotate_conf_umask_updates: false
 
-# The audit_back_log_limit value should never be below 8192
-rhel8cis_audit_back_log_limit: 8192
-
-# The max_log_file parameter should be based on your sites policy
-rhel8cis_max_log_file_size: 10
-
 # AIDE
 # aide setup via - cron, timer
 rhel8cis_aide_scan: cron
 rhel8cis_config_aide: true
 # AIDE cron settings
-rhel8cis_aide_cron:
-    cron_user: root
-    cron_file: /etc/cron.d/cis_aide
-    aide_job: '/usr/sbin/aide --check'
-    aide_minute: 0
-    aide_hour: 5
-    aide_day: '*'
-    aide_month: '*'
-    aide_weekday: '*'
+rhel8cis_aide_cron_user: root
+rhel8cis_aide_cron_file: /etc/cron.d/cis_aide
+rhel8cis_aide_cron_job: '/usr/sbin/aide --check'
+rhel8cis_aide_cron_minute: 0
+rhel8cis_aide_cron_hour: 5
+rhel8cis_aide_cron_day: '*'
+rhel8cis_aide_cron_month: '*'
+rhel8cis_aide_cron_weekday: '*'
 
 ## Section6 vars
 

diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml
@@ -100,33 +100,33 @@
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: "^AllowUsers"
-            line: AllowUsers {{ rhel8cis_sshd['allowusers'] }}
+            line: AllowUsers {{ rhel8cis_sshd_allowusers }}
         notify: Restart_sshd
-        when: "rhel8cis_sshd['allowusers']|default('') | length > 0"
+        when: "rhel8cis_sshd_allowusers|default('') | length > 0"
 
       - name: "4.2.4 | PATCH | Ensure SSH access is configured | Add line to sshd_config for allowgroups"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: "^AllowGroups"
-            line: AllowGroups {{ rhel8cis_sshd['allowgroups'] }}
+            line: AllowGroups {{ rhel8cis_sshd_allowgroups }}
         notify: Restart_sshd
-        when: "rhel8cis_sshd['allowgroups']|default('') | length > 0"
+        when: "rhel8cis_sshd_allowgroups|default('') | length > 0"
 
       - name: "4.2.4 | PATCH | Ensure SSH access is configured | Add line to sshd_config for denyusers"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: "^DenyUsers"
-            line: DenyUsers {{ rhel8cis_sshd['denyusers'] }}
+            line: DenyUsers {{ rhel8cis_sshd_denyusers }}
         notify: Restart_sshd
-        when: "rhel8cis_sshd['denyusers']|default('') | length > 0"
+        when: "rhel8cis_sshd_denyusers|default('') | length > 0"
 
       - name: "4.2.4 | PATCH | Ensure SSH access is configured | Add line to sshd_config for denygroups"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: "^DenyGroups"
-            line: DenyGroups {{ rhel8cis_sshd['denygroups'] }}
+            line: DenyGroups {{ rhel8cis_sshd_denygroups }}
         notify: Restart_sshd
-        when: "rhel8cis_sshd['denygroups']|default('') | length > 0"
+        when: "rhel8cis_sshd_denygroups|default('') | length > 0"
 
 - name: "4.2.5 | PATCH | Ensure SSH warning banner is configured"
   when:
@@ -163,7 +163,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: "^#Ciphers|^Ciphers"
-      line: "Ciphers {{ rhel8cis_sshd['ciphers'] }}"
+      line: "Ciphers {{ rhel8cis_sshd_ciphers }}"
 
 - name: "4.2.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
   when:
@@ -185,13 +185,13 @@
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: '^ClientAliveInterval'
-            line: "ClientAliveInterval {{ rhel8cis_sshd['clientaliveinterval'] }}"
+            line: "ClientAliveInterval {{ rhel8cis_sshd_clientaliveinterval }}"
 
       - name: "4.2.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: '^ClientAliveCountMax'
-            line: "ClientAliveCountMax {{ rhel8cis_sshd['clientalivecountmax'] }}"
+            line: "ClientAliveCountMax {{ rhel8cis_sshd_clientalivecountmax }}"
 
 - name: "4.2.8 | PATCH | Ensure sshd DisableForwarding is enabled"
   when:
@@ -272,7 +272,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: "^#KexAlgorithms|^KexAlgorithms"
-      line: "KexAlgorithms {{ rhel8cis_sshd['kex'] }}"
+      line: "KexAlgorithms {{ rhel8cis_sshd_kex }}"
 
 - name: "4.2.12 | PATCH | Ensure sshd LoginGraceTime is configured"
   when:
@@ -288,7 +288,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: "^#LoginGraceTime|^LoginGraceTime"
-      line: "LoginGraceTime {{ rhel8cis_sshd['logingracetime'] }}"
+      line: "LoginGraceTime {{ rhel8cis_sshd_logingracetime }}"
 
 - name: "4.2.13 | PATCH | Ensure sshd LogLevel is configured"
   when:
@@ -306,7 +306,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: "^#LogLevel|^LogLevel"
-      line: "LogLevel {{ rhel8cis_sshd['loglevel'] }}"
+      line: "LogLevel {{ rhel8cis_sshd_loglevel }}"
 
 - name: "4.2.14 | PATCH | Ensure sshd MACs are configured"
   when:
@@ -327,7 +327,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: "^#MACs|^MACs"
-      line: "MACs {{ rhel8cis_sshd['macs'] }}"
+      line: "MACs {{ rhel8cis_sshd_macs }}"
 
 - name: "4.2.15 | PATCH | Ensure sshd MaxAuthTries is configured"
   when:
@@ -343,7 +343,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^(#)?MaxAuthTries \d'
-      line: "MaxAuthTries {{ rhel8cis_sshd['maxauthtries'] }}"
+      line: "MaxAuthTries {{ rhel8cis_sshd_maxauthtries }}"
 
 - name: "4.2.16 | PATCH | Ensure sshd MaxSessions is configured"
   when:
@@ -363,7 +363,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: "^#MaxSessions|^MaxSessions"
-      line: "MaxSessions {{ rhel8cis_sshd['maxsessions'] }}"
+      line: "MaxSessions {{ rhel8cis_sshd_maxsessions }}"
 
 - name: "4.2.17 | PATCH | Ensure sshd MaxStartups is configured"
   when:
@@ -383,7 +383,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: (?i)MaxStartups
-      line: "MaxStartups {{ rhel8cis_sshd['maxstartups'] }}"
+      line: "MaxStartups {{ rhel8cis_sshd_maxstartups }}"
 
 - name: "4.2.18 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
   when:

diff --git a/tasks/section_4/cis_4.4.3.1.x.yml b/tasks/section_4/cis_4.4.3.1.x.yml
@@ -16,7 +16,7 @@
             path: /etc/security/faillock.conf
             state: present
             regexp: '^(#|)\s*deny\s*=\s*\d'
-            line: "deny = {{ rhel8cis_pam_faillock['deny'] }}"
+            line: "deny = {{ rhel8cis_pam_faillock_deny }}"
 
       - name: "4.4.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates
@@ -64,7 +64,7 @@
             path: /etc/security/faillock.conf
             state: present
             regexp: '^(#|)\s*unlock_time\s*=\s*\d'
-            line: "unlock_time = {{ rhel8cis_pam_faillock['unlock_time'] }}"
+            line: "unlock_time = {{ rhel8cis_pam_faillock_unlock_time }}"
 
       - name: "4.4.3.1.2 | PATCH | Ensure password unlock time is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates
@@ -104,14 +104,14 @@
         ansible.builtin.lineinfile:
             path: /etc/security/faillock.conf
             state: present
-            regexp: ^(#|)\s*"{{ rhel8cis_pam_faillock['root_option'] }}"(\s*=\s*\d|.*)
-            line: "{{ rhel8cis_pam_faillock['root_option'] }}"
+            regexp: ^(#|)\s*"{{ rhel8cis_pam_faillock_root_option }}"(\s*=\s*\d|.*)
+            line: "{{ rhel8cis_pam_faillock_root_option }}"
 
       - name: "4.4.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | pam_files"
         when: not rhel8cis_allow_authselect_updates
         ansible.builtin.replace:
             path: "/etc/pam.d/{{ item }}-auth"
-            regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s"{{ rhel8cis_pam_faillock['root_option'] }}"(\s*=\s*\d|.*)\S+(.*$)
+            regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s"{{ rhel8cis_pam_faillock_root_option }}"(\s*=\s*\d|.*)\S+(.*$)
             replace: \1\2\3\4
         loop:
             - password
@@ -124,7 +124,7 @@
         notify: Update_authselect
         ansible.builtin.replace:
             path: "/etc/authselect/custom/{{ rhel8cis_authselect_custom_profile_name }}/{{ item }}-auth"
-            regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s"{{ rhel8cis_pam_faillock['root_option'] }}"(\s*=\s*\d|.*)\S+(.*$)
+            regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s"{{ rhel8cis_pam_faillock_root_option }}"(\s*=\s*\d|.*)\S+(.*$)
             replace: \1\2\3\4
         loop:
             - password

diff --git a/tasks/section_4/cis_4.4.3.2.x.yml b/tasks/section_4/cis_4.4.3.2.x.yml
@@ -17,7 +17,7 @@
             path: /etc/security/pwquality.conf
             state: present
             regexp: '^(#|)\s*difok\s*=\s*\d'
-            line: "difok = {{ rhel8cis_pam_pwquality['difok'] }}"
+            line: "difok = {{ rhel8cis_pam_pwquality_difok }}"
 
       - name: "4.4.3.2.1 | PATCH | Ensure password number of changed characters is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates
@@ -59,7 +59,7 @@
             path: /etc/security/pwquality.conf
             state: present
             regexp: '^(#|)\s*minlen\s*=\s*\d'
-            line: "minlen = {{ rhel8cis_pam_pwquality['minlen'] }}"
+            line: "minlen = {{ rhel8cis_pam_pwquality_minlen }}"
 
       - name: "4.4.3.2.2 | PATCH | Ensure password length is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates
@@ -101,7 +101,7 @@
             path: /etc/security/pwquality.conf
             state: present
             regexp: '^(#|)\s*minclass\s*=\s*\d'
-            line: "minclass = {{ rhel8cis_pam_pwquality['minclass'] }}"
+            line: "minclass = {{ rhel8cis_pam_pwquality_minclass }}"
 
       - name: "4.4.3.2.3 | PATCH | Ensure password complexity is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates
@@ -143,7 +143,7 @@
             path: /etc/security/pwquality.conf
             state: present
             regexp: '^(#|)\s*maxrepeat\s*=\s*\d'
-            line: "maxrepeat = {{ rhel8cis_pam_pwquality['maxrepeat'] }}"
+            line: "maxrepeat = {{ rhel8cis_pam_pwquality_maxrepeat }}"
 
       - name: "4.4.3.2.4 | PATCH | Ensure password same consecutive characters is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates
@@ -185,7 +185,7 @@
             path: /etc/security/pwquality.conf
             state: present
             regexp: '^(#|)\s*maxsequence\s*=\s*\d'
-            line: "maxsequence = {{ rhel8cis_pam_pwquality['maxseq'] }}"
+            line: "maxsequence = {{ rhel8cis_pam_pwquality_maxseq }}"
 
       - name: "4.4.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | pam_files"
         when: not rhel8cis_allow_authselect_updates

diff --git a/tasks/section_4/cis_4.4.3.3.x.yml b/tasks/section_4/cis_4.4.3.3.x.yml
@@ -17,7 +17,7 @@
             path: /etc/security/pwhistory.conf
             state: present
             regexp: '^(#|)\s*remember\s*=\s*\d'
-            line: "remember = {{ rhel8cis_pam_pwhistory['remember'] }}"
+            line: "remember = {{ rhel8cis_pam_pwhistory_remember }}"
 
       - name: "4.4.3.3.1 | PATCH | Ensure password number of changed characters is configured | authselect_files"
         when: