Configure RHEL/Centos 7 machine to be CIS compliant. Level 1 and 2 findings will be corrected by default.

This role will make changes to the system that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

If you want to install this via the ansible-galaxy command you'll need to run it like this:

ansible-galaxy install -p roles -r requirements.yml

With this in the file requirements.yml:

- src: https://github.com/mehmanoglu/rhel7-cis.git

Based on CIS RedHat Enterprise Linux 7 Benchmark v2.2.0 - 12-27-2017 .

You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. If you want to do a dry run without changing anything, set the below sections (rhel7cis_section1-6) to false.

There are many role variables defined in defaults/main.yml & vars/main.yml. This list shows the most important.

rhel7cis_notauto: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)

rhel7cis_section1: CIS - General Settings (Section 1) (Default: true)

rhel7cis_section2: CIS - Services settings (Section 2) (Default: true)

rhel7cis_section3: CIS - Network settings (Section 3) (Default: true)

rhel7cis_section4: CIS - Logging and Auditing settings (Section 4) (Default: true)

rhel7cis_section5: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)

rhel7cis_section6: CIS - System Maintenance settings (Section 6) (Default: true)

rhel7cis_selinux_disable: false

rhel7cis_avahi_server: false  
rhel7cis_cups_server: false  
rhel7cis_dhcp_server: false  
rhel7cis_ldap_server: false  
rhel7cis_telnet_server: false  
rhel7cis_nfs_server: false  
rhel7cis_rpc_server: false  
rhel7cis_ntalk_server: false  
rhel7cis_rsyncd_server: false  
rhel7cis_tftp_server: false  
rhel7cis_rsh_server: false  
rhel7cis_nis_server: false  
rhel7cis_snmp_server: false  
rhel7cis_squid_server: false  
rhel7cis_smb_server: false  
rhel7cis_dovecot_server: false  
rhel7cis_httpd_server: false  
rhel7cis_vsftpd_server: false  
rhel7cis_named_server: false  
rhel7cis_bind: false  
rhel7cis_vsftpd: false  
rhel7cis_httpd: false  
rhel7cis_dovecot: false  
rhel7cis_samba: false  
rhel7cis_squid: false  
rhel7cis_net_snmp: false  

rhel7cis_is_mail_server: false

rhel7cis_is_router: false

rhel7cis_ipv6_required: true

rhel7cis_config_aide: true

rhel7cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'  

rhel7cis_selinux_pol: targeted

rhel7cis_xwindows_required: no

rhel7cis_openldap_clients_required: false 
rhel7cis_telnet_required: false 
rhel7cis_talk_required: false  
rhel7cis_rsh_required: false 
rhel7cis_ypbind_required: false 

rhel7cis_time_synchronization: chrony
rhel7cis_time_Synchronization: ntp

rhel7cis_time_synchronization_servers:
    - 0.pool.ntp.org
    - 1.pool.ntp.org
    - 2.pool.ntp.org
    - 3.pool.ntp.org  

rhel7cis_host_allow:
  - "10.0.0.0/255.0.0.0"  
  - "172.16.0.0/255.240.0.0"  
  - "192.168.0.0/255.255.0.0"    

rhel7cis_firewall: firewalld
rhel7cis_firewall: iptables

Ansible > 2.4

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

- name: RHEL7 CIS Remediation
  hosts: servers
  become: yes
  roles:
     - { role: nazarov.rhel-cis }

Many tags are available for precise control of what is and is not changed.

Some examples of using tags:

    # Audit and patch the site
    ansible-playbook site.yml --tags="patch"


License
-------

MIT