Configure RHEL/Centos 7 machine to be CIS compliant. Level 1 and 2 findings will be corrected by default.
This role will make changes to the system that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
If you want to install this via the ansible-galaxy
command you'll need to run it like this:
ansible-galaxy install -p roles -r requirements.yml
With this in the file requirements.yml:
- src: https://github.com/mehmanoglu/rhel7-cis.git
Based on CIS RedHat Enterprise Linux 7 Benchmark v2.2.0 - 12-27-2017 .
You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. If you want to do a dry run without changing anything, set the below sections (rhel7cis_section1-6) to false.
There are many role variables defined in defaults/main.yml & vars/main.yml. This list shows the most important.
rhel7cis_notauto: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)
rhel7cis_section1: CIS - General Settings (Section 1) (Default: true)
rhel7cis_section2: CIS - Services settings (Section 2) (Default: true)
rhel7cis_section3: CIS - Network settings (Section 3) (Default: true)
rhel7cis_section4: CIS - Logging and Auditing settings (Section 4) (Default: true)
rhel7cis_section5: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)
rhel7cis_section6: CIS - System Maintenance settings (Section 6) (Default: true)
rhel7cis_selinux_disable: false
rhel7cis_avahi_server: false
rhel7cis_cups_server: false
rhel7cis_dhcp_server: false
rhel7cis_ldap_server: false
rhel7cis_telnet_server: false
rhel7cis_nfs_server: false
rhel7cis_rpc_server: false
rhel7cis_ntalk_server: false
rhel7cis_rsyncd_server: false
rhel7cis_tftp_server: false
rhel7cis_rsh_server: false
rhel7cis_nis_server: false
rhel7cis_snmp_server: false
rhel7cis_squid_server: false
rhel7cis_smb_server: false
rhel7cis_dovecot_server: false
rhel7cis_httpd_server: false
rhel7cis_vsftpd_server: false
rhel7cis_named_server: false
rhel7cis_bind: false
rhel7cis_vsftpd: false
rhel7cis_httpd: false
rhel7cis_dovecot: false
rhel7cis_samba: false
rhel7cis_squid: false
rhel7cis_net_snmp: false
rhel7cis_is_mail_server: false
rhel7cis_is_router: false
rhel7cis_ipv6_required: true
rhel7cis_config_aide: true
rhel7cis_aide_cron:
cron_user: root
cron_file: /etc/crontab
aide_job: '/usr/sbin/aide --check'
aide_minute: 0
aide_hour: 5
aide_day: '*'
aide_month: '*'
aide_weekday: '*'
rhel7cis_selinux_pol: targeted
rhel7cis_xwindows_required: no
rhel7cis_openldap_clients_required: false
rhel7cis_telnet_required: false
rhel7cis_talk_required: false
rhel7cis_rsh_required: false
rhel7cis_ypbind_required: false
rhel7cis_time_synchronization: chrony
rhel7cis_time_Synchronization: ntp
rhel7cis_time_synchronization_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
rhel7cis_host_allow:
- "10.0.0.0/255.0.0.0"
- "172.16.0.0/255.240.0.0"
- "192.168.0.0/255.255.0.0"
rhel7cis_firewall: firewalld
rhel7cis_firewall: iptables
Ansible > 2.4
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- name: RHEL7 CIS Remediation
hosts: servers
become: yes
roles:
- { role: nazarov.rhel-cis }
Many tags are available for precise control of what is and is not changed.
Some examples of using tags:
# Audit and patch the site
ansible-playbook site.yml --tags="patch"
License
-------
MIT