Replace inline strings with module parameters
Signed-off-by: Anže Luzar <[email protected]>
anzoman committed Sep 15, 2023
1 parent a77cc2c commit 99edfdc
Showing 27 changed files with 164 additions and 82 deletions.
3 changes: 2 additions & 1 deletion tasks/auditd.yml
Expand Up @@ -20,7 +20,8 @@
- Restart auditd

- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, see diff output for details'
when:
33 changes: 22 additions & 11 deletions tasks/main.yml
Expand Up @@ -86,77 +86,88 @@
- always

- name: Include preliminary steps
ansible.builtin.import_tasks: prelim.yml
ansible.builtin.import_tasks:
file: prelim.yml
tags:
- prelim_tasks
- always

- name: Run pre_remediation audit
when:
- run_audit
ansible.builtin.include_tasks: pre_remediation_audit.yml
ansible.builtin.include_tasks:
file: pre_remediation_audit.yml
tags:
- run_audit

- name: Run Section 1 tasks
when:
- amzn2023cis_section1
ansible.builtin.import_tasks: section_1/main.yml
ansible.builtin.import_tasks:
file: section_1/main.yml
tags:
- amzn2023cis_section1

- name: Run Section 2 tasks
when:
- amzn2023cis_section2
ansible.builtin.import_tasks: section_2/main.yml
ansible.builtin.import_tasks:
file: section_2/main.yml
tags:
- amzn2023cis_section2

- name: Run Section 3 tasks
when:
- amzn2023cis_section3
ansible.builtin.import_tasks: section_3/main.yml
ansible.builtin.import_tasks:
file: section_3/main.yml
tags:
- amzn2023cis_section3

- name: Run Section 4 tasks
when:
- amzn2023cis_section4
ansible.builtin.import_tasks: section_4/main.yml
ansible.builtin.import_tasks:
file: section_4/main.yml
tags:
- amzn2023cis_section4

- name: Run Section 5 tasks
when:
- amzn2023cis_section5
ansible.builtin.import_tasks: section_5/main.yml
ansible.builtin.import_tasks:
file: section_5/main.yml
tags:
- amzn2023cis_section5

- name: Run Section 6 tasks
when:
- amzn2023cis_section6
ansible.builtin.import_tasks: section_6/main.yml
ansible.builtin.import_tasks:
file: section_6/main.yml
tags:
- amzn2023cis_section6

- name: run auditd logic
when:
- update_audit_template
ansible.builtin.import_tasks: auditd.yml
ansible.builtin.import_tasks:
file: auditd.yml
tags:
- always

- name: run post remediation tasks
ansible.builtin.import_tasks: post.yml
ansible.builtin.import_tasks:
file: post.yml
tags:
- post_tasks
- always

- name: run post_remediation audit
when:
- run_audit
ansible.builtin.import_tasks: post_remediation_audit.yml
ansible.builtin.import_tasks:
file: post_remediation_audit.yml

- name: Show Audit Summary
when:
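Review bot: The `Run pre_remediation audit` task keeps `ansible.builtin.include_tasks` together with `tags: - run_audit`, but for a dynamic include the tags apply to the include statement only and are not inherited by the tasks inside `pre_remediation_audit.yml`, so a run limited with `--tags run_audit` reaches the include yet may skip the audit tasks themselves unless that file tags them (its tags are not visible in this commit). If inheritance is the intent, add `apply: tags: [run_audit]` under the include or switch to `ansible.builtin.import_tasks` like the sibling section tasks. The `run post_remediation audit` task has no `tags:` at all while its pre-remediation twin does, so the same `--tags run_audit` run would skip the post-remediation audit entirely; adding `tags:` / `  - run_audit` there restores the symmetry. The task list continues past the end of this hunk.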
3 changes: 2 additions & 1 deletion tasks/post.yml
Expand Up @@ -46,7 +46,8 @@
- skip_reboot

- name: "POST | Warning a reboot required but skip option set | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- change_requires_reboot
- skip_reboot
3 changes: 2 additions & 1 deletion tasks/pre_remediation_audit.yml
@@ -1,7 +1,8 @@
---

- name: Pre Audit Binary Setup | Setup the LE audit
ansible.builtin.include_tasks: LE_audit_setup.yml
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
when:
- setup_audit
tags:
3 changes: 2 additions & 1 deletion tasks/prelim.yml
Expand Up @@ -12,7 +12,8 @@
- users

- name: "PRELIM | capture /etc/password variables"
ansible.builtin.include_tasks: parse_etc_password.yml
ansible.builtin.include_tasks:
file: parse_etc_password.yml
tags:
- rule_5.5.2
- rule_5.6.2
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.2.1'
required_mount: '/tmp'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.3.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.3.1'
required_mount: '/var'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.4.x.yml
Expand Up @@ -8,7 +8,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.4.1'
required_mount: '/var/tmp'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.5.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.5.1'
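Review bot: A blank line now separates the new `file: warning_facts.yml` line from `vars:` inside the same task in cis_1.1.5.x.yml, so the `vars:` block reads as detached from the import it belongs to; the same layout appears in cis_1.1.6.x.yml, cis_1.1.7.x.yml and cis_1.1.8.x.yml, while cis_1.1.2.x, cis_1.1.3.x and cis_1.1.4.x keep `vars:` directly under the import. Since these lines are being rewritten anyway, drop the blank line so each task body is contiguous and matches the other warning-count tasks in this commit. The task continues past the end of this hunk.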
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.6.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.6.1'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.7.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.7.1'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.8.x.yml
Expand Up @@ -8,7 +8,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.8.1'
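Review bot: The task name `1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present` in cis_1.1.8.x.yml repeats the 1.1.7.1 name from cis_1.1.7.x.yml, while the section entry for 1.1.8.x in section_1/main.yml is `Configure /dev/shm`; the name looks copy-pasted and misreports which mount the warning is about in play output and in the warning count. Suggest `- name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /dev/shm | Present"`, and since the `required_mount` value for this task is outside the shown lines, confirm it is `/dev/shm` rather than a copied `/home`. The task continues past the end of this hunk.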
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.2.x.yml
Expand Up @@ -71,7 +71,8 @@
- "{{ dnf_configured.stdout_lines }}"

- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.3'
when:
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.6.1.x.yml
Expand Up @@ -97,7 +97,8 @@
when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0

- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0
vars:
warn_control_id: '1.6.1.6'
51 changes: 34 additions & 17 deletions tasks/section_1/main.yml
@@ -1,54 +1,71 @@
---

- name: "SECTION | 1.1.1.x | Disable unused filesystems"
ansible.builtin.import_tasks: cis_1.1.1.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.1.x.yml

- name: "SECTION | 1.1.2.x | Configure /tmp"
ansible.builtin.import_tasks: cis_1.1.2.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.2.x.yml

- name: "SECTION | 1.1.3.x | Configure /var"
ansible.builtin.import_tasks: cis_1.1.3.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.3.x.yml

- name: "SECTION | 1.1.4.x | Configure /var/tmp"
ansible.builtin.import_tasks: cis_1.1.4.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.4.x.yml

- name: "SECTION | 1.1.5.x | Configure /var/log"
ansible.builtin.import_tasks: cis_1.1.5.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.5.x.yml

- name: "SECTION | 1.1.6.x | Configure /var/log/audit"
ansible.builtin.import_tasks: cis_1.1.6.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.6.x.yml

- name: "SECTION | 1.1.7.x | Configure /home"
ansible.builtin.import_tasks: cis_1.1.7.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.7.x.yml

- name: "SECTION | 1.1.8.x | Configure /dev/shm"
ansible.builtin.import_tasks: cis_1.1.8.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.8.x.yml

- name: "SECTION | 1.1.9 | Disable various mounting"
ansible.builtin.import_tasks: cis_1.1.9.yml
ansible.builtin.import_tasks:
file: cis_1.1.9.yml

- name: "SECTION | 1.2 | Configure Software Updates"
ansible.builtin.import_tasks: cis_1.2.x.yml
ansible.builtin.import_tasks:
file: cis_1.2.x.yml

- name: "SECTION | 1.3 | Filesystem Integrity Checking"
ansible.builtin.import_tasks: cis_1.3.x.yml
ansible.builtin.import_tasks:
file: cis_1.3.x.yml
when: amzn2023cis_config_aide

- name: "SECTION | 1.4 | Secure Boot Settings"
ansible.builtin.import_tasks: cis_1.4.x.yml
ansible.builtin.import_tasks:
file: cis_1.4.x.yml

- name: "SECTION | 1.5 | Additional Process Hardening"
ansible.builtin.import_tasks: cis_1.5.x.yml
ansible.builtin.import_tasks:
file: cis_1.5.x.yml

- name: "SECTION | 1.6 | Mandatory Access Control"
include_tasks: cis_1.6.1.x.yml
ansible.builtin.include_tasks:
file: cis_1.6.1.x.yml
when: not amzn2023cis_selinux_disable

- name: "SECTION | 1.7 | Command Line Warning Banners"
ansible.builtin.import_tasks: cis_1.7.x.yml
ansible.builtin.import_tasks:
file: cis_1.7.x.yml

- name: "SECTION | 1.8 | Updates and Patches"
ansible.builtin.import_tasks: cis_1.8.yml
ansible.builtin.import_tasks:
file: cis_1.8.yml

- name: "SECTION | 1.9 | Crypto policies"
include_tasks: cis_1.9.yml
ansible.builtin.include_tasks:
file: cis_1.9.yml
3 changes: 2 additions & 1 deletion tasks/section_2/cis_2.4.yml
Expand Up @@ -25,7 +25,8 @@
- "{{ amzn2023cis_2_4_sockets.stdout_lines }}"

- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '2.4'
when:
12 changes: 8 additions & 4 deletions tasks/section_2/main.yml
@@ -1,13 +1,17 @@
---

- name: "SECTION | 2.1 | Time Synchronization"
ansible.builtin.import_tasks: cis_2.1.x.yml
ansible.builtin.import_tasks:
file: cis_2.1.x.yml

- name: "SECTION | 2.2 | Special Purpose Services"
ansible.builtin.import_tasks: cis_2.2.x.yml
ansible.builtin.import_tasks:
file: cis_2.2.x.yml

- name: "SECTION | 2.3 | Service Clients"
ansible.builtin.import_tasks: cis_2.3.x.yml
ansible.builtin.import_tasks:
file: cis_2.3.x.yml

- name: "SECTION | 2.4 | Nonessential services removed"
ansible.builtin.import_tasks: cis_2.4.yml
ansible.builtin.import_tasks:
file: cis_2.4.yml
3 changes: 2 additions & 1 deletion tasks/section_3/cis_3.4.2.x.yml
Expand Up @@ -47,7 +47,8 @@
- not amzn2023cis_nft_tables_autonewtable

- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- amzn2023cis_3_4_2_2_nft_tables.stdout | length == 0
- not amzn2023cis_nft_tables_autonewtable
15 changes: 10 additions & 5 deletions tasks/section_3/main.yml
@@ -1,16 +1,21 @@
---

- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
ansible.builtin.import_tasks: cis_3.1.x.yml
ansible.builtin.import_tasks:
file: cis_3.1.x.yml

- name: "SECTION | 3.2.x | Network Parameters (Host Only)"
ansible.builtin.import_tasks: cis_3.2.x.yml
ansible.builtin.import_tasks:
file: cis_3.2.x.yml

- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
ansible.builtin.import_tasks: cis_3.3.x.yml
ansible.builtin.import_tasks:
file: cis_3.3.x.yml

- name: "SECTION | 3.4.1.x | Firewall configuration"
ansible.builtin.import_tasks: cis_3.4.1.x.yml
ansible.builtin.import_tasks:
file: cis_3.4.1.x.yml

- name: "SECTION | 3.4.2.x | Configure firewall"
ansible.builtin.import_tasks: cis_3.4.2.x.yml
ansible.builtin.import_tasks:
file: cis_3.4.2.x.yml
3 changes: 2 additions & 1 deletion tasks/section_4/cis_4.6.1.x.yml
Expand Up @@ -113,7 +113,8 @@
- not amzn2023cis_futurepwchgdate_autofix

- name: "4.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- amzn2023cis_4_6_1_5_user_list.stdout | length > 0
- not amzn2023cis_futurepwchgdate_autofix