├── .github └── workflows │ ├── ci.yml │ └── release.yml ├── .yamllint ├── LICENSE ├── README.md ├── defaults └── main.yml ├── handlers └── main.yml ├── meta └── main.yml ├── tasks └── main.yml ├── tests ├── inventory └── test.yml └── vars └── main.yml /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CI 3 | 'on': 4 | pull_request: 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - master 9 | schedule: 10 | - cron: "0 1 * * 3" 11 | 12 | defaults: 13 | run: 14 | working-directory: 'redhatofficial.rhel8-cui' 15 | 16 | jobs: 17 | 18 | lint: 19 | name: Lint 20 | runs-on: ubuntu-latest 21 | steps: 22 | - name: Check out the codebase. 23 | uses: actions/checkout@v2 24 | with: 25 | path: 'redhatofficial.rhel8-cui' 26 | 27 | - name: Set up Python 3. 28 | uses: actions/setup-python@v2 29 | with: 30 | python-version: '3.x' 31 | 32 | - name: Install test dependencies. 33 | run: pip3 install yamllint 34 | 35 | - name: Lint code. 36 | run: | 37 | yamllint . 38 | 39 | # molecule: 40 | # name: Molecule 41 | # runs-on: ubuntu-latest 42 | # strategy: 43 | # matrix: 44 | # distro: 45 | # - centos8 46 | # 47 | # steps: 48 | # - name: Check out the codebase. 49 | # uses: actions/checkout@v2 50 | # with: 51 | # path: 'redhatofficial.rhel8-cui' 52 | # 53 | # - name: Set up Python 3. 54 | # uses: actions/setup-python@v2 55 | # with: 56 | # python-version: '3.x' 57 | # 58 | # - name: Install test dependencies. 59 | # run: pip3 install ansible molecule[docker] docker 60 | # 61 | # - name: Destroy existing molecule 62 | # run: molecule destroy --scenario-name default 63 | # 64 | # - name: Run Molecule tests. 
65 | # run: molecule -vvv test --scenario-name default 66 | # env: 67 | # PY_COLORS: '1' 68 | # ANSIBLE_FORCE_COLOR: '1' 69 | # MOLECULE_DISTRO: ${{ matrix.distro }} 70 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This workflow requires a GALAXY_API_KEY secret present in the GitHub 3 | # repository or organization. 4 | # The key is handed to ansible-galaxy as a command-line argument in the final step, so it is readable by any other process on the runner through the process list; passing it through an environment variable keeps it out of argv. Both this workflow and ci.yml reference actions by mutable tag (@v2); pinning each `uses:` to a full commit SHA protects the release path against a re-pointed or compromised tag. 5 | # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy 6 | # See: https://github.com/ansible/galaxy/issues/46 7 | 8 | name: Release 9 | 'on': 10 | workflow_dispatch: 11 | push: 12 | tags: 13 | - '*' 14 | 15 | defaults: 16 | run: 17 | working-directory: 'redhatofficial.rhel8-cui' 18 | 19 | jobs: 20 | 21 | release: 22 | name: Release 23 | runs-on: ubuntu-latest 24 | steps: 25 | - name: Check out the codebase. 26 | uses: actions/checkout@v2 27 | with: 28 | path: 'redhatofficial.rhel8-cui' 29 | 30 | - name: Set up Python 3. 31 | uses: actions/setup-python@v2 32 | with: 33 | python-version: '3.x' 34 | 35 | - name: Install Ansible. 36 | run: pip3 install ansible-base 37 | 38 | - name: Trigger a new import on Galaxy. 
39 | run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} --role-name $(echo ${{ github.repository }} | cut -d/ -f2 | sed 's|ansible-role-||') $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) 40 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | # Based on ansible-lint config 3 | extends: default 4 | 5 | rules: 6 | braces: {max-spaces-inside: 1, level: error} 7 | brackets: {max-spaces-inside: 1, level: error} 8 | colons: {max-spaces-after: -1, level: error} 9 | commas: {max-spaces-after: -1, level: error} 10 | comments: disable 11 | comments-indentation: disable 12 | document-start: disable 13 | empty-lines: {max: 3, level: error} 14 | hyphens: {level: error} 15 | indentation: disable 16 | key-duplicates: enable 17 | line-length: disable 18 | new-line-at-end-of-file: disable 19 | new-lines: {type: unix} 20 | trailing-spaces: disable 21 | truthy: disable 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | SPDX license identifier: BSD-3-Clause 2 | Copyright (c) 2012-2017, Red Hat, Inc. 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | * Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above copyright 10 | notice, this list of conditions and the following disclaimer in the 11 | documentation and/or other materials provided with the distribution. 
12 | * Neither the name of the Red Hat nor the 13 | names of its contributors may be used to endorse or promote products 14 | derived from this software without specific prior written permission. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY 20 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) 2 | ========= 3 | 4 | Ansible Role for Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) 5 | 6 | Profile Description: 7 | From NIST 800-171, Section 2.2: 8 | Security requirements for protecting the confidentiality of CUI in nonfederal 9 | information systems and organizations have a well-defined structure that 10 | consists of: 11 | (i) a basic security requirements section; 12 | (ii) a derived security requirements section. 13 | The basic security requirements are obtained from FIPS Publication 200, which 14 | provides the high-level and fundamental security requirements for federal 15 | information and information systems. 
The derived security requirements, which 16 | supplement the basic security requirements, are taken from the security controls 17 | in NIST Special Publication 800-53. 18 | This profile configures Red Hat Enterprise Linux 8 to the NIST Special 19 | Publication 800-53 controls identified for securing Controlled Unclassified 20 | Information (CUI). 21 | 22 | The tasks that are used in this role are generated using OpenSCAP. 23 | See the OpenSCAP project for more details on Ansible playbook generation at [https://github.com/OpenSCAP/openscap](https://github.com/OpenSCAP/openscap) 24 | 25 | To submit a fix or enhancement for an Ansible task that is failing or missing in this role, 26 | see the ComplianceAsCode project at [https://github.com/ComplianceAsCode/content](https://github.com/ComplianceAsCode/content) 27 | 28 | Requirements 29 | ------------ 30 | 31 | - Ansible version 2.9 or higher 32 | 33 | Role Variables 34 | -------------- 35 | 36 | To customize the role to your liking, check out the [list of variables](defaults/main.yml). 37 | 38 | Dependencies 39 | ------------ 40 | 41 | N/A 42 | 43 | Example Role Usage 44 | ---------------- 45 | 46 | Run `ansible-galaxy install RedHatOfficial.rhel8_cui` to 47 | download and install the role. Then, you can use the following playbook snippet to run the Ansible role: 48 | 49 | - hosts: all 50 | roles: 51 | - { role: RedHatOfficial.rhel8_cui } 52 | 53 | Next, check the playbook on the localhost (dry run, nothing is changed) with the following example: 54 | 55 | ansible-playbook -i "localhost," -c local --check playbook.yml 56 | 57 | To deploy it, use (this may change the configuration of your local machine!): 58 | 59 | ansible-playbook -i "localhost," -c local playbook.yml 60 | 61 | License 62 | ------- 63 | 64 | BSD-3-Clause 65 | 66 | Author Information 67 | ------------------ 68 | 69 | This Ansible remediation role has been generated from the body of security 70 | policies developed by the ComplianceAsCode project. 
Please see 71 | [https://github.com/complianceascode/content/blob/master/Contributors.md](https://github.com/complianceascode/content/blob/master/Contributors.md) 72 | for an updated list of authors and contributors. 73 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for rhel8_cui: tunable rule parameters first (var_*, sysctl_*_value, sshd_*), kept as quoted strings so numeric-looking values such as '027' are not retyped by the YAML parser; then one boolean switch per rule id, STIG id and severity/strategy class, all defaulting to true (presumably these gate the generated tasks via when: conditions, so overriding one to false skips that remediation -- confirm against tasks/main.yml). 3 | var_system_crypto_policy: FIPS:OSPP 4 | var_authselect_profile: minimal 5 | var_password_pam_unix_remember: '5' 6 | var_accounts_passwords_pam_faillock_deny: '3' 7 | var_accounts_passwords_pam_faillock_fail_interval: '900' 8 | var_accounts_passwords_pam_faillock_unlock_time: '0' 9 | var_password_pam_dcredit: '-1' 10 | var_password_pam_difok: '4' 11 | var_password_pam_lcredit: '-1' 12 | var_password_pam_maxclassrepeat: '4' 13 | var_password_pam_maxrepeat: '3' 14 | var_password_pam_minlen: '12' 15 | var_password_pam_ocredit: '-1' 16 | var_password_pam_ucredit: '-1' 17 | var_accounts_max_concurrent_login_sessions: '10' 18 | var_accounts_user_umask: '027' 19 | var_auditd_flush: incremental_async 20 | var_auditd_name_format: hostname 21 | sysctl_net_ipv6_conf_all_accept_ra_value: '0' 22 | sysctl_net_ipv6_conf_all_accept_redirects_value: '0' 23 | sysctl_net_ipv6_conf_all_accept_source_route_value: '0' 24 | sysctl_net_ipv6_conf_default_accept_ra_value: '0' 25 | sysctl_net_ipv6_conf_default_accept_redirects_value: '0' 26 | sysctl_net_ipv6_conf_default_accept_source_route_value: '0' 27 | sysctl_net_ipv4_conf_all_accept_redirects_value: '0' 28 | sysctl_net_ipv4_conf_all_accept_source_route_value: '0' 29 | sysctl_net_ipv4_conf_all_log_martians_value: '1' 30 | sysctl_net_ipv4_conf_all_rp_filter_value: '1' 31 | sysctl_net_ipv4_conf_all_secure_redirects_value: '0' 32 | sysctl_net_ipv4_conf_default_accept_redirects_value: '0' 33 | sysctl_net_ipv4_conf_default_accept_source_route_value: '0' 34 | 
sysctl_net_ipv4_conf_default_log_martians_value: '1' 35 | sysctl_net_ipv4_conf_default_rp_filter_value: '1' 36 | sysctl_net_ipv4_conf_default_secure_redirects_value: '0' 37 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1' 38 | sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1' 39 | sysctl_net_ipv4_tcp_syncookies_value: '1' 40 | sysctl_kernel_kptr_restrict_value: '1' 41 | var_slub_debug_options: P 42 | var_selinux_policy_name: targeted 43 | var_selinux_state: enforcing 44 | var_ssh_client_rekey_limit_size: 1G 45 | var_ssh_client_rekey_limit_time: 1h 46 | sshd_idle_timeout_value: '840' 47 | var_rekey_limit_size: 1G 48 | var_rekey_limit_time: 1h 49 | DISA_STIG_RHEL_08_010019: true 50 | DISA_STIG_RHEL_08_010020: true 51 | DISA_STIG_RHEL_08_010040: true 52 | DISA_STIG_RHEL_08_010151: true 53 | DISA_STIG_RHEL_08_010161: true 54 | DISA_STIG_RHEL_08_010162: true 55 | DISA_STIG_RHEL_08_010170: true 56 | DISA_STIG_RHEL_08_010171: true 57 | DISA_STIG_RHEL_08_010201: true 58 | DISA_STIG_RHEL_08_010287: true 59 | DISA_STIG_RHEL_08_010292: true 60 | DISA_STIG_RHEL_08_010293: true 61 | DISA_STIG_RHEL_08_010359: true 62 | DISA_STIG_RHEL_08_010370: true 63 | DISA_STIG_RHEL_08_010371: true 64 | DISA_STIG_RHEL_08_010372: true 65 | DISA_STIG_RHEL_08_010373: true 66 | DISA_STIG_RHEL_08_010374: true 67 | DISA_STIG_RHEL_08_010375: true 68 | DISA_STIG_RHEL_08_010376: true 69 | DISA_STIG_RHEL_08_010421: true 70 | DISA_STIG_RHEL_08_010422: true 71 | DISA_STIG_RHEL_08_010423: true 72 | DISA_STIG_RHEL_08_010450: true 73 | DISA_STIG_RHEL_08_010500: true 74 | DISA_STIG_RHEL_08_010521: true 75 | DISA_STIG_RHEL_08_010522: true 76 | DISA_STIG_RHEL_08_010550: true 77 | DISA_STIG_RHEL_08_010570: true 78 | DISA_STIG_RHEL_08_010571: true 79 | DISA_STIG_RHEL_08_010580: true 80 | DISA_STIG_RHEL_08_010670: true 81 | DISA_STIG_RHEL_08_010671: true 82 | DISA_STIG_RHEL_08_010672: true 83 | DISA_STIG_RHEL_08_010673: true 84 | DISA_STIG_RHEL_08_010674: true 85 | DISA_STIG_RHEL_08_010675: 
true 86 | DISA_STIG_RHEL_08_020011: true 87 | DISA_STIG_RHEL_08_020012: true 88 | DISA_STIG_RHEL_08_020013: true 89 | DISA_STIG_RHEL_08_020014: true 90 | DISA_STIG_RHEL_08_020015: true 91 | DISA_STIG_RHEL_08_020024: true 92 | DISA_STIG_RHEL_08_020039: true 93 | DISA_STIG_RHEL_08_020040: true 94 | DISA_STIG_RHEL_08_020070: true 95 | DISA_STIG_RHEL_08_020110: true 96 | DISA_STIG_RHEL_08_020120: true 97 | DISA_STIG_RHEL_08_020130: true 98 | DISA_STIG_RHEL_08_020140: true 99 | DISA_STIG_RHEL_08_020150: true 100 | DISA_STIG_RHEL_08_020170: true 101 | DISA_STIG_RHEL_08_020230: true 102 | DISA_STIG_RHEL_08_020280: true 103 | DISA_STIG_RHEL_08_020330: true 104 | DISA_STIG_RHEL_08_020331: true 105 | DISA_STIG_RHEL_08_020332: true 106 | DISA_STIG_RHEL_08_020353: true 107 | DISA_STIG_RHEL_08_030061: true 108 | DISA_STIG_RHEL_08_030062: true 109 | DISA_STIG_RHEL_08_030063: true 110 | DISA_STIG_RHEL_08_030180: true 111 | DISA_STIG_RHEL_08_030181: true 112 | DISA_STIG_RHEL_08_030601: true 113 | DISA_STIG_RHEL_08_030602: true 114 | DISA_STIG_RHEL_08_030670: true 115 | DISA_STIG_RHEL_08_030741: true 116 | DISA_STIG_RHEL_08_030742: true 117 | DISA_STIG_RHEL_08_040001: true 118 | DISA_STIG_RHEL_08_040002: true 119 | DISA_STIG_RHEL_08_040004: true 120 | DISA_STIG_RHEL_08_040021: true 121 | DISA_STIG_RHEL_08_040022: true 122 | DISA_STIG_RHEL_08_040023: true 123 | DISA_STIG_RHEL_08_040024: true 124 | DISA_STIG_RHEL_08_040025: true 125 | DISA_STIG_RHEL_08_040026: true 126 | DISA_STIG_RHEL_08_040100: true 127 | DISA_STIG_RHEL_08_040101: true 128 | DISA_STIG_RHEL_08_040111: true 129 | DISA_STIG_RHEL_08_040120: true 130 | DISA_STIG_RHEL_08_040121: true 131 | DISA_STIG_RHEL_08_040122: true 132 | DISA_STIG_RHEL_08_040123: true 133 | DISA_STIG_RHEL_08_040124: true 134 | DISA_STIG_RHEL_08_040125: true 135 | DISA_STIG_RHEL_08_040126: true 136 | DISA_STIG_RHEL_08_040127: true 137 | DISA_STIG_RHEL_08_040128: true 138 | DISA_STIG_RHEL_08_040129: true 139 | DISA_STIG_RHEL_08_040130: true 140 | 
DISA_STIG_RHEL_08_040131: true 141 | DISA_STIG_RHEL_08_040132: true 142 | DISA_STIG_RHEL_08_040133: true 143 | DISA_STIG_RHEL_08_040134: true 144 | DISA_STIG_RHEL_08_040135: true 145 | DISA_STIG_RHEL_08_040136: true 146 | DISA_STIG_RHEL_08_040139: true 147 | DISA_STIG_RHEL_08_040141: true 148 | DISA_STIG_RHEL_08_040159: true 149 | DISA_STIG_RHEL_08_040161: true 150 | DISA_STIG_RHEL_08_040170: true 151 | DISA_STIG_RHEL_08_040172: true 152 | DISA_STIG_RHEL_08_040180: true 153 | DISA_STIG_RHEL_08_040209: true 154 | DISA_STIG_RHEL_08_040210: true 155 | DISA_STIG_RHEL_08_040220: true 156 | DISA_STIG_RHEL_08_040230: true 157 | DISA_STIG_RHEL_08_040239: true 158 | DISA_STIG_RHEL_08_040240: true 159 | DISA_STIG_RHEL_08_040249: true 160 | DISA_STIG_RHEL_08_040250: true 161 | DISA_STIG_RHEL_08_040261: true 162 | DISA_STIG_RHEL_08_040262: true 163 | DISA_STIG_RHEL_08_040270: true 164 | DISA_STIG_RHEL_08_040279: true 165 | DISA_STIG_RHEL_08_040280: true 166 | DISA_STIG_RHEL_08_040281: true 167 | DISA_STIG_RHEL_08_040282: true 168 | DISA_STIG_RHEL_08_040283: true 169 | DISA_STIG_RHEL_08_040284: true 170 | DISA_STIG_RHEL_08_040285: true 171 | DISA_STIG_RHEL_08_040286: true 172 | DISA_STIG_RHEL_08_040370: true 173 | DISA_STIG_RHEL_08_040380: true 174 | accounts_max_concurrent_login_sessions: true 175 | accounts_password_pam_dcredit: true 176 | accounts_password_pam_difok: true 177 | accounts_password_pam_lcredit: true 178 | accounts_password_pam_maxclassrepeat: true 179 | accounts_password_pam_maxrepeat: true 180 | accounts_password_pam_minlen: true 181 | accounts_password_pam_ocredit: true 182 | accounts_password_pam_ucredit: true 183 | accounts_password_pam_unix_remember: true 184 | accounts_passwords_pam_faillock_deny: true 185 | accounts_passwords_pam_faillock_interval: true 186 | accounts_passwords_pam_faillock_unlock_time: true 187 | accounts_umask_etc_bashrc: true 188 | accounts_umask_etc_csh_cshrc: true 189 | accounts_umask_etc_profile: true 190 | audit_access_failed: 
true 191 | audit_access_success: true 192 | audit_basic_configuration: true 193 | audit_create_failed: true 194 | audit_create_success: true 195 | audit_delete_failed: true 196 | audit_delete_success: true 197 | audit_immutable_login_uids: true 198 | audit_modify_failed: true 199 | audit_modify_success: true 200 | audit_module_load: true 201 | audit_ospp_general: true 202 | audit_owner_change_failed: true 203 | audit_owner_change_success: true 204 | audit_perm_change_failed: true 205 | audit_perm_change_success: true 206 | auditd_data_retention_flush: true 207 | auditd_freq: true 208 | auditd_local_events: true 209 | auditd_log_format: true 210 | auditd_name_format: true 211 | auditd_write_logs: true 212 | chronyd_client_only: true 213 | chronyd_no_chronyc_network: true 214 | configure_bashrc_exec_tmux: true 215 | configure_crypto_policy: true 216 | configure_kerberos_crypto_policy: true 217 | configure_libreswan_crypto_policy: true 218 | configure_openssl_crypto_policy: true 219 | configure_ssh_crypto_policy: true 220 | configure_strategy: true 221 | configure_tmux_lock_after_time: true 222 | configure_tmux_lock_command: true 223 | coredump_disable_backtraces: true 224 | coredump_disable_storage: true 225 | disable_ctrlaltdel_burstaction: true 226 | disable_ctrlaltdel_reboot: true 227 | disable_host_auth: true 228 | disable_strategy: true 229 | disable_users_coredumps: true 230 | enable_authselect: true 231 | enable_dracut_fips_module: true 232 | enable_fips_mode: true 233 | enable_strategy: true 234 | ensure_gpgcheck_globally_activated: true 235 | ensure_gpgcheck_local_packages: true 236 | ensure_gpgcheck_never_disabled: true 237 | ensure_redhat_gpgkey_installed: true 238 | grub2_audit_argument: true 239 | grub2_audit_backlog_limit_argument: true 240 | grub2_disable_recovery: true 241 | grub2_kernel_trust_cpu_rng: true 242 | grub2_page_poison_argument: true 243 | grub2_pti_argument: true 244 | grub2_slub_debug_argument: true 245 | grub2_vsyscall_argument: true 
246 | high_disruption: true 247 | high_severity: true 248 | kerberos_disable_no_keytab: true 249 | kernel_module_atm_disabled: true 250 | kernel_module_bluetooth_disabled: true 251 | kernel_module_can_disabled: true 252 | kernel_module_cramfs_disabled: true 253 | kernel_module_sctp_disabled: true 254 | kernel_module_tipc_disabled: true 255 | low_complexity: true 256 | low_disruption: true 257 | low_severity: true 258 | medium_complexity: true 259 | medium_disruption: true 260 | medium_severity: true 261 | mount_option_boot_nodev: true 262 | mount_option_boot_nosuid: true 263 | mount_option_dev_shm_nodev: true 264 | mount_option_dev_shm_noexec: true 265 | mount_option_dev_shm_nosuid: true 266 | mount_option_home_nodev: true 267 | mount_option_home_nosuid: true 268 | mount_option_nodev_nonroot_local_partitions: true 269 | mount_option_tmp_nodev: true 270 | mount_option_tmp_noexec: true 271 | mount_option_tmp_nosuid: true 272 | mount_option_var_log_audit_nodev: true 273 | mount_option_var_log_audit_noexec: true 274 | mount_option_var_log_audit_nosuid: true 275 | mount_option_var_log_nodev: true 276 | mount_option_var_log_noexec: true 277 | mount_option_var_log_nosuid: true 278 | mount_option_var_nodev: true 279 | mount_option_var_tmp_nodev: true 280 | mount_option_var_tmp_noexec: true 281 | mount_option_var_tmp_nosuid: true 282 | no_empty_passwords: true 283 | no_reboot_needed: true 284 | openssl_use_strong_entropy: true 285 | package_abrt_addon_ccpp_removed: true 286 | package_abrt_addon_kerneloops_removed: true 287 | package_abrt_cli_removed: true 288 | package_abrt_plugin_sosreport_removed: true 289 | package_abrt_removed: true 290 | package_aide_installed: true 291 | package_audit_installed: true 292 | package_chrony_installed: true 293 | package_crypto_policies_installed: true 294 | package_dnf_automatic_installed: true 295 | package_dnf_plugin_subscription_manager_installed: true 296 | package_fapolicyd_installed: true 297 | package_firewalld_installed: true 298 
| package_gnutls_utils_installed: true 299 | package_gssproxy_removed: true 300 | package_iprutils_removed: true 301 | package_krb5_workstation_removed: true 302 | package_libreport_plugin_logger_removed: true 303 | package_libreport_plugin_rhtsupport_removed: true 304 | package_nfs_utils_removed: true 305 | package_openscap_scanner_installed: true 306 | package_openssh_clients_installed: true 307 | package_openssh_server_installed: true 308 | package_policycoreutils_installed: true 309 | package_policycoreutils_python_utils_installed: true 310 | package_python3_abrt_addon_removed: true 311 | package_rsyslog_installed: true 312 | package_scap_security_guide_installed: true 313 | package_sendmail_removed: true 314 | package_subscription_manager_installed: true 315 | package_sudo_installed: true 316 | package_tmux_installed: true 317 | package_usbguard_installed: true 318 | reboot_required: true 319 | require_singleuser_auth: true 320 | restrict_strategy: true 321 | securetty_root_login_console_only: true 322 | selinux_policytype: true 323 | selinux_state: true 324 | service_auditd_enabled: true 325 | service_debug_shell_disabled: true 326 | service_fapolicyd_enabled: true 327 | service_firewalld_enabled: true 328 | service_kdump_disabled: true 329 | service_systemd_coredump_disabled: true 330 | service_usbguard_enabled: true 331 | ssh_client_rekey_limit: true 332 | ssh_client_use_strong_rng_csh: true 333 | ssh_client_use_strong_rng_sh: true 334 | sshd_disable_empty_passwords: true 335 | sshd_disable_gssapi_auth: true 336 | sshd_disable_kerb_auth: true 337 | sshd_disable_root_login: true 338 | sshd_enable_strictmodes: true 339 | sshd_enable_warning_banner: true 340 | sshd_rekey_limit: true 341 | sshd_set_idle_timeout: true 342 | sshd_set_keepalive_0: true 343 | sshd_use_strong_rng: true 344 | sysctl_fs_protected_hardlinks: true 345 | sysctl_fs_protected_symlinks: true 346 | sysctl_kernel_core_pattern: true 347 | sysctl_kernel_dmesg_restrict: true 348 | 
sysctl_kernel_kexec_load_disabled: true 349 | sysctl_kernel_kptr_restrict: true 350 | sysctl_kernel_perf_event_paranoid: true 351 | sysctl_kernel_unprivileged_bpf_disabled: true 352 | sysctl_kernel_yama_ptrace_scope: true 353 | sysctl_net_core_bpf_jit_harden: true 354 | sysctl_net_ipv4_conf_all_accept_redirects: true 355 | sysctl_net_ipv4_conf_all_accept_source_route: true 356 | sysctl_net_ipv4_conf_all_log_martians: true 357 | sysctl_net_ipv4_conf_all_rp_filter: true 358 | sysctl_net_ipv4_conf_all_secure_redirects: true 359 | sysctl_net_ipv4_conf_all_send_redirects: true 360 | sysctl_net_ipv4_conf_default_accept_redirects: true 361 | sysctl_net_ipv4_conf_default_accept_source_route: true 362 | sysctl_net_ipv4_conf_default_log_martians: true 363 | sysctl_net_ipv4_conf_default_rp_filter: true 364 | sysctl_net_ipv4_conf_default_secure_redirects: true 365 | sysctl_net_ipv4_conf_default_send_redirects: true 366 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts: true 367 | sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true 368 | sysctl_net_ipv4_ip_forward: true 369 | sysctl_net_ipv4_tcp_syncookies: true 370 | sysctl_net_ipv6_conf_all_accept_ra: true 371 | sysctl_net_ipv6_conf_all_accept_redirects: true 372 | sysctl_net_ipv6_conf_all_accept_source_route: true 373 | sysctl_net_ipv6_conf_default_accept_ra: true 374 | sysctl_net_ipv6_conf_default_accept_redirects: true 375 | sysctl_net_ipv6_conf_default_accept_source_route: true 376 | sysctl_user_max_user_namespaces: true 377 | unknown_severity: true 378 | unknown_strategy: true 379 | usbguard_allow_hid_and_hub: true 380 | use_pam_wheel_for_su: true 381 | zipl_audit_argument: true 382 | zipl_audit_backlog_limit_argument: true 383 | zipl_bootmap_is_up_to_date: true 384 | zipl_page_poison_argument: true 385 | zipl_slub_debug_argument: true 386 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 
1 | --- 2 | # handlers file for ansible-role-rhel8-cui -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | role_name: rhel8_cui 3 | author: ComplianceAsCode development team 4 | description: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) 5 | 6 | issue_tracker_url: https://github.com/ComplianceAsCode/content/issues 7 | 8 | license: BSD-3-Clause 9 | 10 | min_ansible_version: 2.9 11 | 12 | platforms: 13 | - name: EL 14 | versions: 15 | - 8 16 | 17 | galaxy_tags: [system, hardening, openscap, ssg, scap, security, compliance, complianceascode, 18 | redhatofficial, redhat, rhel8, cui] 19 | 20 | 21 | dependencies: [] 22 | -------------------------------------------------------------------------------- /tests/inventory: -------------------------------------------------------------------------------- 1 | localhost 2 | 3 | -------------------------------------------------------------------------------- /tests/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | roles: 5 | - ansible-role-rhel8-cui -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for rhel8_cui (currently empty): role-internal constants belong here; user-tunable values stay in defaults/main.yml so they can be overridden at lower precedence 3 | --------------------------------------------------------------------------------