Configure a RHEL 8 server to conform CIS Benchmarks.
Be carefull before to use this role, it might break your systems.
There is one boolean variable per item cis_rhel8_<section>_<subitem1>_<subitem2>(_<subitem3>)? that will apply or not the associated remediation. By default the role will remediate all the items. Be carefull to set proper variables to false if your systems have specific a specific need.
For instance, if you don't want to setup a bootloader password (1.5.2 - Ensure bootloader password is set), set the variable cis_rhel8_1_5_2 to false.
For some items, you can configure one or more variables. For example, if you decide to set up a bootloaded password, you can set your own or decide to reset it with:
cis_rhel8_grub_password: mynewsecurepassword(this variable should probably be vaulted)cis_rhel8_reset_grub_password: true
By default, those customization variables are set to the recommended value by the CIS Benchmarks.
Apply all remediations using default values:
$ cat cis.yml
---
- hosts: rhel8_servers
roles:
- role: cis-rhel8
$ ansible-playbook cis.yml
Apply only section 1 (Initial Setup):
$ cat cis.yml
---
- hosts: rhel8_servers
vars:
cis_rhel8_5_2_11: false
roles:
- role: cis-rhel8
$ ansible-playbook cis.yml -t section1
Apply only level 1 items, do not remediate a few items (1.4.1 Ensure AIDE is installed and 5.2.6 Ensure SSH X11 forwarding is disabled) and customize 5.2.5 Ensure SSH LogLevel is appropriate:
$ cat cis.yml
---
- hosts: rhel8_servers
vars:
cis_rhel8_1_4_1: false
cis_rhel8_5_2_6: false
cis_rhel8_sshd_log_level: DEBUG
roles:
- role: cis-rhel8
$ ansible-playbook cis.yml -t level1
BSD
Jérémy Bertozzi [email protected]