From 14f054dce9080744a0159be392c45f73fb641991 Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Sat, 13 Jul 2024 18:12:23 +0100 Subject: [PATCH] Add support for Debian --- defaults/main.yaml | 4 +++- meta/main.yaml | 5 ++++- tasks/aide.yaml | 2 +- tasks/auditd.yaml | 9 +++++++++ tasks/cron.yaml | 4 ++-- tasks/main.yaml | 6 ++++++ vars/os/Debian.yaml | 2 ++ vars/os/RedHat.yaml | 1 + 8 files changed, 28 insertions(+), 5 deletions(-) create mode 100644 vars/os/Debian.yaml create mode 100644 vars/os/RedHat.yaml diff --git a/defaults/main.yaml b/defaults/main.yaml index f664805..414af2f 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml @@ -1,2 +1,4 @@ --- -cis_hide_proc: false \ No newline at end of file +cis_hide_proc: false + +cis_cron_service_name: crond \ No newline at end of file diff --git a/meta/main.yaml b/meta/main.yaml index c29a65e..f0972ae 100644 --- a/meta/main.yaml +++ b/meta/main.yaml @@ -3,7 +3,7 @@ allow_duplicates: false galaxy_info: role_name: cis - author: Andrew Williams + author: nikdoof description: Configures a RHEL systems to CIS specs license: MIT @@ -13,6 +13,9 @@ galaxy_info: - name: RedHat versions: - 8 + - name: Debian + versions: + - bookworm collections: - ansible.posix diff --git a/tasks/aide.yaml b/tasks/aide.yaml index 23cb51a..e394d2d 100644 --- a/tasks/aide.yaml +++ b/tasks/aide.yaml @@ -2,7 +2,7 @@ - name: Install AIDE ansible.builtin.package: name: aide - state: installed + state: present notify: init aide - name: Install AIDE crontab ansible.builtin.copy: diff --git a/tasks/auditd.yaml b/tasks/auditd.yaml index 3971b3b..197cadf 100644 --- a/tasks/auditd.yaml +++ b/tasks/auditd.yaml @@ -1,4 +1,13 @@ --- +- name: Install auditd + ansible.builtin.package: + name: auditd + state: present +- name: Start auditd + ansible.builtin.service: + name: auditd + state: started + enabled: true - name: Copy main CIS benchmark ruleset ansible.builtin.copy: src: auditd/cis-hardening.rules 
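Review bot: The new `cis_cron_service_name: crond` default is undocumented, and defaults/main.yaml is the file a role consumer reads to learn what is tunable. Add a comment above it explaining that the value is a systemd unit name and that vars/os/Debian.yaml overrides it with `cron`, e.g. `# Name of the cron service unit; overridden per OS family from vars/os/*.yaml`. The file also still ends without a trailing newline on the new side.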
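Review bot: The platforms list now advertises Debian bookworm, but the `description` a few lines above in the same file still reads "Configures a RHEL systems to CIS specs", so Galaxy will show contradictory metadata. Change it to `description: Configures RHEL and Debian systems to CIS specs` in this commit. Whether the auditd and cron changes are the whole of what bookworm needs is not something this diff shows, so a short note in the README about the tested Debian scope would help too.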
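Review bot: The new `Install auditd` task hard-codes `name: auditd`, but on RedHat-family hosts the audit daemon ships in the `audit` package, so this task is expected to fail on the RHEL 8 platform the role still declares; the commit's own vars/os mechanism is the right place for this. Make it `name: "{{ cis_auditd_package_name }}"`, add `cis_auditd_package_name: audit` to vars/os/RedHat.yaml (currently an empty document) and `cis_auditd_package_name: auditd` to vars/os/Debian.yaml, with the RedHat value also in defaults/main.yaml. Separately, `Start auditd` runs before the CIS ruleset is copied, so the rules are only active on first run if the copy task triggers a restart or augenrules reload; that task's `notify` is outside this hunk, so please confirm it.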
diff --git a/tasks/cron.yaml b/tasks/cron.yaml index 040d13c..718678f 100644 --- a/tasks/cron.yaml +++ b/tasks/cron.yaml @@ -1,7 +1,7 @@ --- -- name: Enable crond +- name: Enable cron ansible.builtin.service: - name: crond + name: "{{ cis_cron_service_name }}" state: started enabled: true - name: Set cron file security diff --git a/tasks/main.yaml b/tasks/main.yaml index 2bdc7e3..7813212 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,4 +1,10 @@ --- +- name: CIS - Get OS specific vars + include_vars: "{{ item }}" + with_first_found: + - "os/{{ ansible_os_family }}/{{ ansible_distribution_major_version }}.yaml" + - "os/{{ ansible_os_family }}.yaml" + - include_tasks: auditd.yaml - include_tasks: limits.yaml - include_tasks: proc.yaml diff --git a/vars/os/Debian.yaml b/vars/os/Debian.yaml new file mode 100644 index 0000000..5697805 --- /dev/null +++ b/vars/os/Debian.yaml @@ -0,0 +1,2 @@ +--- +cis_cron_service_name: cron \ No newline at end of file diff --git a/vars/os/RedHat.yaml b/vars/os/RedHat.yaml new file mode 100644 index 0000000..73b314f --- /dev/null +++ b/vars/os/RedHat.yaml @@ -0,0 +1 @@ +--- \ No newline at end of file
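Review bot: The new vars task uses the short module name `include_vars` while every other task in the role uses the fully qualified form (`ansible.builtin.package`, `ansible.builtin.service`), so it should be `ansible.builtin.include_vars: "{{ item }}"` for consistency and to avoid collection-resolution surprises. Note that `with_first_found` without `skip: true` fails the play on any host whose `ansible_os_family` has no file under vars/os/; that is a reasonable guard for a hardening role, but the resulting "No file was found" error is opaque, so a comment stating the intent, e.g. `# Fails on purpose for OS families this role has not been validated against`, would save the next reader a puzzle. This task also depends on gathered facts, which the role itself does not guarantee.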