hardening corrections

nazunalika 2020-12-11 17:31:21 -07:00
parent 42abf5df58
commit 67e17edf7a


@ -213,6 +213,8 @@
group: root group: root
mode: '0644' mode: '0644'
line: "install {{ item }} /bin/true" line: "install {{ item }} /bin/true"
state: present
create: true
with_items: "{{ modprobe_unused_filesystems }}" with_items: "{{ modprobe_unused_filesystems }}"
tags: tags:
- harden - harden
@ -223,7 +225,7 @@
state: present state: present
regexp: ^umask regexp: ^umask
line: "umask 027" line: "umask 027"
create: yes create: true
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
@ -240,8 +242,8 @@
content: | content: |
Defaults use_pty Defaults use_pty
Defaults logfile="/var/log/sudo.log" Defaults logfile="/var/log/sudo.log"
tags: tags:
- harden - harden
- name: Remove packages not allowed by CIS - name: Remove packages not allowed by CIS
package: package:
@ -282,16 +284,6 @@
- kernel - kernel
- harden - harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Grub command line defaults - name: Grub command line defaults
copy: copy:
dest: "/etc/default/grub.d/99-rocky.cfg" dest: "/etc/default/grub.d/99-rocky.cfg"
@ -304,19 +296,6 @@
- kernel - kernel
- harden - harden
- name: Grub command line defaults
template:
src: etc/default/grub.d/99-aoc.cfg.j2
dest: /etc/default/grub.d/99-aoc.cfg
owner: root
group: root
mode: '0644'
backup: true
tags:
- grub
- kernel
- harden
- name: rebuild grub - name: rebuild grub
command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }} command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
tags: tags:
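Review bot: With the "Append /etc/default/grub file" task gone (fourth hunk), nothing visible in this file makes `grub2-mkconfig` read `/etc/default/grub.d`, yet the retained "Grub command line defaults" task still writes its settings to `/etc/default/grub.d/99-rocky.cfg`. If the target's `grub2-mkconfig` does not source that directory on its own, the hardening kernel arguments will be silently missing from the config that "rebuild grub" generates, while the play still reports success. Either write the settings where `/etc/default/grub` is known to pick them up, or add a check after "rebuild grub" that fails when the expected arguments are absent from the generated file. At minimum, put a comment on the copy task such as `# relies on grub2-mkconfig sourcing /etc/default/grub.d - verify on the target release`. The "rebuild grub" task continues past the end of the last hunk, so any handler or `changed_when` it may carry is not visible here.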