updated section1

README.md

@@ -8,7 +8,7 @@ Configure RHEL/Centos 7 machine to be [CIS](https://www.cisecurity.org/cis-bench
 
 This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
 
-Based on [CIS RedHat Enterprise Linux 7 Benchmark v2.1.1 - 01-31-2017 ](https://community.cisecurity.org/collab/public/index.php).
+Based on [CIS RedHat Enterprise Linux 7 Benchmark v3.0.1 - 09-21-2020 ](https://community.cisecurity.org/collab/public/index.php).
 
 This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
 

defaults/main.yml

@@ -1,6 +1,5 @@
 ---
 # defaults file for RHEL7-CIS
-rhel7cis_oscap_scan: false
 rhel7cis_report_dir: /tmp
 
 rhel7cis_skip_for_travis: false
@@ -16,19 +15,22 @@ rhel7cis_section6: true
 
 rhel7cis_selinux_disable: false
 
+# change to false if using EFI boot changes 1.1.1.4 to stop vfat
+rhel7cis_legacy_boot: true
+
+# if set true uses the tmp.mount service else using fstab configuration
+rhel7cis_tmp_svc: false
+
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
 # You must enable an entire section in order for the variables below to take effect.
 # Section 1 rules
+rhel7cis_tmp_svc
 rhel7cis_rule_1_1_1_1: true
 rhel7cis_rule_1_1_1_2: true
 rhel7cis_rule_1_1_1_3: true
 rhel7cis_rule_1_1_1_4: true
-rhel7cis_rule_1_1_1_5: true
-rhel7cis_rule_1_1_1_6: true
-rhel7cis_rule_1_1_1_7: true
-rhel7cis_rule_1_1_1_8: true
 rhel7cis_rule_1_1_2: true
 rhel7cis_rule_1_1_3: true
 rhel7cis_rule_1_1_4: true
@@ -50,35 +52,40 @@ rhel7cis_rule_1_1_19: true
 rhel7cis_rule_1_1_20: true
 rhel7cis_rule_1_1_21: true
 rhel7cis_rule_1_1_22: true
+rhel7cis_rule_1_1_23: true
+rhel7cis_rule_1_1_24: true
 rhel7cis_rule_1_2_1: true
 rhel7cis_rule_1_2_2: true
 rhel7cis_rule_1_2_3: true
 rhel7cis_rule_1_2_4: true
 rhel7cis_rule_1_2_5: true
 rhel7cis_rule_1_3_1: true
 rhel7cis_rule_1_3_2: true
+rhel7cis_rule_1_3_3: true
 rhel7cis_rule_1_4_1: true
 rhel7cis_rule_1_4_2: true
-rhel7cis_rule_1_4_3: true
 rhel7cis_rule_1_5_1: true
 rhel7cis_rule_1_5_2: true
 rhel7cis_rule_1_5_3: true
-rhel7cis_rule_1_5_4: true
-rhel7cis_rule_1_6_1_1: true
-rhel7cis_rule_1_6_1_2: true
-rhel7cis_rule_1_6_1_3: true
-rhel7cis_rule_1_6_1_4: true
-rhel7cis_rule_1_6_1_5: true
-rhel7cis_rule_1_6_1_6: true
+rhel7cis_rule_1_6_1: true
 rhel7cis_rule_1_6_2: true
+rhel7cis_rule_1_6_3: true
+rhel7cis_rule_1_6_4: true
 rhel7cis_rule_1_7_1_1: true
 rhel7cis_rule_1_7_1_2: true
 rhel7cis_rule_1_7_1_3: true
 rhel7cis_rule_1_7_1_4: true
 rhel7cis_rule_1_7_1_5: true
 rhel7cis_rule_1_7_1_6: true
-rhel7cis_rule_1_7_2: true
-rhel7cis_rule_1_8: true
+rhel7cis_rule_1_7_1_7: true
+rhel7cis_rule_1_7_1_8: true
+rhel7cis_rule_1_8_1_1: true
+rhel7cis_rule_1_8_1_2: true
+rhel7cis_rule_1_8_1_3: true
+rhel7cis_rule_1_8_1_4: true
+rhel7cis_rule_1_8_1_5: true
+rhel7cis_rule_1_8_1_6: true
+rhel7cis_rule_1_9: true
 
 # Section 2 rules
 rhel7cis_rule_2_1_1: true
@@ -286,6 +293,10 @@ rhel7cis_squid: false
 rhel7cis_net_snmp: false
 rhel7cis_allow_autofs: false
 
+## Section 1 vars
+# 1.3.3 var log location variable
+rhel7cis_varlog_location: "/var/log/sudo.log"
+
 # xinetd required
 rhel7cis_xinetd_required: false
 

handlers/main.yml

@@ -26,6 +26,18 @@
       masked: no
       state: reloaded
 
+- name: remount tmp
+  become: yes
+  command: mount -o remount /tmp
+
+- name: remount dev_shm
+  become: yes
+  command: mount -o remount /dev/shm
+
+- name: remount var_tmp
+  become: yes
+  command: mount -o remount /var/tmp
+
 - name: systemd restart var-tmp.mount
   become: yes
   systemd:
@@ -35,10 +47,18 @@
       masked: no
       state: reloaded
 
+- name: remount /home
+  become: yes
+  command: mount -o remount /home
+
 - name: generate new grub config
   become: yes
   command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"
 
+- name: update dconf
+  become: yes
+  command: dconf update
+
 - name: restart firewalld
   become: yes
   service:

tasks/main.yml

@@ -11,17 +11,11 @@
 
 - name: Check ansible version
   fail:
-      msg: You must use ansible 2.1 or greater
-  when: not ansible_version.full is version_compare('2.1', '>=')
+      msg: You must use ansible 2.8 or greater
+  when: not ansible_version.full is version_compare('2.8', '>=')
   tags:
       - always
 
-- name: Install OpenSCAP and run a report
-  import_tasks: audit_oscap_scan_before.yml
-  when: rhel7cis_oscap_scan
-  tags:
-      - oscapreport
-
 - include: prelim.yml
   become: yes
   tags:
@@ -62,9 +56,3 @@
   tags:
       - post_tasks
       - always
-
-- name: run the OpenSCAP reporting tool again
-  import_tasks: audit_oscap_scan_after.yml
-  when: rhel7cis_oscap_scan
-  tags:
-      - oscapreport