Harden Linux



Server | Playbook | Task | Module | Change
JC-HardenTestharden_rhel7.ymlAD.1.1.1.0.0 | PATCH_RHEL | PASSWORD | Implement all password controls for key common services (PAM)community.general.system.pamd
JC-HardenTestharden_rhel7.ymlAD.1.1.1.1 | PATCH_RHEL | PASSWORD | Default maximum password age (login.defs)ansible.builtin.lineinfile
"--- before: /etc/login.defs (content)
+++ after: /etc/login.defs (content)
@@ -22,7 +22,7 @@
 #\tPASS_MIN_LEN\tMinimum acceptable password length.
 #\tPASS_WARN_AGE\tNumber of days warning given before a password expires.
 #
-PASS_MAX_DAYS\t99999
+PASS_MAX_DAYS 90
 PASS_MIN_DAYS\t0
 PASS_MIN_LEN\t5
 PASS_WARN_AGE\t7

"

after_header: /etc/login.defs (file attributes)
before_header: /etc/login.defs (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.1.1.2 | PATCH_RHEL | PASSWORD | Per-userid password age setting, in days (shadow)ansible.builtin.user
JC-HardenTestharden_rhel7.ymlAD.1.1.2 | PATCH_RHEL | PASSWORD | Default password minimal length (login.defs)ansible.builtin.lineinfile
"--- before: /etc/login.defs (content)
+++ after: /etc/login.defs (content)
@@ -24,7 +24,7 @@
 #
 PASS_MAX_DAYS 90
 PASS_MIN_DAYS\t0
-PASS_MIN_LEN\t5
+PASS_MIN_LEN 8
 PASS_WARN_AGE\t7
 
 #

"

after_header: /etc/login.defs (file attributes)
before_header: /etc/login.defs (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.1.2 | PATCH_RHEL | PASSWORD | Complexity (PAM)community.general.system.pamd
JC-HardenTestharden_rhel7.ymlAD.1.1.3.1 | PATCH_RHEL | PASSWORD | Default minimum number of days that must elapse between password changes (login.defs)ansible.builtin.lineinfile
"--- before: /etc/login.defs (content)
+++ after: /etc/login.defs (content)
@@ -23,7 +23,7 @@
 #\tPASS_WARN_AGE\tNumber of days warning given before a password expires.
 #
 PASS_MAX_DAYS 90
-PASS_MIN_DAYS\t0
+PASS_MIN_DAYS 1
 PASS_MIN_LEN 8
 PASS_WARN_AGE\t7
 

"

after_header: /etc/login.defs (file attributes)
before_header: /etc/login.defs (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.1.3.2 | PATCH_RHEL | PASSWORD | Per-userid min number of days between user-initiated password changes (shadow)ansible.builtin.user
JC-HardenTestharden_rhel7.ymlAD.1.1.4.1 | PATCH_RHEL | PASSWORD | Prevent reuse of last eight passwords (PAM)community.general.system.pamd
JC-HardenTestharden_rhel7.ymlAD.1.1.6.0 | PATCH_RHEL | PASSWORD | Threshold for consecutive failed login attempts (PAM)community.general.system.pamd
JC-HardenTestharden_rhel7.ymlAD.1.1.9.1 | PATCH_RHEL | PASSWORD | Exemptions to password rules, Non expiring passwordansible.builtin.lineinfile
"--- before: /etc/login.defs (content)
+++ after: /etc/login.defs (content)
@@ -22,7 +22,7 @@
 #\tPASS_MIN_LEN\tMinimum acceptable password length.
 #\tPASS_WARN_AGE\tNumber of days warning given before a password expires.
 #
-PASS_MAX_DAYS 90
+PASS_MAX_DAYS           99999
 PASS_MIN_DAYS 1
 PASS_MIN_LEN 8
 PASS_WARN_AGE\t7
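Review bot: Rewriting the system-wide `PASS_MAX_DAYS` to 99999 reverts the 90-day default that the AD.1.1.1.1 hunk above set in the same file, so every account created after this run gets a non-expiring password rather than only the exempted ones. An exemption for particular service accounts belongs in those accounts' shadow entries (`chage -M 99999 <account>`, or the `ansible.builtin.user` module that AD.1.1.1.2 already uses, via `password_expire_max` where the installed ansible-core supports it), leaving the login.defs default at 90. The run of spaces in the new line (`PASS_MAX_DAYS           99999`) also suggests the `line` value was pasted from another template; normalise it to `PASS_MAX_DAYS 90` once the exemption moves out of login.defs.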

"

after_header: /etc/login.defs (file attributes)
before_header: /etc/login.defs (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.1.10.1 | PATCH_RHEL | PASSWORD | Value of login shell attribute in /etc/passwd must be /sbin/nologinansible.builtin.lineinfile
JC-HardenTestharden_rhel7.ymlAD.1.1.12.1 | PATCH_RHEL | PASSWORD | "x","!", "!!", or "*" specified in the password (2nd) field of the useridansible.builtin.lineinfile
JC-HardenTestharden_rhel7.ymlAD.1.2.1.1 | PATCH_RHEL | LOGGING | Implement logging for syslog systemsansible.builtin.copy
after: '*.info;mail.none;authpriv.none;cron.none /var/log/messages

    authpriv.* /var/log/secure'
after_header: /runner/project/roles/harden-rhel7/files/AD_1_2_1_1_rhel.j2
before: ''
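Review bot: The destination recorded in `after_header`, `/runner/project/roles/harden-rhel7/files/AD_1_2_1_1_rhel.j2`, is the role's own files directory inside the execution environment, not a path rsyslog reads, so the two selectors shown in `after` have no effect on the target host's logging. It looks like the copy task's `src` and `dest` were swapped, or `dest` was left pointing at the template; the expected destination would be a file under `/etc/rsyslog.d/` on the managed host, with a notify of the rsyslog handler. Confirm against the task definition in harden_rhel7.yml, which is not on this page.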

JC-HardenTestharden_rhel7.ymlAD.1.2.1.3 | PATCH_RHEL | LOGGING | Implement rsyslog.confansible.builtin.blockinfile
"--- before: /etc/rsyslog.conf (content)
+++ after: /etc/rsyslog.conf (content)
@@ -21,6 +21,12 @@
 
 
 #### GLOBAL DIRECTIVES ####
+# BEGIN ANSIBLE MANAGED BLOCK
+filter f_authpriv { facility(authpriv); };
+destination authpriv { file(\"/var/log/secure;RSYSLOG_TraditionalFileFormat\"); };
+source src { internal(); };
+log { source(src); filter(f_authpriv); destination(authpriv); };
+# END ANSIBLE MANAGED BLOCK
 
 # Where to place auxiliary files
 $WorkDirectory /var/lib/rsyslog

"

after_header: /etc/rsyslog.conf (file attributes)
before_header: /etc/rsyslog.conf (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.2.1.4 | PATCH_RHEL | LOGGING | rsyslog.conf additionansible.builtin.blockinfile
"--- before: /etc/rsyslog.conf (content)
+++ after: /etc/rsyslog.conf (content)
@@ -22,10 +22,9 @@
 
 #### GLOBAL DIRECTIVES ####
 # BEGIN ANSIBLE MANAGED BLOCK
-filter f_authpriv { facility(authpriv); };
-destination authpriv { file(\"/var/log/secure;RSYSLOG_TraditionalFileFormat\"); };
-source src { internal(); };
-log { source(src); filter(f_authpriv); destination(authpriv); };
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+*.info;mail.none;authpriv.none;cron.none /var/log/messages
+authpriv.* /var/log/secure
 # END ANSIBLE MANAGED BLOCK
 
 # Where to place auxiliary files
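Review bot: The block this hunk replaces was written one step earlier by the AD.1.2.1.3 task (hunk ending at L110) in syslog-ng syntax (`filter`/`destination`/`source`/`log`), which rsyslog cannot parse, and because both tasks use the same `# BEGIN/END ANSIBLE MANAGED BLOCK` marker every run will report both as changed and briefly leave rsyslog.conf invalid. Drop or repoint AD.1.2.1.3 (or give it a distinct `marker`) so the file converges in one step. Separately, the stock RHEL 7 rsyslog.conf carries `*.info;mail.none;authpriv.none;cron.none /var/log/messages` and `authpriv.* /var/log/secure` in its RULES section below this hunk; if those lines are still present on the host, each matching message is now written twice. A `validate: rsyslogd -N1 -f %s` on these tasks would catch the syntax problem before the service is restarted.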

"

after_header: /etc/rsyslog.conf (file attributes)
before_header: /etc/rsyslog.conf (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.2.4.1 | PATCH_RHEL | LOGGING | Creating /var/log/faillog fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.20.1.2.2 | PATCH_RHEL | LOGGING | audit.log must existansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.1 | PATCH_RHEL | LOGGING | audit.rules must contain /usr permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -3,3 +3,4 @@
 
 
 
+-a exit,always -F path=/usr -F perm=a
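Review bot: `-F path=` matches a single inode, so `-a exit,always -F path=/usr -F perm=a` audits attribute changes on the `/usr` directory entry itself and nothing beneath it; the same applies to the `/etc`, `/var/log`, `/tmp`, `/etc/default` and `/etc/snmpd` rules in the hunks ending at L173, L187, L201, L285 and L425. Directory coverage needs the recursive form, e.g. `-a always,exit -F dir=/etc -F perm=wa -k config_changes` (equivalently `-w /etc -p wa -k config_changes`), and a `-k` key on every rule makes the events retrievable with `ausearch -k`. On RHEL 7 auditd normally regenerates `/etc/audit/audit.rules` from `/etc/audit/rules.d/*.rules` through `augenrules --load` at service start, so lines written directly to audit.rules (the file looks otherwise empty in this run's context lines) are likely to be discarded on the next restart; write them to a file under rules.d and have a handler reload auditd. Note also that `perm=a` on the log files (hunks ending at L215 through L299) records only metadata changes; if the control is meant to catch truncation or tampering, `perm=wa` is the usual choice.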

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.2 | PATCH_RHEL | LOGGING | audit.rules must contain /etc permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -4,3 +4,4 @@
 
 
 -a exit,always -F path=/usr -F perm=a
+-a exit,always -F path=/etc -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.3 | PATCH_RHEL | LOGGING | audit.rules must contain /var/log permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -5,3 +5,4 @@
 
 -a exit,always -F path=/usr -F perm=a
 -a exit,always -F path=/etc -F perm=a
+-a exit,always -F path=/var/log -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.4 | PATCH_RHEL | LOGGING | audit.rules must contain /tmp permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -6,3 +6,4 @@
 -a exit,always -F path=/usr -F perm=a
 -a exit,always -F path=/etc -F perm=a
 -a exit,always -F path=/var/log -F perm=a
+-a exit,always -F path=/tmp -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.5 | PATCH_RHEL | LOGGING | audit.rules must contain /var/log/faillog permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -7,3 +7,4 @@
 -a exit,always -F path=/etc -F perm=a
 -a exit,always -F path=/var/log -F perm=a
 -a exit,always -F path=/tmp -F perm=a
+-a exit,always -F path=/var/log/faillog -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.6 | PATCH_RHEL | LOGGING | audit.rules must contain /var/log/messages permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -8,3 +8,4 @@
 -a exit,always -F path=/var/log -F perm=a
 -a exit,always -F path=/tmp -F perm=a
 -a exit,always -F path=/var/log/faillog -F perm=a
+-a exit,always -F path=/var/log/messages -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.7 | PATCH_RHEL | LOGGING | audit.rules must contain /var/log/wtmp permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -9,3 +9,4 @@
 -a exit,always -F path=/tmp -F perm=a
 -a exit,always -F path=/var/log/faillog -F perm=a
 -a exit,always -F path=/var/log/messages -F perm=a
+-a exit,always -F path=/var/log/wtmp -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.8 | PATCH_RHEL | LOGGING | audit.rules must contain /var/log/secure permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -10,3 +10,4 @@
 -a exit,always -F path=/var/log/faillog -F perm=a
 -a exit,always -F path=/var/log/messages -F perm=a
 -a exit,always -F path=/var/log/wtmp -F perm=a
+-a exit,always -F path=/var/log/secure -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.9 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/ssh/sshd_config permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -11,3 +11,4 @@
 -a exit,always -F path=/var/log/messages -F perm=a
 -a exit,always -F path=/var/log/wtmp -F perm=a
 -a exit,always -F path=/var/log/secure -F perm=a
+-a exit,always -F path=/etc/ssh/sshd_config -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.10 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/default permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -12,3 +12,4 @@
 -a exit,always -F path=/var/log/wtmp -F perm=a
 -a exit,always -F path=/var/log/secure -F perm=a
 -a exit,always -F path=/etc/ssh/sshd_config -F perm=wa
+-a exit,always -F path=/etc/default -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.11 | PATCH_RHEL | LOGGING | audit.rules must contain /var/log/audit/audit.log permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -13,3 +13,4 @@
 -a exit,always -F path=/var/log/secure -F perm=a
 -a exit,always -F path=/etc/ssh/sshd_config -F perm=wa
 -a exit,always -F path=/etc/default -F perm=wa
+-a exit,always -F path=/var/log/audit/audit.log -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.12 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/audit/auditd.conf permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -14,3 +14,4 @@
 -a exit,always -F path=/etc/ssh/sshd_config -F perm=wa
 -a exit,always -F path=/etc/default -F perm=wa
 -a exit,always -F path=/var/log/audit/audit.log -F perm=a
+-a exit,always -F path=/etc/audit/auditd.conf -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.13 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/audit/audit.rules permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -15,3 +15,4 @@
 -a exit,always -F path=/etc/default -F perm=wa
 -a exit,always -F path=/var/log/audit/audit.log -F perm=a
 -a exit,always -F path=/etc/audit/auditd.conf -F perm=wa
+-a exit,always -F path=/etc/audit/audit.rules -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.14 | PATCH_RHEL | LOGGING | audit.rules must contain /sbin/auditctl permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -16,3 +16,4 @@
 -a exit,always -F path=/var/log/audit/audit.log -F perm=a
 -a exit,always -F path=/etc/audit/auditd.conf -F perm=wa
 -a exit,always -F path=/etc/audit/audit.rules -F perm=wa
+-a exit,always -F path=/sbin/auditctl -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.15 | PATCH_RHEL | LOGGING | audit.rules must contain /sbin/auditd permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -17,3 +17,4 @@
 -a exit,always -F path=/etc/audit/auditd.conf -F perm=wa
 -a exit,always -F path=/etc/audit/audit.rules -F perm=wa
 -a exit,always -F path=/sbin/auditctl -F perm=a
+-a exit,always -F path=/sbin/auditd -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.16 | PATCH_RHEL | LOGGING | audit.rules must contain /sbin/ausearch permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -18,3 +18,4 @@
 -a exit,always -F path=/etc/audit/audit.rules -F perm=wa
 -a exit,always -F path=/sbin/auditctl -F perm=a
 -a exit,always -F path=/sbin/auditd -F perm=a
+-a exit,always -F path=/sbin/ausearch -F perm=a

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.18 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/syslog.conf permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -19,3 +19,4 @@
 -a exit,always -F path=/sbin/auditctl -F perm=a
 -a exit,always -F path=/sbin/auditd -F perm=a
 -a exit,always -F path=/sbin/ausearch -F perm=a
+-a exit,always -F path=/etc/syslog.conf -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.19 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/snmpd.conf permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -20,3 +20,4 @@
 -a exit,always -F path=/sbin/auditd -F perm=a
 -a exit,always -F path=/sbin/ausearch -F perm=a
 -a exit,always -F path=/etc/syslog.conf -F perm=wa
+-a exit,always -F path=/etc/snmpd.conf -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.20 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/snmp/snmpd.conf permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -21,3 +21,4 @@
 -a exit,always -F path=/sbin/ausearch -F perm=a
 -a exit,always -F path=/etc/syslog.conf -F perm=wa
 -a exit,always -F path=/etc/snmpd.conf -F perm=wa
+-a exit,always -F path=/etc/snmp/snmpd.conf -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.21 | PATCH_RHEL | LOGGING | audit.rules must contain /etc/snmpd/snmpd.conf permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -22,3 +22,4 @@
 -a exit,always -F path=/etc/syslog.conf -F perm=wa
 -a exit,always -F path=/etc/snmpd.conf -F perm=wa
 -a exit,always -F path=/etc/snmp/snmpd.conf -F perm=wa
+-a exit,always -F path=/etc/snmpd/snmpd.conf -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.22 | PATCH_RHEL | LOGGING | audit.rules must contain /root/.rhosts permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -23,3 +23,4 @@
 -a exit,always -F path=/etc/snmpd.conf -F perm=wa
 -a exit,always -F path=/etc/snmp/snmpd.conf -F perm=wa
 -a exit,always -F path=/etc/snmpd/snmpd.conf -F perm=wa
+-a exit,always -F path=/root/.rhosts -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.20.1.2.3.23 | PATCH_RHEL | LOGGING | audit.rules must contain /root/.netrc permsansible.builtin.lineinfile
"--- before: /etc/audit/audit.rules (content)
+++ after: /etc/audit/audit.rules (content)
@@ -24,3 +24,4 @@
 -a exit,always -F path=/etc/snmp/snmpd.conf -F perm=wa
 -a exit,always -F path=/etc/snmpd/snmpd.conf -F perm=wa
 -a exit,always -F path=/root/.rhosts -F perm=wa
+-a exit,always -F path=/root/.netrc -F perm=wa

"

after_header: /etc/audit/audit.rules (file attributes)
before_header: /etc/audit/audit.rules (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.5.1.2 | PATCH_RHEL | NETWORK SETTINGS | Anonymous FTP - ftp account home directoryansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.5.8.8 | PATCH_RHEL | NETWORK SETTINGS | NETSTAT must be enabled for monitoringansible.builtin.yum
JC-HardenTestharden_rhel7.ymlAD.1.5.9.18 | PATCH_RHEL | NETWORK SETTINGS | NO REMEDIATION | SNMP community string set to publicansible.builtin.lineinfile
"--- before: /etc/snmp/snmpd.conf (content)
+++ after: /etc/snmp/snmpd.conf (content)
@@ -38,7 +38,6 @@
 # First, map the community name \"public\" into a \"security name\"
 
 #       sec.name  source          community
-com2sec notConfigUser  default       public
 
 ####
 # Second, map the security name into a group name:
@@ -109,7 +108,6 @@
 
 # First, map the community name \"public\" into a \"security name\"
 #       sec.name        source          community
-#com2sec notConfigUser   default         public
 
 # Second, map the security name into a group name:
 #       groupName       securityModel   securityName
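Review bot: Deleting the only `com2sec` line leaves snmpd, which the AD.99.1.13 task later keeps enabled, with no community or user mapped at all, so any monitoring that relied on it stops unless an SNMPv3 user or a site-specific community is configured elsewhere; if that is intended, the task name `NO REMEDIATION` is misleading, because the diff shows the file was modified. The second hunk removes a commented-out example line, which changes nothing functionally but suggests the task's regexp matches both `com2sec` and `#com2sec`, wider than the control needs. Replace the line with a non-default, read-only community restricted by source (or an SNMPv3 `rouser`) rather than leaving the daemon with no access mapping, and rename the task to say what it does.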

"

after_header: /etc/snmp/snmpd.conf (file attributes)
before_header: /etc/snmp/snmpd.conf (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.5.9.20 | PATCH_RHEL | NETWORK SETTINGS | Enable tcp syncookies to prevent syn flooding (sysctl.conf)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.1.5.9.21 | PATCH_RHEL | NETWORK SETTINGS | Turn off ICMP broadcasts (sysctl.conf)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.1.5.9.22 | PATCH_RHEL | NETWORK SETTINGS | Disable ICMP Redirect Acceptance (sysctl.conf)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.1.8.2.1 | PATCH_RHEL | OSR | Creating root/.rhosts fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.2.2 | PATCH_RHEL | OSR | Creating root/.netrc fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.4.1 | PATCH_RHEL | OSR | Setting permissions on /etc/security/passwd fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.4.2 | PATCH_RHEL | OSR | Setting permissions on /etc/shadow fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.6.1 | PATCH_RHEL | OSR | Setting permissions on /var/log/faillog fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.6.2 | PATCH_RHEL | OSR | Setting permissions on /var/log/tallylog fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.7.1 | PATCH_RHEL | OSR | Setting permissions on /var/log/messages fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.7.2 | PATCH_RHEL | OSR | Setting permissions on /var/log/wtmp fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.8 | PATCH_RHEL | OSR | Setting permissions on /var/log/secure fileansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.9 | PATCH_RHEL | OSR | Setting permissions on /tmp directoryansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.10 | PATCH_RHEL | OSR | Setting permissions on snmpd.confansible.builtin.file
JC-HardenTestharden_rhel7.ymlAD.1.8.11 | PATCH_RHEL | OSR | Setting permissions on /var/tmp directoryansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.12.3 | PATCH_RHEL | OSR | Setting permissions on /var/log/wtmp directoryansible.builtin.file
after
...

before
...

JC-HardenTestharden_rhel7.ymlAD.1.8.22.3 | PATCH_RHEL | OSR | Files in /usr/local should not have other write / executeansible.builtin.file
JC-HardenTestharden_rhel7.ymlAD.1.8.22.4 | PATCH_RHEL | OSR | Files in /tmp should not have other write / executeansible.builtin.file
JC-HardenTestharden_rhel7.ymlAD.1.9.1.2 | PATCH_RHEL | OSR | Default UMASK /etc/bashrcansible.builtin.lineinfile
"--- before: /etc/bashrc (content)
+++ after: /etc/bashrc (content)
@@ -70,7 +70,7 @@
     if [ $UID -gt 199 ] && [ \"`/usr/bin/id -gn`\" = \"`/usr/bin/id -un`\" ]; then
        umask 002
     else
-       umask 022
+umask x77
     fi
 
     SHELL=/bin/bash
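Review bot: `umask x77` is not a valid octal mode, so every interactive shell that reaches the `else` branch prints `umask: x77: octal number out of range` and keeps its inherited umask; the control is not applied and users see an error at login. The replacement line should be `       umask 077`, indented like the `umask 002` above it, and its value should agree with what the playbook sets in login.defs for the same users. The surrounding shell block of /etc/bashrc starts outside the hunk.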

"

after_header: /etc/bashrc (file attributes)
before_header: /etc/bashrc (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.9.1.2.1 | PATCH_RHEL | OSR | Default UMASK /etc/login.defsansible.builtin.lineinfile
"--- before: /etc/login.defs (content)
+++ after: /etc/login.defs (content)
@@ -70,3 +70,4 @@
 # Use SHA512 to encrypt password.
 ENCRYPT_METHOD SHA512 
 
+umask 077
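Review bot: `/etc/login.defs` directives are upper-case, so the appended `umask 077` is not a recognised setting and has no effect; the directive is `UMASK 077`. Stock RHEL 7 login.defs normally ships a `UMASK` line already (it would lie above this hunk, so it cannot be confirmed here), and the lineinfile should target it with a `^UMASK\s` regexp rather than append, which also avoids adding a duplicate line on every run. The unrecognised lower-case line is still visible in the later AD.99.1.60 hunk (L819), so nothing downstream corrects it.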

"

after_header: /etc/login.defs (file attributes)
before_header: /etc/login.defs (file attributes)

JC-HardenTestharden_rhel7.ymlAD.1.9.1.7 | PATCH_RHEL | OSR | Default UMASK (multiple files)ansible.builtin.lineinfile
JC-HardenTestharden_rhel7.ymlAD.99.1.2 | PATCH_RHEL | BUILD SPECIFIC | Network Time Protocol (NTP) should be installedansible.builtin.yum
JC-HardenTestharden_rhel7.ymlAD.99.1.2 | PATCH_RHEL | BUILD SPECIFIC | Network Time Protocol (NTP) should be enabledansible.builtin.service
JC-HardenTestharden_rhel7.ymlAD.99.1.8 | PATCH_RHEL | BUILD SPECIFIC | IPV6 should be disabled (net.ipv6.conf.all.disable_ipv6)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.8 | PATCH_RHEL | BUILD SPECIFIC | IPV6 should be disabled (net.ipv6.conf.default.disable_ipv6)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.10 | PATCH_RHEL | BUILD SPECIFIC | Enable Network Autonegotiateansible.builtin.lineinfile
"--- before: /etc/sysconfig/network-scripts/ifcfg-ens192 (content)
+++ after: /etc/sysconfig/network-scripts/ifcfg-ens192 (content)
@@ -15,3 +15,4 @@
 UUID=\"f415b800-14dd-4e10-8e5a-480c2aa228bf\"
 DEVICE=\"ens192\"
 ONBOOT=\"yes\"
+ETHTOOL_OPTS=\"autoneg on\"

"

after_header: /etc/sysconfig/network-scripts/ifcfg-ens192 (file attributes)
before_header: /etc/sysconfig/network-scripts/ifcfg-ens192 (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.13 | PATCH_RHEL | BUILD SPECIFIC | SNMP should be enabledansible.builtin.service
JC-HardenTestharden_rhel7.ymlAD.99.1.14 | PATCH_RHEL | BUILD SPECIFIC | Iptables should be installedansible.builtin.yum
JC-HardenTestharden_rhel7.ymlAD.99.1.15 | PATCH_RHEL | BUILD SPECIFIC | Firewalld should be disabledansible.builtin.service
JC-HardenTestharden_rhel7.ymlAD.99.1.16 | PATCH_RHEL | BUILD SPECIFIC | Selinux should be disabledansible.posix.selinux
JC-HardenTestharden_rhel7.ymlAD.99.1.17 | PATCH_RHEL | BUILD SPECIFIC | biosdevname should be disabledansible.builtin.lineinfile
"--- before: /etc/default/grub (content)
+++ after: /etc/default/grub (content)
@@ -3,5 +3,5 @@
 GRUB_DEFAULT=saved
 GRUB_DISABLE_SUBMENU=true
 GRUB_TERMINAL_OUTPUT=\"console\"
-GRUB_CMDLINE_LINUX=\"rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet\"
+GRUB_CMDLINE_LINUX=\"rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet biosdevname=0\"
 GRUB_DISABLE_RECOVERY=\"true\"
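Review bot: Editing `GRUB_CMDLINE_LINUX` in `/etc/default/grub` changes nothing at the next boot until grub.cfg is regenerated, and no `grub2-mkconfig` task or handler appears in this run (the only handler shown is `restart ssh` at the end). Add a handler notified by this task, e.g. `command: grub2-mkconfig -o /boot/grub2/grub.cfg` (on UEFI hosts the path is `/boot/efi/EFI/redhat/grub.cfg`), so `biosdevname=0` actually reaches the kernel command line. Because the interface name `ens192` is hard-coded in the ifcfg hunk above (L621), be aware that turning biosdevname off can rename interfaces on hosts that currently use `em`/`p`-style names, orphaning their ifcfg files.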

"

after_header: /etc/default/grub (file attributes)
before_header: /etc/default/grub (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.20 | PATCH_RHEL | BUILD SPECIFIC | IP Forwarding should be disabledansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.43 | PATCH_RHEL | BUILD SPECIFIC | Set Daemon umaskansible.builtin.lineinfile
"--- before: /etc/sysconfig/init (content)
+++ after: /etc/sysconfig/init (content)
@@ -15,3 +15,4 @@
 SETCOLOR_WARNING=\"echo -en \\\\033[0;33m\"
 # terminal sequence to reset to the default color.
 SETCOLOR_NORMAL=\"echo -en \\\\033[0;39m\"
+umask 027
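Review bot: `/etc/sysconfig/init` is sourced only by the SysV compatibility layer (`/etc/rc.d/init.d/functions`), so on RHEL 7 the appended `umask 027` reaches legacy init scripts only; native systemd services keep their unit's `UMask=` (default 0022) and never read this file. If the control is meant to cover all daemons, set `UMask=0027` through a drop-in for the relevant units (`systemctl edit <unit>`) instead of, or in addition to, this line. The value also differs from the 077 used for login sessions in the bashrc and login.defs hunks, which is reasonable for daemons but worth stating in the task description.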

"

after_header: /etc/sysconfig/init (file attributes)
before_header: /etc/sysconfig/init (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.44 | PATCH_RHEL | BUILD SPECIFIC | Remove X Windowsansible.builtin.lineinfile
"--- before: /etc/inittab (content)
+++ after: /etc/inittab (content)
@@ -15,3 +15,4 @@
 # To set a default target, run:
 # systemctl set-default TARGET.target
 #
+id:3:initdefault:
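Review bot: On RHEL 7 `/etc/inittab` is not read by systemd — the comment lines directly above the inserted line (`# To set a default target, run:` / `# systemctl set-default TARGET.target`) say so — so `id:3:initdefault:` does not change the default target and a graphical login still starts if `graphical.target` is the default. The task should set the target instead, e.g. `command: systemctl set-default multi-user.target` (or manage the `/etc/systemd/system/default.target` symlink with `ansible.builtin.file`). A "Remove X Windows" control normally also removes or masks the display-manager packages and units; no such task appears in this run's report.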

"

after_header: /etc/inittab (file attributes)
before_header: /etc/inittab (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.45 | PATCH_RHEL | BUILD SPECIFIC | Disable Avahi Server (remove ZeroConf)ansible.builtin.lineinfile
'--- before: /etc/sysconfig/network (content)

    +++ after: /etc/sysconfig/network (content)

    @@ -1 +1,2 @@

     # Created by anaconda

    +NOZEROCONF=yes

    

'

after_header: /etc/sysconfig/network (file attributes)
before_header: /etc/sysconfig/network (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.48 | PATCH_RHEL | BUILD SPECIFIC | Disable Send Packet Redirectsansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.49 | PATCH_RHEL | BUILD SPECIFIC | Disable Source Routed Packet Acceptanceansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.50 | PATCH_RHEL | BUILD SPECIFIC | Log Suspicious Packets (all)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.50 | PATCH_RHEL | BUILD SPECIFIC | Log Suspicious Packets (default)ansible.posix.sysctl
JC-HardenTestharden_rhel7.ymlAD.99.1.54 | PATCH_RHEL | BUILD SPECIFIC | Set SSH Protocol to 2ansible.builtin.lineinfile
"--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -20,7 +20,7 @@
 #ListenAddress ::
 
 # The default requires explicit activation of protocol 1
-#Protocol 2
+Protocol 2
 
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key

"

after_header: /etc/ssh/sshd_config (file attributes)
before_header: /etc/ssh/sshd_config (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.55 | PATCH_RHEL | BUILD SPECIFIC | Set SSH LogLevel to INFOansible.builtin.lineinfile
"--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -41,7 +41,7 @@
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
-#LogLevel INFO
+LogLevel INFO
 
 # Authentication:
 

"

after_header: /etc/ssh/sshd_config (file attributes)
before_header: /etc/ssh/sshd_config (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.56 | PATCH_RHEL | BUILD SPECIFIC | Disable SSH X11 Forwardingansible.builtin.lineinfile
"--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -112,7 +112,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-X11Forwarding yes
+X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes

"

after_header: /etc/ssh/sshd_config (file attributes)
before_header: /etc/ssh/sshd_config (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.57 | PATCH_RHEL | BUILD SPECIFIC | Set SSH IgnoreRhosts to Yesansible.builtin.lineinfile
"--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -71,7 +71,7 @@
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes

"

after_header: /etc/ssh/sshd_config (file attributes)
before_header: /etc/ssh/sshd_config (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.58 | PATCH_RHEL | BUILD SPECIFIC | Set SSH PermitEmptyPasswords to Noansible.builtin.lineinfile
"--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -75,7 +75,7 @@
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords no
 PasswordAuthentication yes
 
 # Change to no to disable s/key passwords

"

after_header: /etc/ssh/sshd_config (file attributes)
before_header: /etc/ssh/sshd_config (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.59 | PATCH_RHEL | BUILD SPECIFIC | Use Only Approved Cipher in Counter Modeansible.builtin.lineinfile
"--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -151,3 +151,4 @@
 #\tAllowTcpForwarding no
 #\tPermitTTY no
 #\tForceCommand cvs server
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
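Review bot: Each sshd_config edit in this run (hunks ending at L716, L734, L752, L770, L788 and this one) is applied with lineinfile and then picked up by the `restart ssh` handler at the end with no syntax check in between, so a typo in any of them takes sshd down and, on a remote host, removes the only management path. Add `validate: /usr/sbin/sshd -t -f %s` to every one of these lineinfile tasks so the restart only happens with a configuration sshd accepts. Appending `Ciphers …` as the last line is fragile for a second reason: `Ciphers` is not permitted inside a `Match` block, and the context lines show it landing right after the (commented) `Match` example, so on a host where a real `Match` block is active at the end of the file the appended line would be rejected — use `insertbefore: '^Match'` or `insertafter` a global directive instead. Since the list restricts ciphers but not `MACs` or `KexAlgorithms`, confirm whether the same control expects those limited too; as written, `PasswordAuthentication yes` (L786) also remains in force.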

"

after_header: /etc/ssh/sshd_config (file attributes)
before_header: /etc/ssh/sshd_config (file attributes)

JC-HardenTestharden_rhel7.ymlAD.99.1.60 | PATCH_RHEL | BUILD SPECIFIC | Upgrade Password Hashing Algorithm to SHA-512ansible.builtin.lineinfile
"--- before: /etc/login.defs (content)
+++ after: /etc/login.defs (content)
@@ -68,6 +68,6 @@
 USERGROUPS_ENAB yes
 
 # Use SHA512 to encrypt password.
-ENCRYPT_METHOD SHA512 
+ENCRYPT_METHOD SHA512
 
 umask 077

"

after_header: /etc/login.defs (file attributes)
before_header: /etc/login.defs (file attributes)

JC-HardenTestharden_rhel7.ymlrestart sshansible.builtin.service