• This repository has been archived on 23/Nov/2019

Ansible playbooks for CIS Benchmarks on RHEL/CentOS 6

Ansible + CIS Benchmarks + RHEL/CentOS 6

This is an Ansible playbook for automatically applying CIS Security Benchmarks to a system running Red Hat Enterprise Linux 6 or CentOS 6.

RHEL 7 and CentOS 7 benchmarks are coming soon.

What are these benchmarks?

The Center for Internet Security publishes security benchmarks for various systems. Refer to the CIS site as the authoritative site for anything regarding these benchmarks. You can join their community and contribute to the security benchmarks project.

Please be aware that I'm not affiliated with CIS in any way and the data in this repository has absolutely no relation to CIS.

What does this playbook do?

The playbook will attempt to configure your system to meet as many of the CIS security benchmarks as possible. Any benchmarks marked as "not scored" or benchmarks that are only checks will be skipped.

For full details and caveats, refer to the notes.

How do I run it?

WAIT! DANGER!

http://media.giphy.com/media/7U1XfwZ94okRW/giphy.gif

Don't run this blindly on an actively running system. The playbook will make serious modifications to your system that could affect its availability.

Basic operation

Perform a dry run first:

ansible-playbook -i hosts -C playbook.yml

If you're really really ready to apply changes, run it in regular mode:

ansible-playbook -i hosts playbook.yml

Advanced options

Tags are available for running a section at a time:

# Test only items from section 4
ansible-playbook -i hosts -C playbook.yml -t section4

# Apply changes only from items in section 4, 5, and 6
ansible-playbook -i hosts playbook.yml -t section4,section5,section6

The checks are also broken up into Level 1 and Level 2 checks:

  • Level 1: Good security improvements with less impact on production workloads
  • Level 2: Strong security improvements with greater impact on production workloads

Running checks for a particular level is easy:

ansible-playbook -i hosts playbook.yml -t level1
ansible-playbook -i hosts playbook.yml -t level2
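As an added example (not part of the repository), a POSIX sh wrapper that enforces the dry-run-first rule above for a given tag list: it runs the playbook in check mode, parses the PLAY RECAP, and applies only when no host failed or was unreachable. It assumes the hosts inventory and playbook.yml from the commands above are in the current directory.

```shell
#!/bin/sh
# Added example, not from the cis-rhel-ansible repository. Enforces the
# README's advice: check mode (-C) first, apply only when the dry run is clean.
# Assumes the inventory file "hosts" and playbook.yml in the current directory.

# Return 0 only when the recap on stdin has at least one host line and every
# host shows failed=0 and unreachable=0.
recap_is_clean() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && / : / {
            hosts++
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "failed" || kv[1] == "unreachable") && kv[2] + 0 > 0) bad++
            }
        }
        END { if (hosts > 0 && bad == 0) exit 0; exit 1 }'
}

# Print the number of tasks the run would change, summed over all hosts, so
# the operator sees how invasive the apply will be before confirming.
recap_changed_total() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && / : / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "changed") total += kv[2]
            }
        }
        END { print total + 0 }'
}

# Dry-run the given tag list (e.g. "section4,level1"), then apply only when
# the dry run was clean and the operator types "yes".
# usage: safe_apply section4,level1
safe_apply() {
    tags="$1"
    recap=$(ansible-playbook -i hosts -C playbook.yml -t "$tags" 2>&1) || { printf '%s\n' "$recap"; return 1; }
    printf '%s\n' "$recap" | recap_is_clean || { echo "dry run reported failures; not applying" >&2; return 1; }
    echo "dry run OK: $(printf '%s\n' "$recap" | recap_changed_total) change(s) pending for tags $tags"
    printf 'Apply these changes now? (yes/no) '
    read -r answer
    [ "$answer" = "yes" ] || { echo "aborted"; return 1; }
    ansible-playbook -i hosts playbook.yml -t "$tags"
}
```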

How is this playbook licensed?

It's licensed under the Apache License 2.0. The quick summary is:

A permissive license that gives you broad freedom with the software, including an explicit grant of patent rights. "State changes" means that you have to include a notice in each file you modified.

Something doesn't work. You're awful at ansible playbooks.

Pull requests and GitHub issues are welcome!

-- Major
