{"id":19402423,"url":"https://github.com/robertdebock/ansible-role-cis","last_synced_at":"2025-04-24T07:31:57.732Z","repository":{"id":90625705,"uuid":"282721472","full_name":"robertdebock/ansible-role-cis","owner":"robertdebock","description":"Apply and/or check recommendations from the CIS benchmarks.","archived":false,"fork":false,"pushed_at":"2025-03-06T15:39:16.000Z","size":476,"stargazers_count":21,"open_issues_count":4,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-20T10:16:38.895Z","etag":null,"topics":["ansible","cis","molecule","playbook","security","tox"],"latest_commit_sha":null,"homepage":"https://robertdebock.nl/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/robertdebock.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"robertdebock"}},"created_at":"2020-07-26T19:45:35.000Z","updated_at":"2025-04-04T12:47:29.000Z","dependencies_parsed_at":"2023-06-02T16:30:29.230Z","dependency_job_id":"a6b02af2-ff2f-4670-a4f7-514ce035ead2","html_url":"https://github.com/robertdebock/ansible-role-cis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-cis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-cis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-r
ole-cis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-cis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/robertdebock","download_url":"https://codeload.github.com/robertdebock/ansible-role-cis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250582989,"owners_count":21453933,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","cis","molecule","playbook","security","tox"],"created_at":"2024-11-10T11:23:42.118Z","updated_at":"2025-04-24T07:31:57.295Z","avatar_url":"https://github.com/robertdebock.png","language":null,"funding_links":["https://github.com/sponsors/robertdebock"],"categories":[],"sub_categories":[],"readme":"# [Ansible role cis](#cis)\n\nApply and/or check recommendations from the CIS benchmarks.\n\n|GitHub|GitLab|Downloads|Version|\n|------|------|---------|-------|\n|[![github](https://github.com/robertdebock/ansible-role-cis/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-cis/actions)|[![gitlab](https://gitlab.com/robertdebock-iac/ansible-role-cis/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-cis)|[![downloads](https://img.shields.io/ansible/role/d/robertdebock/cis)](https://galaxy.ansible.com/robertdebock/cis)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-cis.svg)](https://github.com/robertdebock/ansible-role-cis/releases/)|\n\n## [Example Playbook](#example-playbook)\n\nThis example is taken 
from [`molecule/default/converge.yml`](https://github.com/robertdebock/ansible-role-cis/blob/master/molecule/default/converge.yml) and is tested on each push, pull request and release.\n\n```yaml\n---\n- name: Converge\n  hosts: all\n  become: true\n  gather_facts: true\n\n  vars_files:\n    - defaults.yml\n\n  roles:\n    - role: robertdebock.cis\n```\n\nThe machine needs to be prepared. In CI this is done using [`molecule/default/prepare.yml`](https://github.com/robertdebock/ansible-role-cis/blob/master/molecule/default/prepare.yml):\n\n```yaml\n---\n- name: Prepare\n  hosts: all\n  become: true\n  gather_facts: false\n\n  roles:\n    - role: robertdebock.bootstrap\n    - role: robertdebock.cron\n    - role: robertdebock.update\n```\n\nAlso see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles.\n\n## [Role Variables](#role-variables)\n\nThe default values for the variables are set in [`defaults/main.yml`](https://github.com/robertdebock/ansible-role-cis/blob/master/defaults/main.yml):\n\n```yaml\n---\n# defaults file for cis\n\n# The CIS guidelines determine many settings of a system. The values used in\n# this file will make a system compliant with the CIS specifications.\n# There are many reasons why you may not want to adhere to one or more specific\n# rules. 
You can overwrite values in your group_vars, host_vars, inventory or\n# playbook.\n\n# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored)\ncis_cramfs_disabled: true\n\n# 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)\ncis_vfat_disabled: true\n\n# 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)\ncis_squashfs_disabled: true\n\n# 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)\ncis_udf_disabled: true\n\n# 1.1.2 Ensure /tmp is configured (Scored)\ncis_tmp_configured: true\n\n# 1.1.3 Ensure nodev option set on /tmp partition (Scored)\ncis_tmp_nodev: true\n\n# 1.1.4 Ensure nosuid option set on /tmp partition (Scored)\ncis_tmp_nosuid: true\n\n# 1.1.5 Ensure noexec option set on /tmp partition (Scored)\ncis_tmp_noexec: true\n\n# 1.1.6 Ensure separate partition exists for /var (Scored)\ncis_var_partition: true\n\n# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)\ncis_var_tmp_partition: true\n\n# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)\ncis_var_tmp_nodev: true\n\n# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)\ncis_var_tmp_nosuid: true\n\n# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)\ncis_var_tmp_noexec: true\n\n# 1.1.11 Ensure separate partition exists for /var/log (Scored)\ncis_var_log_partition: true\n\n# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)\ncis_var_log_audit_partition: true\n\n# 1.1.13 Ensure separate partition exists for /home (Scored)\ncis_home_partition: true\n\n# 1.1.14 Ensure nodev option set on /home partition (Scored)\ncis_home_nodev: true\n\n# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)\ncis_dev_shm_nodev: true\n\n# 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)\ncis_dev_shm_nosuid: true\n\n# 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)\ncis_dev_shm_noexec: true\n\n# 1.1.18 Ensure nodev option set on removable media partitions (Not 
Scored)\ncis_removable_media_nodev: true\n\n# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)\ncis_removable_media_nosuid: true\n\n# 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)\ncis_removable_media_noexec: true\n\n# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)\ncis_fix_sticky_bit: true\n\n# 1.1.22 Disable Automounting\ncis_disable_automount: true\n\n# 1.1.23 Disable USB Storage (Scored)\ncis_usb_storage_disabled: true\n\n# 1.2.1 Ensure GPG keys are configured (Not Scored)\ncis_gpg_keys_configured: true\n\n# 1.2.2 Ensure gpgcheck is globally activated (Scored)\ncis_gpgcheck_enabled: true\n\n# 1.2.3 Ensure package manager repositories are configured (Not Scored)\ncis_repositories_configured: true\n\n# 1.3.1 Ensure sudo is installed (Scored)\ncis_sudo_installed: true\n\n# 1.3.2 Ensure sudo commands use pty (Scored)\ncis_sudo_use_pty: true\n\n# 1.3.3 Ensure sudo log file exists (Scored)\ncis_sudo_logfile: true\n\n# 1.4.1 Ensure AIDE is installed (Scored)\ncis_aide_installed: true\n\n# 1.4.2 Ensure filesystem integrity is regularly checked (Scored)\ncis_filesystem_integrity_checked: true\n\n# 1.5.1 Ensure permissions on bootloader config are configured (Scored)\ncis_permissions_bootloader: true\n\n# 1.5.2 Ensure bootloader password is set (Scored)\ncis_bootloader_password_set: true\ncis_bootloader_password: changeme\n\n# 1.5.3 Ensure authentication required for single user mode (Scored)\ncis_authentication_single_user_mode: true\n\n# 1.6.1 Ensure core dumps are restricted (Scored)\ncis_core_dumps_restricted: true\n\n# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)\ncis_aslr_enabled: true\n\n# 1.7.1.1 Ensure SELinux is installed (Scored)\ncis_selinux_installed: true\n\n# 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)\ncis_selinux_not_disabled: true\n\n# 1.7.1.3 Ensure SELinux policy is configured 
(Scored)\ncis_selinux_policy_configured: true\ncis_selinux_policy: targeted\n\n# 1.7.1.4 Ensure the SELinux state is enforcing (Scored)\ncis_selinux_state_enforcing: true\n\n# 1.7.1.5 Ensure no unconfined services exist (Scored)\ncis_no_unconfined_services: true\n\n# 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)\ncis_setroubleshoot_not_installed: true\n\n# 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)\ncis_mcs_translation_service_not_installed: true\n\n# 1.8.1.1 Ensure message of the day is configured properly (Scored)\ncis_message_of_the_day_configured: true\ncis_message_of_the_day: |\n  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n  You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored.\n\n# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)\ncis_local_login_banner_configured: true\n\n# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)\ncis_remote_login_banner_configured: true\n\n# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)\ncis_permissions_etc_motd: true\n\n# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)\ncis_permissions_etc_issue: true\n\n# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)\ncis_permissions_etc_issue_net: true\n\n# 1.8.2 Ensure GDM login banner is configured (Scored)\ncis_gdm_login_banner_configured: true\n\n# 1.9 Ensure updates, patches, and additional security software are installed (Not Scored)\ncis_updates_installed: true\n\n# 1.10 Ensure system-wide crypto policy is not legacy (Scored)\ncis_crypto_policy_not_legacy: true\ncis_crypto_policy: FIPS\n\n# 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored)\ncis_ensure_crypto_policy: true\n\n# 2.1.1 Ensure xinetd is not installed 
(Scored)\ncis_xinet_not_installed: true\n\n# 2.2.1.1 Ensure time synchronization is in use (Not Scored)\ncis_time_synchronization: true\n\n# 2.2.1.2 Ensure chrony is configured (Scored)\ncis_chrony_configured: true\ncis_chrony_servers: []\ncis_chrony_pools:\n  - name: \"2.fedora.pool.ntp.org\"\n    options: iburst\n\n# 2.2.2 Ensure X Window System is not installed (Scored)\ncis_x_windows_system_not_installed: true\n\n# 2.2.3 Ensure rsync service is not enabled (Scored)\ncis_rsync_service_not_enabled: true\n\n# 2.2.4 Ensure Avahi Server is not enabled (Scored)\ncis_avahi_server_not_enabled: true\n\n# 2.2.5 Ensure SNMP Server is not enabled (Scored)\ncis_snmp_server_not_enabled: true\n\n# 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)\ncis_http_proxy_server_not_enabled: true\n\n# 2.2.7 Ensure Samba is not enabled (Scored)\ncis_samba_server_not_enabled: true\n\n# 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)\ncis_imap_and_pop3_server_not_enabled: true\n\n# 2.2.9 Ensure HTTP server is not enabled (Scored)\ncis_http_server_not_enabled: true\n\n# 2.2.10 Ensure FTP Server is not enabled (Scored)\ncis_ftp_server_not_enabled: true\n\n# 2.2.11 Ensure DNS Server is not enabled (Scored)\ncis_dns_server_not_enabled: true\n\n# 2.2.12 Ensure NFS is not enabled (Scored)\ncis_nfs_server_not_enabled: true\n\n# 2.2.13 Ensure RPC is not enabled (Scored)\ncis_rpc_not_enabled: true\n\n# 2.2.14 Ensure LDAP server is not enabled (Scored)\ncis_ldap_server_not_enabled: true\n\n# 2.2.15 Ensure DHCP Server is not enabled (Scored)\ncis_dhcp_server_not_enabled: true\n\n# 2.2.16 Ensure CUPS is not enabled (Scored)\ncis_cups_not_enabled: true\n\n# 2.2.17 Ensure NIS Server is not enabled (Scored)\ncis_nis_server_not_enabled: true\n\n# 2.2.18 Ensure mail transfer agent is configured for local-only mode (Scored)\ncis_mta_local_only_mode: true\n\n# 2.3.1 Ensure NIS Client is not installed (Scored)\ncis_nis_client_not_installed: true\n\n# 2.3.2 Ensure telnet client is not installed 
(Scored)\ncis_telnet_client_not_installed: true\n\n# 2.3.3 Ensure LDAP client is not installed (Scored)\ncis_ldap_client_not_installed: true\n\n# 3.1.1 Ensure IP forwarding is disabled (Scored)\ncis_ip_forwarding_disabled: true\n\n# 3.1.2 Ensure packet redirect sending is disabled (Scored)\ncis_packet_redirect_sending_disabled: true\n\n# 3.2.1 Ensure source routed packets are not accepted (Scored)\ncis_source_routed_packets_not_accepted: true\n\n# 3.2.2 Ensure ICMP redirects are not accepted (Scored)\ncis_icmp_redirects_not_accepted: true\n\n# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)\ncis_secure_icmp_redirects_not_accepted: true\n\n# 3.2.4 Ensure suspicious packets are logged (Scored)\ncis_suspicious_packets_logged: true\n\n# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)\ncis_broadcast_icmp_requests_ignored: true\n\n# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)\ncis_bogus_icmp_responses_ignored: true\n\n# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)\ncis_reverse_path_filtering: true\n\n# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)\ncis_tcp_syn_cookies_enabled: true\n\n# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)\ncis_ipv6_router_advertisements_not_accepted: true\n\n# 3.3.1 Ensure DCCP is disabled (Scored)\ncis_dccp_disabled: true\n\n# 3.3.2 Ensure SCTP is disabled (Scored)\ncis_sctp_disabled: true\n\n# 3.3.3 Ensure RDS is disabled (Scored)\ncis_rds_disabled: true\n\n# 3.3.4 Ensure TIPC is disabled (Scored)\ncis_tipc_disabled: true\n\n# 3.4.1.1 Ensure a Firewall package is installed (Scored)\ncis_firewall_package_installed: true\ncis_firewall_package: firewalld\n\n# 3.4.2.1 Ensure firewalld service is enabled and running (Scored)\ncis_firewalld_enabled_and_running: true\n\n# 3.4.2.2 Ensure nftables is not enabled (Scored)\ncis_nftables_not_enabled: true\n\n# 3.4.2.3 Ensure default zone is set (Scored)\ncis_default_zone_set: true\ncis_default_zone: public\n\n# 3.4.2.4 Ensure network 
interfaces are assigned to appropriate zone (Not Scored)\ncis_firewalld_network_interface_assigned_zones: true\ncis_firewalld_zone_interface_mapping:\n  - zone: public\n    interface: eth0\n\n# 3.4.2.5 Ensure unnecessary services and ports are not accepted (Not Scored)\ncis_unnecessary_services_ports_not_accepted: true\ncis_unnecessary_services:\n  - cockpit\ncis_unnecessary_ports:\n  - 12345/tcp\n\n# 3.4.2.6 Ensure iptables is not enabled (Scored)\ncis_iptables_not_enabled: true\n\n# 3.4.3 Configure nftables\n# This section and all the subsections under 3.4.3 are skipped because section\n# 3.4.2 (Configure firewalld) and this section 3.4.3 (Configure nftables) are\n# mutually exclusive and firewalld is the default, which uses nft as a backend.\n\n# 3.4.4 Configure iptables\n# This section and all the subsections under 3.4.4 are skipped because section\n# 3.4.2 (Configure firewalld) and this section 3.4.4 (Configure iptables) are\n# mutually exclusive and firewalld is the default, which uses nft as a backend.\n\n# 3.5 Ensure wireless interfaces are disabled (Scored)\ncis_wireless_interface_disabled: true\n\n# 3.6 Disable IPv6 (Not Scored)\ncis_disable_ipv6: true\n\n# 4.1.1.1 Ensure auditd is installed (Scored)\ncis_auditd_installed: true\n\n# 4.1.1.2 Ensure auditd service is enabled (Scored)\ncis_auditd_service_enabled: true\n\n# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)\ncis_auditing_processes_prior_start: true\n\n# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)\ncis_audit_backlog_limit_sufficient: true\n\n# 4.1.2.1 Ensure audit log storage size is configured (Scored)\ncis_audit_log_storage_size_configured: true\ncis_audit_log_storage_size: 128\n\n# 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)\ncis_audit_logs_no_automatically_deleted: true\n\n# 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)\ncis_system_disabled_audit_logs_full: true\n\n# 4.1.3 Ensure changes to system 
administration scope (sudoers) is collected (Scored)\ncis_changed_to_system_administrator_scope_collected: true\n\n# 4.1.4 Ensure login and logout events are collected (Scored)\ncis_login_and_login_events_collected: true\n\n# 4.1.5 Ensure session initiation information is collected (Scored)\ncis_session_initiation_information_collected: true\n\n# 4.1.6 Ensure events that modify date and time information are collected (Scored)\ncis_events_modify_time_and_date_collected: true\n\n# 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)\ncis_events_modifying_mac_collected: true\n\n# 4.1.8 Ensure events that modify the system's network environment are collected (Scored)\ncis_events_modifying_systems_network_collected: true\n\n# 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)\ncis_dac_permission_modification_collected: true\n\n# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)\ncis_unsuccessful_files_access_collected: true\n\n# 4.1.11 Ensure events that modify user/group information are collected (Scored)\ncis_events_modifying_user_group_collected: true\n\n# 4.1.12 Ensure successful file system mounts are collected (Scored)\ncis_successful_mounts_collected: true\n\n# 4.1.13 Ensure use of privileged commands is collected (Scored)\ncis_privileged_commands_collected: true\n# A list of partitions that will be checked. 
Extend this with all partitions\n# that could contain executables.\ncis_privileged_commands_collected_partitions:\n  - /\n\n# 4.1.14 Ensure file deletion events by users are collected (Scored)\ncis_file_deletion_users_collected: true\n\n# 4.1.15 Ensure kernel module loading and unloading is collected (Scored)\ncis_kernel_module_loading_unloading_collected: true\n\n# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)\ncis_system_administrator_actions_collected: true\n\n# 4.1.17 Ensure the audit configuration is immutable (Scored)\ncis_audit_configuration_immutable: true\n\n# 4.2.1.1 Ensure rsyslog is installed (Scored)\ncis_syslog_installed: true\n\n# 4.2.1.2 Ensure rsyslog Service is enabled (Scored)\ncis_rsyslog_enabled: true\n\n# 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)\ncis_rsyslog_file_permissions_configured: true\n\n# 4.2.1.4 Ensure logging is configured (Not Scored)\ncis_logging_configured: true\n\ncis_logging_site_policy:\n  - rule: |-\n      '*.emerg'\n    destination: |-\n      ':omusrmsg:*'\n  - rule: 'auth,authpriv.*'\n    destination: '/var/log/secure'\n  - rule: |-\n      'mail.*'\n    destination: '-/var/log/mail'\n  - rule: 'mail.info'\n    destination: '-/var/log/mail.info'\n  - rule: 'mail.warning'\n    destination: '-/var/log/mail.warn'\n  - rule: 'mail.err'\n    destination: '/var/log/mail.err'\n  - rule: 'news.crit'\n    destination: '-/var/log/news/news.crit'\n  - rule: 'news.err'\n    destination: '-/var/log/news/news.err'\n  - rule: 'news.notice'\n    destination: '-/var/log/news/news.notice'\n  - rule: |-\n      '*.=warning;*.=err'\n    destination: '-/var/log/warn'\n  - rule: |-\n      '*.crit'\n    destination: '/var/log/warn'\n  - rule: |-\n      '*.*;mail.none;news.none'\n    destination: '-/var/log/messages'\n  - rule: |-\n      'local0,local1.*'\n    destination: '-/var/log/localmessages'\n  - rule: 'local2,local3.*'\n    destination: '-/var/log/localmessages'\n  - rule: |-\n      
'local4,local5.*'\n    destination: '-/var/log/localmessages'\n  - rule: |-\n      'local6,local7.*'\n    destination: '-/var/log/localmessages'\n\n# 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host (Scored)\ncis_rsyslog_configured_remote_log_host: true\n\n# 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host (Scored)\ncis_rsyslog_site_policy_host: loghost.example.com\n\n# 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored)\n# This item is not implemented because it would need to run on another host.\n\n# 4.2.2.1 Ensure journald is configured to send logs to rsyslog (Scored)\ncis_journald_send_to_rsyslog: true\n\n# 4.2.2.2 Ensure journald is configured to compress large log files (Scored)\ncis_journald_compless_log_files: true\n\n# 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)\ncis_journald_write_logfiles_to_disk: true\n\n# 4.2.3 Ensure permissions on all logfiles are configured (Scored)\ncis_permissions_on_logfiles: true\n\n# 4.3 Ensure logrotate is configured (Not Scored)\ncis_logrotate_configured: true\ncis_logrotate_policy:\n  - name: dnf\n\n# 5.1.1 Ensure cron daemon is enabled (Scored)\ncis_cron_enabled: true\n\n# 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)\ncis_cron_permissions_configured: true\n\n# 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)\ncis_cron_hourly_permissions_configured: true\n\n# 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)\ncis_cron_daily_permissions_configured: true\n\n# 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)\ncis_cron_weekly_permissions_configured: true\n\n# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)\ncis_cron_monthly_permissions_configured: true\n\n# 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)\ncis_cron_d_permissions_configured: true\n```\n\n## [Requirements](#requirements)\n\n- 
pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-cis/blob/master/requirements.txt).\n\n## [State of used roles](#state-of-used-roles)\n\nThe following roles are used to prepare a system. You can prepare your system in another way.\n\n| Requirement | GitHub | GitLab |\n|-------------|--------|--------|\n|[robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap)|\n|[robertdebock.cron](https://galaxy.ansible.com/robertdebock/cron)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-cron/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-cron/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-cron/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-cron)|\n|[robertdebock.update](https://galaxy.ansible.com/robertdebock/update)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-update/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-update/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-update/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-update)|\n\n## [Context](#context)\n\nThis role is a part of many compatible roles. 
Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information.\n\nHere is an overview of related roles:\n![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-cis/png/requirements.png \"Dependencies\")\n\n## [Compatibility](#compatibility)\n\nThis role has been tested on these [container images](https://hub.docker.com/u/robertdebock):\n\n|container|tags|\n|---------|----|\n|[EL](https://hub.docker.com/r/robertdebock/enterpriselinux)|9|\n\nThe minimum version of Ansible required is 2.12. Tests have been run against:\n\n- The previous version.\n- The current version.\n- The development version.\n\nIf you find issues, please register them in [GitHub](https://github.com/robertdebock/ansible-role-cis/issues).\n\n## [License](#license)\n\n[Apache-2.0](https://github.com/robertdebock/ansible-role-cis/blob/master/LICENSE).\n\n## [Author Information](#author-information)\n\n[robertdebock](https://robertdebock.nl/)\n\nPlease consider [sponsoring me](https://github.com/sponsors/robertdebock).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdebock%2Fansible-role-cis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frobertdebock%2Fansible-role-cis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdebock%2Fansible-role-cis/lists"}