Commit 240c59f

Author: Anth Courtney
committed Jan 9, 2018
Merge branch 'master' of github.com:anthcourtney/ansible-role-cis-amazon-linux
2 parents 984f3ea + daba4b9 commit 240c59f


46 files changed, +1160 -19 lines changed

README.md

+19
@@ -23,6 +23,25 @@ An examples of items that should be immediately considered for exclusion (or at
2323

2424
* ```3.4.2``` and ```3.4.3```, which by default effectively limit access to the host (including via ssh) to localhost only.
2525

26+
Amazon Linux and SE Linux
27+
----------------
28+
By default SElinux is disabled via grub in amazon linux.
29+
30+
To enable edit ;
31+
32+
```/boot/grub/menu.lst```
33+
34+
Modifiy ```selinux=0 to selinux=1```
35+
36+
```touch /etc/selinux/config```
37+
38+
Also install the following package to allow the ansible SElinux module to function on the host.
39+
40+
```yum install libselinux-python```
41+
42+
A reboot will be neccessary for the changes to take effect.
43+
44+
2645
Example Playbook
2746
----------------
2847
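Review bot: the new "Amazon Linux and SE Linux" section has several typos and one ambiguous instruction: "Modifiy" should be "Modify", "neccessary" should be "necessary", "To enable edit ;" should read "To enable it, edit", and the code span on line 34 mixes prose with the parameter; it reads more clearly as "change `selinux=0` to `selinux=1` on the kernel line of `/boot/grub/menu.lst`". Also, `touch /etc/selinux/config` on line 36 only creates an empty file, so the README should say what the file is expected to contain (at minimum the SELINUX= mode and SELINUXTYPE= policy lines that the SELinux tooling reads), otherwise a reader following these steps reboots with SELinux enabled in grub but no mode or policy configured. Finally, "SElinux" and "SE Linux" should be spelled "SELinux" consistently in the heading and body.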

defaults/main.yml

+15-1
@@ -9,7 +9,7 @@ cis_apply_level_1_profile: true # Whether Level 1 of the benchmark should be
99
cis_apply_level_2_profile: false # Whether Level 2 of the benchmark should be applied
1010

1111
cis_level_1_exclusions: [] # A list of Level 1 recommendations to exclude (i.e. ['1.1.1.1'])
12-
cis_level_2_exclusions: [] # A list of Level 2 recommendations to exclude
12+
cis_level_2_exclusions: [] # A list of Level 2 recommendations to exclude
1313

1414
# Whether to fail when remediation items are found for recommendations which can't be automatically fixed.
1515
# If false, a debug message will be generated instead, with the preface *** ACTION REQUIRED ***..
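Review bot: the removed and added `cis_level_2_exclusions` lines at 12 are identical as rendered, so this hunk is a whitespace-only change (trailing whitespace or tab alignment); it would help to say so in the commit message so it is not mistaken for a change in the default. While here, the unchanged comment on line 15 ends with a doubled period after `*** ACTION REQUIRED ***`.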
@@ -18,6 +18,20 @@ fail_on_manual_remediation_actions: false # True or false.
1818
###############################################
1919
# Check specific values which can be overridden
2020
###############################################
21+
# 1.1.11
22+
cis_partition_dev_val_log: "/dev/xvda2"
23+
cis_partition_mnt_val_log: "/var/log"
24+
cis_partition_fs_val_log: "ext4"
25+
26+
# 1.1.12
27+
cis_partition_dev_val_log_audit: "/dev/xvda3"
28+
cis_partition_mnt_val_log_audit: "/var/log/audit"
29+
cis_partition_fs_val_log_audit: "ext4"
30+
31+
# 1.1.13
32+
cis_partition_dev_home: "/dev/xvda4"
33+
cis_partition_mnt_home: "/home"
34+
cis_partition_fs_home: "ext4"
2135

2236
# 1.3.1
2337
cis_aide_database_filename: "/var/lib/aide/aide.db.gz"
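Review bot: the new partition variables use inconsistent names: the 1.1.11 and 1.1.12 groups carry a `_val_` infix (`cis_partition_dev_val_log`, `cis_partition_mnt_val_log_audit`) while the 1.1.13 group does not (`cis_partition_dev_home`, `cis_partition_mnt_home`); pick one scheme, for example drop `_val_` everywhere, before these names become part of the role's public interface. The device defaults `/dev/xvda2`, `/dev/xvda3` and `/dev/xvda4` are assumptions about a particular host's disk layout, and the block is introduced with benchmark numbers only; each group should carry a short comment, as the other overridable values in this file do, stating that these are the device, mount point and filesystem type expected for the separate /var/log, /var/log/audit and /home partitions and that the device names must be overridden to match the instance.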
