
Starting on a new server

subscription-manager register
subscription-manager refresh
subscription-manager attach --auto
dnf install python3
yum install ansible-core
ansible --version

Upgrading Ansible from RHEL 8.6 onward:


Ensure the system is running RHEL 8.6:

# cat /etc/redhat-release

Uninstall Ansible Engine 2.9:

# yum remove ansible

Disable the ansible-2-for-rhel-8-x86_64-rpms repository:

# subscription-manager repos --disable ansible-2-for-rhel-8-x86_64-rpms

Install Ansible Core which is available in the RHEL 8 AppStream repository:

# yum install ansible-core

Verify with the following command:


sudo subscription-manager attach --auto

Install the required collections (neither command should report an error):

ansible-galaxy collection install dsglaser.cis_security

ansible-galaxy collection install ansible.posix

Install goss (note that this pulls the unpinned "latest" release and installs it without verifying a checksum):

curl -L https://github.com/goss-org/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss

chmod +rx /usr/local/bin/goss

curl -L https://github.com/goss-org/goss/releases/latest/download/dgoss -o /usr/local/bin/dgoss

chmod +rx /usr/local/bin/dgoss
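An added example (not from these notes or the goss project) of the same install done with the release pinned and the download checked against its published digest before anything lands in /usr/local/bin. It assumes that each goss release artifact has a companion <artifact>.sha256 file in sha256sum format under the same releases/download/<tag>/ path; the tag in GOSS_VERSION is a placeholder to replace with the release you have reviewed.

```shell
#!/bin/sh
# Added example, not from the page or the goss project: pinned, checksum-verified goss install.
# Assumption: each goss release artifact has a companion "<artifact>.sha256" in sha256sum
# format ("<hex digest>  <artifact>") under the same releases/download/<tag>/ path.
set -eu

GOSS_VERSION="${GOSS_VERSION:-v0.4.8}"   # placeholder tag: set to the release you have reviewed
GOSS_BASE="https://github.com/goss-org/goss/releases/download/${GOSS_VERSION}"

# verify_sha256 FILE SIDECAR
# Returns 0 when FILE's SHA-256 equals the digest in SIDECAR, 1 (with a message) otherwise.
verify_sha256() {
    file="$1"; sidecar="$2"
    expected="$(awk 'NR == 1 { print tolower($1) }' "$sidecar")"
    actual="$(sha256sum "$file" | awk '{ print tolower($1) }')"
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $file: expected '$expected' got '$actual'" >&2
        return 1
    fi
    return 0
}

# fetch_and_install ARTIFACT DEST
# Downloads ARTIFACT and its sidecar into a scratch directory, verifies the digest, then
# installs it 0755 root:root. Nothing is written to DEST unless the digest matches; on a
# mismatch the script stops (set -e) and the scratch directory is left for inspection.
fetch_and_install() {
    artifact="$1"; dest="$2"
    tmp="$(mktemp -d)"
    curl --proto '=https' --tlsv1.2 -fsSL "${GOSS_BASE}/${artifact}" -o "${tmp}/${artifact}"
    curl --proto '=https' --tlsv1.2 -fsSL "${GOSS_BASE}/${artifact}.sha256" -o "${tmp}/${artifact}.sha256"
    verify_sha256 "${tmp}/${artifact}" "${tmp}/${artifact}.sha256"
    install -m 0755 -o root -g root "${tmp}/${artifact}" "$dest"
    rm -rf "$tmp"
}

install_goss() {
    fetch_and_install goss-linux-amd64 /usr/local/bin/goss
    fetch_and_install dgoss /usr/local/bin/dgoss
}

# Only download when explicitly asked ("sh install-goss.sh install"); otherwise the file
# just defines the functions so verify_sha256 can be reused for other artifacts.
if [ "${1:-}" = "install" ]; then
    install_goss
fi
```

The verification step is the point: a "latest" URL changes under you and a transparent proxy or compromised mirror can hand back a different binary, so the digest you compare against should come from a release you looked at, not from whatever is current on the day the server is built.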

EPEL for RHEL 8


subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

yum install python3-jmespath

or, when ansible-core runs on the python3.11 stack:

yum install python3.11-jmespath

(jmespath has to be installed for the interpreter ansible-core itself uses; ansible --version prints that interpreter's path on its "python version" line, which is the quick way to tell which of the two packages is the right one.)
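An added check (not part of the original notes) that reads the interpreter path out of ansible --version and tests whether jmespath imports there, instead of guessing between python3-jmespath and python3.11-jmespath. The version output embedded in the block is a constructed sample, not captured from a host.

```shell
#!/bin/sh
# Added check, not part of the original notes: confirm jmespath is importable by the
# interpreter ansible-core really uses, rather than guessing python3 vs python3.11.
set -eu

# ansible_python_path
# Reads "ansible --version" output on stdin and prints the interpreter path found on its
# "python version = X.Y.Z (/path/to/python) ..." line (empty output if the line is absent).
ansible_python_path() {
    sed -n 's/^[[:space:]]*python version = [^(]*(\([^)]*\)).*$/\1/p' | head -n 1
}

# check_python_module INTERPRETER MODULE
# Returns 0 when MODULE imports under INTERPRETER, non-zero otherwise.
check_python_module() {
    "$1" -c "import $2" 2>/dev/null
}

# Constructed sample of "ansible --version" output (not captured from a real host).
SAMPLE_VERSION_OUTPUT='ansible [core 2.14.2]
  config file = /etc/ansible/ansible.cfg
  python version = 3.11.2 (/usr/bin/python3.11) [GCC 8.5.0]
  jinja version = 3.1.2'

# check_ansible_jmespath
# Live check: asks the installed ansible for its interpreter and tests the import there.
# Returns 0 when jmespath is usable, 1 when it is missing, 2 when the path cannot be parsed.
check_ansible_jmespath() {
    py="$(ansible --version | ansible_python_path)"
    if [ -z "$py" ]; then
        echo "could not find the python path in 'ansible --version' output" >&2
        return 2
    fi
    if check_python_module "$py" jmespath; then
        echo "jmespath OK for $py"
    else
        echo "jmespath missing for $py: install python3-jmespath or python3.11-jmespath to match" >&2
        return 1
    fi
}

# Offline demonstration on the constructed sample: which interpreter the parser extracts.
echo "sample interpreter: $(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | ansible_python_path)"
```

On a real controller, run check_ansible_jmespath after installing one of the two packages; the role's json_query filters fail at runtime, not at install time, so this is cheaper than discovering the gap in the middle of a hardening run.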

Install the role from GitHub


Full rule set for RHEL 8
ansible-galaxy install git+https://github.com/ansible-lockdown/RHEL8-CIS.git

*NOTE: the whole role can be removed with the following command


rm -rf /root/.ansible/roles/RHEL8-CIS

Create audit.yml (the role name must match the directory under the roles path: the ansible-galaxy command above installs it as RHEL8-CIS and the task output further down is prefixed "RHEL8-CIS", so "CIS1" only resolves if the role was copied or renamed to that name)
---
- name: RHEL8 CIS Audit
  hosts: all
  become: true
  roles:
    - role: "CIS1"
      vars:
        setup_audit: true
        run_audit: true

Create site.yml
---
- name: Run RHEL8 CIS hardening
  hosts: all
  become: true
  roles:
    - role: "CIS1"

To run a particular section

To run a playbook with a couple of different tags

To run two different sections

To run the audit locally


cd /root/.ansible/roles/RHEL8-CIS
ansible-playbook -i "localhost," -c local audit.yml
To list the available tags
[root@cis RHEL8-CIS]# ansible-playbook -i "localhost," -c local site.yml --list-tags

To run one specific rule


[root@cis1 RHEL8-CIS]# ansible-playbook -i "localhost," -c local site.yml --tags rule_1.1.1.3
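An added helper (not from the original notes or the ansible-lockdown project) for the tag-based runs above: it parses the --list-tags output, refuses tags that do not exist in the playbook (ansible would otherwise just run zero tasks), and joins the requested tags with commas for --tags, which is how "a couple of different tags" or "two different sections" are passed in one run. The --list-tags text embedded in the block is a constructed sample using the rule_<id> tag form shown on this page.

```shell
#!/bin/sh
# Added helper, not from the original notes or the ansible-lockdown project: validate
# requested tags against "ansible-playbook --list-tags" before running with --tags.
set -eu

# parse_task_tags
# Reads --list-tags output on stdin and prints one tag per line, taken from the
# "TASK TAGS: [a, b, c]" line(s), sorted and de-duplicated.
parse_task_tags() {
    sed -n 's/^[[:space:]]*TASK TAGS: \[\(.*\)]$/\1/p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# check_tags KNOWN_TAGS_FILE TAG...
# Returns 1 and names every TAG that is not present in KNOWN_TAGS_FILE (one tag per line).
check_tags() {
    known="$1"; shift
    rc=0
    for t in "$@"; do
        if ! grep -qx -- "$t" "$known"; then
            echo "unknown tag: $t" >&2
            rc=1
        fi
    done
    return $rc
}

# join_tags TAG... -> "tag1,tag2,..." in the form --tags expects
join_tags() {
    out=""
    for t in "$@"; do out="${out}${out:+,}${t}"; done
    printf '%s\n' "$out"
}

# run_tags PLAYBOOK TAG...
# Lists the playbook's tags, refuses any unknown ones (ansible would otherwise run zero
# tasks instead of failing), then runs the playbook locally limited to those tags.
run_tags() {
    playbook="$1"; shift
    known="$(mktemp)"
    ansible-playbook -i "localhost," -c local "$playbook" --list-tags | parse_task_tags > "$known"
    if ! check_tags "$known" "$@"; then
        rm -f "$known"
        return 1
    fi
    rm -f "$known"
    ansible-playbook -i "localhost," -c local "$playbook" --tags "$(join_tags "$@")"
}

# Constructed sample of --list-tags output (not captured from a real run), using the
# rule_<id> tag form from the notes.
SAMPLE_LIST_TAGS='playbook: site.yml

  play #1 (all): Run RHEL8 CIS hardening    TAGS: []
      TASK TAGS: [always, rule_1.1.1.3, rule_1.2.4, rule_2.2.22]'

# Offline demonstration: parse the sample and validate a good and a bad request.
demo_known="$(mktemp)"
printf '%s\n' "$SAMPLE_LIST_TAGS" | parse_task_tags > "$demo_known"
check_tags "$demo_known" rule_1.1.1.3 rule_2.2.22 && echo "would run: --tags $(join_tags rule_1.1.1.3 rule_2.2.22)"
check_tags "$demo_known" rule_9.9.9 || echo "refused: rule_9.9.9 is not a tag of site.yml"
rm -f "$demo_known"
```

Usage on the controller is run_tags site.yml rule_1.1.1.3 rule_1.1.1.4 from the role directory; a typo in a rule id then fails loudly before the play starts rather than producing an empty recap that looks like success.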

Another way to run the role

Errors when running the RHEL8-CIS role

TASK [RHEL8-CIS : PRELIM | Add the required packages] ****************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'codeready-builder-for-rhel-8-x86_64-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried", "rc": 1, "results": []}

Solution:
TASK [RHEL8-CIS : 1.2.5 | PATCH | Ensure updates, patches, and additional security software are installed | Patch] ***
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'epel': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 404 for http://mirrors.upr.edu/epel/8/Everything/x86_64/repodata/repomd.xml.asc (IP: 136.145.244.40)", "rc": 1, "results": []}

Solution: source: https://access.redhat.com/solutions/7019126

*Modify the file /root/.ansible/roles/RHEL8-CIS/tasks/section_1/cis_1.2.x.yml

Line 52
#line: line: gpgcheck=1 --> line: gpgcheck=0 (modification)

Line 85
#line: line: gpgcheck=1 --> line: gpgcheck=0 (modification)

File on the server

vi /etc/dnf/dnf.conf

[main]
gpgcheck=0
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
repo_gpgcheck=0

Caveat: this workaround switches off package signature verification (gpgcheck) and repository metadata verification (repo_gpgcheck) for every repository on the host, and the edit to cis_1.2.x.yml makes the role's 1.2.x tasks write gpgcheck=0 instead of enforcing gpgcheck=1, which is the opposite of what that CIS control asks for. The error itself only says that the EPEL mirror returned 404 for repodata/repomd.xml.asc, i.e. the detached signature of the metadata; package signatures were not the problem. The narrower fix is to set repo_gpgcheck=0 for the epel repository alone (in its file under /etc/yum.repos.d) or to use a mirror that serves the .asc, and to leave gpgcheck=1 both in /etc/dnf/dnf.conf and in the role.
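An added example (not from these notes or the RHEL8-CIS role) that audits dnf/yum configuration files for disabled signature checks, so a host can be checked before and after the workaround above: gpgcheck=0 is reported as FAIL because package signatures would no longer be verified, repo_gpgcheck=0 as WARN because only the signing of repomd.xml is skipped. The two files it writes are constructed samples: the weakened /etc/dnf/dnf.conf from these notes, and a narrower per-repository fix for EPEL that the notes do not show (an assumption about how the same error could be handled without disabling package verification).

```shell
#!/bin/sh
# Added example, not from the page or the RHEL8-CIS role: audit dnf/yum config for
# disabled signature checks. gpgcheck=0 is a FAIL (package signatures unverified),
# repo_gpgcheck=0 a WARN (only the repomd.xml signature is skipped).
set -eu

# audit_gpgcheck FILE...
# Prints "<file>: <section> <key>=<value> FAIL|WARN" for every weak setting and returns 1
# if any FAIL was found, 0 otherwise (WARN-only results still return 0).
audit_gpgcheck() {
    status=0
    for f in "$@"; do
        findings="$(awk -F= '
            /^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
            /^[ \t]*(repo_)?gpgcheck[ \t]*=/ {
                key = $1; val = $2
                gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
                if (val == "0" || tolower(val) == "false" || tolower(val) == "no")
                    printf "%s %s=%s %s\n", sec, key, val, (key == "gpgcheck" ? "FAIL" : "WARN")
            }' "$f")"
        if [ -n "$findings" ]; then
            printf '%s\n' "$findings" | sed "s#^#$f: #"
            case "$findings" in *FAIL*) status=1 ;; esac
        fi
    done
    return $status
}

# Offline demonstration on two constructed files (neither is copied from a real host).
demo() {
    d="$(mktemp -d)"
    # The weakened /etc/dnf/dnf.conf from the notes: package AND metadata checks off globally.
    cat > "$d/dnf.conf" <<'EOF'
[main]
gpgcheck=0
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
repo_gpgcheck=0
EOF
    # Assumed narrower fix: keep package signature checks, skip only the metadata
    # signature for the one repository whose mirror returned 404 for repomd.xml.asc.
    cat > "$d/epel.repo" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
enabled=1
gpgcheck=1
repo_gpgcheck=0
EOF
    audit_gpgcheck "$d/dnf.conf" "$d/epel.repo" \
        || echo "package signature verification is off somewhere: restore gpgcheck=1 before running the CIS role"
    rm -rf "$d"
}
demo
```

On a real host, run audit_gpgcheck /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo; the same files are what the role's 1.2.x tasks inspect, so a clean result here is what you want before letting the role loose, and a FAIL after the workaround above is the reminder to revert it.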

TASK [RHEL8-CIS-OK : 5.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools] ***
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Path /etc/aide.conf does not exist !", "rc": 257}

Solution:
(/etc/aide.conf is AIDE's configuration file, so this control needs AIDE installed and configured on the host before it runs. The shell history recorded below does not do that; it versions the modified role copy in a personal GitHub repository.)

cd /root/.ansible/roles/CIS-RHEL8/
ll
git init
git pull
git add .
git commit -m "first commit"
git commit -m "rule check"
git branch -M main
git remote add origin https://github.com/JohanaER/CISPRUEBA.git
git push -u origin main

cd /root/.ansible/roles/RHEL8-CIS
git pull
git init
git config --global init.defaultBranch custom-changes
git pull
git config --global --edit
git commit --amend --reset-author

TASK [RHEL8-CIS : Show Audit Summary] **************************************************************************
ok: [localhost] => {
    "msg": [
        "The pre remediation results are: Count: 657, Failed: 199, Skipped: 25, Duration: 8.590s.",
        "The post remediation results are: Count: 657, Failed: 65, Skipped: 15, Duration: 6.850s.",
        "Full breakdown can be found in /opt",
        ""
    ]
}

TASK [RHEL8-CIS : Output Warning count and control IDs affected] ***********************************************
ok: [localhost] => {
    "msg": "You have 10 warning(s) that require investigating that are related to the following benchmark ID(s) [1.1.2.1.1] [1.1.2.3.1] [1.1.2.4.1] [1.1.2.5.1] [1.1.2.6.1] [1.1.2.7.1] [1.2.4] [2.2.22] [4.5.1.2] [Reboot_required]"
}
