Ansible role for remediation of CIS benchmarks items, for Centos/RHEL 6 and 7
This role can be used to audit or remediate a host against the Center for Internet Security (CIS) security benchmarks.
Disclaimer: This project has no affiliation with CIS. The role and its contents have not been reviewed or endorsed by CIS.
This role implements benchmark v2.0.2
This role has no requirements or dependencies.
See defaults/main.yml
Some sensible defaults are configured and documented within defaults/main.yml. These defaults are set so they would cause minimal disruption to a production system. However, it’s your responsibility to verify that the default configuration will not harm your production server. Always run the role in check mode if you’re unsure of its effects.
Be aware that some of the default variables are set against CIS recommendations in the hopes that they will cause minimal disruption to a system.
Playbooks can utilize the CIS role without much effort:
- hosts: allroles:- cis
The role is thoroughly tagged so that you can run certain sections or certain levels of checks:
# Test only items from section 4ansible-playbook -i hosts -C playbook.yml -t section4# Apply changes only from items in section 4, 5, and 6ansible-playbook -i hosts playbook.yml -t section4,section5,section6
You’ll need credentials to an AWS account, ruby and bundler (gem install bundler).
bundle installkitchen testApache License, Version 2.0
Ricardo Oliveira, based on the work of Team VVL Systems and Major Hayden