ansible-lockdown · uk-bolly · Feb 11, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025
diff --git a/site.yml b/site.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: Amazon 2023 cis benchmark
+- name: Apply Amazon Linux 2023 CIS hardening
   hosts: all
   become: true
 

diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
@@ -31,7 +31,7 @@
       - patch
       - rule_1.1.1.1
       - squashfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled"
   block:
@@ -94,7 +94,7 @@
       - patch
       - rule_1.1.1.3
       - cramfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled"
   block:
@@ -126,7 +126,7 @@
       - patch
       - rule_1.1.1.4
       - freevxfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled"
   block:
@@ -158,7 +158,7 @@
       - patch
       - rule_1.1.1.5
       - jffs2
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled"
   block:
@@ -190,7 +190,7 @@
       - patch
       - rule_1.1.1.6
       - hfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled"
   block:
@@ -222,4 +222,4 @@
       - patch
       - rule_1.1.1.7
       - hfsplus
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
@@ -20,7 +20,7 @@
       - audit
       - mounts
       - rule_1.1.2.1
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 # via fstab
 - name: |
@@ -50,7 +50,7 @@
       - rule_1.1.2.2
       - rule_1.1.2.3
       - rule_1.1.2.4
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 # via systemd
 - name: |
@@ -76,6 +76,6 @@
       - rule_1.1.2.2
       - rule_1.1.2.3
       - rule_1.1.2.4
-      - nist_sp800-53r5_CM-7
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_CM-7
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
@@ -46,5 +46,5 @@
       - skip_ansible_lint
       - rule_1.1.3.2
       - rule_1.1.3.3
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
@@ -50,5 +50,5 @@
       - rule_1.1.4.2
       - rule_1.1.4.3
       - rule_1.1.4.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
@@ -21,7 +21,7 @@
       - audit
       - mounts
       - rule_1.1.5.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: |
           "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
@@ -50,5 +50,5 @@
       - rule_1.1.5.2
       - rule_1.1.5.3
       - rule_1.1.5.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
@@ -21,7 +21,7 @@
       - audit
       - mounts
       - rule_1.1.6.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: |
           "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
@@ -49,5 +49,5 @@
       - rule_1.1.6.2
       - rule_1.1.6.3
       - rule_1.1.6.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
@@ -21,7 +21,7 @@
       - audit
       - mounts
       - rule_1.1.7.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: |
     "1.1.7.2 | PATCH | Ensure nodev option set on /home partition
@@ -46,5 +46,5 @@
       - mounts
       - rule_1.1.7.2
       - rule_1.1.7.3
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
@@ -22,7 +22,7 @@
       - audit
       - mounts
       - rule_1.1.8.1
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: |
        "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
@@ -46,5 +46,5 @@
       - rule_1.1.8.2
       - rule_1.1.8.3
       - rule_1.1.8.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml
@@ -33,4 +33,4 @@
       - mounts
       - removable_storage
       - rule_1.1.9
-      - nist_sp800-53r5_SI-3
+      - NIST800-53R5_SI-3
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
@@ -29,7 +29,7 @@
       - manual
       - patch
       - rule_1.2.1
-      - nist_sp800-53r5_SI-2
+      - NIST800-53R5_SI-2
 
 - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated"
   block:
@@ -53,7 +53,7 @@
       - level1-server
       - patch
       - rule_1.2.2
-      - nist_sp800-53r5_SI-3
+      - NIST800-53R5_SI-3
 
 - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured"
   block:
@@ -82,7 +82,7 @@
       - manual
       - audit
       - rule_1.2.3
-      - nist_sp800-53r5_SI-3
+      - NIST800-53R5_SI-3
 
 - name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated"
   block:
@@ -114,4 +114,4 @@
       - manual
       - audit
       - rule_1.2.4
-      - nist_sp800-53r5_SI-3
+      - NIST800-53R5_SI-3
diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml
@@ -30,7 +30,7 @@
       - aide
       - patch
       - rule_1.3.1
-      - nist_sp800-53r5_AU-2
+      - NIST800-53R5_AU-2
 
 - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
   ansible.builtin.cron:
@@ -51,7 +51,7 @@
       - file_integrity
       - patch
       - rule_1.3.2
-      - nist_sp800-53r5_AU-2
+      - NIST800-53R5_AU-2
 
 - name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
   ansible.builtin.blockinfile:
@@ -73,4 +73,4 @@
       - file_integrity
       - patch
       - rule_1.3.3
-      - nist_sp800-53r5_AU-2
+      - NIST800-53R5_AU-2
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
@@ -16,7 +16,7 @@
       - patch
       - sysctl
       - rule_1.5.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
   block:
@@ -34,7 +34,7 @@
       - patch
       - sysctl
       - rule_1.5.2
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: "1.5.3 | PATCH | Ensure core dump storage is disabled"
   ansible.builtin.lineinfile:
@@ -49,7 +49,7 @@
       - level1-server
       - patch
       - rule_1.5.3
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.5.4 | PATCH | Ensure core dump backtraces are disabled"
   ansible.builtin.lineinfile:
@@ -63,4 +63,4 @@
       - patch
       - sysctl
       - rule_1.5.4
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
@@ -10,8 +10,8 @@
       - level1-server
       - patch
       - rule_1.6.1.1
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
 
 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
   ansible.builtin.replace:
@@ -31,7 +31,7 @@
       - scored
       - patch
       - rule_1.6.1.2
-      - nist_sp800-53r5_SI-7
+      - NIST800-53R5_SI-7
 
 # State set to enforcing because control 1.6.1.5 requires enforcing to be set
 - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured"
@@ -47,8 +47,8 @@
       - selinux
       - patch
       - rule_1.6.1.3
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
 
 - name: "1.6.1.4 | PATCH | Ensure the SELinux state is not disabled"
   ansible.posix.selinux:
@@ -63,8 +63,8 @@
       - selinux
       - patch
       - rule_1.6.1.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
 
 - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing"
   ansible.posix.selinux:
@@ -80,8 +80,8 @@
       - selinux
       - patch
       - rule_1.6.1.5
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_SI-6
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_SI-6
 
 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist"
   block:
@@ -109,8 +109,8 @@
       - audit
       - services
       - rule_1.6.1.6
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
 
 - name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed"
   ansible.builtin.package:
@@ -124,8 +124,8 @@
       - selinux
       - patch
       - rule_1.6.1.7
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
 
 - name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
   ansible.builtin.package:
@@ -137,4 +137,4 @@
       - level1-server
       - patch
       - rule_1.6.1.8
-      - nist_sp800-53r5_SI-4
+      - NIST800-53R5_SI-4