RHEL9-CIS/tasks/post.yml

---
# Post tasks

- name: Gather the package facts after remediation
  ansible.builtin.package_facts:
      manager: auto
  tags:
      - always

- name: Update sysctl
  ansible.builtin.template:
      src: "etc/sysctl.d/{{ item }}.j2"
      dest: "/etc/sysctl.d/{{ item }}"
      owner: root
      group: root
      mode: 0600
  register: sysctl_updated
  notify: Reload sysctl
  loop:
      - 60-kernel_sysctl.conf
      - 60-disable_ipv6.conf
      - 60-netipv4_sysctl.conf
      - 60-netipv6_sysctl.conf
  when:
      - sysctl_update
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"

- name: Flush handlers
  ansible.builtin.meta: flush_handlers

- name: POST | reboot system if changes require it and not skipped
  block:
      - name: POST | Reboot system if changes require it and not skipped
        ansible.builtin.reboot:
        when:
            - change_requires_reboot
            - not skip_reboot

      - name: POST | Warning a reboot required but skip option set
        ansible.builtin.debug:
            msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
        changed_when: true
        when:
            - change_requires_reboot
            - skip_reboot

      - name: "POST | Warning a reboot required but skip option set | warning count"
        ansible.builtin.import_tasks: warning_facts.yml
        when:
            - change_requires_reboot
            - skip_reboot
  vars:
      warn_control_id: Reboot_required
  tags:
      - grub
      - level1-server
      - level1-workstation
      - level2-server
      - level2-workstation
      - rhel9cis_section1
      - rhel9cis_section2
      - rhel9cis_section3
      - rhel9cis_section4
      - rhel9cis_section5
      - rhel9cis_section6
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`
			`# Post tasks`

Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-02-02 11:25:03 +00:00			`- name: Gather the package facts after remediation`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`ansible.builtin.package_facts:`
Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-02-02 11:25:03 +00:00			`manager: auto`
			`tags:`
lint Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-05 10:24:47 +01:00			`- always`
Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-02-02 11:25:03 +00:00
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`- name: Update sysctl`
			`ansible.builtin.template:`
auditd, sysctl, become tidy up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-06-20 17:07:39 +01:00			`src: "etc/sysctl.d/{{ item }}.j2"`
			`dest: "/etc/sysctl.d/{{ item }}"`
			`owner: root`
			`group: root`
			`mode: 0600`
			`register: sysctl_updated`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`notify: Reload sysctl`
with_items to loop Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-25 09:59:33 +00:00			`loop:`
auditd, sysctl, become tidy up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-06-20 17:07:39 +01:00			`- 60-kernel_sysctl.conf`
			`- 60-disable_ipv6.conf`
			`- 60-netipv4_sysctl.conf`
			`- 60-netipv6_sysctl.conf`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`when:`
auditd, sysctl, become tidy up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-06-20 17:07:39 +01:00			`- sysctl_update`
			`- not system_is_container`
			`- "'procps-ng' in ansible_facts.packages"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`- name: Flush handlers`
			`ansible.builtin.meta: flush_handlers`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated controls Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-01 15:26:13 +01:00			`- name: POST \| reboot system if changes require it and not skipped`
			`block:`
			`- name: POST \| Reboot system if changes require it and not skipped`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`ansible.builtin.reboot:`
updated controls Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-01 15:26:13 +01:00			`when:`
fixed changed_requires_reboot Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 14:16:15 +00:00			`- change_requires_reboot`
updated controls Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-01 15:26:13 +01:00			`- not skip_reboot`

			`- name: POST \| Warning a reboot required but skip option set`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`ansible.builtin.debug:`
Added warning to reboot required Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-29 18:28:17 +01:00			`msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"`
updated controls Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-01 15:26:13 +01:00			`changed_when: true`
			`when:`
fixed changed_requires_reboot Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 14:16:15 +00:00			`- change_requires_reboot`
updated controls Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-01 15:26:13 +01:00			`- skip_reboot`
Added warning to reboot required Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-29 18:28:17 +01:00
			`- name: "POST \| Warning a reboot required but skip option set \| warning count"`
warn control count updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 11:05:25 +00:00			`ansible.builtin.import_tasks: warning_facts.yml`
Added warning to reboot required Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-29 18:28:17 +01:00			`when:`
fixed changed_requires_reboot Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 14:16:15 +00:00			`- change_requires_reboot`
Added warning to reboot required Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-29 18:28:17 +01:00			`- skip_reboot`
warn control count updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 11:05:25 +00:00			`vars:`
			`warn_control_id: Reboot_required`
updated controls Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-04-01 15:26:13 +01:00			`tags:`
			`- grub`
			`- level1-server`
			`- level1-workstation`
			`- level2-server`
			`- level2-workstation`
			`- rhel9cis_section1`
			`- rhel9cis_section2`
			`- rhel9cis_section3`
			`- rhel9cis_section4`
			`- rhel9cis_section5`
			`- rhel9cis_section6`