From 0c460d4b70c0555d6e4a83828e2ed5c013c1a426 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 26 Jan 2023 08:31:12 +0000
Subject: [PATCH] updated task 6.2.8

Signed-off-by: Mark Bolwell
---
tasks/section_6/cis_6.2.x.yml | 99 ++++++++++++++++++++---------------
1 file changed, 56 insertions(+), 43 deletions(-)

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 2a98e90..e9ebed7 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -189,43 +189,56 @@ - name: "6.2.8 | PATCH | Ensure root PATH Integrity" block: - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value" - ansible.builtin.shell: 'echo $PATH | grep ::' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false - failed_when: rhel9cis_6_2_8_path_colon.rc == 0 - check_mode: false - register: rhel9cis_6_2_8_path_colon + register: rhel9cis_6_2_8_root_paths - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end" - ansible.builtin.shell: 'echo $PATH | grep :$' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" + ansible.builtin.set_fact: + root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false - failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0 - check_mode: false - register: rhel9cis_6_2_8_path_colon_end + failed_when: root_path_empty_dir.rc not in [ 0, 1 ] + register: root_path_empty_dir - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false - failed_when: '"." 
in rhel9cis_6_2_8_dot_in_path.stdout_lines' - check_mode: false - register: rhel9cis_6_2_8_dot_in_path + failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] + register: root_path_trailing_colon + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + block: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.stat: + path: "{{ item }}" + register: root_path_perms + loop: "{{ root_paths | split(':') }}" + + - ansible.builtin.debug: + msg: "{{ root_path_perms.results }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + owner: root + group: root + mode: 0755 + follow: true + loop: "{{ root_path_perms.results }}" + loop_control: + label: "{{ item.stat }}" + when: + - item.stat.pw_name != 'root' or + item.stat.gr_name != 'root' or + item.stat.woth or + item.stat.wgrp - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - ansible.builtin.debug: - msg: - - "Warning!!" - - "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}" - - "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" - - name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - ansible.builtin.file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - loop: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" when: - rhel9cis_rule_6_2_8 tags: 
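Review bot: The trailing-colon check on the added `ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && …'` line executes the PATH value itself as a command — the `echo` that the `::` check uses is missing, so grep reads empty input and a trailing colon is never detected (the `cut -d= -f2` is also redundant, the first task already strips `PATH=`). Both string tests are better done in Jinja than by interpolating `root_paths` unquoted into a shell command, and their registered results `root_path_empty_dir` / `root_path_trailing_colon` are read nowhere in the hunk, so unlike the removed debug task the findings are no longer reported; the removed check for `.` in PATH has no replacement either, and the nameless `ansible.builtin.debug` of `root_path_perms.results` reads like leftover debugging output. `check_mode: false` was dropped from the first shell task, so under `--check` that task is skipped and the `set_fact` reads an undefined `rhel9cis_6_2_8_root_paths.stdout`. In the `ansible.builtin.file` task, `mode: 0755` should be quoted (PyYAML parses the bare literal as the integer 493) and a symbolic `'o-w,g-w'` like the removed version would only clear the write bits instead of resetting every PATH directory to 0755, while the `when` needs an `item.stat.exists` guard because the stat of a missing path has no `pw_name`/`gr_name`. The enclosing `6.2.8 | PATCH` task starts before the hunk and its `tags:` continue after it; the rewritten tasks follow.
```yaml
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths"
  ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2
  changed_when: false
  check_mode: false
  register: rhel9cis_6_2_8_root_paths

# … unchanged: set_fact root_paths …

- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Warn on empty or trailing entries"
  ansible.builtin.debug:
    msg: "Warning!! root PATH contains an empty directory (::) or a trailing ':' - {{ root_paths }}"
  when: "'::' in root_paths or root_paths.endswith(':')"

# … unchanged: stat loop over root_paths | split(':') registered as root_path_perms …

- name: "6.2.8 | PATCH | Ensure root PATH Integrity | Fix owner and permissions"
  ansible.builtin.file:
    path: "{{ item.stat.path }}"
    state: directory
    owner: root
    group: root
    mode: 'o-w,g-w'
    follow: true
  loop: "{{ root_path_perms.results }}"
  loop_control:
    label: "{{ item.stat.path | default(item.item) }}"
  when:
    - item.stat.exists
    - item.stat.pw_name != 'root' or
      item.stat.gr_name != 'root' or
      item.stat.woth or
      item.stat.wgrp
```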
@@ -264,14 +277,14 @@ check_mode: false changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 register: rhel_09_6_2_10_patch_audit - when: - - ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - ansible_check_mode + - item.1.exists - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" ansible.builtin.file:
@@ -279,14 +292,14 @@ recurse: true mode: a-st,g-w,o-rwx register: rhel_09_6_2_10_patch - when: - - not ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - not ansible_check_mode + - item.1.exists # set default ACLs so the homedir has an effective umask of 0027 - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
@@ -297,8 +310,6 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
@@ -307,6 +318,8 @@ mode: rx - etype: other mode: '0' + when: + - not system_is_container when: - rhel9cis_rule_6_2_10 tags:
@@ -350,14 +363,14 @@ check_mode: false changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 register: rhel_09_6_2_12_patch_audit - when: - - ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - ansible_check_mode + - item.1.exists - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" ansible.builtin.file:
@@ -383,8 +396,6 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
@@ -393,6 +404,8 @@ mode: rx - etype: other mode: '0' + when: + - not system_is_container when: - rhel9cis_rule_6_2_12 tags: