diff --git a/handlers/main.yml b/handlers/main.yml index 1894300..71f5554 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -150,7 +150,7 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - notify: Change_requires_reboot + notify: Set reboot required listen: "Remount /boot/efi" - name: Reload sysctl @@ -194,7 +194,7 @@ ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" changed_when: true notify: - - Change_requires_reboot + - Set reboot required - Restart sshd - name: Restart firewalld @@ -255,7 +255,7 @@ when: discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: Change_requires_reboot + notify: Set reboot required - name: Stop auditd process ansible.builtin.command: systemctl kill auditd @@ -268,6 +268,6 @@ state: started listen: Restart auditd -- name: Change_requires_reboot +- name: Set reboot required ansible.builtin.set_fact: change_requires_reboot: true diff --git a/tasks/main.yml b/tasks/main.yml index 9bfcc51..f5a57db 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,9 +17,7 @@ success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - name: "Setup rules if container" - when: - - ansible_connection == 'docker' or - ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always @@ -101,8 +99,7 @@ - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: - that: - - not prelim_ansible_user_password_set.stdout.startswith("!") + that: not prelim_ansible_user_password_set.stdout.startswith("!") fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" @@ -132,7 +129,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" changed_when: false register: prelim_root_passwd_set diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 61959fa..80df209 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,4 +1,5 @@ --- + - name: Pre Audit Setup | Setup the LE audit when: setup_audit tags: setup_audit @@ -46,7 +47,7 @@ remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" -- name: Pre Audit Setup | Check Goss is available +- name: Pre Audit Setup | Check goss is available when: run_audit block: - name: Pre Audit Setup | Check for goss file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1eed552..80decfd 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,8 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -185,17 +184,14 @@ grub2_path: /etc/grub2-efi.cfg - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - tags: - - always + tags: always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present - name: "PRELIM | PATCH | Install dconf if gui installed" - when: - - rhel9cis_gui - tags: - - always + when: rhel9cis_gui + tags: always ansible.builtin.package: name: dconf state: present @@ -204,8 +200,7 @@ when: - rhel9cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless @@ -251,9 +246,7 @@ state: touch - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - when: - - rhel9cis_rule_5_1_10 or - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf register: prelim_sshd_50_redhat_file @@ -281,8 +274,7 @@ - name: "PRELIM | PATCH | Create journald config directory" when: - rhel9cis_syslog == 'journald' - - rhel9cis_rule_6_2_1_3 or - rhel9cis_rule_6_2_1_4 + - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4 tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index adc094d..e67bb39 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -27,8 +27,7 @@ mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: cramfs state: absent diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 2ccb59f..379b92d 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -13,4 +13,4 @@ ansible.builtin.package: name: "*" state: latest - notify: Change_requires_reboot + notify: Set reboot required