Merge pull request #31 from ansible-lockdown/JUNE2025QA

June 2025 QA: Replace egrep with grep
This commit is contained in:
Fred W. 2025-06-23 08:36:55 -04:00 committed by GitHub
commit 0efd92e2a3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 18 additions and 29 deletions


@ -150,7 +150,7 @@
ansible.posix.mount: ansible.posix.mount:
path: "{{ mount_point }}" path: "{{ mount_point }}"
state: remounted state: remounted
notify: Change_requires_reboot notify: Set reboot required
listen: "Remount /boot/efi" listen: "Remount /boot/efi"
- name: Reload sysctl - name: Reload sysctl
@ -194,7 +194,7 @@
ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
changed_when: true changed_when: true
notify: notify:
- Change_requires_reboot - Set reboot required
- Restart sshd - Restart sshd
- name: Restart firewalld - name: Restart firewalld
@ -255,7 +255,7 @@
when: discovered_auditd_immutable_check.stdout == '1' when: discovered_auditd_immutable_check.stdout == '1'
ansible.builtin.debug: ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set" msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Change_requires_reboot notify: Set reboot required
- name: Stop auditd process - name: Stop auditd process
ansible.builtin.command: systemctl kill auditd ansible.builtin.command: systemctl kill auditd
@ -268,6 +268,6 @@
state: started state: started
listen: Restart auditd listen: Restart auditd
- name: Change_requires_reboot - name: Set reboot required
ansible.builtin.set_fact: ansible.builtin.set_fact:
change_requires_reboot: true change_requires_reboot: true
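Review bot: The handler rename in the `-268,6 +268,6` hunk (`- name: Set reboot required`) is only safe if every `notify: Change_requires_reboot` in the role was updated in the same commit; any task still notifying the old name would fail at runtime with a handler-not-found error. This page shows the notifiers being updated in the first three hunks of this file and in the package-update file at the end of the page, but only six files are in the diff, so a repository-wide search for the old name is worth confirming before merge. The `listen: "Remount /boot/efi"` and `listen: Restart auditd` topics are unaffected by the rename, since they match on the topic rather than the handler name.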


@ -17,9 +17,7 @@
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container" - name: "Setup rules if container"
when: when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags: tags:
- container_discovery - container_discovery
- always - always
@ -101,8 +99,7 @@
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert: ansible.builtin.assert:
that: that: not prelim_ansible_user_password_set.stdout.startswith("!")
- not prelim_ansible_user_password_set.stdout.startswith("!")
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
@ -132,7 +129,7 @@
- rule_5.4.2.4 - rule_5.4.2.4
block: block:
- name: "Ensure root password is set" - name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
changed_when: false changed_when: false
register: prelim_root_passwd_set register: prelim_root_passwd_set
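Review bot: The new pattern on the `Ensure root password is set` line, `grep -E "(Password set, SHA512 crypt|Password locked)"`, still recognises only a SHA512 hash; on a host whose password hashing is configured for yescrypt, `passwd -S root` would presumably report a different algorithm and this check would not match even though root does have a password set. Worth confirming against the role's password-hashing setting and, if yescrypt is an accepted algorithm here, widening the alternation, e.g. `grep -E "(Password set, (SHA512|yescrypt) crypt|Password locked)"`. The `register: prelim_root_passwd_set` result is consumed outside the hunk, so how a non-match is handled cannot be seen on this page.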


@ -1,4 +1,5 @@
--- ---
- name: Pre Audit Setup | Setup the LE audit - name: Pre Audit Setup | Setup the LE audit
when: setup_audit when: setup_audit
tags: setup_audit tags: setup_audit
@ -46,7 +47,7 @@
remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
- name: Pre Audit Setup | Check Goss is available - name: Pre Audit Setup | Check goss is available
when: run_audit when: run_audit
block: block:
- name: Pre Audit Setup | Check for goss file - name: Pre Audit Setup | Check for goss file


@ -136,8 +136,7 @@
register: prelim_systemd_coredump register: prelim_systemd_coredump
- name: "PRELIM | PATCH | Setup crypto-policy" - name: "PRELIM | PATCH | Setup crypto-policy"
when: when: rhel9cis_rule_1_6_1
- rhel9cis_rule_1_6_1
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -185,17 +184,14 @@
grub2_path: /etc/grub2-efi.cfg grub2_path: /etc/grub2-efi.cfg
- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
tags: tags: always
- always
ansible.builtin.stat: ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present register: prelim_gnome_present
- name: "PRELIM | PATCH | Install dconf if gui installed" - name: "PRELIM | PATCH | Install dconf if gui installed"
when: when: rhel9cis_gui
- rhel9cis_gui tags: always
tags:
- always
ansible.builtin.package: ansible.builtin.package:
name: dconf name: dconf
state: present state: present
@ -204,8 +200,7 @@
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2
- not system_is_container - not system_is_container
tags: tags: always
- always
block: block:
- name: "PRELIM | AUDIT | Discover is wireless adapter on system" - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
@ -251,9 +246,7 @@
state: touch state: touch
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when: when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11
- rhel9cis_rule_5_1_10 or
rhel9cis_rule_5_1_11
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
register: prelim_sshd_50_redhat_file register: prelim_sshd_50_redhat_file
@ -281,8 +274,7 @@
- name: "PRELIM | PATCH | Create journald config directory" - name: "PRELIM | PATCH | Create journald config directory"
when: when:
- rhel9cis_syslog == 'journald' - rhel9cis_syslog == 'journald'
- rhel9cis_rule_6_2_1_3 or - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
rhel9cis_rule_6_2_1_4
tags: always tags: always
ansible.builtin.file: ansible.builtin.file:
path: /etc/systemd/journald.conf.d path: /etc/systemd/journald.conf.d
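Review bot: The `Discover is wireless adapter on system` task in the `-204,8 +200,7` hunk runs `find /sys/class/net/*/ -type d -name wireless` through `ansible.builtin.command`, which does not go through a shell, so the `*` is handed to `find` literally and the task would presumably report a missing path instead of discovering adapters. Unless the task's remaining lines (outside the hunk) make a non-zero exit non-fatal, the glob needs a shell to expand: `ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless`, which matches the module already used for the `passwd -S root` pipeline elsewhere in this role. The task is unchanged by the commit, so this may be pre-existing behaviour worth a separate fix.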


@ -27,8 +27,7 @@
mode: 'go-rwx' mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when: when: not system_is_container
- not system_is_container
community.general.modprobe: community.general.modprobe:
name: cramfs name: cramfs
state: absent state: absent


@ -13,4 +13,4 @@
ansible.builtin.package: ansible.builtin.package:
name: "*" name: "*"
state: latest state: latest
notify: Change_requires_reboot notify: Set reboot required