QA Fixes

Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
2026-03-25 22:37:11 +00:00 · 2026-02-10 16:01:05 -05:00 · 2026-02-10 16:01:05 -05:00 · 11becb32c5
commit 11becb32c5
parent 2863be6c02
17 changed files with 132 additions and 58 deletions
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@ -7,6 +7,30 @@
  ansible.builtin.import_tasks:
    file: fetch_audit_output.yml

+- name: Audit_only | Capture audit files to control node
+  when:
+    - audit_only
+    - audit_capture_files_dir is defined
+    - audit_capture_files_dir | length > 0
+  block:
+    - name: Audit_only | Ensure capture directory exists
+      ansible.builtin.file:
+        path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
+        state: directory
+        mode: 'u=rwx,go=rx'
+      become: false
+      delegate_to: localhost
+
+    - name: Audit_only | Copy audit files to capture directory
+      ansible.builtin.fetch:
+        src: "{{ item }}"
+        dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+        flat: true
+      failed_when: false
+      loop:
+        - "{{ pre_audit_outfile }}"
+        - "{{ post_audit_outfile }}"
+
 - name: Audit_only | Show Audit Summary
  when: audit_only
  ansible.builtin.debug:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -97,7 +97,7 @@
              or
                (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
              )
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"

        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -221,6 +221,7 @@

    - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
      when:
+        - rhel9cis_install_network_manager
        - discover_wireless_adapters.rc == 0
        - "'NetworkManager' not in ansible_facts.packages"
      ansible.builtin.package:
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -14,7 +14,9 @@
    - rule_5.3.2.1
  block:
    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
+      when:
+        - rhel9cis_authselect_custom_profile_create
+        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
      ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
      changed_when: false
      args:
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -340,7 +340,7 @@
        - system
      notify: Authselect update

- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
+- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
  when: rhel9cis_rule_5_3_3_2_7
  tags:
    - level1-server
@ -350,8 +350,8 @@
    - NIST800-53R5_IA-5
    - pam
  ansible.builtin.template:
-    src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
-    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
+    src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2"
+    dest: "/{{ rhel9cis_passwd_quality_enforce_file }}"
    owner: root
    group: root
    mode: 'o-rwx'
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -179,7 +179,7 @@
            - item.stat.exists
            - item.stat.isdir
            - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp
-            - (item != 'root') and (not rhel9cis_uses_root)
+            - (item != 'root') and (not rhel9cis_uses_root )
          ansible.builtin.file:
            path: "{{ item.stat.path }}"
            state: directory
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -254,7 +254,7 @@
      ansible.builtin.file:
        path: "{{ item }}"
        owner: "{{ rhel9cis_unowned_owner }}"
-        group: "{{ rhel9cis_unowned_group }}"
+        group: "{{ rhel9cis_ungrouped_group }}"
      with_items:
        - "{{ discovered_unowned_files_flatten }}"