added check mode logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2025-05-23 14:34:30 +01:00
parent 2b37d0d732
commit 15bf03c754
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9


@ -25,6 +25,7 @@
ansible.builtin.shell: > ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false changed_when: false
check_mode: false
register: prelim_interactive_usernames register: prelim_interactive_usernames
- name: "PRELIM | AUDIT | Interactive User accounts home directories" - name: "PRELIM | AUDIT | Interactive User accounts home directories"
@ -32,6 +33,7 @@
ansible.builtin.shell: > ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
changed_when: false changed_when: false
check_mode: false
register: prelim_interactive_users_home register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs" - name: "PRELIM | AUDIT | Interactive UIDs"
@ -39,6 +41,7 @@
ansible.builtin.shell: > ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
changed_when: false changed_when: false
check_mode: false
register: prelim_interactive_uids register: prelim_interactive_uids
- name: "PRELIM | AUDIT | Capture /etc/password variables" - name: "PRELIM | AUDIT | Capture /etc/password variables"
@ -64,6 +67,7 @@
ansible.builtin.shell: | ansible.builtin.shell: |
mount | awk '{print $1, $3, $5, $6}' mount | awk '{print $1, $3, $5, $6}'
changed_when: false changed_when: false
check_mode: false
register: prelim_mount_output register: prelim_mount_output
- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks
@ -100,6 +104,7 @@
ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false
register: prelim_check_gpg_imported register: prelim_check_gpg_imported
- name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module - name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module
@ -328,12 +333,14 @@
ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false
register: prelim_uid_min_id register: prelim_uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs" - name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs"
ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false
register: prelim_uid_max_id register: prelim_uid_max_id
- name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges" - name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges"
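Review bot: The three interactive-account tasks that now also run under `--check` do not filter on the same set of shells: the username task tests `$7 != "/dev/null"`, while the home-directory and UID tasks omit it. As a result `prelim_interactive_users_home` and `prelim_interactive_uids` can list accounts that `prelim_interactive_usernames` leaves out; adding `&& $7 != "/dev/null"` to the other two awk conditions would align them, which matters if later controls pair these lists (not visible here). The shared `grep -E -v '^(root|halt|sync|shutdown)'` pattern also has no terminator, so any account whose name merely begins with one of those words is dropped from the audit; `'^(root|halt|sync|shutdown):'` would exclude only the exact names. Each added `check_mode: false` would benefit from a short comment such as `# read-only query; must run under --check so the registered result is populated`, because the flag makes the command execute on the target even in a dry run. The task definitions begin above each hunk, so their names and any `when:` conditions are not shown.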