ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

QA Fixes

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-05-15 16:48:44 -04:00
parent ee5f604a66
commit 23b2909073
No known key found for this signature in database
GPG key ID: D29987C25A47D813
8 changed files with 20 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

19
Changelog.md
View file

@ -1,5 +1,10 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 2.0.0 - Based on CIS v2.0.0
- May 2025 QA Fixes
- Typo fixes and Banner verbiage
## 1.1.6 - Based on CIS v1.0.0 ## 1.1.6 - Based on CIS v1.0.0
- #190 - thanks to @ipruteanu-sie - #190 - thanks to @ipruteanu-sie
@ -14,7 +19,7 @@
- updated controls 6.2.10-6.2.14 - updated controls 6.2.10-6.2.14
- audit - audit
- steps moved to prelim - steps moved to prelim
- update to coipy and archive logic and variables - update to copy and archive logic and variables
- removed vars not used - removed vars not used
- updated quotes used in mode tasks - updated quotes used in mode tasks
- pre-commit update - pre-commit update
@ -48,7 +53,7 @@
- lint updates - lint updates
- .secrets updated - .secrets updated
- file mode quoted - file mode quoted
- updated 5.6.5 thansk to feedback from S!ghs on discord community - updated 5.6.5 thanks to feedback from S!ghs on discord community
## 1.1.1 - Based on CIS v1.0.0 ## 1.1.1 - Based on CIS v1.0.0
@ -80,7 +85,7 @@
## 1.0.10 ## 1.0.10
- [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72)
- Only run check when paybook user not a superuser - Only run check when playbook user not a superuser
- fix for 5.5.3 thanks to @nrg-fv - fix for 5.5.3 thanks to @nrg-fv
## 1.0.9 ## 1.0.9
@ -152,7 +157,7 @@ Jan-2023 release
- updated ansible minimum to 2.10 - updated ansible minimum to 2.10
- Lint file updates and improvements - Lint file updates and improvements
- auditd now shows diff ater initial template added - auditd now shows diff after initial template added
- many control rewritten - many control rewritten
- Many controls moved ID references - Many controls moved ID references
- Audit updates aligned - Audit updates aligned
@ -217,11 +222,11 @@ Jan-2023 release
- not all controls work with rhel8 releases any longer - not all controls work with rhel8 releases any longer
- selinux disabled 1.6.1.4 - selinux disabled 1.6.1.4
- logrotate - 4.3.x - logrotate - 4.3.x
- updated to rhel8cis v2.0 benchamrk requirements - updated to rhel8cis v2.0 benchmark requirements
- removed iptables firewall controls (not valid on rhel9) - removed iptables firewall controls (not valid on rhel9)
- added more to logrotate 4.3.x - sure to logrotate now a seperate package - added more to logrotate 4.3.x - sure to logrotate now a separate package
- grub path now standard to /boot/grub2/grub.cfg - grub path now standard to /boot/grub2/grub.cfg
- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer - 1.6.1.4 from rh8 removed as selinux.cfg doesn't disable selinux any longer
- workflow update - workflow update
- removed doc update - removed doc update

4
defaults/main.yml
View file

@ -116,7 +116,7 @@ audit_log_dir: '/opt'
fetch_audit_output: false fetch_audit_output: false
# Method of getting,uploading the summary files # Method of getting,uploading the summary files
## Ensure access and permissions are avaiable for these to occur. ## Ensure access and permissions are available for these to occur.
## options are ## options are
# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller) # fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
# copy - copies file to a location available to the managed node # copy - copies file to a location available to the managed node
@ -587,7 +587,7 @@ rhel9cis_crypto_policy_module: ''
# - 1.7.2 - Ensure local login warning banner is configured properly # - 1.7.2 - Ensure local login warning banner is configured properly
# - 1.7.3 - Ensure remote login warning banner is configured properly # - 1.7.3 - Ensure remote login warning banner is configured properly
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). # This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported.
# End Banner # End Banner
## Control 1.8.x - Settings for GDM ## Control 1.8.x - Settings for GDM

1
tasks/LE_audit_setup.yml
View file

@ -1,4 +1,5 @@
--- ---
- name: Pre Audit Setup | Set audit package name - name: Pre Audit Setup | Set audit package name
block: block:
- name: Pre Audit Setup | Set audit package name | 64bit - name: Pre Audit Setup | Set audit package name | 64bit

1
tasks/audit_only.yml
View file

@ -1,4 +1,5 @@
--- ---
- name: Audit_Only | Create local Directories for hosts - name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files when: fetch_audit_files
ansible.builtin.file: ansible.builtin.file:

4
tasks/main.yml
View file

@ -17,9 +17,7 @@
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container" - name: "Setup rules if container"
when: when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags: tags:
- container_discovery - container_discovery
- always - always

3
tasks/post.yml
View file

@ -28,8 +28,7 @@
- name: POST | reboot system if changes require it and not skipped - name: POST | reboot system if changes require it and not skipped
when: change_requires_reboot when: change_requires_reboot
tags: tags: always
- always
vars: vars:
warn_control_id: Reboot_required warn_control_id: Reboot_required
block: block:

2
tasks/prelim.yml
View file

@ -200,7 +200,7 @@
tags: tags:
- always - always
block: block:
- name: "PRELIM | AUDIT | Discover is wirelss adapter on system" - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
register: discover_wireless_adapters register: discover_wireless_adapters
changed_when: false changed_when: false

2
vars/is_container.yml
View file

@ -2,7 +2,7 @@
# File to skip controls if container # File to skip controls if container
# Based on standard image no changes # Based on standard image no changes
# it expected all pkgs required for the container are alreday installed # it expected all pkgs required for the container are already installed
## controls ## controls