1.2.2 rpm gpg key check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-25 06:33:06 +00:00 · 2022-07-25 11:26:27 +01:00 · 2022-07-25 11:26:27 +01:00 · 28bbc2ff5f
commit 28bbc2ff5f
parent 22326c5de6
4 changed files with 36 additions and 9 deletions
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -20,8 +20,36 @@
      - skip_ansible_lint  # Added as no_log still errors on ansuible-lint

 - name: "1.2.2 | AUDIT | Ensure GPG keys are configured"
-  shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\""
-  changed_when: false
+  block:
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
+        shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
+        changed_when: false
+        failed_when: false
+        register: os_installed_pub_keys
+
+      #- debug:
+      #    msg: "{{ os_installed_pub_keys }}"
+
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys"
+        shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\""
+        register: os_gpg_key_check
+        changed_when: false
+        failed_when: false
+        when: os_installed_pub_keys.rc == 0
+
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass"
+        debug:
+            msg: "Congratulations !! - The installed gpg keys match expected values"
+        when: 
+            - os_installed_pub_keys.rc == 0
+            - os_gpg_key_check.rc == 0
+
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail"
+        fail:
+            msg: Installed GPG Keys do not meet expected values or keys installed that are not expected
+        when:
+            - os_installed_pub_keys.rc == 1 or
+              os_gpg_key_check.rc == 1
  when:
      - rhel9cis_rule_1_2_2
      - ansible_distribution == "RedHat" or