ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-26 15:13:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge pull request #33 from ansible-lockdown/rule_6_2_16

Browse source 
new option to 6_2_16 not follow symlinks
This commit is contained in:
uk-bolly 2023-02-20 11:07:01 +00:00 committed by GitHub
commit 2b906aa3a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 17 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/linux_benchmark_testing.yml vendored
View file

@ -91,7 +91,7 @@ jobs:
- name: add urandom passwd to root account - name: add urandom passwd to root account
shell: bash shell: bash
run: | run: |
ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc [:print:] | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc [:print:] | head -c50 | passwd --stdin root" -b
# Run the ansible playbook # Run the ansible playbook
- name: Run_Ansible_Playbook - name: Run_Ansible_Playbook

7
Changelog.md
View file

@ -1,5 +1,12 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 1.0.1
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow ynlink in hoe directoris and amend permissions.
- rhel_09_6_2_16_home_follow_symlink: false
## Initial CIS v1.0.0 - released Dec 2022 ## Initial CIS v1.0.0 - released Dec 2022
### Official CIS release ### Official CIS release

10
defaults/main.yml
View file

@ -653,8 +653,14 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable # RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
rhel9cis_no_world_write_adjust: true rhel9cis_no_world_write_adjust: true
rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
# 6.2.9
rhel9cis_dotperm_ansiblemanaged: true
# 6.2.16
## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
rhel_09_6_2_16_home_follow_symlinks: false
#### Goss Configuration Settings #### #### Goss Configuration Settings ####
# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_run_script_environment: audit_run_script_environment:

1
tasks/section_6/cis_6.2.x.yml
View file

@ -436,6 +436,7 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
mode: go-w mode: go-w
follow: "{{ rhel_09_6_2_16_home_follow_symlinks }}"
loop: "{{ user_dot_files.files }}" loop: "{{ user_dot_files.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"