ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

updated yamllint, company naming, linting and spacing

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-04 11:45:13 +00:00
parent 1b694832bb
commit 2de8a39cdc
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
66 changed files with 461 additions and 675 deletions
Download patch file Download diff file Expand all files Collapse all files

50
tasks/main.yml
View file

@ -2,22 +2,19 @@
# tasks file for RHEL9-CIS
- name: "Check OS version and family"
when: os_check
tags: always
ansible.builtin.assert:
that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
when:
- os_check
tags:
- always
- name: "Check ansible version"
tags: always
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
tags:
- always
- name: "Setup rules if container"
when:
@ -36,8 +33,7 @@
file: "{{ container_vars_file }}"
- name: "Output if discovered is a container"
when:
- system_is_container
when: system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
@ -51,8 +47,7 @@
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- always
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
@ -81,23 +76,22 @@
vars:
sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" # noqa name[template]
ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: prelim_ansible_user_password_set
- name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"
- name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template]
when: prelim_ansible_user_password_set.stdout == "not found"
ansible.builtin.debug:
msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
- name: "Check local account"
when:
- prelim_ansible_user_password_set.stdout != "not found"
when: prelim_ansible_user_password_set.stdout != "not found"
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert:
that:
- prelim_ansible_user_password_set.stdout | length != 0
@ -105,7 +99,7 @@
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert:
that:
- not prelim_ansible_user_password_set.stdout.startswith("!")
@ -113,10 +107,8 @@
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
- name: "PRELIM | AUDIT | Check authselect profile is selected"
when:
- rhel9cis_allow_authselect_updates
tags:
- always
when: rhel9cis_allow_authselect_updates
tags: always
block:
- name: "PRELIM | AUDIT | Check authselect profile name has been updated"
ansible.builtin.assert:
@ -136,8 +128,7 @@
fail_msg: Authselect updates have been selected there are issues with profile selection"
- name: "Ensure root password is set"
when:
- rhel9cis_rule_5_4_2_4
when: rhel9cis_rule_5_4_2_4
tags:
- level1-server
- level1-workstation
@ -158,14 +149,12 @@
success_msg: "You have a root password set"
- name: "Gather the package facts"
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
- name: "Include OS specific variables"
tags:
- always
tags: always
ansible.builtin.include_vars:
file: "{{ ansible_facts.distribution }}.yml"
@ -213,8 +202,7 @@
- name: "Run auditd logic"
when: update_audit_template
tags:
- always
tags: always
ansible.builtin.import_tasks:
file: auditd.yml
@ -226,8 +214,7 @@
file: post.yml
- name: "Run post_remediation audit"
when:
- run_audit
when: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
@ -238,7 +225,6 @@
- name: "If Warnings found Output count and control IDs affected"
when: warn_count != 0
tags:
- always
tags: always
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"