Merge branch 'benchmark_v2.0.0' into interactive_user_update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 22:37:11 +00:00 · 2025-05-28 16:14:18 +01:00 · 2025-05-28 16:14:18 +01:00 · 3197252611
commit 3197252611
parent 7673c2ff00 2256456f0e
7 changed files with 24 additions and 21 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -12,7 +12,7 @@ os_check: true
 # Disruption is high
 ## Run tests that are considered higher risk and could have a system impact if not properly tested
 ## Default false
-## Will be fine if clean new unconfigured build
+## Will be fine if clean new un configured build
 rhel9cis_disruption_high: false

 ## Switching on/off specific baseline sections
@ -513,7 +513,7 @@ rhel9cis_rule_7_2_9: true

 ## Section 1 vars

-## Ability to enabe debug on mounts to assist in troubleshooting
+## Ability to enable debug on mounts to assist in troubleshooting
 # Mount point changes are set based upon facts created in Prelim
 # these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
 rhel9cis_debug_mount_data: false
@ -723,6 +723,7 @@ rhel9cis_ipv6_required: true
 ## 3.1.2 wireless network requirements
 # if wireless adapter found allow network manager to be installed
 rhel9cis_install_network_manager: false
+rhel9cis_network_manager_package_name: NetworkManager
 # 3.3 System network parameters (host only OR host and router)
 # This variable governs whether specific CIS rules
 # concerned with acceptance and routing of packages are skipped.
@ -815,7 +816,7 @@ rhel9cis_sshd_clientalivecountmax: 3
 rhel9cis_sshd_clientaliveinterval: 15

 ## Control 5.1.12 - disable forwarding
-# By Default this will also disablex11 forwarding
+# By Default this will also disable x11 forwarding
 # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
 rhel9cis_sshd_x11forwarding: 'no'

@ -1045,14 +1046,14 @@ rhel9cis_bash_umask: '0027'  # 0027 or more restrictive
 # These are discovered via logins.def if set true
 rhel9cis_discover_int_uid: true
 # This variable sets the minimum number from which to search for UID
-# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
+# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
 # been set to `true`.
 min_int_uid: 1000
 ### Controls:
 # - Ensure local interactive user home directories exist
 # - Ensure local interactive users own their home directories
 # This variable sets the maximum number at which the search stops for UID
-# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
+# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
 # been set to `true`.
 max_int_uid: 65533

--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@ -1,15 +1,5 @@
 ---

- name: Audit_Only | Create local Directories for hosts
-  when: fetch_audit_files
-  ansible.builtin.file:
-    mode: 'u+x,go-w'
-    path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
-    recurse: true
-    state: directory
-  delegate_to: localhost
-  become: false
-
 - name: Audit_only | Show Audit Summary
  when: audit_only
  ansible.builtin.debug:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -17,7 +17,9 @@
    success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"

 - name: "Setup rules if container"
-  when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  when:
+    - ansible_connection == 'docker' or
+      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"
  tags:
    - container_discovery
    - always
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -254,6 +254,14 @@
    mode: 'go-rwx'
    state: touch

+- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
+  when:
+    - rhel9cis_rule_5_1_10 or
+      rhel9cis_rule_5_1_11
+  ansible.builtin.stat:
+    path: /etc/ssh/sshd_config.d/50-redhat.conf
+  register: discovered_sshd_50_redhat_file
+
 - name: "PRELIM | AUDIT | Capture pam security related files"
  tags: always
  ansible.builtin.find:
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -39,7 +39,7 @@
    warn_control_id: '3.1.2'
  block:
    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
-      when: "'network-manager' in ansible_facts.packages"
+      when: "rhel9cis_network_manager_package_name in ansible_facts.packages"
      ansible.builtin.command: nmcli radio wifi
      changed_when: false
      failed_when: false
@ -48,19 +48,19 @@

    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
      when:
-        - "'network-manager' in ansible_facts.packages"
+        - "rhel9cis_network_manager_package_name in ansible_facts.packages"
        - "'enabled' in discovered_wifi_status.stdout"
      ansible.builtin.command: nmcli radio all off
      changed_when: discovered_nmcli_radio_off.rc == 0
      register: discovered_nmcli_radio_off

    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
-      when: "'network-manager' not in ansible_facts.packages"
+      when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
      ansible.builtin.debug:
        msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed"

    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count"
-      when: "'network-manager' not in ansible_facts.packages"
+      when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -276,6 +276,7 @@
      notify: Restart sshd

    - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
+      when: discovered_sshd_50_redhat_file.stat.exists
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/50-redhat.conf
        regexp: ^(?i)(#|)\s*X11Forwarding
@ -298,6 +299,7 @@
    - NIST800-53R5_IA-5
  block:
    - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
+      when: discovered_sshd_50_redhat_file.stat.exists
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/50-redhat.conf
        regexp: ^(?i)(#|)\s*GSSAPIAuthentication
--- a/tasks/section_7/cis_7.2.x.yml
+++ b/tasks/section_7/cis_7.2.x.yml
@ -220,7 +220,7 @@
    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
      when: discovered_group_check.stdout | length > 0
      ansible.builtin.debug:
-        msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}"
+        msg: "Warning!! The following group names are duplicates: {{ discovered_group_check.stdout_lines }}"

    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
      when: discovered_group_check.stdout | length > 0