diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
index d0a9eaa..1c99b62 100644
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@@ -7,7 +7,7 @@
 path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install cramfs(\\s|$)"
 line: "install cramfs /bin/true"
- create: yes
+ create: true
 mode: 0600
 - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
@@ -32,7 +32,7 @@
 path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install squashfs(\\s|$)"
 line: "install squashfs /bin/true"
- create: yes
+ create: true
 mode: 0600
 - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
@@ -57,7 +57,7 @@
 path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install udf(\\s|$)"
 line: "install udf /bin/true"
- create: yes
+ create: true
 mode: 0600
 - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
index d43d768..d7db5a6 100644
--- a/tasks/section_1/cis_1.1.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.x.yml
@@ -11,7 +11,7 @@
 - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - required_mount not in mount_names
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
index 6dbc1d2..9e4feb8 100644
--- a/tasks/section_1/cis_1.1.3.x.yml
+++ b/tasks/section_1/cis_1.1.3.x.yml
@@ -13,7 +13,7 @@
 - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - required_mount not in mount_names
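Review bot: `mode: 0600` beside the new `create: true` is still an unquoted octal even though this commit is normalising the file for the linter; quote it as `mode: '0600'` so YAML 1.2 parsers and ansible-lint's risky-octal rule cannot misread it. The same task sets no `owner`/`group` on `/etc/modprobe.d/CIS.conf`, while the usb-storage task further down this diff writes the same file with `owner: root` and `group: root`, so the three filesystem tasks here should be aligned rather than leaving ownership to whichever account creates the file first. Separately, the managed line is `install cramfs /bin/true`; as far as I recall the CIS RHEL 9 text uses `/bin/false` and adds a `blacklist cramfs` entry, so if the role tracks that revision the `line:` value deserves a follow-up outside this lint commit. The rest of the task definition is outside the hunk.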
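Review bot: The task name on the last context line of the udf hunk reads `Ensure mounting of udf filesystems is disable`, dropping the trailing `d`; since the name is what appears in play output and in any reporting keyed on the CIS title, correct it to `Ensure mounting of udf filesystems is disabled` to match the cramfs and squashfs tasks above it. The remainder of that task is outside the hunk.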
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
index 62c4306..d05db6a 100644
--- a/tasks/section_1/cis_1.1.4.x.yml
+++ b/tasks/section_1/cis_1.1.4.x.yml
@@ -14,7 +14,7 @@
 - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - required_mount not in mount_names
@@ -68,4 +68,4 @@
 - skip_ansible_lint
 - rule_1.1.4.2
 - rule_1.1.4.3
- - rule_1.1.4.4
\ No newline at end of file
+ - rule_1.1.4.4
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
index 985b3d8..dd4ab9f 100644
--- a/tasks/section_1/cis_1.1.5.x.yml
+++ b/tasks/section_1/cis_1.1.5.x.yml
@@ -13,7 +13,7 @@
 - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - required_mount not in mount_names
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
index 47bcba7..afbe41a 100644
--- a/tasks/section_1/cis_1.1.6.x.yml
+++ b/tasks/section_1/cis_1.1.6.x.yml
@@ -13,7 +13,7 @@
 - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - required_mount not in mount_names
@@ -66,4 +66,4 @@
 - skip_ansible_lint
 - rule_1.1.6.2
 - rule_1.1.6.3
- - rule_1.1.6.4
\ No newline at end of file
+ - rule_1.1.6.4
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
index 6ba442d..59f28ba 100644
--- a/tasks/section_1/cis_1.1.7.x.yml
+++ b/tasks/section_1/cis_1.1.7.x.yml
@@ -13,7 +13,7 @@
 - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - required_mount not in mount_names
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
index a61a6af..26ae877 100644
--- a/tasks/section_1/cis_1.1.8.x.yml
+++ b/tasks/section_1/cis_1.1.8.x.yml
@@ -13,7 +13,7 @@
 shell: mount -l | grep -E '\s/dev/shm\s'
 changed_when: false
 failed_when: false
- check_mode: no
+ check_mode: false
 register: rhel9cis_1_1_8_x_dev_shm_status
 - name: |
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index a77e524..ea5c862 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -3,7 +3,7 @@
 - name: "1.1.9 | PATCH | Disable Automounting"
 service:
 name: autofs
- enabled: no
+ enabled: false
 when:
 - not rhel9cis_allow_autofs
 - "'autofs' in ansible_facts.packages"
@@ -24,7 +24,7 @@
 path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install usb-storage(\\s|$)"
 line: "install usb-storage /bin/true"
- create: yes
+ create: true
 owner: root
 group: root
 mode: 0600
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 4d8cd68..81e996d 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -27,7 +27,7 @@
 failed_when: false
 register: os_installed_pub_keys
- #- debug:
+ # - debug:
 # msg: "{{ os_installed_pub_keys }}"
 - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys"
@@ -40,7 +40,7 @@
 - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass"
 debug:
 msg: "Congratulations !! - The installed gpg keys match expected values"
- when:
+ when:
 - os_installed_pub_keys.rc == 0
 - os_gpg_key_check.rc == 0
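Review bot: `enabled: false` on the autofs `service` task only removes the unit from the boot targets; nothing in this hunk stops a daemon that is already running, so automounting stays active until the next reboot on a host where autofs is up when the role runs. Add `state: stopped` alongside `enabled: false`, or move to the `systemd` module with `masked: true` and `state: stopped`, which is (if I recall the current text correctly) what the benchmark's `systemctl --now mask autofs` remediation does. The `when:` guard on `rhel9cis_allow_autofs` and the package fact is fine as written.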
@@ -96,7 +96,7 @@
 changed_when: false
 failed_when: false
 register: dnf_configured
- check_mode: no
+ check_mode: false
 args:
 warn: false
@@ -109,7 +109,7 @@
 - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + ['rule_1.2.4']"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - rhel9cis_rule_1_2_4
 tags:
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 6ac4979..8ba419e 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -58,7 +58,7 @@
 path: /etc/systemd/system/rescue.service.d/00-require-auth.conf
 regexp: '^ExecStart='
 line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
- create: yes
+ create: true
 owner: root
 group: root
 mode: 0644
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
index 494176d..f2b231e 100644
--- a/tasks/section_1/cis_1.6.1.x.yml
+++ b/tasks/section_1/cis_1.6.1.x.yml
@@ -84,7 +84,7 @@
 - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
 when:
 - rhel9cis_rule_1_6_1_5
@@ -121,4 +121,4 @@
 - level1-workstation
 - automated
 - patch
- - rule_1.6.1.7
\ No newline at end of file
+ - rule_1.6.1.7
diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml
index a126a0a..f47d2a1 100644
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@@ -21,7 +21,7 @@
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
 state: present
- create: yes
+ create: true
 owner: root
 group: root
 mode: 0644
@@ -50,7 +50,7 @@
 path: "{{ item.file }}"
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
- create: yes
+ create: true
 owner: root
 group: root
 mode: 0644
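Review bot: The `args:` / `warn: false` pair left as context beneath the new `check_mode: false` passes the `warn` option to what is presumably a `shell`/`command` task (the option exists only there), and that option was deprecated in ansible-core 2.11 and removed in 2.14, so on a current controller the 1.2.4 audit fails with an unsupported-parameter error instead of running. Drop the two lines `args:` and `warn: false`; the command warning they suppressed no longer exists on the cores a RHEL 9 role will realistically run under. The consumer of the registered `dnf_configured` result is outside the hunk, so I cannot see whether it also depends on `rc` from a failed run.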
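Review bot: The rescue-mode drop-in writes `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue` into `rescue.service.d/00-require-auth.conf` with no preceding empty `ExecStart=`; for a unit that is not `Type=oneshot`, drop-in `ExecStart=` values accumulate rather than replace and systemd refuses to load a service with more than one, so on an image whose stock `rescue.service` already carries an `ExecStart=` this drop-in could stop rescue mode from starting at all rather than requiring authentication — please confirm with `systemd-analyze verify rescue.service` on a target. If that is what happens, manage the file as a whole (a `copy` task with `content:` holding `[Service]`, a bare `ExecStart=` reset line, then the sulogin line) instead of `lineinfile`, which cannot express the reset. The `[Service]` header task and this task's name are outside the hunk.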
@@ -93,7 +93,10 @@
 path: /etc/dconf/db/local.d/00-media-automount
 regexp: "{{ item.regex }}"
 line: "{{ item.line }}"
- create: yes
+ create: true
+ owner: root
+ group: root
+ mode: 0644
 notify: reload dconf
 with_items:
 - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
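Review bot: The newly added `mode: 0644` is an unquoted octal; since the three added lines exist precisely to make the created file's ownership and permissions explicit, quote it as `mode: '0644'` so the value does not depend on the leading-zero heuristic under YAML 1.2 parsers or trip ansible-lint's risky-octal rule. Adding `owner`/`group`/`mode` is the right call for a file that `create: true` may bring into existence, and the existing `notify: reload dconf` stays necessary because dconf only picks up `local.d` keyfiles when its database is rebuilt; that handler is outside the hunk. Any further `with_items` entries beyond the visible `media-handling` section header are also outside the hunk.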