mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
lint updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
1992eea6da
commit
3df35e03a0
14 changed files with 58 additions and 55 deletions
|
|
@ -14,7 +14,7 @@
|
|||
name: net.ipv4.route.flush
|
||||
value: '1'
|
||||
sysctl_set: true
|
||||
ignore_errors: true
|
||||
ignore_errors: true # noqa ignore-errors
|
||||
when:
|
||||
- flush_ipv4_route
|
||||
- not system_is_container
|
||||
|
|
@ -78,7 +78,7 @@
|
|||
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
|
||||
args:
|
||||
warn: false
|
||||
ignore_errors: true
|
||||
ignore_errors: true # noqa ignore-errors
|
||||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
regexp: 'selinux=0'
|
||||
replace: ''
|
||||
register: selinux_grub_patch
|
||||
ignore_errors: yes
|
||||
ignore_errors: true # noqa ignore-errors
|
||||
notify: grub2cfg
|
||||
when:
|
||||
- rhel9cis_rule_1_6_1_2
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
name: "{{ item }}"
|
||||
enabled: false
|
||||
masked: true
|
||||
ignore_errors: true
|
||||
ignore_errors: true # noqa ignore-errors
|
||||
with_items:
|
||||
- iptables
|
||||
- ip6tables
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@
|
|||
service:
|
||||
name: auditd
|
||||
state: started
|
||||
enabled: yes
|
||||
enabled: true
|
||||
when:
|
||||
- rhel9cis_rule_4_1_1_2
|
||||
tags:
|
||||
|
|
@ -44,7 +44,7 @@
|
|||
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_4_1_1_3_grub_cmdline_linux
|
||||
|
||||
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
|
||||
|
|
@ -79,7 +79,7 @@
|
|||
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_4_1_1_4_grub_cmdline_linux
|
||||
|
||||
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@
|
|||
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: priv_procs
|
||||
|
||||
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
|
||||
service:
|
||||
name: rsyslog
|
||||
enabled: yes
|
||||
enabled: true
|
||||
when:
|
||||
- rhel9cis_rule_4_2_1_2
|
||||
tags:
|
||||
|
|
@ -65,10 +65,10 @@
|
|||
block:
|
||||
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
|
||||
command: cat /etc/rsyslog.conf
|
||||
become: yes
|
||||
become: true
|
||||
changed_when: false
|
||||
failed_when: no
|
||||
check_mode: no
|
||||
failed_when: false
|
||||
check_mode: false
|
||||
register: rhel_08_4_2_1_5_audit
|
||||
|
||||
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
systemd:
|
||||
name: systemd-journal-upload
|
||||
state: started
|
||||
enabled: yes
|
||||
enabled: true
|
||||
when:
|
||||
- rhel9cis_system_is_log_server
|
||||
- rhel9cis_rule_4_2_2_1_3
|
||||
|
|
@ -55,8 +55,8 @@
|
|||
systemd:
|
||||
name: systemd-journal-remote.socket
|
||||
state: stopped
|
||||
enabled: no
|
||||
masked: yes
|
||||
enabled: false
|
||||
masked: true
|
||||
when:
|
||||
- not rhel9cis_system_is_log_server
|
||||
- rhel9cis_rule_4_2_2_1_4
|
||||
|
|
@ -74,7 +74,7 @@
|
|||
systemd:
|
||||
name: systemd-journald
|
||||
state: started
|
||||
enabled: yes
|
||||
enabled: true
|
||||
|
||||
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
|
||||
shell: systemctl is-enabled systemd-journald.service
|
||||
|
|
@ -91,7 +91,7 @@
|
|||
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
|
||||
when:
|
||||
- rhel9cis_rule_4_2_2_2
|
||||
|
|
@ -203,7 +203,7 @@
|
|||
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when:
|
||||
- rhel9cis_rule_4_2_2_7
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
|
||||
service:
|
||||
name: crond
|
||||
enabled: yes
|
||||
enabled: true
|
||||
when:
|
||||
- rhel9cis_rule_5_1_1
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -275,15 +275,15 @@
|
|||
- name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
|
||||
shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
changed_when: false
|
||||
failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
|
||||
register: ssh_crypto_discovery
|
||||
|
||||
|
||||
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
|
||||
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
notify: restart sshd
|
||||
when: ssh_crypto_discovery.stdout | length > 0
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
shell: 'authselect current | grep "Profile ID: custom/"'
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_4_1_profiles
|
||||
|
||||
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
|
||||
|
|
@ -18,7 +18,7 @@
|
|||
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
|
||||
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
when: rhel9cis_authselect_custom_profile_create
|
||||
when:
|
||||
- rhel9cis_rule_5_4_1
|
||||
|
|
@ -36,7 +36,7 @@
|
|||
shell: "authselect current | grep with-faillock"
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_4_2_profiles_faillock
|
||||
|
||||
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
|
||||
|
|
@ -48,7 +48,7 @@
|
|||
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
|
||||
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
when: rhel9cis_authselect_custom_profile_select
|
||||
when:
|
||||
- rhel9cis_rule_5_4_2
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@
|
|||
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_6_1_4_inactive_settings
|
||||
|
||||
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
|
||||
shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel_8_5_6_1_4_user_list
|
||||
|
||||
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
|
||||
|
|
@ -84,14 +84,14 @@
|
|||
shell: echo $(($(date --utc --date "$1" +%s)/86400))
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_6_1_5_currentut
|
||||
|
||||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
|
||||
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_6_1_5_user_list
|
||||
|
||||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
|
||||
|
|
@ -109,7 +109,7 @@
|
|||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when:
|
||||
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
||||
- not rhel9cis_futurepwchgdate_autofix
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@
|
|||
|
||||
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
|
||||
blockinfile:
|
||||
create: yes
|
||||
create: true
|
||||
mode: 0644
|
||||
dest: "{{ item.dest }}"
|
||||
state: "{{ item.state }}"
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
- name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages"
|
||||
shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: rhel9cis_6_1_1_packages_rpm
|
||||
|
|
@ -16,6 +16,9 @@
|
|||
copy:
|
||||
dest: "{{ rhel9cis_rpm_audit_file }}"
|
||||
content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
|
||||
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
|
||||
debug:
|
||||
|
|
@ -26,7 +29,7 @@
|
|||
- name: "6.1.1 | AUDIT | Audit system file permissions | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_6.1.1' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0
|
||||
|
||||
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies"
|
||||
|
|
@ -46,7 +49,7 @@
|
|||
- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories"
|
||||
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_6.2.2' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1
|
||||
when:
|
||||
- rhel9cis_rule_6_2_2
|
||||
|
|
@ -73,7 +73,7 @@
|
|||
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_6.2.3' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1
|
||||
when:
|
||||
- rhel9cis_rule_6_2_3
|
||||
|
|
@ -107,7 +107,7 @@
|
|||
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_6.2.4' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1
|
||||
|
||||
when:
|
||||
|
|
@ -142,7 +142,7 @@
|
|||
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_6.2.5' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1
|
||||
when:
|
||||
- rhel9cis_rule_6_2_5
|
||||
|
|
@ -161,7 +161,7 @@
|
|||
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_6_2_6_group_group_check
|
||||
|
||||
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
|
||||
|
|
@ -177,7 +177,7 @@
|
|||
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_6.2.6' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
|
||||
when:
|
||||
- rhel9cis_rule_6_2_6
|
||||
|
|
@ -194,23 +194,23 @@
|
|||
block:
|
||||
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value"
|
||||
shell: 'echo $PATH | grep ::'
|
||||
changed_when: False
|
||||
changed_when: false
|
||||
failed_when: rhel9cis_6_2_7_path_colon.rc == 0
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_6_2_7_path_colon
|
||||
|
||||
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end"
|
||||
shell: 'echo $PATH | grep :$'
|
||||
changed_when: False
|
||||
changed_when: false
|
||||
failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_6_2_7_path_colon_end
|
||||
|
||||
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
|
||||
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
|
||||
changed_when: False
|
||||
changed_when: false
|
||||
failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines'
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_6_2_7_dot_in_path
|
||||
|
||||
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
|
||||
|
|
@ -280,7 +280,7 @@
|
|||
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
|
||||
file:
|
||||
path: "{{ item.0 }}"
|
||||
recurse: yes
|
||||
recurse: true
|
||||
mode: a-st,g-w,o-rwx
|
||||
register: rhel_08_6_2_9_patch
|
||||
when:
|
||||
|
|
@ -296,12 +296,12 @@
|
|||
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
|
||||
acl:
|
||||
path: "{{ item.0 }}"
|
||||
default: yes
|
||||
default: true
|
||||
state: present
|
||||
recursive: yes
|
||||
recursive: true
|
||||
etype: "{{ item.1.etype }}"
|
||||
permissions: "{{ item.1.mode }}"
|
||||
when:
|
||||
when:
|
||||
- not system_is_container
|
||||
with_nested:
|
||||
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
|
||||
|
|
@ -368,7 +368,7 @@
|
|||
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
|
||||
file:
|
||||
path: "{{ item.0 }}"
|
||||
recurse: yes
|
||||
recurse: true
|
||||
mode: a-st,g-w,o-rwx
|
||||
register: rhel_08_6_2_11_patch
|
||||
when:
|
||||
|
|
@ -384,12 +384,12 @@
|
|||
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
|
||||
acl:
|
||||
path: "{{ item.0 }}"
|
||||
default: yes
|
||||
default: true
|
||||
state: present
|
||||
recursive: yes
|
||||
recursive: true
|
||||
etype: "{{ item.1.etype }}"
|
||||
permissions: "{{ item.1.mode }}"
|
||||
when:
|
||||
when:
|
||||
- not system_is_container
|
||||
with_nested:
|
||||
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue