Feb24 updates (#179)

* change logic thanks to @rjacobs1990 see #175

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* thanks to @ipruteani-sie #134

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Thanks to @stwongst #125

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* thanks to @sgomez86 #146

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added updates from #115

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed rp_filter in post added in error

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated yamllint precommit

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated fqcn fo json_query

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix typo for virt type query

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/main.yml

@@ -3,7 +3,7 @@
 
 - name: Check OS version and family
   ansible.builtin.assert:
-      that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
+      that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
       fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
       success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
   when:
@@ -66,7 +66,7 @@
 - name: Ensure root password is set
   block:
       - name: Ensure root password is set
-        ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
+        ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
         changed_when: false
         register: root_passwd_set
 
@@ -102,7 +102,7 @@
             - system_is_container
   when:
       - ansible_connection == 'docker' or
-        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+        ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
       - container_discovery
       - always

tasks/post.yml

@@ -26,19 +26,6 @@
       - not system_is_container
       - "'procps-ng' in ansible_facts.packages"
 
-- name: POST | Update usr sysctl
-  ansible.builtin.lineinfile:
-      dest: /usr/lib/sysctl.d/50-default.conf
-      regexp: "{{ item.regexp }}"
-      line: "{{ item.line }}"
-  loop:
-      - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
-      - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
-  when:
-      - rhel9cis_sysctl_update
-      - not system_is_container
-      - "'procps-ng' in ansible_facts.packages"
-
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers
 

tasks/post_remediation_audit.yml

@@ -28,7 +28,7 @@
 
       - name: Capture post-audit result
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+            post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}"
         vars:
             summary: summary."summary-line"
 

tasks/pre_remediation_audit.yml

@@ -95,7 +95,7 @@
 
       - name: Pre Audit | Capture pre-audit result
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+            pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}"
         vars:
             summary: summary."summary-line"
 

tasks/prelim.yml

@@ -97,7 +97,7 @@
 
 - name: "PRELIM | Section 1.1 | Create list of mount points"
   ansible.builtin.set_fact:
-      mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
+      mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
   tags:
       - level1-server
       - level1-workstation

tasks/section_4/cis_4.1.4.x.yml

@@ -64,12 +64,11 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
   ansible.builtin.file:
       path: "{{ item.path }}"
-      mode: '0640'
-  loop: "{{ auditd_conf_files.files }}"
+      mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
   when:
-      - item.mode != '06(0|4)0'
       - rhel9cis_rule_4_1_4_5
   tags:
       - level2-server
@@ -82,7 +81,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       owner: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
   when:
@@ -98,7 +97,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       group: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
   when:

tasks/section_6/cis_6.1.x.yml

@@ -173,7 +173,7 @@
 
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
         ansible.builtin.debug:
-            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel_09_6_1_10_unowned_files_found
 
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
@@ -220,7 +220,7 @@
 
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
         ansible.builtin.debug:
-            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel_09_6_1_11_ungrouped_files_found
 
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
@@ -277,7 +277,7 @@
 
       - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
         ansible.builtin.debug:
-            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel9_6_1_13_suid_found
 
       - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
@@ -320,7 +320,7 @@
 
       - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
         ansible.builtin.debug:
-            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel9_6_1_14_sgid_found
 
       - name: "6.1.14 | AUDIT | Audit SGID executables| warning"