Feb24 updates (#179)

* change logic thanks to @rjacobs1990 see #175 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @ipruteani-sie #134 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Thanks to @stwongst #125 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @sgomez86 #146 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added updates from #115 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed rp_filter in post added in error Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated yamllint precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated fqcn fo json_query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo for virt type query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2024-02-20 15:43:43 +00:00 · 2024-02-20 15:43:43 +00:00 · 40bc7aa082
commit 40bc7aa082
parent 06ec3de5c4
13 changed files with 21 additions and 55 deletions
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@ -125,6 +125,7 @@
              env:
                ANSIBLE_HOST_KEY_CHECKING: "false"
                ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_INJECT_FACT_VARS: "false"

          # Remove test system - User secrets to keep if necessary

--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@ -114,6 +114,7 @@
              env:
                ANSIBLE_HOST_KEY_CHECKING: "false"
                ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_INJECT_FACT_VARS: "false"

          # Remove test system - User secrets to keep if necessary

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -62,6 +62,6 @@ repos:
    - ansible-core>=2.10.1

 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.34.0  # or higher tag
+  rev: v1.35.1  # or higher tag
  hooks:
  - id: yamllint
--- a/README.md
+++ b/README.md
@ -132,8 +132,8 @@ os_check: false
 - python-def (should be included in RHEL 9)
 - libselinux-python
 - pip packages
-  - jmespath ( complete list found in requirements.txt)
- collections found in collections/requirememnts.yml
+  - jmespath
+- collections found in collections/requirements.yml

 pre-commit is available if installed on your host for pull request testing.

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -424,21 +424,6 @@ rhel9cis_rule_6_2_16: true
 # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
 rhel9cis_tmp_svc: false

-## Control 1.1.9
-rhel9cis_allow_autofs: false
-
-## Control 1.2.1
-# This is the login information for your RedHat Subscription
-# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
-# The intent here is to use a password utility like Ansible Vault here
-rhel9cis_rh_sub_user: user
-rhel9cis_rh_sub_password: password  # pragma: allowlist secret
-
-## Control 1.2.2
-# Do you require rhnsd
-# RedHat Satellite Subscription items
-rhel9cis_rhnsd_required: false
-
 ## Control 1.2.4
 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
 # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks
@ -455,7 +440,7 @@ rhel9cis_rule_enable_repogpg: true
 # must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
 # this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'  # pragma: allowlist secret
-rhel9cis_bootloader_password: random  # pragma: allowlist secret
+
 ## Control 1.4.1
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
@ -781,11 +766,6 @@ rhel9cis_firewall: firewalld
 # to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used.
 rhel9cis_default_zone: public

-# These settings are added to demonstrate how this update can be done (eventually will require a new control)
-rhel9cis_firewalld_ports:
-    - number: 80
-      protocol: tcp
-
 ## Control 3.4.2.2 - Ensure at least one nftables table exists
 # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables
 # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered!
@ -1230,8 +1210,6 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true

-rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-
 ## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable
 # This boolean variable governs if current role should follow filesystem links for changes to
 # user home directory.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -3,7 +3,7 @@

 - name: Check OS version and family
  ansible.builtin.assert:
-      that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
+      that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
      fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
      success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
  when:
@ -66,7 +66,7 @@
 - name: Ensure root password is set
  block:
      - name: Ensure root password is set
-        ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
+        ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
        changed_when: false
        register: root_passwd_set

@ -102,7 +102,7 @@
            - system_is_container
  when:
      - ansible_connection == 'docker' or
-        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+        ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
      - container_discovery
      - always
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -26,19 +26,6 @@
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"

- name: POST | Update usr sysctl
-  ansible.builtin.lineinfile:
-      dest: /usr/lib/sysctl.d/50-default.conf
-      regexp: "{{ item.regexp }}"
-      line: "{{ item.line }}"
-  loop:
-      - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
-      - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
-  when:
-      - rhel9cis_sysctl_update
-      - not system_is_container
-      - "'procps-ng' in ansible_facts.packages"
-
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers

--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -28,7 +28,7 @@

      - name: Capture post-audit result
        ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+            post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}"
        vars:
            summary: summary."summary-line"

--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -95,7 +95,7 @@

      - name: Pre Audit | Capture pre-audit result
        ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+            pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}"
        vars:
            summary: summary."summary-line"

--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -97,7 +97,7 @@

 - name: "PRELIM | Section 1.1 | Create list of mount points"
  ansible.builtin.set_fact:
-      mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
+      mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@ -64,12 +64,11 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
  ansible.builtin.file:
      path: "{{ item.path }}"
-      mode: '0640'
-  loop: "{{ auditd_conf_files.files }}"
+      mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
      label: "{{ item.path }}"
  when:
-      - item.mode != '06(0|4)0'
      - rhel9cis_rule_4_1_4_5
  tags:
      - level2-server
@ -82,7 +81,7 @@
  ansible.builtin.file:
      path: "{{ item.path }}"
      owner: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
      label: "{{ item.path }}"
  when:
@ -98,7 +97,7 @@
  ansible.builtin.file:
      path: "{{ item.path }}"
      group: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
      label: "{{ item.path }}"
  when:
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -173,7 +173,7 @@

      - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
        ansible.builtin.debug:
-            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel_09_6_1_10_unowned_files_found

      - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
@ -220,7 +220,7 @@

      - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
        ansible.builtin.debug:
-            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel_09_6_1_11_ungrouped_files_found

      - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
@ -277,7 +277,7 @@

      - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
        ansible.builtin.debug:
-            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel9_6_1_13_suid_found

      - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
@ -320,7 +320,7 @@

      - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
        ansible.builtin.debug:
-            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel9_6_1_14_sgid_found

      - name: "6.1.14 | AUDIT | Audit SGID executables| warning"
--- a/vars/main.yml
+++ b/vars/main.yml
@ -16,4 +16,4 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0

-gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"
+gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"