ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

revamp set facts premlim_ max_int_uid and prelim_min_int_uid

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-04-23 12:47:22 -04:00
parent 350b30dfe4
commit 42024903e3
No known key found for this signature in database
GPG key ID: D29987C25A47D813
2 changed files with 14 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

4
defaults/main.yml
View file

@ -1048,14 +1048,14 @@ rhel9cis_discover_int_uid: true
# This variable sets the minimum number from which to search for UID # This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
# been set to `true`. # been set to `true`.
prelim_min_int_uid: 1000 min_int_uid: 1000
### Controls: ### Controls:
# - Ensure local interactive user home directories exist # - Ensure local interactive user home directories exist
# - Ensure local interactive users own their home directories # - Ensure local interactive users own their home directories
# This variable sets the maximum number at which the search stops for UID # This variable sets the maximum number at which the search stops for UID
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
# been set to `true`. # been set to `true`.
prelim_max_int_uid: 65533 max_int_uid: 65533
## Section6 vars ## Section6 vars
## Control 6.1.x - allow aide to be configured ## Control 6.1.x - allow aide to be configured

21
tasks/prelim.yml
View file

@ -320,24 +320,27 @@
patterns: '*.conf,*.rules' patterns: '*.conf,*.rules'
register: prelim_auditd_conf_files register: prelim_auditd_conf_files
- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" - name: "PRELIM | AUDIT | Discover Interactive UID_MIN and UID_MAX from /etc/login.defs"
when: rhel9cis_discover_int_uid when: rhel9cis_discover_int_uid
tags: always tags: always
block: block:
- name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MIN from /etc/login.defs"
ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs
changed_when: false changed_when: false
failed_when: false
register: prelim_uid_min_id register: prelim_uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs"
ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs
changed_when: false changed_when: false
failed_when: false
register: prelim_uid_max_id register: prelim_uid_max_id
- name: "PRELIM | AUDIT | Set Fact for interactive uid/gid" - name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges"
ansible.builtin.set_fact: tags: always
prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}" ansible.builtin.set_fact:
prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}" prelim_min_int_uid: "{{ prelim_uid_min_id.stdout | default(min_int_uid) }}"
prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}"
- name: "PRELIM | AUDIT | Gather the package facts after prelim" - name: "PRELIM | AUDIT | Gather the package facts after prelim"
tags: tags: