diff --git a/handlers/main.yml b/handlers/main.yml
index a350df0..212eacc 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -56,7 +56,7 @@
 - name: Reload dconf
   ansible.builtin.shell: dconf update
 
-- name: grub2cfg
+- name: Grub2cfg
   ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
   ignore_errors: true # noqa ignore-errors
   tags:
@@ -77,18 +77,18 @@
     name: systemd-journal-upload
     state: restarted
 
-- name: Systemd_daemon_reload
+- name: Systemd daemon reload
   ansible.builtin.systemd:
     daemon-reload: true
 
 ## Auditd tasks note order for handlers to run
 
-- name: Auditd_immutable_check
+- name: Auditd immutable check
   ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
   changed_when: false
   register: auditd_immutable_check
 
-- name: Audit_immutable_fact
+- name: Audit immutable fact
   ansible.builtin.debug:
     msg: "Reboot required for auditd to apply new rules as immutable set"
   notify: Change_requires_reboot
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 632e4d1..6704125 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -9,8 +9,8 @@
     mode: 0640
   register: audit_rules_updated
   notify:
-    - Auditd_immutable_check
-    - Audit_immutable_fact
+    - Auditd immutable check
+    - Audit immutable fact
     - Restart auditd
 
 - name: POST | Set up auditd user logging exceptions
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index af1579f..f2dcaee 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -7,7 +7,7 @@
     owner: root
     group: root
     mode: 0600
-  notify: grub2cfg
+  notify: Grub2cfg
   when:
     - rhel9cis_set_boot_pass
     - rhel9cis_rule_1_4_1
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
index 6d3eb4e..443bfc1 100644
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
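Review bot: The second handlers/main.yml hunk leaves the handler names in a mixed convention: the context line `notify: Change_requires_reboot` still uses the old underscore style while the four handlers renamed here switch to space-separated names. Ansible resolves `notify:` targets by exact string match, so any task outside this diff that still notifies `grub2cfg`, `Systemd_daemon_reload`, `Auditd_immutable_check` or `Audit_immutable_fact` would, as far as I can tell, fail at run time the first time it reports changed rather than silently skip the handler; I can't confirm from the diff that every reference was updated, so a grep for the old names across the role before merge seems worthwhile. If space-separated names are now the convention, `Change_requires_reboot` and its definition should follow in the same change.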
@@ -5,7 +5,7 @@
     path: /etc/systemd/coredump.conf
     regexp: '^Storage\s*=\s*(?!none).*'
     line: 'Storage=none'
-  notify: Systemd_daemon_reload
+  notify: Systemd daemon reload
   when:
     - rhel9cis_rule_1_5_1
     - systemd_coredump.stat.exists
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
index c1fdd79..6c52535 100644
--- a/tasks/section_1/cis_1.6.1.x.yml
+++ b/tasks/section_1/cis_1.6.1.x.yml
@@ -22,7 +22,7 @@
     - enforcing=0
   register: selinux_grub_patch
   ignore_errors: true # noqa ignore-errors
-  notify: grub2cfg
+  notify: Grub2cfg
   when:
     - rhel9cis_rule_1_6_1_2
   tags:
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
index 167f8d2..c430f2d 100644
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ b/tasks/section_4/cis_4.1.1.x.yml
@@ -36,7 +36,7 @@
         dest: /etc/default/grub
         regexp: 'audit=.'
         replace: 'audit=1'
-      notify: grub2cfg
+      notify: Grub2cfg
       when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
 
     - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
@@ -44,7 +44,7 @@
         path: /etc/default/grub
         regexp: '^GRUB_CMDLINE_LINUX='
         line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"'
-      notify: grub2cfg
+      notify: Grub2cfg
       when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
   when:
     - rhel9cis_rule_4_1_1_2
@@ -70,7 +70,7 @@
         dest: /etc/default/grub
         regexp: 'audit_backlog_limit=\d+'
         replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}'
-      notify: grub2cfg
+      notify: Grub2cfg
       when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
 
     - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
@@ -78,7 +78,7 @@
         path: /etc/default/grub
         regexp: '^GRUB_CMDLINE_LINUX='
         line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
-      notify: grub2cfg
+      notify: Grub2cfg
       when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
   when:
     - rhel9cis_rule_4_1_1_3