standardize handler naming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2023-01-25 09:41:32 +00:00
parent a90941af41
commit 4adb0ec812
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
6 changed files with 13 additions and 13 deletions


@ -56,7 +56,7 @@
- name: Reload dconf - name: Reload dconf
ansible.builtin.shell: dconf update ansible.builtin.shell: dconf update
- name: grub2cfg - name: Grub2cfg
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
tags: tags:
@ -77,18 +77,18 @@
name: systemd-journal-upload name: systemd-journal-upload
state: restarted state: restarted
- name: Systemd_daemon_reload - name: Systemd daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
daemon-reload: true daemon-reload: true
## Auditd tasks note order for handlers to run ## Auditd tasks note order for handlers to run
- name: Auditd_immutable_check - name: Auditd immutable check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false changed_when: false
register: auditd_immutable_check register: auditd_immutable_check
- name: Audit_immutable_fact - name: Audit immutable fact
ansible.builtin.debug: ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set" msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Change_requires_reboot notify: Change_requires_reboot
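Review bot: The `Auditd immutable check` handler runs `grep -c`, which exits 1 when the count is zero, and nothing visible in this hunk overrides the shell module's default of failing on a non-zero rc. If 99_auditd.rules has no line starting with `-e 2`, the handler fails and the handlers that run after it on that host are skipped; that presumably includes `Restart auditd`, which is notified alongside it, so updated audit rules may never be loaded. Adding `failed_when: auditd_immutable_check.rc not in [0, 1]` treats "no match" as a valid result while keeping a missing file (rc 2) fatal. Separately, `notify: Change_requires_reboot` still uses the underscore style this commit moves away from. The `Audit immutable fact` task continues past the end of the hunk, so any `when:` on it is not visible here.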


@ -9,8 +9,8 @@
mode: 0640 mode: 0640
register: audit_rules_updated register: audit_rules_updated
notify: notify:
- Auditd_immutable_check - Auditd immutable check
- Audit_immutable_fact - Audit immutable fact
- Restart auditd - Restart auditd
- name: POST | Set up auditd user logging exceptions - name: POST | Set up auditd user logging exceptions


@ -7,7 +7,7 @@
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600
notify: grub2cfg notify: Grub2cfg
when: when:
- rhel9cis_set_boot_pass - rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1 - rhel9cis_rule_1_4_1


@ -5,7 +5,7 @@
path: /etc/systemd/coredump.conf path: /etc/systemd/coredump.conf
regexp: '^Storage\s*=\s*(?!none).*' regexp: '^Storage\s*=\s*(?!none).*'
line: 'Storage=none' line: 'Storage=none'
notify: Systemd_daemon_reload notify: Systemd daemon reload
when: when:
- rhel9cis_rule_1_5_1 - rhel9cis_rule_1_5_1
- systemd_coredump.stat.exists - systemd_coredump.stat.exists


@ -22,7 +22,7 @@
- enforcing=0 - enforcing=0
register: selinux_grub_patch register: selinux_grub_patch
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
notify: grub2cfg notify: Grub2cfg
when: when:
- rhel9cis_rule_1_6_1_2 - rhel9cis_rule_1_6_1_2
tags: tags:


@ -36,7 +36,7 @@
dest: /etc/default/grub dest: /etc/default/grub
regexp: 'audit=.' regexp: 'audit=.'
replace: 'audit=1' replace: 'audit=1'
notify: grub2cfg notify: Grub2cfg
when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
@ -44,7 +44,7 @@
path: /etc/default/grub path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX=' regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"'
notify: grub2cfg notify: Grub2cfg
when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
when: when:
- rhel9cis_rule_4_1_1_2 - rhel9cis_rule_4_1_1_2
@ -70,7 +70,7 @@
dest: /etc/default/grub dest: /etc/default/grub
regexp: 'audit_backlog_limit=\d+' regexp: 'audit_backlog_limit=\d+'
replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}'
notify: grub2cfg notify: Grub2cfg
when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
@ -78,7 +78,7 @@
path: /etc/default/grub path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX=' regexp: '^GRUB_CMDLINE_LINUX='
line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
notify: grub2cfg notify: Grub2cfg
when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
when: when:
- rhel9cis_rule_4_1_1_3 - rhel9cis_rule_4_1_1_3
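Review bot: In the first hunk of this section, the 4.1.1.2 replace step uses `regexp: 'audit=.'`, which matches only one character after the equals sign. An existing `audit=off` on the kernel command line would be rewritten to `audit=1ff`, leaving early-boot auditing in an undefined state while the task reports a successful change. Matching the whole value, for example `regexp: '\baudit=\S+'`, avoids the leftover characters. The task's module line and name sit above the hunk, so this assumes it is a regexp/replace module as the `dest`/`replace` keys suggest.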