diff --git a/defaults/main.yml b/defaults/main.yml index 7edfc83..1bffc3f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -405,7 +405,7 @@ rhel9cis_aide_cron: rhel9cis_selinux_pol: targeted # Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: no +rhel9cis_gui: false # Set to 'true' if X Windows is needed in your environment rhel9cis_xwindows_required: false @@ -539,7 +539,7 @@ rhel9cis_vartmp: source: /tmp fstype: none opts: "defaults,nodev,nosuid,noexec,bind" - enabled: no + enabled: false ## PAM rhel9cis_pam_password: minlen: "14" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 29b7d86..6a9ef7b 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -4,8 +4,8 @@ block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" shell: cat /etc/passwd - changed_when: no - check_mode: no + changed_when: false + check_mode: false register: rhel9cis_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" diff --git a/tasks/post.yml b/tasks/post.yml index c51fc76..c5f225f 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -4,7 +4,7 @@ - name: Perform DNF package cleanup dnf: autoremove: true - changed_when: no + changed_when: false - name: trigger update sysctl shell: /bin/true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 239c7b6..43206cb 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -4,33 +4,33 @@ - name: "PRELIM | List users accounts" shell: "awk -F: '{print $1}' /etc/passwd" args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: users - name: "PRELIM | Gather accounts with empty password fields" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: empty_password_accounts - name: "PRELIM | Gather UID 0 accounts other than root" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: uid_zero_accounts_except_root - name: "PRELIM | Gather system-wide crypto-policy" shell: update-crypto-policies --show args: - warn: no - changed_when: no - check_mode: no + warn: false + changed_when: false + check_mode: false register: system_wide_crypto_policy - name: "PRELIM | if systemd coredump" @@ -50,15 +50,16 @@ state: present become: true when: + - '"auditd" not in ansible_facts.packages' - rhel9cis_level_2 or rhel9cis_rule_4_1_1_1 - - '"auditd" not in ansible_facts.packages' + - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false - check_mode: no + check_mode: false register: priv_procs tags: - always diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index fa381ad..dc8ae32 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
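Review bot: `warn: false` under `args:` is re-spelled but kept on all four shell tasks in the `@@ -4,33 +4,33 @@` hunk, and the `warn` parameter of the command/shell modules was removed in ansible-core 2.14, so on a current controller these tasks fail with an unsupported-parameter error before the audit runs; the fix is to delete the `args:` / `warn:` pair rather than change its value. The same retained lines appear in the cis_1.1.x.yml, cis_2.2.x.yml, cis_3.4.2.x.yml and cis_3.4.3.x.yml hunks. Separately, the two awk pipelines end with `END {exit j}` and `END {exit i}`, so any non-zero count of empty-password or non-root UID-0 accounts makes the gathering task itself fail with a non-zero rc instead of registering the list; if that is not intended, add `failed_when: false` beside the new `changed_when: false` and evaluate the registered result in the rule that consumes it.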
@@ -7,7 +7,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" @@ -32,7 +32,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install vfat(\\s|$)" line: "install vfat /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" @@ -58,7 +58,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" @@ -83,7 +83,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 279084d..2becc11 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -256,7 +256,7 @@ warn: false changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_1_1_15_dev_shm_status - name: | @@ -325,7 +325,7 @@ - name: "1.1.22 | L1 | PATCH | Disable Automounting" service: name: autofs - enabled: no + enabled: false when: - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" @@ -345,7 +345,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 12c4d03..9580f53 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
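Review bot: `mode: 0600`, the context line directly below each `create: true` in the four cis_1.1.1.x.yml hunks, is left as an unquoted octal literal, which is the same class of YAML implicit-typing issue this commit fixes for the booleans: a YAML 1.1 loader turns `0600` into the integer 384 before Ansible sees it. Ansible's documentation says integer modes work only sometimes and that octal modes should be passed as quoted strings, and ansible-lint reports this as `risky-octal`; change each to `mode: "0600"`. The same applies to `mode: 0600` in the cis_1.1.x.yml usb-storage hunk and in the four cis_3.3.x.yml hunks, and to `mode: 0644` in the cis_1.8.2.yml and cis_2.2.1.x.yml hunks.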
@@ -23,7 +23,7 @@ service: name: rhnsd state: stopped - enabled: no + enabled: false masked: true when: - ansible_distribution == "RedHat" @@ -84,7 +84,7 @@ changed_when: false failed_when: false register: dnf_configured - check_mode: no + check_mode: false - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml index 378da5c..ded7128 100644 --- a/tasks/section_1/cis_1.7.1.x.yml +++ b/tasks/section_1/cis_1.7.1.x.yml @@ -19,7 +19,7 @@ regexp: '(selinux|enforcing)\s*=\s*0\s*' replace: '' register: selinux_grub_patch - ignore_errors: yes + ignore_errors: true notify: grub2cfg when: - rhel9cis_rule_1_7_1_2 diff --git a/tasks/section_1/cis_1.8.2.yml b/tasks/section_1/cis_1.8.2.yml index 2062c69..be371dc 100644 --- a/tasks/section_1/cis_1.8.2.yml +++ b/tasks/section_1/cis_1.8.2.yml @@ -6,7 +6,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present - create: yes + create: true owner: root group: root mode: 0644 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml index fbdf9c1..78f52ae 100644 --- a/tasks/section_2/cis_2.2.1.x.yml +++ b/tasks/section_2/cis_2.2.1.x.yml @@ -29,7 +29,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" state: present - create: yes + create: true mode: 0644 when: - rhel9cis_time_synchronization == "chrony" diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 08197cc..f21bcd0 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -7,7 +7,7 @@ args: warn: false failed_when: xorg_x11_installed.rc >=2 - check_mode: no + check_mode: false changed_when: false register: xorg_x11_installed @@ -32,7 +32,7 @@ service: name: rsyncd state: stopped - enabled: no + enabled: false when: - not rhel9cis_rsyncd_server - "'rsyncd' in ansible_facts.packages" 
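Review bot: `ignore_errors: true` on the grub `replace` task in the cis_1.7.1.x.yml hunk means a failure to strip `selinux=0` / `enforcing=0` from the bootloader configuration is swallowed while the play still reports success, so SELinux could stay disabled at boot with no failed task pointing at it. Since the result is already registered as `selinux_grub_patch`, prefer removing `ignore_errors: true`, or narrowing it to the one expected failure with a `failed_when:` expression, so that a real patch failure surfaces and the `grub2cfg` handler is only notified on a genuine change. The task's name, `path:` and any `when:` guard on file existence are above the hunk, so I cannot see whether a guard already limits this.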
@@ -47,7 +47,7 @@ service: name: avahi-daemon state: stopped - enabled: no + enabled: false when: - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages" @@ -65,7 +65,7 @@ service: name: snmpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" @@ -80,7 +80,7 @@ service: name: squid state: stopped - enabled: no + enabled: false when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" @@ -95,7 +95,7 @@ service: name: smb state: stopped - enabled: no + enabled: false when: - not rhel9cis_smb_server - "'samba' in ansible_facts.packages" @@ -110,7 +110,7 @@ service: name: dovecot state: stopped - enabled: no + enabled: false when: - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" @@ -125,7 +125,7 @@ service: name: httpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" @@ -140,7 +140,7 @@ service: name: vsftpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" @@ -155,7 +155,7 @@ service: name: named state: stopped - enabled: no + enabled: false when: - not rhel9cis_named_server - "'bind' in ansible_facts.packages" @@ -170,7 +170,7 @@ service: name: nfs-server state: stopped - enabled: no + enabled: false when: - not rhel9cis_nfs_rpc_server - "'nfs-utils' in ansible_facts.packages" @@ -188,7 +188,7 @@ service: name: rpcbind state: stopped - enabled: no + enabled: false when: - not rhel9cis_nfs_rpc_server - "'rpcbind' in ansible_facts.packages" @@ -206,7 +206,7 @@ service: name: slapd state: stopped - enabled: no + enabled: false when: - not rhel9cis_ldap_server - "'openldap-servers' in ansible_facts.packages" @@ -224,7 +224,7 @@ service: name: dhcpd state: stopped - enabled: no + enabled: false when: - not rhel9cis_dhcp_server - "'dhcp' in ansible_facts.packages" 
@@ -242,7 +242,7 @@ service: name: cups state: stopped - enabled: no + enabled: false when: - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" @@ -260,7 +260,7 @@ service: name: ypserv state: stopped - enabled: no + enabled: false when: - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 8789558..0b49ba4 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -5,7 +5,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install dccp(\\s|$)" line: "install dccp /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_1 @@ -20,7 +20,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install sctp(\\s|$)" line: "install sctp /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_2 @@ -35,7 +35,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install rds(\\s|$)" line: "install rds /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_3 @@ -50,7 +50,7 @@ dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install tipc(\\s|$)" line: "install tipc /bin/true" - create: yes + create: true mode: 0600 when: - rhel9cis_rule_3_3_4 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 1a13db9..b199ac9 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -4,7 +4,7 @@ service: name: firewalld state: started - enabled: yes + enabled: true when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_1 @@ -19,9 +19,9 @@ name: iptables enabled: false masked: true - ignore_errors: true when: - rhel9cis_firewall == "firewalld" + - "'iptables' in ansible_facts.packages" - rhel9cis_rule_3_4_2_2 tags: - skip_ansible_lint @@ -37,6 +37,7 @@ masked: true when: - rhel9cis_firewall == "firewalld" + - "'nftables' in ansible_facts.packages" - rhel9cis_rule_3_4_2_3 tags: - level1-server 
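Review bot: The new guard `"'iptables' in ansible_facts.packages"` in the `@@ -19,9 +19,9 @@` hunk of cis_3.4.2.x.yml keys on a package literally named `iptables`, but on RHEL 9 the `iptables.service` unit is shipped by an `iptables-services`-style package (`iptables-nft-services`, if I recall correctly) and the userspace package is `iptables-nft`, so the key may never match; verify with `rpm -qf /usr/lib/systemd/system/iptables.service` on a target. If it does not match, the task that disables and masks iptables is silently skipped, and with `ignore_errors: true` now removed there is no signal either way, leaving iptables enabled alongside firewalld while the play reports clean. A guard on the unit rather than the package, e.g. `"'iptables.service' in ansible_facts.services"` (requires `service_facts` to have been gathered), or on the package that actually owns the unit file, would be more robust; the nftables guard added in the `@@ -37,6 +37,7 @@` hunk is fine because package and unit share the name `nftables`.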
@@ -65,7 +66,7 @@ warn: false changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_2_5_interfacepolicy - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" @@ -90,7 +91,7 @@ warn: false changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_2_6_servicesport - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml index 46c8f01..4212139 100644 --- a/tasks/section_3/cis_3.4.3.x.yml +++ b/tasks/section_3/cis_3.4.3.x.yml @@ -44,7 +44,7 @@ shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" args: warn: false - failed_when: no + failed_when: false when: rhel9cis_nft_tables_autonewtable when: - rhel9cis_firewall == "nftables" @@ -96,7 +96,7 @@ shell: "{{ item }}" args: warn: false - failed_when: no + failed_when: false with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } @@ -294,7 +294,7 @@ - name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled" service: name: nftables - enabled: yes + enabled: true when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_3_7 diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.4.1.x.yml index e36fa3b..a18e7ef 100644 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ b/tasks/section_3/cis_3.4.4.1.x.yml @@ -136,7 +136,7 @@ - name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" service: name: iptables - enabled: yes + enabled: true state: started when: - rhel9cis_firewall == "iptables" 
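Review bot: `failed_when: false` on the `nft create table` and `nft create chain` shell tasks in the two cis_3.4.3.x.yml hunks suppresses every failure, not only the "already exists" case that the idempotent `create` presumably targets: a missing `nft` binary, a malformed `rhel9cis_nft_tables_tablename`, or a permission problem all pass silently and the base table and chains are never created, so later rules operate on a firewall that does not exist. Register the result and narrow the condition, e.g. `register: nft_create` and `failed_when: nft_create.rc != 0 and 'exists' not in nft_create.stderr`, so only the idempotency case is tolerated; the exact stderr text should be confirmed against the nft version on the target, and in the `with_items` task the expression is evaluated per item. The `warn: false` lines in both hunks are also affected by the removal of that parameter in ansible-core 2.14.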
diff --git a/tasks/section_3/cis_3.4.4.2.x.yml b/tasks/section_3/cis_3.4.4.2.x.yml index 4e96f49..be4bf54 100644 --- a/tasks/section_3/cis_3.4.4.2.x.yml +++ b/tasks/section_3/cis_3.4.4.2.x.yml @@ -124,7 +124,7 @@ - name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" service: name: ip6tables - enabled: yes + enabled: true state: started when: - rhel9cis_firewall == "iptables" diff --git a/tasks/section_3/cis_3.6.yml b/tasks/section_3/cis_3.6.yml index 9b39318..4fa1ae5 100644 --- a/tasks/section_3/cis_3.6.yml +++ b/tasks/section_3/cis_3.6.yml @@ -5,7 +5,7 @@ dest: /etc/default/grub regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?