ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Updates from Public

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-09-10 12:57:50 -04:00
parent a1d88edde0
commit 67c574d8a9
No known key found for this signature in database
GPG key ID: D29987C25A47D813
10 changed files with 32 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tasks/section_5/cis_5.1.x.yml
View file

@ -80,6 +80,7 @@
when:
- rhel9cis_rule_5_1_4
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -108,6 +109,7 @@
when:
- rhel9cis_rule_5_1_5
- "'NO-SHA1' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation
@ -136,6 +138,7 @@
when:
- rhel9cis_rule_5_1_6
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
- rhel9cis_crypto_policy_ansiblemanaged
tags:
- level1-server
- level1-workstation

3
tasks/section_5/cis_5.4.1.x.yml
View file

@ -24,6 +24,7 @@
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
check_mode: false
register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
@ -64,7 +65,7 @@
- rhel9cis_force_user_mindays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass_min_days }}"
password_expire_min: "{{ rhel9cis_pass_min_days }}"
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"

4
tasks/section_5/cis_5.4.2.x.yml
View file

@ -139,7 +139,7 @@
ansible.builtin.stat:
path: "{{ item }}"
loop: "{{ discovered_root_paths_split.stdout_lines }}"
register: paths_stat
register: discovered_root_paths_stat
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
ansible.builtin.file:
@ -148,7 +148,7 @@
owner: root
group: root
mode: 'go-w'
loop: "{{ paths_stat.results }}"
loop: "{{ discovered_root_paths_stat.results }}"
when: not item.stat.exists
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"