diff --git a/handlers/main.yml b/handlers/main.yml index 2009fa2..27e4a56 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -98,11 +98,11 @@ - name: Auditd immutable check ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false - register: auditd_immutable_check + register: discovered_auditd_immutable_check - name: Audit immutable fact when: - - auditd_immutable_check.stdout == '1' + - discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot diff --git a/tasks/auditd.yml b/tasks/auditd.yml index ac5b8f8..502497c 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -3,7 +3,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/99_auditd.rules - register: rhel9cis_auditd_file + register: discovered_auditd_rules_file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file ansible.builtin.template: @@ -12,8 +12,8 @@ owner: root group: root mode: '0640' - diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file - register: rhel9cis_auditd_template_updated + diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file + register: discovered_auditd_rules_template_updated notify: - Auditd immutable check - Audit immutable fact @@ -21,8 +21,8 @@ - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler when: - - rhel9cis_auditd_template_updated.changed - - rhel9cis_auditd_file.stat.exists + - discovered_auditd_rules_template_updated.changed + - discovered_auditd_rules_file.stat.exists ansible.builtin.import_tasks: file: warning_facts.yml vars: 
@@ -31,7 +31,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/98_auditd_exceptions.rules - register: rhel9cis_auditd_exception_file + register: discovered_auditd_exception_file - name: POST | Set up auditd user logging exceptions | setup file when: @@ -43,5 +43,5 @@ owner: root group: root mode: '0640' - diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" + diff: "{{ discovered_auditd_exception_file.stat.exists }}" notify: Restart auditd diff --git a/tasks/main.yml b/tasks/main.yml index 1dd529e..4598f85 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -86,29 +86,29 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_ansible_user_password_set + register: prelim_ansible_user_password_set - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" - when: rhel9cis_ansible_user_password_set.stdout == "not found" + when: prelim_ansible_user_password_set.stdout == "not found" ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." - name: "Check local account" when: - - rhel9cis_ansible_user_password_set.stdout != "not found" + - prelim_ansible_user_password_set.stdout != "not found" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" ansible.builtin.assert: that: - - rhel9cis_ansible_user_password_set.stdout | length != 0 - - rhel9cis_ansible_user_password_set.stdout != "!!" + - prelim_ansible_user_password_set.stdout | length != 0 + - prelim_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" ansible.builtin.assert: that: - - not rhel9cis_ansible_user_password_set.stdout.startswith("!") + - not prelim_ansible_user_password_set.stdout.startswith("!") fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" 
@@ -149,11 +149,11 @@ - name: "Ensure root password is set" ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" changed_when: false - register: root_passwd_set + register: prelim_root_passwd_set - name: "Ensure root password is set" ansible.builtin.assert: - that: root_passwd_set.rc == 0 + that: prelim_root_passwd_set.rc == 0 fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set" success_msg: "You have a root password set" diff --git a/tasks/post.yml b/tasks/post.yml index b3909bf..198d9c0 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -18,7 +18,6 @@ owner: root group: root mode: '0600' - register: sysctl_updated notify: Reload sysctl loop: - 60-kernel_sysctl.conf diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 9a2c2ce..3a3304c 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -60,11 +60,11 @@ - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: goss_available + register: discovered_goss_available - name: Pre Audit Setup | If audit ensure goss is available when: - - not goss_available.stat.exists + - not discovered_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index c6ee203..d5ea30f 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml 
@@ -18,19 +18,19 @@ ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false - register: os_installed_pub_keys + register: discovered_os_installed_pub_keys - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false - register: os_gpg_key_check - when: os_installed_pub_keys.rc == 0 + register: discovered_os_gpg_key_check + when: discovered_os_installed_pub_keys.rc == 0 - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" when: - - os_installed_pub_keys.rc == 1 or - os_gpg_key_check.rc == 1 + - discovered_os_installed_pub_keys.rc == 1 or + discovered_os_gpg_key_check.rc == 1 ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or expected keys are not installed @@ -48,14 +48,14 @@ ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" - register: yum_repos + register: discovered_yum_repos - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" - loop: "{{ yum_repos.files }}" + loop: "{{ discovered_yum_repos.files }}" loop_control: label: "{{ item.path }}" @@ -82,14 +82,14 @@ ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" - register: repo_files + register: discovered_repo_files - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: path: "{{ item.path }}" regexp: '^repo_gpgcheck( |)=( |)0' replace: repo_gpgcheck=1 - loop: "{{ repo_files.files }}" + loop: "{{ discovered_repo_files.files }}" loop_control: label: "{{ item.path }}" 
@@ -110,14 +110,14 @@ ansible.builtin.shell: dnf repolist changed_when: false failed_when: false - register: dnf_configured + register: discovered_dnf_configured check_mode: false - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" ansible.builtin.debug: msg: - "Warning!! Below are the configured repos. Please review and make sure all align with site policy" - - "{{ dnf_configured.stdout_lines }}" + - "{{ discovered_dnf_configured.stdout_lines }}" - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 197e474..f3f67f8 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -34,7 +34,6 @@ loop: - selinux=0 - enforcing=0 - register: selinux_grub_patch ignore_errors: true # noqa ignore-errors notify: Grub2cfg @@ -108,17 +107,17 @@ block: - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_3_1_6_unconf_services + register: discovered_unconf_services failed_when: false changed_when: false - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" - when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0 + when: discovered_unconf_services.stdout | length > 0 ansible.builtin.debug: - msg: "Warning!! You have unconfined services: {{ rhelcis_1_3_1_6_unconf_services.stdout_lines }}" + msg: "Warning!! You have unconfined services: {{ discovered_unconf_services.stdout_lines }}" - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0 + when: discovered_unconf_services.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml 
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index f497f15..5d9441e 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -55,12 +55,12 @@ owner: root group: root mode: '0640' - register: no_sha1_template + register: discovered_no_sha1_template - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}" - changed_when: no_sha1_template is defined + changed_when: discovered_no_sha1_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -86,12 +86,12 @@ owner: root group: root mode: '0640' - register: no_weakmac_template + register: discovered_no_weakmac_template - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}" - changed_when: no_weakmac_template is defined + changed_when: discovered_no_weakmac_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -116,12 +116,12 @@ owner: root group: root mode: '0640' - register: no_sshcbc_template + register: discovered_no_sshcbc_template - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}" - changed_when: no_sshcbc_template is defined + changed_when: discovered_no_sshcbc_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy 
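Review bot: Switching `changed_when` from `is defined` to `discovered_no_sha1_template is changed` ties the notification of `Update Crypto Policy` / `Set Crypto Policy` to the 1.6.3 template task having changed in this run, while `rhel9cis_crypto_policy_module` is still extended with `NO-SHA1` unconditionally. If the template file already exists from an earlier run that stopped before its handlers executed, the submodule is appended to the fact but the policy is never re-applied, so the intended hardening silently does not take effect; consider also notifying when the currently active policy (`update-crypto-policies --show`) does not already carry the submodule, or adding an unconditional final verification task. The same pattern applies to the 1.6.4 and 1.6.5 hunks on this line and to the 1.6.6 and 1.6.7 hunks on the next.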
@@ -146,12 +146,12 @@ owner: root group: root mode: '0640' - register: no_sshweakciphers_template + register: discovered_no_sshweakciphers_template - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}" - changed_when: no_sshweakciphers_template is defined + changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -176,12 +176,12 @@ owner: root group: root mode: '0640' - register: no_sshetm_template + register: discovered_no_sshetm_template - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}" - changed_when: no_sshetm_template is defined + changed_when: discovered_no_sshetm_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 2e46de4..87fe46e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -89,16 +89,16 @@ become: true changed_when: false failed_when: false - register: rhel9cis_5_2_4_authenticate + register: discovered_priv_reauth - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: rhel9cis_5_2_4_authenticate.stdout | length > 0 + when: discovered_priv_reauth.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ rhel9cis_5_2_4_authenticate.stdout_lines }}" + loop: "{{ discovered_priv_reauth.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" when: diff --git a/tasks/section_5/cis_5.3.1.x.yml b/tasks/section_5/cis_5.3.1.x.yml index b8a5576..ce5ae8a 100644 --- a/tasks/section_5/cis_5.3.1.x.yml +++ b/tasks/section_5/cis_5.3.1.x.yml @@ -32,10 +32,10 @@ ansible.builtin.package: name: authselect state: latest - register: rhel9cis_authselect_update + register: discovered_authselect_updated - name: "5.3.1.2 | AUDIT | Ensure latest version of authselect is installed | Patch" - when: rhel9cis_authselect_update.changed # noqa no-handler + when: discovered_authselect_updated.changed # noqa no-handler ansible.builtin.set_fact: authselect_update: OK diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 3996edc..18e9cfd 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml 
@@ -136,11 +136,11 @@ ansible.builtin.shell: | grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth changed_when: false - failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ] - register: rhel9cis_authselect_pam_unix + failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ] + register: discovered_discovered_authselect_pam_unix - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth" - when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout" + when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth regexp: "{{ item.regexp }}" @@ -154,7 +154,7 @@ notify: Authselect update - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth" - when: "'password-auth:password' not in rhel9cis_authselect_pam_unix.stdout" + when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth line: "{{ item.line }}" diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 6c04d33..21a03ee 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml 
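Review bot: The audit task for 5.3.2.5 now registers `discovered_discovered_authselect_pam_unix` (doubled prefix), but both consuming `when:` conditions on the system-auth and password-auth patch tasks read `discovered_authselect_pam_unix.stdout`, so those tasks will fail with an undefined-variable error unless that name happens to be set elsewhere. Use the single-prefix name in the audit task: `failed_when: discovered_authselect_pam_unix.rc not in [ 0, 1 ]` and `register: discovered_authselect_pam_unix`. The second hunk (password-auth) is the same consumer and needs no further change once the register is corrected.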
@@ -12,9 +12,9 @@ block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/password-auth /etc/pam.d/system-auth - register: rhel9_pwhistory_remember changed_when: false - failed_when: rhel9_pwhistory_remember.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] + register: discovered_pwhistory_remember - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file" ansible.builtin.lineinfile: @@ -59,9 +59,9 @@ block: - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth - register: rhel9_pwhistory_enforce_for_root + register: discovered_pwhistory_enforce_for_root changed_when: false - failed_when: rhel9_pwhistory_enforce_for_root.rc not in [0, 1] + failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1] - name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file" ansible.builtin.lineinfile: @@ -72,7 +72,7 @@ - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set" when: - not rhel9cis_allow_authselect_updates - - rhel9_pwhistory_enforce_for_root.stdout | length == 0 + - discovered_pwhistory_enforce_for_root.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}" 
@@ -83,7 +83,7 @@ - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set" when: - rhel9cis_allow_authselect_updates - - rhel9_pwhistory_enforce_for_root.stdout | length == 0 + - discovered_pwhistory_enforce_for_root.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" @@ -106,9 +106,9 @@ block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth - register: rhel9_pwhistory_use_authtok + register: discovered_pwhistory_use_authtok changed_when: false - failed_when: rhel9_pwhistory_use_authtok.rc not in [0, 1] + failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok" ansible.builtin.lineinfile: @@ -119,7 +119,7 @@ - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set" when: - not rhel9cis_allow_authselect_updates - - rhel9_pwhistory_use_authtok.stdout | length == 0 + - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}" @@ -130,7 +130,7 @@ - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - - rhel9_pwhistory_use_authtok.stdout | length == 0 + - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" 
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 95f8064..898444f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -16,10 +16,10 @@ ansible.builtin.package: name: aide state: present - register: aide_installed + register: discovered_aide_installed - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - when: aide_installed.changed # noqa: no-handler + when: discovered_aide_installed.changed # noqa: no-handler block: - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" ansible.builtin.shell: /usr/sbin/aide --init diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 603e471..1a2a8aa 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml 
@@ -32,26 +32,26 @@ - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: path: /etc/tmpfiles.d/systemd.conf - register: tmpfile_override + register: discovered_tmpfile_override - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" - when: tmpfile_override.stat.exists + when: discovered_tmpfile_override.stat.exists ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf - register: journald_fileperms_override + register: discovered_journald_fileperms_override changed_when: false - failed_when: journald_fileperms_override.rc not in [ 0, 1 ] + failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ] - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 9e42ee2..5af5fcd 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml 
@@ -89,13 +89,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel_09_6_2_3_5_audit + register: discovered_configured_rsyslog - name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_09_4_2_1_5_audit.stdout_lines }}" + - "{{ discovered_configured_rsyslog.stdout_lines }}" - name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting" when: rhel9cis_rsyslog_ansiblemanaged @@ -193,10 +193,10 @@ # target can be IP or FQDN *.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF - register: result failed_when: - - result is failed - - result.rc != 257 + - discovered_rsyslog_remote_host is failed + - discovered_rsyslog_remote_host.rc != 257 + register: discovered_rsyslog_remote_host notify: Restart rsyslog - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index 7e7e479..d279259 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -88,7 +88,7 @@ changed_when: false failed_when: false check_mode: false - register: priv_procs + register: discovered_priv_procs - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" ansible.builtin.set_fact: diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 8d0a730..232b224 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml 
@@ -187,18 +187,18 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: rhel_09_7_1_11_perms_results + register: discovered_world_writable - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" when: - - rhel_09_7_1_11_perms_results.stdout_lines is defined - - rhel_09_7_1_11_perms_results.stdout_lines | length > 0 + - discovered_world_writable.stdout_lines is defined + - discovered_world_writable.stdout_lines | length > 0 - rhel9cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}" + loop: "{{ discovered_world_writable.stdout_lines }}" - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bfb925b..bf2d191 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -30,7 +30,7 @@ -w /etc/sysconfig/network-scripts -p wa -k system-locale {% endif %} {% if rhel9cis_rule_6_3_3_6 %} -{% for proc in priv_procs.stdout_lines -%} +{% for proc in discovered_priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k privileged {% endfor %} {% endif %}