ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-26 23:13:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

lint and var renaming

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-11-04 18:39:01 +00:00
parent fa13b06b1f
commit 879d9c9a1b
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
18 changed files with 84 additions and 86 deletions
Download patch file Download diff file Expand all files Collapse all files

22
tasks/section_1/cis_1.2.1.x.yml
View file

@ -18,19 +18,19 @@
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false
failed_when: false
register: os_installed_pub_keys
register: discovered_os_installed_pub_keys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: os_gpg_key_check
when: os_installed_pub_keys.rc == 0
register: discovered_os_gpg_key_check
when: discovered_os_installed_pub_keys.rc == 0
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
when:
- os_installed_pub_keys.rc == 1 or
os_gpg_key_check.rc == 1
- discovered_os_installed_pub_keys.rc == 1 or
discovered_os_gpg_key_check.rc == 1
ansible.builtin.fail:
msg: Installed GPG Keys do not meet expected values or expected keys are not installed
@ -48,14 +48,14 @@
ansible.builtin.find:
paths: /etc/yum.repos.d
patterns: "*.repo"
register: yum_repos
register: discovered_yum_repos
- name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
ansible.builtin.replace:
name: "{{ item.path }}"
regexp: "^gpgcheck=0"
replace: "gpgcheck=1"
loop: "{{ yum_repos.files }}"
loop: "{{ discovered_yum_repos.files }}"
loop_control:
label: "{{ item.path }}"
@ -82,14 +82,14 @@
ansible.builtin.find:
paths: /etc/yum.repos.d
patterns: "*.repo"
register: repo_files
register: discovered_repo_files
- name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: '^repo_gpgcheck( |)=( |)0'
replace: repo_gpgcheck=1
loop: "{{ repo_files.files }}"
loop: "{{ discovered_repo_files.files }}"
loop_control:
label: "{{ item.path }}"
@ -110,14 +110,14 @@
ansible.builtin.shell: dnf repolist
changed_when: false
failed_when: false
register: dnf_configured
register: discovered_dnf_configured
check_mode: false
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
ansible.builtin.debug:
msg:
- "Warning!! Below are the configured repos. Please review and make sure all align with site policy"
- "{{ dnf_configured.stdout_lines }}"
- "{{ discovered_dnf_configured.stdout_lines }}"
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
ansible.builtin.import_tasks: