section1 v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2024-07-19 17:01:23 +01:00 · 2024-07-19 17:01:23 +01:00 · 8b58d71e4b
commit 8b58d71e4b
parent cf4376f1f7
47 changed files with 2181 additions and 1707 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -36,20 +36,34 @@
      path: /tmp
      state: remounted

+- name: Update Crypto Policy
+  ansible.builtin.set_fact:
+    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
+  notify: Set Crypto Policy
+
+- name: Set Crypto Policy
+  when: rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
+  ansible.builtin.shell: |
+    update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
+    update-crypto-policies
+  notify:
+    - Change_requires_reboot
+    - Restart sshd
+
 - name: Restart firewalld
  ansible.builtin.systemd:
-      name: firewalld
-      state: restarted
+    name: firewalld
+    state: restarted

 - name: Restart sshd
  ansible.builtin.systemd:
-      name: sshd
-      state: restarted
+    name: sshd
+    state: restarted

 - name: Restart postfix
  ansible.builtin.systemd:
-      name: postfix
-      state: restarted
+    name: postfix
+    state: restarted

 - name: Reload dconf
  ansible.builtin.shell: dconf update
@ -57,35 +71,33 @@
 - name: Grub2cfg
  ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
  ignore_errors: true  # noqa ignore-errors
-  tags:
-      - skip_ansible_lint

 - name: Restart rsyslog
  ansible.builtin.systemd:
-      name: rsyslog
-      state: restarted
+    name: rsyslog
+    state: restarted

 - name: Restart journald
  ansible.builtin.systemd:
-      name: systemd-journald
-      state: restarted
+    name: systemd-journald
+    state: restarted

 - name: Restart systemd_journal_upload
  ansible.builtin.systemd:
-      name: systemd-journal-upload
-      state: restarted
+    name: systemd-journal-upload
+    state: restarted

 - name: Systemd daemon reload
  ansible.builtin.systemd:
-      daemon-reload: true
+    daemon-reload: true

 - name: Apply_authselect
-  ansible.builtin.shell: authselect apply-changes
  when: not rhel9cis_rule_5_4_2
+  ansible.builtin.shell: authselect apply-changes

 - name: Apply_authselect
-  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
  when: rhel9cis_rule_5_4_2
+  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
 ## Auditd tasks note order for handlers to run

 - name: Auditd immutable check
@ -94,17 +106,15 @@
  register: auditd_immutable_check

 - name: Audit immutable fact
-  ansible.builtin.debug:
-      msg: "Reboot required for auditd to apply new rules as immutable set"
-  notify: Change_requires_reboot
  when:
-      - auditd_immutable_check.stdout == '1'
+    - auditd_immutable_check.stdout == '1'
+  ansible.builtin.debug:
+    msg: "Reboot required for auditd to apply new rules as immutable set"
+  notify: Change_requires_reboot

 - name: Restart auditd
  ansible.builtin.shell: service auditd restart
-  tags:
-      - skip_ansible_lint

 - name: Change_requires_reboot
  ansible.builtin.set_fact:
-      change_requires_reboot: true
+    change_requires_reboot: true