From 95d81526031b652042711abfe0d81fcba782739a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jan 2022 12:08:30 +0000 Subject: [PATCH] added args warn for shell Signed-off-by: Mark Bolwell --- handlers/main.yml | 6 +++- tasks/check_prereqs.yml | 6 ++-- tasks/section_1/cis_1.1.x.yml | 4 ++- tasks/section_1/cis_1.10.yml | 2 ++ tasks/section_1/cis_1.11.yml | 2 ++ tasks/section_1/cis_1.2.x.yml | 6 ++-- tasks/section_1/cis_1.4.x.yml | 5 +-- tasks/section_1/cis_1.7.1.x.yml | 2 ++ tasks/section_2/cis_2.2.x.yml | 4 +-- tasks/section_3/cis_3.4.2.x.yml | 6 ++++ tasks/section_3/cis_3.4.3.x.yml | 58 ++++++++++++++++++++++++++++++- tasks/section_3/cis_3.4.4.1.x.yml | 4 +++ tasks/section_3/cis_3.5.yml | 12 +++---- tasks/section_4/cis_4.1.1.x.yml | 4 +++ tasks/section_4/cis_4.1.x.yml | 2 ++ tasks/section_4/cis_4.2.1.x.yml | 2 ++ tasks/section_4/cis_4.2.3.yml | 2 ++ tasks/section_5/cis_5.2.x.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 12 ++++--- tasks/section_5/cis_5.5.1.x.yml | 14 ++++++++ tasks/section_5/cis_5.5.x.yml | 2 ++ tasks/section_5/cis_5.6.yml | 2 ++ tasks/section_6/cis_6.1.x.yml | 12 ++++++- tasks/section_6/cis_6.2.x.yml | 40 +++++++++++++++++++++ 24 files changed, 187 insertions(+), 24 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 628d481..e512f6b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -89,6 +89,8 @@ - name: reload dconf become: yes shell: dconf update + args: + warn: false - name: update auditd template: @@ -105,7 +107,7 @@ check_mode: no failed_when: no args: - warn: no + warn: false when: - not rhel9cis_skip_for_travis tags: @@ -113,6 +115,8 @@ - name: grub2cfg shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" + args: + warn: false ignore_errors: True tags: - skip_ansible_lint diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index cdaf930..36f1999 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -4,10 +4,10 @@ block: - name: Check if python36-rpm package installed shell: rpm -q python36-rpm - failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) - changed_when: false args: warn: false + failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) + changed_when: false register: python36_rpm_present - name: Add the EPEL repository required for the python36-rpm pkg @@ -29,6 +29,8 @@ - name: Disable Epel repo if installed earlier shell: yum-config-manager disable epel + args: + warn: false when: epel_installed.changed when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 65e2260..279084d 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -252,6 +252,8 @@ 1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence 1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" shell: mount -l | grep -E '\s/dev/shm\s' + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -306,7 +308,7 @@ - name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t args: - warn: no + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 91b8cad..6b4a161 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -4,6 +4,8 @@ shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies + args: + warn: false when: - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' diff --git a/tasks/section_1/cis_1.11.yml b/tasks/section_1/cis_1.11.yml index 34245b1..bfd8806 100644 --- a/tasks/section_1/cis_1.11.yml +++ b/tasks/section_1/cis_1.11.yml @@ -4,6 +4,8 @@ shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies + args: + warn: false when: - rhel9cis_rule_1_11 - system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 79935ef..12c4d03 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -38,6 +38,8 @@ - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release + args: + warn: false when: - rhel9cis_rule_1_2_3 - ansible_distribution == "RedHat" @@ -77,12 +79,12 @@ block: - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" shell: dnf repolist + args: + warn: false changed_when: false failed_when: false register: dnf_configured check_mode: no - args: - warn: false - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 56819b4..a5b1f3b 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -9,12 +9,13 @@ - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + args: + warn: false + creates: /var/lib/aide/aide.db.gz changed_when: false failed_when: false async: 45 poll: 0 - args: - creates: /var/lib/aide/aide.db.gz when: not ansible_check_mode when: - rhel9cis_config_aide diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml index ea1f805..378da5c 100644 --- a/tasks/section_1/cis_1.7.1.x.yml +++ b/tasks/section_1/cis_1.7.1.x.yml @@ -66,6 +66,8 @@ block: - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + args: + warn: false register: rhelcis_1_7_1_5_unconf_daemons failed_when: false changed_when: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f6203da..08197cc 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -5,7 +5,7 @@ - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" shell: rpm -qa | grep xorg-x11 args: - warn: no + warn: false failed_when: xorg_x11_installed.rc >=2 check_mode: no changed_when: false @@ -14,7 +14,7 @@ - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" shell: "dnf remove {{ item }}" args: - warn: no + warn: false with_items: - xorg_x11_installed.stdout_lines when: xorg_x11_installed.stdout | length > 0 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index bcb8f89..1a13db9 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -46,6 +46,8 @@ - name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set" shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + args: + warn: false when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_4 @@ -59,6 +61,8 @@ block: - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -82,6 +86,8 @@ block: - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + args: + warn: false changed_when: false failed_when: false check_mode: no diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml index 4677b6a..46c8f01 100644 --- a/tasks/section_3/cis_3.4.3.x.yml +++ b/tasks/section_3/cis_3.4.3.x.yml @@ -2,6 +2,8 @@ - name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables" shell: ip6tables -F + args: + warn: false when: - rhel9cis_rule_3_4_3_1 - rhel9cis_firewall != "iptables" @@ -16,6 +18,8 @@ block: - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables" shell: nft list tables + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_2_nft_tables @@ -38,6 +42,8 @@ - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + args: + warn: false failed_when: no when: rhel9cis_nft_tables_autonewtable when: @@ -53,18 +59,24 @@ block: - name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT" shell: nft list ruleset | grep 'hook input' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_3_input_chains - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" shell: nft list ruleset | grep 'hook forward' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_3_forward_chains - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" shell: nft list ruleset | grep 'hook output' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_3_output_chains @@ -83,7 +95,7 @@ - name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed" shell: "{{ item }}" args: - warn: no + warn: false failed_when: no with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } @@ -103,32 +115,44 @@ block: - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_4_iiflo - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_4_ipsaddr - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_4_ip6saddr - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + args: + warn: false when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + args: + warn: false when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + args: + warn: false when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' when: - rhel9cis_firewall == "nftables" @@ -143,38 +167,54 @@ block: - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_5_inconnectionrule - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_3_5_outconnectionrule - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + args: + warn: false when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + args: + warn: false when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + args: + warn: false when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + args: + warn: false when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + args: + warn: false when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + args: + warn: false when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' when: - rhel9cis_firewall == "nftables" @@ -189,42 +229,58 @@ block: - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_inputpolicy - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_forwardpolicy - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_outputpolicy - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + args: + warn: false failed_when: false changed_when: false register: rhel9cis_3_4_3_6_sshallowcheck - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + args: + warn: false when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + args: + warn: false when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + args: + warn: false when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout' - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + args: + warn: false when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout' when: - rhel9cis_firewall == "nftables" diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.4.1.x.yml index edeb498..e36fa3b 100644 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ b/tasks/section_3/cis_3.4.4.1.x.yml @@ -85,12 +85,16 @@ block: - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports" shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_4_1_4_otcp - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports" shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' + args: + warn: false changed_when: false failed_when: false register: rhel9cis_3_4_4_1_4_oudp diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml index 1d24b7d..59b3e64 100644 --- a/tasks/section_3/cis_3.5.yml +++ b/tasks/section_3/cis_3.5.yml @@ -2,15 +2,10 @@ - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - shell: rpm -q NetworkManager -# changed_when: false -# failed_when: false - check_mode: no - register: rhel_09_nmcli_available - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" shell: nmcli radio wifi + args: + warn: false register: rhel_09_wifi_enabled changed_when: rhel_09_wifi_enabled.stdout != "disabled" failed_when: false @@ -18,10 +13,13 @@ - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" shell: nmcli radio all off + args: + warn: false changed_when: false failed_when: false when: rhel_09_wifi_enabled is changed when: + - '"NetworkManager" in ansible_facts.packages' - rhel9cis_rule_3_5 tags: - level1-server diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 69c395d..43dab23 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -41,6 +41,8 @@ block: - name: "4.1.1.3 | L2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -74,6 +76,8 @@ block: - name: "4.1.1.4 | L2 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + args: + warn: false changed_when: false failed_when: false check_mode: no diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index fd43b3c..e54265e 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -121,6 +121,8 @@ block: - name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + args: + warn: false changed_when: false failed_when: false check_mode: no diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 911e23c..63b86c5 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -44,6 +44,8 @@ block: - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" shell: cat /etc/rsyslog.conf + args: + warn: false become: yes changed_when: false failed_when: no diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index ece189b..bd13030 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -2,6 +2,8 @@ - name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured" shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + + args: + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index cce0226..0629cc7 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -334,7 +334,7 @@ - name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd args: - warn: no + warn: false notify: restart sshd when: - rhel9cis_rule_5_2_20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index c643b0e..7e2242e 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -4,6 +4,8 @@ block: - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles" shell: 'authselect current | grep "Profile ID: custom/"' + args: + warn: false failed_when: false changed_when: false check_mode: no @@ -18,7 +20,7 @@ - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_3_1 @@ -34,7 +36,7 @@ - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features" shell: "authselect current" args: - warn: no + warn: false failed_when: false changed_when: false check_mode: no @@ -49,7 +51,7 @@ - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_3_2 @@ -64,6 +66,8 @@ block: - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" shell: "authselect current | grep with-faillock" + args: + warn: false failed_when: false changed_when: false check_mode: no @@ -78,7 +82,7 @@ - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_3_3 diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml index 570e83c..3ad80a6 100644 --- a/tasks/section_5/cis_5.5.1.x.yml +++ b/tasks/section_5/cis_5.5.1.x.yml @@ -46,6 +46,8 @@ block: - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -53,16 +55,22 @@ - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + args: + warn: false when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0 - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + args: + warn: false check_mode: no register: rhel_09_5_5_1_4_audit changed_when: false - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + args: + warn: false with_items: - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}" when: @@ -77,6 +85,8 @@ block: - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) + args: + warn: false failed_when: false changed_when: false check_mode: no @@ -84,6 +94,8 @@ - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -103,6 +115,8 @@ - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" shell: passwd --expire {{ item }} + args: + warn: false when: - rhel9cis_5_5_1_5_user_list | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 5b23d83..6d1fcf3 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -64,6 +64,8 @@ - name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0" shell: usermod -g 0 root + args: + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml index 973b1d6..6262c3c 100644 --- a/tasks/section_5/cis_5.6.yml +++ b/tasks/section_5/cis_5.6.yml @@ -10,6 +10,8 @@ - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles" shell: cat /etc/securetty + args: + warn: false changed_when: false register: rhel_09_5_6_audit when: rhel9cis_securetty_check.stat.exists diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 9650e5d..c596ed1 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: no + warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -152,6 +152,8 @@ block: - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + args: + warn: false failed_when: false changed_when: false register: rhel_09_6_1_10_perms_results @@ -183,6 +185,8 @@ block: - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" shell: find "{{ item.mount }}" -xdev -nouser + args: + warn: false check_mode: false failed_when: false changed_when: false @@ -209,6 +213,8 @@ block: - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" shell: find "{{ item.mount }}" -xdev -nogroup + args: + warn: false check_mode: false failed_when: false changed_when: false @@ -235,6 +241,8 @@ block: - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + args: + warn: false failed_when: false changed_when: false register: rhel_09_6_1_13_perms_results @@ -266,6 +274,8 @@ block: - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables" shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + args: + warn: false failed_when: false changed_when: false register: rhel_09_6_1_14_perms_results diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 43c57f2..8464790 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -2,6 +2,8 @@ - name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty" shell: passwd -l {{ item }} + args: + warn: false changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" @@ -16,6 +18,8 @@ - name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" shell: sed -i '/^+/ d' /etc/passwd + args: + warn: false changed_when: false failed_when: false when: @@ -31,6 +35,8 @@ block: - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value" shell: 'echo $PATH | grep ::' + args: + warn: false check_mode: no register: path_colon changed_when: False @@ -38,6 +44,8 @@ - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end" shell: 'echo $PATH | grep :$' + args: + warn: false check_mode: no register: path_colon_end changed_when: False @@ -45,6 +53,8 @@ - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + args: + warn: false check_mode: no register: dot_in_path changed_when: False @@ -75,6 +85,8 @@ - name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" shell: sed -i '/^+/ d' /etc/shadow + args: + warn: false changed_when: false failed_when: false when: @@ -88,6 +100,8 @@ - name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group" shell: sed -i '/^+/ d' /etc/group + args: + warn: false changed_when: false failed_when: false when: @@ -101,6 +115,8 @@ - name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account" shell: passwd -l {{ item }} + args: + warn: false changed_when: false failed_when: false with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" @@ -123,6 +139,8 @@ - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 + args: + warn: false check_mode: false changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0 register: rhel_09_6_2_7_patch_audit @@ -198,6 +216,8 @@ block: - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" shell: find /home/ -name "\.*" -perm /g+w,o+w + args: + warn: false changed_when: false failed_when: false register: rhel9cis_6_2_9_audit @@ -252,6 +272,8 @@ - name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible" shell: /bin/true + args: + warn: false changed_when: false failed_when: false when: @@ -279,6 +301,8 @@ block: - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + args: + warn: false changed_when: false failed_when: false check_mode: false @@ -305,6 +329,8 @@ block: - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + args: + warn: false changed_when: false failed_when: false register: user_uid_check @@ -330,6 +356,8 @@ block: - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + args: + warn: false changed_when: false failed_when: false register: user_user_check @@ -355,6 +383,8 @@ block: - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + args: + warn: false changed_when: false failed_when: false register: user_username_check @@ -380,6 +410,8 @@ block: - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -406,6 +438,8 @@ block: - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id" shell: "getent group shadow | cut -d: -f3" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -413,6 +447,8 @@ - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group" shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -420,6 +456,8 @@ - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow" shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'" + args: + warn: false changed_when: false failed_when: false check_mode: no @@ -465,6 +503,8 @@ - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 + args: + warn: false check_mode: false changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0 register: rhel_09_6_2_20_patch_audit