ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

QA Fixes

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-06-16 17:18:08 -04:00
parent 38a173546c
commit acacb7a6bc
No known key found for this signature in database
GPG key ID: D29987C25A47D813
4 changed files with 6 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

7
tasks/main.yml
View file

@ -17,9 +17,7 @@
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container" - name: "Setup rules if container"
when: when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags: tags:
- container_discovery - container_discovery
- always - always
@ -101,8 +99,7 @@
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert: ansible.builtin.assert:
that: that: not prelim_ansible_user_password_set.stdout.startswith("!")
- not prelim_ansible_user_password_set.stdout.startswith("!")
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"

1
tasks/pre_remediation_audit.yml
View file

@ -1,4 +1,5 @@
--- ---
- name: Pre Audit Setup | Setup the LE audit - name: Pre Audit Setup | Setup the LE audit
when: setup_audit when: setup_audit
tags: setup_audit tags: setup_audit

6
tasks/prelim.yml
View file

@ -191,8 +191,7 @@
- name: "PRELIM | PATCH | Install dconf if gui installed" - name: "PRELIM | PATCH | Install dconf if gui installed"
when: rhel9cis_gui when: rhel9cis_gui
tags: tags: always
- always
ansible.builtin.package: ansible.builtin.package:
name: dconf name: dconf
state: present state: present
@ -201,8 +200,7 @@
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2
- not system_is_container - not system_is_container
tags: tags: always
- always
block: block:
- name: "PRELIM | AUDIT | Discover is wireless adapter on system" - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless

3
tasks/section_1/cis_1.1.1.x.yml
View file

@ -27,8 +27,7 @@
mode: 'go-rwx' mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when: when: not system_is_container
- not system_is_container
community.general.modprobe: community.general.modprobe:
name: cramfs name: cramfs
state: absent state: absent