From acf0104f7afe46ee10ce472a4689551e6e25e1eb Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 13 Jan 2023 12:10:18 +0000
Subject: [PATCH] lint updates

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 93 +++++++++++++-----------------
 site.yml | 1 +
 tasks/LE_audit_setup.yml | 10 ++--
 tasks/auditd.yml | 12 ++--
 tasks/check_prereqs.yml | 2 +-
 tasks/main.yml | 60 +++++++++----------
 tasks/parse_etc_password.yml | 4 +-
 tasks/post.yml | 24 ++++----
 tasks/post_remediation_audit.yml | 14 ++---
 tasks/pre_remediation_audit.yml | 28 ++++-----
 tasks/prelim.yml | 42 +++++++-------
 tasks/section_1/cis_1.1.2.x.yml | 4 +-
 tasks/section_1/cis_1.1.3.x.yml | 2 +-
 tasks/section_1/cis_1.1.4.x.yml | 2 +-
 tasks/section_1/cis_1.1.5.x.yml | 2 +-
 tasks/section_1/cis_1.1.6.x.yml | 6 +-
 tasks/section_1/cis_1.1.7.x.yml | 2 +-
 tasks/section_1/cis_1.1.8.x.yml | 2 +-
 tasks/section_1/cis_1.10.yml | 2 +-
 tasks/section_1/cis_1.2.x.yml | 2 +-
 tasks/section_1/cis_1.3.x.yml | 2 +-
 tasks/section_1/cis_1.8.x.yml | 6 +-
 tasks/section_1/cis_1.9.yml | 2 +-
 tasks/section_2/cis_2.2.x.yml | 4 +-
 tasks/section_3/cis_3.1.x.yml | 6 +-
 tasks/section_4/cis_4.1.2.x.yml | 8 +--
 tasks/section_4/cis_4.1.4.x.yml | 6 +-
 tasks/section_4/cis_4.2.1.x.yml | 26 ++++-----
 tasks/section_4/cis_4.2.2.x.yml | 12 ++--
 tasks/section_5/cis_5.2.x.yml | 10 ++--
 tasks/section_5/cis_5.6.1.x.yml | 10 ++--
 tasks/section_6/cis_6.1.x.yml | 2 +-
 templates/ansible_vars_goss.yml.j2 | 2 +-
 vars/main.yml | 2 +-
 34 files changed, 199 insertions(+), 213 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 6b47f85..404d74b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,14 +1,13 @@ --- # handlers file for RHEL9-CIS -- name: reload sysctl - shell: sysctl --system +- name: Reload sysctl + ansible.builtin.shell: sysctl --system when: - sysctl_updated.changed -- name: sysctl flush ipv4 route table - become: true - sysctl: +- name: Sysctl flush ipv4 route table + ansible.posix.sysctl: name: net.ipv4.route.flush value: '1' sysctl_set: true @@ -16,12 +15,9 @@ when: - flush_ipv4_route - not system_is_container - tags: - - skip_ansible_lint -- name: sysctl flush ipv6 route table - become: true - sysctl: +- name: Sysctl flush ipv6 route table + ansible.posix.sysctl: name: net.ipv6.route.flush value: '1' sysctl_set: true 
@@ -29,92 +25,81 @@ - flush_ipv6_route - not system_is_container -- name: systemd restart tmp.mount - become: true - systemd: +- name: Systemd restart tmp.mount + ansible.builtin.systemd: name: tmp.mount - daemon_reload: true + daemon_Reload: true enabled: true masked: false - state: reloaded + state: Reloaded -- name: systemd restart var-tmp.mount - become: true - systemd: - name: var-tmp.mount - daemon_reload: true - enabled: true - masked: false - state: reloaded +- name: Remount tmp + ansible.posix.mount: + path: /tmp + state: remounted -- name: remount tmp - ansible.posix.mount: - path: /tmp - state: remounted - -- name: restart firewalld - service: +- name: Restart firewalld + ansible.builtin.systemd: name: firewalld state: restarted -- name: restart sshd - service: +- name: Restart sshd + ansible.builtin.systemd: name: sshd state: restarted -- name: restart postfix - service: +- name: Restart postfix + ansible.builtin.systemd: name: postfix state: restarted -- name: reload dconf - shell: dconf update +- name: Reload dconf + ansible.builtin.shell: dconf update - name: grub2cfg - shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" + ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint -- name: restart rsyslog - become: true - service: +- name: Restart rsyslog + ansible.builtin.systemd: name: rsyslog state: restarted -- name: restart journald - service: +- name: Restart journald + ansible.builtin.systemd: name: systemd-journald state: restarted -- name: restart systemd_journal_upload - service: +- name: Restart systemd_journal_upload + ansible.builtin.systemd: name: systemd-journal-upload state: restarted -- name: systemd_daemon_reload - systemd: +- name: Systemd_daemon_Reload + ansible.builtin.systemd: daemon-reload: true ## Auditd tasks note order for handlers to run -- name: auditd_immutable_check - shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules +- name: 
Auditd_immutable_check + ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: auditd_immutable_check -- name: audit_immutable_fact - debug: +- name: Audit_immutable_fact + ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: change_requires_reboot when: - auditd_immutable_check.stdout == '1' -- name: restart auditd - shell: service auditd restart +- name: Restart auditd + ansible.builtin.shell: service auditd restart tags: - skip_ansible_lint -- name: change_requires_reboot - set_fact: +- name: Change_requires_reboot + ansible.builtin.set_fact: change_requires_reboot: true diff --git a/site.yml b/site.yml index 4446d3e..148ca0b 100644 --- a/site.yml +++ b/site.yml @@ -1,4 +1,5 @@ --- + - hosts: all become: true roles: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 98f3855..bc929ae 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ goss_url }}" dest: "{{ audit_bin }}" owner: root @@ -11,8 +11,8 @@ when: - get_goss_file == 'download' -- name: copy audit binary - copy: +- name: Copy audit binary + ansible.builtin.copy: src: dest: "{{ audit_bin }}" mode: 0555 @@ -21,8 +21,8 @@ when: - get_goss_file == 'copy' -- name: install git if not present - package: +- name: Install git if not present + ansible.builtin.package: name: git state: present register: git_installed diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 74830ca..a36a744 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,7 +1,7 @@ --- - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added - template: + ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root 
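Review bot: The `Systemd restart tmp.mount` handler now carries `daemon_Reload: true` and `state: Reloaded`, neither of which `ansible.builtin.systemd` accepts (the option is `daemon_reload`; the `state` choices are lowercase), so the first `notify: Systemd restart tmp.mount` from cis_1.1.2.x would fail the play; the odd casing looks like a side effect of the `reload`→`Reload` replace that also produced `Systemd_daemon_Reload`. Revert those two lines to `daemon_reload: true` and `state: reloaded`. In the same hunk the `Audit_immutable_fact` handler still ends with `notify: change_requires_reboot`, which no longer matches the renamed `Change_requires_reboot` handler, so the reboot-required fact is not set after the auditd immutable flag is detected. The `systemd restart var-tmp.mount` handler is deleted outright; any task outside this diff that still notifies it would error, which is worth a grep before merging.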
@@ -9,18 +9,18 @@ mode: 0600 register: audit_rules_updated notify: - - auditd_immutable_check - - audit_immutable_fact - - restart auditd + - Auditd_immutable_check + - Audit_immutable_fact + - Restart auditd - name: POST | Set up auditd user logging exceptions - template: + ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root mode: 0600 - notify: restart auditd + notify: Restart auditd when: - allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index abe6248..dcfee57 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,7 +1,7 @@ --- - name: "PREREQ | If required install libselinux package to manage file changes." - package: + ansible.builtin.package: name: libselinux-python3 state: present when: diff --git a/tasks/main.yml b/tasks/main.yml index d1918d2..8229390 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,7 +2,7 @@ # tasks file for RHEL9-CIS - name: Check OS version and family - assert: + ansible.builtin.assert: that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" @@ -13,7 +13,7 @@ - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" 
@@ -23,14 +23,14 @@ - name: "Check password set for {{ ansible_user }}" block: - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: + ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_user }}" @@ -45,15 +45,15 @@ - name: Setup rules if container block: - name: Discover and set container variable if required - set_fact: + ansible.builtin.set_fact: system_is_container: true - name: Load variable for container - include_vars: + ansible.builtin.include_vars: file: "{{ container_vars_file }}" - - name: output if discovered is a container - debug: + - name: Output if discovered is a container + ansible.builtin.debug: msg: system has been discovered as a container when: - system_is_container @@ -65,13 +65,13 @@ - always - name: Check crypto-policy input - assert: + ansible.builtin.assert: that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" - name: Check rhel9cis_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: 
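Review bot: The `Capture current password state` pipeline greps `/etc/shadow` for the bare `{{ ansible_user }}` value, so the match is unanchored: an account name that is a substring of another account's name (or contains regex metacharacters) yields several lines, and the following `assert` then evaluates the concatenated hash fields instead of the intended one. Anchoring the field, `ansible.builtin.shell: "grep \"^{{ ansible_user }}:\" /etc/shadow | awk -F: '{print $2}'"`, keeps the check meaningful since its purpose is to avoid locking out the automation user. The block's trailing `when`/`tags` keys lie outside this hunk.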
@@ -80,10 +80,10 @@ tags: - always -- name: "check sugroup exists if used" +- name: Check sugroup exists if used block: - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 @@ -91,7 +91,7 @@ - skip_ansible_lint - name: Check sugroup if defined exists before continuing - assert: + ansible.builtin.assert: that: sugroup_exists.rc == 0 msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: @@ -101,35 +101,35 @@ - rule_5.7 - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include OS specific variables - include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" tags: - always - name: Include preliminary steps - import_tasks: prelim.yml + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit - include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: pre_remediation_audit.yml when: - run_audit - name: Gather the package facts after prelim - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: capture /etc/password variables - include_tasks: parse_etc_password.yml + ansible.builtin.include_tasks: parse_etc_password.yml when: - rhel9cis_section6 tags: 
@@ -142,67 +142,67 @@ - rhel9cis_section6 - name: run Section 1 tasks - import_tasks: section_1/main.yml + ansible.builtin.import_tasks: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks - import_tasks: section_2/main.yml + ansible.builtin.import_tasks: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks - import_tasks: section_3/main.yml + ansible.builtin.import_tasks: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks - import_tasks: section_4/main.yml + ansible.builtin.import_tasks: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks - import_tasks: section_5/main.yml + ansible.builtin.import_tasks: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks - import_tasks: section_6/main.yml + ansible.builtin.import_tasks: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic - import_tasks: auditd.yml + ansible.builtin.import_tasks: auditd.yml when: - update_audit_template tags: - always - name: run post remediation tasks - import_tasks: post.yml + ansible.builtin.import_tasks: post.yml tags: - post_tasks - always - name: run post_remediation audit - import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit - name: If Warnings found Output count and control IDs affected - debug: + ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 6a9ef7b..76cb085 100644 --- a/tasks/parse_etc_password.yml 
+++ b/tasks/parse_etc_password.yml @@ -3,13 +3,13 @@ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - shell: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel9cis_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" vars: diff --git a/tasks/post.yml b/tasks/post.yml index 0d1260d..7f8b1fb 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -2,25 +2,25 @@ # Post tasks - name: Perform DNF package cleanup - dnf: + ansible.builtin.package: autoremove: true changed_when: false - name: Gather the package facts after remediation - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always -- name: update sysctl - template: +- name: Update sysctl + ansible.builtin.template: src: "etc/sysctl.d/{{ item }}.j2" dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 register: sysctl_updated - notify: reload sysctl + notify: Reload sysctl with_items: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf 
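Review bot: `Perform DNF package cleanup` now uses `ansible.builtin.package` with only `autoremove: true`, but `package` is a generic proxy whose documented spec expects `name`; the action plugin appears to forward unknown options to the detected backend, so this probably still works on dnf hosts, yet ansible-lint's `args` check may flag the missing `name` and the intent is a dnf-specific operation. `ansible.builtin.dnf` is the fully-qualified form that satisfies the FQCN rule the commit is addressing while keeping the task explicit. Separately, `changed_when: false` on a task that can remove packages hides real changes from the play recap; dropping that line would let an actual autoremove show as changed.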
@@ -31,29 +31,29 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" -- name: flush handlers - meta: flush_handlers +- name: Flush handlers + ansible.builtin.meta: flush_handlers - name: POST | reboot system if changes require it and not skipped block: - name: POST | Reboot system if changes require it and not skipped - reboot: + ansible.builtin.reboot: when: - - change_requires_reboot + - Change_requires_reboot - not skip_reboot - name: POST | Warning a reboot required but skip option set - debug: + ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - change_requires_reboot + - Change_requires_reboot - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: warning_facts.yml when: - - change_requires_reboot + - Change_requires_reboot - skip_reboot vars: warn_control_id: Reboot_required diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 599e104..0eb7608 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,13 +1,13 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file 
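Review bot: The three `when:` conditions in the POST reboot block now test `Change_requires_reboot`, but that is the handler's name; the fact the handler sets is still `change_requires_reboot: true` (unchanged in handlers/main.yml), so each conditional should fail with an undefined-variable error and the post-remediation reboot, which controls such as the auditd immutable rule depend on, is never reached. Restore `- change_requires_reboot` in all three tasks; only `notify:` references should carry the capitalised handler name, as the cis_1.1.x, cis_1.9 and cis_1.10 hunks correctly do.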
@@ -17,13 +17,13 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" - shell: "cat {{ post_audit_outfile }}" + - name: "Capture data {{ post_audit_outfile }}" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -33,12 +33,12 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }}" - shell: "tail -2 {{ post_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Post Audit | Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 94e9bcf..96f16fe 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,20 +1,20 @@ --- - name: Pre Audit | Setup the audit - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - file: + ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit | retrieve audit content files from git - git: + ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" @@ -22,7 +22,7 @@ - audit_content == 'git' - name: Pre Audit | copy to audit content files to server - copy: + ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 
@@ -30,7 +30,7 @@ - audit_content == 'copy' - name: Pre Audit | get audit content from url - get_url: + ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" owner: root @@ -42,12 +42,12 @@ - name: Pre Audit | Check Goss is available block: - name: Pre Audit | Check for goss file - stat: + ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - name: Pre Audit | Alert if goss not available - assert: + ansible.builtin.assert: that: goss_available.stat.exists fail_msg: "Audit binary file {{ audit_bin }} does not exist" success_msg: "Audit binary file {{ audit_bin }} exists" @@ -55,14 +55,14 @@ - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel9_efi_boot tags: - goss_template - name: Pre Audit | Copy ansible default vars values to test audit - template: + ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 @@ -72,7 +72,7 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation @@ -80,12 +80,12 @@ - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - shell: "cat {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' 
@@ -95,12 +95,12 @@ - name: Pre Audit | Capture audit data if documentation format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - shell: "tail -2 {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d133108..eaae1a3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,7 +3,7 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" - shell: "awk -F: '{print $1}' /etc/passwd" + ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false check_mode: false register: users @@ -13,7 +13,7 @@ - users - name: "PRELIM | Gather accounts with empty password fields" - shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false check_mode: false register: empty_password_accounts @@ -23,7 +23,7 @@ - passwords - name: "PRELIM | Gather UID 0 accounts other than root" - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false register: rhel9cis_uid_zero_accounts_except_root 
@@ -36,14 +36,14 @@ - name: "PRELIM | Setup crypto-policy" block: - name: "PRELIM | Install crypto-policies" - dnf: + ansible.builtin.package: name: - crypto-policies - crypto-policies-scripts state: present - name: "PRELIM | Gather system-wide crypto-policy" - shell: update-crypto-policies --show + ansible.builtin.shell: update-crypto-policies --show changed_when: false check_mode: false register: system_wide_crypto_policy @@ -56,7 +56,7 @@ - crypto - name: "PRELIM | if systemd coredump" - stat: + ansible.builtin.stat: path: /etc/systemd/coredump.conf register: systemd_coredump when: @@ -68,14 +68,14 @@ - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" - set_fact: + ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" tags: - level1-server - level1-workstation - name: "PRELIM | Ensure python3-libselinux is installed" - package: + ansible.builtin.package: name: python3-libselinux state: present when: @@ -84,23 +84,23 @@ - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel_09_efi_boot - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - set_fact: + ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg when: not rhel_09_efi_boot.stat.exists - name: "PRELIM | set grub fact | UEFI" - set_fact: + ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - package: + ansible.builtin.package: name: audit state: present become: true @@ -135,7 +135,7 @@ - rule_4.1.4.7 - name: "PRELIM | Section 5.1 | Configure cron" - package: + ansible.builtin.package: name: cronie state: present become: true @@ -149,7 +149,7 @@ - cron - name: "PRELIM | Install authconfig" - package: + ansible.builtin.package: name: authconfig state: present become: true 
@@ -170,7 +170,7 @@ - auditd - name: "PRELIM | 5.3.4 | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false @@ -183,7 +183,7 @@ - rule_5.3.5 - name: "PRELIM | Check for rhnsd service" - shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false become: true @@ -198,28 +198,28 @@ - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" - set_fact: + ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - name: Output of uid findings - debug: + ansible.builtin.debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 118f93b..d4a7f7d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
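Review bot: Switching the `Find all sudoers files` task from `ansible.builtin.command` to `ansible.builtin.shell` runs counter to ansible-lint's `command-instead-of-shell` guidance: the command uses no pipes, redirection or shell expansion, so `command` is the safer module because its arguments are passed directly without shell parsing. The same command→shell change appears in cis_1.2.x (`dnf repolist`), cis_1.3.x (`aide --init`), cis_3.1.x (the `rpm -q` and two `nmcli` tasks) and cis_4.2.1.x (`cat /etc/rsyslog.conf`), none of which need a shell either. If the motivation was the FQCN rule, `ansible.builtin.command:` satisfies it while preserving the original semantics.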
@@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: remount tmp + notify: Remount tmp with_items: - "{{ ansible_mounts }}" loop_control: @@ -64,7 +64,7 @@ owner: root group: root mode: 0644 - notify: systemd restart tmp.mount + notify: Systemd restart tmp.mount when: - rhel9cis_tmp_svc - rhel9cis_rule_1_1_2_1 or diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index afe1b8c..7ea30d9 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -35,7 +35,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_mount_present is defined - item.mount == "/var" diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 4a1deb0..b32260b 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -37,7 +37,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index ccaeb5c..da3c0e8 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -37,7 +37,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_log_mount_present is defined - item.mount == "/var/log" diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 4191899..b030e8f 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -10,8 +10,8 @@ ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: '1.1.6.1' - required_mount: '/var/log/audit' + warn_control_id: '1.1.6.1' + required_mount: '/var/log/audit' when: - required_mount not in mount_names - rhel9cis_rule_1_1_6_1 @@ -36,7 +36,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 60192d7..946572c 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -36,7 +36,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - home_mount_present is defined - item.mount == "/home" diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 7703ed4..3b85af3 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -34,7 +34,7 @@ fstype: tmpfs state: mounted opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or rhel9cis_rule_1_1_8_3 or diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 1b0d2a2..c43e445 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -4,7 +4,7 @@ ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index dcc8e5c..99f24ea 100644 --- a/tasks/section_1/cis_1.2.x.yml 
+++ b/tasks/section_1/cis_1.2.x.yml @@ -68,7 +68,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" - ansible.builtin.command: dnf repolist + ansible.builtin.shell: dnf repolist changed_when: false failed_when: false register: dnf_configured diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 607065c..cf20cb9 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -8,7 +8,7 @@ state: present - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index fe690c5..20be846 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -25,7 +25,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } @@ -54,7 +54,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } @@ -81,7 +81,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - { regex: 'automount=', line: 'automount=false' } diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 37ede1b..e226948 100644 
--- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -4,7 +4,7 @@ ansible.builtin.package: name: "*" state: latest - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_9 - not system_is_ec2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 4f1be78..aac8a27 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -228,7 +228,7 @@ ansible.builtin.package: name: dnsmasq state: absent - notify: restart postfix + notify: Restart postfix when: - not rhel9cis_is_mail_server - "'dnsmasq' in ansible_facts.packages" @@ -245,7 +245,7 @@ path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" - notify: restart postfix + notify: Restart postfix when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 9e1e484..b2e104a 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -27,21 +27,21 @@
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
   block:
       - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
-        ansible.builtin.command: rpm -q NetworkManager
+        ansible.builtin.shell: rpm -q NetworkManager
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel_08_nmcli_available
 
       - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
-        ansible.builtin.command: nmcli radio wifi
+        ansible.builtin.shell: nmcli radio wifi
         register: rhel_08_wifi_enabled
         changed_when: rhel_08_wifi_enabled.stdout != "disabled"
         failed_when: false
         when: rhel_08_nmcli_available.rc == 0
 
       - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
-        ansible.builtin.command: nmcli radio all off
+        ansible.builtin.shell: nmcli radio all off
         changed_when: false
         failed_when: false
         when: rhel_08_wifi_enabled is changed
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index 9850ce4..2473e87 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml
@@ -5,7 +5,7 @@
           path: /etc/audit/auditd.conf
           regexp: "^max_log_file( |=)"
           line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
-      notify: restart auditd
+      notify: Restart auditd
       when:
           - rhel9cis_rule_4_1_2_1
       tags:
@@ -21,7 +21,7 @@
           path: /etc/audit/auditd.conf
           regexp: "^max_log_file_action"
           line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
-      notify: restart auditd
+      notify: Restart auditd
       when:
           - rhel9cis_rule_4_1_2_2
       tags:
@@ -36,7 +36,7 @@
           path: /etc/audit/auditd.conf
           regexp: "{{ item.regexp }}"
           line: "{{ item.line }}"
-      notify: restart auditd
+      notify: Restart auditd
       with_items:
           - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
           - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' }
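Review bot: In the 3.1.2 hunk the `Disable wifi if enabled` task keeps `changed_when: false` on the one command that actually modifies state, so the play reports no change when radios are turned off, and its `failed_when: false` hides an `nmcli` error and leaves the rule silently unapplied. Drop `changed_when: false` on that task (it only runs when the audit step reported `changed`) and replace `failed_when: false` with a check such as `failed_when: rhel9cis_3_1_2_radio_off.rc != 0` after registering the result. None of the three commands needs a shell, so `ansible.builtin.command` should stay; switching to `shell` is the opposite of what the command-instead-of-shell lint rule asks for. The `rhel_08_*` register names look like carry-overs from the RHEL8 role; `rhel9cis_3_1_2_*` would match the naming used elsewhere in this commit.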
@@ -56,7 +56,7 @@
           regexp: "^{{ item }}( |=)"
           line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
       loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
-      notify: restart auditd
+      notify: Restart auditd
       when:
           - rhel9cis_auditd_extra_conf.keys() | length > 0
       tags:
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
index ca69e3d..5ee9b55 100644
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -64,9 +64,9 @@
       loop: "{{ auditd_conf_files.files }}"
       loop_control:
           label: "{{ item.path }}"
-      when:
-          - item.mode != '06(0|4)0'
-          - rhel9cis_rule_4_1_4_5
+      when:
+          - item.mode != '06(0|4)0'
+          - rhel9cis_rule_4_1_4_5
       tags:
           - level2-server
           - level2-workstation
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index b1a20a9..5ff7e75 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -32,10 +32,10 @@
           path: /etc/systemd/journald.conf
           regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
           line: ForwardToSyslog=yes
-      notify: restart rsyslog
+      notify: Restart rsyslog
       when:
           - rhel9cis_rule_4_2_1_3
-          - rhel9cis_preferred_log_capture == "rsyslog"
+          - rhel9cis_syslog == "rsyslog"
       tags:
           - level1-server
           - level1-workstation
@@ -47,7 +47,7 @@
           path: /etc/rsyslog.conf
           regexp: '^\$FileCreateMode'
           line: '$FileCreateMode 0640'
-      notify: restart rsyslog
+      notify: Restart rsyslog
       when:
           - rhel9cis_rule_4_2_1_4
       tags:
@@ -60,7 +60,7 @@
 - name: "4.2.1.5 | PATCH | Ensure logging is configured"
   block:
       - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
-        ansible.builtin.command: cat /etc/rsyslog.conf
+        ansible.builtin.shell: cat /etc/rsyslog.conf
         changed_when: false
         failed_when: false
         check_mode: false
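Review bot: The re-indented condition `item.mode != '06(0|4)0'` in the 4.1.4.5 hunk is a plain Jinja string inequality, not a regex match, so it is true for every file the `find` loop returns (a mode of `0640` is never equal to the literal `06(0|4)0`) and the task runs on already-compliant files. Use a real membership or regex test: `- item.mode not in ['0600', '0640']` (or `- item.mode is not match('^06[04]0$')`). The task body and the find that registers `auditd_conf_files` are outside the hunk, so this assumes `item.mode` is the four-digit string the find module returns.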
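Review bot: The 4.2.1.3 guard changes from `rhel9cis_preferred_log_capture` to `rhel9cis_syslog`, but the diffstat touches no defaults file, so unless `rhel9cis_syslog` is already defined this `when` now fails with an undefined variable whenever rule 4.2.1.3 is enabled. Please confirm that defaults/main.yml defines `rhel9cis_syslog` (the template hunk later in this commit also reads it), or write the guard defensively as `- rhel9cis_syslog is defined and rhel9cis_syslog == "rsyslog"`. A variable rename is a behaviour change for anyone overriding the old name and deserves a sentence in the commit message rather than being folded into "lint updates".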
@@ -84,7 +84,7 @@
               mail.warning -/var/log/mail.warning
               mail.err /var/log/mail.err
           insertafter: '# Log all the mail messages in one place.'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         when: rhel9cis_rsyslog_ansiblemanaged
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
@@ -97,7 +97,7 @@
               news.crit -/var/log/news/news.crit
               news.notice -/var/log/news/news.crit
           insertafter: '# Save news errors of level crit and higher in a special file.'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         when: rhel9cis_rsyslog_ansiblemanaged
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
@@ -111,7 +111,7 @@
               *.crit /var/log/warn
               *.*;mail.none;news.none /var/log/messages
           insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         when: rhel9cis_rsyslog_ansiblemanaged
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
@@ -127,7 +127,7 @@
               local6,local7.* -/var/log/localmessages
               *.emrg :omusrmsg:*
           insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
         ansible.builtin.blockinfile:
@@ -138,7 +138,7 @@
               # Private settings to meet CIS standards
               auth,authpriv.* /var/log/secure
           insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
         ansible.builtin.blockinfile:
@@ -149,7 +149,7 @@
               # Cron settings to meet CIS standards
               cron.* /var/log/cron
           insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
   when:
       - rhel9cis_rule_4_2_1_5
   tags:
@@ -171,7 +171,7 @@
       failed_when:
           - result is failed
           - result.rc != 257
-      notify: restart rsyslog
+      notify: Restart rsyslog
       when:
           - rhel9cis_rule_4_2_1_6
           - rhel9cis_remote_log_server
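Review bot: The context line `*.emrg :omusrmsg:*` in the Local log settings block (the @@ -127 hunk) uses `emrg`, which is not a syslog priority name; rsyslog only knows `emerg`/`panic`, so as far as I can tell it reports an unknown priority and skips the rule, and the CIS-intended broadcast of emergency messages to logged-in users never happens. The handler rename in this hunk does not touch it, so the line should be corrected to `*.emerg :omusrmsg:*` while this block is being edited. The blockinfile marker and the start of its `block:` scalar are above the hunk.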
@@ -189,7 +189,7 @@
           path: /etc/rsyslog.conf
           regexp: '{{ item }}'
           replace: '#\1'
-      notify: restart rsyslog
+      notify: Restart rsyslog
       loop:
           - '^(\$ModLoad imtcp)'
           - '^(\$InputTCPServerRun)'
@@ -202,7 +202,7 @@
           path: /etc/rsyslog.conf
           regexp: '^#(.*{{ item }}.*)'
           replace: '\1'
-      notify: restart rsyslog
+      notify: Restart rsyslog
       loop:
           - 'ModLoad imtcp'
           - 'InputTCPServerRun'
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml
index 0c53795..c6b0e2e 100644
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@@ -19,7 +19,7 @@
           path: /etc/systemd/journal-upload.conf
           regexp: "{{ item.regexp }}"
           line: "{{ item.line }}"
-      notify: restart systemd_journal_upload
+      notify: Restart systemd_journal_upload
       with_items:
           - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
           - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
@@ -92,7 +92,7 @@
         ansible.builtin.import_tasks: warning_facts.yml
         when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
         vars:
-            warn_control_id: '4.2.2.2'
+            warn_control_id: '4.2.2.2'
   when:
       - rhel9cis_rule_4_2_2_2
   tags:
@@ -108,7 +108,7 @@
           path: /etc/systemd/journald.conf
           regexp: "^#Compress=|^Compress="
           line: Compress=yes
-      notify: restart systemd_journal_upload
+      notify: Restart systemd_journal_upload
       when:
           - rhel9cis_rule_4_2_2_3
       tags:
@@ -124,7 +124,7 @@
           path: /etc/systemd/journald.conf
           regexp: "^#Storage=|^Storage="
           line: Storage=persistent
-      notify: restart systemd_journal_upload
+      notify: Restart systemd_journal_upload
       when:
           - rhel9cis_rule_4_2_2_4
       tags:
@@ -141,7 +141,7 @@
           path: /etc/systemd/journald.conf
           regexp: "^ForwardToSyslog="
           line: "#ForwardToSyslog=yes"
-      notify: restart systemd_journal_upload
+      notify: Restart systemd_journal_upload
       when:
           - rhel9cis_rule_4_2_2_5
       tags:
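Review bot: In the @@ -141 hunk, 4.2.2.5 comments out `ForwardToSyslog=` in journald.conf guarded only by `rhel9cis_rule_4_2_2_5`, while 4.2.1.3 elsewhere in this commit sets `ForwardToSyslog=yes` when `rhel9cis_syslog == "rsyslog"`; with both rules enabled on an rsyslog host the two tasks rewrite the same line against each other and whichever runs last wins. Mirror the 4.2.1.3 guard here with `- rhel9cis_syslog == "journald"` under `when:`. The edit is to journald.conf but the notified handler is `Restart systemd_journal_upload`, so journald itself is not restarted and the new setting is not picked up until something else restarts it; that may be a collective handler, so worth confirming against handlers/main.yml.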
@@ -157,7 +157,7 @@
           path: /etc/systemd/journald.conf
           regexp: "{{ item.regexp }}"
           line: "{{ item.line }}"
-      notify: restart journald
+      notify: Restart systemd_journal_upload
       with_items:
           - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
           - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 9dc785e..f0286d9 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -84,7 +84,7 @@
           regexp: "^AllowUsers"
           line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
           validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
@@ -93,7 +93,7 @@
           regexp: "^AllowGroups"
           line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
           validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
@@ -102,7 +102,7 @@
           regexp: "^DenyUsers"
           line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
           validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
@@ -111,7 +111,7 @@
           regexp: "^DenyGroups"
           line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
           validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
   when:
       - rhel9cis_rule_5_2_4
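Review bot: The @@ -157 hunk silently changes which handler 4.2.2.6 fires, from `restart journald` to `Restart systemd_journal_upload`, so the `SystemMaxUse`/`SystemKeepFree` edits to journald.conf no longer restart the daemon that reads them. That is a behaviour change hidden in a "lint updates" commit; unless the journald handler was deliberately dropped it should read `notify: Restart journald`, backed by a handler that runs `systemctl restart systemd-journald`, and if the handler really was removed the commit message should say so. The remaining `with_items` entries and the task's `when` are outside the hunk.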
@@ -267,7 +267,7 @@
 
       - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
         ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
-        notify: restart sshd
+        notify: Restart sshd
         when: ssh_crypto_discovery.stdout | length > 0
   when:
       - rhel9cis_rule_5_2_14
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
index 5b4704c..1f6b691 100644
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@@ -52,19 +52,19 @@
         register: rhel9cis_5_6_1_4_inactive_settings
 
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
-        ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+        ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
         when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
 
       - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
         ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
         changed_when: false
         check_mode: false
-        register: rhel_8_5_6_1_4_user_list
+        register: rhel9cis_5_6_1_4_user_list
 
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
-        ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+        ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
         with_items:
-            - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
+            - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
   when:
       - rhel9cis_rule_5_6_1_4
   tags:
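Review bot: In the 5.6.1.4 hunk `useradd -D -f {{ rhel9cis_inactivelock.lock_days }}` and `chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"` now run through /bin/sh, so a `lock_days` value or a login name read back from /etc/shadow that contains shell metacharacters is interpreted rather than passed as a literal argument; with `ansible.builtin.command` the string was only split into argv. Neither line needs a shell, so keep `ansible.builtin.command` on both tasks (which is also what ansible-lint's command-instead-of-shell rule asks for); the `register` rename to `rhel9cis_5_6_1_4_user_list` is fine on its own. If the lint complaint was a missing `changed_when`, add that rather than switching modules.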
@@ -104,7 +104,7 @@
             - not rhel9cis_futurepwchgdate_autofix
 
       - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
-        ansible.builtin.command: passwd --expire {{ item }}
+        ansible.builtin.shell: passwd --expire {{ item }}
         when:
             - rhel9cis_5_6_1_5_user_list.stdout | length > 0
             - rhel9cis_futurepwchgdate_autofix
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index e2985f8..e8cd62f 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -207,7 +207,7 @@
         when:
             - item.stdout_lines is defined
             - item.stdout_lines | length > 0
-
+
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
         ansible.builtin.import_tasks: warning_facts.yml
         vars:
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index c553121..ebc51d4 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -450,7 +450,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
 
 # Section 4
 ## syslog
-rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }}
+rhel9cis_syslog: {{ rhel9cis_syslog }}
 
 # Section 5
 ## 5.2.4 Note the following to understand precedence and layout
diff --git a/vars/main.yml b/vars/main.yml
index 2ba64a1..165eff5 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -8,5 +8,5 @@ rhel9cis_allowed_crypto_policies:
     - 'FIPS'
 
 # Used to control warning summary
-control_number: ""
+warn_control_list: ""
 warn_count: 0
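Review bot: In the 5.6.1.5 hunk `passwd --expire {{ item }}` is now executed by /bin/sh with `item` unquoted, so a login name from the 5.6.1.5 user list containing whitespace or shell metacharacters would be split or interpreted; with `ansible.builtin.command` each item was passed as one argv entry. Revert to `ansible.builtin.command: passwd --expire {{ item }}`, or at minimum quote it as `passwd --expire "{{ item }}"` if `shell` must stay. The loop that supplies `item` is outside the hunk.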