mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
lint updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
3ead0d63ac
commit
acf0104f7a
34 changed files with 199 additions and 213 deletions
|
|
@ -2,7 +2,7 @@
|
|||
# tasks file for RHEL9-CIS
|
||||
|
||||
- name: Check OS version and family
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
|
||||
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
|
||||
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
|
||||
|
|
@ -13,7 +13,7 @@
|
|||
- always
|
||||
|
||||
- name: Check ansible version
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that: ansible_version.full is version_compare(min_ansible_version, '>=')
|
||||
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
|
||||
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
|
||||
|
|
@ -23,14 +23,14 @@
|
|||
- name: "Check password set for {{ ansible_user }}"
|
||||
block:
|
||||
- name: Capture current password state of "{{ ansible_user }}"
|
||||
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
|
||||
ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: false
|
||||
register: ansible_user_password_set
|
||||
|
||||
- name: "Assert that password set for {{ ansible_user }} and account not locked"
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
|
||||
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
|
||||
success_msg: "You a password set for the {{ ansible_user }}"
|
||||
|
|
@ -45,15 +45,15 @@
|
|||
- name: Setup rules if container
|
||||
block:
|
||||
- name: Discover and set container variable if required
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
system_is_container: true
|
||||
|
||||
- name: Load variable for container
|
||||
include_vars:
|
||||
ansible.builtin.include_vars:
|
||||
file: "{{ container_vars_file }}"
|
||||
|
||||
- name: output if discovered is a container
|
||||
debug:
|
||||
- name: Output if discovered is a container
|
||||
ansible.builtin.debug:
|
||||
msg: system has been discovered as a container
|
||||
when:
|
||||
- system_is_container
|
||||
|
|
@ -65,13 +65,13 @@
|
|||
- always
|
||||
|
||||
- name: Check crypto-policy input
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
|
||||
fail_msg: "Crypto policy is not a permitted version"
|
||||
success_msg: "Crypto policy is a permitted version"
|
||||
|
||||
- name: Check rhel9cis_bootloader_password_hash variable has been changed
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
|
||||
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
|
||||
when:
|
||||
|
|
@ -80,10 +80,10 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: "check sugroup exists if used"
|
||||
- name: Check sugroup exists if used
|
||||
block:
|
||||
- name: "Check su group exists if defined"
|
||||
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
|
||||
ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
|
||||
register: sugroup_exists
|
||||
changed_when: false
|
||||
failed_when: sugroup_exists.rc >= 2
|
||||
|
|
@ -91,7 +91,7 @@
|
|||
- skip_ansible_lint
|
||||
|
||||
- name: Check sugroup if defined exists before continuing
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that: sugroup_exists.rc == 0
|
||||
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
|
||||
when:
|
||||
|
|
@ -101,35 +101,35 @@
|
|||
- rule_5.7
|
||||
|
||||
- name: Gather the package facts
|
||||
package_facts:
|
||||
ansible.builtin.package_facts:
|
||||
manager: auto
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Include OS specific variables
|
||||
include_vars: "{{ ansible_distribution }}.yml"
|
||||
ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Include preliminary steps
|
||||
import_tasks: prelim.yml
|
||||
ansible.builtin.import_tasks: prelim.yml
|
||||
tags:
|
||||
- prelim_tasks
|
||||
- always
|
||||
|
||||
- name: run pre_remediation audit
|
||||
include_tasks: pre_remediation_audit.yml
|
||||
ansible.builtin.include_tasks: pre_remediation_audit.yml
|
||||
when:
|
||||
- run_audit
|
||||
|
||||
- name: Gather the package facts after prelim
|
||||
package_facts:
|
||||
ansible.builtin.package_facts:
|
||||
manager: auto
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: capture /etc/password variables
|
||||
include_tasks: parse_etc_password.yml
|
||||
ansible.builtin.include_tasks: parse_etc_password.yml
|
||||
when:
|
||||
- rhel9cis_section6
|
||||
tags:
|
||||
|
|
@ -142,67 +142,67 @@
|
|||
- rhel9cis_section6
|
||||
|
||||
- name: run Section 1 tasks
|
||||
import_tasks: section_1/main.yml
|
||||
ansible.builtin.import_tasks: section_1/main.yml
|
||||
when: rhel9cis_section1
|
||||
tags:
|
||||
- rhel9cis_section1
|
||||
|
||||
- name: run Section 2 tasks
|
||||
import_tasks: section_2/main.yml
|
||||
ansible.builtin.import_tasks: section_2/main.yml
|
||||
when: rhel9cis_section2
|
||||
tags:
|
||||
- rhel9cis_section2
|
||||
|
||||
- name: run Section 3 tasks
|
||||
import_tasks: section_3/main.yml
|
||||
ansible.builtin.import_tasks: section_3/main.yml
|
||||
when: rhel9cis_section3
|
||||
tags:
|
||||
- rhel9cis_section3
|
||||
|
||||
- name: run Section 4 tasks
|
||||
import_tasks: section_4/main.yml
|
||||
ansible.builtin.import_tasks: section_4/main.yml
|
||||
when: rhel9cis_section4
|
||||
tags:
|
||||
- rhel9cis_section4
|
||||
|
||||
- name: run Section 5 tasks
|
||||
import_tasks: section_5/main.yml
|
||||
ansible.builtin.import_tasks: section_5/main.yml
|
||||
when: rhel9cis_section5
|
||||
tags:
|
||||
- rhel9cis_section5
|
||||
|
||||
- name: run Section 6 tasks
|
||||
import_tasks: section_6/main.yml
|
||||
ansible.builtin.import_tasks: section_6/main.yml
|
||||
when: rhel9cis_section6
|
||||
tags:
|
||||
- rhel9cis_section6
|
||||
|
||||
- name: run auditd logic
|
||||
import_tasks: auditd.yml
|
||||
ansible.builtin.import_tasks: auditd.yml
|
||||
when:
|
||||
- update_audit_template
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: run post remediation tasks
|
||||
import_tasks: post.yml
|
||||
ansible.builtin.import_tasks: post.yml
|
||||
tags:
|
||||
- post_tasks
|
||||
- always
|
||||
|
||||
- name: run post_remediation audit
|
||||
import_tasks: post_remediation_audit.yml
|
||||
ansible.builtin.import_tasks: post_remediation_audit.yml
|
||||
when:
|
||||
- run_audit
|
||||
|
||||
- name: Show Audit Summary
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ audit_results.split('\n') }}"
|
||||
when:
|
||||
- run_audit
|
||||
|
||||
- name: If Warnings found Output count and control IDs affected
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
|
||||
when: warn_count != 0
|
||||
tags:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue