ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

var fixes for 1.1.2.3.x and 1.1.2.4.x

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-06-16 15:14:08 -04:00
parent 6ced990430
commit b38e7d06eb
No known key found for this signature in database
GPG key ID: D29987C25A47D813
4 changed files with 10 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
tasks/pre_remediation_audit.yml
View file

@ -46,7 +46,7 @@
remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
- name: Pre Audit Setup | Check Goss is available - name: Pre Audit Setup | Check goss is available
when: run_audit when: run_audit
block: block:
- name: Pre Audit Setup | Check for goss file - name: Pre Audit Setup | Check for goss file

16
tasks/prelim.yml
View file

@ -136,8 +136,7 @@
register: prelim_systemd_coredump register: prelim_systemd_coredump
- name: "PRELIM | PATCH | Setup crypto-policy" - name: "PRELIM | PATCH | Setup crypto-policy"
when: when: rhel9cis_rule_1_6_1
- rhel9cis_rule_1_6_1
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -185,15 +184,13 @@
grub2_path: /etc/grub2-efi.cfg grub2_path: /etc/grub2-efi.cfg
- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
tags: tags: always
- always
ansible.builtin.stat: ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present register: prelim_gnome_present
- name: "PRELIM | PATCH | Install dconf if gui installed" - name: "PRELIM | PATCH | Install dconf if gui installed"
when: when: rhel9cis_gui
- rhel9cis_gui
tags: tags:
- always - always
ansible.builtin.package: ansible.builtin.package:
@ -251,9 +248,7 @@
state: touch state: touch
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when: when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11
- rhel9cis_rule_5_1_10 or
rhel9cis_rule_5_1_11
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
register: discovered_sshd_50_redhat_file register: discovered_sshd_50_redhat_file
@ -281,8 +276,7 @@
- name: "PRELIM | PATCH | Create journald config directory" - name: "PRELIM | PATCH | Create journald config directory"
when: when:
- rhel9cis_syslog == 'journald' - rhel9cis_syslog == 'journald'
- rhel9cis_rule_6_2_1_3 or - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
rhel9cis_rule_6_2_1_4
tags: always tags: always
ansible.builtin.file: ansible.builtin.file:
path: /etc/systemd/journald.conf.d path: /etc/systemd/journald.conf.d

4
tasks/section_1/cis_1.1.2.3.x.yml
View file

@ -21,12 +21,12 @@
register: discovered_home_mount register: discovered_home_mount
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent"
when: discovered_dev_shm_mount is undefined when: discovered_home_mount is undefined
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present"
when: discovered_dev_shm_mount is undefined when: discovered_home_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml

4
tasks/section_1/cis_1.1.2.4.x.yml
View file

@ -22,12 +22,12 @@
register: discovered_var_mount register: discovered_var_mount
- name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
when: discovered_dev_shm_mount is undefined when: discovered_var_mount is undefined
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
when: discovered_dev_shm_mount is undefined when: discovered_var_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml