Merge pull request #40 from ansible-lockdown/august_updates

August updates
2026-03-26 06:37:11 +00:00 · 2025-08-14 16:37:22 -04:00 · 2025-08-14 16:37:22 -04:00 · c630c23725
commit c630c23725
parent c501e3d210 811b70612e
14 changed files with 65 additions and 19 deletions
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -25,7 +25,7 @@
    dest: /etc/audit/rules.d/99_auditd.rules
    owner: root
    group: root
-    mode: 'u-x,go-wx'
+    mode: 'u-x,g-wx,o-rwx'
  diff: "{{ discovered_auditd_rules_file.stat.exists }}"  # Only run diff if not a new file
  register: discovered_auditd_rules_template_updated
  notify:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -91,11 +91,14 @@
      block:
        - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"  # noqa name[template]
          ansible.builtin.assert:
-            that:
-              - prelim_ansible_user_password_set.stdout | length != 0
-              - prelim_ansible_user_password_set.stdout != "!!"
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
-            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
+            that: |
+              (
+                ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
+              or
+                (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
+              )
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"

        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
          ansible.builtin.assert:
@ -129,7 +132,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@ -1,6 +1,6 @@
 ---

- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
+- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
  when:
    - rhel9cis_rule_1_1_2_6_1
    - required_mount not in prelim_mount_names
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@ -1,6 +1,6 @@
 ---

- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
+- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
  when:
    - rhel9cis_rule_1_1_2_7_1
    - required_mount not in prelim_mount_names
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@ -41,7 +41,7 @@
    file: cis_1.2.2.x.yml

 - name: "SECTION | 1.3.1 | Configure SELinux"
-  ansible.builtin.include_tasks:
+  ansible.builtin.import_tasks:
    file: cis_1.3.1.x.yml

 - name: "SECTION | 1.4 | Configure Bootloader"
@ -61,5 +61,6 @@
    file: cis_1.7.x.yml

 - name: "SECTION | 1.8 | Gnome Display Manager"
+  when: rhel9cis_display_manager == 'gdm'
  ansible.builtin.import_tasks:
    file: cis_1.8.x.yml
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@ -240,12 +240,12 @@
    - rule_3.3.9
    - NIST800-53R5_AU-3
  block:
-    - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
+    - name: "3.3.9 | PATCH | Ensure suspicious packets are logged | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true

-    - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
+    - name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"

--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -61,7 +61,7 @@
    - level1-server
    - level1-workstation
    - patch
-    - rule_5.4.2.2
+    - rule_5.4.2.3
    - user
    - system
    - NIST800-53R5_CM-1
@ -135,6 +135,22 @@
      ansible.builtin.set_fact:
        root_paths: "{{ discovered_root_paths.stdout }}"

+    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for presence of non-dirs"
+      ansible.builtin.stat:
+        path: "{{ item }}"
+      loop: "{{ discovered_root_paths_split.stdout_lines }}"
+      register: paths_stat
+
+    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
+      ansible.builtin.file:
+        path: "{{ item.item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'go-w'
+      loop: "{{ paths_stat.results }}"
+      when: not item.stat.exists
+
    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
      when: discovered_root_paths is defined
      ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -91,13 +91,13 @@

    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
      when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd_service:
+      ansible.builtin.systemd:
        name: aidecheck.service
        enabled: true

    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
      when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd_service:
+      ansible.builtin.systemd:
        name: aidecheck.timer
        state: started
        enabled: true
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -131,7 +131,7 @@
          *.=warning;*.=err                                        -/var/log/warn
          *.crit                                                   /var/log/warn
          *.*;mail.none;news.none                                  /var/log/messages
-        insertafter: '#### RULES ####'
+        insertbefore: '# ### sample forwarding rule ###'
      notify: Restart rsyslog

    - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@ -27,9 +27,9 @@
    - level2-workstation
    - patch
    - auditd
-    - rule_6.3.4.1
    - rule_6.3.4.2
    - rule_6.3.4.3
+    - rule_6.3.4.4
    - NIST800-53R5_AU-3
  ansible.builtin.file:
    path: "{{ prelim_auditd_logfile.stdout }}"