Revert "Merge 'devel' of kris9854/RHEL9-CIS-fix into devel"

This reverts commit d4471a3016, reversing changes made to d6ca36a91f.
2025-12-28 07:53:07 +00:00 · 2022-09-26 19:10:53 +02:00 · 2022-09-26 19:10:53 +02:00 · da0734c3a8
commit da0734c3a8
parent 66d8fb8b32
65 changed files with 461 additions and 801 deletions
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -3,7 +3,7 @@
 - name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
  service:
      name: crond
-      enabled: true
+      enabled: yes
  when:
      - rhel9cis_rule_5_1_1
  tags:
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -271,21 +271,10 @@
      - rule_5.2.13

 - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
-  block:
-      - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
-        shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
-        args:
-            warn: false
-        changed_when: false
-        failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
-        register: ssh_crypto_discovery
-
-      - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
-        shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
-        args:
-            warn: false
-        notify: restart sshd
-        when: ssh_crypto_discovery.stdout | length > 0
+  shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
+  args:
+      warn: no
+  notify: restart sshd
  when:
      - rhel9cis_rule_5_2_14
  tags:
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@ -6,7 +6,7 @@
        shell: 'authselect current | grep "Profile ID: custom/"'
        failed_when: false
        changed_when: false
-        check_mode: false
+        check_mode: no
        register: rhel9cis_5_4_1_profiles

      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
@ -18,7 +18,7 @@
      - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
        shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
        args:
-            warn: false
+            warn: no
        when: rhel9cis_authselect_custom_profile_create
  when:
      - rhel9cis_rule_5_4_1
@ -36,7 +36,7 @@
        shell: "authselect current | grep with-faillock"
        failed_when: false
        changed_when: false
-        check_mode: false
+        check_mode: no
        register: rhel9cis_5_4_2_profiles_faillock

      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
@ -48,7 +48,7 @@
      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
        shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
        args:
-            warn: false
+            warn: no
        when: rhel9cis_authselect_custom_profile_select
  when:
      - rhel9cis_rule_5_4_2
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -51,7 +51,7 @@
        shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
        changed_when: false
        failed_when: false
-        check_mode: false
+        check_mode: no
        register: rhel9cis_5_6_1_4_inactive_settings

      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
@ -59,9 +59,9 @@
        when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0

      - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
-        shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
+        shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
        changed_when: false
-        check_mode: false
+        check_mode: no
        register: rhel_8_5_6_1_4_user_list

      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
@ -78,20 +78,20 @@
      - password
      - rule_5.6.1.4

- name: "5.6.1.5 |  PATCH | Ensure all users last password change date is in the past"
+- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
  block:
      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
        shell: echo $(($(date --utc --date "$1" +%s)/86400))
        changed_when: false
        failed_when: false
-        check_mode: false
+        check_mode: no
        register: rhel9cis_5_6_1_5_currentut

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
        shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
        changed_when: false
        failed_when: false
-        check_mode: false
+        check_mode: no
        register: rhel9cis_5_6_1_5_user_list

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
@ -101,15 +101,7 @@

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
        debug:
-            msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
-        when:
-            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
-            - not rhel9cis_futurepwchgdate_autofix
-
-      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
-        set_fact:
-            control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"
-            warn_count: "{{ warn_count | int + 1 }}"
+            msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
        when:
            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
            - not rhel9cis_futurepwchgdate_autofix
@ -117,7 +109,7 @@
      - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
        command: passwd --expire {{ item }}
        when:
-            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
+            - rhel9cis_5_6_1_5_user_list | length > 0
            - rhel9cis_futurepwchgdate_autofix
        with_items:
            - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -32,7 +32,7 @@
            - item.id != "sync"
            - item.id != "root"
            - item.id != "nfsnobody"
-            - item.gid < min_int_uid | int
+            - min_int_uid | int < item.gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
        loop_control:
@ -49,7 +49,7 @@

 - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  blockinfile:
-      create: true
+      create: yes
      mode: 0644
      dest: "{{ item.dest }}"
      state: "{{ item.state }}"