lin and 7.1.12/13 logic improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2026-04-08 12:53:02 +01:00
parent 2b17f3f168
commit dab815f7b6
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9


@ -1,8 +1,7 @@
---
- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
when:
- rhel9cis_rule_7_1_1
when: rhel9cis_rule_7_1_1
tags:
- level1-server
- level1-workstation
@ -18,8 +17,7 @@
mode: 'u-x,go-wx'
- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
when:
- rhel9cis_rule_7_1_2
when: rhel9cis_rule_7_1_2
tags:
- level1-server
- level1-workstation
@ -35,8 +33,7 @@
mode: 'u-x,go-wx'
- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
when:
- rhel9cis_rule_7_1_3
when: rhel9cis_rule_7_1_3
tags:
- level1-server
- level1-workstation
@ -52,8 +49,7 @@
mode: 'u-x,go-wx'
- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
when:
- rhel9cis_rule_7_1_4
when: rhel9cis_rule_7_1_4
tags:
- level1-server
- level1-workstation
@ -69,8 +65,7 @@
mode: 'u-x,go-wx'
- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
when:
- rhel9cis_rule_7_1_5
when: rhel9cis_rule_7_1_5
tags:
- level1-server
- level1-workstation
@ -86,8 +81,7 @@
mode: 'ugo-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when:
- rhel9cis_rule_7_1_6
when: rhel9cis_rule_7_1_6
tags:
- level1-server
- level1-workstation
@ -103,8 +97,7 @@
mode: 'ugo-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when:
- rhel9cis_rule_7_1_7
when: rhel9cis_rule_7_1_7
tags:
- level1-server
- level1-workstation
@ -120,8 +113,7 @@
mode: 'ugo-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when:
- rhel9cis_rule_7_1_8
when: rhel9cis_rule_7_1_8
tags:
- level1-server
- level1-workstation
@ -137,8 +129,7 @@
mode: 'ugo-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when:
- rhel9cis_rule_7_1_9
when: rhel9cis_rule_7_1_9
tags:
- level1-server
- level1-workstation
@ -154,8 +145,7 @@
mode: 'u-x,go-wx'
- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
when:
- rhel9cis_rule_7_1_10
when: rhel9cis_rule_7_1_10
tags:
- level1-server
- level1-workstation
@ -173,8 +163,7 @@
register: discovered_file_exists
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when:
- rhel9cis_rule_7_1_11
when: rhel9cis_rule_7_1_11
tags:
- level1-server
- level1-workstation
@ -191,7 +180,7 @@
changed_when: false
register: discovered_world_writable
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
when:
- discovered_world_writable.stdout_lines is defined
- discovered_world_writable.stdout_lines | length > 0
@ -202,15 +191,14 @@
state: touch
loop: "{{ discovered_world_writable.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
changed_when: discovered_set_stickybit.rc == 0
register: discovered_set_stickybit
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when:
- rhel9cis_rule_7_1_12
when: rhel9cis_rule_7_1_12
tags:
- level1-server
- level1-workstation
@ -223,7 +211,7 @@
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
ansible.builtin.command: "find {{ item.mount }} -xdev {{ rhel9cis_exclude_unowned_search_path }} \\( -nouser -o -nogroup \\) -not -fstype nfs"
changed_when: false
failed_when: false
check_mode: false
@ -266,8 +254,7 @@
file: warning_facts.yml
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
when:
- rhel9cis_rule_7_1_13
when: rhel9cis_rule_7_1_13
tags:
- level1-server
- level1-workstation
@ -285,7 +272,7 @@
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 -o -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
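Review bot: The new 7.1.13 audit command still cannot run: `-perm` takes a single mode argument, so after `ansible.builtin.command` splits the line, find receives `-perm (` and exits with "invalid mode" before evaluating `-02000 -o -04000`. Because the task carries `failed_when: false`, that error is swallowed and the audit reports an empty SUID/SGID list, i.e. a silent false negative rather than a visible failure. Put the operator inside the group and repeat the predicate: `ansible.builtin.command: find {{ item.mount }} -xdev -type f \( -perm -02000 -o -perm -04000 \) -not -fstype nfs`. It would also be worth narrowing `failed_when: false` to the exit codes find legitimately returns, so a malformed expression surfaces instead of being reported as "no findings"; the surrounding block and its loop start and end outside this hunk.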
@ -309,7 +296,7 @@
- "The files are listed below, please confirm the integrity of these binaries"
- "{{ discovered_suid_sgid_files_flatten }}"
- name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
- name: "7.1.13 | PATCH | Ensure SUID and SGID files are reviewed | Remove SUID bit"
when:
- rhel9cis_suid_sgid_adjust
- discovered_suid_sgid_files_flatten | length > 0