From e5ce163fcf6584a9f59a8fd0d3a30a684c9c411b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 14 Feb 2023 08:54:21 +0000
Subject: [PATCH] new option to 6_2_16 not follow symlinks

Signed-off-by: Mark Bolwell
---
 Changelog.md | 7 +++++++
 defaults/main.yml | 10 ++++++++--
 tasks/section_6/cis_6.2.x.yml | 1 +
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 35e9e44..24d6b64 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,12 @@
 # Changes to rhel9CIS
 
+## 1.0.1
+
+Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
+Will not follow ynlink in hoe directoris and amend permissions.
+
+-rhel_09_6_2_16_home_follow_symlink: false
+
 ## Initial CIS v1.0.0 - released Dec 2022
 
 ### Official CIS release
diff --git a/defaults/main.yml b/defaults/main.yml
index b3f73d8..b7a3e4f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -653,8 +653,14 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 # RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
 rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-# 6.2.9
-rhel9cis_dotperm_ansiblemanaged: true
+
+
+# 6.2.16
+## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
+rhel_09_6_2_16_home_follow_symlinks: false
+
+
+
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment:
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index bfd371a..618cadb 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
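Review bot: `rhel9cis_dotperm_ansiblemanaged: true` is removed from the defaults without any matching task change in this patch (the only task edit is the single added line in cis_6.2.x.yml), so if some task still reads that variable the role now fails on an undefined variable; confirm it has no remaining readers before dropping it, or keep the default until its consumer is removed as well. The replacement `rhel_09_6_2_16_home_follow_symlinks` also breaks the `rhel9cis_` prefix used by the neighbouring defaults in this hunk, and the Changelog entry spells it `rhel_09_6_2_16_home_follow_symlink` without the trailing `s`, so an override copied from the Changelog sets a variable nothing reads. The added comment has typos and does not say why `false` is the safe default; I would replace it with `# 6.2.16 | Follow symlinks when fixing the mode of user dot files. Keep false: a symlink in a user-writable home directory must not redirect the privileged chmod to a file outside that directory.`.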
@@ -436,6 +436,7 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 mode: go-w
+ follow: "{{ rhel_09_6_2_16_home_follow_symlinks }}"
 loop: "{{ user_dot_files.files }}"
 loop_control:
 label: "{{ item.path }}"
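Review bot: The added `follow:` only governs how the `file` module treats a path that is itself a symlink; the `find` that fills `user_dot_files` and this task's `when:` clause start outside the hunk, so whether link entries can reach this loop at all is not visible — if that `find` keeps the module's default `file_type: file`, links are presumably already excluded and this key is a second line of defence rather than the primary one, which is worth stating in a comment. The value is passed as a templated string (`"{{ ... }}"`), and while the file module's boolean argument coerces it, an override such as `"no"` or `0` then depends on that coercion, so the default in defaults/main.yml should state that the variable is a boolean. I would add above the new line: `# Never follow symlinks unless explicitly enabled: the dot-file path is user-controlled, so a link must not redirect this mode change to a file outside the home directory.`.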