ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

variable networkmanager package and typo fixes

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-05-28 16:11:36 +01:00
parent 260005415c
commit f2c03f1e68
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
2 changed files with 10 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

11
defaults/main.yml
View file

@ -12,7 +12,7 @@ os_check: true
# Disruption is high # Disruption is high
## Run tests that are considered higher risk and could have a system impact if not properly tested ## Run tests that are considered higher risk and could have a system impact if not properly tested
## Default false ## Default false
## Will be fine if clean new unconfigured build ## Will be fine if clean new un configured build
rhel9cis_disruption_high: false rhel9cis_disruption_high: false
## Switching on/off specific baseline sections ## Switching on/off specific baseline sections
@ -513,7 +513,7 @@ rhel9cis_rule_7_2_9: true
## Section 1 vars ## Section 1 vars
## Ability to enabe debug on mounts to assist in troubleshooting ## Ability to enable debug on mounts to assist in troubleshooting
# Mount point changes are set based upon facts created in Prelim # Mount point changes are set based upon facts created in Prelim
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. # these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
rhel9cis_debug_mount_data: false rhel9cis_debug_mount_data: false
@ -723,6 +723,7 @@ rhel9cis_ipv6_required: true
## 3.1.2 wireless network requirements ## 3.1.2 wireless network requirements
# if wireless adapter found allow network manager to be installed # if wireless adapter found allow network manager to be installed
rhel9cis_install_network_manager: false rhel9cis_install_network_manager: false
rhel9cis_network_manager_package_name: NetworkManager
# 3.3 System network parameters (host only OR host and router) # 3.3 System network parameters (host only OR host and router)
# This variable governs whether specific CIS rules # This variable governs whether specific CIS rules
# concerned with acceptance and routing of packages are skipped. # concerned with acceptance and routing of packages are skipped.
@ -815,7 +816,7 @@ rhel9cis_sshd_clientalivecountmax: 3
rhel9cis_sshd_clientaliveinterval: 15 rhel9cis_sshd_clientaliveinterval: 15
## Control 5.1.12 - disable forwarding ## Control 5.1.12 - disable forwarding
# By Default this will also disablex11 forwarding # By Default this will also disable x11 forwarding
# set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
rhel9cis_sshd_x11forwarding: 'no' rhel9cis_sshd_x11forwarding: 'no'
@ -1045,14 +1046,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive
# These are discovered via logins.def if set true # These are discovered via logins.def if set true
rhel9cis_discover_int_uid: true rhel9cis_discover_int_uid: true
# This variable sets the minimum number from which to search for UID # This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`. # been set to `true`.
min_int_uid: 1000 min_int_uid: 1000
### Controls: ### Controls:
# - Ensure local interactive user home directories exist # - Ensure local interactive user home directories exist
# - Ensure local interactive users own their home directories # - Ensure local interactive users own their home directories
# This variable sets the maximum number at which the search stops for UID # This variable sets the maximum number at which the search stops for UID
# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`. # been set to `true`.
max_int_uid: 65533 max_int_uid: 65533

8
tasks/section_3/cis_3.1.x.yml
View file

@ -39,7 +39,7 @@
warn_control_id: '3.1.2' warn_control_id: '3.1.2'
block: block:
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
when: "'network-manager' in ansible_facts.packages" when: "rhel9cis_network_manager_package_name in ansible_facts.packages"
ansible.builtin.command: nmcli radio wifi ansible.builtin.command: nmcli radio wifi
changed_when: false changed_when: false
failed_when: false failed_when: false
@ -48,19 +48,19 @@
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
when: when:
- "'network-manager' in ansible_facts.packages" - "rhel9cis_network_manager_package_name in ansible_facts.packages"
- "'enabled' in discovered_wifi_status.stdout" - "'enabled' in discovered_wifi_status.stdout"
ansible.builtin.command: nmcli radio all off ansible.builtin.command: nmcli radio all off
changed_when: discovered_nmcli_radio_off.rc == 0 changed_when: discovered_nmcli_radio_off.rc == 0
register: discovered_nmcli_radio_off register: discovered_nmcli_radio_off
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
when: "'network-manager' not in ansible_facts.packages" when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed" msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count"
when: "'network-manager' not in ansible_facts.packages" when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml