mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
lint and best practise
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
69e01b84f3
commit
fcf9eb674f
6 changed files with 33 additions and 30 deletions
|
|
@ -145,7 +145,8 @@
|
|||
listen: "Remount /var/log/audit"
|
||||
|
||||
- name: Reload sysctl
|
||||
ansible.builtin.shell: sysctl --system
|
||||
ansible.builtin.command: sysctl --system
|
||||
changed_when: true
|
||||
|
||||
- name: Sysctl flush ipv4 route table
|
||||
when:
|
||||
|
|
@ -181,8 +182,8 @@
|
|||
|
||||
- name: Set Crypto Policy
|
||||
when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
|
||||
ansible.builtin.shell: |
|
||||
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
|
||||
ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
|
||||
changed_when: true
|
||||
notify:
|
||||
- Change_requires_reboot
|
||||
- Restart sshd
|
||||
|
|
@ -203,10 +204,12 @@
|
|||
state: restarted
|
||||
|
||||
- name: Reload dconf
|
||||
ansible.builtin.shell: dconf update
|
||||
ansible.builtin.command: dconf update
|
||||
changed_when: true
|
||||
|
||||
- name: Grub2cfg
|
||||
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
|
||||
ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg"
|
||||
changed_when: true
|
||||
ignore_errors: true # noqa ignore-errors
|
||||
|
||||
- name: Restart rsyslog
|
||||
|
|
@ -229,12 +232,13 @@
|
|||
daemon-reload: true
|
||||
|
||||
- name: Authselect update
|
||||
ansible.builtin.shell: authselect apply-changes
|
||||
ansible.builtin.command: authselect apply-changes
|
||||
changed_when: true
|
||||
|
||||
## Auditd tasks note order for handlers to run
|
||||
|
||||
- name: Auditd immutable check
|
||||
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
|
||||
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
|
||||
changed_when: false
|
||||
register: discovered_auditd_immutable_check
|
||||
|
||||
|
|
@ -246,7 +250,8 @@
|
|||
notify: Change_requires_reboot
|
||||
|
||||
- name: Stop auditd process
|
||||
ansible.builtin.shell: systemctl kill auditd
|
||||
ansible.builtin.command: systemctl kill auditd
|
||||
changed_when: true
|
||||
listen: Restart auditd
|
||||
|
||||
- name: Start auditd process
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue