--- # tasks file for RHEL9-CIS - name: Check OS version and family ansible.builtin.assert: that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" when: - os_check - not system_is_ec2 tags: - always - name: Check ansible version ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - always - name: "Check password set for {{ ansible_user }}" block: - name: Capture current password state of "{{ ansible_user }}" ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - name: "Assert that password set for {{ ansible_user }} and account not locked" ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_user }}" vars: sudo_password_rule: rhel9cis_rule_5_3_4 when: - rhel9cis_rule_5_3_4 - not system_is_ec2 tags: - user_passwd - name: "Ensure root password is set" block: - name: "Ensure root password is set" ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" changed_when: false register: root_passwd_set - name: "Ensure root password is set" ansible.builtin.assert: that: root_passwd_set.rc == 0 fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" success_msg: "You have a root password set" when: - rhel9cis_rule_5_6_6 tags: - level1-server - level1-workstation - patch - accounts - root - rule_5.6.6 - name: Setup rules if container block: - name: Discover and set container variable if required ansible.builtin.set_fact: system_is_container: true - name: Load variable for container ansible.builtin.include_vars: file: "{{ container_vars_file }}" - name: Output if discovered is a container ansible.builtin.debug: msg: system has been discovered as a container when: - system_is_container when: - ansible_connection == 'docker' or ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always - name: Check crypto-policy input ansible.builtin.assert: that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" - name: Check rhel9cis_bootloader_password_hash variable has been changed ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 tags: - always - name: Gather the package facts ansible.builtin.package_facts: manager: auto tags: - always - name: Include OS specific variables ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" tags: - always - name: Include preliminary steps ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit ansible.builtin.include_tasks: pre_remediation_audit.yml when: - run_audit - name: run Section 1 tasks ansible.builtin.import_tasks: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks ansible.builtin.import_tasks: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks ansible.builtin.import_tasks: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks ansible.builtin.import_tasks: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks ansible.builtin.import_tasks: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks ansible.builtin.import_tasks: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic ansible.builtin.import_tasks: auditd.yml when: update_audit_template tags: - always - name: run post remediation tasks ansible.builtin.import_tasks: post.yml tags: - post_tasks - always - name: run post_remediation audit ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: run_audit - name: If Warnings found Output count and control IDs affected ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: - always