that:(ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg:"This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg:"This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
# Pre-flight gate: stop when the running Ansible release is older than
# min_ansible_version. Tagged `always` so it is evaluated even when the
# play is limited to a subset of tags.
- name: "Check ansible version"
  tags:
    - always
  ansible.builtin.assert:
    that:
      - ansible_version.full is version_compare(min_ansible_version, '>=')
    fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
    success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
# Runs only when the connection is docker or the detected virtualization
# type is one of the listed container runtimes.
- name:"Setup rules if container"
when:ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
# NOTE(review): the rest of the container task and the header of the task
# that owns the `that:`/`msg:` pair below are not visible in this listing.
# The pair looks like the arguments of a separate assert; confirm against
# the full file.
#
# Bootloader credential guard: passes when the password hash differs from
# the shipped placeholder, or when a salt is set and the password is not
# the literal 'password'. It rejects only those known placeholder values;
# it does not check that the hash is well-formed or that the password is
# strong. The trailing pragma appears to be a secret-scanner allowlist
# marker for the placeholder string.
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma:allowlist secret
msg:"This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
# Validate the configured crypto-policy module against the allow-list in
# rhel9cis_allowed_crypto_policies_modules. Both `when` conditions must
# hold for the assert to run.
#
# NOTE(review): the guard tests rhel9cis_crypto_policy_module for being
# non-empty, while the assertion validates
# rhel9cis_additional_crypto_policy_module. If these are meant to be the
# same setting, a value in one can skip or misdirect the allow-list check
# for the other; confirm which variable is intended.
- name: "Check crypto-policy module input"
  when:
    - rhel9cis_crypto_policy_ansiblemanaged
    - rhel9cis_crypto_policy_module | length > 0
  tags:
    - rule_1.6.1
    - crypto
    - NIST800-53R5_SC-6
  ansible.builtin.assert:
    that:
      - rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
    fail_msg: "Crypto policy module is not a permitted version"
    success_msg: "Crypto policy module is a permitted version"
- name:"Check password set for {{ ansible_env.SUDO_USER }}"
# Lock-out guard for the sudo password rule: the invoking user must either
# have a password recorded or be listed in
# rhel9cis_sudoers_exclude_nopasswd_list.
#
# NOTE(review): prelim_ansible_user_password_set.stdout is presumably the
# account's shadow password field, registered by an earlier task that is
# not visible here. Only the empty string and "!!" are treated as "no
# password"; other non-login markers (for example a lone "*") would pass.
# Verify against the task that registers it.
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"  # noqa name[template]
  ansible.builtin.assert:
    that: |
      (
      ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
      or
      (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
      )
    fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
    success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
# Companion lock-out guard: fail when the invoking user's password field
# begins with "!" unless the user is on the exception list.
# NOTE(review): a leading "!" is treated here as "account locked"; this
# presumes stdout holds the shadow password field. Confirm against the
# task that registers prelim_ansible_user_password_set.
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
  ansible.builtin.assert:
    that:
      - (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
    fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
    success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
- name:"Check authselect profile is selected"
when:rhel9cis_allow_authselect_updates
tags:always
block:
- name:"Check authselect profile name has been updated | Ensure name from default is changed"