Fix in logic for Alma (#4)

* container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-02-02 11:25:03 +00:00 · 2022-02-02 11:25:03 +00:00 · 02a36f7f8d
commit 02a36f7f8d
parent 876ac290d5
27 changed files with 392 additions and 113 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -2,11 +2,15 @@
 # defaults file for rhel9-cis

 rhel9cis_skip_for_travis: false
-rhel9cis_system_is_container: false
+system_is_container: false
+container_vars_file: is_container.yml
 # rhel9cis is left off the front of this var for consistency in testing pipeline
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false

+# Run the OS validation check
+os_check: true
+
 rhel9cis_notauto: false
 rhel9cis_section1: true
 rhel9cis_section2: true
@ -30,7 +34,7 @@ python2_bin: /bin/python2.7
 benchmark: RHEL9-CIS

 # Whether to skip the reboot
-rhel9cis_skip_reboot: true
+skip_reboot: true

 #### Basic external goss audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####
@ -545,8 +549,12 @@ rhel9cis_pam_password:
    minlen: "14"
    minclass: "4"

-# Starting GID for interactive users
-rhel9cis_int_gid: 1000
+# UID settings for interactive users
+# These are discovered via logins.def is set true
+discover_int_uid: false
+min_int_uid: 1000
+max_int_uid: 65533
+

 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -28,7 +28,9 @@
      group: root
      mode: 0600
  notify: reload sysctl
-  when: ansible_virtualization_type != "docker"
+  when: 
+      - ansible_virtualization_type != "docker"
+      - "'procps-ng' in ansible_facts.packages"

 - name: reload sysctl
  sysctl:
@ -37,7 +39,9 @@
    state: present
    reload: true
    ignoreerrors: true
-  when: ansible_virtualization_type != "docker"
+  when: 
+      - ansible_virtualization_type != "docker"
+      - "'systemd' in ansible_facts.packages"

 - name: systemd restart tmp.mount
  become: true
--- a/local.yml
+++ b/local.yml
@ -3,10 +3,7 @@
 - hosts: localhost
  connection: local
  become: true
-  vars:
-      is_container: false

  roles:
  - role: "{{ playbook_dir }}"
-    rhel9cis_system_is_container: "{{ is_container | default(false) }}"
-    rhel9cis_skip_for_travis: false
+
--- a/site.yml
+++ b/site.yml
@ -1,11 +1,7 @@
 ---
 - hosts: all
  become: true
-  vars:
-      is_container: false

  roles:

      - role: "{{ playbook_dir }}"
-        rhel9cis_system_is_container: "{{ is_container | default(false) }}"
-        rhel9cis_skip_for_travis: false
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,23 +1,46 @@
 ---
 # tasks file for RHEL9-CIS
+
 - name: Check OS version and family
  assert:
-      that:
-          - ansible_os_family == 'RedHat'
-          - ansible_distribution_major_version |int >= 8
-      fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
-      success_msg: "Supported OS release and version"
+      that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
+      fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+      success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
+  when: 
+    - os_check
+    - not system_is_ec2
  tags:
-  - always
+      - always

 - name: Check ansible version
  assert:
-      that:
-          - "ansible_version.full is version_compare ('2.9', '>=')"
-      fail_msg: "You must use ansible 2.9 or greater"
-      success_msg: "Supported ansible_version"
+      that: ansible_version.full is version_compare(min_ansible_version, '>=')
+      fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+      success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
  tags:
-  - always
+      - always
+
+- name: Setup rules if container
+  block:
+      - name: Discover and set container variable if required
+        set_fact:
+            system_is_container: true
+
+      - name: Load variable for container
+        include_vars:
+            file: "{{ container_vars_file }}"
+      
+      - name: output if discovered is a container
+        debug:
+            msg: system has been discovered as a container
+        when:
+            - system_is_container
+  when:
+      - ansible_connection == 'docker' or
+        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+      - container_discovery
+      - always

 - name: Check crypto-policy input
  assert:
@ -61,15 +84,19 @@
  tags:
  - always

+- name: Include OS specific variables
+  include_vars: "{{ ansible_distribution }}.yml"
+  tags:
+  - always
+
 - name: Include preliminary steps
  import_tasks: prelim.yml
-  become: 
  tags:
  - prelim_tasks
  - always

 - name: run pre_remediation audit
-  import_tasks: pre_remediation_audit.yml
+  include_tasks: pre_remediation_audit.yml
  when:
  - run_audit

@ -81,7 +108,14 @@

 - name: capture /etc/password variables
  include_tasks: parse_etc_password.yml
-  when: rhel9cis_section6
+  when: 
+  - rhel9cis_section6
+  tags:
+  - rule_5.5.2
+  - rule_6.2.7
+  - rule_6.2.8
+  - rule_6.2.20
+  - rhel9cis_section6

 - name: run Section 1 tasks
  import_tasks: section_1/main.yml
@ -94,26 +128,36 @@
  import_tasks: section_2/main.yml
  become: true
  when: rhel9cis_section2
+  tags:
+  - rhel9cis_section2

 - name: run Section 3 tasks
  import_tasks: section_3/main.yml
  become: true
  when: rhel9cis_section3
+  tags:
+  - rhel9cis_section3

 - name: run Section 4 tasks
  import_tasks: section_4/main.yml
  become: true
  when: rhel9cis_section4
+  tags:
+  - rhel9cis_section4

 - name: run Section 5 tasks
  import_tasks: section_5/main.yml
  become: true
  when: rhel9cis_section5
+  tags:
+  - rhel9cis_section5

 - name: run Section 6 tasks
  import_tasks: section_6/main.yml
  become: true
  when: rhel9cis_section6
+  tags:
+  - rhel9cis_section6

 - name: run post remediation tasks
  import_tasks: post.yml
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -6,6 +6,12 @@
      autoremove: true
  changed_when: false

+- name: Gather the package facts after remediation
+  package_facts:
+      manager: auto
+  tags:
+  - always
+
 - name: trigger update sysctl
  shell: /bin/true
  args:
@ -38,7 +44,13 @@
  changed_when: true
  check_mode: false
  when:
-      - rhel9cis_rule_4_1_3 or
+      - rhel9cis_rule_4_1_1_1 or
+        rhel9cis_rule_4_1_1_2 or
+        rhel9cis_rule_4_1_1_3 or
+        rhel9cis_rule_4_1_2_1 or
+        rhel9cis_rule_4_1_2_2 or
+        rhel9cis_rule_4_1_2_3 or
+        rhel9cis_rule_4_1_3 or
        rhel9cis_rule_4_1_4 or
        rhel9cis_rule_4_1_5 or
        rhel9cis_rule_4_1_6 or
@ -57,4 +69,4 @@
 - name: Reboot host
  reboot:
  when:
-  - not rhel9cis_skip_reboot
+  - not skip_reboot
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -1,4 +1,5 @@
 ---
+
 # Preliminary tasks that should always be run
 # List users in order to look files inside each home directory
 - name: "PRELIM | List users accounts"
@ -8,6 +9,10 @@
  changed_when: false
  check_mode: false
  register: users
+  tags:
+      - level1-server
+      - level1-workstation
+      - users

 - name: "PRELIM | Gather accounts with empty password fields"
  shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
@ -16,6 +21,10 @@
  changed_when: false
  check_mode: false
  register: empty_password_accounts
+  tags:
+      - level1-server
+      - level1-workstation
+      - passwords

 - name: "PRELIM | Gather UID 0 accounts other than root"
  shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
@ -24,14 +33,36 @@
  changed_when: false
  check_mode: false
  register: uid_zero_accounts_except_root
+  tags:
+      - level1-server
+      - level1-workstation
+      - users

- name: "PRELIM | Gather system-wide crypto-policy"
-  shell: update-crypto-policies --show
-  args:
-      warn: false
-  changed_when: false
-  check_mode: false
-  register: system_wide_crypto_policy
+- name: "PRELIM | Setup crypto-policy"
+  block:
+      - name: "PRELIM | Install crypto-policies"
+        dnf:
+            name:
+                - crypto-policies
+                - crypto-policies-scripts
+            state: present
+
+      - name: "PRELIM | Gather system-wide crypto-policy"
+        shell: update-crypto-policies --show
+        args:
+            warn: false
+        changed_when: false
+        check_mode: false
+        register: system_wide_crypto_policy
+  when:
+      - rhel9cis_rule_1_10 or
+        rhel9cis_rule_1_11
+  tags:
+      - level1-server
+      - level1-workstation
+      - rule_1.10 or
+        rule_1.11
+      - crypto

 - name: "PRELIM | if systemd coredump"
  stat:
@ -39,10 +70,18 @@
  register: systemd_coredump
  when:
      - rhel9cis_rule_1_6_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - rule_1.6.1
+      - systemd

 - name: "PRELIM | Section 1.1 | Create list of mount points"
  set_fact:
      mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
+  tags:
+      - level1-server
+      - level1-workstation

 - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  package:
@ -51,9 +90,13 @@
  become: true
  when: 
      - '"auditd" not in ansible_facts.packages'
-      - rhel9cis_level_2 or
-        rhel9cis_rule_4_1_1_1
-
+      - rhel9cis_rule_4_1_1_1
+  tags:
+      - level2-server
+      - level2-workstation
+      - patch
+      - rule_4.1.1.1
+      - auditd

 - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected"
  shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
@ -62,16 +105,23 @@
  check_mode: false
  register: priv_procs
  tags:
-  - always
+      - level1-server
+      - level1-workstation
+      - always

 - name: "PRELIM | Section 5.1 | Configure cron"
  package:
      name: cronie
      state: present
  become: true
-  when: 
+  when:
      - rhel9cis_rule_5_1_1
      - '"cronie" not in ansible_facts.packages'
+  tags:
+      - level1-server
+      - level1-workstation
+      - rule_5.1.1
+      - cron

 - name: "PRELIM | Install authconfig"
  package:
@ -83,8 +133,16 @@
      - rhel9cis_rule_5_3_1 or
        rhel9cis_rule_5_3_2 or
        rhel9cis_rule_5_3_3 or
-       '"authconfig" not in ansible_facts.packages' or
-       '"auditd-lib" not in ansible_facts.packages'
+       '"authconfig" not in ansible_facts.packages or
+       "auditd-lib" not in ansible_facts.packages'
+  tags:
+      - level1-server
+      - level1-workstation
+      - rule_5.3.1 or
+        rule_5.3.2 or
+        rule_5.3.3
+      - authconfig
+      - auditd

 - name: "PRELIM | Set facts based on boot type"
  block:
@ -103,12 +161,22 @@
        set_fact:
            grub2_path: /etc/grub2-efi.cfg
        when: rhel_09_efi_boot.stat.exists
+  when:
+      - not system_is_container
+  tags:
+      - bootloader
+      - grub

 - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
  stat:
      path: "{{ grub2_path }}"
  changed_when: false
  register: grub_cfg
+  when:
+      - not system_is_container
+  tags:
+      - bootloader
+      - grub

 - name: "PRELIM | Check for rhnsd service"
  shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
@ -118,5 +186,36 @@
  register: rhnsd_service_status
  when:
      - rhel9cis_rule_1_2_2
+      - ansible_distribution == "RedHat"
  tags:
+      - rule_1.2.2
      - skip_ansible_lint
+
+- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
+  block:
+      - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
+        shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: uid_min_id
+   
+      - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
+        shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: uid_max_id
+
+      - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
+        shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: gid_min_id
+
+      - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
+        set_fact:
+            min_int_uid: "{{ uid_min_id.stdout }}"
+            max_int_uid: "{{ uid_max_id.stdout }}"
+            min_int_gid: "{{ gid_min_id.stdout }}"
+- debug:
+    msg: "{{ min_int_uid }} {{ max_int_uid }}"
+
+  when:
+      - not discover_int_uid
+
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -37,12 +37,13 @@
      - rule_1.2.2

 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
-  shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
+  shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"
  args:
      warn: false
  when:
      - rhel9cis_rule_1_2_3
-      - ansible_distribution == "RedHat"
+      - ansible_distribution == "RedHat" or
+        ansible_distribution == "Rocky"
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@ -2,41 +2,41 @@

 - name: "SECTION | 1.1 | FileSystem Configurations\n
         SECTION | 1.1.1.x | Disable unused filesystems"
-  include_tasks: cis_1.1.1.x.yml
- include_tasks: cis_1.1.x.yml
+  import_tasks: cis_1.1.1.x.yml
+- import_tasks: cis_1.1.x.yml

 - name: "SECTION | 1.2 | Configure Software Updates"
-  include_tasks: cis_1.2.x.yml
+  import_tasks: cis_1.2.x.yml

 - name: "SECTION | 1.3 | Configure sudo"
-  include_tasks: cis_1.3.x.yml
+  import_tasks: cis_1.3.x.yml

 - name: "SECTION | 1.4 | Filesystem Integrity"
-  import_tasks: cis_1.4.x.yml
+  include_tasks: cis_1.4.x.yml
  when: rhel9cis_config_aide

 - name: "SECTION | 1.5 | Secure Boot Settings"
-  include_tasks: cis_1.5.x.yml
+  import_tasks: cis_1.5.x.yml

 - name: "SECTION | 1.6 | Additional Process Hardening"
-  include_tasks: cis_1.6.x.yml
+  import_tasks: cis_1.6.x.yml

 - name: "SECTION | 1.7 | bootloader and Mandatory Access Control"
-  import_tasks: cis_1.7.1.x.yml
+  include_tasks: cis_1.7.1.x.yml
  when: not rhel9cis_selinux_disable

 - name: "SECTION | 1.8 | Warning Banners"
-  include_tasks: cis_1.8.1.x.yml
+  import_tasks: cis_1.8.1.x.yml

 - name: "SECTION | 1.9 | Updated and Patches"
-  include_tasks: cis_1.9.yml
+  import_tasks: cis_1.9.yml

 - name: "SECTION | 1.10 | Crypto policies"
-  import_tasks: cis_1.10.yml
+  include_tasks: cis_1.10.yml
  when:
  - not system_is_ec2

 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies"
-  import_tasks: cis_1.11.yml
+  include_tasks: cis_1.11.yml
  when:
  - not system_is_ec2
--- a/tasks/section_2/cis_2.2.1.x.yml
+++ b/tasks/section_2/cis_2.2.1.x.yml
@ -6,7 +6,7 @@
      state: present
  when:
      - rhel9cis_rule_2_2_1_1
-      - not rhel9cis_system_is_container
+      - not system_is_container
  tags:
      - level1-server
      - level1-workstation
@ -34,7 +34,7 @@
  when:
      - rhel9cis_time_synchronization == "chrony"
      - rhel9cis_rule_2_2_1_2
-      - not rhel9cis_system_is_container
+      - not system_is_container
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_2/main.yml
+++ b/tasks/section_2/main.yml
@ -1,13 +1,13 @@
 ---

 - name: "SECTION | 2.1 | xinetd"
-  include_tasks: cis_2.1.1.yml
+  import_tasks: cis_2.1.1.yml

 - name: "SECTION | 2.2.1 | Time Synchronization"
-  include_tasks: cis_2.2.1.x.yml
+  import_tasks: cis_2.2.1.x.yml

 - name: "SECTION | 2.2 | Special Purpose Services"
-  include_tasks: cis_2.2.x.yml
+  import_tasks: cis_2.2.x.yml

 - name: "SECTION | 2.3 | Service Clients"
-  include_tasks: cis_2.3.x.yml
+  import_tasks: cis_2.3.x.yml
--- a/tasks/section_3/cis_3.4.1.1.yml
+++ b/tasks/section_3/cis_3.4.1.1.yml
@ -6,6 +6,7 @@
      state: present
  when:
      - rhel9cis_rule_3_4_1_1
+      - not system_is_container
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@ -17,7 +17,6 @@
 - name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld"
  systemd:
      name: iptables
-      enabled: false
      masked: true
  when:
      - rhel9cis_firewall == "firewalld"
--- a/tasks/section_3/main.yml
+++ b/tasks/section_3/main.yml
@ -1,41 +1,41 @@
 ---

 - name: "SECTION | 3.1.x | Packet and IP redirection"
-  include_tasks: cis_3.1.x.yml
+  import_tasks: cis_3.1.x.yml

 - name: "SECTION | 3.2.x | Network Parameters (Host Only)"
-  include_tasks: cis_3.2.x.yml
+  import_tasks: cis_3.2.x.yml

 - name: "SECTION | 3.3.x | Uncommon Network Protocols"
-  include_tasks: cis_3.3.x.yml
+  import_tasks: cis_3.3.x.yml

 - name: "SECTION | 3.4.1.x | firewall defined"
-  include_tasks: cis_3.4.1.1.yml
+  import_tasks: cis_3.4.1.1.yml

 - name: "SECTION | 3.4.2.x | firewalld firewall"
-  import_tasks: cis_3.4.2.x.yml
+  include_tasks: cis_3.4.2.x.yml
  when:
  - rhel9cis_firewall == "firewalld"

 - name: "SECTION | 3.4.3.x | Configure nftables firewall"
-  import_tasks: cis_3.4.3.x.yml
+  include_tasks: cis_3.4.3.x.yml
  when:
  - rhel9cis_firewall == "nftables"

 - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4"
-  import_tasks: cis_3.4.4.1.x.yml
+  include_tasks: cis_3.4.4.1.x.yml
  when:
  - rhel9cis_firewall == "iptables"

 - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6"
-  import_tasks: cis_3.4.4.2.x.yml
+  include_tasks: cis_3.4.4.2.x.yml
  when:
  - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )

 - name: "SECTION | 3.5 | Configure wireless"
-  include_tasks: cis_3.5.yml
+  import_tasks: cis_3.5.yml

 - name: "SECTION | 3.5 | disable IPv6"
-  import_tasks: cis_3.5.yml
+  include_tasks: cis_3.5.yml
  when:
  - not rhel9cis_ipv6_required
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ b/tasks/section_4/cis_4.1.1.x.yml
@ -20,6 +20,7 @@
      - level2-workstation
      - patch
      - rule_4.1.1.1
+      - auditd

 - name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled"
  service:
@ -29,7 +30,7 @@
  when:
      - not rhel9cis_skip_for_travis
      - rhel9cis_rule_4_1_1_2
-      - ansible_connection != 'docker'
+      - not system_is_container
  tags:
      - level2-server
      - level2-workstation
@ -104,4 +105,5 @@
      - level2-server
      - level2-workstation
      - patch
+      - auditd
      - rule_4.1.1.4
--- a/tasks/section_4/cis_4.3.yml
+++ b/tasks/section_4/cis_4.3.yml
@ -17,6 +17,7 @@
            - { path: "/etc/logrotate.conf" }
  when:
      - rhel9cis_rule_4_3
+      - "'logrotate' in ansible_facts.packages"
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_4/main.yml
+++ b/tasks/section_4/main.yml
@ -2,22 +2,24 @@

 - name: "SECTION | 4.1| Configure System Accounting (auditd)"
  include_tasks: cis_4.1.1.x.yml
+  when:
+      - not system_is_container

 - name: "SECTION | 4.1.2.x| Configure Data Retention"
-  include_tasks: cis_4.1.2.x.yml
+  import_tasks: cis_4.1.2.x.yml

 - name: "SECTION | 4.1.x| Auditd rules"
-  include_tasks: cis_4.1.x.yml
+  import_tasks: cis_4.1.x.yml

 - name: "SECTION | 4.2.x| Configure Logging"
  import_tasks: cis_4.2.1.x.yml
  when: rhel9cis_syslog == 'rsyslog'

 - name: "SECTION | 4.2.2.x| Configure journald"
-  include_tasks: cis_4.2.2.x.yml
+  import_tasks: cis_4.2.2.x.yml

 - name: "SECTION | 4.2.3 | Configure logile perms"
-  include_tasks: cis_4.2.3.yml
+  import_tasks: cis_4.2.3.yml

 - name: "SECTION | 4.3 | Configure logrotate"
-  include_tasks: cis_4.3.yml
+  import_tasks: cis_4.3.yml
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@ -13,7 +13,7 @@
            - item.id != "sync"
            - item.id != "shutdown"
            - item.id != "halt"
-            - item.gid < rhel9cis_int_gid
+            - item.uid < 1000
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"

@ -28,7 +28,7 @@
            - item.id != "shutdown"
            - item.id != "sync"
            - item.id != "root"
-            - item.gid < rhel9cis_int_gid
+            - min_int_uid | int >= item.uid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
  when:
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -1,27 +1,29 @@
 ---

 - name: "SECTION | 5.1 | Configure time-based job schedulers"
-  include_tasks: cis_5.1.x.yml
+  import_tasks: cis_5.1.x.yml

 - name: "SECTION | 5.2 | Configure SSH Server"
  include_tasks: cis_5.2.x.yml
+  when:
+      - "'openssh-server' in ansible_facts.packages"

 - name: "SECTION | 5.3 | Configure Profiles"
-  import_tasks: cis_5.3.x.yml
+  include_tasks: cis_5.3.x.yml
  when:
-  - rhel9cis_use_authconfig
+      - rhel9cis_use_authconfig

 - name: "SECTION | 5.4 | Configure PAM "
-  include_tasks: cis_5.4.x.yml
+  import_tasks: cis_5.4.x.yml

 - name: "SECTION | 5.5.1.x | Passwords and Accounts"
-  include_tasks: cis_5.5.1.x.yml
+  import_tasks: cis_5.5.1.x.yml

 - name: "SECTION | 5.5.x | System Accounts and User Settings"
-  include_tasks: cis_5.5.x.yml
+  import_tasks: cis_5.5.x.yml

 - name: "SECTION | 5.6 | Root Login"
-  include_tasks: cis_5.6.yml
+  import_tasks: cis_5.6.yml

 - name: Section | 5.7 | su Command Restriction
-  include_tasks: cis_5.7.yml
+  import_tasks: cis_5.7.yml
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@ -134,7 +134,7 @@
      - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
        stat:
            path: "{{ item }}"
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
        register: rhel_09_6_2_7_audit

      - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
@ -177,7 +177,8 @@
            recursive: true
            etype: "{{ item.1.etype }}"
            permissions: "{{ item.1.mode }}"
-        when: not rhel9cis_system_is_container
+        when: 
+            - not system_is_container
        with_nested:
            - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results |
              rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
@ -203,7 +204,7 @@
  loop_control:
      label: "{{ rhel9cis_passwd_label }}"
  when:
-      - item.uid >= rhel9cis_int_gid
+      - min_int_uid | int >= item.uid
      - rhel9cis_rule_6_2_8
  tags:
      - skip_ansible_lint  # settings found on 6_2_7
@ -499,7 +500,7 @@
        stat:
            path: "{{ item }}"
        register: rhel_09_6_2_20_audit
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"

      - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
        shell: find -H {{ item.0 | quote }} -not -type l -perm /027
@ -541,7 +542,8 @@
            recursive: true
            etype: "{{ item.1.etype }}"
            permissions: "{{ item.1.mode }}"
-        when: not rhel9cis_system_is_container
+        when: 
+            - not system_is_container
        with_nested:
            - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results |
              rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
@ -1,7 +1,7 @@
 ---

 - name: "SECTION | 6.1 | System File Permissions"
-  include_tasks: cis_6.1.x.yml
+  import_tasks: cis_6.1.x.yml

 - name: "SECTION | 6.2 | User and Group Settings"
-  include_tasks: cis_6.2.x.yml
+  import_tasks: cis_6.2.x.yml
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -32,18 +32,18 @@
 -w /etc/sysconfig/network -p wa -k system-locale
 {% endif %}
 {% if rhel9cis_rule_4_1_9 %}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_10 %}
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
 {% endif %}
 {% if rhel9cis_rule_4_1_11 %}
 -w /etc/group -p wa -k identity
@ -53,17 +53,17 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_12 %}
-a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_13 %}
 {% for proc in priv_procs.stdout_lines -%}
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_14 %}
-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_15 %}
 -w /usr/sbin/insmod -p x -k modules
--- a/vars/AlmaLinux.yml
+++ b/vars/AlmaLinux.yml
@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: RPM-GPG-KEY-AlmaLinux
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
--- a/vars/Rocky.yml
+++ b/vars/Rocky.yml
@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
--- a/vars/is_container.yml
+++ b/vars/is_container.yml
@ -0,0 +1,95 @@
+---
+
+# File to skip controls if container
+# Based on standard image no changes
+# it expected all pkgs required for the container are alreday installed
+
+## controls
+
+# Authconfig
+rhel9cis_use_authconfig: false
+
+# Firewall
+rhel9cis_firewall: None
+
+# SElinux
+rhel9cis_selinux_disable: true
+
+
+## Related individual rules
+# Aide
+rhel9cis_rule_1_4_1: false
+rhel9cis_rule_1_4_2: false
+
+# auditd
+rhel9cis_rule_4_1_1_1: false
+rhel9cis_rule_4_1_2_1: false
+rhel9cis_rule_4_1_2_2: false
+rhel9cis_rule_4_1_2_3: false
+
+# time sync
+rhel9cis_rule_2_2_1_1: false
+rhel9cis_rule_2_2_1_2: false
+
+# cron
+rhel9cis_rule_5_1_1: false
+rhel9cis_rule_5_1_2: false
+rhel9cis_rule_5_1_3: false
+rhel9cis_rule_5_1_4: false
+rhel9cis_rule_5_1_5: false
+rhel9cis_rule_5_1_6: false
+rhel9cis_rule_5_1_7: false
+rhel9cis_rule_5_1_8: false
+
+# crypto
+rhel9cis_rule_1_10: false
+rhel9cis_rule_1_11: false
+
+# grub
+rhel9cis_rule_1_5_1: false
+rhel9cis_rule_1_5_2: false
+rhel9cis_rule_1_5_3: false
+
+## mounts
+# /tmp
+rhel9cis_rule_1_1_2: false
+rhel9cis_rule_1_1_3: false
+rhel9cis_rule_1_1_4: false
+rhel9cis_rule_1_1_5: false
+#/var
+rhel9cis_rule_1_1_6: false
+# /var/tmp
+rhel9cis_rule_1_1_7: false
+rhel9cis_rule_1_1_8: false
+rhel9cis_rule_1_1_9: false
+rhel9cis_rule_1_1_10: false
+# /var/log
+rhel9cis_rule_1_1_11: false
+# /var/log/audit
+rhel9cis_rule_1_1_12: false
+# /home
+rhel9cis_rule_1_1_13: false
+rhel9cis_rule_1_1_14: false
+# /dev/shm
+rhel9cis_rule_1_1_15: false
+rhel9cis_rule_1_1_16: false
+rhel9cis_rule_1_1_17: false
+# usb-storage
+rhel9cis_rule_1_1_23: false
+
+# logging
+rhel9cis_rule_4_2_1_1: false
+rhel9cis_rule_4_2_1_2: false
+rhel9cis_rule_4_2_1_3: false
+rhel9cis_rule_4_2_1_4: false
+rhel9cis_rule_4_2_1_5: false
+rhel9cis_rule_4_2_1_6: false
+rhel9cis_rule_4_2_2_1: false
+rhel9cis_rule_4_2_2_2: false
+rhel9cis_rule_4_2_2_3: false
+
+# systemd
+rhel9cis_rule_1_6_1: false
+
+# Users/passwords/accounts
+rhel9cis_rule_5_5_2: false
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,5 +1,7 @@
 ---
 # vars file for RHEL9-CIS
+
+min_ansible_version: 2.9
 rhel9cis_allowed_crypto_policies:
    - 'FUTURE'
    - 'FIPS'