Fix in logic for Alma (#4)

* container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-02-02 11:25:03 +00:00 · 2022-02-02 11:25:03 +00:00 · 02a36f7f8d
commit 02a36f7f8d
parent 876ac290d5
27 changed files with 392 additions and 113 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,23 +1,46 @@
 ---
 # tasks file for RHEL9-CIS
+
 - name: Check OS version and family
  assert:
-      that:
-          - ansible_os_family == 'RedHat'
-          - ansible_distribution_major_version |int >= 8
-      fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
-      success_msg: "Supported OS release and version"
+      that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
+      fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+      success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
+  when: 
+    - os_check
+    - not system_is_ec2
  tags:
-  - always
+      - always

 - name: Check ansible version
  assert:
-      that:
-          - "ansible_version.full is version_compare ('2.9', '>=')"
-      fail_msg: "You must use ansible 2.9 or greater"
-      success_msg: "Supported ansible_version"
+      that: ansible_version.full is version_compare(min_ansible_version, '>=')
+      fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+      success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
  tags:
-  - always
+      - always
+
+- name: Setup rules if container
+  block:
+      - name: Discover and set container variable if required
+        set_fact:
+            system_is_container: true
+
+      - name: Load variable for container
+        include_vars:
+            file: "{{ container_vars_file }}"
+      
+      - name: output if discovered is a container
+        debug:
+            msg: system has been discovered as a container
+        when:
+            - system_is_container
+  when:
+      - ansible_connection == 'docker' or
+        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+      - container_discovery
+      - always

 - name: Check crypto-policy input
  assert:
@ -61,15 +84,19 @@
  tags:
  - always

+- name: Include OS specific variables
+  include_vars: "{{ ansible_distribution }}.yml"
+  tags:
+  - always
+
 - name: Include preliminary steps
  import_tasks: prelim.yml
-  become: 
  tags:
  - prelim_tasks
  - always

 - name: run pre_remediation audit
-  import_tasks: pre_remediation_audit.yml
+  include_tasks: pre_remediation_audit.yml
  when:
  - run_audit

@ -81,7 +108,14 @@

 - name: capture /etc/password variables
  include_tasks: parse_etc_password.yml
-  when: rhel9cis_section6
+  when: 
+  - rhel9cis_section6
+  tags:
+  - rule_5.5.2
+  - rule_6.2.7
+  - rule_6.2.8
+  - rule_6.2.20
+  - rhel9cis_section6

 - name: run Section 1 tasks
  import_tasks: section_1/main.yml
@ -94,26 +128,36 @@
  import_tasks: section_2/main.yml
  become: true
  when: rhel9cis_section2
+  tags:
+  - rhel9cis_section2

 - name: run Section 3 tasks
  import_tasks: section_3/main.yml
  become: true
  when: rhel9cis_section3
+  tags:
+  - rhel9cis_section3

 - name: run Section 4 tasks
  import_tasks: section_4/main.yml
  become: true
  when: rhel9cis_section4
+  tags:
+  - rhel9cis_section4

 - name: run Section 5 tasks
  import_tasks: section_5/main.yml
  become: true
  when: rhel9cis_section5
+  tags:
+  - rhel9cis_section5

 - name: run Section 6 tasks
  import_tasks: section_6/main.yml
  become: true
  when: rhel9cis_section6
+  tags:
+  - rhel9cis_section6

 - name: run post remediation tasks
  import_tasks: post.yml