From 06e96ba7694ab93e9ba3973aba88261095840121 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 5 Jun 2024 23:57:18 +0100
Subject: [PATCH] improvements

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 4 ++++
 tasks/section_5/cis_5.4.x.yml | 30 +++++++++++++++++------------
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index e0598e2..dd97fec 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -81,7 +81,11 @@
 - name: Apply_authselect
   ansible.builtin.shell: authselect apply-changes
+  when: not rhel9cis_rule_5_4_2
+- name: Apply_authselect
+  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
+  when: rhel9cis_rule_5_4_2
 
 ## Auditd tasks note order for handlers to run
 - name: Auditd immutable check
diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
index 638cc69..e463998 100644
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
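Review bot: The added handler reuses the name `Apply_authselect`, so any task that notifies that name now targets two handlers with identical names, and Ansible runs only one handler per name; the `when:` conditions do not change that, so depending on which definition wins, hosts with `rhel9cis_rule_5_4_2` enabled either never get the `authselect select ... --force` step or never get `authselect apply-changes`. Give the two handlers distinct names and attach both to the existing notify name with `listen: Apply_authselect`, so each runs and evaluates its own `when:` without touching the callers. The select handler also interpolates `rhel9cis_authselect['options']` and the profile name into an `ansible.builtin.shell` line; these are role variables rather than untrusted input, but since no pipe or redirection is used, `ansible.builtin.command` would keep shell metacharacters in those values from being interpreted. The handlers list continues outside the hunk.
```yaml
- name: Apply_authselect_changes
  listen: Apply_authselect
  ansible.builtin.shell: authselect apply-changes
  when: not rhel9cis_rule_5_4_2
- name: Apply_authselect_select_profile
  listen: Apply_authselect
  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
  when: rhel9cis_rule_5_4_2
```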
@@ -3,21 +3,25 @@
 - name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
   block:
     - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
-      ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
+      ansible.builtin.shell: 'authselect list | grep custom'
       failed_when: false
       changed_when: false
       check_mode: false
-      register: rhel9cis_5_4_1_profiles
-
-    - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
-      ansible.builtin.debug:
-        msg:
-          - "Below are the current custom profiles"
-          - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
+      register: rhel9cis_5_4_1_current_profile
 
     - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
       ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
-      when: rhel9cis_authselect_custom_profile_create
+      when:
+        - rhel9cis_authselect_custom_profile_create
+        - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
+
+    - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup"
+      ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}"
+      register: authselect_5_4_1_select
+      when:
+        - rhel9cis_authselect_custom_profile_create
+        - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
+
   when:
     - rhel9cis_rule_5_4_1
   tags:
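Review bot: The guard `"rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"` on the Create and Force tasks is a bare substring test against the whole `authselect list | grep custom` output, so a configured name that is a prefix or substring of another custom profile's id or description (say `cis` when `custom/cis-hardened` exists) reads as already present and the profile is neither created nor selected. Match the profile id as a whole token instead, e.g. `"'custom/' ~ rhel9cis_authselect.custom_profile_name ~ ' ' not in rhel9cis_5_4_1_current_profile.stdout"` (confirm that `authselect list` prints the id followed by whitespace on the target hosts). Since the registered variable now holds the list of existing custom profiles rather than the output of `authselect current`, an existing-but-unselected custom profile is no longer selected by this block; a comment on the Gather task such as `# lists existing custom profiles; 5.4.1 only creates and selects a missing one` would make that intended scope explicit, and renaming the variable to something like `rhel9cis_5_4_1_custom_profiles` would avoid the misleading `current_profile`. Neither `create-profile` nor `select` uses a pipe, so `ansible.builtin.command` would avoid shell interpretation of the interpolated profile name and source path. The block's `tags:` list continues outside the hunk.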
@@ -28,7 +32,7 @@
     - authselect
     - rule_5.4.1
 
-- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
+- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options"
   block:
     - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
       ansible.builtin.shell: "authselect current | grep with-faillock"
@@ -43,11 +47,11 @@
         - "Below are the current custom profiles"
         - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"
 
-    - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
+    - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options"
       ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force"
       when: rhel9cis_authselect_custom_profile_select
 
-    - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+    - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
       ansible.builtin.lineinfile:
         path: "/etc/pam.d/password-auth"
         regexp: "{{ item.regexp }}"
@@ -61,7 +65,7 @@
         - rhel9cis_add_faillock_without_authselect
         - rhel9cis_5_4_2_risks == 'ACCEPT'
 
-    - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+    - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
       ansible.builtin.lineinfile:
         path: "/etc/pam.d/system-auth"
         regexp: "{{ item.regexp }}"