From 0f58436212c55b38859cac6389e311e54af8a5a0 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 6 Mar 2024 09:10:06 +0000 Subject: [PATCH] Gpg import for rhel servers (#185) * change logic thanks to @rjacobs1990 see #175 * 1.2.1 force gpg import rhel * fix missing facts --------- Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ defaults/main.yml | 5 +++++ tasks/LE_audit_setup.yml | 4 ++-- tasks/prelim.yml | 25 +++++++++++++++++++++++++ tasks/section_4/cis_4.1.4.x.yml | 2 +- 5 files changed, 37 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index baa0d44..b6f9886 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.1.4 - Based on CIS v1.0.0 + +- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only + ## 1.1.3 - Based on CIS v1.0.0 - updated goss binary to 0.4.4 diff --git a/defaults/main.yml b/defaults/main.yml index 6cd15ce..43671f3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -424,6 +424,11 @@ rhel9cis_rule_6_2_16: true # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false +## Control 1.2.1 +# For new systems that have not yet run update the gpg key is not yet imported +# Setting to `true` will allow a test on the package and the foce the import of the key +rhel9cis_force_gpg_key_import: true + ## Control 1.2.4 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 56ffbd6..7ef94b4 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
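Review bot: The comment added above `rhel9cis_force_gpg_key_import` in defaults/main.yml has a typo (`foce`) and an extra article, and it does not say how narrowly the option applies; suggest `# Setting to \`true\` will test the redhat-release package signature and then force the import of the key` plus `# Only acts when rhel9cis_rule_1_2_1 is enabled and ansible_facts.distribution is RedHat`. That scoping matches the outer `when` of the new prelim block in this same commit, and since the variable defaults to `true` an operator reading only defaults/main.yml should know the role will run an `rpm --import` on their hosts under those conditions.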
@@ -5,12 +5,12 @@ - name: Pre Audit Setup | Set audit package name | 64bit ansible.builtin.set_fact: audit_pkg_arch_name: AMD64 - when: ansible_machine == "x86_64" + when: ansible_facts.machine == "x86_64" - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_machine == "arm64" + when: ansible_facts.machine == "arm64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4eee776..d363a9f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,6 +136,31 @@ - ansible_facts.distribution != 'RedHat' - ansible_facts.distribution != 'OracleLinux' +- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not | RedHat Only" + block: + - name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not" + ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' + changed_when: false + failed_when: false + register: check_gpg_imported + + - name: "PRELIM | Check key package matches RedHat" + ansible.builtin.shell: rpm -qi redhat-release | grep Signature + changed_when: false + failed_when: false + register: os_gpg_package_valid + when: "'not installed' in check_gpg_imported.stdout" + + - name: "PRELIM | Force keys to be imported" + ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: + - "'not installed' in check_gpg_imported.stdout" + - "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout" + when: + - rhel9cis_rule_1_2_1 + - rhel9cis_force_gpg_key_import + - ansible_facts.distribution == 'RedHat' + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 7d683cf..c42f876 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml 
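Review bot: The ARM64 branch still compares against the literal `"arm64"`, which on Linux hosts will not match because `ansible_facts.machine` carries the `uname -m` value, i.e. `aarch64` for 64-bit ARM, so as far as this hunk shows `audit_pkg_arch_name` is never set to ARM64 there. Changing the condition to `when: ansible_facts.machine in ['arm64', 'aarch64']` keeps the existing behaviour and covers those hosts. The rename from `ansible_machine` to `ansible_facts.machine` itself is fine; the task list continues outside the hunk.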
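Review bot: The import in the new prelim block is gated on the literal `'not installed'` appearing in the output of `rpm -q gpg-pubkey`, so a host that already has any other vendor key imported but not the Red Hat release key is never repaired and control 1.2.1 still fails. Query the specific key package instead (`rpm -q gpg-pubkey-fd431d51`, the short id of the `199e2f91fd431d51` key the block already checks for) and gate both following tasks on its return code. The import itself is better done with `ansible.builtin.rpm_key`, which is idempotent, reports change correctly, and can pin the expected key via its `fingerprint` option rather than relying solely on the `rpm -qi redhat-release` signature line; the shell `rpm --import` task as written also has no `changed_when`, so it reports changed on every run it executes. The block's outer `when` is unchanged by this proposal.

```yaml
- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not | RedHat Only"
  block:
    - name: "PRELIM | Check Red Hat release gpg key is imported"
      ansible.builtin.command: rpm -q gpg-pubkey-fd431d51
      changed_when: false
      failed_when: false
      register: check_gpg_imported

    - name: "PRELIM | Check key package matches RedHat"
      # … unchanged: rpm -qi redhat-release | grep Signature, changed_when, failed_when, register …
      when: check_gpg_imported.rc != 0

    - name: "PRELIM | Force keys to be imported"
      ansible.builtin.rpm_key:
        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
        state: present
        # fingerprint: "<EXPECTED_KEY_FINGERPRINT>"  # placeholder: pin once confirmed out of band
      when:
        - check_gpg_imported.rc != 0
        - "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout"
  # … unchanged: outer when (rhel9cis_rule_1_2_1, rhel9cis_force_gpg_key_import, distribution) …
```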
@@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: "{{ '0600' if item.mode == '0600' else '0640' }}" - loop: "{{ auditd_conf_files.files | default([]) }}" + loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" when:
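Review bot: Dropping `| default([])` from the `loop` means the task now hard-fails with an undefined-attribute error whenever the `find` that registers `auditd_conf_files` was skipped, rather than looping over nothing; if that skip is possible in this role (I cannot tell from the hunk, and the task's `when:` list starts on its last line and continues outside it), add `- auditd_conf_files.files is defined` to that `when:` so the failure mode is an explicit skip. If the find is unconditional the change is fine and a short comment above the loop, `# auditd_conf_files is always registered by the preceding find`, would document why the default was removed.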