From 14d038e8eb5b81127585c22335f180e52286c577 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 5 Sep 2024 17:36:07 +0100 Subject: [PATCH] renamed variables Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.2.x.yml | 4 +-- tasks/section_2/cis_2.4.x.yml | 8 ++--- tasks/section_3/cis_3.1.x.yml | 8 ++--- tasks/section_4/cis_4.2.x.yml | 4 +-- tasks/section_4/cis_4.3.x.yml | 56 +++++++++++++++---------------- tasks/section_5/cis_5.1.x.yml | 8 ++--- tasks/section_5/cis_5.2.x.yml | 10 +++--- tasks/section_5/cis_5.3.2.x.yml | 18 +++++----- tasks/section_5/cis_5.3.3.4.x.yml | 34 +++++++++---------- tasks/section_5/cis_5.4.1.x.yml | 24 ++++++------- tasks/section_6/cis_6.2.4.1.yml | 12 +++---- tasks/section_6/cis_6.3.1.x.yml | 22 ++++++------ tasks/section_6/cis_6.3.4.x.yml | 12 +++---- tasks/section_7/cis_7.1.x.yml | 6 ++-- 14 files changed, 113 insertions(+), 113 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index f93a1d4..eb82773 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -17,10 +17,10 @@ - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" ansible.builtin.shell: mount -l | grep -w /dev/shm changed_when: false - register: rhel9cis_1_8_1_1_mount_check + register: discovered_dev_shm_mount_check - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - when: rhel9cis_1_8_1_1_mount_check.rc == 1 + when: discovered_dev_shm_mount_check.rc == 1 block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml index 072fa0b..16ed0e9 100644 --- a/tasks/section_2/cis_2.4.x.yml +++ b/tasks/section_2/cis_2.4.x.yml 
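Review bot: The `mount -l | grep -w /dev/shm` task in cis_1.1.2.2.x.yml has `changed_when: false` but no `failed_when`, so on a host where /dev/shm is not a separate mount grep exits 1 and the task itself fails before the following `when: discovered_dev_shm_mount_check.rc == 1` block can report the finding. Unless an enclosing block outside the hunk sets `ignore_errors` or a catch-all `failed_when`, add `failed_when: discovered_dev_shm_mount_check.rc not in [ 0, 1 ]` to the shell task, matching the pattern this patch already uses in cis_5.3.2.x.yml. The audit block that follows continues past the end of the hunk.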
@@ -141,12 +141,12 @@ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists" ansible.builtin.stat: path: "/etc/cron.allow" - register: rhel9cis_2_4_1_8_cron_allow_state + register: discovered_cron_allow_state - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow - state: '{{ "file" if rhel9cis_2_4_1_8_cron_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: u-x,g-wx,o-rwx @@ -171,12 +171,12 @@ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" ansible.builtin.stat: path: "/etc/at.allow" - register: rhel9cis_rule_2_4_2_1_at_allow_state + register: discovered_at_allow_state - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: path: /etc/at.allow - state: '{{ "file" if rhel9cis_rule_2_4_2_1_at_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: u-x,g-wx,o-rwx diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 5c76ab6..98e3a93 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -44,15 +44,15 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_3_1_2_wifi_status + register: discovered_wifi_status - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" when: - "'network-manager' in ansible_facts.packages" - - "'enabled' in rhel9cis_3_1_2_wifi_status.stdout" + - "'enabled' in discovered_wifi_status.stdout" ansible.builtin.shell: nmcli radio all off - changed_when: rhel9cis_3_1_2_nmcli_radio_off.rc == 0 - register: rhel9cis_3_1_2_nmcli_radio_off + changed_when: discovered_nmcli_radio_off.rc == 0 + register: discovered_nmcli_radio_off - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" when: "'network-manager' not in ansible_facts.packages" diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 01fd1eb..0fca4cc 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -16,13 +16,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_4_2_5_servicesport + register: discovered_services_and_ports - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" ansible.builtin.debug: msg: - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel9cis_4_2_5_servicesport.stdout_lines }}" + - "{{ discovered_services_and_ports.stdout_lines }}" - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" when: diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 09e8979..06e27c0 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml 
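Review bot: The `when` in the "Disable wireless if network-manager installed" task tests `'network-manager' in ansible_facts.packages`, but on RHEL 9 the RPM that provides nmcli appears to be named `NetworkManager` (`network-manager` is the Debian package name), so as written the condition likely never matches and the "not installed" warning task fires on hosts that do have it. Worth confirming against the package facts on a target; if so the fix is `"'NetworkManager' in ansible_facts.packages"` here and `"'NetworkManager' not in ansible_facts.packages"` on the warning task. The rename of the registered results in this hunk is otherwise consistent.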
@@ -15,30 +15,30 @@ ansible.builtin.shell: nft list ruleset | grep 'hook input' changed_when: false failed_when: false - register: rhel9cis_4_3_1_input_chains + register: discovered_nftables_input_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" ansible.builtin.shell: nft list ruleset | grep 'hook forward' changed_when: false failed_when: false - register: rhel9cis_4_3_1_forward_chains + register: discovered_nftables_forward_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" ansible.builtin.shell: nft list ruleset | grep 'hook output' changed_when: false failed_when: false - register: rhel9cis_4_3_1_output_chains + register: discovered_nftables_output_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Display chains for review" when: not rhel9cis_nft_tables_autochaincreate ansible.builtin.debug: msg: - "Below are the current INPUT chains" - - "{{ rhel9cis_4_3_1_input_chains.stdout_lines }}" + - "{{ discovered_nftables_input_chains.stdout_lines }}" - "Below are the current FORWARD chains" - - "{{ rhel9cis_4_3_1_forward_chains.stdout_lines }}" + - "{{ discovered_nftables_forward_chains.stdout_lines }}" - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_4_3_1_output_chains.stdout_lines }}" + - "{{ discovered_nftables_output_chains.stdout_lines }}" - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" when: rhel9cis_nft_tables_autochaincreate 
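Review bot: The debug message `- "Below are teh current OUTPUT chains"` in the "Display chains for review" task carries a typo that reaches the operator; change it to `- "Below are the current OUTPUT chains"`. Nothing else in this hunk changes behaviour beyond the rename.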
@@ -64,36 +64,36 @@ ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false - register: rhel9cis_4_3_2_inconnectionrule + register: discovered_nftables_inconnectionrule - name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false - register: rhel9cis_4_3_2_outconnectionrule + register: discovered_nftables_outconnectionrule - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" - when: '"ip protocol tcp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" - when: '"ip protocol udp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" - when: '"ip protocol icmp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct 
state established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" 
@@ -111,40 +111,40 @@ ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' failed_when: false changed_when: false - register: rhel9cis_4_3_3_inputpolicy + register: discovered_nftables_inputpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' failed_when: false changed_when: false - register: rhel9cis_4_3_3_forwardpolicy + register: discovered_nftables_forwardpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' failed_when: false changed_when: false - register: rhel9cis_4_3_3_outputpolicy + register: discovered_nftables_outputpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' failed_when: false changed_when: false - register: rhel9cis_4_3_3_sshallowcheck + register: discovered_nftables_sshallowcheck - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - when: '"tcp dport ssh accept" not in rhel9cis_4_3_3_sshallowcheck.stdout' + when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_4_3_3_inputpolicy.stdout' + when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - 
name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_4_3_3_forwardpolicy.stdout' + when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_4_3_3_outputpolicy.stdout' + when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" 
@@ -162,28 +162,28 @@ ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' changed_when: false failed_when: false - register: rhel9cis_4_3_4_iiflo + register: discovered_nftables_iiflo - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables" ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' changed_when: false failed_when: false - register: rhel9cis_4_3_4_ipsaddr + register: discovered_nftables_ipsaddr - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables" ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' changed_when: false failed_when: false - register: rhel9cis_4_3_4_ip6saddr + register: discovered_nftables_ip6saddr - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" - when: '"iif \"lo\" accept" not in rhel9cis_4_3_4_iiflo.stdout' + when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" - when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ipsaddr.stdout' + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ip6saddr.stdout' + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename 
}}" input ip6 saddr ::1 counter drop diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 95addf3..b68ae3a 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -37,7 +37,7 @@ patterns: 'ssh_host_*_key' recurse: true file_type: any - register: rhel9cis_5_1_2_ssh_private_host_key + register: discovered_ssh_private_host_key - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" ansible.builtin.file: @@ -45,7 +45,7 @@ owner: root group: root mode: 'u-x,go-rwx' - loop: "{{ rhel9cis_5_1_2_ssh_private_host_key.files }}" + loop: "{{ discovered_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -67,7 +67,7 @@ patterns: 'ssh_host_*_key.pub' recurse: true file_type: any - register: rhel9cis_5_1_3_ssh_public_host_key + register: discovered_ssh_public_host_key - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" ansible.builtin.file: @@ -75,7 +75,7 @@ owner: root group: root mode: 'u-x,go-wx' - loop: "{{ rhel9cis_5_1_3_ssh_public_host_key.files }}" + loop: "{{ discovered_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index f129956..2e46de4 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
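Review bot: The guards for the two loopback drop rules in 4.3.4 compare against `"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"` and `"ip6 saddr ::1 counter packets 0 bytes 0 drop"`, i.e. they embed the counter values that `nft list ruleset` prints; once the counter has seen a single packet the string no longer matches and the `nft add rule` task appends a duplicate rule on every run. Match on the rule without the counters, e.g. `when: "not (discovered_nftables_ipsaddr.stdout is search('ip saddr 127.0.0.0/8 counter packets [0-9]+ bytes [0-9]+ drop'))"` and the equivalent with `ip6 saddr ::1` for the ip6 task. The `"type filter hook ... priority 0; policy drop;"` checks in the 4.3.3 hunk may have a similar re-run problem if a chain was created with a symbolic priority, which is worth verifying on a host.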
@@ -114,24 +114,24 @@ ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false - register: rhel9cis_5_2_6_timeout_files + register: discovered_sudo_timeout_files - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: discovered_sudo_timeout_files.stdout | length == 0 ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - when: rhel9cis_5_2_6_timeout_files.stdout | length == 0 - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: discovered_sudo_timeout_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - loop: "{{ rhel9cis_5_2_6_timeout_files.stdout_lines }}" - when: rhel9cis_5_2_6_timeout_files.stdout | length > 0 + loop: "{{ discovered_sudo_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" when: @@ -149,7 +149,7 @@ ansible.builtin.group: name: "{{ rhel9cis_sugroup }}" state: present - register: rhel9cis_5_2_7_sugroup + register: discovered_sugroup - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" ansible.builtin.lineinfile: diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index c9a7559..3996edc 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml 
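Review bot: The 5.2.6 capture task `grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*` also counts commented-out lines, so a file whose only occurrence is a commented `# Defaults timestamp_timeout=...` (constructed example) makes "Set value if has results" run `replace` against the comment while "Set value if no results" is skipped, leaving no active setting. Anchoring the grep on an uncommented directive keeps the two tasks' conditions complementary, e.g. `grep -Eis '^\s*Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | sort -u`; the existing `uniq | sort` only dedupes adjacent lines, which `sort -u` covers directly. The `validate: '/usr/sbin/visudo -cf %s'` on both write tasks is the right safeguard and should stay.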
@@ -61,11 +61,11 @@ - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config" ansible.builtin.shell: authselect current | grep faillock changed_when: false - failed_when: rhel9cis_authselect_current_faillock.rc not in [ 0, 1 ] - register: rhel9cis_authselect_current_faillock + failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] + register: discovered_authselect_current_faillock - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" - when: rhel9cis_authselect_current_faillock.rc != 0 + when: discovered_authselect_current_faillock.rc != 0 ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" 
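Review bot: The 5.3.2.2 "Add feature if missing" shell task has no `notify: Authselect update`, whereas the equivalent tasks for 5.3.2.3 and 5.3.2.4 in the next hunks both notify that handler after the same `authselect select custom/...` command; unless the handler is triggered elsewhere, a run in which only the faillock feature is missing would not go through whatever the handler applies. Add `notify: Authselect update` after the `ansible.builtin.shell:` line to match the sibling tasks. The rename itself is consistent across the three hunks.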
@@ -85,11 +85,11 @@ - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config" ansible.builtin.shell: authselect current | grep quality changed_when: false - failed_when: rhel9cis_authselect_current_quality.rc not in [ 0, 1 ] - register: rhel9cis_authselect_current_quality + failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ] + register: discovered_authselect_current_quality - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" - when: rhel9cis_authselect_current_quality.rc != 0 + when: discovered_authselect_current_quality.rc != 0 ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" notify: Authselect update @@ -110,11 +110,11 @@ - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config" ansible.builtin.shell: authselect current | grep pwhistory changed_when: false - failed_when: rhel9cis_authselect_current_history.rc not in [ 0, 1 ] - register: rhel9cis_authselect_current_history + failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ] + register: discovered_authselect_current_history - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" - when: rhel9cis_authselect_current_history.rc != 0 + when: discovered_authselect_current_history.rc != 0 ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" notify: Authselect update 
diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 4712373..a1e5768 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -14,18 +14,18 @@ - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq changed_when: false - failed_when: rhel9cis_pam_nullok.rc not in [ 0, 1 ] - register: rhel9cis_pam_nullok + failed_when: discovered_pam_nullok.rc not in [ 0, 1 ] + register: discovered_pam_nullok - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" when: - - rhel9cis_pam_nullok.stdout | length > 0 + - discovered_pam_nullok.stdout | length > 0 - not rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "{{ item }}" regexp: nullok replace: '' - loop: "{{ rhel9cis_pam_nullok.stdout_lines }}" + loop: "{{ discovered_pam_nullok.stdout_lines }}" - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" when: 
@@ -53,18 +53,18 @@ - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq changed_when: false - failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ] - register: rhel9cis_pam_remember + failed_when: discovered_pam_remember.rc not in [ 0, 1 ] + register: discovered_pam_remember - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" when: - not rhel9cis_allow_authselect_updates - - rhel9cis_pam_remember.stdout | length > 0 + - discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: remember replace: '' - loop: "{{ rhel9cis_pam_remember.stdout_lines }}" + loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" when: 
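Review bot: The "Ensure remember removed" task uses `regexp: remember` with `replace: ''`, which strips only the word, so an option written as `remember=5` (value constructed for illustration) is left as a dangling `=5` token on the pam_unix line; and because `ansible.builtin.replace` acts on the whole file it also removes `remember` from any `pam_pwhistory.so remember=N` line in the same `*-auth` file, which the 5.3.2.4 control depends on. Scope the edit to the pam_unix line and include the value, e.g. `regexp: '^(\s*password\s+\S+\s+pam_unix\.so.*?)\s*remember=\d+'` with `replace: '\1'`. The capture grep `password.*pam_unix.so.*remember` only chooses which files are touched, not which line.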
@@ -93,18 +93,18 @@ - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq changed_when: false - failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ] - register: rhel9cis_pam_pwhash + failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ] + register: discovered_pam_pwhash - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" when: - not rhel9cis_allow_authselect_updates - - rhel9cis_pam_remember.stdout | length > 0 + - discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" replace: '{{ rhel9cis_passwd_hash_algo }}' - loop: "{{ rhel9cis_pam_remember.stdout_lines }}" + loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect" when: 
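Review bot: The "Ensure hash algorithm set" task conditions and loops on `discovered_pam_remember`, the result of the 5.3.3.4.2 remember check in the previous hunk, instead of `discovered_pam_pwhash` registered directly above it; the rename carried the old mismatch across, so the files it edits depend on which ones contain `remember`, and the task errors or is skipped when 5.3.3.4.2 did not run. Change both references: `- discovered_pam_pwhash.stdout | length > 0` and `loop: "{{ discovered_pam_pwhash.stdout_lines }}"`. Note also that the capture grep selects files that already contain `sha512|yescrypt`, so after the fix the task only rewrites files that already carry a strong algorithm; if the intent is to correct weak ones, the grep pattern would need to list the weak algorithms instead — worth confirming with the author.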
@@ -134,20 +134,20 @@ - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b' changed_when: false - failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ] - register: rhel9cis_pam_authtok + failed_when: discovered_pam_authtok.rc not in [ 0, 1 ] + register: discovered_pam_authtok - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" when: - not rhel9cis_allow_authselect_updates - - rhel9cis_pam_authtok is defined - - rhel9cis_pam_authtok.stdout | length > 0 + - discovered_pam_authtok is defined + - discovered_pam_authtok.stdout | length > 0 ansible.builtin.lineinfile: path: "{{ item }}" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) line: \1\2\3\4use_authtok \5 backrefs: true - loop: "{{ rhel9cis_pam_authtok.stdout_lines }}" + loop: "{{ discovered_pam_authtok.stdout_lines }}" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect" when: diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index a5cd8c5..9e92e86 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
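Review bot: The "pam_files" lineinfile task cannot add `use_authtok` as written: the capture pipeline keeps only lines that lack it (`grep -Pv -- '\buse_authtok\b'`), yet the `regexp` requires `use_authtok` to be present (`(.*)use_authtok(.*$)`), so with `backrefs: true` nothing ever matches and nothing is changed. In addition `grep -PH` prints `file:line`, so `path: "{{ item }}"` receives the whole match rather than a path. Suggested rewrite of the three lines: `path: "{{ item.split(':') | first }}"`, `regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so)(.*)$`, `line: \1\2\3\4 use_authtok`; the AuthSelect variant that follows the hunk is unaffected by this.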
@@ -129,22 +129,22 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_5_4_1_5_inactive_settings + register: discovered_passwdlck_inactive_settings - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting" ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} - when: rhel9cis_5_4_1_5_inactive_settings.stdout | length == 0 + when: discovered_passwdlck_inactive_settings.stdout | length == 0 - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false - register: rhel9cis_5_4_1_5_user_list + register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" when: item in prelim_interactive_usernames.stdout ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" - loop: "{{ rhel9cis_5_4_1_5_user_list.stdout_lines }}" + loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" when: 
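Review bot: The "Apply Inactive setting to existing accounts" task gates each user with `when: item in prelim_interactive_usernames.stdout`, a substring test against the whole command output, so an account whose name is contained in an interactive account's name (`bob` against `bobby`, constructed example) passes the check and gets `chage --inactive` applied. Test list membership instead: `when: item in prelim_interactive_usernames.stdout_lines`. `prelim_interactive_usernames` is registered outside this file, so confirm its `stdout_lines` is one username per line before switching.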
@@ -162,32 +162,32 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_5_4_1_6_currentut + register: discovered_passwdlck_currentunixtime - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_4_1_6_currentut.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_passwdlck_currentunixtime.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false - register: rhel9cis_5_4_1_6_user_list + register: discovered_passwdlck_user_future - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" ansible.builtin.debug: - msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_4_1_6_user_list.stdout_lines }}" + msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}" when: - - rhel9cis_5_4_1_6_user_list.stdout | length > 0 + - discovered_passwdlck_user_future.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count" ansible.builtin.import_tasks: file: warning_facts.yml when: - - rhel9cis_5_4_1_6_user_list.stdout | length > 0 + - discovered_passwdlck_user_future.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" ansible.builtin.shell: passwd --expire {{ item }} when: - - rhel9cis_5_4_1_5_user_list.stdout | length > 0 + - discovered_passwdlck_user_future.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix - loop: "{{ rhel9cis_5_4_1_6_user_list.stdout_lines }}" + loop: "{{ 
discovered_passwdlck_user_future.stdout_lines }}" diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml index dd584e0..8111ef4 100644 --- a/tasks/section_6/cis_6.2.4.1.yml +++ b/tasks/section_6/cis_6.2.4.1.yml @@ -27,8 +27,8 @@ ansible.builtin.file: path: "{{ item }}" mode: 'u-x,g-wx,o-rwx' - failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]' - register: rhel9cis_logfile_list + failed_when: discovered_logfile_list.state not in '[ file, absent ]' + register: discovered_logfile_list loop: "{{ discovered_logfiles.stdout_lines }}" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" @@ -38,8 +38,8 @@ ansible.builtin.file: path: "{{ item }}" mode: 'u-x,g-x,o-rwx' - failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]' - register: rhel9cis_logfile_list + failed_when: discovered_logfile_list.state not in '[ file, absent ]' + register: discovered_logfile_list loop: "{{ discovered_logfiles.stdout_lines }}" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" @@ -53,6 +53,6 @@ ansible.builtin.file: path: "{{ item }}" mode: 'ug-x,o-wx' - failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]' - register: rhel9cis_logfile_list + failed_when: discovered_logfile_list.state not in '[ file, absent ]' + register: discovered_logfile_list loop: "{{ discovered_logfiles.stdout_lines }}" diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index b25ab69..3039f2c 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml 
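Review bot: Style point on the 5.4.1.6 "Get list of users with last changed pw date in the future" task: `cat /etc/shadow | awk -F: ...` spawns a needless `cat` when awk can read the file itself, `ansible.builtin.shell: "awk -F: '{if($3>{{ discovered_passwdlck_currentunixtime.stdout }})print$1}' /etc/shadow"`. The rename in this hunk also changes the "Fix accounts" task's condition from the 5.4.1.5 user list to the 5.4.1.6 one, so its `when` and `loop` now agree; that is a behaviour change rather than a pure rename and deserves a line in the commit message.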
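Review bot: In all three 6.2.4.1 tasks, `failed_when: discovered_logfile_list.state not in '[ file, absent ]'` compares against a quoted string, so the Jinja `in` is a substring test on the text `[ file, absent ]` rather than list membership; it happens to accept `file` and `absent`, but any other state value (for example `directory`, should one ever reach the loop) fails the task on a coincidence of wording. Write an actual list: `failed_when: discovered_logfile_list.state not in ['file', 'absent']`. The same pattern appears in the three 6.3.4.x hunks (`discovered_audit_conf_file_list`), where the 6.3.4.5 hunk additionally loops on `prelim_auditd_conf_files.files` without the `| default([])` that the 6.3.4.6 and 6.3.4.7 loops use.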
@@ -42,13 +42,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_6_3_1_2_grubby_curr_value_audit_linux + register: discovered_grubby_curr_value_audit_linux - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" when: - - rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout == '' or - '0' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout or - 'off' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout|lower + - discovered_grubby_curr_value_audit_linux.stdout == '' or + '0' in discovered_grubby_curr_value_audit_linux.stdout or + 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" 
@@ -71,25 +71,25 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux + register: discovered_grubby_curr_value_backlog_linux - name: "6.3.1.3 | AUDIT | Check to see if limits are set" when: - - rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux is not defined or - rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines == [] + - discovered_grubby_curr_value_backlog_linux is not defined or + discovered_grubby_curr_value_backlog_linux.stdout_lines == [] ansible.builtin.set_fact: - rhel9cis_6_3_1_3_reset_backlog_limits: true + discovered_reset_backlog_limits: true - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" when: - (item | int < rhel9cis_audit_back_log_limit) ansible.builtin.set_fact: - rhel9cis_6_3_1_3_reset_backlog_limits: true - loop: "{{ rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines }}" + discovered_reset_backlog_limits: true + loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}" - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" when: - - rhel9cis_6_3_1_3_reset_backlog_limits is defined + - discovered_reset_backlog_limits is defined ansible.builtin.shell: cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 5977406..c89af87 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -50,8 +50,8 @@ ansible.builtin.file: path: "{{ item.path }}" mode: 'u-x,g-wx,o-rwx' - failed_when: rhel9cis_6_3_4_5_file_list.state not in '[ file, absent ]' - register: rhel9cis_6_3_4_5_file_list + failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]' + register: discovered_audit_conf_file_list loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" 
@@ -68,8 +68,8 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root - failed_when: rhel9cis_6_3_4_6_file_list.state not in '[ file, absent ]' - register: rhel9cis_6_3_4_6_file_list + failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]' + register: discovered_audit_conf_file_list loop: "{{ prelim_auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" @@ -86,8 +86,8 @@ ansible.builtin.file: path: "{{ item.path }}" group: root - failed_when: rhel9cis_6_3_4_7_file_list.state not in '[ file, absent ]' - register: rhel9cis_6_3_4_7_file_list + failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]' + register: discovered_audit_conf_file_list loop: "{{ prelim_auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 4c95687..0fe5fe7 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -202,9 +202,9 @@ - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t - failed_when: rhel9cis_set_stickybit.rc not in [ 0, 123 ] - changed_when: rhel9cis_set_stickybit.rc == 0 - register: rhel9cis_set_stickybit + failed_when: discovered_set_stickybit.rc not in [ 0, 123 ] + changed_when: discovered_set_stickybit.rc == 0 + register: discovered_set_stickybit - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" when:
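Review bot: The 7.1.11 sticky-bit pipeline feeds `find ... -type d -perm -o+w ! -perm -1002` into a bare `xargs chmod a+t`, so directory names containing whitespace or quotes are split into separate arguments and the wrong paths (or none) receive the sticky bit; use null-delimited output on that last stage, `... ! -perm -1002 -print0 2>/dev/null | xargs -0 chmod a+t`. The `failed_when`/`changed_when` on `rc` only see the exit status of the final `xargs`, which is presumably why 123 is tolerated (xargs reports 123 when a chmod invocation failed, apparently including the empty-input case where GNU xargs still runs chmod once with no operands); keep that coupling in mind before adding `-r`, since an empty find result would then return 0 and be reported as a change. The 7.1.12 task at the end of the hunk continues outside it.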