Merge pull request #68 from ansible-lockdown/june23_updates

June23 updates
2023-07-05 13:32:52 +01:00 · 2023-07-05 13:32:52 +01:00 · 166e231e9d
commit 166e231e9d
parent 4004b1b4c3 e19402d613
6 changed files with 11 additions and 5 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,11 @@
 # Changes to rhel9CIS

+## 1.0.9
+fixed assert for user password set
+
+thanks to @byjunks
+[#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66)
+
 ## 1.0.8

 rule_1.10 improvements allowing for module checking (useful for AD)
--- a/ansible.cfg
+++ b/ansible.cfg
@ -8,7 +8,7 @@ retry_files_save_path=/dev/null
 pipelining=true

 # Use the YAML callback plugin.
-stdout_callback = yaml
+#stdout_callback = yaml
 # Use the stdout_callback when running ad-hoc commands.
 bin_ansible_callbacks = True

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -477,7 +477,7 @@ rhel9cis_firewall: firewalld
 ##### firewalld
 rhel9cis_default_zone: public

-# These are added to demonstrate how this can be done
+# These settings are added to demonstrate how this update can be done (eventually will require a new control)
 rhel9cis_firewalld_ports:
    - number: 80
      protocol: tcp
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -31,7 +31,7 @@

      - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked"
        ansible.builtin.assert:
-            that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
+            that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
        vars:
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@ -202,7 +202,7 @@

 - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured"
  block:
-      - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules"
+      - name: "3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
        ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
        changed_when: false
        failed_when: false
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -100,7 +100,7 @@
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
        ansible.builtin.replace:
            path: /etc/profile
-            regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
+            regexp: '(?i)(umask)\s0[0-2][0-6]'
            replace: '\1 027'
  when:
      - rhel9cis_rule_5_6_5