From ddec58c419733b90ff5d9e5698c44e8d3c7e47c8 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 10:49:55 +0100
Subject: [PATCH 1/8] #66 5.6.5 regex improvment
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.6.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 3e49a46..527208d 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -100,7 +100,7 @@
 - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
 ansible.builtin.replace:
 path: /etc/profile
- regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
+ regexp: '(?i)(umask)\s0[0-2][0-6]'
 replace: '\1 027'
 when:
 - rhel9cis_rule_5_6_5
From 6b8746a9e1af40c33f91899e552cec25c05ca9e0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 10:50:01 +0100
Subject: [PATCH 2/8] updated
Signed-off-by: Mark Bolwell
---
 Changelog.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index 34b805a..00f5819 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,10 @@
 # Changes to rhel9CIS
+## 1.0.9
+
+thanks to @byjunks
+[#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66)
+
 ## 1.0.8
 rule_1.10 improvements allowing for module checking (useful for AD)
From 456671acdf2983e6aa729d9fd34c9f2f09b9b7c0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 11:33:58 +0100
Subject: [PATCH 3/8] removed yaml from stdout
Signed-off-by: Mark Bolwell
---
 ansible.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible.cfg b/ansible.cfg
index 8b5bba7..1f4e5c4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -8,7 +8,7 @@ retry_files_save_path=/dev/null
 pipelining=true
 # Use the YAML callback plugin.
-stdout_callback = yaml
+#stdout_callback = yaml
 # Use the stdout_callback when running ad-hoc commands.
 bin_ansible_callbacks = True
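Review bot: The new `regexp` still has no boundary after the mask digits, so a four-digit value such as `umask 0022` matches on `002` and the replacement turns it into `umask 0272`; the old pattern had the same gap and this commit does not close it. Dropping the `^` anchor additionally lets a commented-out line such as `# umask 022` be rewritten, and a single `\s` skips lines where the mask is separated by a tab plus a space. Since `ansible.builtin.replace` matches per line, an anchored and bounded pattern keeps the intended `(?i)` at the start and works with the existing `\1 027` replacement: `regexp: '(?i)^(\s*umask)\s+0[0-2][0-6]\b'`.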
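Review bot: The comment `# Use the YAML callback plugin.` now sits above a commented-out `stdout_callback`, so it describes a setting that is no longer in effect and gives the next maintainer no reason for the change. Replace it with a comment that records the intent, e.g. `# stdout_callback = yaml is disabled on purpose; uncomment to restore YAML-formatted task output.`. If YAML-formatted output is still wanted without the separate callback plugin, the default callback on ansible-core 2.13 and later can produce it via `callback_result_format = yaml` under `[defaults]`.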
From 612bb018959a1b58e7136052d2ec9e314d8be713 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 11:34:15 +0100
Subject: [PATCH 4/8] fixed error in assert user password set
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index f30753b..f895847 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -31,7 +31,7 @@
 - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked"
 ansible.builtin.assert:
- that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
+ that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
 success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
 vars:
From edb7a3bcf0af618818b2f6e86ef5c934f7cc6dc7 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 11:34:44 +0100
Subject: [PATCH 5/8] updated
Signed-off-by: Mark Bolwell
---
 Changelog.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Changelog.md b/Changelog.md
index 00f5819..adbc58b 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,7 @@
 # Changes to rhel9CIS
 ## 1.0.9
+fixed assert for user password set
 thanks to @byjunks
 [#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66)
From fe1bddf15b298249c3f3bacc1f8efb84f197421c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 11:45:58 +0100
Subject: [PATCH 6/8] typo fix
Signed-off-by: Mark Bolwell
---
 tasks/section_3/cis_3.4.2.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index 865fe59..16644c5 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
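Review bot: The corrected `that:` only treats an empty result and `!!` as "no password", which is narrower than the task name "Assert password set and not locked" promises. If `rhel9cis_ansible_user_password_set` reads the shadow hash field (its definition is under `vars:`, which continues outside the hunk, so this is inferred), a locked account carries a `!` or `*` prefix such as `!$6$…` and would pass this assertion even though sudo with that account cannot work. A prefix test still covers `!!` and closes that gap: `that: rhel9cis_ansible_user_password_set.stdout | length != 0 and not (rhel9cis_ansible_user_password_set.stdout is match('^[!*]'))`.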
@@ -202,7 +202,7 @@
 - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured"
 block:
- - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules"
+ - name: "3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
 ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
 changed_when: false
 failed_when: false
From 12c5d6e81388db2a80c363b37ac8b517ca5cab7b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 28 Jun 2023 11:46:08 +0100
Subject: [PATCH 7/8] update comment
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 9d3c003..205ec9c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -477,7 +477,7 @@ rhel9cis_firewall: firewalld
 ##### firewalld
 rhel9cis_default_zone: public
-# These are added to demonstrate how this can be done
+# These are added to demonstrate how this can be done will require a new control
 rhel9cis_firewalld_ports:
 - number: 80
 protocol: tcp
From e19402d613fdabecac0b6e766df9a85c77630c82 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 5 Jul 2023 13:01:56 +0100
Subject: [PATCH 8/8] updated comment
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 205ec9c..81df6a1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -477,7 +477,7 @@ rhel9cis_firewall: firewalld
 ##### firewalld
 rhel9cis_default_zone: public
-# These are added to demonstrate how this can be done will require a new control
+# These settings are added to demonstrate how this update can be done (eventually will require a new control)
 rhel9cis_firewalld_ports:
 - number: 80
 protocol: tcp
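Review bot: Both comment rewrites (PATCH 7/8 and PATCH 8/8) call `rhel9cis_firewalld_ports` a demonstration, yet the list still ships `80/tcp` as a live default under `rhel9cis_default_zone: public`, so presumably every host applying this hardening role opens that port unless the inventory overrides the variable (the list continues outside the hunk, so further entries may follow). For a CIS baseline the safe default is an empty list with the example kept in the comment, e.g. `# Example only - nothing is opened by default; override this list with entries such as number: 80 / protocol: tcp` followed by `rhel9cis_firewalld_ports: []`. That also makes the "demonstration" wording true rather than aspirational.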