sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #68 from ansible-lockdown/june23_updates

Browse source 
June23 updates
This commit is contained in:
uk-bolly 2023-07-05 13:32:52 +01:00 committed by GitHub
commit 166e231e9d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 11 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Changelog.md
View file

@ -1,5 +1,11 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 1.0.9
fixed assert for user password set
thanks to @byjunks
[#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66)
## 1.0.8 ## 1.0.8
rule_1.10 improvements allowing for module checking (useful for AD) rule_1.10 improvements allowing for module checking (useful for AD)

2
ansible.cfg
View file

@ -8,7 +8,7 @@ retry_files_save_path=/dev/null
pipelining=true pipelining=true
# Use the YAML callback plugin. # Use the YAML callback plugin.
stdout_callback = yaml #stdout_callback = yaml
# Use the stdout_callback when running ad-hoc commands. # Use the stdout_callback when running ad-hoc commands.
bin_ansible_callbacks = True bin_ansible_callbacks = True

2
defaults/main.yml
View file

@ -477,7 +477,7 @@ rhel9cis_firewall: firewalld
##### firewalld ##### firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
# These are added to demonstrate how this can be done # These settings are added to demonstrate how this update can be done (eventually will require a new control)
rhel9cis_firewalld_ports: rhel9cis_firewalld_ports:
- number: 80 - number: 80
protocol: tcp protocol: tcp

2
tasks/main.yml
View file

@ -31,7 +31,7 @@
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked"
ansible.builtin.assert: ansible.builtin.assert:
that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
vars: vars:

2
tasks/section_3/cis_3.4.2.x.yml
View file

@ -202,7 +202,7 @@
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured"
block: block:
- name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" - name: "3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false

2
tasks/section_5/cis_5.6.x.yml
View file

@ -100,7 +100,7 @@
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/profile path: /etc/profile
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' regexp: '(?i)(umask)\s0[0-2][0-6]'
replace: '\1 027' replace: '\1 027'
when: when:
- rhel9cis_rule_5_6_5 - rhel9cis_rule_5_6_5