From 194925be2faf5facf5544d85e9b9be130677081a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Jun 2023 09:24:32 +0100 Subject: [PATCH] consistent vars and names Signed-off-by: Mark Bolwell --- tasks/main.yml | 11 ++++++----- tasks/prelim.yml | 14 +++++++------- tasks/section_1/cis_1.10.yml | 2 +- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2bab3f6..f30753b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,18 +20,18 @@ tags: - always -- name: "Check password set for {{ ansible_user }}" +- name: "Check password set for {{ ansible_env.SUDO_USER }}" block: - - name: Capture current password state of connecting user" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: rhel9cis_ansible_user_password_set - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: @@ -41,6 +41,7 @@ - not system_is_ec2 tags: - user_passwd + - rule_5.3.4 - name: "Ensure root password is set" block: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 47d1750..65d4be4 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
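Review bot: The register rename in the first main.yml hunk is only half applied: the new `that:` line still reads `ansible_user_password_set.stdout` in its first operand while the task now registers `rhel9cis_ansible_user_password_set`, so the old name is undefined and the assert will error out every time this block runs instead of verifying the sudo user's password. The line should be `that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"`. Two smaller points on the same check, both on new-side lines: `grep {{ ansible_env.SUDO_USER }} /etc/shadow` is unanchored, so a user name that is a substring of another account name (or of a hash) can match the wrong line — `grep "^{{ ansible_env.SUDO_USER }}:" /etc/shadow` is safer — and an account locked with `passwd -l`/`usermod -L` typically carries a `!`-prefixed hash rather than exactly `!!`, so the "not locked" half of the assertion is weaker than its name suggests; `rhel9cis_ansible_user_password_set.stdout is not match('^[!*]')` would cover both forms. The task definition continues past the end of this hunk (its `vars`, `when` and `tags` keys follow in the next one).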
@@ -54,7 +54,7 @@ - name: "PRELIM | Setup crypto-policy" block: - - name: "PRELIM | Install crypto-policies" + - name: "PRELIM | Install crypto-policies | pkgs present" ansible.builtin.package: name: - crypto-policies @@ -65,16 +65,16 @@ ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false - register: system_wide_crypto_policy + register: rhel9cis_system_wide_crypto_policy - - name: "PRELIM | Gather system-wide crypto-policy" + - name: "PRELIM | Gather system-wide crypto-policy | set fact system policy" ansible.builtin.set_fact: - current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}" + current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}" - - name: "PRELIM | Gather system-wide crypto-policy module" + - name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule" ansible.builtin.set_fact: - current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}" - when: "':' in system_wide_crypto_policy.stdout" + current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}" + when: "':' in rhel9cis_system_wide_crypto_policy.stdout" when: - rhel9cis_rule_1_10 tags: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index e61e367..ed6774d 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -12,7 +12,7 @@ update-crypto-policies notify: change_requires_reboot when: - - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy + - rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: - rhel9cis_rule_1_10