From 1992eea6dab1d56cc58a3265df61c9d0cb4b2358 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 16 Sep 2022 11:19:01 +0100
Subject: [PATCH] lint updates
Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.1.x.yml | 2 +-
 tasks/section_2/cis_2.4.yml | 8 ++++----
 tasks/section_3/cis_3.1.x.yml | 6 +++---
 tasks/section_3/cis_3.2.x.yml | 19 +++++++++++--------
 tasks/section_3/cis_3.3.x.yml | 30 ++++++++++++++++--------------
 tasks/section_3/cis_3.4.1.x.yml | 10 +++++-----
 tasks/section_3/cis_3.4.2.x.yml | 10 +++++-----
 7 files changed, 45 insertions(+), 40 deletions(-)
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index effe806..1db8179 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -29,7 +29,7 @@
 path: /etc/sysconfig/chronyd
 regexp: "^(#)?OPTIONS"
 line: "OPTIONS=\"-u chrony\""
- create: yes
+ create: true
 mode: 0644
 when:
 - rhel9cis_rule_2_1_2
diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml
index 14b86ed..3373e54 100644
--- a/tasks/section_2/cis_2.4.yml
+++ b/tasks/section_2/cis_2.4.yml
@@ -6,7 +6,7 @@
 shell: systemctl list-units --type=service
 changed_when: false
 failed_when: false
- check_mode: no
+ check_mode: false
 register: rhel9cis_2_4_services
 - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
@@ -16,10 +16,10 @@
 - "Please review to make sure all are essential"
 - "{{ rhel9cis_2_4_services.stdout_lines }}"
- - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count"
+ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count"
 set_fact:
 control_number: "{{ control_number }} + ['rule_2.4']"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - rhel9cis_rule_2_4
 tags:
@@ -28,4 +28,4 @@
 - manual
 - audit
 - services
- - rule_2.4
\ No newline at end of file
+ - rule_2.4
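Review bot: `mode: 0644` on the chronyd lineinfile task in the `@@ -29,7` hunk is still an unquoted leading-zero literal while the neighbouring `create:` value is being normalised. PyYAML's 1.1 loader reads it as octal 420, which is the permission Ansible ends up applying, but a YAML 1.2 loader reads the same token as decimal 644, so the bits depend on who parses the file. Change it to `mode: "0644"` so the value is a string under either loader. The lineinfile task's `- name:` line is outside the hunk.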
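Review bot: The `shell:` call opening the `@@ -6,7` hunk of tasks/section_2/cis_2.4.yml, `systemctl list-units --type=service`, uses no pipes, redirects or globbing, so it needs no shell and trips ansible-lint's command-instead-of-shell rule in a commit whose purpose is lint cleanup. Change the line to `command: systemctl list-units --type=service`; the `check_mode: false` and `register:` lines below it are unaffected. The task's `- name:` line is outside the hunk.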
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index bb6d09c..6eaf58f 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -10,7 +10,7 @@
 flush_ipv6_route: true
 - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
- debug:
+ debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
 when:
 - not rhel9cis_ipv6_required
@@ -68,9 +68,9 @@
 command: rpm -q NetworkManager
 changed_when: false
 failed_when: false
- check_mode: no
+ check_mode: false
 args:
- warn: no
+ warn: false
 register: rhel_08_nmcli_available
 - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
index 36a4628..6e07c55 100644
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
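Review bot: `warn: false` under `args:` on the `command: rpm -q NetworkManager` task in the `@@ -68,9` hunk re-spells a module option that ansible-core removes in 2.14; once the option is gone the task fails with an unsupported-parameter error instead of running, so the lint fix only postpones the breakage. Remove the `args:` and `warn:` lines instead of keeping the option, and the same applies to `warn: false` in the `@@ -159,8` hunk of tasks/section_3/cis_3.4.2.x.yml. If the rpm query only decides whether NetworkManager is installed, `ansible.builtin.package_facts` would replace the command, the `check_mode: false` override and the `changed_when`/`failed_when` pair in one go. The task's `- name:` line is outside the hunk.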
@@ -6,18 +6,21 @@
 set_fact:
 sysctl_update: true
 flush_ipv4_route: true
+
 - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
 debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- - block:
- - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
- set_fact:
- flush_ipv6_route: true
- - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
- debug:
- msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
-
+ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
+ block:
+ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
+ set_fact:
+ flush_ipv6_route: true
+
+ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+ when: rhel9cis_ipv6_required
 when:
 - not rhel9cis_is_router
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index 2559925..5a1454e 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -10,14 +10,15 @@
 debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- - block:
- - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
- set_fact:
- flush_ipv6_route: true
+ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
+ block:
+ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
+ set_fact:
+ flush_ipv6_route: true
- - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
- debug:
- msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
 when: rhel9cis_ipv6_required
 when:
 - rhel9cis_rule_3_3_1
@@ -39,14 +40,15 @@
 debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- - block:
- - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
- set_fact:
- flush_ipv6_route: true
+ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
+ block:
+ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
+ set_fact:
+ flush_ipv6_route: true
- - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
- debug:
- msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
 when: rhel9cis_ipv6_required
 when:
 - rhel9cis_rule_3_3_2
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml
index cef70de..d43dfe6 100644
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ b/tasks/section_3/cis_3.4.1.x.yml
@@ -49,7 +49,7 @@
 systemd:
 name: nftables
 state: stopped
- masked: yes
+ masked: true
 when:
 - rhel9cis_firewalld_nftables_state == "masked"
@@ -73,7 +73,7 @@
 systemd:
 name: firewalld
 state: started
- enabled: yes
+ enabled: true
 when:
 - rhel9cis_rule_3_4_1_4
 tags:
@@ -90,7 +90,7 @@
 changed_when: false
 failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] )
 register: firewalld_zone_set
-
+
 - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set"
 command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
 when:
@@ -112,7 +112,7 @@
 shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
 changed_when: false
 failed_when: false
- check_mode: no
+ check_mode: false
 register: rhel9cis_3_4_1_6_interfacepolicy
 - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
@@ -135,7 +135,7 @@
 shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
 changed_when: false
 failed_when: false
- check_mode: no
+ check_mode: false
 register: rhel9cis_3_4_1_7_servicesport
 - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index b74eda1..7169fb3 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
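Review bot: The task directly under the re-added blank line in the `@@ -90,7` hunk, `3.4.1.5 | AUDIT | Ensure firewalld default zone is set`, runs `firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"`, which rewrites the running firewall's default zone, yet its name carries the AUDIT label used by the read-only checks in the neighbouring hunks (`nmcli ... | grep`, `firewall-cmd --get-active-zones`). Anyone filtering on the AUDIT/PATCH convention, or on the `audit` tag if this task carries it, will not expect it to mutate state. Rename it `- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set"` and check that its tags match the other PATCH tasks. The task's `when:` list continues outside the hunk.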
@@ -105,14 +105,14 @@
 - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
 set_fact:
 control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]"
- warn_count: "{{ warn_count|int + 1 }}"
+ warn_count: "{{ warn_count | int + 1 }}"
 when:
 - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0
 - not rhel9cis_nft_tables_autonewtable
 - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed"
 command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
- failed_when: no
+ failed_when: false
 when: rhel9cis_nft_tables_autonewtable
 when:
 - rhel9cis_firewall == "nftables"
@@ -159,8 +159,8 @@
 - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed"
 shell: "{{ item }}"
 args:
- warn: no
- failed_when: no
+ warn: false
+ failed_when: false
 with_items:
 - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
 - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; }
@@ -322,7 +322,7 @@
 - name: "3.4.2.10 | PATCH | Ensure nftables service is enabled"
 service:
 name: nftables
- enabled: yes
+ enabled: true
 when:
 - rhel9cis_firewall == "nftables"
 - rhel9cis_rule_3_4_2_10
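Review bot: `failed_when: false` on the `nft create table inet "{{ rhel9cis_nft_tables_tablename }}"` task in the `@@ -105,14` hunk, now spelled as a real boolean, still discards every failure of the command — a missing nft binary, a permission error or a malformed table name all let the play continue as if the table existed, and with no `changed_when` the task also reports changed on every run. Register the result and tolerate only the already-exists case, e.g. `register: rhel9cis_3_4_2_5_create_table` followed by `failed_when: rhel9cis_3_4_2_5_create_table.rc != 0 and 'File exists' not in rhel9cis_3_4_2_5_create_table.stderr` (nft reports the EEXIST text for an existing table; confirm the exact wording against the nft version in use). The block-level `when:` list that closes the hunk may continue outside it.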