forked from ansible-lockdown/RHEL9-CIS
linting
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
2974fa5385
commit
1e22c13794
8 changed files with 38 additions and 31 deletions
|
|
@ -15,7 +15,7 @@
|
||||||
value: '1'
|
value: '1'
|
||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
when:
|
when:
|
||||||
- flush_ipv4_route
|
- flush_ipv4_route
|
||||||
- not system_is_container
|
- not system_is_container
|
||||||
tags:
|
tags:
|
||||||
|
|
@ -27,7 +27,7 @@
|
||||||
name: net.ipv6.route.flush
|
name: net.ipv6.route.flush
|
||||||
value: '1'
|
value: '1'
|
||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
when:
|
when:
|
||||||
- flush_ipv6_route
|
- flush_ipv6_route
|
||||||
- not system_is_container
|
- not system_is_container
|
||||||
|
|
||||||
|
|
@ -78,7 +78,7 @@
|
||||||
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
|
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
|
||||||
args:
|
args:
|
||||||
warn: false
|
warn: false
|
||||||
ignore_errors: True
|
ignore_errors: true
|
||||||
tags:
|
tags:
|
||||||
- skip_ansible_lint
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
|
@ -130,4 +130,4 @@
|
||||||
|
|
||||||
- name: change_requires_reboot
|
- name: change_requires_reboot
|
||||||
set_fact:
|
set_fact:
|
||||||
change_requires_reboot: true
|
change_requires_reboot: true
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@
|
||||||
- get_goss_file == 'copy'
|
- get_goss_file == 'copy'
|
||||||
|
|
||||||
- name: install git if not present
|
- name: install git if not present
|
||||||
package:
|
package:
|
||||||
name: git
|
name: git
|
||||||
state: present
|
state: present
|
||||||
register: git_installed
|
register: git_installed
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
|
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
|
||||||
template:
|
template:
|
||||||
src: audit/99_auditd.rules.j2
|
src: audit/99_auditd.rules.j2
|
||||||
|
|
@ -6,18 +8,18 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
register: audit_rules_updated
|
register: audit_rules_updated
|
||||||
notify:
|
notify:
|
||||||
- auditd_immutable_check
|
- auditd_immutable_check
|
||||||
- audit_immutable_fact
|
- audit_immutable_fact
|
||||||
- restart auditd
|
- restart auditd
|
||||||
|
|
||||||
- name: POST | Set up auditd user logging exceptions
|
- name: POST | Set up auditd user logging exceptions
|
||||||
template:
|
template:
|
||||||
src: audit/98_auditd_exception.rules.j2
|
src: audit/98_auditd_exception.rules.j2
|
||||||
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
|
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
notify: restart auditd
|
notify: restart auditd
|
||||||
when:
|
when:
|
||||||
- allow_auditd_uid_user_exclusions
|
- allow_auditd_uid_user_exclusions
|
||||||
|
|
|
||||||
|
|
@ -22,20 +22,20 @@
|
||||||
|
|
||||||
- name: "Check password set for {{ ansible_user }}"
|
- name: "Check password set for {{ ansible_user }}"
|
||||||
block:
|
block:
|
||||||
- name: Capture current password state of "{{ ansible_user }}"
|
- name: Capture current password state of "{{ ansible_user }}"
|
||||||
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
|
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: false
|
check_mode: false
|
||||||
register: ansible_user_password_set
|
register: ansible_user_password_set
|
||||||
|
|
||||||
- name: "Assert that password set for {{ ansible_user }} and account not locked"
|
- name: "Assert that password set for {{ ansible_user }} and account not locked"
|
||||||
assert:
|
assert:
|
||||||
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
|
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
|
||||||
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
|
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
|
||||||
success_msg: "You a password set for the {{ ansible_user }}"
|
success_msg: "You a password set for the {{ ansible_user }}"
|
||||||
vars:
|
vars:
|
||||||
sudo_password_rule: rhel9cis_rule_5_3_4
|
sudo_password_rule: rhel9cis_rule_5_3_4
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_5_3_4
|
- rhel9cis_rule_5_3_4
|
||||||
- not system_is_ec2
|
- not system_is_ec2
|
||||||
|
|
@ -205,7 +205,7 @@
|
||||||
|
|
||||||
- name: If Warnings found Output count and control IDs affected
|
- name: If Warnings found Output count and control IDs affected
|
||||||
debug:
|
debug:
|
||||||
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
|
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
|
||||||
when: warn_count != 0
|
when: warn_count != 0
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
|
||||||
|
|
@ -53,7 +53,7 @@
|
||||||
- name: "POST | Warning a reboot required but skip option set | warning count"
|
- name: "POST | Warning a reboot required but skip option set | warning count"
|
||||||
set_fact:
|
set_fact:
|
||||||
control_number: "{{ control_number }} + [ 'Reboot_required' ]"
|
control_number: "{{ control_number }} + [ 'Reboot_required' ]"
|
||||||
warn_count: "{{ warn_count|int + 1 }}"
|
warn_count: "{{ warn_count | int + 1 }}"
|
||||||
when:
|
when:
|
||||||
- change_requires_reboot
|
- change_requires_reboot
|
||||||
- skip_reboot
|
- skip_reboot
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
|
- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
|
||||||
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
|
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
|
||||||
environment: "{{ audit_run_script_environment|default({}) }}"
|
environment: "{{ audit_run_script_environment | default({}) }}"
|
||||||
changed_when: audit_run_post_remediation.rc == 0
|
changed_when: audit_run_post_remediation.rc == 0
|
||||||
register: audit_run_post_remediation
|
register: audit_run_post_remediation
|
||||||
args:
|
args:
|
||||||
|
|
@ -28,7 +28,7 @@
|
||||||
|
|
||||||
- name: Capture post-audit result
|
- name: Capture post-audit result
|
||||||
set_fact:
|
set_fact:
|
||||||
post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}"
|
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
|
||||||
vars:
|
vars:
|
||||||
summary: 'summary."summary-line"'
|
summary: 'summary."summary-line"'
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
|
|
@ -33,6 +33,9 @@
|
||||||
get_url:
|
get_url:
|
||||||
url: "{{ audit_files_url }}"
|
url: "{{ audit_files_url }}"
|
||||||
dest: "{{ audit_conf_dir }}"
|
dest: "{{ audit_conf_dir }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0755
|
||||||
when:
|
when:
|
||||||
- audit_content == 'get_url'
|
- audit_content == 'get_url'
|
||||||
|
|
||||||
|
|
@ -70,7 +73,7 @@
|
||||||
|
|
||||||
- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
|
- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
|
||||||
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
|
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
|
||||||
environment: "{{ audit_run_script_environment|default({}) }}"
|
environment: "{{ audit_run_script_environment | default({}) }}"
|
||||||
changed_when: audit_run_pre_remediation.rc == 0
|
changed_when: audit_run_pre_remediation.rc == 0
|
||||||
register: audit_run_pre_remediation
|
register: audit_run_pre_remediation
|
||||||
args:
|
args:
|
||||||
|
|
@ -87,7 +90,7 @@
|
||||||
|
|
||||||
- name: Pre Audit | Capture pre-audit result
|
- name: Pre Audit | Capture pre-audit result
|
||||||
set_fact:
|
set_fact:
|
||||||
pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}"
|
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
|
||||||
vars:
|
vars:
|
||||||
summary: 'summary."summary-line"'
|
summary: 'summary."summary-line"'
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
|
|
@ -217,7 +217,9 @@
|
||||||
min_int_uid: "{{ uid_min_id.stdout }}"
|
min_int_uid: "{{ uid_min_id.stdout }}"
|
||||||
max_int_uid: "{{ uid_max_id.stdout }}"
|
max_int_uid: "{{ uid_max_id.stdout }}"
|
||||||
min_int_gid: "{{ gid_min_id.stdout }}"
|
min_int_gid: "{{ gid_min_id.stdout }}"
|
||||||
- debug:
|
|
||||||
|
- name: Output of uid findings
|
||||||
|
debug:
|
||||||
msg: "{{ min_int_uid }} {{ max_int_uid }}"
|
msg: "{{ min_int_uid }} {{ max_int_uid }}"
|
||||||
|
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue