sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

linting

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-09-16 11:04:19 +01:00
parent 2974fa5385
commit 1e22c13794
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
8 changed files with 38 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

8
handlers/main.yml
View file

@ -15,7 +15,7 @@
value: '1'
sysctl_set: true
ignore_errors: true
when:
when:
- flush_ipv4_route
- not system_is_container
tags:
@ -27,7 +27,7 @@
name: net.ipv6.route.flush
value: '1'
sysctl_set: true
when:
when:
- flush_ipv6_route
- not system_is_container
@ -78,7 +78,7 @@
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
args:
warn: false
ignore_errors: True
ignore_errors: true
tags:
- skip_ansible_lint
@ -130,4 +130,4 @@
- name: change_requires_reboot
set_fact:
change_requires_reboot: true
change_requires_reboot: true

2
tasks/LE_audit_setup.yml
View file

@ -22,7 +22,7 @@
- get_goss_file == 'copy'
- name: install git if not present
package:
package:
name: git
state: present
register: git_installed

14
tasks/auditd.yml
View file

@ -1,3 +1,5 @@
---
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
template:
src: audit/99_auditd.rules.j2
@ -6,18 +8,18 @@
group: root
mode: 0600
register: audit_rules_updated
notify:
notify:
- auditd_immutable_check
- audit_immutable_fact
- restart auditd
- name: POST | Set up auditd user logging exceptions
template:
src: audit/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: 0600
src: audit/98_auditd_exception.rules.j2
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: 0600
notify: restart auditd
when:
- allow_auditd_uid_user_exclusions

28
tasks/main.yml
View file

@ -22,20 +22,20 @@
- name: "Check password set for {{ ansible_user }}"
block:
- name: Capture current password state of "{{ ansible_user }}"
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: ansible_user_password_set
- name: Capture current password state of "{{ ansible_user }}"
shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: ansible_user_password_set
- name: "Assert that password set for {{ ansible_user }} and account not locked"
assert:
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
success_msg: "You a password set for the {{ ansible_user }}"
vars:
sudo_password_rule: rhel9cis_rule_5_3_4
- name: "Assert that password set for {{ ansible_user }} and account not locked"
assert:
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
success_msg: "You a password set for the {{ ansible_user }}"
vars:
sudo_password_rule: rhel9cis_rule_5_3_4
when:
- rhel9cis_rule_5_3_4
- not system_is_ec2
@ -205,7 +205,7 @@
- name: If Warnings found Output count and control IDs affected
debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
when: warn_count != 0
tags:
- always

2
tasks/post.yml
View file

@ -53,7 +53,7 @@
- name: "POST | Warning a reboot required but skip option set | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'Reboot_required' ]"
warn_count: "{{ warn_count|int + 1 }}"
warn_count: "{{ warn_count | int + 1 }}"
when:
- change_requires_reboot
- skip_reboot

4
tasks/post_remediation_audit.yml
View file

@ -2,7 +2,7 @@
- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment|default({}) }}"
environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: audit_run_post_remediation.rc == 0
register: audit_run_post_remediation
args:
@ -28,7 +28,7 @@
- name: Capture post-audit result
set_fact:
post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}"
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
when:

7
tasks/pre_remediation_audit.yml
View file

@ -33,6 +33,9 @@
get_url:
url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}"
owner: root
group: root
mode: 0755
when:
- audit_content == 'get_url'
@ -70,7 +73,7 @@
- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment|default({}) }}"
environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: audit_run_pre_remediation.rc == 0
register: audit_run_pre_remediation
args:
@ -87,7 +90,7 @@
- name: Pre Audit | Capture pre-audit result
set_fact:
pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}"
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
when:

4
tasks/prelim.yml
View file

@ -217,7 +217,9 @@
min_int_uid: "{{ uid_min_id.stdout }}"
max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}"
- debug:
- name: Output of uid findings
debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}"
when: