Merge pull request #392 from ansible-lockdown/2025_Sep_Updates

2025 Sep Updates: Issue fixes and Improved logic
2025-09-10 08:05:19 -04:00 · 2025-09-10 08:05:19 -04:00 · 282d7fe0bc
commit 282d7fe0bc
parent 39c7dfa187 d92ec8c564
9 changed files with 36 additions and 27 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,7 +1,11 @@
 # Changes to rhel9CIS

 ## 2.0.3 - Based on CIS v2.0.0
-
+- addressed issue #387, thank you @fragglexarmy
+- addressed issue #382 to improve regex logic on 5.4.2.4
+- improvement on crypto policy managed controls with var logic
+- addressed issue #384 thank you @polski-g
+- update command to shell module on tasks
 - addressed issue 371 thanks to @bgro and kodebach
 - addressed issue 350 thanks to @chrispipo
 - addressed issue 364 thanks to @polski-g
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -586,7 +586,9 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pr
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true

-## Controls 1.6.x
+## Controls 1.6.x and Controls 5.1.x
+# This variable governs if current Ansible role should manage system-wide crypto policy.
+rhel9cis_crypto_policy_ansiblemanaged: true
 # This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING
 # 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore
 # possible values for this variable are, as explained by RedHat docs:
@ -594,7 +596,6 @@ rhel9cis_set_boot_pass: true
 #  -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
 #  -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
-## Controls 1.6.x and Controls 5.1.x
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
@ -618,7 +619,7 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an

 ## Control 1.8.x - Settings for GDM
 # do not run Control 1.8.x if using a display manager different than gdm
-rhel10cis_display_manager: "gdm"
+rhel9cis_display_manager: "gdm"
 # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
 # be executed either to:
 # - secure GDM, if GUI is needed('rhel9cis_gui: true')
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -97,7 +97,7 @@
              (
                ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
              or
-                (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list)
+                (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
              )
            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
@ -134,7 +134,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -136,8 +136,7 @@
  register: prelim_systemd_coredump

 - name: "PRELIM | PATCH | Setup crypto-policy"
-  when:
-    - rhel9cis_rule_1_6_1
+  when: rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -167,6 +166,7 @@
        current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}"

 - name: "PRELIM | AUDIT | Set facts based on boot type"
+  tags: always
  block:
    - name: "PRELIM | AUDIT | Check whether machine is UEFI-based"
      ansible.builtin.stat:
@ -185,17 +185,14 @@
        grub2_path: /etc/grub2-efi.cfg

 - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
-  tags:
-    - always
+  tags: always
  ansible.builtin.stat:
    path: /usr/share/gnome/gnome-version.xml
  register: prelim_gnome_present

 - name: "PRELIM | PATCH | Install dconf if gui installed"
-  when:
-    - rhel9cis_gui
-  tags:
-    - always
+  when: rhel9cis_gui
+  tags: always
  ansible.builtin.package:
    name: dconf
    state: present
@ -204,8 +201,7 @@
  when:
    - rhel9cis_rule_3_1_2
    - not system_is_container
-  tags:
-    - always
+  tags: always
  block:
    - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
      ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
@ -251,9 +247,7 @@
    state: touch

 - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
-  when:
-    - rhel9cis_rule_5_1_10 or
-      rhel9cis_rule_5_1_11
+  when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11
  ansible.builtin.stat:
    path: /etc/ssh/sshd_config.d/50-redhat.conf
  register: prelim_sshd_50_redhat_file
@ -361,7 +355,6 @@
    prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}"

 - name: "PRELIM | AUDIT | Gather the package facts after prelim"
-  tags:
-    - always
+  tags: always
  ansible.builtin.package_facts:
    manager: auto
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@ -1,7 +1,9 @@
 ---

 - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
-  when: rhel9cis_rule_1_6_1
+  when:
+    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -21,12 +23,14 @@
  tags:
    - level1-server
    - level1-workstation
+    - sshd
    - automated
    - patch
    - rule_1.6.2
    - NIST800-53R5_SC-8
    - NIST800-53R5_IA-5
-    - NIST800-53R5_AC-17- NIST800-53R5_SC-6
+    - NIST800-53R5_AC-17
+    - NIST800-53R5_SC-6
  ansible.builtin.lineinfile:
    path: /etc/sysconfig/sshd
    regexp: ^CRYPTO_POLICY\s*=
@ -37,6 +41,7 @@
  when:
    - rhel9cis_rule_1_6_3
    - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -67,6 +72,7 @@
  when:
    - rhel9cis_rule_1_6_4
    - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -76,7 +82,6 @@
    - rule_1.6.4
    - NIST800-53R5_SC-6
  block:
-
    - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
      ansible.builtin.template:
        src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@ -98,6 +103,7 @@
  when:
    - rhel9cis_rule_1_6_5
    - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -128,6 +134,7 @@
  when:
    - rhel9cis_rule_1_6_6
    - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -158,6 +165,7 @@
  when:
    - rhel9cis_rule_1_6_7
    - "'NO-SSHETM' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@ -61,6 +61,6 @@
    file: cis_1.7.x.yml

 - name: "SECTION | 1.8 | Gnome Display Manager"
-  when: rhel10cis_display_manager == 'gdm'
+  when: rhel9cis_display_manager == 'gdm'
  ansible.builtin.import_tasks:
    file: cis_1.8.x.yml
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@ -81,7 +81,7 @@
      register: discovered_nftables_inconnectionrule

    - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
-      ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
+      ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
      changed_when: false
      failed_when: false
      register: discovered_nftables_outconnectionrule
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -80,6 +80,7 @@
  when:
    - rhel9cis_rule_5_1_4
    - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -108,6 +109,7 @@
  when:
    - rhel9cis_rule_5_1_5
    - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
@ -136,6 +138,7 @@
  when:
    - rhel9cis_rule_5_1_6
    - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@ -64,7 +64,7 @@
        - rhel9cis_force_user_mindays
      ansible.builtin.user:
        name: "{{ item }}"
-        password_expire_max: "{{ rhel9cis_pass_min_days }}"
+        password_expire_min: "{{ rhel9cis_pass_min_days }}"
      loop: "{{ discovered_min_days.stdout_lines }}"

 - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"