1.2.2 rpm gpg key check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-07-25 11:26:27 +01:00 · 2022-07-25 11:26:27 +01:00 · 28bbc2ff5f
commit 28bbc2ff5f
parent 22326c5de6
4 changed files with 36 additions and 9 deletions
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -20,8 +20,36 @@
      - skip_ansible_lint  # Added as no_log still errors on ansuible-lint

 - name: "1.2.2 | AUDIT | Ensure GPG keys are configured"
-  shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\""
+  block:
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
+        shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
        changed_when: false
+        failed_when: false
+        register: os_installed_pub_keys
+
+      #- debug:
+      #    msg: "{{ os_installed_pub_keys }}"
+
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys"
+        shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\""
+        register: os_gpg_key_check
+        changed_when: false
+        failed_when: false
+        when: os_installed_pub_keys.rc == 0
+
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass"
+        debug:
+            msg: "Congratulations !! - The installed gpg keys match expected values"
+        when: 
+            - os_installed_pub_keys.rc == 0
+            - os_gpg_key_check.rc == 0
+
+      - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail"
+        fail:
+            msg: Installed GPG Keys do not meet expected values or keys installed that are not expected
+        when:
+            - os_installed_pub_keys.rc == 1 or
+              os_gpg_key_check.rc == 1
  when:
      - rhel9cis_rule_1_2_2
      - ansible_distribution == "RedHat" or
--- a/vars/AlmaLinux.yml
+++ b/vars/AlmaLinux.yml
@ -1,6 +1,5 @@
 ---
 # OS Specific Settings

-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
-rpm_packager: "AlmaLinux Packaging Team <packager@almalinux.org>"
-rpm_key: "d36cb86cb86b3716"
+os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29
+os_gpg_key_pubkey_content: "AlmaLinux OS 9 <packager@almalinux.org> b86b3716"
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,6 +1,5 @@
 ---
 # OS Specific Settings

-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
-rpm_packager: "Red Hat, Inc"
-rpm_key: "199e2f91fd431d51"  # found on https://access.redhat.com/security/team/key/
+os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b
+os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <security@redhat.com> fd431d51"
--- a/vars/Rocky.yml
+++ b/vars/Rocky.yml
@ -1,4 +1,5 @@
 ---
 # OS Specific Settings

-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
+os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b
+os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org> 350d275d"