improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-08-07 10:31:31 +01:00 · 2024-08-07 10:31:31 +01:00 · 2a7d08da08
commit 2a7d08da08
parent 47dc0c5b4c
5 changed files with 211 additions and 284 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 # tasks file for RHEL9-CIS

- name: Check OS version and family
+- name: "Check OS version and family"
  ansible.builtin.assert:
    that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
    fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
@ -11,7 +11,7 @@
  tags:
    - always

- name: Check ansible version
+- name: "Check ansible version"
  ansible.builtin.assert:
    that: ansible_version.full is version_compare(min_ansible_version, '>=')
    fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
@ -19,16 +19,67 @@
  tags:
    - always

+- name: "Setup rules if container"
+  when:
+    - ansible_connection == 'docker' or
+      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+    - container_discovery
+    - always
+  block:
+    - name: "Discover and set container variable if required"
+      ansible.builtin.set_fact:
+        system_is_container: true
+
+    - name: "Load variable for container"
+      ansible.builtin.include_vars:
+        file: "{{ container_vars_file }}"
+
+    - name: "Output if discovered is a container"
+      when:
+        - system_is_container
+      ansible.builtin.debug:
+        msg: system has been discovered as a container
+
+- name: "Check crypto-policy input"
+  ansible.builtin.assert:
+    that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
+    fail_msg: "Crypto policy is not a permitted version"
+    success_msg: "Crypto policy is a permitted version"
+
+- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+  when:
+    - rhel9cis_set_boot_pass
+    - rhel9cis_rule_1_4_1
+  tags:
+    - always
+  ansible.builtin.assert:
+    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
+
+- name: "Check crypto-policy module input"
+  when:
+    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_module | length > 0
+  tags:
+    - rule_1.6.1
+    - crypto
+    - NIST800-53R5_SC-6
+  ansible.builtin.assert:
+    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+    fail_msg: "Crypto policy module is not a permitted version"
+    success_msg: "Crypto policy module is a permitted version"
+
 - name: "Check password set for {{ ansible_env.SUDO_USER }}"
  when:
-    - rhel9cis_rule_5_3_4
+    - rhel9cis_rule_5_2_4
    - ansible_env.SUDO_USER is defined
    - not system_is_ec2
  tags:
    - user_passwd
-    - rule_5.3.4
+    - rule_5.2.4
  vars:
-    sudo_password_rule: rhel9cis_rule_5_3_4  # pragma: allowlist secret
+    sudo_password_rule: rhel9cis_rule_5_2_4  # pragma: allowlist secret
  block:
    - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
      ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
@ -61,173 +112,108 @@
            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
            success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"

- name: Ensure root password is set
+- name: "Ensure root password is set"
  when:
-    - rhel9cis_rule_5_6_6
+    - rhel9cis_rule_5_4_2_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - accounts
    - root
-    - rule_5.6.6
+    - rule_5.4.2.4
  block:
-    - name: Ensure root password is set
+    - name: "Ensure root password is set"
      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
      changed_when: false
      register: root_passwd_set

-    - name: Ensure root password is set
+    - name: "Ensure root password is set"
      ansible.builtin.assert:
        that: root_passwd_set.rc == 0
-        fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set"
+        fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set"
        success_msg: "You have a root password set"

- name: Setup rules if container
-  when:
-    - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-    - container_discovery
-    - always
-  block:
-    - name: Discover and set container variable if required
-      ansible.builtin.set_fact:
-        system_is_container: true
-
-    - name: Load variable for container
-      ansible.builtin.include_vars:
-        file: "{{ container_vars_file }}"
-
-    - name: Output if discovered is a container
-      when:
-        - system_is_container
-      ansible.builtin.debug:
-        msg: system has been discovered as a container
-
- name: Check crypto-policy input
-  ansible.builtin.assert:
-    that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
-    fail_msg: "Crypto policy is not a permitted version"
-    success_msg: "Crypto policy is a permitted version"
-
- name: Check crypto-policy module input
-  when:
-    - rhel9cis_rule_1_6_1
-    - rhel9cis_crypto_policy_module | length > 0
-  tags:
-    - rule_1.6.1
-    - crypto
-    - NIST800-53R5_SC-6
-  ansible.builtin.assert:
-    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
-    fail_msg: "Crypto policy module is not a permitted version"
-    success_msg: "Crypto policy module is a permitted version"
-
- name: Check rhel9cis_bootloader_password_hash variable has been changed
-  when:
-    - rhel9cis_set_boot_pass
-    - rhel9cis_rule_1_4_1
-  tags:
-    - always
-  ansible.builtin.assert:
-    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
-
- name: Gather the package facts
+- name: "Gather the package facts"
  tags:
    - always
  ansible.builtin.package_facts:
    manager: auto

- name: Include OS specific variables
+- name: "Include OS specific variables"
  tags:
    - always
  ansible.builtin.include_vars:
    file: "{{ ansible_facts.distribution }}.yml"

- name: Include preliminary steps
+- name: "Include preliminary steps"
  tags:
    - prelim_tasks
    - always
  ansible.builtin.import_tasks:
    file: prelim.yml

- name: Run Section 1 tasks
+- name: "Run Section 1 tasks"
  when: rhel9cis_section1
-  tags:
-    - rhel9cis_section1
  ansible.builtin.import_tasks:
    file: section_1/main.yml

- name: Run Section 2 tasks
+- name: "Run Section 2 tasks"
  when: rhel9cis_section2
-  tags:
-    - rhel9cis_section2
  ansible.builtin.import_tasks:
    file: section_2/main.yml

- name: Run Section 3 tasks
+- name: "Run Section 3 tasks"
  when: rhel9cis_section3
-  tags:
-    - rhel9cis_section3
  ansible.builtin.import_tasks:
    file: section_3/main.yml

- name: Run Section 4 tasks
+- name: "Run Section 4 tasks"
  when: rhel9cis_section4
-  tags:
-    - rhel9cis_section4
  ansible.builtin.import_tasks:
    file: section_4/main.yml

- name: Run Section 5 tasks
+- name: "Run Section 5 tasks"
  when: rhel9cis_section5
-  tags:
-    - rhel9cis_section5
  ansible.builtin.import_tasks:
    file: section_5/main.yml

- name: Run Section 6 tasks
+- name: "Run Section 6 tasks"
  when: rhel9cis_section6
-  tags:
-    - rhel9cis_section6
  ansible.builtin.import_tasks:
    file: section_6/main.yml

-# - name: Run Section 7 tasks
-#   when: rhel9cis_section7
-#   tags:
-#     - rhel9cis_section7
-#   ansible.builtin.import_tasks:
-#     file: section_7/main.yml
+- name: "Run Section 7 tasks"
+  when: rhel9cis_section7
+  ansible.builtin.import_tasks:
+    file: section_7/main.yml

- name: Run auditd logic
+- name: "Run auditd logic"
  when: update_audit_template
  tags:
    - always
  ansible.builtin.import_tasks:
    file: auditd.yml

- name: Run post remediation tasks
+- name: "Run post remediation tasks"
  tags:
    - post_tasks
    - always
  ansible.builtin.import_tasks:
    file: post.yml

- name: Run post_remediation audit
+- name: "Run post_remediation audit"
  when:
    - run_audit
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml

- name: Show Audit Summary
+- name: "Show Audit Summary"
  when: run_audit
  ansible.builtin.debug:
    msg: "{{ audit_results.split('\n') }}"

- name: If Warnings found Output count and control IDs affected
+- name: "If Warnings found Output count and control IDs affected"
  when: warn_count != 0
  tags:
    - always