From 3b19db6812813dfe88b9682f782cc2edb52b16b9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 13 Jan 2022 11:27:26 +0000
Subject: [PATCH] replaced command with shell
Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 8 ++++----
 tasks/check_prereqs.yml | 4 ++--
 tasks/parse_etc_password.yml | 2 +-
 tasks/post.yml | 4 ++--
 tasks/post_remediation_audit.yml | 4 ++--
 tasks/pre_remediation_audit.yml | 12 +++++------
 tasks/prelim.yml | 28 ++++++++++++++------------
 tasks/section_1/cis_1.2.x.yml | 4 ++--
 tasks/section_1/cis_1.4.x.yml | 2 +-
 tasks/section_3/cis_3.4.2.x.yml | 2 +-
 tasks/section_3/cis_3.4.3.x.yml | 34 ++++++++++++++++----------------
 tasks/section_3/cis_3.5.yml | 12 +++++------
 tasks/section_4/cis_4.2.1.x.yml | 2 +-
 tasks/section_4/cis_4.2.3.yml | 2 +-
 tasks/section_5/cis_5.5.1.x.yml | 6 +++---
 tasks/section_5/cis_5.5.x.yml | 2 +-
 tasks/section_5/cis_5.6.yml | 2 +-
 tasks/section_6/cis_6.1.x.yml | 4 ++--
 tasks/section_6/cis_6.2.x.yml | 16 +++++++-------
 19 files changed, 75 insertions(+), 75 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index fdd9354..628d481 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -58,7 +58,7 @@
 state: reloaded
 - name: remount tmp
- command: mount -o remount /tmp
+ shell: mount -o remount /tmp
 args:
 warn: false
@@ -88,7 +88,7 @@
 - name: reload dconf
 become: yes
- command: dconf update
+ shell: dconf update
 - name: update auditd
 template:
@@ -100,7 +100,7 @@
 notify: restart auditd
 - name: restart auditd
- command: /sbin/service auditd restart
+ shell: /sbin/service auditd restart
 changed_when: no
 check_mode: no
 failed_when: no
@@ -112,7 +112,7 @@
 - skip_ansible_lint
 - name: grub2cfg
- command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
+ shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
 ignore_errors: True
 tags:
 - skip_ansible_lint
diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml
index 5ce4ab4..cdaf930 100644
--- a/tasks/check_prereqs.yml
+++ b/tasks/check_prereqs.yml
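Review bot: Every `command:` → `shell:` swap in this patch (this handler, the three below it, and every hunk in the 18 task files down to tasks/section_6/cis_6.2.x.yml) routes the line through a shell although none of the converted lines uses a pipe, redirection or glob, so the change buys nothing and costs a shell parse of every interpolated value. That matters where task variables or registered output land on the line — `firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"` (cis_3.4.2.x), `chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"` and `passwd --expire {{ item }}` (cis_5.5.1.x), `passwd -l {{ item }}` (cis_6.2.x) and the `nft … "{{ rhel9cis_nft_tables_tablename }}"` lines (cis_3.4.3.x): `command` never interpreted shell metacharacters in those values, `shell` will. I would keep `command:` for these, or where `shell:` stays, pass each interpolated value through `| quote` as the `find -H {{ item.0 | quote }}` tasks in cis_6.2.x already do. ansible-lint's command-instead-of-shell rule will also now flag each converted task unless it carries the skip_ansible_lint tag, and the commit message gives no reason for the switch that a reader could check.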
@@ -3,7 +3,7 @@
 - name: "PREREQ | Add the required packages | Python 3"
 block:
 - name: Check if python36-rpm package installed
- command: rpm -q python36-rpm
+ shell: rpm -q python36-rpm
 failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] )
 changed_when: false
 args:
@@ -28,7 +28,7 @@
 - libselinux-python3
 - name: Disable Epel repo if installed earlier
- command: yum-config-manager disable epel
+ shell: yum-config-manager disable epel
 when: epel_installed.changed
 when:
 - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 )
diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml
index de29ff1..29b7d86 100644
--- a/tasks/parse_etc_password.yml
+++ b/tasks/parse_etc_password.yml
@@ -3,7 +3,7 @@
 - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
 block:
 - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
- command: cat /etc/passwd
+ shell: cat /etc/passwd
 changed_when: no
 check_mode: no
 register: rhel9cis_passwd_file_audit
diff --git a/tasks/post.yml b/tasks/post.yml
index 35c3b79..a3eae23 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
@@ -7,7 +7,7 @@
 changed_when: no
 - name: trigger update sysctl
- command: /bin/true
+ shell: /bin/true
 changed_when: false
 check_mode: false
 notify: update sysctl
@@ -29,7 +29,7 @@
 - sysctl
 - name: trigger update auditd
- command: /bin/true
+ shell: /bin/true
 notify: update auditd
 changed_when: false
 check_mode: false
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 17ef3f8..9a14c5c 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -17,7 +17,7 @@
 - name: Post Audit | Capture audit data if json format
 block:
 - name: "capture data {{ post_audit_outfile }}"
- command: "cat {{ post_audit_outfile }}"
+ shell: "cat {{ post_audit_outfile }}"
 register: post_audit
 changed_when: false
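Review bot: The rewritten line in the second check_prereqs hunk, `shell: yum-config-manager disable epel`, looks like it is missing the option dashes: the documented form is `yum-config-manager --disable epel`, and without them both words are read as section names to print rather than as an action, so the repository would stay enabled. This predates the patch, but since the line is being rewritten anyway it is worth confirming against the tool on the target distribution. The enclosing block's python 3.6 guard is visible as trailing context only; the rest of the block is outside the hunk.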
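Review bot: `notify: update sysctl` on the "trigger update sysctl" task in the first post.yml hunk can never fire: a handler is only notified when its task reports changed, and `changed_when: false` two lines above the notify pins the result to ok, so swapping `command` for `shell` on `/bin/true` leaves the trigger inert. If the task exists to force the handler, `changed_when: true` is the line that does it (with `check_mode: false` already set it will then also notify in check mode, which should be a deliberate choice). The "trigger update auditd" task in the @@ -29 hunk has the same `changed_when: false` / `notify` combination.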
@@ -32,7 +32,7 @@
 - name: Post Audit | Capture audit data if documentation format
 block:
 - name: "Post Audit | capture data {{ post_audit_outfile }}"
- command: "tail -2 {{ post_audit_outfile }}"
+ shell: "tail -2 {{ post_audit_outfile }}"
 register: post_audit
 changed_when: false
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 4e568dc..2821cd2 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -59,11 +59,11 @@
 path: "{{ audit_bin }}"
 register: goss_available
- - name: Pre Audit | If audit ensure goss is available
+ - name: Pre Audit | Alert if goss not available
 assert:
- msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
- when:
- - not goss_available.stat.exists
+ that: goss_available.stat.exists
+ fail_msg: "Audit binary file {{ audit_bin }} does not exist"
+ success_msg: "Audit binary file {{ audit_bin }} exists"
 when:
 - run_audit
@@ -92,7 +92,7 @@
 - name: Pre Audit | Capture audit data if json format
 block:
 - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
- command: "cat {{ pre_audit_outfile }}"
+ shell: "cat {{ pre_audit_outfile }}"
 register: pre_audit
 changed_when: false
@@ -107,7 +107,7 @@
 - name: Pre Audit | Capture audit data if documentation format
 block:
 - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
- command: "tail -2 {{ pre_audit_outfile }}"
+ shell: "tail -2 {{ pre_audit_outfile }}"
 register: pre_audit
 changed_when: false
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 5451c31..239c7b6 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -2,7 +2,7 @@
 # Preliminary tasks that should always be run
 # List users in order to look files inside each home directory
 - name: "PRELIM | List users accounts"
- command: "awk -F: '{print $1}' /etc/passwd"
+ shell: "awk -F: '{print $1}' /etc/passwd"
 args:
 warn: no
 changed_when: no
@@ -48,7 +48,11 @@
 package:
 name: audit
 state: present
- when: rhel9cis_level_2
+ become: true
+ when:
+ - rhel9cis_level_2 or rhel9cis_rule_4_1_1_1 - '"auditd" not in ansible_facts.packages'
 - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected"
 shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
@@ -63,16 +67,23 @@
 package:
 name: cronie
 state: present
+ become: true
+ when:
+ - rhel9cis_rule_5_1_1
+ - '"cronie" not in ansible_facts.packages'
 - name: "PRELIM | Install authconfig"
 package:
 name: authconfig
 state: present
+ become: true
 when:
 - rhel9cis_use_authconfig
 - rhel9cis_rule_5_3_1 or
 rhel9cis_rule_5_3_2 or
- rhel9cis_rule_5_3_3
+ rhel9cis_rule_5_3_3 or
+ '"authconfig" not in ansible_facts.packages' or
+ '"auditd-lib" not in ansible_facts.packages'
 - name: "PRELIM | Set facts based on boot type"
 block:
@@ -92,26 +103,17 @@
 grub2_path: /etc/grub2-efi.cfg
 when: rhel_09_efi_boot.stat.exists
-# - name: debug legacy boot var
-# debug:
-# msg: |
-# legacy_boot={{ rhel9cis_legacy_boot }}
-# grub2_path={{ grub2_path }}
 - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
 stat:
 path: "{{ grub2_path }}"
 changed_when: false
 register: grub_cfg
-# - name: debug grub stat
-# debug:
-# var: grub_cfg.stat
 - name: "PRELIM | Check for rhnsd service"
 shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
 changed_when: false
 check_mode: false
+ become: true
 register: rhnsd_service_status
 when:
 - rhel9cis_rule_1_2_2
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 07a8285..79935ef 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
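Review bot: The new guard `'"auditd" not in ansible_facts.packages'` on the audit install task tests a key that presumably never exists: the task installs the package named `audit`, and `ansible_facts.packages` is keyed by package name, so the condition stays true and the guard is a no-op (harmless because `package` is idempotent, but it reads as if it short-circuits). `'"audit" not in ansible_facts.packages'` looks like what was meant. This also depends on a `package_facts` task having run before prelim.yml reaches this point, which is not visible in the hunk and should be confirmed.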
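Review bot: The extended `when` on "PRELIM | Install authconfig" always evaluates truthy: the two package checks were appended inside the multi-line plain scalar that starts at `- rhel9cis_rule_5_3_1 or`, so YAML keeps their single quotes and Jinja sees `'"authconfig" not in ansible_facts.packages'` as a non-empty string literal, which makes the whole `or` chain true whatever the rule flags say (newer ansible-core releases may instead reject the non-boolean result). The cronie task in the same hunk does it right by giving the package check its own list item, which is also the AND semantics an install guard wants: end the scalar at `rhel9cis_rule_5_3_3` and add `- '"authconfig" not in ansible_facts.packages'` as the next list item. The `"auditd-lib"` check has no obvious link to installing authconfig and looks carried over from the audit task above; confirm the intended package or drop it.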
@@ -37,7 +37,7 @@
 - rule_1.2.2
 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
- command: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
+ shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
 when:
 - rhel9cis_rule_1_2_3
 - ansible_distribution == "RedHat"
@@ -76,7 +76,7 @@
 - name: "1.2.5 | L1 | Ensure package manager repositories are configured"
 block:
 - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list"
- command: dnf repolist
+ shell: dnf repolist
 changed_when: false
 failed_when: false
 register: dnf_configured
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 6bd3bc2..56819b4 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -8,7 +8,7 @@
 state: present
 - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE"
- command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
+ shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
 changed_when: false
 failed_when: false
 async: 45
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index 9f90c67..bcb8f89 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@@ -45,7 +45,7 @@
 - rule_3_4_2_3
 - name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set"
- command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
+ shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
 when:
 - rhel9cis_firewall == "firewalld"
 - rhel9cis_rule_3_4_2_4
diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml
index 202daa0..4677b6a 100644
--- a/tasks/section_3/cis_3.4.3.x.yml
+++ b/tasks/section_3/cis_3.4.3.x.yml
@@ -1,7 +1,7 @@
 ---
 - name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables"
- command: ip6tables -F
+ shell: ip6tables -F
 when:
 - rhel9cis_rule_3_4_3_1
 - rhel9cis_firewall != "iptables"
@@ -15,7 +15,7 @@
 - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists"
 block:
 - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables"
- command: nft list tables
+ shell: nft list tables
 changed_when: false
 failed_when: false
 register: rhel9cis_3_4_3_2_nft_tables
@@ -31,13 +31,13 @@
 debug:
 msg:
 - "Warning! You currently have no nft tables, please review your setup"
- - 'Use the command "nft create table inet " to create a new table'
+ - 'Use the shell "nft create table inet
" to create a new table' when: - rhel9cis_3_4_3_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" - command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: no when: rhel9cis_nft_tables_autonewtable when: @@ -120,15 +120,15 @@ register: rhel9cis_3_4_3_4_ip6saddr - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' when: - rhel9cis_firewall == "nftables" 
@@ -154,27 +154,27 @@
 register: rhel9cis_3_4_3_5_outconnectionrule
 - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
 when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
 - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
 when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
 - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
 when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
 - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
 when: '"ip protocol tcp ct state established,related,new accept" not in 
rhel9cis_3_4_3_5_outconnectionrule.stdout'
 - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
 when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
 - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
 when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
 when:
 - rhel9cis_firewall == "nftables"
@@ -212,19 +212,19 @@
 register: rhel9cis_3_4_3_6_sshallowcheck
 - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
- command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
+ shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
 when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout'
 - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
- command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
+ shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
 when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout'
 - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
- command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
+ shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
 when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout'
 - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
- command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
+ shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
 when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout'
 when:
 - rhel9cis_firewall == "nftables"
diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml
index 5a60a5e..1d24b7d 100644
--- a/tasks/section_3/cis_3.5.yml
+++ b/tasks/section_3/cis_3.5.yml
@@ -3,23 +3,21 @@
 - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled"
 block:
 - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
- command: rpm -q NetworkManager
- changed_when: false
- failed_when: false
+ shell: rpm -q NetworkManager
+# changed_when: false
+# failed_when: false
 check_mode: no
- args:
- warn: no
 register: rhel_09_nmcli_available
 - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
- command: nmcli radio wifi
+ shell: nmcli radio wifi
 register: rhel_09_wifi_enabled
 changed_when: rhel_09_wifi_enabled.stdout != "disabled"
 failed_when: false
 when: rhel_09_nmcli_available.rc == 0
 - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
- command: nmcli radio all off
+ shell: nmcli radio all off
 changed_when: false
 failed_when: false
 when: rhel_09_wifi_enabled is changed
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index b9d525e..911e23c 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -43,7 +43,7 @@
 - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured"
 block:
 - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
- command: cat /etc/rsyslog.conf
+ shell: cat /etc/rsyslog.conf
 become: yes
 changed_when: false
 failed_when: no
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
index d199269..ece189b 100644
--- a/tasks/section_4/cis_4.2.3.yml
+++ b/tasks/section_4/cis_4.2.3.yml
@@ -1,7 +1,7 @@
 ---
 - name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured"
- command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
+ shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
 changed_when: false
 failed_when: false
 when:
diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml
index 453f31b..570e83c 100644
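Review bot: Commenting out `changed_when: false` and `failed_when: false` on the `rpm -q NetworkManager` task in the cis_3.5 hunk changes behaviour in two ways the patch does not address: `rpm -q` exits non-zero when the package is absent, so the role now fails on a host without NetworkManager instead of reaching the `when: rhel_09_nmcli_available.rc == 0` guard on the next task that exists for exactly that case, and the audit task now reports changed on every run. Restore both keys under `shell: rpm -q NetworkManager` — `changed_when: false` and `failed_when: false` — and delete the `#`-commented copies rather than leaving dead YAML in the task. Whether dropping `args: warn: no` here while the handlers hunk keeps `args: warn: false` is intentional depends on the ansible-core version the role targets, which is not visible in this patch.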
--- a/tasks/section_5/cis_5.5.1.x.yml
+++ b/tasks/section_5/cis_5.5.1.x.yml
@@ -52,7 +52,7 @@
 register: rhel9cis_5_5_1_4_inactive_settings
 - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
- command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+ shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
 when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
 - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
@@ -62,7 +62,7 @@
 changed_when: false
 - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
- command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+ shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
 with_items:
 - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
 when:
@@ -102,7 +102,7 @@
 - not rhel9cis_futurepwchgdate_autofix
 - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
- command: passwd --expire {{ item }}
+ shell: passwd --expire {{ item }}
 when:
 - rhel9cis_5_5_1_5_user_list | length > 0
 - rhel9cis_futurepwchgdate_autofix
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 856e6b4..5b23d83 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -63,7 +63,7 @@
 - rule_5.5.3
 - name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
- command: usermod -g 0 root
+ shell: usermod -g 0 root
 changed_when: false
 failed_when: false
 when:
diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml
index 58eb7e5..973b1d6 100644
--- a/tasks/section_5/cis_5.6.yml
+++ b/tasks/section_5/cis_5.6.yml
@@ -9,7 +9,7 @@
 register: rhel9cis_securetty_check
 - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
- command: cat /etc/securetty
+ shell: cat /etc/securetty
 changed_when: false
 register: rhel_09_5_6_audit
 when: rhel9cis_securetty_check.stat.exists
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index ad162e3..9650e5d 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -182,7 +182,7 @@
 - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist"
 block:
 - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
- command: find "{{ item.mount }}" -xdev -nouser
+ shell: find "{{ item.mount }}" -xdev -nouser
 check_mode: false
 failed_when: false
 changed_when: false
@@ -208,7 +208,7 @@
 - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist"
 block:
 - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
- command: find "{{ item.mount }}" -xdev -nogroup
+ shell: find "{{ item.mount }}" -xdev -nogroup
 check_mode: false
 failed_when: false
 changed_when: false
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 1edab26..43c57f2 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -1,7 +1,7 @@
 ---
 - name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty"
- command: passwd -l {{ item }}
+ shell: passwd -l {{ item }}
 changed_when: false
 failed_when: false
 with_items: "{{ empty_password_accounts.stdout_lines }}"
@@ -15,7 +15,7 @@
 - rule_6.2.1
 - name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
- command: sed -i '/^+/ d' /etc/passwd
+ shell: sed -i '/^+/ d' /etc/passwd
 changed_when: false
 failed_when: false
 when:
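Review bot: The 6.2.1 task in the first cis_6.2.x hunk is labelled AUDIT but its rewritten line, `shell: passwd -l {{ item }}`, locks every account in `empty_password_accounts.stdout_lines`, and with `changed_when: false` the play reports ok while /etc/shadow is modified — an operator reading the run output has no signal that accounts were locked. I would rename it `6.2.1 | L1 | PATCH | …` and drop `changed_when: false` (or base it on the command's rc) so the change is reported; the 6.2.6 `passwd -l {{ item }}` task in a later hunk hides its changes the same way. The loop variable comes from registered stdout, so it is exactly the kind of value the command/shell switch hands to a shell unquoted.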
@@ -74,7 +74,7 @@
 - rule_6.2.3
 - name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
- command: sed -i '/^+/ d' /etc/shadow
+ shell: sed -i '/^+/ d' /etc/shadow
 changed_when: false
 failed_when: false
 when:
@@ -87,7 +87,7 @@
 - skip_ansible_lint
 - name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
- command: sed -i '/^+/ d' /etc/group
+ shell: sed -i '/^+/ d' /etc/group
 changed_when: false
 failed_when: false
 when:
@@ -100,7 +100,7 @@
 - skip_ansible_lint
 - name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account"
- command: passwd -l {{ item }}
+ shell: passwd -l {{ item }}
 changed_when: false
 failed_when: false
 with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
@@ -122,7 +122,7 @@
 register: rhel_09_6_2_7_audit
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
- command: find -H {{ item.0 | quote }} -not -type l -perm /027
+ shell: find -H {{ item.0 | quote }} -not -type l -perm /027
 check_mode: false
 changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0
 register: rhel_09_6_2_7_patch_audit
@@ -251,7 +251,7 @@
 - rule_6.2.11
 - name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible"
- command: /bin/true
+ shell: /bin/true
 changed_when: false
 failed_when: false
 when:
@@ -464,7 +464,7 @@
 with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
 - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
- command: find -H {{ item.0 | quote }} -not -type l -perm /027
+ shell: find -H {{ item.0 | quote }} -not -type l -perm /027
 check_mode: false
 changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0
 register: rhel_09_6_2_20_patch_audit
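Review bot: The 6.2.20 task in the last hunk is titled "Ensure all users' home directories exist" but the line being rewritten, `find -H {{ item.0 | quote }} -not -type l -perm /027`, is the same permission probe as the 6.2.7 task in the @@ -122 hunk and can never report a missing directory: find on a non-existent path writes to stderr and exits non-zero, while `changed_when` only looks at stdout length. It looks like a copy of 6.2.7; an existence check such as `stat` on `{{ item.0 }}` (or `test -d {{ item.0 | quote }}` with the rc inspected) would match the title. The task's loop and `when` lie outside the hunk, so the exact shape of `item.0` should be confirmed there.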