diff --git a/handlers/main.yml b/handlers/main.yml index 533660d..f96d9fb 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -14,7 +14,7 @@ name: net.ipv4.route.flush value: '1' sysctl_set: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors when: - flush_ipv4_route - not system_is_container @@ -78,7 +78,7 @@ shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false - ignore_errors: true + ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f2b231e..9a8d134 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -19,7 +19,7 @@ regexp: 'selinux=0' replace: '' register: selinux_grub_patch - ignore_errors: yes + ignore_errors: true # noqa ignore-errors notify: grub2cfg when: - rhel9cis_rule_1_6_1_2 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 7169fb3..81fe733 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -39,7 +39,7 @@ name: "{{ item }}" enabled: false masked: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors with_items: - iptables - ip6tables diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index ffe7205..258b64f 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -27,7 +27,7 @@ service: name: auditd state: started - enabled: yes + enabled: true when: - rhel9cis_rule_4_1_1_2 tags: @@ -44,7 +44,7 @@ shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" 
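Review bot: `ignore_errors: true` on the grub2cfg handler (`shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"`) lets a failed grub.cfg regeneration pass silently, so boot-time settings that notify this handler (the `selinux=0` removal in 1.6.1.2 is visible further down in this diff) may never reach the boot loader while the play reports success; the added `# noqa ignore-errors` silences the linter, not the problem. If the known benign failure is the container case, gate it the way the sysctl handler in the previous hunk does, `when: - not system_is_container`, and drop `ignore_errors`; otherwise `register: rhel9cis_grub2cfg` plus `failed_when: rhel9cis_grub2cfg.rc != 0` at least keeps the failure visible. The handler's own `when:`, if it has one, is outside the hunk.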
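Review bot: The `replace` task that strips `selinux=0` from the grub configuration (1.6.1.2) keeps `ignore_errors: true`, now with a noqa marker, but the only things `replace` can fail on here are a missing file or a permission problem, and both mean SELinux stays disabled at the next boot while the run reports success. Drop `ignore_errors` and, if the file is legitimately absent on some targets, make that explicit with `when: - not system_is_container` alongside `rhel9cis_rule_1_6_1_2` (that `when:` list continues outside the hunk).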
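Review bot: `ignore_errors: true` on the task that masks `iptables`/`ip6tables` (3.4.2.x) covers the case where the units are not installed, but it equally hides a real failure to mask a unit that is present, which leaves two firewall backends enabled — the exact condition this control exists to prevent. If `service_facts` is gathered earlier in the role, gate per item with `when: (item ~ '.service') in ansible_facts.services` and remove `ignore_errors`; otherwise register the result and use `failed_when: result is failed and 'Could not find the requested service' not in result.msg` (that is the systemd module's not-found message as far as I recall — confirm on the target ansible-core version).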
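Review bot: In the 4.1.1.3 capture task, `sed 's/.$//'` unconditionally removes the last character of the `GRUB_CMDLINE_LINUX=` line, which only does the intended thing when the value is double-quoted; an unquoted value loses its final character, and with `failed_when: false` an absent line hands an empty string to the "Replace existing setting" task that follows (outside this hunk). `sed 's/"$//'` strips only a closing quote and leaves anything else intact. The 4.1.1.4 capture in the next hunk has the same construction.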
@@ -79,7 +79,7 @@ shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_4_1_1_4_grub_cmdline_linux - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 40a7517..8272b7e 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -77,7 +77,7 @@ shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false - check_mode: no + check_mode: false register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 7e70a02..99e253a 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -18,7 +18,7 @@ - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: yes + enabled: true when: - rhel9cis_rule_4_2_1_2 tags: @@ -65,10 +65,10 @@ block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" command: cat /etc/rsyslog.conf - become: yes + become: true changed_when: false - failed_when: no - check_mode: no + failed_when: false + check_mode: false register: rhel_08_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 7a35d8f..f172f96 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -39,7 +39,7 @@ systemd: name: systemd-journal-upload state: started - enabled: yes + enabled: true when: - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 
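Review bot: The privileged-command discovery in 4.1.3.5 (`df | grep '^/dev' | awk '{ print $NF }'`) relies on `df` output that, without `-P`, may wrap a long device name (LVM `/dev/mapper/...` paths are the usual case) onto its own line, so the mount point ends up on a line that does not start with `/dev` and that filesystem is silently left out of the setuid/setgid scan feeding 4.1.3.6; `$i` is also unquoted. The 6.1.2 task later in this same change already uses `df --local -P`, so align on that: `shell: for i in $(df --local -P | awk '$1 ~ /^\/dev/ { print $6 }'); do find "$i" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null; done`. The task that consumes `priv_procs` is outside the hunk.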
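Review bot: The 4.2.1.5 audit only reads `/etc/rsyslog.conf`; on RHEL the stock file typically includes `/etc/rsyslog.d/*.conf`, so any logging rules kept there never appear in the "message out" task and the operator reviewing the output sees an incomplete picture. `command:` does not expand globs, so use `shell: cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf` (keeping `failed_when: false` for the no-drop-ins case). The register name `rhel_08_4_2_1_5_audit` also looks like a leftover from the RHEL 8 role; the rest of this diff uses `rhel9cis_*`.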
@@ -55,8 +55,8 @@ systemd: name: systemd-journal-remote.socket state: stopped - enabled: no - masked: yes + enabled: false + masked: true when: - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 @@ -74,7 +74,7 @@ systemd: name: systemd-journald state: started - enabled: yes + enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" shell: systemctl is-enabled systemd-journald.service @@ -91,7 +91,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 @@ -203,7 +203,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 734b434..ef82f98 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -3,7 +3,7 @@ - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond - enabled: yes + enabled: true when: - rhel9cis_rule_5_1_1 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 73b804f..202ee8c 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -275,15 +275,15 @@ - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd args: - warn: no + warn: false changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - + - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd args: - warn: no + warn: false notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 501af41..11ddbbd 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -6,7 +6,7 @@ shell: 'authselect current | grep "Profile ID: custom/"' failed_when: false changed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_4_1_profiles - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" @@ -18,7 +18,7 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 @@ -36,7 +36,7 @@ shell: "authselect current | grep with-faillock" failed_when: false changed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_4_2_profiles_faillock - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" @@ -48,7 +48,7 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 
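Review bot: Both 5.2.14 tasks keep `args: warn: false` on `shell`; the `warn` option was deprecated and then removed from the command/shell modules (ansible-core 2.14, as I recall), so on a current core these tasks fail with an unsupported-parameter error rather than commenting out the `CRYPTO_POLICY` override. The discovery is also case-insensitive (`grep -i`) while the `sed` is not, so a `crypto_policy=` line triggers a no-op patch every run with no `changed_when`. Replacing the grep-plus-`sed -ri` pair with the `replace` module is idempotent, check-mode aware and needs neither `warn` nor the separate discovery task.

```yaml
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
  replace:
    path: /etc/sysconfig/sshd
    regexp: '^\s*(CRYPTO_POLICY\s*=.*)$'
    replace: '# \1'
  notify: restart sshd
# … unchanged: outer when: with rhel9cis_rule_5_2_14 …
```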
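Review bot: The 5.4.1 create-profile task interpolates `rhel9cis_authselect['custom_profile_name']` and `['default_file_to_copy']` straight into a `shell` line; anything that can set those variables (inventory, group_vars, extra-vars) can inject shell metacharacters into a privileged command. Quote them, `shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] | quote }} -b {{ rhel9cis_authselect['default_file_to_copy'] | quote }}`, or switch to `command:` so no shell is involved. The `args: warn: false` kept here is a parameter that recent ansible-core releases no longer accept on `shell` (removed in 2.14, to my knowledge), so it is worth dropping while touching the task.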
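Review bot: The 5.4.2 `authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock` task has the same unquoted-variable shell interpolation as 5.4.1; add `| quote` to the expression or use `command:`. The task also has no `changed_when`, so it reports a change on every run even when the audit in the previous hunk (`rhel9cis_5_4_2_profiles_faillock`) already found `with-faillock` active; if the outer `when:` (outside the hunk) does not consult that register, consider `when: rhel9cis_5_4_2_profiles_faillock.stdout | length == 0` on this task.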
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 4addbc5..1163abb 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -51,7 +51,7 @@ shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" @@ -61,7 +61,7 @@ - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false - check_mode: no + check_mode: false register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" @@ -84,14 +84,14 @@ shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_5_currentut - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_5_user_list - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" 
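Review bot: The 5.6.1.4 discovery `useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }}` is a substring match, so with `lock_days: 30` a current setting of `INACTIVE=300` also matches, and the task name suggests the comparison downstream decides whether the default gets fixed (that "Set default inactive setting" task is outside the hunk). Read the value unconditionally, `shell: useradd -D | grep '^INACTIVE=' | cut -f2 -d=`, and compare it in the patch task's `when:` against `rhel9cis_inactivelock.lock_days | string`. That also removes a Jinja value from the shell line.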
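Review bot: In 5.6.1.5 the day-count task carries `failed_when: false`, and its stdout is spliced into the awk program of the next task (`'{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'`), which is also `failed_when: false`; if `date` fails the awk becomes `$3>)`, awk exits non-zero, `rhel9cis_5_6_1_5_user_list` is empty and the control silently passes. The `"$1"` argument is never set inside an Ansible task, so the command is simply `shell: echo $(( $(date --utc +%s) / 86400 ))`; drop `failed_when: false` from it, or guard with `failed_when: rhel9cis_5_6_1_5_currentut.stdout is not match('^[0-9]+$')`. The `cat /etc/shadow | awk` in the second task can be `awk -F: ... /etc/shadow`.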
@@ -109,7 +109,7 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 14b4a50..474a378 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -49,7 +49,7 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: - create: yes + create: true mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c61b51e..2cef0f7 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: no + warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -16,6 +16,9 @@ copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" + owner: root + group: root + mode: 0640 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: @@ -26,7 +29,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" 
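Review bot: The 6.1.1 `rpm -Va` task keeps `args: warn: false`, a `shell` option that recent ansible-core releases reject as an unsupported parameter (removed in 2.14, as I recall), so the whole audit block errors before it runs on a current control node; delete the `args:` stanza. `failed_when: false` is otherwise appropriate here since `rpm -Va` exits non-zero whenever it reports a discrepancy.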
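Review bot: Adding `owner: root`, `group: root` and a restrictive mode to the `rpm -Va` output file is the right call, since that listing tells a reader exactly which system files diverge from the package database. Quote the mode, `mode: "0640"`, so it is unambiguous to the YAML parser regardless of YAML 1.1/1.2 handling of a leading-zero literal (Ansible documents either a leading zero or quotes; quoting is the form that survives linters and reformatters). The task also writes the file when `stdout` is empty, which is harmless but could be skipped with `when: rhel9cis_6_1_1_packages_rpm.stdout | length > 0`.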
@@ -46,7 +49,7 @@ - name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t args: - warn: no + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 3225895..eb4bcde 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -39,7 +39,7 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_2 @@ -73,7 +73,7 @@ - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_3 @@ -107,7 +107,7 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 when: @@ -142,7 +142,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 
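Review bot: The 6.1.2 task runs `chmod a+t` yet declares `changed_when: false`, so a run that actually modifies world-writable directories reports no change, and `failed_when: false` hides a chmod failure; the newline-delimited `xargs chmod` also breaks on directory names containing whitespace, and the `find` re-chmods directories that already have the sticky bit. Filter and NUL-delimit in one go and derive the change status from output: `shell: df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print0 2>/dev/null | xargs -0 -r chmod -v a+t`, then `register: rhel9cis_6_1_2_sticky` and `changed_when: rhel9cis_6_1_2_sticky.stdout | length > 0`. The `args: warn: false` stanza is a `shell` option that recent ansible-core no longer accepts (removed in 2.14, to my knowledge) and should go as well.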
@@ -161,7 +161,7 @@ shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_6_2_6_group_group_check - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" @@ -177,7 +177,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_6_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_6 @@ -194,23 +194,23 @@ block: - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" shell: 'echo $PATH | grep ::' - changed_when: False + changed_when: false failed_when: rhel9cis_6_2_7_path_colon.rc == 0 - check_mode: no + check_mode: false register: rhel9cis_6_2_7_path_colon - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" shell: 'echo $PATH | grep :$' - changed_when: False + changed_when: false failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 - check_mode: no + check_mode: false register: rhel9cis_6_2_7_path_colon_end - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - changed_when: False + changed_when: false failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' - check_mode: no + check_mode: false register: rhel9cis_6_2_7_dot_in_path - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" @@ -280,7 +280,7 @@ - name: "6.2.9 | PATCH | Ensure all users' home directories exist" file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_08_6_2_9_patch when: 
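Review bot: The 6.2.6 check is named "Ensure no duplicate group names exist" but runs `getent passwd | cut -d: -f1 | sort -n | uniq -d`, which inspects user names (already covered by 6.2.5) and never looks at the group database, so duplicate group names go undetected. Use `shell: 'getent group | cut -d: -f1 | sort | uniq -d'`; `sort -n` on names is also the wrong tool, plain `sort` is what `uniq -d` needs. The "Print message" task that follows is outside the hunk.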
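Review bot: The 6.2.6 warning-count task fires on `when: rhel9cis_6_2_6_group_group_check.stdout is not defined`, but a registered command result always has `stdout`, so this condition is never true and 6.2.6 can never contribute to `warn_count` even when duplicates are found. Every sibling control in this file uses the content test; make it `when: rhel9cis_6_2_6_group_group_check.stdout | length >= 1`.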
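Review bot: The first two 6.2.7 checks evaluate `echo $PATH` in the non-login shell of the Ansible connection user, while the third deliberately uses `/bin/bash --login -c` to read the login-shell PATH; the empty-entry and trailing-colon results therefore depend on how Ansible was invoked rather than on root's actual login environment the benchmark is about. Use the same form for all three, e.g. `shell: "/bin/bash --login -c 'echo $PATH' | grep ::"` and `shell: "/bin/bash --login -c 'echo $PATH' | grep :$"`. Note these tasks use `failed_when: ...rc == 0`, which aborts the play, whereas the neighbouring controls record a warning; that inconsistency may be intentional but is worth a comment on the block.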
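Review bot: The `file` task under 6.2.9 sets `recurse: true` with no `state:`; `ansible.builtin.file` refuses `recurse` unless `state: directory` (the module fails with "recurse option requires state to be 'directory'", as far as I recall), so this task errors instead of remediating. The task is also named "Ensure all users' home directories exist" but performs the 6.2.11 permission change (`mode: a-st,g-w,o-rwx`) rather than creating anything, and recursing into home-directory contents goes beyond the benchmark's check on the home directory itself and strips setgid from any shared directories under a home. Add `state: directory` and drop `recurse: true` here, and consider whether 6.2.9 should instead carry a `state: directory` creation task. The task's `when:` list and the register name `rhel_08_6_2_9_patch` (a RHEL 8 leftover next to `rhel9cis_*` everywhere else) continue outside the hunk.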
@@ -296,12 +296,12 @@ - name: "6.2.9 | PATCH | Ensure all users' home directories exist" acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: + when: - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | @@ -368,7 +368,7 @@ - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_08_6_2_11_patch when: @@ -384,12 +384,12 @@ - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: + when: - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
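Review bot: The 6.2.11 `file` task combines `recurse: true` with no `state:` key, and `ansible.builtin.file` rejects `recurse` unless `state: directory` (it fails with "recurse option requires state to be 'directory'", to my knowledge), so the permission fix for users' home directories never applies. Since the control is about the home directory itself being 750 or stricter, `state: directory` without `recurse` is sufficient: `state: directory`, `mode: a-st,g-w,o-rwx`, and remove `recurse: true`. The `when:` list and the `rhel_08_6_2_11_patch` register name (the rest of the diff uses `rhel9cis_*`) continue outside the hunk.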