forked from ansible-lockdown/RHEL9-CIS
lint updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
1992eea6da
commit
3df35e03a0
14 changed files with 58 additions and 55 deletions
|
|
@ -3,7 +3,7 @@
|
|||
- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
|
||||
service:
|
||||
name: crond
|
||||
enabled: yes
|
||||
enabled: true
|
||||
when:
|
||||
- rhel9cis_rule_5_1_1
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -275,15 +275,15 @@
|
|||
- name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
|
||||
shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
changed_when: false
|
||||
failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
|
||||
register: ssh_crypto_discovery
|
||||
|
||||
|
||||
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
|
||||
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
notify: restart sshd
|
||||
when: ssh_crypto_discovery.stdout | length > 0
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
shell: 'authselect current | grep "Profile ID: custom/"'
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_4_1_profiles
|
||||
|
||||
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
|
||||
|
|
@ -18,7 +18,7 @@
|
|||
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
|
||||
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
when: rhel9cis_authselect_custom_profile_create
|
||||
when:
|
||||
- rhel9cis_rule_5_4_1
|
||||
|
|
@ -36,7 +36,7 @@
|
|||
shell: "authselect current | grep with-faillock"
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_4_2_profiles_faillock
|
||||
|
||||
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
|
||||
|
|
@ -48,7 +48,7 @@
|
|||
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
|
||||
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
|
||||
args:
|
||||
warn: no
|
||||
warn: false
|
||||
when: rhel9cis_authselect_custom_profile_select
|
||||
when:
|
||||
- rhel9cis_rule_5_4_2
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@
|
|||
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_6_1_4_inactive_settings
|
||||
|
||||
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
|
||||
shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel_8_5_6_1_4_user_list
|
||||
|
||||
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
|
||||
|
|
@ -84,14 +84,14 @@
|
|||
shell: echo $(($(date --utc --date "$1" +%s)/86400))
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_6_1_5_currentut
|
||||
|
||||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
|
||||
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_5_6_1_5_user_list
|
||||
|
||||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
|
||||
|
|
@ -109,7 +109,7 @@
|
|||
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
|
||||
set_fact:
|
||||
control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"
|
||||
warn_count: "{{ warn_count|int + 1 }}"
|
||||
warn_count: "{{ warn_count | int + 1 }}"
|
||||
when:
|
||||
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
||||
- not rhel9cis_futurepwchgdate_autofix
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@
|
|||
|
||||
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
|
||||
blockinfile:
|
||||
create: yes
|
||||
create: true
|
||||
mode: 0644
|
||||
dest: "{{ item.dest }}"
|
||||
state: "{{ item.state }}"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue