sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

lint updates

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-09-16 11:34:42 +01:00
parent 1992eea6da
commit 3df35e03a0
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
14 changed files with 58 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

4
handlers/main.yml
View file

@ -14,7 +14,7 @@
name: net.ipv4.route.flush
value: '1'
sysctl_set: true
ignore_errors: true
ignore_errors: true # noqa ignore-errors
when:
- flush_ipv4_route
- not system_is_container
@ -78,7 +78,7 @@
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
args:
warn: false
ignore_errors: true
ignore_errors: true # noqa ignore-errors
tags:
- skip_ansible_lint

2
tasks/section_1/cis_1.6.1.x.yml
View file

@ -19,7 +19,7 @@
regexp: 'selinux=0'
replace: ''
register: selinux_grub_patch
ignore_errors: yes
ignore_errors: true # noqa ignore-errors
notify: grub2cfg
when:
- rhel9cis_rule_1_6_1_2

2
tasks/section_3/cis_3.4.2.x.yml
View file

@ -39,7 +39,7 @@
name: "{{ item }}"
enabled: false
masked: true
ignore_errors: true
ignore_errors: true # noqa ignore-errors
with_items:
- iptables
- ip6tables

6
tasks/section_4/cis_4.1.1.x.yml
View file

@ -27,7 +27,7 @@
service:
name: auditd
state: started
enabled: yes
enabled: true
when:
- rhel9cis_rule_4_1_1_2
tags:
@ -44,7 +44,7 @@
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
@ -79,7 +79,7 @@
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_4_1_1_4_grub_cmdline_linux
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"

2
tasks/section_4/cis_4.1.3.x.yml
View file

@ -77,7 +77,7 @@
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: priv_procs
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"

8
tasks/section_4/cis_4.2.1.x.yml
View file

@ -18,7 +18,7 @@
- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
service:
name: rsyslog
enabled: yes
enabled: true
when:
- rhel9cis_rule_4_2_1_2
tags:
@ -65,10 +65,10 @@
block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
command: cat /etc/rsyslog.conf
become: yes
become: true
changed_when: false
failed_when: no
check_mode: no
failed_when: false
check_mode: false
register: rhel_08_4_2_1_5_audit
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"

8
tasks/section_4/cis_4.2.2.x.yml
View file

@ -39,7 +39,7 @@
systemd:
name: systemd-journal-upload
state: started
enabled: yes
enabled: true
when:
- rhel9cis_system_is_log_server
- rhel9cis_rule_4_2_2_1_3
@ -55,8 +55,8 @@
systemd:
name: systemd-journal-remote.socket
state: stopped
enabled: no
masked: yes
enabled: false
masked: true
when:
- not rhel9cis_system_is_log_server
- rhel9cis_rule_4_2_2_1_4
@ -74,7 +74,7 @@
systemd:
name: systemd-journald
state: started
enabled: yes
enabled: true
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
shell: systemctl is-enabled systemd-journald.service

2
tasks/section_5/cis_5.1.x.yml
View file

@ -3,7 +3,7 @@
- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
service:
name: crond
enabled: yes
enabled: true
when:
- rhel9cis_rule_5_1_1
tags:

4
tasks/section_5/cis_5.2.x.yml
View file

@ -275,7 +275,7 @@
- name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
args:
warn: no
warn: false
changed_when: false
failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
register: ssh_crypto_discovery
@ -283,7 +283,7 @@
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
args:
warn: no
warn: false
notify: restart sshd
when: ssh_crypto_discovery.stdout | length > 0
when:

8
tasks/section_5/cis_5.4.x.yml
View file

@ -6,7 +6,7 @@
shell: 'authselect current | grep "Profile ID: custom/"'
failed_when: false
changed_when: false
check_mode: no
check_mode: false
register: rhel9cis_5_4_1_profiles
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
@ -18,7 +18,7 @@
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
args:
warn: no
warn: false
when: rhel9cis_authselect_custom_profile_create
when:
- rhel9cis_rule_5_4_1
@ -36,7 +36,7 @@
shell: "authselect current | grep with-faillock"
failed_when: false
changed_when: false
check_mode: no
check_mode: false
register: rhel9cis_5_4_2_profiles_faillock
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
@ -48,7 +48,7 @@
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
args:
warn: no
warn: false
when: rhel9cis_authselect_custom_profile_select
when:
- rhel9cis_rule_5_4_2

8
tasks/section_5/cis_5.6.1.x.yml
View file

@ -51,7 +51,7 @@
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_5_6_1_4_inactive_settings
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
@ -61,7 +61,7 @@
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: no
check_mode: false
register: rhel_8_5_6_1_4_user_list
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
@ -84,14 +84,14 @@
shell: echo $(($(date --utc --date "$1" +%s)/86400))
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_5_6_1_5_currentut
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_5_6_1_5_user_list
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"

2
tasks/section_5/cis_5.6.x.yml
View file

@ -49,7 +49,7 @@
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
blockinfile:
create: yes
create: true
mode: 0644
dest: "{{ item.dest }}"
state: "{{ item.state }}"

7
tasks/section_6/cis_6.1.x.yml
View file

@ -5,7 +5,7 @@
- name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages"
shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
args:
warn: no
warn: false
changed_when: false
failed_when: false
register: rhel9cis_6_1_1_packages_rpm
@ -16,6 +16,9 @@
copy:
dest: "{{ rhel9cis_rpm_audit_file }}"
content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}"
owner: root
group: root
mode: 0640
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
debug:
@ -46,7 +49,7 @@
- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
args:
warn: no
warn: false
changed_when: false
failed_when: false
when:

26
tasks/section_6/cis_6.2.x.yml
View file

@ -161,7 +161,7 @@
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_6_2_6_group_group_check
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
@ -194,23 +194,23 @@
block:
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value"
shell: 'echo $PATH | grep ::'
changed_when: False
changed_when: false
failed_when: rhel9cis_6_2_7_path_colon.rc == 0
check_mode: no
check_mode: false
register: rhel9cis_6_2_7_path_colon
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end"
shell: 'echo $PATH | grep :$'
changed_when: False
changed_when: false
failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0
check_mode: no
check_mode: false
register: rhel9cis_6_2_7_path_colon_end
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
changed_when: False
changed_when: false
failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines'
check_mode: no
check_mode: false
register: rhel9cis_6_2_7_dot_in_path
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
@ -280,7 +280,7 @@
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
file:
path: "{{ item.0 }}"
recurse: yes
recurse: true
mode: a-st,g-w,o-rwx
register: rhel_08_6_2_9_patch
when:
@ -296,9 +296,9 @@
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
acl:
path: "{{ item.0 }}"
default: yes
default: true
state: present
recursive: yes
recursive: true
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
when:
@ -368,7 +368,7 @@
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
file:
path: "{{ item.0 }}"
recurse: yes
recurse: true
mode: a-st,g-w,o-rwx
register: rhel_08_6_2_11_patch
when:
@ -384,9 +384,9 @@
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
acl:
path: "{{ item.0 }}"
default: yes
default: true
state: present
recursive: yes
recursive: true
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
when: