Merge pull request #348 from ansible-lockdown/root_user_check

root password and other improvements

tasks/main.yml

@@ -132,8 +132,9 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
       changed_when: false
+      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
       register: prelim_root_passwd_set
 
     - name: "Ensure root password is set"

tasks/prelim.yml

@@ -4,9 +4,7 @@
 # List users in order to look files inside each home directory
 
 - name: "PRELIM | Include audit specific variables"
-  when:
-    - run_audit or audit_only
-    - setup_audit
+  when: run_audit or audit_only or setup_audit
   tags:
     - setup_audit
     - run_audit
@@ -14,9 +12,7 @@
     file: audit.yml
 
 - name: "PRELIM | Include pre-remediation audit tasks"
-  when:
-    - run_audit or audit_only
-    - setup_audit
+  when: run_audit or audit_only or setup_audit
   tags: run_audit
   ansible.builtin.import_tasks: pre_remediation_audit.yml
 
@@ -260,7 +256,7 @@
       rhel9cis_rule_5_1_11
   ansible.builtin.stat:
     path: /etc/ssh/sshd_config.d/50-redhat.conf
-  register: discovered_sshd_50_redhat_file
+  register: prelim_sshd_50_redhat_file
 
 - name: "PRELIM | AUDIT | Capture pam security related files"
   tags: always

tasks/section_1/cis_1.1.2.3.x.yml

@@ -21,12 +21,12 @@
       register: discovered_home_mount
 
     - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_home_mount is undefined
       ansible.builtin.debug:
         msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
 
     - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_home_mount is undefined
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 

tasks/section_1/cis_1.1.2.4.x.yml

@@ -22,12 +22,12 @@
       register: discovered_var_mount
 
     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_var_mount is undefined
       ansible.builtin.debug:
         msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
 
     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_var_mount is undefined
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 

tasks/section_1/cis_1.3.1.x.yml

@@ -106,7 +106,7 @@
     warn_control_id: '1.3.1.6'
   block:
     - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
-      ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
+      ansible.builtin.shell: ps -eZ | grep unconfined_service_t | grep -Evw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
       register: discovered_unconf_services
       failed_when: false
       changed_when: false

tasks/section_5/cis_5.1.x.yml

@@ -276,10 +276,10 @@
       notify: Restart sshd
 
     - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
-      when: discovered_sshd_50_redhat_file.stat.exists
+      when: prelim_sshd_50_redhat_file.stat.exists
       ansible.builtin.lineinfile:
         path: /etc/ssh/sshd_config.d/50-redhat.conf
-        regexp: ^(?i)(#|)\s*X11Forwarding
+        regexp: (?i)^(#|)\s*X11Forwarding
         line: 'X11Forwarding {{ rhel9cis_sshd_x11forwarding }}'
         validate: sshd -t -f %s
       notify: Restart sshd
@@ -299,10 +299,10 @@
     - NIST800-53R5_IA-5
   block:
     - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
-      when: discovered_sshd_50_redhat_file.stat.exists
+      when: prelim_sshd_50_redhat_file.stat.exists
       ansible.builtin.lineinfile:
         path: /etc/ssh/sshd_config.d/50-redhat.conf
-        regexp: ^(?i)(#|)\s*GSSAPIAuthentication
+        regexp: (?i)^(#|)\s*GSSAPIAuthentication
         line: GSSAPIAuthentication no
         validate: sshd -t -f %s
       notify: Restart sshd
@@ -310,7 +310,7 @@
     - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config"
       ansible.builtin.lineinfile:
         path: "{{ rhel9cis_sshd_config_file }}"
-        regexp: ^(?i)(#|)\s*GSSAPIAuthentication
+        regexp: (?i)^(#|)\s*GSSAPIAuthentication
         line: GSSAPIAuthentication no
         validate: sshd -t -f %s
       notify: Restart sshd
@@ -330,7 +330,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*HostbasedAuthentication
+    regexp: (?i)^(#|)\s*HostbasedAuthentication
     line: 'HostbasedAuthentication no'
     validate: sshd -t -f %s
   notify: Restart sshd
@@ -350,7 +350,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*IgnoreRhosts
+    regexp: (?i)^(#|)\s*IgnoreRhosts
     line: 'IgnoreRhosts yes'
     insertbefore: "^Match"
     firstmatch: true
@@ -368,7 +368,7 @@
     - NIST800-53R5_CM-6
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*LoginGraceTime
+    regexp: (?i)^(#|)\s*LoginGraceTime
     line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
     insertbefore: "^Match"
     firstmatch: true
@@ -388,7 +388,7 @@
     - NIST800-53R5_SI-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*LogLevel
+    regexp: (?i)^(#|)\s*LogLevel
     line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
     insertbefore: "^Match"
     firstmatch: true
@@ -426,7 +426,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*MaxStartups
+    regexp: (?i)^(#|)\s*MaxStartups
     line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
     validate: sshd -t -f %s
   notify: Restart sshd
@@ -446,7 +446,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*MaxSessions
+    regexp: (?i)^(#|)\s*MaxSessions
     line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
     validate: sshd -t -f %s
   notify: Restart sshd
@@ -466,7 +466,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*PermitEmptyPasswords
+    regexp: (?i)^(#|)\s*PermitEmptyPasswords
     line: 'PermitEmptyPasswords no'
     validate: sshd -t -f %s
   notify: Restart sshd
@@ -484,7 +484,7 @@
     - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file"
       ansible.builtin.lineinfile:
         path: "{{ rhel9cis_sshd_config_file }}"
-        regexp: ^(?i)(#|)\s*PermitRootLogin
+        regexp: (?i)^(#|)\s*PermitRootLogin
         line: 'PermitRootLogin no'
         validate: sshd -t -f %s
       notify: Restart sshd
@@ -510,7 +510,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*PermitUserEnvironment
+    regexp: (?i)^(#|)\s*PermitUserEnvironment
     line: 'PermitUserEnvironment no'
     validate: sshd -t -f %s
   notify: Restart sshd
@@ -530,7 +530,7 @@
     - NIST800-53R5_IA-5
   ansible.builtin.lineinfile:
     path: "{{ rhel9cis_sshd_config_file }}"
-    regexp: ^(?i)(#|)\s*UsePAM
+    regexp: (?i)^(#|)\s*UsePAM
     line: 'UsePAM yes'
     validate: sshd -t -f %s
   notify: Restart sshd