Feb24 updates (#179)

* change logic thanks to @rjacobs1990 see #175 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @ipruteani-sie #134 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Thanks to @stwongst #125 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @sgomez86 #146 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added updates from #115 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed rp_filter in post added in error Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated yamllint precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated fqcn fo json_query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo for virt type query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-02-20 15:43:43 +00:00 · 2024-02-20 15:43:43 +00:00 · 40bc7aa082
commit 40bc7aa082
parent 06ec3de5c4
13 changed files with 21 additions and 55 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -3,7 +3,7 @@

 - name: Check OS version and family
  ansible.builtin.assert:
-      that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
+      that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
      fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
      success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
  when:
@ -66,7 +66,7 @@
 - name: Ensure root password is set
  block:
      - name: Ensure root password is set
-        ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
+        ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
        changed_when: false
        register: root_passwd_set

@ -102,7 +102,7 @@
            - system_is_container
  when:
      - ansible_connection == 'docker' or
-        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+        ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
      - container_discovery
      - always
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -26,19 +26,6 @@
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"

- name: POST | Update usr sysctl
-  ansible.builtin.lineinfile:
-      dest: /usr/lib/sysctl.d/50-default.conf
-      regexp: "{{ item.regexp }}"
-      line: "{{ item.line }}"
-  loop:
-      - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
-      - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
-  when:
-      - rhel9cis_sysctl_update
-      - not system_is_container
-      - "'procps-ng' in ansible_facts.packages"
-
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers

--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -28,7 +28,7 @@

      - name: Capture post-audit result
        ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+            post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}"
        vars:
            summary: summary."summary-line"

--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -95,7 +95,7 @@

      - name: Pre Audit | Capture pre-audit result
        ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+            pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}"
        vars:
            summary: summary."summary-line"

--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -97,7 +97,7 @@

 - name: "PRELIM | Section 1.1 | Create list of mount points"
  ansible.builtin.set_fact:
-      mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
+      mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@ -64,12 +64,11 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
  ansible.builtin.file:
      path: "{{ item.path }}"
-      mode: '0640'
-  loop: "{{ auditd_conf_files.files }}"
+      mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
      label: "{{ item.path }}"
  when:
-      - item.mode != '06(0|4)0'
      - rhel9cis_rule_4_1_4_5
  tags:
      - level2-server
@ -82,7 +81,7 @@
  ansible.builtin.file:
      path: "{{ item.path }}"
      owner: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
      label: "{{ item.path }}"
  when:
@ -98,7 +97,7 @@
  ansible.builtin.file:
      path: "{{ item.path }}"
      group: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
      label: "{{ item.path }}"
  when:
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -173,7 +173,7 @@

      - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
        ansible.builtin.debug:
-            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel_09_6_1_10_unowned_files_found

      - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
@ -220,7 +220,7 @@

      - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
        ansible.builtin.debug:
-            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel_09_6_1_11_ungrouped_files_found

      - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
@ -277,7 +277,7 @@

      - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
        ansible.builtin.debug:
-            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel9_6_1_13_suid_found

      - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
@ -320,7 +320,7 @@

      - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
        ansible.builtin.debug:
-            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
        when: rhel9_6_1_14_sgid_found

      - name: "6.1.14 | AUDIT | Audit SGID executables| warning"