Merge pull request #9 from ansible-lockdown/mount_opts_updates

Mount opts and gpg updates
2024-11-12 13:49:20 +00:00 · 2024-11-12 13:49:20 +00:00 · 4869103bf5
commit 4869103bf5
parent af003176e7 f02a9d442f
8 changed files with 13 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -992,6 +992,11 @@ rhel9cis_futurepwchgdate_autofix: true
 # 5.4.2.x
 rhel9cis_root_umask: '0027'  # 0027 or more restrictive

+## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
+# The system users on this list are allowed to have a shell (e.g. applications
+# that require a shell to function)
+rhel9cis_system_users_shell: []
+
 ## Control 5.4.3.2 - Configuring user shell timeout
 # This dictionary is related to ensuring the rule about user shell timeout
 # This variable represents the amount of seconds a command or process is allowed to
--- a/tasks/section_1/cis_1.1.2.1.x.yml
+++ b/tasks/section_1/cis_1.1.2.1.x.yml
@ -33,7 +33,7 @@
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
-    opts: defaults,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %}
+    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}"
  notify: Remount tmp
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
--- a/tasks/section_1/cis_1.1.2.4.x.yml
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
@ -45,7 +45,7 @@
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
-    opts: defaults,{% if rhel9cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4_3 %}nosuid{% endif %}
+    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nosuid{% endif %}"
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
--- a/tasks/section_1/cis_1.1.2.5.x.yml
+++ b/tasks/section_1/cis_1.1.2.5.x.yml
@ -49,7 +49,7 @@
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
-    opts: defaults,{% if rhel9cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_5_4 %}noexec{% endif %}
+    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_5_4) %},noexec{% endif %}"
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@ -47,7 +47,7 @@
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
-    opts: defaults,{% if rhel9cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_6_4 %}noexec{% endif %}
+    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_6_4) %},noexec{% endif %}"
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@ -47,7 +47,7 @@
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
-    opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %}
+    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_7_4) %},noexec{% endif %}"
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
--- a/tasks/section_1/cis_1.2.1.x.yml
+++ b/tasks/section_1/cis_1.2.1.x.yml
@ -53,7 +53,7 @@
    - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
      ansible.builtin.replace:
        name: "{{ item.path }}"
-        regexp: "^gpgcheck=0"
+        regexp: ^gpgcheck\s*=\s*0
        replace: "gpgcheck=1"
      loop: "{{ discovered_yum_repos.files }}"
      loop_control:
@ -87,7 +87,7 @@
    - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
      ansible.builtin.replace:
        path: "{{ item.path }}"
-        regexp: '^repo_gpgcheck( |)=( |)0'
+        regexp: ^repo_gpgcheck\s*=s*0
        replace: repo_gpgcheck=1
      loop: "{{ discovered_repo_files.files }}"
      loop_control:
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -199,6 +199,7 @@
  when:
    - rhel9cis_rule_5_4_2_7
    - "item.id not in prelim_interactive_usernames.stdout"
+    - item.id not in rhel9cis_system_users_shell
    - "'root' not in item.id"
    - rhel9cis_disruption_high
  tags: