diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
index 93e2eae..f917a99 100644
--- a/tasks/section_1/cis_1.6.1.x.yml
+++ b/tasks/section_1/cis_1.6.1.x.yml
@@ -47,8 +47,7 @@
       - patch
       - rule_1.6.1.3
 
-# State set to enforcing because control 1.6.1.5 requires enforcing to be set
-- name: "1.6.1.4 | PATCH | Ensure the SELinux mode is not disabled"
+- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing"
   selinux:
       conf: /etc/selinux/config
       policy: "{{ rhel9cis_selinux_pol }}"
@@ -56,80 +55,64 @@
   when:
       - not rhel9cis_selinux_disable
       - rhel9cis_rule_1_6_1_4
-  tags:
-      - level1-server
-      - level1-workstation
-      - auotmated
-      - selinux
-      - patch
-      - rule_1.6.1.4
-
-- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing"
-  selinux:
-      conf: /etc/selinux/config
-      policy: "{{ rhel9cis_selinux_pol }}"
-      state: enforcing
-  when:
-      - not rhel9cis_selinux_disable
-      - rhel9cis_rule_1_6_1_5
   tags:
       - level2-server
       - level2-workstation
       - automated
       - selinux
       - patch
-      - rule_1.6.1.5
+      - rule_1.6.1.4
 
-- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist"
+- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist"
   block:
-      - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
+      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
         shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
-        register: rhelcis_1_6_1_6_unconf_services
+        register: rhelcis_1_6_1_5_unconf_services
         failed_when: false
         changed_when: false
 
-      - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services"
+      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services"
         debug:
             msg: "Good News! There are no services found on your system"
-        when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0
+        when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0
 
-      - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
+      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
         debug:
-            msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"
-        when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
+            msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"
+        when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
   when:
-      - rhel9cis_rule_1_6_1_6
+      - rhel9cis_rule_1_6_1_5
   tags:
       - level1-server
       - level1-workstation
       - automated
       - audit
       - services
-      - rule_1.6.1.6
+      - rule_1.6.1.5
 
-- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed"
+- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed"
   package:
       name: setroubleshoot
       state: absent
   when:
-      - rhel9cis_rule_1_6_1_7
+      - rhel9cis_rule_1_6_1_6
       - "'setroubleshoot' in ansible_facts.packages"
   tags:
       - level1-server
       - automated
       - selinux
       - patch
-      - rule_1.6.1.7
+      - rule_1.6.1.6
 
-- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
+- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
   package:
       name: mcstrans
       state: absent
   when:
-      - rhel9cis_rule_1_6_1_8
+      - rhel9cis_rule_1_6_1_7
   tags:
       - level1-server
       - level1-workstation
       - automated
       - patch
-      - rule_1.6.1.8
+      - rule_1.6.1.7
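Review bot: The merged 1.6.1.4 task now carries only the `level2-server` / `level2-workstation` tags inherited from the removed 1.6.1.5 block, while the `level1-server` / `level1-workstation` tags the old 1.6.1.4 had are deleted with its `tags:` list, so a run limited to level-1 tags no longer touches the SELinux state at all. If level 1 is still meant to guarantee SELinux is not disabled, either add `- level1-server` and `- level1-workstation` back under the task's `tags:` or keep a separate level-1 task for that check. The 1.6.1.4 task starts in the previous hunk and its `state:` line falls between the two hunks, so whether it now sets `enforcing` cannot be confirmed from this diff. Separately, the renamed register `rhelcis_1_6_1_5_unconf_services` keeps a `rhelcis_` prefix while every rule variable in these hunks uses `rhel9cis_`; since these lines are being rewritten anyway, `rhel9cis_1_6_1_5_unconf_services` would match the file's convention.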