improvments v2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-08-07 10:30:08 +01:00 · 2024-08-07 10:30:08 +01:00 · 4f566974c9
commit 4f566974c9
parent 0fc418a222
15 changed files with 110 additions and 58 deletions
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@ -13,7 +13,6 @@
    - NIST800-53R5_SC-6
  ansible.builtin.debug:
    msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
-  changed_when: true
  notify:
    - Update Crypto Policy
    - Set Crypto Policy
@ -135,8 +134,8 @@
  block:
    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
      ansible.builtin.template:
-        src: etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2
-        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod
+        src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
+        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
        owner: root
        group: root
        mode: '0640'
@ -146,7 +145,7 @@

    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
      ansible.builtin.set_fact:
-        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKMAC' }}"
+        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKCIPHERS' }}"

 - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh"
  when:
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -12,25 +12,27 @@
    - rule_6.1.1
    - NIST800-53R5_AU-2
  block:
-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Install AIDE"
+    - name: "6.1.1 | PATCH | Ensure AIDE is installed"
      ansible.builtin.package:
        name: aide
        state: present
+      register: aide_installed

-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
-      when: not ansible_check_mode
-      ansible.builtin.shell: /usr/sbin/aide --init
-      args:
+    - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
+      when: aide_installed.changed  # noqa: no-handler
+      block:
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
+          ansible.builtin.shell: /usr/sbin/aide --init

-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing"
-      ansible.builtin.wait_for:
-        path: /var/lib/aide/aide.db.new.gz
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing"
+          ansible.builtin.wait_for:
+            path: /var/lib/aide/aide.db.new.gz

-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
-      ansible.builtin.copy:
-        src: /var/lib/aide/aide.db.new.gz
-        dest: /var/lib/aide/aide.db.gz
-        remote_src: true
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB |copy AIDE DB"
+          ansible.builtin.copy:
+            src: /var/lib/aide/aide.db.new.gz
+            dest: /var/lib/aide/aide.db.gz
+            remote_src: true

 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
  when: