forked from ansible-lockdown/RHEL9-CIS
linting updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
4fc57c5a1f
commit
671ba154e7
13 changed files with 86 additions and 546 deletions
|
|
@ -114,26 +114,26 @@
|
|||
|
||||
- name: "PRELIM | AUDIT | Check authselect profile is selected"
|
||||
when:
|
||||
- rhel9cis_allow_authselect_updates
|
||||
- rhel9cis_allow_authselect_updates
|
||||
tags:
|
||||
- always
|
||||
- always
|
||||
block:
|
||||
- name: "PRELIM | AUDIT | Check authselect profile name has been updated"
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
|
||||
fail_msg: "You still have the default name for your authselect profile"
|
||||
- name: "PRELIM | AUDIT | Check authselect profile name has been updated"
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
|
||||
fail_msg: "You still have the default name for your authselect profile"
|
||||
|
||||
- name: "PRELIM | AUDIT | Check authselect profile is selected"
|
||||
ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
|
||||
changed_when: false
|
||||
failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
|
||||
register: prelim_authselect_current_profile
|
||||
- name: "PRELIM | AUDIT | Check authselect profile is selected"
|
||||
ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
|
||||
changed_when: false
|
||||
failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
|
||||
register: prelim_authselect_current_profile
|
||||
|
||||
- name: "PRELIM | AUDIT | Check authselect profile is selected"
|
||||
ansible.builtin.assert:
|
||||
that: prelim_authselect_current_profile is defined
|
||||
success_msg: "Authselect is running and profile is selected"
|
||||
fail_msg: Authselect updates have been selected there are issues with profile selection"
|
||||
- name: "PRELIM | AUDIT | Check authselect profile is selected"
|
||||
ansible.builtin.assert:
|
||||
that: prelim_authselect_current_profile is defined
|
||||
success_msg: "Authselect is running and profile is selected"
|
||||
fail_msg: Authselect updates have been selected there are issues with profile selection"
|
||||
|
||||
- name: "Ensure root password is set"
|
||||
when:
|
||||
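Review bot: The final assert in this hunk, `that: prelim_authselect_current_profile is defined`, can never fail: `register:` on the preceding shell task always defines the variable, including when `authselect current` exits 1 with no profile, which the `failed_when: ... rc not in [ 0, 1 ]` deliberately tolerates. The task name and success_msg claim a profile is selected, so the check should inspect the command result, e.g. `that:` / `  - prelim_authselect_current_profile.rc == 0` / `  - prelim_authselect_current_profile.stdout | length > 0`. The same task's `fail_msg: Authselect updates have been selected there are issues with profile selection"` has an unbalanced quote, which YAML accepts as a plain scalar ending in a stray `"`; quote the whole string (and add the missing "but"). The `Ensure root password is set` task that starts at the end of the hunk continues outside it.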
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
vars:
|
||||
ld_passwd_regex: >-
|
||||
^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
|
||||
ld_passwd_yaml: |
|
||||
ld_passwd_yaml: | # pragma: allowlist secret
|
||||
id: >-4
|
||||
\g<id>
|
||||
password: >-4
|
||||
|
|
|
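Review bot: The added `# pragma: allowlist secret` on `ld_passwd_yaml` silences the secret scanner for the whole block scalar without saying why, and a reader who sees a `password:` key next to an allowlist pragma will assume a credential is being parsed here. Add a why-comment alongside it, e.g. `# password field is the placeholder from the passwd file, not a credential`, hedged as such since the file this regex is applied to is not visible in the hunk. The `vars:` mapping this belongs to starts and ends outside the hunk.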
|||
|
|
@ -55,12 +55,12 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
register: NO_SHA1_TEMPLATE
|
||||
register: no_sha1_template
|
||||
|
||||
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}"
|
||||
changed_when: NO_SHA1_TEMPLATE is defined
|
||||
changed_when: no_sha1_template is defined
|
||||
notify:
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
|
|
@ -79,8 +79,6 @@
|
|||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
|
||||
- ansible.builtin.debug:
|
||||
msg: "{{ rhel9cis_crypto_policy_module }}"
|
||||
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
|
||||
|
|
@ -88,12 +86,12 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
register: NO_WEAKMAC_TEMPLATE
|
||||
register: no_weakmac_template
|
||||
|
||||
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}"
|
||||
changed_when: NO_WEAKMAC_TEMPLATE is defined
|
||||
changed_when: no_weakmac_template is defined
|
||||
notify:
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
|
|
@ -111,8 +109,6 @@
|
|||
- rule_1.6.5
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- ansible.builtin.debug:
|
||||
msg: "{{ rhel9cis_crypto_policy_module }}"
|
||||
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
|
||||
|
|
@ -120,12 +116,12 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
register: NO_SSHCBC_TEMPLATE
|
||||
register: no_sshcbc_template
|
||||
|
||||
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}"
|
||||
changed_when: NO_SSHCBC_TEMPLATE is defined
|
||||
changed_when: no_sshcbc_template is defined
|
||||
notify:
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
|
|
@ -143,8 +139,6 @@
|
|||
- rule_1.6.6
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- ansible.builtin.debug:
|
||||
msg: "{{ rhel9cis_crypto_policy_module }}"
|
||||
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
|
||||
|
|
@ -152,12 +146,12 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
register: NO_SSHWEAKCIPHERS_TEMPLATE
|
||||
register: no_sshweakciphers_template
|
||||
|
||||
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
|
||||
changed_when: NO_SSHWEAKCIPHERS_TEMPLATE is defined
|
||||
changed_when: no_sshweakciphers_template is defined
|
||||
notify:
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
|
|
@ -175,8 +169,6 @@
|
|||
- rule_1.6.7
|
||||
- NIST800-53R5_SC-6
|
||||
block:
|
||||
- ansible.builtin.debug:
|
||||
msg: "{{ rhel9cis_crypto_policy_module }}"
|
||||
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion"
|
||||
ansible.builtin.template:
|
||||
src: etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
|
||||
|
|
@ -184,12 +176,12 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
register: NO_SSHETM_TEMPLATE
|
||||
register: no_sshetm_template
|
||||
|
||||
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}"
|
||||
changed_when: NO_SSHETM_TEMPLATE is defined
|
||||
changed_when: no_sshetm_template is defined
|
||||
notify:
|
||||
- Update Crypto Policy
|
||||
- Set Crypto Policy
|
||||
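Review bot: `changed_when: no_sha1_template is defined` (and the parallel lines for `no_weakmac_template`, `no_sshcbc_template`, `no_sshweakciphers_template` and `no_sshetm_template`) is always true, because the `register:` on the template task two lines above always defines the variable; the set_fact therefore reports changed and notifies `Update Crypto Policy` / `Set Crypto Policy` on every run, so rules 1.6.3–1.6.7 are never idempotent and the system-wide crypto policy is re-applied each play. The rename in this commit preserves that behaviour. Key the change on the template result instead: `changed_when: no_sha1_template is changed`, and likewise for the other four. If the handlers must also run when the active policy string differs from `rhel9cis_crypto_policy_module` for some other reason, that comparison belongs in the handler, which is outside this page.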
|
|
|
|||
|
|
@ -139,9 +139,6 @@
|
|||
failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ]
|
||||
register: rhel9cis_authselect_pam_unix
|
||||
|
||||
- debug:
|
||||
msg: "{{ rhel9cis_authselect_pam_unix }}"
|
||||
|
||||
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
|
||||
when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
|
|||
|
|
@ -263,7 +263,7 @@
|
|||
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
|
||||
ansible.builtin.template:
|
||||
src: etc/logrotate.d/rsyslog.conf.j2
|
||||
dest: /etc/logrotate.d/rsyslog.conf
|
||||
dest: /etc/logrotate.d/rsyslog.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
|
|
|
|||