sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

standardise naming and move items to prelim

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-25 11:35:47 +00:00
parent 7760f35161
commit 9fe177f9ce
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
2 changed files with 28 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

18
tasks/main.yml
View file

@ -103,24 +103,6 @@
when: when:
- run_audit - run_audit
- name: Gather the package facts after prelim
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: capture /etc/password variables
ansible.builtin.include_tasks: parse_etc_password.yml
tags:
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- level1-server
- name: run Section 1 tasks - name: run Section 1 tasks
ansible.builtin.import_tasks: section_1/main.yml ansible.builtin.import_tasks: section_1/main.yml
when: rhel9cis_section1 when: rhel9cis_section1

38
tasks/prelim.yml
View file

@ -12,6 +12,18 @@
- level1-workstation - level1-workstation
- users - users
- name: "PRELIM | capture /etc/password variables"
ansible.builtin.include_tasks: parse_etc_password.yml
tags:
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- level1-server
- name: "PRELIM | Interactive User accounts" - name: "PRELIM | Interactive User accounts"
ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6'
changed_when: false changed_when: false
@ -95,7 +107,7 @@
path: /sys/firmware/efi path: /sys/firmware/efi
register: rhel_09_efi_boot register: rhel_09_efi_boot
- name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - name: "PRELIM | set legacy boot and grub path | Bios"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_legacy_boot: true rhel9cis_legacy_boot: true
grub2_path: /etc/grub2.cfg grub2_path: /etc/grub2.cfg
@ -197,9 +209,9 @@
- rule_5.3.4 - rule_5.3.4
- rule_5.3.5 - rule_5.3.5
- name: Check sugroup exists if used - name: "PRELIM | Check sugroup exists if used"
block: block:
- name: "Check su group exists if defined" - name: "PRELIM | Check su group exists if defined"
ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
register: sugroup_exists register: sugroup_exists
changed_when: false changed_when: false
@ -207,7 +219,7 @@
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: Check sugroup if defined exists before continuing - name: "PRELIM | Check sugroup if defined exists before continuing"
ansible.builtin.assert: ansible.builtin.assert:
that: sugroup_exists.rc == 0 that: sugroup_exists.rc == 0
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
@ -217,32 +229,38 @@
tags: tags:
- rule_5.7 - rule_5.7
- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" - name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
block: block:
- name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - name: "PRELIM | Capture UID_MIN information from logins.def"
ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_min_id register: uid_min_id
- name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - name: "PRELIM | Capture UID_MAX information from logins.def"
ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_max_id register: uid_max_id
- name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - name: "PRELIM | Capture GID_MIN information from logins.def"
ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: gid_min_id register: gid_min_id
- name: "PRELIM | AUDIT | set_facts for interactive uid/gid" - name: "PRELIM | set_facts for interactive uid/gid"
ansible.builtin.set_fact: ansible.builtin.set_fact:
min_int_uid: "{{ uid_min_id.stdout }}" min_int_uid: "{{ uid_min_id.stdout }}"
max_int_uid: "{{ uid_max_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}"
- name: Output of uid findings - name: "PRELIM | Output of uid findings"
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ min_int_uid }} {{ max_int_uid }}" msg: "{{ min_int_uid }} {{ max_int_uid }}"
when: when:
- not discover_int_uid - not discover_int_uid
- name: "PRELIM | Gather the package facts after prelim"
ansible.builtin.package_facts:
manager: auto
tags:
- always