
loop improvememts

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2023-01-12 15:01:31 +00:00
parent c18151e158
commit a85902ef2f
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9


@ -57,24 +57,15 @@
- rule_4.1.4.4 - rule_4.1.4.4
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
block:
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions"
ansible.builtin.stat:
path: "{{ item.path }}"
register: item_file
loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}"
loop_control:
label: "{{ item.path }}"
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
ansible.builtin.file: ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}" path: "{{ item.path }}"
state: file state: file
mode: 0640 mode: 0640
loop: "{{ audit_config_files }}" loop: "{{ auditd_conf_files.files }}"
when: not item_file.stat.mode is match('06(0|4)0') loop_control:
label: "{{ item.path }}"
when: when:
- item.mode != '06(0|4)0'
- rhel9cis_rule_4_1_4_5 - rhel9cis_rule_4_1_4_5
tags: tags:
- level2-server - level2-server
@ -85,10 +76,12 @@
- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" - name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root"
ansible.builtin.file: ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}" path: "{{ item.path }}"
state: file state: file
owner: root owner: root
loop: "{{ audit_config_files }}" loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
when: when:
- rhel9cis_rule_4_1_4_6 - rhel9cis_rule_4_1_4_6
tags: tags:
@ -100,10 +93,12 @@
- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" - name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root"
ansible.builtin.file: ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}" path: "{{ item.path }}"
state: file state: file
group: root group: root
loop: "{{ audit_config_files }}" loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
when: when:
- rhel9cis_rule_4_1_4_7 - rhel9cis_rule_4_1_4_7
tags: tags:
@ -115,7 +110,7 @@
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive"
block: block:
- name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode" - name: "PRELIM | 4.1.4.8 | Get audit binary file stat | get current mode"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ item }}" path: "{{ item }}"
register: "audit_bins" register: "audit_bins"
@ -127,14 +122,19 @@
- /sbin/auditd - /sbin/auditd
- /sbin/augenrules - /sbin/augenrules
- debug:
msg: "{{ audit_bins }}"
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item.item }}"
state: file state: file
mode: 0750 mode: 0750
register: "audit_bins" register: "audit_bins"
loop: "{{ audit_bins.results.stat.path }}" loop: "{{ audit_bins.results }}"
when: not audit_bins.stat.mode is match('07(0|5)(0|5)') loop_control:
label: "{{ item.item }}"
when: not item.stat.mode is match('07(0|5)0')
when: when:
- rhel9cis_rule_4_1_4_8 - rhel9cis_rule_4_1_4_8
tags: tags:
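Review bot: In the 4.1.4.5 task, the new condition `item.mode != '06(0|4)0'` is a literal string comparison, not a regex test, so it is true for every file and the task always applies `mode: 0640`. A configuration file that is already stricter (for example 0600) would then be loosened to 0640, which contradicts the rule's "640 or more restrictive". Assuming `item.mode` is the octal string from the earlier find result, restore the match test the old line used: `- item.mode is not match('06(0|4)0')`. Alternatively, a symbolic `mode: 'u-x,g-wx,o-rwx'` only removes bits and needs no mode condition at all. Separately, the `debug` task printing `audit_bins` in the 4.1.4.8 block looks like leftover troubleshooting output and could be dropped.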