updated issues and added improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-04-25 16:58:11 +01:00 · 2022-04-25 16:58:11 +01:00 · a8602689b8
commit a8602689b8
parent 49ab8c6f9f
7 changed files with 18 additions and 12 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -376,9 +376,9 @@ rhel9cis_bootloader_password: random
 rhel9cis_set_boot_pass: false


-# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
-# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
-rhel9cis_crypto_policy: "FUTURE"
+# 1.10 Set crypto policy DEFAULT
+# Control 1.10 states not to use LEGACY
+rhel9cis_crypto_policy: "DEFAULT"

 # System network parameters (host only OR host and router)
 rhel9cis_is_router: false
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -50,11 +50,13 @@

 - name: Check rhel9cis_bootloader_password_hash variable has been changed
  assert:
-      that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
-      msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
+      that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
+      msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
  when:
      - rhel9cis_set_boot_pass
-      - rhel9cis_rule_1_5_2
+      - rhel9cis_rule_1_4_1
+  tags: 
+      - always

 - name: "check sugroup exists if used"
  block:
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -10,8 +10,6 @@
  notify: grub2cfg
  when:
      - rhel9cis_set_boot_pass
-      - grub_pass is defined and grub_pass.passhash is defined
-      - grub_pass.passhash | length > 0
      - rhel9cis_rule_1_4_1
  tags:
      - level1-server
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@ -91,7 +91,7 @@
 - name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled"
  lineinfile:
      path: /etc/dconf/db/local.d/00-media-automount
-      regex: "{{ item.regex }}"
+      regexp: "{{ item.regex }}"
      line: "{{ item.line }}"
      create: yes
  notify: reload dconf
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ b/tasks/section_3/cis_3.4.1.x.yml
@ -21,8 +21,11 @@
      - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services"
        systemd:
            name: "{{ item }}"
-            state: stopped
-            enabled: false
+            masked: true
+        with_items:
+            - iptables
+            - ip6tables
+        when: item in ansible_facts.packages

      - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg "
        package:
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,4 +1,6 @@
 ---
 # OS Specific Settings

-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
+rpm_packager: "Red Hat, Inc"
+rpm_key: "199e2f91fd431d51"  # found on https://access.redhat.com/security/team/key/
--- a/vars/main.yml
+++ b/vars/main.yml
@ -3,5 +3,6 @@

 min_ansible_version: 2.10
 rhel9cis_allowed_crypto_policies:
+    - 'DEFAULT'
    - 'FUTURE'
    - 'FIPS'