diff --git a/defaults/main.yml b/defaults/main.yml index 290bbb6..02b0422 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -376,9 +376,9 @@ rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. -rhel9cis_crypto_policy: "FUTURE" +# 1.10 Set crypto policy DEFAULT +# Control 1.10 states not to use LEGACY +rhel9cis_crypto_policy: "DEFAULT" # System network parameters (host only OR host and router) rhel9cis_is_router: false diff --git a/tasks/main.yml b/tasks/main.yml index 8bda2a6..94ab74c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,11 +50,13 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed assert: - that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_rule_1_4_1 + tags: + - always - name: "check sugroup exists if used" block: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 45414cd..6ac4979 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -10,8 +10,6 @@ notify: grub2cfg when: - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - rhel9cis_rule_1_4_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index e056cef..a126a0a 100644 
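Review bot: The comment above the new `rhel9cis_crypto_policy: "DEFAULT"` line no longer tells the operator which values are accepted or that DEFAULT is the least strict of them, which matters now that the shipped default is relaxed from FUTURE. vars/main.yml in this same change admits DEFAULT, FUTURE and FIPS, so the comment should mirror that list: `# 1.10 Set crypto policy (DEFAULT, FUTURE or FIPS); LEGACY is not allowed by control 1.10` followed by `# DEFAULT is the minimum that passes - set FUTURE or FIPS for a stricter baseline`. If the default was lowered because FUTURE broke something in practice, recording that reason here would stop the next reviewer from raising it back.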
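Review bot: The new `find('grub.pbkdf2.sha512') != -1` test in the assert accepts the marker anywhere in the string, so a value with leading junk, or one where the marker only appears mid-string, passes the check and is then handed to the 1.4.1 task for writing into the bootloader configuration. Anchor the check to the start of the value and require the separator that precedes the iteration count: `that: rhel9cis_bootloader_password_hash is match('^grub\.pbkdf2\.sha512\.') and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'`. The assert still errors rather than failing with its own message when the variable is undefined, since both the old and the new expression dereference it; adding `rhel9cis_bootloader_password_hash is defined` as the first clause of `that` gives the operator the intended message instead of a Jinja traceback. The `tags: always` addition is the right call, as it makes this check run under any tag selection.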
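Review bot: Dropping the `grub_pass.passhash | length > 0` guard removes the only runtime check in this task that a non-empty hash exists before it is written to the bootloader configuration; the task now depends entirely on the assert in tasks/main.yml having run first, which holds only because that assert gains `tags: always` in this same change. The task's name and module arguments begin before the hunk, so I cannot see which value it now templates; if it consumes `rhel9cis_bootloader_password_hash` directly, a comment on the `when:` block such as `# hash is validated up front by the assert in tasks/main.yml (tags: always)` would make the cross-file dependency explicit for whoever next edits either file.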
--- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -91,7 +91,7 @@ - name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" lineinfile: path: /etc/dconf/db/local.d/00-media-automount - regex: "{{ item.regex }}" + regexp: "{{ item.regex }}" line: "{{ item.line }}" create: yes notify: reload dconf diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 7c25ff2..3518b42 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -21,8 +21,11 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - state: stopped - enabled: false + masked: true + with_items: + - iptables + - ip6tables + when: item in ansible_facts.packages - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " package: diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d67cedc..0b1c2cc 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,4 +1,6 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release +rpm_packager: "Red Hat, Inc" +rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/ diff --git a/vars/main.yml b/vars/main.yml index e68cec0..dbbc71f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,5 +3,6 @@ min_ansible_version: 2.10 rhel9cis_allowed_crypto_policies: + - 'DEFAULT' - 'FUTURE' - 'FIPS'
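Review bot: `create: yes` on the context line just below the corrected `regexp` key is a YAML 1.1 boolean spelling that yamllint's truthy rule and ansible-lint both flag; since the task is being touched anyway, change it to `create: true`. The rest of the task, including its loop, continues past the end of the hunk.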
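Review bot: `masked: true` on its own does not stop a unit that is already running; it only links the unit to /dev/null so it cannot be started again, yet the old `state: stopped` and `enabled: false` lines were removed, so the task named "Stop running services" no longer stops anything before the package is erased. Keep all three arguments together: `state: stopped`, `enabled: false` and `masked: true`. The new `when: item in ansible_facts.packages` also looks wrong for this purpose: on RHEL 9 the iptables and ip6tables units ship in the iptables-services package (the one the following task removes) while the iptables binary comes from iptables-nft, and as far as I know no package is named `ip6tables`, so the condition is unlikely ever to be true and both units would simply be skipped; `when: "'iptables-services' in ansible_facts.packages"` matches what the task is actually guarding. This also presumes package facts were gathered earlier in the play, which I cannot confirm from this hunk.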
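Review bot: `rpm_key` and `rpm_packager` are hard-coded to Red Hat's values while `rpm_gpg_key` on the line above is still templated on `ansible_distribution`; if this file is selected by `ansible_os_family` (which is also RedHat on Rocky, Alma and CentOS Stream) the key check will fail on every derivative, so either template these two on the distribution as well or state in a comment that they are valid for RHEL proper only. A 16-hex-digit key ID is a weaker pin than the full fingerprint published on the page the comment cites; if the consuming task can compare the full fingerprint, prefer it, and name the key in the comment, for example `# Red Hat release key 2 (key ID from https://access.redhat.com/security/team/key/)`, so the next key rotation is easy to audit. `rpm_packager: "Red Hat, Inc"` lacks the trailing period that Red Hat's RPM vendor and packager strings carry; that is harmless only if the comparison is a substring match, which I cannot verify from this hunk.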
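Review bot: The allowlist now admits the weakest policy that still satisfies control 1.10, but nothing in the file says why LEGACY is absent, and if the list is consumed by an exact membership test then sub-policy spellings such as `DEFAULT:SHA1` will be rejected without explanation. A comment above the list, `# Exact policy names accepted for rhel9cis_crypto_policy; LEGACY is deliberately excluded (CIS 1.10)`, records both points. The opening lines of the file run before the hunk.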