updated issues and added improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-04-25 16:58:11 +01:00 · 2022-04-25 16:58:11 +01:00 · a8602689b8
commit a8602689b8
parent 49ab8c6f9f
7 changed files with 18 additions and 12 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -50,11 +50,13 @@

 - name: Check rhel9cis_bootloader_password_hash variable has been changed
  assert:
-      that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
-      msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
+      that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
+      msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
  when:
      - rhel9cis_set_boot_pass
-      - rhel9cis_rule_1_5_2
+      - rhel9cis_rule_1_4_1
+  tags: 
+      - always

 - name: "check sugroup exists if used"
  block:
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -10,8 +10,6 @@
  notify: grub2cfg
  when:
      - rhel9cis_set_boot_pass
-      - grub_pass is defined and grub_pass.passhash is defined
-      - grub_pass.passhash | length > 0
      - rhel9cis_rule_1_4_1
  tags:
      - level1-server
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@ -91,7 +91,7 @@
 - name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled"
  lineinfile:
      path: /etc/dconf/db/local.d/00-media-automount
-      regex: "{{ item.regex }}"
+      regexp: "{{ item.regex }}"
      line: "{{ item.line }}"
      create: yes
  notify: reload dconf
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ b/tasks/section_3/cis_3.4.1.x.yml
@ -21,8 +21,11 @@
      - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services"
        systemd:
            name: "{{ item }}"
-            state: stopped
-            enabled: false
+            masked: true
+        with_items:
+            - iptables
+            - ip6tables
+        when: item in ansible_facts.packages

      - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg "
        package: