sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

lint

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-12 13:38:27 +00:00
parent 256f582b66
commit b347e5dd00
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
1 changed files with 10 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tasks/section_1/cis_1.2.x.yml
View file

@ -9,7 +9,7 @@
register: os_installed_pub_keys register: os_installed_pub_keys
- name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys" - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: os_gpg_key_check register: os_gpg_key_check
@ -47,15 +47,13 @@
paths: /etc/yum.repos.d paths: /etc/yum.repos.d
patterns: "*.repo" patterns: "*.repo"
register: yum_repos register: yum_repos
changed_when: false
- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
ansible.builtin.replace: ansible.builtin.replace:
name: "{{ item.path }}" name: "{{ item.path }}"
regexp: "^gpgcheck=0" regexp: "^gpgcheck=0"
replace: "gpgcheck=1" replace: "gpgcheck=1"
with_items: loop: "{{ yum_repos.files }}"
- "{{ yum_repos.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
when: when:
@ -102,20 +100,23 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/dnf/dnf.conf path: /etc/dnf/dnf.conf
regexp: '^repo_gpgcheck' regexp: '^repo_gpgcheck'
line: repo_gpgcheck 1 line: repo_gpgcheck=1
- name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files"
ansible.builtin.find: ansible.builtin.find:
path: /etc/yum.repos.d paths: /etc/yum.repos.d
patterns: '*.repo' patterns: "*.repo"
register: repo_files register: repo_files
- name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item }}" path: "{{ item.path }}"
regexp: '^repo_gpgcheck' regexp: '^repo_gpgcheck'
line: repo_gpgcheck=1 line: repo_gpgcheck=1
loop: "{{ repo_files.files }}" loop: "{{ repo_files.files }}"
loop_control:
label: "{{ item.path }}"
when: when:
- rhel9cis_rule_1_2_4 - rhel9cis_rule_1_2_4
tags: tags: