sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

lint and best practise

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 11:20:19 +00:00
parent 69e01b84f3
commit fcf9eb674f
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
6 changed files with 33 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

21
handlers/main.yml
View file

@ -145,7 +145,8 @@
listen: "Remount /var/log/audit"
- name: Reload sysctl
ansible.builtin.shell: sysctl --system
ansible.builtin.command: sysctl --system
changed_when: true
- name: Sysctl flush ipv4 route table
when:
@ -181,8 +182,8 @@
- name: Set Crypto Policy
when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
changed_when: true
notify:
- Change_requires_reboot
- Restart sshd
@ -203,10 +204,12 @@
state: restarted
- name: Reload dconf
ansible.builtin.shell: dconf update
ansible.builtin.command: dconf update
changed_when: true
- name: Grub2cfg
ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg"
changed_when: true
ignore_errors: true # noqa ignore-errors
- name: Restart rsyslog
@ -229,12 +232,13 @@
daemon-reload: true
- name: Authselect update
ansible.builtin.shell: authselect apply-changes
ansible.builtin.command: authselect apply-changes
changed_when: true
## Auditd tasks note order for handlers to run
- name: Auditd immutable check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: discovered_auditd_immutable_check
@ -246,7 +250,8 @@
notify: Change_requires_reboot
- name: Stop auditd process
ansible.builtin.shell: systemctl kill auditd
ansible.builtin.command: systemctl kill auditd
changed_when: true
listen: Restart auditd
- name: Start auditd process