--- - name: "1.6.1.1 | PATCH | Ensure SELinux is installed" ansible.builtin.package: name: libselinux state: present when: - rhel9cis_rule_1_6_1_1 tags: - level1-server - level1-workstation - patch - rule_1.6.1.1 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" ansible.builtin.replace: dest: /etc/default/grub regexp: '{{ item }}' replace: '' loop: - selinux=0 - enforcing=0 register: selinux_grub_patch ignore_errors: true # noqa ignore-errors notify: Grub2cfg when: - rhel9cis_rule_1_6_1_2 tags: - level1-server - level1-workstation - scored - patch - rule_1.6.1.2 # State set to enforcing because control 1.6.1.5 requires enforcing to be set - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 tags: - level1-server - level1-workstation - selinux - patch - rule_1.6.1.3 - name: "1.6.1.4 | PATCH | Ensure the SELinux state is not disabled" ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 tags: - level1-server - level1-workstation - selinux - patch - rule_1.6.1.4 - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - not rhel9cis_selinux_disable - rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation - selinux - patch - rule_1.6.1.5 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" block: - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' register: rhelcis_1_6_1_6_unconf_services failed_when: false changed_when: false - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" ansible.builtin.import_tasks: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' when: - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation - audit - services - rule_1.6.1.6 - name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" ansible.builtin.package: name: setroubleshoot state: absent when: - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - selinux - patch - rule_1.6.1.7 - name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" ansible.builtin.package: name: mcstrans state: absent when: - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation - patch - rule_1.6.1.8