forked from ansible-lockdown/RHEL9-CIS
111 lines
2.5 KiB
YAML
111 lines
2.5 KiB
YAML
---
|
|
# tasks file for RHEL9-CIS
|
|
- name: Check OS version and family
|
|
fail:
|
|
msg: "This role can only be run against RHEL 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
|
|
when:
|
|
- ansible_os_family == 'RedHat'
|
|
- ansible_distribution_major_version is version_compare('9', '!=')
|
|
tags:
|
|
- always
|
|
|
|
- name: Check ansible version
|
|
fail:
|
|
msg: You must use ansible 2.9 or greater
|
|
when: not ansible_version.full is version_compare('2.9', '>=')
|
|
tags:
|
|
- always
|
|
|
|
- name: Check crypto-policy input
|
|
assert:
|
|
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
|
|
|
|
- name: Check rhel9cis_bootloader_password_hash variable has been changed
|
|
assert:
|
|
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
|
|
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set"
|
|
when:
|
|
- rhel9cis_set_boot_pass
|
|
- rhel9cis_rule_1_5_2
|
|
|
|
- name: "check sugroup exists if used"
|
|
block:
|
|
- name: "Check su group exists if defined"
|
|
shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
|
|
register: sugroup_exists
|
|
changed_when: false
|
|
failed_when: sugroup_exists.rc >= 2
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check sugroup if defined exists before continuing
|
|
assert:
|
|
that: sugroup_exists.rc == 0
|
|
msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
|
|
when:
|
|
- rhel9cis_sugroup is defined
|
|
- rhel9cis_rule_5_7
|
|
tags:
|
|
- rule_5.7
|
|
|
|
- include: prelim.yml
|
|
become: yes
|
|
tags:
|
|
- prelim_tasks
|
|
- always
|
|
|
|
- import_tasks: pre_remediation_audit.yml
|
|
when:
|
|
- run_audit
|
|
|
|
- name: Gather the package facts
|
|
package_facts:
|
|
manager: auto
|
|
tags:
|
|
- always
|
|
|
|
- include: parse_etc_password.yml
|
|
become: yes
|
|
when: rhel9cis_section6
|
|
|
|
- include: section_1/main.yml
|
|
become: yes
|
|
when: rhel9cis_section1
|
|
tags:
|
|
- rhel9cis_section1
|
|
|
|
- include: section_2/main.yml
|
|
become: yes
|
|
when: rhel9cis_section2
|
|
|
|
- include: section_3/main.yml
|
|
become: yes
|
|
when: rhel9cis_section3
|
|
|
|
- include: section_4/main.yml
|
|
become: yes
|
|
when: rhel9cis_section4
|
|
|
|
- include: section_5/main.yml
|
|
become: yes
|
|
when: rhel9cis_section5
|
|
|
|
- include: section_6/main.yml
|
|
become: yes
|
|
when: rhel9cis_section6
|
|
|
|
- include: post.yml
|
|
become: yes
|
|
tags:
|
|
- post_tasks
|
|
- always
|
|
|
|
- import_tasks: post_remediation_audit.yml
|
|
when:
|
|
- run_audit
|
|
|
|
- name: Show Audit Summary
|
|
debug:
|
|
msg: "{{ audit_results.split('\n') }}"
|
|
when:
|
|
- run_audit
|