From 895d42b26588e6fbad09715fca4bd4a893b6f22b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Wed, 13 Sep 2023 15:53:56 +0200
Subject: [PATCH 1/6] Replace service with systemd module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar
---
 tasks/section_1/cis_1.2.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 179e73dc..8b4a1f37 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -74,7 +74,7 @@
 - rule_1.2.4

 - name: "1.2.5 | PATCH | Disable the rhnsd Daemon"
- ansible.builtin.service:
+ ansible.builtin.systemd:
 name: rhnsd
 state: stopped
 enabled: false

From 30667fd69bd2cfc8eabe88e33ef474d3bc193292 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Wed, 13 Sep 2023 15:55:22 +0200
Subject: [PATCH 2/6] Use FQCNs in tasks/section_5/cis_5.5.x.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar
---
 tasks/section_5/cis_5.5.x.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 4e9481f2..23eb9d21 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -3,7 +3,7 @@
 - name: "5.5.2 | PATCH | Ensure system accounts are secured"
 block:
 - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set nologin"
- user:
+ ansible.builtin.user:
 name: "{{ item.id }}"
 shell: /usr/sbin/nologin
 loop: "{{ rhel7cis_passwd }}"
@@ -19,7 +19,7 @@
 - item.shell != " /usr/sbin/nologin"

 - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts"
- user:
+ ansible.builtin.user:
 name: "{{ item.id }}"
 password_lock: true
 loop: "{{ rhel7cis_passwd }}"
@@ -42,7 +42,7 @@
 - rule_5.5.2

 - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0"
- shell: usermod -g 0 root
+ ansible.builtin.shell: usermod -g 0 root
 changed_when: false
 failed_when: false
 when:

From fd6be3b2a7dee9f0fef1205552230bd86b7d8502 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Wed, 13 Sep 2023 15:56:01 +0200
Subject: [PATCH 3/6] Use FQCN for user module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar
---
 tasks/section_5/cis_5.7.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml
index 04709c86..b3c467fd 100644
--- a/tasks/section_5/cis_5.7.yml
+++ b/tasks/section_5/cis_5.7.yml
@@ -10,7 +10,7 @@
 line: 'auth required pam_wheel.so use_uid {% if rhel7cis_sugroup is defined %}group={{ rhel7cis_sugroup }}{% endif %}'

 - name: "5.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
- ansible.builtin.group:
+ ansible.builtin.user:
 name: root
 groups: "{{ rhel7cis_sugroup }}"
 when:

From 2cde1d5587bb6928d729aec7579bbcc26d3a90bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Wed, 13 Sep 2023 16:18:38 +0200
Subject: [PATCH 4/6] Use FQCN for debug module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar
---
 tasks/section_6/cis_6.2.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 08eb8b28..89fb7297 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -10,7 +10,7 @@
 - rhel7cis_passwd | selectattr('password', '!=', 'x')

 - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News"
- debug:
+ ansible.builtin.debug:
 msg: "Good News!! No Unshadowed passwords have been found"
 when: rhel7_6_2_1_shadow is not changed
 when:
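Review bot: `failed_when: false` on the new `ansible.builtin.shell: usermod -g 0 root` line means a failed GID fix still reports success, and `changed_when: false` hides whether anything was remediated, so a run cannot tell that control 5.5.3 was actually applied. The command uses no shell features, so at minimum this should be `ansible.builtin.command`; better, use the idempotent user module and drop both overrides: `ansible.builtin.user:` / `  name: root` / `  group: "0"` (the module accepts a numeric GID as well as a group name). The task's `when:` list continues outside the hunk.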
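Review bot: Switching this task to `ansible.builtin.user` with `groups:` but without `append: true` replaces root's entire supplementary-group set with `rhel7cis_sugroup`, silently dropping any other membership root had; add `  append: true` directly under `groups:`. The `line:` context above shows `rhel7cis_sugroup` may be undefined, in which case `groups: "{{ rhel7cis_sugroup }}"` raises an undefined-variable error rather than skipping — presumably the `when:` list that starts at the end of the hunk guards this, but confirm. The task's `when:` continues outside the hunk.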
From 7e98687fd8563511a536db9c733837c59f38f6b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Wed, 13 Sep 2023 16:19:14 +0200
Subject: [PATCH 5/6] Use name instead of list in package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar
---
 tasks/check_prereqs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml
index 09a1b670..d26c29a1 100644
--- a/tasks/check_prereqs.yml
+++ b/tasks/check_prereqs.yml
@@ -2,7 +2,7 @@

 - name: "PREREQ | Check required packages installed | Python2"
 ansible.builtin.package:
- list: "{{ item }}"
+ name: "{{ item }}"
 state: present
 loop:
 - rpm-python

From aa610ce32ee2a111b4eeaa7246b56ea8a2855147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Wed, 13 Sep 2023 16:21:34 +0200
Subject: [PATCH 6/6] Add that parameter and remove when for the assert module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar
---
 tasks/pre_remediation_audit.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 6109d5ca..5608fa9b 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -66,9 +66,8 @@

 - name: Pre Audit Setup | If audit ensure goss is available
 ansible.builtin.assert:
+ that: goss_available.stat.exists
 msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
- when:
- - not goss_available.stat.exists
 when:
 - run_audit

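Review bot: With `name: "{{ item }}"` and `state: present` this task now installs each looped package, yet its name says "Check required packages installed" and the replaced `list:` was a read-only lookup, so the commit turns a prerequisite check into a remediation without saying so. If a check is what is wanted, gather package facts and assert on them (sketch below); if installation is intended, rename the task and pass the whole list to `name:` so the package manager runs a single transaction instead of one per loop item. The `loop:` items continue outside the hunk.
```yaml
- name: "PREREQ | Check required packages installed | Python2"
  ansible.builtin.package_facts:
    manager: rpm

- name: "PREREQ | Check required packages installed | Python2 | Assert present"
  ansible.builtin.assert:
    that: item in ansible_facts.packages
    fail_msg: "Required package {{ item }} is not installed"
  loop:
    - rpm-python
    # … unchanged: remaining loop items …
```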
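Review bot: The new `that: goss_available.stat.exists` only proves that a path exists; the role goes on to execute that binary, so a non-executable or truncated file passes this gate and fails later with a less clear error. Make `that:` a list, `- goss_available.stat.exists` followed by `- goss_available.stat.executable`; this stays safe on a missing file because assert stops at the first failing condition. `goss_available` is presumably registered by a stat task outside the hunk that is also conditioned on `run_audit`; if that task can be skipped, `goss_available.stat` is undefined and the assert errors instead of failing cleanly with the intended message — worth confirming.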