Merge pull request #51 from ansible-lockdown/warning_improvements
Warning improvements
uk-bolly authored Apr 13, 2023
2 parents 1ef886c + a5df4c2 commit 9d7cfc9
Showing 2 changed files with 51 additions and 31 deletions.
5 changes: 5 additions & 0 deletions Changelog.md
@@ -1,5 +1,10 @@
# Changes to rhel9CIS

## 1.0.7

lint and yamll updates
improvemnst to 6.1.10, 6.1.11, 6.1.13, 6.1.14

## 1.0.6

updated ymlalint as galaxy doenst honouyr local settings
77 changes: 46 additions & 31 deletions tasks/section_6/cis_6.1.x.yml
Expand Up @@ -160,22 +160,24 @@
label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options']

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
ansible.builtin.set_fact:
rhel_09_6_1_10_unowned_files_found: true
loop: "{{ rhel_09_6_1_10_audit.results }}"
when: item.stdout | length > 0

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug:
msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_10_audit.results }}"
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel_09_6_1_10_unowned_files_found

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.10'
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0

when: rhel_09_6_1_10_unowned_files_found
vars:
rhel_09_6_1_10_unowned_files_found: false
when:
- rhel9cis_rule_6_1_10
tags:
Expand All @@ -199,21 +201,24 @@
label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options']

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
ansible.builtin.set_fact:
rhel_09_6_1_11_ungrouped_files_found: true
loop: "{{ rhel_09_6_1_11_audit.results }}"
when: item.stdout | length > 0

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug:
msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_11_audit.results }}"
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel_09_6_1_11_ungrouped_files_found

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.11'
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
when: rhel_09_6_1_11_ungrouped_files_found
vars:
- rhel_09_6_1_11_ungrouped_files_found: false
when:
- rhel9cis_rule_6_1_11
tags:
Expand Down Expand Up @@ -244,24 +249,29 @@
ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
failed_when: false
changed_when: false
register: rhel_09_6_1_13_perms_results
register: rhel_09_6_1_13_suid_perms
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"

- name: "6.1.13 | AUDIT | Audit SUID executables | set fact SUID executables"
ansible.builtin.set_fact:
rhel9_6_1_13_suid_found: true
loop: "{{ rhel_09_6_1_13_suid_perms.results }}"
when: item.stdout | length > 0

- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
ansible.builtin.debug:
msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_13_perms_results.stdout is defined
msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel9_6_1_13_suid_found

- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.13'
when:
- rhel_09_6_1_13_perms_results.stdout is defined
when: rhel9_6_1_13_suid_found
vars:
rhel9_6_1_13_suid_found: false
when:
- rhel9cis_rule_6_1_13
tags:
Expand All @@ -278,24 +288,29 @@
ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
failed_when: false
changed_when: false
register: rhel_09_6_1_14_perms_results
register: rhel_09_6_1_14_sgid_perms
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"

- name: "6.1.14 | AUDIT | Audit SGID executables | Set fact SGID executables"
ansible.builtin.set_fact:
rhel9_6_1_14_sgid_found: true
loop: "{{ rhel_09_6_1_14_sgid_perms.results }}"
when: item.stdout | length > 0

- name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
ansible.builtin.debug:
msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_14_perms_results.stdout is defined
msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel9_6_1_14_sgid_found

- name: "6.1.14 | AUDIT | Audit SGID executables| warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.14'
when:
- rhel_09_6_1_14_perms_results.stdout is defined
when: rhel9_6_1_14_sgid_found
vars:
rhel9_6_1_14_sgid_found: false
when:
- rhel9cis_rule_6_1_14
tags:
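Review bot: The new `set fact` tasks for 6.1.10 and 6.1.11 drop the `stdout_lines is defined` guard the old debug tasks had, and `when: item.stdout | length > 0` is evaluated against every entry of `rhel_09_6_1_1x_audit.results`, including mounts the audit task skipped via its `item['device'].startswith('/dev') and not 'bind' in item['options']` condition; a skipped loop result carries no `stdout` key, so on a host with any tmpfs or bind mount the set_fact task will abort with an undefined-attribute error rather than reporting. Use `when: item.stdout | default('') | length > 0` (or `item.stdout is defined and item.stdout | length > 0`) in both tasks; 6.1.13 and 6.1.14 loop without a `when` on the audit task so they are not affected, but the same defensive form keeps the four blocks consistent. In the 6.1.11 block the defaulting is also written as a list, `vars:` followed by `- rhel_09_6_1_11_ungrouped_files_found: false`, whereas 6.1.10, 6.1.13 and 6.1.14 use a plain mapping; the list form of `vars` is deprecated in recent ansible-core and should become `rhel_09_6_1_11_ungrouped_files_found: false` under `vars:`. Note also that the `json_query` filter in the new debug messages needs the community.general collection plus `jmespath` on the controller — if the role does not already declare that dependency, `results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten` gives the same list with core filters only.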
