Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gpg import for rhel servers #185

Merged
merged 3 commits into from
Mar 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# Changes to rhel9CIS

## 1.1.4 - Based on CIS v1.0.0

- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only

## 1.1.3 - Based on CIS v1.0.0

- updated goss binary to 0.4.4
Expand Down
5 changes: 5 additions & 0 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -424,6 +424,11 @@ rhel9cis_rule_6_2_16: true
# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
rhel9cis_tmp_svc: false

## Control 1.2.1
# For new systems that have not yet run update the gpg key is not yet imported
# Setting to `true` will allow a test on the package and the foce the import of the key
rhel9cis_force_gpg_key_import: true

## Control 1.2.4
# When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
# repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks
Expand Down
4 changes: 2 additions & 2 deletions tasks/LE_audit_setup.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,12 @@
- name: Pre Audit Setup | Set audit package name | 64bit
ansible.builtin.set_fact:
audit_pkg_arch_name: AMD64
when: ansible_machine == "x86_64"
when: ansible_facts.machine == "x86_64"

- name: Pre Audit Setup | Set audit package name | ARM64
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
when: ansible_machine == "arm64"
when: ansible_facts.machine == "arm64"

- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url:
Expand Down
25 changes: 25 additions & 0 deletions tasks/prelim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,31 @@
- ansible_facts.distribution != 'RedHat'
- ansible_facts.distribution != 'OracleLinux'

- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not | RedHat Only"
block:
- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not"
ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
changed_when: false
failed_when: false
register: check_gpg_imported

- name: "PRELIM | Check key package matches RedHat"
ansible.builtin.shell: rpm -qi redhat-release | grep Signature
changed_when: false
failed_when: false
register: os_gpg_package_valid
when: "'not installed' in check_gpg_imported.stdout"

- name: "PRELIM | Force keys to be imported"
ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
when:
- "'not installed' in check_gpg_imported.stdout"
- "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout"
when:
- rhel9cis_rule_1_2_1
- rhel9cis_force_gpg_key_import
- ansible_facts.distribution == 'RedHat'

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
ansible.builtin.package:
name: audit
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.1.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@
ansible.builtin.file:
path: "{{ item.path }}"
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
loop: "{{ auditd_conf_files.files | default([]) }}"
loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
when:
Expand Down