Merge pull request #206 from ansible-lockdown/devel

June devel to main

Changelog.md

@@ -1,5 +1,13 @@
 # Changes to RHEL8STIG
 
+## 2.9.1
+
+- Issue #204 address
+  - tidy up of prelim
+- update to allow against container
+  - vars/is_container.yml updated and aligned
+- prelim fqcn
+
 ## 2.9.0 Stig V1R10 27th April 2023
 
 - Added new controls

ansible.cfg

@@ -7,7 +7,7 @@ nocows=1
 retry_files_save_path=/dev/null
 
 # Use the YAML callback plugin.
-stdout_callback = yaml
+# stdout_callback = yaml
 # Use the stdout_callback when running ad-hoc commands.
 bin_ansible_callbacks = True
 

handlers/main.yml

@@ -111,6 +111,8 @@
 
 - name: rebuild initramfs
   ansible.builtin.shell: dracut -f
+  when:
+      - not system_is_container
 
 - name: undo existing prelinking
   ansible.builtin.shell: prelink -ua

tasks/fix-cat1.yml

@@ -18,9 +18,7 @@
   block:
       - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS"
         ansible.builtin.package:
-            name:
-                - dracut-fips
-                - crypto-policies-scripts
+            name: dracut-fips
             state: present
         notify:
             - rebuild initramfs
@@ -95,13 +93,13 @@
         with_items:
             - "{{ ansible_mounts | json_query(query) }}"
         vars:
-            query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]"
+            query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'] | [0]"
             key: GRUB_CMDLINE_LINUX
             param: boot
             value: UUID={{ item.uuid }}
             insert: true
         when:
-            - rhel8stig_boot_part not in ['/', '']
+            - rhel8stig_boot_part.stdout not in ['/', '']
             - not ansible_check_mode or
               rhel_08_010020_default_grub_missing_audit is not changed
         notify: confirm grub2 user cfg
@@ -114,12 +112,12 @@
             - fips=1
             - boot=UUID={{ ansible_mounts | json_query(query) }}
         vars:
-            query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]"
+            query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]"
         register: rhel_08_010020_audit
         when:
             - not ansible_check_mode or
               rhel_08_010020_default_grub_missing_audit is not changed
-            - "rhel8stig_boot_part not in ['/', ''] or
+            - "rhel8stig_boot_part.stdout not in ['/', ''] or
               'boot=' not in item"
         changed_when:
             - ansible_check_mode
@@ -129,7 +127,6 @@
             - not ansible_check_mode or
               rhel_08_010020_audit.rc > 1
   when:
-      - not system_is_container
       - rhel_08_010020
   tags:
       - RHEL-08-010020
@@ -193,7 +190,6 @@
             mode: 0640
         notify: confirm grub2 user cfg
   when:
-      - not system_is_container
       - not system_is_ec2
       - rhel_08_010140 or
         rhel_08_010150
@@ -415,7 +411,6 @@
         notify: systemctl daemon-reload
   when:
       - rhel_08_040170
-      - not system_is_container
   tags:
       - RHEL-08-040170
       - CAT1
@@ -474,7 +469,6 @@
   notify: systemctl daemon-reload
   when:
       - rhel_08_040172
-      - not system_is_container
   tags:
       - RHEL-08-040172
       - CAT1

tasks/fix-cat2.yml

@@ -478,7 +478,6 @@
   notify: change_requires_reboot
   when:
       - rhel_08_010170 or rhel_08_010450
-      - not system_is_container
       - rhel8stig_disruption_high
   tags:
       - CAT2
@@ -569,7 +568,6 @@
       - rhel_08_010210 or
         rhel_08_010220 or
         rhel_08_010230
-      - not system_is_container
   tags:
       - CAT2
       - RHEL-08-010210
@@ -1398,7 +1396,6 @@
       state: present
   when:
       - rhel_08_010410
-      - not system_is_container
   tags:
       - RHEL-08-010410
       - CAT2
@@ -1975,7 +1972,7 @@
             removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
   when:
       - rhel_08_010600
-      - not (rhel8stig_system_is_chroot and system_is_container)
+      - not rhel8stig_system_is_chroot
   tags:
       - RHEL-08-010600
       - CAT2
@@ -2376,7 +2373,6 @@
   when:
       - rhel_08_010680
       - not rhel8stig_system_is_chroot
-      - not system_is_container
       - not system_is_ec2
   tags:
       - RHEL-08-010680
@@ -3242,7 +3238,6 @@
   when:
       - rhel_08_020027 or
         rhel_08_020028
-      - not system_is_container
   tags:
       - RHEL-08-020027
       - RHEL-08-020028
@@ -5837,7 +5832,6 @@
         when:
             - rhel_08_040030
             - not rhel8stig_system_is_chroot
-            - not system_is_container
             - rhel8stig_firewall_service == "firewalld"
             - rhel8stig_start_firewall_service
         tags:
@@ -5872,7 +5866,6 @@
         when:
             - rhel_08_040030
             - not rhel8stig_system_is_chroot
-            - not system_is_container
             - rhel8stig_firewall_service == "iptables"
             - rhel8stig_start_firewall_service
         tags:
@@ -6132,7 +6125,6 @@
             - { regexp: '^blacklist bluetooth', line: 'blacklist bluetooth', insertafter: '#blacklist bluetooth kernel module' }
   when:
       - rhel_08_040111
-      - not system_is_container
   tags:
       - RHEL-08-040111
       - CAT2
@@ -6490,7 +6482,6 @@
       - rhel_08_040139 or
         rhel_08_040140 or
         rhel_08_040141
-      - not system_is_container
   tags:
       - RHEL-08-040139
       - RHEL-08-040140
@@ -7347,7 +7338,6 @@
   when:
       - rhel_08_040330
       - not rhel8stig_net_promisc_mode_required
-      - not system_is_container
   tags:
       - RHEL-08-040330
       - CAT2

tasks/fix-cat3.yml

@@ -151,7 +151,6 @@
   when:
       - rhel_08_010471 or
         rhel_08_010472
-      - not system_is_container
   tags:
       - RHEL-08-010471
       - RHEL-08-010472

tasks/main.yml

@@ -26,6 +26,28 @@
   tags:
       - always
 
+- name: Setup rules if container
+  block:
+      - name: Discover and set container variable if required
+        ansible.builtin.set_fact:
+            system_is_container: true
+
+      - name: Load variable for container
+        ansible.builtin.include_vars:
+            file: "{{ container_vars_file }}"
+
+      - name: output if discovered is a container
+        ansible.builtin.debug:
+            msg: system has been discovered as a container
+        when:
+            - system_is_container
+  when:
+      - ansible_connection == 'docker' or
+        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+      - container_discovery
+      - always
+
 - name: "Check password set for connecting user"
   block:
       - name: Capture current password state of connecting user"
@@ -68,28 +90,6 @@
       - RHEL-08-010141
       - RHEL-08-010149
 
-- name: Setup rules if container
-  block:
-      - name: Discover and set container variable if required
-        ansible.builtin.set_fact:
-            system_is_container: true
-
-      - name: Load variable for container
-        ansible.builtin.include_vars:
-            file: "{{ container_vars_file }}"
-
-      - name: output if discovered is a container
-        ansible.builtin.debug:
-            msg: system has been discovered as a container
-        when:
-            - system_is_container
-  when:
-      - ansible_connection == 'docker' or
-        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-      - container_discovery
-      - always
-
 - name: Include OS specific variables
   ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
   tags:
@@ -175,9 +175,7 @@
       - change_requires_reboot
       - not rhel8stig_skip_reboot
   tags:
-      - CAT1
-      - CAT2
-      - CAT3
+      - always
 
 - name: Include post-remediation tasks
   ansible.builtin.import_tasks: post_remediation_audit.yml
@@ -200,6 +198,4 @@
       - change_requires_reboot
       - rhel8stig_skip_reboot
   tags:
-      - CAT1
-      - CAT2
-      - CAT3
+      - always