Feb24 updates (ansible-lockdown#179)

* change logic thanks to @rjacobs1990 see ansible-lockdown#175

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* thanks to @ipruteani-sie ansible-lockdown#134

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Thanks to @stwongst ansible-lockdown#125

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* thanks to @sgomez86 ansible-lockdown#146

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added updates from ansible-lockdown#115

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed rp_filter in post added in error

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated yamllint precommit

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated fqcn fo json_query

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix typo for virt type query

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

.github/workflows/devel_pipeline_validation.yml

@@ -125,6 +125,7 @@
               env:
                 ANSIBLE_HOST_KEY_CHECKING: "false"
                 ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_INJECT_FACT_VARS: "false"
 
           # Remove test system - User secrets to keep if necessary
 

.github/workflows/main_pipeline_validation.yml

@@ -114,6 +114,7 @@
               env:
                 ANSIBLE_HOST_KEY_CHECKING: "false"
                 ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_INJECT_FACT_VARS: "false"
 
           # Remove test system - User secrets to keep if necessary
 

.pre-commit-config.yaml

@@ -62,6 +62,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.34.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint

README.md

@@ -132,8 +132,8 @@ os_check: false
 - python-def (should be included in RHEL 9)
 - libselinux-python
 - pip packages
-  - jmespath ( complete list found in requirements.txt)
-- collections found in collections/requirememnts.yml
+  - jmespath
+- collections found in collections/requirements.yml
 
 pre-commit is available if installed on your host for pull request testing.
 

defaults/main.yml

@@ -424,21 +424,6 @@ rhel9cis_rule_6_2_16: true
 # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
 rhel9cis_tmp_svc: false
 
-## Control 1.1.9
-rhel9cis_allow_autofs: false
-
-## Control 1.2.1
-# This is the login information for your RedHat Subscription
-# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
-# The intent here is to use a password utility like Ansible Vault here
-rhel9cis_rh_sub_user: user
-rhel9cis_rh_sub_password: password  # pragma: allowlist secret
-
-## Control 1.2.2
-# Do you require rhnsd
-# RedHat Satellite Subscription items
-rhel9cis_rhnsd_required: false
-
 ## Control 1.2.4
 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
 # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks
@@ -455,7 +440,7 @@ rhel9cis_rule_enable_repogpg: true
 # must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
 # this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'  # pragma: allowlist secret
-rhel9cis_bootloader_password: random  # pragma: allowlist secret
+
 ## Control 1.4.1
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
@@ -781,11 +766,6 @@ rhel9cis_firewall: firewalld
 # to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used.
 rhel9cis_default_zone: public
 
-# These settings are added to demonstrate how this update can be done (eventually will require a new control)
-rhel9cis_firewalld_ports:
-    - number: 80
-      protocol: tcp
-
 ## Control 3.4.2.2 - Ensure at least one nftables table exists
 # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables
 # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered!
@@ -1236,8 +1216,6 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true
 
-rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-
 ## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable
 # This boolean variable governs if current role should follow filesystem links for changes to
 # user home directory.

tasks/main.yml

@@ -3,7 +3,7 @@
 
 - name: Check OS version and family
   ansible.builtin.assert:
-      that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
+      that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
       fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
       success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
   when:
@@ -66,7 +66,7 @@
 - name: Ensure root password is set
   block:
       - name: Ensure root password is set
-        ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
+        ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
         changed_when: false
         register: root_passwd_set
 
@@ -102,7 +102,7 @@
             - system_is_container
   when:
       - ansible_connection == 'docker' or
-        ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+        ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
       - container_discovery
       - always

tasks/post.yml

@@ -26,19 +26,6 @@
       - not system_is_container
       - "'procps-ng' in ansible_facts.packages"
 
-- name: POST | Update usr sysctl
-  ansible.builtin.lineinfile:
-      dest: /usr/lib/sysctl.d/50-default.conf
-      regexp: "{{ item.regexp }}"
-      line: "{{ item.line }}"
-  loop:
-      - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
-      - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
-  when:
-      - rhel9cis_sysctl_update
-      - not system_is_container
-      - "'procps-ng' in ansible_facts.packages"
-
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers
 

tasks/post_remediation_audit.yml

@@ -28,7 +28,7 @@
 
       - name: Capture post-audit result
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+            post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}"
         vars:
             summary: summary."summary-line"
 

tasks/pre_remediation_audit.yml

@@ -95,7 +95,7 @@
 
       - name: Pre Audit | Capture pre-audit result
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+            pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}"
         vars:
             summary: summary."summary-line"
 

tasks/prelim.yml

@@ -97,7 +97,7 @@
 
 - name: "PRELIM | Section 1.1 | Create list of mount points"
   ansible.builtin.set_fact:
-      mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
+      mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
   tags:
       - level1-server
       - level1-workstation

tasks/section_4/cis_4.1.4.x.yml

@@ -64,12 +64,11 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
   ansible.builtin.file:
       path: "{{ item.path }}"
-      mode: '0640'
-  loop: "{{ auditd_conf_files.files }}"
+      mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
   when:
-      - item.mode != '06(0|4)0'
       - rhel9cis_rule_4_1_4_5
   tags:
       - level2-server
@@ -82,7 +81,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       owner: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
   when:
@@ -98,7 +97,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       group: root
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
   when:

tasks/section_6/cis_6.1.x.yml

@@ -173,7 +173,7 @@
 
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
         ansible.builtin.debug:
-            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel_09_6_1_10_unowned_files_found
 
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
@@ -220,7 +220,7 @@
 
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
         ansible.builtin.debug:
-            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel_09_6_1_11_ungrouped_files_found
 
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
@@ -277,7 +277,7 @@
 
       - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
         ansible.builtin.debug:
-            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel9_6_1_13_suid_found
 
       - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
@@ -320,7 +320,7 @@
 
       - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
         ansible.builtin.debug:
-            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
+            msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}"  # noqa jinja[invalid]
         when: rhel9_6_1_14_sgid_found
 
       - name: "6.1.14 | AUDIT | Audit SGID executables| warning"

vars/main.yml

@@ -16,4 +16,4 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0
 
-gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"
+gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"