Issues March24 (#366)

* #359 addressed thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* sysctl matches requirement & handler added

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* container updated and cautions updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issues #360 addressed thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added #361 ensure local interface on 3.4.2.2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issue #363 addressed

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* variable naming and lint

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* variable naming and lint

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated handler

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* variable naming and lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix issues with pam_unix

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added extra options

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issue #365 addressed

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed commenting alternate file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated var name to discovered

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* renamed variable tomake it clearer

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated discovered variable naming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated variable naming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

Changelog.md

@@ -6,10 +6,19 @@
 
 ### Changes and improvements (March24)
 
+Changes to variable naming for those variables discovered
+some lint updates
+
 thanks to @bbaassssiiee
 
 - #353
 - #354
+- #359
+- #360
+- #361
+- #363
+- #364
+- #365
 
 Audit and audit_only changed to run prior to any significant changes
 

README.md

@@ -47,13 +47,19 @@ Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to a
 
 This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
 
-Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.
+- Testing is the most important thing you can do.
 
-This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
+- Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.
 
-To use release version please point to main branch and relevant release for the cis benchmark you wish to work with.
+- This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
 
-If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade.
+- To use release version please point to main branch and relevant release/tag for the cis benchmark you wish to work with.
+
+- If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade.
+
+- Containers references vars/is_container.yml this is an example and to be updated for your requirements
+
+- Did we mention testing??
 
 ---
 

defaults/main.yml

@@ -705,10 +705,10 @@ rhel8cis_pass:
  warn_age: 7
 
 ## Set the following to true if you wish to adjust accounts greater than rhel8cis_pass['max_days']
-rhel8cis_4_5_1_2_set_max_expiry: false
+rhel8cis_set_max_expiry: false
 
 ## Add users to be skipped if required
-rhel8cis_4_5_1_2_user_skip_list:
+rhel8cis_user_skip_list:
  root
 
 rhel8cis_root_umask: '0027' # 0027 or more restrictive

handlers/main.yml

@@ -15,6 +15,9 @@
  masked: false
  state: reloaded
 
+- name: Reload_sysctl
+ ansible.builtin.shell: sysctl --system
+
 - name: Sysctl_flush_ipv4_routes
  ansible.posix.sysctl:
  name: net.ipv4.route.flush
@@ -71,7 +74,7 @@
  state: restarted
 
 - name: Rebuild_grub
- ansible.builtin.shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
+ ansible.builtin.shell: "grub2-mkconfig -o {{ discovered_grub_cfg.stat.lnk_source }}"
  ignore_errors: true # noqa ignore-errors
  notify: Change_requires_reboot
  tags:
@@ -91,14 +94,14 @@
 - name: Auditd_immutable_check
  ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
  changed_when: false
- register: auditd_immutable_check
+ register: discovered_auditd_immutable_check
 
 - name: Audit_immutable_fact
  ansible.builtin.debug:
  msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Change_requires_reboot
  when:
- - auditd_immutable_check.stdout == '1'
+ - discovered_auditd_immutable_check.stdout == '1'
 
 - name: Restart_auditd
  ansible.builtin.shell: /sbin/service auditd restart

tasks/auditd.yml

@@ -1,13 +1,12 @@
 ---
 
-- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
+- name: POST | AUDITD | Apply auditd template will for section 5.2.3 - only required rules will be added
  ansible.builtin.template:
  src: audit/99_auditd.rules.j2
  dest: /etc/audit/rules.d/99_auditd.rules
  owner: root
  group: root
- mode: 0600
- register: audit_rules_updated
+ mode: '0600'
  notify:
  - Auditd_immutable_check
  - Audit_immutable_fact

tasks/main.yml

@@ -56,11 +56,11 @@
  ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked|root\s(LK|L)\s)"
  changed_when: false
  failed_when: false
- register: root_passwd_set
+ register: discovered_root_passwd_set
 
  - name: Ensure root password is set
  ansible.builtin.assert:
- that: root_passwd_set.rc == 0
+ that: discovered_root_passwd_set.rc == 0
  fail_msg: "You have rule 4.5.2.4 enabled this requires that you have a root password set"
  success_msg: "You have a root password set"
 
@@ -98,11 +98,11 @@
  changed_when: false
  failed_when: false
  check_mode: false
- register: ansible_user_password_set
+ register: discovered_ansible_user_password_set
 
  - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
  ansible.builtin.assert:
- that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
+ that: discovered_ansible_user_password_set.stdout | length != 0 and discovered_ansible_user_password_set.stdout != "!!"
  fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
  success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
  vars:

tasks/parse_etc_password.yml

@@ -6,12 +6,12 @@
  ansible.builtin.shell: cat /etc/passwd
  changed_when: false
  check_mode: false
- register: rhel8cis_passwd_file_audit
+ register: discovered_passwd_file_audit
 
  - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
  ansible.builtin.set_fact:
- rhel8cis_passwd: "{{ rhel8cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
- with_items: "{{ rhel8cis_passwd_file_audit.stdout_lines }}"
+ rhel8cis_passwd: "{{ discovered_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
+ with_items: "{{ discovered_passwd_file_audit.stdout_lines }}"
  vars:
  ld_passwd_regex: >-
  ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)

tasks/post_remediation_audit.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
  changed_when: true
  environment:
  AUDIT_BIN: "{{ audit_bin }}"
@@ -23,12 +23,12 @@
  block:
  - name: Post Audit | Capture data {{ post_audit_outfile }}
  ansible.builtin.shell: cat {{ post_audit_outfile }}
- register: post_audit
+ register: discovered_post_audit
  changed_when: false
 
  - name: Post Audit | Capture post-audit result
  ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+ post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
  vars:
  summary: summary."summary-line"
 
@@ -38,9 +38,9 @@
  block:
  - name: Post Audit | Capture data {{ post_audit_outfile }}
  ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
- register: post_audit
+ register: discovered_post_audit
  changed_when: false
 
  - name: Post Audit | Capture post-audit result
  ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout_lines }}"
+ post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"

tasks/pre_remediation_audit.yml

@@ -58,11 +58,11 @@
  - name: Pre Audit Setup | Check for goss file
  ansible.builtin.stat:
  path: "{{ audit_bin }}"
- register: goss_available
+ register: discovered_goss_available
 
  - name: Pre Audit Setup | If audit ensure goss is available
  ansible.builtin.assert:
- that: goss_available.stat.exists
+ that: discovered_goss_available.stat.exists
  msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
@@ -77,7 +77,7 @@
  mode: '0600'
 
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
  changed_when: true
  environment:
  AUDIT_BIN: "{{ audit_bin }}"
@@ -88,29 +88,29 @@
  when:
  - audit_format == "json"
  block:
- - name: capture data {{ pre_audit_outfile }}
+ - name: Pre Audit | Capture data {{ pre_audit_outfile }}
  ansible.builtin.shell: cat {{ pre_audit_outfile }}
- register: pre_audit
+ register: discovered_pre_audit
  changed_when: false
 
  - name: Pre Audit | Capture pre-audit result
  ansible.builtin.set_fact:
- pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+ pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
  vars:
  summary: summary."summary-line"
 
 - name: Pre Audit | Capture audit data if documentation format
  when:
  - audit_format == "documentation"
  block:
- - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format
+ - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
  ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
- register: pre_audit
+ register: discovered_pre_audit
  changed_when: false
 
  - name: Pre Audit | Capture pre-audit result | documentation format
  ansible.builtin.set_fact:
- pre_audit_summary: "{{ pre_audit.stdout_lines }}"
+ pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
 
 - name: Audit_Only | Run Audit Only
  when: