Merge pull request #325 from ansible-lockdown/Oct23_issues

Oct23 issues
ansible-lockdown · Oct 24, 2023 · 9df7942 · 9df7942
2 parents 1ff04af + 2ac4e23
commit 9df7942
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 20 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,18 @@
 # Changes to rhel8CIS
 
+## 1.5.14 based on CIS v2.0.0
+
+- audit updates
+  - pre and post and format type updates
+  - #323 thanks to @cobrin preserve copied audit files permissions
+  - python 3 only
+
+- journald
+  - #320 thanks to @bbbbaassiieeee set files even if rsyslog chosen
+
+- home directories files change links
+  - #322 thanks to @mballon
+
 ## 1.5.13
 
 - Improvements for workflow and new pipeline methods

diff --git a/README.md b/README.md
@@ -12,7 +12,6 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)

diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -1,8 +1,14 @@
 ---
 
 collections:
-- name: community.general
+    - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
-- name: community.crypto
+    - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
-- name: ansible.posix
+    - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -15,19 +15,10 @@
 
 - name: Pre Audit | If using git for content set up
   block:
-      - name: Pre Audit | Install git (rh8 python3)
+      - name: Pre Audit | Install git
         ansible.builtin.package:
             name: git
             state: present
-        when: ansible_distribution_major_version == '8'
-
-      - name: Pre Audit | Install git (rh7 python2)
-        ansible.builtin.package:
-            name: git
-            state: present
-        vars:
-            ansible_python_interpreter: "{{ python2_bin }}"
-        when: ansible_distribution_major_version == '7'
 
       - name: Pre Audit | retrieve audit content files from git
         ansible.builtin.git:
@@ -41,7 +32,7 @@
   ansible.builtin.copy:
       src: "{{ audit_local_copy }}"
       dest: "{{ audit_conf_dir }}"
-      mode: 0644
+      mode: preserve
   when:
       - audit_content == 'copy'
 

diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
@@ -14,7 +14,6 @@
         with_items:
             - net.ipv6.conf.all.disable_ipv6
             - net.ipv6.conf.default.disable_ipv6
-            - net.ipv6.conf.lo.disable_ipv6
 
       - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system | disable localhost sysctl"
         ansible.posix.sysctl:

diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml
@@ -6,6 +6,7 @@
       state: present
   when:
       - rhel8cis_rule_4_2_2_1_1
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation
@@ -27,6 +28,7 @@
       - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel8cis_journal_trustedcertificatefile }}'}
   when:
       - rhel8cis_rule_4_2_2_1_2
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation
@@ -43,6 +45,7 @@
   when:
       - rhel8cis_system_is_log_server
       - rhel8cis_rule_4_2_2_1_3
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation
@@ -60,6 +63,7 @@
   when:
       - not rhel8cis_system_is_log_server
       - rhel8cis_rule_4_2_2_1_4
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation
@@ -95,6 +99,7 @@
         when: "'static' not in rhel8cis_4_2_2_2_status.stdout"
   when:
       - rhel8cis_rule_4_2_2_2
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation
@@ -147,6 +152,7 @@
   notify: restart systemd_journal_upload
   when:
       - rhel8cis_rule_4_2_2_5
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level2-workstation
@@ -169,6 +175,7 @@
       - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel8cis_journald_maxfilesec }}'}
   when:
       - rhel8cis_rule_4_2_2_6
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation
@@ -211,6 +218,7 @@
             warn_control_id: '4.2.2.7'
   when:
       - rhel8cis_rule_4_2_2_7
+      - rhel8cis_syslog == 'journald'
   tags:
       - level1-server
       - level1-workstation

diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
@@ -19,7 +19,6 @@
 
 - name: "SECTION | 4.2.2.x| Configure journald"
   ansible.builtin.import_tasks: cis_4.2.2.x.yml
-  when: rhel8cis_syslog == 'journald'
 
 - name: "SECTION | 4.2.3 | Configure logile perms"
   ansible.builtin.import_tasks: cis_4.2.3.yml

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
@@ -238,7 +238,7 @@
         with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int ) | map(attribute='dir') | list }}"
 
       - name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
-        ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
+        ansible.builtin.shell: find -H {{ item.0 | quote }} -type d -not -type l -perm /027
         check_mode: false
         changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0
         register: rhel_08_6_2_9_patch_audit
@@ -254,7 +254,7 @@
       - name: "6.2.9 | PATCH | Ensure all users' home directories exist"
         ansible.builtin.file:
             path: "{{ item.0 }}"
-            recurse: true
+            recurse: false
             mode: a-st,g-w,o-rwx
         register: rhel_08_6_2_9_patch
         when:
@@ -327,7 +327,7 @@
         register: rhel_08_6_2_11_audit
 
       - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
-        ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
+        ansible.builtin.shell: find -H {{ item.0 | quote }} type -d -not -type l -perm /027
         check_mode: false
         changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0
         register: rhel_08_6_2_11_patch_audit
@@ -345,6 +345,7 @@
             path: "{{ item.0 }}"
             recurse: true
             mode: a-st,g-w,o-rwx
+            follow: false
         register: rhel_08_6_2_11_patch
         when:
             - not ansible_check_mode