moved check_mode
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Nov 1, 2024
1 parent 18f123f commit aa0be1c
Showing 2 changed files with 20 additions and 20 deletions.
6 changes: 3 additions & 3 deletions tasks/fix-cat1.yml
Expand Up @@ -573,8 +573,8 @@
block:
- name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files."
ansible.builtin.shell: find / -xdev -not -fstype nfs -name '.shosts'
check_mode: false
changed_when: false
check_mode: false
register: rhel_07_040540_audit

- name: "HIGH | RHEL-07-040540 | PATCH | The Red Hat Enterprise Linux operating system must not contain .shosts files."
Expand All @@ -598,8 +598,8 @@
block:
- name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."
ansible.builtin.shell: find / -xdev -not -fstype nfs -name 'shosts.equiv'
check_mode: false
changed_when: false
check_mode: false
register: rhel_07_040550_audit

- name: "HIGH | RHEL-07-040550 | PATCH | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."
Expand Down Expand Up @@ -667,9 +667,9 @@
block:
- name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."
ansible.builtin.shell: grep {{ item }} /etc/snmp/snmpd.conf
check_mode: false
failed_when: false
changed_when: false
check_mode: false
register: rhel_07_040800_audit
with_items:
- public
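Review bot: `{{ item }}` in `ansible.builtin.shell: grep {{ item }} /etc/snmp/snmpd.conf` is interpolated into a shell command unquoted, so a community-string value containing shell metacharacters would be reinterpreted rather than searched for; `grep {{ item | quote }} /etc/snmp/snmpd.conf` avoids that and matches the `| quote` already used in tasks/fix-cat2.yml. Since the command uses no pipes or redirects, `ansible.builtin.command` would do the same job without a shell at all. `failed_when: false` also hides grep's rc 2 (config file missing or unreadable), so whatever later consumes `rhel_07_040800_audit` should presumably treat only rc 0 as a finding — that consumer is not visible here. The `with_items` list continues past the hunk.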
34 changes: 17 additions & 17 deletions tasks/fix-cat2.yml
Expand Up @@ -610,14 +610,14 @@
block:
- name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
check_mode: false
changed_when: false
check_mode: false
register: rhel_07_010240_audit

- name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
ansible.builtin.shell: chage -m 1 {{ item }}
check_mode: false
changed_when: true
check_mode: false
with_items:
- "{{ rhel_07_010240_audit.stdout_lines }}"
when:
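Review bot: `check_mode: false` on the PATCH task (`ansible.builtin.shell: chage -m 1 {{ item }}`) makes a write to /etc/shadow execute even under `--check`, so a dry run of this role changes password ageing; the relocation keeps that behaviour rather than addressing it. Unless running in check mode is deliberate, drop `check_mode: false` from the PATCH task and keep it only on the AUDIT task, which has to run so `rhel_07_010240_audit` is registered for the PATCH's `with_items`. While here, `chage -m 1 {{ item | quote }}` would match the quoting this file already uses at `find -H {{ item.0 | quote }}`. The PATCH task's `when:` list continues past the hunk.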
Expand Down Expand Up @@ -653,8 +653,8 @@
block:
- name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
check_mode: false
changed_when: false
check_mode: false
register: rhel_07_010260_audit

- name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user."
Expand Down Expand Up @@ -1428,9 +1428,9 @@
block:
- name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts."
ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd"
check_mode: false
failed_when: rhel_07_020270_audit.rc > 1
changed_when: rhel_07_020270_audit.rc == 0
check_mode: false
register: rhel_07_020270_audit
with_items:
- "{{ rhel7stig_unnecessary_accounts }}"
Expand Down Expand Up @@ -1465,9 +1465,9 @@
block:
- name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."
ansible.builtin.shell: find "{{ item }}" -xdev -nouser
check_mode: false
failed_when: false
changed_when: false
check_mode: false
register: rhel_07_020320_audit
with_items:
- "{{ prelim_local_mount_names }}"
Expand Down Expand Up @@ -1497,9 +1497,9 @@
block:
- name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."
ansible.builtin.shell: find "{{ item }}" -xdev -nogroup
check_mode: false
failed_when: false
changed_when: false
check_mode: false
register: rhel_07_020330_audit
with_items:
- "{{ prelim_local_mount_names }}"
Expand Down Expand Up @@ -1632,8 +1632,8 @@
block:
- name: "MEDIUM | RHEL-07-020660 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."
ansible.builtin.shell: "{{ find_command_base }} -print -quit"
check_mode: false
changed_when: rhel_07_020660_audit.stdout |length > 0
check_mode: false
register: rhel_07_020660_audit
with_items: "{{ rhel7stig_passwd }}"
loop_control:
Expand Down Expand Up @@ -1669,8 +1669,8 @@
block:
- name: "MEDIUM | RHEL-07-020670 | AUDIT | Get all GIDs for each user."
ansible.builtin.shell: id -G "{{ item.id }}"
check_mode: false
changed_when: false
check_mode: false
register: rhel_07_all_gid_audit
with_items:
- "{{ rhel7stig_passwd }}"
Expand All @@ -1679,8 +1679,8 @@

- name: "MEDIUM | RHEL-07-020670 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
ansible.builtin.shell: "{{ find_command_base }} -print -quit"
check_mode: false
changed_when: rhel_07_020670_audit.stdout| length > 0
check_mode: false
register: rhel_07_020670_audit
with_items:
- "{{ rhel_07_all_gid_audit.results }}"
Expand Down Expand Up @@ -1725,8 +1725,8 @@

- name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_07_020680_patch_audit.stdout| length > 0
check_mode: false
register: rhel_07_020680_patch_audit
with_together:
- "{{ rhel_07_020680_audit.results | map(attribute='item') | list }}"
Expand Down Expand Up @@ -1785,8 +1785,8 @@
block:
- name: "MEDIUM | RHEL-07-020690 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."
ansible.builtin.shell: "{{ find_command_base }} -print -quit"
check_mode: false
changed_when: rhel_07_020690_audit.stdout | length > 0
check_mode: false
register: rhel_07_020690_audit
with_items:
- "{{ rhel7stig_passwd }}"
Expand Down Expand Up @@ -1823,8 +1823,8 @@
block:
- name: "MEDIUM | RHEL-07-020700 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."
ansible.builtin.shell: "{{ find_command_base }} -print -quit"
check_mode: false
changed_when: rhel_07_020700_audit.stdout| length > 0
check_mode: false
register: rhel_07_020700_audit
with_items:
- "{{ rhel7stig_passwd }}"
Expand Down Expand Up @@ -2220,9 +2220,9 @@
block:
- name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
ansible.builtin.shell: "systemctl show kdump | grep LoadState | cut -d = -f 2"
register: rhel_07_021300_kdump_service_status
changed_when: false
check_mode: false
register: rhel_07_021300_kdump_service_status

- name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
ansible.builtin.service:
Expand Down Expand Up @@ -3352,9 +3352,9 @@
"MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
"MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
ansible.builtin.shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d'
check_mode: false
failed_when: false
changed_when: false
check_mode: false
register: rhel_07_040180_audit
- name: |
Expand Down Expand Up @@ -4105,8 +4105,8 @@
block:
- name: "MEDIUM | RHEL-07-040680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."
ansible.builtin.shell: "/usr/sbin/postconf -n smtpd_client_restrictions"
check_mode: false
changed_when: false
check_mode: false
register: rhel_07_040680_postconf_audit
when: "'postfix' in ansible_facts.packages"

Expand Down Expand Up @@ -4231,10 +4231,10 @@
block:
- name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
ansible.builtin.shell: cat /etc/fstab | grep nfs
register: rhel_07_040750_nfssec_check
changed_when: false
failed_when: false
check_mode: false
register: rhel_07_040750_nfssec_check

- name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
ansible.builtin.debug:
Expand Down Expand Up @@ -4361,13 +4361,13 @@
block:
- name: "MEDIUM | RHEL-07-041002 | AUDIT | Check if pam service is configured in sssd file"
ansible.builtin.shell: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf'
check_mode: false
changed_when:
- sssd_services_check.rc == 1
- not rhel7stig_skip_for_travis
failed_when: false
# todo: only run if sssd installed and config file present
# failed_when: sssd_services_check.rc > 1
check_mode: false
register: sssd_services_check

- name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."
