Issue #57, #58, #59 fixes and handler items from PR #51

Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Oct 18, 2021 · 1e8f9a3 · 1e8f9a3
1 parent 817bce1
commit 1e8f9a3
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 9 deletions.
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -33,16 +33,17 @@
 
 - name: confirm grub2 user cfg
   stat:
-      path: /boot/grub2/user.cfg
+      path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
+  changed_when: rhel8stig_grub2_user_cfg.stat.exists
   register: rhel8stig_grub2_user_cfg
   notify: make grub2 config
 
 - name: make grub2 config
   command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_grub_cfg_path }}
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
-      - not rhel7stig_skip_for_travis
-      - not rhel7stig_system_is_container
+      - rhel8stig_grub2_user_cfg.stat.exists
+      - not rhel8stig_skip_for_travis
+      - not rhel8stig_system_is_container
 
 - name: copy grub2 config to BIOS/UEFI to satisfy benchmark
   listen: make grub2 config

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -1194,11 +1194,12 @@
       path: '{{ rhel8stig_sssd_conf }}'
       regexp: '^certificate_verification = {{ item.regexp }}'
       state: "{{ item.state }}"
+      line: "{{ item.line | default(omit) }}"
   with_items:
       - { regexp: 'no_ocsp, no_verification', state: absent }
       - { regexp: 'no_ocsp', state: absent }
       - { regexp: 'no_verification', state: absent }
-      - { regexp: 'ocsp_dgst=sha1', state: present }
+      - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' }
   notify: restart sssd
   when:
       - rhel8stig_sssd_conf_present.stat.exists
@@ -1269,6 +1270,9 @@
 
       - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active"
         shell: grubby --update-kernel=ALL --args="page_poison=1"
+        when:
+            - (ansible_proc_cmdline.page_poison is defined and ansible_proc_cmdline.page_poison != '1') or
+              (ansible_proc_cmdline.page_poison is not defined)
 
       - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist"
         lineinfile:
@@ -5618,8 +5622,7 @@
       - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
       - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
       - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
-      - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
-      - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+      - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
       - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
   when:
       - rhel_08_030650

diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2
@@ -314,8 +314,7 @@ DATAONLY =  FIPSR
 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
-/usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
-/usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512