From 444074df1e271f4a156a5233ca86d69f2c0ae1c8 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 14 Nov 2023 16:28:23 +0000
Subject: [PATCH 1/5] rhel7stig_boot_part variable now discovered
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 --
 tasks/prelim.yml | 15 +++------------
 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 5310cee1..d773ab60 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -693,8 +693,6 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
-rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
-
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 8bfaf00b..5c66c1a1 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -300,18 +300,6 @@
 - RHEL-07-031000
 - RHEL-07-031010
-- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions"
- ansible.builtin.shell: df --output=target /boot | tail -n 1
- changed_when: false
- check_mode: false
- register: rhel_07_boot_part
- when:
- - rhel_07_021350
- tags:
- - cat1
- - high
- - RHEL-07-021350
-
 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin."
 ansible.builtin.package:
 name: audispd-plugins
@@ -443,6 +431,7 @@
 rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat"
 rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}"
 rhel7stig_legacy_boot: false
+ rhel7stig_boot_part: /boot/efi
 when:
 - rhel7_efi_boot.stat.exists
 - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path
@@ -452,6 +441,7 @@
 rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos"
 rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}"
 rhel7stig_legacy_boot: false
+ rhel7stig_boot_part: /boot/efi
 when:
 - rhel7_efi_boot.stat.exists
 - ansible_distribution == 'CentOS'
@@ -461,6 +451,7 @@
 rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}"
 rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}"
 rhel7stig_legacy_boot: true
+ rhel7stig_boot_part: /boot
 when: not rhel7_efi_boot.stat.exists
 - name: PRELIM | output bootloader and efi state
From 6276776d77ab640872d7aba4365b765516d80110 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 14 Nov 2023 17:22:51 +0000
Subject: [PATCH 2/5] tidy up of rhel7stig_boot_part variable
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 ++
 tasks/prelim.yml | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index d773ab60..89b65ab1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -693,6 +693,8 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
+rhel7stig_boot_part: /boot
+
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 5c66c1a1..17fe42bb 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -431,7 +431,6 @@
 rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat"
 rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}"
 rhel7stig_legacy_boot: false
- rhel7stig_boot_part: /boot/efi
 when:
 - rhel7_efi_boot.stat.exists
 - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path
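Review bot: `rhel7stig_boot_part: /boot` in the defaults/main.yml hunk of patch 2 turns a discovered value into a fixed default, yet the variable is still used in tasks/fix-cat1.yml as `rhel7stig_boot_part not in ['/', '']` to decide whether /boot is a separate partition, so with the `df --output=target /boot` task removed in patch 1 the boot= patch for RHEL-07-021350 appears to run on every host unless the caller overrides the variable. That contradicts the "variable now discovered" wording of patch 1 and is a silent behaviour change for existing users of the role. If a static default is intended, state the contract above it: `# mount point that holds /boot; override with '/' (or '') when /boot is not a separate partition so RHEL-07-021350 does not add boot=`. Otherwise the value can be derived in prelim.yml from the `ansible_mounts` fact without a shell call, provided facts are gathered.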
@@ -441,7 +440,6 @@
 rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos"
 rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}"
 rhel7stig_legacy_boot: false
- rhel7stig_boot_part: /boot/efi
 when:
 - rhel7_efi_boot.stat.exists
 - ansible_distribution == 'CentOS'
@@ -451,7 +449,6 @@
 rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}"
 rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}"
 rhel7stig_legacy_boot: true
- rhel7stig_boot_part: /boot
 when: not rhel7_efi_boot.stat.exists
 - name: PRELIM | output bootloader and efi state
From ad3b174385559e249b5d644bb058c50bc660dc5f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 15 Nov 2023 17:23:22 +0000
Subject: [PATCH 3/5] changed logic on 20620
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 0355d7a5..efc68379 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1554,7 +1554,7 @@
 label: "{{ rhel7stig_passwd_label }}"
 when:
 - rhel_07_020620
- - rhel7stig_interactive_uid_start | int <= item.uid
+ - item.uid >= rhel7stig_interactive_uid_start | int
 tags:
 - RHEL-07-020620
 - CAT2
From 617e0084622f1fcdf8be449221d2a0c4ba8c98f4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 20 Nov 2023 18:23:48 +0000
Subject: [PATCH 4/5] updated logic for uuid
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat1.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index a46c1f74..37dd1f24 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
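Review bot: Swapping the operands in the tasks/fix-cat2.yml hunk of patch 3 does not change what is evaluated — the `| int` filter binds tighter than the comparison in either order, so `(x | int) <= item.uid` and `item.uid >= (x | int)` are the same test — and the condition still relies on `item.uid` already being a number. If the loop items are parsed from /etc/passwd (the `rhel7stig_passwd_label` label hints at that; the loop itself starts before the hunk) a string uid would make the comparison raise under Python 3 rather than skip the entry. Casting both sides, `- item.uid | int >= rhel7stig_interactive_uid_start | int`, makes the condition independent of how the uid was produced. The enclosing task starts outside the hunk.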
@@ -441,6 +441,7 @@
 - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line."
 block:
+ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line."
 ansible.builtin.replace:
 path: /etc/default/grub
@@ -456,6 +457,7 @@
 insert: true
 when:
 - rhel7stig_boot_part not in ['/', '']
+ - item.uuid is defined
 - not ansible_check_mode or
 rhel7_stig_grub_template is not changed
 notify: confirm grub2 user cfg
@@ -474,9 +476,9 @@
 - ansible_check_mode
 - rhel_07_021350_audit is failed
 failed_when:
- - rhel_07_021350_audit is failed
- - not ansible_check_mode or
- rhel_07_021350_audit.rc > 1
+ - rhel_07_021350_audit.rc not in [ 0, 1 ]
+ - not ansible_check_mode
+
 when:
 - not ansible_check_mode or
 rhel7_stig_grub_template is not changed
From 6e7329b786396c601791d3221e9a2ba4f76e5dac Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 21 Nov 2023 14:06:20 +0000
Subject: [PATCH 5/5] removed extra line
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat1.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 37dd1f24..a8dab97d 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -441,7 +441,6 @@
 - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line."
 block:
- - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line."
 ansible.builtin.replace:
 path: /etc/default/grub
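Review bot: The rewritten `failed_when` in the third tasks/fix-cat1.yml hunk of patch 4 can never fire under check mode: its two list items are ANDed and `- not ansible_check_mode` is false there, whereas the old expression still failed on `rc > 1` in check mode. A return code other than 0 or 1 usually means the audit command itself broke rather than "not found", which seems worth surfacing in both modes; if so, the single item `- rhel_07_021350_audit.rc not in [ 0, 1 ]` is enough and the `not ansible_check_mode` line (and the added blank line before `when:`) can go. For the `- item.uuid is defined` guard in the second hunk, a short comment explaining why entries without a uuid are skipped would help the next reader, since the loop that supplies `item` is outside the hunk. Both enclosing tasks start outside their hunks.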