March 24 updates (#356)

* added conditional to user password check #354 thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <[email protected]>

* updated logic to check root passwd locked

Signed-off-by: Mark Bolwell <[email protected]>

* Updated

Signed-off-by: Mark Bolwell <[email protected]>

* lint and audit order change

Signed-off-by: Mark Bolwell <[email protected]>

* updated for documentation format

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

Changelog.md

@@ -4,6 +4,17 @@
 
 ### This is not an upgrade for CIS v2.0.0 due to the number of changes treat as a new baseline
 
+### Changes and improvements (March24)
+
+thanks to @bbaassssiiee
+
+- #353
+- #354
+
+Audit and audit_only changed to run prior to any significant changes
+
+#### Initial
+
 Inline with new CIS baseline
 Rewrite and ordering of nearly all controls
 Many new controls added

defaults/main.yml

@@ -492,7 +492,7 @@ rhel8cis_selinux_policy: targeted
 
 # 1.6 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 rhel8cis_crypto_policy: 'DEFAULT'
-# Added module to be allowed as default setting (Allowed options in vars/main.yml)
+# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)
 rhel8cis_crypto_policy_module: ''
 
 # 1.7

tasks/audit_only.yml

@@ -1,22 +1,22 @@
 ---
 
 - name: Audit_Only | Create local Directories for hosts
+  when: fetch_audit_files
   ansible.builtin.file:
       mode: '0755'
       path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
       recurse: true
       state: directory
-  when: fetch_audit_files
   delegate_to: localhost
   become: false
 
 - name: Audit_only | Get audits from systems and put in group dir
+  when: fetch_audit_files
   ansible.builtin.fetch:
       dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
       flat: true
       mode: '0644'
       src: "{{ pre_audit_outfile }}"
-  when: fetch_audit_files
 
 - name: Audit_only | Show Audit Summary
   when:

tasks/main.yml

@@ -53,7 +53,7 @@
       - always
   block:
       - name: Ensure root password is set
-        ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
+        ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked|root\s(LK|L)\s)"
         changed_when: false
         failed_when: false
         register: root_passwd_set
@@ -91,6 +91,7 @@
       - ansible_env.SUDO_USER is defined
       - not system_is_ec2
       - not audit_only
+      - rhel8cis_rule_4_3_4
   block:
       - name: Capture current password state of connecting user"
         ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
@@ -105,7 +106,7 @@
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
         vars:
-            sudo_password_rule: rhel8cis_rule_5_3_4  # pragma: allowlist secret
+            sudo_password_rule: rhel8cis_rule_4_3_4  # pragma: allowlist secret
 
 - name: Include prelim tasks
   tags:
@@ -114,25 +115,6 @@
   ansible.builtin.import_tasks:
       file: prelim.yml
 
-- name: Include audit specific variables
-  when:
-      - run_audit or audit_only
-      - setup_audit
-  tags:
-      - setup_audit
-      - run_audit
-  ansible.builtin.include_vars:
-      file: audit.yml
-
-- name: Include pre-remediation audit tasks
-  when:
-      - run_audit or audit_only
-      - setup_audit
-  tags:
-      - run_audit
-  ansible.builtin.import_tasks:
-      file: pre_remediation_audit.yml
-
 - name: Gather the package facts after prelim
   tags:
       - always

tasks/post_remediation_audit.yml

@@ -1,14 +1,14 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g {{ group_names }}"
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
       AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
       AUDIT_FILE: goss.yml
 
-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
   ansible.builtin.file:
       path: "{{ item }}"
       mode: '0644'
@@ -21,12 +21,12 @@
   when:
       - audit_format == "json"
   block:
-      - name: capture data {{ post_audit_outfile }}
+      - name: Post Audit | Capture data {{ post_audit_outfile }}
         ansible.builtin.shell: cat {{ post_audit_outfile }}
         register: post_audit
         changed_when: false
 
-      - name: Capture post-audit result
+      - name: Post Audit | Capture post-audit result
         ansible.builtin.set_fact:
             post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
         vars:
@@ -36,7 +36,7 @@
   when:
       - audit_format == "documentation"
   block:
-      - name: Post Audit | capture data {{ post_audit_outfile }}
+      - name: Post Audit | Capture data {{ post_audit_outfile }}
         ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
         register: post_audit
         changed_when: false

tasks/pre_remediation_audit.yml

@@ -77,7 +77,7 @@
       mode: '0600'
 
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"