ansible-lockdown · uk-bolly · Aug 13, 2024 · Aug 9, 2024 · Aug 9, 2024 · Aug 9, 2024
diff --git a/.config/requirements.txt b/.config/requirements.txt
@@ -1,5 +1,4 @@
 passlib
 lxml
 xmltodict
-jmespath
 yamllint
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
@@ -22,7 +22,7 @@
   when:
       - audit_only
   ansible.builtin.debug:
-      msg: "The Audit results are: {{ pre_audit_summary }}."
+      msg: "{{ audit_results.split('\n') }}"
 
 - name: Audit_only | Stop Playbook Audit Only selected
   when:

diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
@@ -35,7 +35,7 @@
       - audit_format == "documentation"
   block:
       - name: Post Audit | Capture audit data if documentation format
-        ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
+        ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}"  | tac | tr '\n' ' '
         register: post_audit_summary
         changed_when: false
 

diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
@@ -23,7 +23,7 @@
             "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
         ansible.builtin.file:
             path: "{{ audit_discovered_logfile.stdout }}"
-            mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
+            mode: 'u-x,g-rw,o-rwx'
             owner: root
             group: root
   when:
@@ -50,7 +50,7 @@
         ansible.builtin.file:
             path: "{{ audit_discovered_logfile.stdout | dirname }}"
             state: directory
-            mode: '0750'
+            mode: 'g-w,o-rwx'
         when: not auditlog_dir.stat.mode is match('07(0|5)0')
   when:
       - rhel9cis_rule_4_1_4_4
@@ -64,7 +64,9 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
   ansible.builtin.file:
       path: "{{ item.path }}"
-      mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+      mode: 'u-x,g-wx,o-rwx'
+  failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]'
+  register: rhel9cis_4_1_4_5_file_list
   loop: "{{ auditd_conf_files.files }}"
   loop_control:
       label: "{{ item.path }}"
@@ -81,6 +83,8 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       owner: root
+  failed_when: rhel9cis_4_1_4_6_file_list.state not in '[ file, absent ]'
+  register: rhel9cis_4_1_4_6_file_list
   loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
@@ -97,6 +101,8 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       group: root
+  failed_when: rhel9cis_4_1_4_7_file_list.state not in '[ file, absent ]'
+  register: rhel9cis_4_1_4_7_file_list
   loop: "{{ auditd_conf_files.files | default([]) }}"
   loop_control:
       label: "{{ item.path }}"
@@ -126,8 +132,7 @@
       - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
         ansible.builtin.file:
             path: "{{ item.item }}"
-            mode: '0750'
-
+            mode: 'go-w'
         loop: "{{ audit_bins.results }}"
         loop_control:
             label: "{{ item.item }}"

diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
@@ -14,6 +14,8 @@
         ansible.builtin.file:
             path: "{{ item.path }}"
             mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+        failed_when: rhel9cis_4_2_3_file_list.state not in '[ file, absent ]'
+        register: rhel9cis_4_2_3_file_list
         loop: "{{ logfiles.files }}"
         loop_control:
             label: "{{ item.path }}"

diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -150,7 +150,7 @@
 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist"
   block:
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
-        ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
+        ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser -not -fstype nfs
         changed_when: false
         failed_when: false
         check_mode: false
@@ -162,28 +162,21 @@
             - item['device'].startswith('/dev')
             - not 'bind' in item['options']
 
-      - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
+      - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use"
         ansible.builtin.set_fact:
-            rhel_09_6_1_10_unowned_files_found: true
-        loop: "{{ rhel_09_6_1_10_audit.results }}"
-        when:
-            - item | length > 0
-            - item.stdout is defined  # skipped items are part of results list, but don't have the registered module properties
-            - item.stdout | length > 0
+            discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}"
 
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
         ansible.builtin.debug:
-            msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}"
-        when: rhel_09_6_1_10_unowned_files_found
+            msg: "Warning!! Missing owner on items in {{ discovered_unowned_files_flatten }}"
+        when: discovered_unowned_files_flatten | length > 0
 
       - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
         ansible.builtin.import_tasks:
             file: warning_facts.yml
         vars:
             warn_control_id: '6.1.10'
-        when: rhel_09_6_1_10_unowned_files_found
-  vars:
-      rhel_09_6_1_10_unowned_files_found: false
+        when: discovered_unowned_files_flatten | length > 0
   when:
       - rhel9cis_rule_6_1_10
   tags:
@@ -209,28 +202,21 @@
             - item['device'].startswith('/dev')
             - not 'bind' in item['options']
 
-      - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
+      - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use"
         ansible.builtin.set_fact:
-            rhel_09_6_1_11_ungrouped_files_found: true
-        loop: "{{ rhel_09_6_1_11_audit.results }}"
-        when:
-            - item | length > 0
-            - item.stdout is defined  # skipped items are part of results list, but don't have the registered module properties
-            - item.stdout | length > 0
+            discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}"
 
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
         ansible.builtin.debug:
-            msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}"
-        when: rhel_09_6_1_11_ungrouped_files_found
+            msg: "Warning!! Missing group on items in {{ discovered_ungrouped_files_flatten }}"
+        when: discovered_ungrouped_files_flatten | length > 0
 
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
         ansible.builtin.import_tasks:
             file: warning_facts.yml
         vars:
             warn_control_id: '6.1.11'
-        when: rhel_09_6_1_11_ungrouped_files_found
-  vars:
-      rhel_09_6_1_11_ungrouped_files_found: false
+        when: discovered_ungrouped_files_flatten | length > 0
   when:
       - rhel9cis_rule_6_1_11
   tags: