From da144c22d4117630135d12771fe029ac1d4eee9c Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 13 Dec 2022 15:50:48 -0500
Subject: [PATCH] updates for #244 mount tasks
Signed-off-by: George Nalen
---
tasks/section_1/cis_1.1.3.x.yml | 26 ++++++--------------------
tasks/section_1/cis_1.1.4.x.yml | 27 ++++++---------------------
tasks/section_1/cis_1.1.5.x.yml | 27 +++++++--------------------
tasks/section_1/cis_1.1.6.x.yml | 27 +++++++--------------------
tasks/section_1/cis_1.1.7.x.yml | 27 +++++++--------------------
5 files changed, 33 insertions(+), 101 deletions(-)
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
index 73a99684..efd81cfe 100644
--- a/tasks/section_1/cis_1.1.3.x.yml
+++ b/tasks/section_1/cis_1.1.3.x.yml
@@ -2,29 +2,16 @@
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var"
block:
- - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
+ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent"
debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
- register: var_mount_absent
- changed_when: var_mount_absent.skipped is undefined
- when:
- - required_mount not in mount_names
+ msg: "Warning!! /var does not exist, which is not STIG compliant. This is a manual task remediate"
+ when: "'/var' not in mount_names"
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
- when:
- - required_mount not in mount_names
-
- - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
- debug:
- msg: "Congratulations: {{ required_mount }} exists."
- register: var_mount_present
- when:
- - required_mount in mount_names
- vars:
- required_mount: '/var'
+ when: "'/var' not in mount_names"
when:
- rhel8cis_rule_1_1_3_1
tags:
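Review bot: The new warning string on the added `msg:` line ends in `This is a manual task remediate`, which reads as a truncated sentence, and it calls the missing partition `not STIG compliant` although the variables and rule names in this role are CIS (`rhel8cis_rule_1_1_3_1`); if the role is indeed CIS-based, suggest `msg: "Warning!! /var does not exist, which is not CIS compliant. This is a manual task to remediate"`. The same string is introduced in the first hunk of cis_1.1.4.x.yml, cis_1.1.5.x.yml, cis_1.1.6.x.yml and cis_1.1.7.x.yml and should be corrected there as well. Dropping the `changed_when` from the debug task also means the warning no longer shows as a changed task in the play recap; if that signal was relied on for compliance reporting, keep a `changed_when: true` on the warn task.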
@@ -46,15 +33,14 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %}
+ notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
- notify: change_requires_reboot
when:
- - var_mount_present is defined
+ - "'/var' in mount_names"
- item.mount == "/var"
- - rhel8cis_rule_1_1_3_1 # This is required so the check takes place
- rhel8cis_rule_1_1_3_2 or rhel8cis_rule_1_1_3_3 or rhel8cis_rule_1_1_3_4
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
index f6026941..39440af3 100644
--- a/tasks/section_1/cis_1.1.4.x.yml
+++ b/tasks/section_1/cis_1.1.4.x.yml
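Review bot: The added `- "'/var' in mount_names"` condition appears redundant with the existing `- item.mount == "/var"` directly below it if `mount_names` is derived from the same `ansible_mounts` list the task loops over (where `mount_names` is set is not in this diff, so this is inferred). If both are intentional, a one-line comment such as `# both checks: mount_names gates on a separate partition, item.mount selects the fstab entry` would keep the next reader from removing one; otherwise drop the first. The same pair is introduced in the second hunk of cis_1.1.4.x.yml and the third hunk of cis_1.1.5.x.yml. Removing `rhel8cis_rule_1_1_3_1` from the list means the option hardening now runs even when the audit rule is disabled, which is a behaviour change worth calling out in the task name or a comment.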
@@ -1,31 +1,17 @@
---
-# Skips if mount is absent
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp"
block:
- - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
+ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent"
debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
- register: var_tmp_mount_absent
- changed_when: var_tmp_mount_absent.skipped is undefined
- when:
- - required_mount not in mount_names
+ msg: "Warning!! /var/tmp does not exist, which is not STIG compliant. This is a manual task remediate"
+ when: "'/var/tmp' not in mount_names"
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
- when:
- - required_mount not in mount_names
-
- - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
- debug:
- msg: "Congratulations: {{ required_mount }} exists."
- register: var_tmp_mount_present
- when:
- - required_mount in mount_names
- vars:
- required_mount: '/var/tmp'
+ when: "'/var/tmp' not in mount_names"
when:
- rhel8cis_rule_1_1_4_1
tags:
@@ -47,15 +33,14 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %}
+ notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
- notify: change_requires_reboot
when:
- - var_tmp_mount_present is defined
+ - "'/var/tmp' in mount_names"
- item.mount == "/var/tmp"
- - rhel8cis_rule_1_1_4_1 # This is required so the check takes place
- rhel8cis_rule_1_1_4_2 or rhel8cis_rule_1_1_4_3 or rhel8cis_rule_1_1_4_4
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
index 21f29c74..0773eb2d 100644
--- a/tasks/section_1/cis_1.1.5.x.yml
+++ b/tasks/section_1/cis_1.1.5.x.yml
@@ -2,29 +2,16 @@
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log"
block:
- - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
+ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent"
debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
- register: var_log_mount_absent
- changed_when: var_log_mount_absent.skipped is undefined
- when:
- - required_mount not in mount_names
+ msg: "Warning!! /var/log does not exist, which is not STIG compliant. This is a manual task remediate"
+ when: "'/var/log' not in mount_names"
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
- when:
- - required_mount not in mount_names
-
- - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
- debug:
- msg: "Congratulations: {{ required_mount }} exists."
- register: var_log_mount_present
- when:
- - required_mount in mount_names
- vars:
- required_mount: '/var/log'
+ when: "'/var/log' not in mount_names"
when:
- rhel8cis_rule_1_1_5_1
tags:
@@ -36,6 +23,7 @@
- rule_1.1.5.1
- skip_ansible_lint
+# skips if mount is absent
- name: |
"1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
"1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition"
@@ -46,15 +34,14 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %}
+ notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
- notify: change_requires_reboot
when:
- - var_log_mount_present is defined
+ - "'/var/log' in mount_names"
- item.mount == "/var/log"
- - rhel8cis_rule_1_1_5_1 # This is required so the check takes place
- rhel8cis_rule_1_1_5_2 or rhel8cis_rule_1_1_5_3 or rhel8cis_rule_1_1_5_4
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
index cb84c915..082d3433 100644
--- a/tasks/section_1/cis_1.1.6.x.yml
+++ b/tasks/section_1/cis_1.1.6.x.yml
@@ -2,29 +2,16 @@
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit"
block:
- - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
+ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent"
debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
- register: var_log_audit_mount_absent
- changed_when: var_log_audit_mount_absent.skipped is undefined
- when:
- - required_mount not in mount_names
+ msg: "Warning!! /var/log/audit does not exist, which is not STIG compliant. This is a manual task remediate"
+ when: "'/var/log/audit' not in mount_names"
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
- when:
- - required_mount not in mount_names
-
- - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
- debug:
- msg: "Congratulations: {{ required_mount }} exists."
- register: var_log_audit_mount_present
- when:
- - required_mount in mount_names
- vars:
- required_mount: '/var/log/audit'
+ when: "'/var/log/audit' not in mount_names"
when:
- rhel8cis_rule_1_1_6_1
tags:
@@ -35,6 +22,7 @@
- mounts
- rule_1.1.6.1
+# skips if mount is absent
- name: |
"1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
"1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition"
@@ -45,15 +33,14 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %}
+ notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
- notify: change_requires_reboot
when:
- - var_log_audit_mount_present is defined
+ - "'/var/log/audit' not in mount_names"
- item.mount == "/var/log/audit"
- - rhel8cis_rule_1_1_6_1 # This is required so the check takes place
- rhel8cis_rule_1_1_6_2 or rhel8cis_rule_1_1_6_3 or rhel8cis_rule_1_1_6_4
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
index 58e1178b..1e48eb47 100644
--- a/tasks/section_1/cis_1.1.7.x.yml
+++ b/tasks/section_1/cis_1.1.7.x.yml
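Review bot: The added condition `- "'/var/log/audit' not in mount_names"` is inverted relative to the equivalent hunks in cis_1.1.3.x.yml, cis_1.1.4.x.yml and cis_1.1.5.x.yml, which use `in mount_names`; together with `- item.mount == "/var/log/audit"` on the next line it can only be satisfied if /var/log/audit is absent from `mount_names` yet present in `ansible_mounts`, which (assuming `mount_names` is built from the same mount list) never happens, so the noexec/nodev/nosuid options for the audit-log partition would silently never be written. Change the line to `- "'/var/log/audit' in mount_names"`. The `# skips if mount is absent` comment added earlier in this file describes the intended gate and is contradicted by this line. The third hunk of cis_1.1.7.x.yml introduces the same `'/home' not in mount_names` inversion and needs the same fix; that hunk runs past the end of this excerpt.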
@@ -2,29 +2,16 @@
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home"
block:
- - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
+ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent"
debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
- register: home_mount_absent
- changed_when: home_mount_absent.skipped is undefined
- when:
- - required_mount not in mount_names
+ msg: "Warning!! /home does not exist, which is not STIG compliant. This is a manual task remediate"
+ when: "'/home' not in mount_names"
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
- when:
- - required_mount not in mount_names
-
- - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
- debug:
- msg: "Congratulations: {{ required_mount }} exists."
- register: home_mount_present
- when:
- - required_mount in mount_names
- vars:
- required_mount: '/home'
+ when: "'/home' not in mount_names"
when:
- rhel8cis_rule_1_1_7_1
tags:
@@ -36,6 +23,7 @@
- rule_1.1.7.1
- skip_ansible_lint
+# skips if mount is absent
- name: |
"1.1.7.2 | PATCH | Ensure nodev option set on /home partition
1.1.7.3 | PATCH | Ensure nosuid option set on /home partition
@@ -47,15 +35,14 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %}
+ notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
- notify: change_requires_reboot
when:
- - home_mount_present is defined
+ - "'/home' not in mount_names"
- item.mount == "/home"
- - rhel8cis_rule_1_1_7_1
- rhel8cis_rule_1_1_7_2 or rhel8cis_rule_1_1_7_3 or rhel8cis_rule_1_1_7_4 or