From bb631b10dbe470e3679715640e15de83b3ec62e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:43:44 +0000 Subject: [PATCH 1/4] improved idempotence on mount point options Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 4 +--- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- 6 files changed, 6 insertions(+), 8 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 10d6d2de..861e679f 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4) %},nosuid{% endif %}" notify: Remount tmp loop: "{{ ansible_facts.mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 3a64a066..423b15cc 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,9 +31,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid" label: "{{ item.device }}" notify: Change_requires_reboot when: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 713dba6e..4487e9be 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index ac8b8275..8c4732ff 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_5_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_5_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_5_4) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 5a7c8f40..709a2061 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_6_2) %},noexec{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_6_3) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_6_4) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6a50de89..506c1a68 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -40,7 +40,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}" notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or From 1c1a39c58b5e7b2ea129c15aad4cdda1d4fdc963 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:46:17 +0000 Subject: [PATCH 2/4] improved gpg regex Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index fc0bf272..babf8699 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: ^gpgcheck\s*=\s*0 replace: "gpgcheck=1" loop: "{{ yum_repos.files }}" loop_control: @@ -104,7 +104,7 @@ - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^repo_gpgcheck( |)=( |)0' + regexp: ^repo_gpgcheck\s*=\s*0 replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: From fbf16ec54dc9664b9380fe887ca2c37eb859fa96 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:59:07 +0000 Subject: [PATCH 3/4] readded lines removed in error Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.3.x.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 423b15cc..e6d07058 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,9 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid" + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid{% endif %}" + loop: "{{ ansible_facts.mounts }}" + loop_control: label: "{{ item.device }}" notify: Change_requires_reboot when: From d6c9e426855bac16047a75ae72238816279c1e2b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 16:00:01 +0000 Subject: [PATCH 4/4] reverted back to original Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 506c1a68..6a50de89 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -40,7 +40,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}" + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or