#156 incorporated

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Feb 1, 2022 · cbd7d74 · cbd7d74
1 parent fff2085
commit cbd7d74
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 67 deletions.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -52,64 +52,73 @@
  tags:
  - rule_5.7
 
-- include: prelim.yml
- become: yes
+- name: Include preliminary steps
+ import_tasks: prelim.yml
  tags:
  - prelim_tasks
  - always
 
-- import_tasks: pre_remediation_audit.yml
+- name: run pre_remediation audit
+ include_tasks: pre_remediation_audit.yml
  when:
  - run_audit
 
-- name: Gather the package facts
+- name: Gather the package facts after prelim
  package_facts:
  manager: auto
  tags:
  - always
 
-- include: parse_etc_password.yml
- become: yes
+- name: capture /etc/password variables
+ include_tasks: parse_etc_password.yml
  when: rhel8cis_section6
 
-- include: section_1/main.yml
- become: yes
+- name: run Section 1 tasks
+ import_tasks: section_1/main.yml
+ become: true
  when: rhel8cis_section1
  tags:
  - rhel8cis_section1
 
-- include: section_2/main.yml
- become: yes
+- name: run Section 2 tasks
+ import_tasks: section_2/main.yml
+ become: true
  when: rhel8cis_section2
 
-- include: section_3/main.yml
- become: yes
+- name: run Section 3 tasks
+ import_tasks: section_3/main.yml
+ become: true
  when: rhel8cis_section3
 
-- include: section_4/main.yml
- become: yes
+- name: run Section 4 tasks
+ import_tasks: section_4/main.yml
+ become: true
  when: rhel8cis_section4
 
-- include: section_5/main.yml
- become: yes
+- name: run Section 5 tasks
+ import_tasks: section_5/main.yml
+ become: true
  when: rhel8cis_section5
 
-- include: section_6/main.yml
- become: yes
+- name: run Section 6 tasks
+ import_tasks: section_6/main.yml
+ become: true
  when: rhel8cis_section6
 
-- include: post.yml
- become: yes
+- name: run post remediation tasks
+ import_tasks: post.yml
+ become: true
  tags:
  - post_tasks
  - always
 
-- import_tasks: post_remediation_audit.yml
+- name: run post_remediation audit
+ import_tasks: post_remediation_audit.yml
  when:
  - run_audit
 
 - name: Show Audit Summary
  debug:
  msg: "{{ audit_results.split('\n') }}"
  when:
- - run_audit
+ - run_audit
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
@@ -2,41 +2,41 @@
 
 - name: "SECTION | 1.1 | FileSystem Configurations\n
  SECTION | 1.1.1.x | Disable unused filesystems"
- include: cis_1.1.1.x.yml
-- include: cis_1.1.x.yml
+ include_tasks: cis_1.1.1.x.yml
+- include_tasks: cis_1.1.x.yml
 
 - name: "SECTION | 1.2 | Configure Software Updates"
- include: cis_1.2.x.yml
+ include_tasks: cis_1.2.x.yml
 
 - name: "SECTION | 1.3 | Configure sudo"
- include: cis_1.3.x.yml
+ include_tasks: cis_1.3.x.yml
 
 - name: "SECTION | 1.4 | Filesystem Integrity"
- include: cis_1.4.x.yml
+ import_tasks: cis_1.4.x.yml
  when: rhel8cis_config_aide
 
 - name: "SECTION | 1.5 | Secure Boot Settings"
- include: cis_1.5.x.yml
+ include_tasks: cis_1.5.x.yml
 
 - name: "SECTION | 1.6 | Additional Process Hardening"
- include: cis_1.6.x.yml
+ include_tasks: cis_1.6.x.yml
 
 - name: "SECTION | 1.7 | bootloader and Mandatory Access Control"
- include: cis_1.7.1.x.yml
+ import_tasks: cis_1.7.1.x.yml
  when: not rhel8cis_selinux_disable
 
 - name: "SECTION | 1.8 | Warning Banners"
- include: cis_1.8.1.x.yml
+ include_tasks: cis_1.8.1.x.yml
 
 - name: "SECTION | 1.9 | Updated and Patches"
- include: cis_1.9.yml
+ include_tasks: cis_1.9.yml
 
 - name: "SECTION | 1.10 | Crypto policies"
- include: cis_1.10.yml
+ import_tasks: cis_1.10.yml
  when:
  - not system_is_ec2
 
 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies"
- include: cis_1.11.yml
+ import_tasks: cis_1.11.yml
  when:
- - not system_is_ec2
+ - not system_is_ec2
diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml
@@ -1,13 +1,13 @@
 ---
 
 - name: "SECTION | 2.1 | xinetd"
- include: cis_2.1.1.yml
+ include_tasks: cis_2.1.1.yml
 
 - name: "SECTION | 2.2.1 | Time Synchronization"
- include: cis_2.2.1.x.yml
+ include_tasks: cis_2.2.1.x.yml
 
 - name: "SECTION | 2.2 | Special Purpose Services"
- include: cis_2.2.x.yml
+ include_tasks: cis_2.2.x.yml
 
 - name: "SECTION | 2.3 | Service Clients"
- include: cis_2.3.x.yml
+ include_tasks: cis_2.3.x.yml
diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml
@@ -1,41 +1,41 @@
 ---
 
 - name: "SECTION | 3.1.x | Packet and IP redirection"
- include: cis_3.1.x.yml
+ include_tasks: cis_3.1.x.yml
 
 - name: "SECTION | 3.2.x | Network Parameters (Host Only)"
- include: cis_3.2.x.yml
+ include_tasks: cis_3.2.x.yml
 
 - name: "SECTION | 3.3.x | Uncommon Network Protocols"
- include: cis_3.3.x.yml
+ include_tasks: cis_3.3.x.yml
 
 - name: "SECTION | 3.4.1.x | firewall defined"
- include: cis_3.4.1.1.yml
+ include_tasks: cis_3.4.1.1.yml
 
 - name: "SECTION | 3.4.2.x | firewalld firewall"
- include: cis_3.4.2.x.yml
+ import_tasks: cis_3.4.2.x.yml
  when:
  - rhel8cis_firewall == "firewalld"
 
 - name: "SECTION | 3.4.3.x | Configure nftables firewall"
- include: cis_3.4.3.x.yml
+ import_tasks: cis_3.4.3.x.yml
  when:
  - rhel8cis_firewall == "nftables"
 
 - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4"
- include: cis_3.4.4.1.x.yml
+ import_tasks: cis_3.4.4.1.x.yml
  when:
  - rhel8cis_firewall == "iptables"
 
 - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6"
- include: cis_3.4.4.2.x.yml
+ import_tasks: cis_3.4.4.2.x.yml
  when:
  - ( rhel8cis_firewall == "iptables" and rhel8cis_ipv6_required )
 
 - name: "SECTION | 3.5 | Configure wireless"
- include: cis_3.5.yml
+ include_tasks: cis_3.5.yml
 
 - name: "SECTION | 3.5 | disable IPv6"
- include: cis_3.5.yml
+ import_tasks: cis_3.5.yml
  when:
- - not rhel8cis_ipv6_required
+ - not rhel8cis_ipv6_required
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
@@ -1,23 +1,23 @@
 ---
 
 - name: "SECTION | 4.1| Configure System Accounting (auditd)"
- include: cis_4.1.1.x.yml
+ include_tasks: cis_4.1.1.x.yml
 
 - name: "SECTION | 4.1.2.x| Configure Data Retention"
- include: cis_4.1.2.x.yml
+ include_tasks: cis_4.1.2.x.yml
 
 - name: "SECTION | 4.1.x| Auditd rules"
- include: cis_4.1.x.yml
+ include_tasks: cis_4.1.x.yml
 
 - name: "SECTION | 4.2.x| Configure Logging"
- include: cis_4.2.1.x.yml
+ import_tasks: cis_4.2.1.x.yml
  when: rhel8cis_syslog == 'rsyslog'
 
 - name: "SECTION | 4.2.2.x| Configure journald"
- include: cis_4.2.2.x.yml
+ include_tasks: cis_4.2.2.x.yml
 
 - name: "SECTION | 4.2.3 | Configure logile perms"
- include: cis_4.2.3.yml
+ include_tasks: cis_4.2.3.yml
 
 - name: "SECTION | 4.3 | Configure logrotate"
- include: cis_4.3.yml
+ include_tasks: cis_4.3.yml
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml
@@ -1,27 +1,27 @@
 ---
 
 - name: "SECTION | 5.1 | Configure time-based job schedulers"
- include: cis_5.1.x.yml
+ include_tasks: cis_5.1.x.yml
 
 - name: "SECTION | 5.2 | Configure SSH Server"
- include: cis_5.2.x.yml
+ include_tasks: cis_5.2.x.yml
 
 - name: "SECTION | 5.3 | Configure Profiles"
- include: cis_5.3.x.yml
+ import_tasks: cis_5.3.x.yml
  when:
  - rhel8cis_use_authconfig
 
 - name: "SECTION | 5.4 | Configure PAM "
- include: cis_5.4.x.yml
+ include_tasks: cis_5.4.x.yml
 
 - name: "SECTION | 5.5.1.x | Passwords and Accounts"
- include: cis_5.5.1.x.yml
+ include_tasks: cis_5.5.1.x.yml
 
 - name: "SECTION | 5.5.x | System Accounts and User Settings"
- include: cis_5.5.x.yml
+ include_tasks: cis_5.5.x.yml
 
 - name: "SECTION | 5.6 | Root Login"
- include: cis_5.6.yml
+ include_tasks: cis_5.6.yml
 
 - name: Section | 5.7 | su Command Restriction
- include: cis_5.7.yml
+ include_tasks: cis_5.7.yml
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: "SECTION | 6.1 | System File Permissions"
- include: cis_6.1.x.yml
+ include_tasks: cis_6.1.x.yml
 
 - name: "SECTION | 6.2 | User and Group Settings"
- include: cis_6.2.x.yml
+ include_tasks: cis_6.2.x.yml