Merge branch 'jan_24_updates' into stig_v3r13

ansible-lockdown · Jan 26, 2024 · 9f52057 · 9f52057
2 parents ad96dd7 + e401d83
commit 9f52057
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 38 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -34,16 +34,15 @@ repos:
   hooks:
   - id: detect-secrets
     args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.1
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v6.22.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -62,6 +61,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.33.0  # or higher tag
   hooks:
   - id: yamllint
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -696,7 +696,7 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
 
-rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
+rhel7stig_boot_part: /boot
 
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'

diff --git a/doc/README.md b/doc/README.md
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -457,6 +457,7 @@
                   insert: true
               when:
                   - rhel7stig_boot_part not in ['/', '']
+                  - item.uuid is defined
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
               notify: confirm grub2 user cfg
@@ -475,9 +476,9 @@
                   - ansible_check_mode
                   - rhel_07_021350_audit is failed
               failed_when:
-                  - rhel_07_021350_audit is failed
-                  - not ansible_check_mode or
-                    rhel_07_021350_audit.rc > 1
+                  - rhel_07_021350_audit.rc not in [ 0, 1 ]
+                  - not ansible_check_mode
+
               when:
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -1554,7 +1554,7 @@
       label: "{{ rhel7stig_passwd_label }}"
   when:
       - rhel_07_020620
-      - rhel7stig_interactive_uid_start | int <= item.uid
+      - item.uid >= rhel7stig_interactive_uid_start | int
   tags:
       - RHEL-07-020620
       - CAT2
@@ -2042,7 +2042,7 @@
             removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"  # noqa: jinja[invalid]
         when:
             - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-            - "'nosuid' not in home_mount.options"
+            - "'nosuid' not in removable_mount.options"
 
       - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
         ansible.posix.mount:
@@ -2055,7 +2055,7 @@
             removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"  # noqa: jinja[invalid]
         when:
             - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-            - "'nosuid' not in home_mount.options"
+            - "'nosuid' not in removable_mount2.options"
   when:
       - rhel_07_021010
       - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -159,13 +159,7 @@
         rhel_07_010491 or
         rhel_07_021350
   tags:
-      - cat1
-      - high
-      - RHEL-07-010481
-      - RHEL-07-010482
-      - RHEL-07-010483
-      - RHEL-07-010491
-      - RHEL-07-021350
+      - always
 
 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based"
   ansible.builtin.stat:
@@ -300,18 +294,6 @@
       - RHEL-07-031000
       - RHEL-07-031010
 
-- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions"
-  ansible.builtin.shell: df --output=target /boot | tail -n 1
-  changed_when: false
-  check_mode: false
-  register: rhel_07_boot_part
-  when:
-      - rhel_07_021350
-  tags:
-      - cat1
-      - high
-      - RHEL-07-021350
-
 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin."
   ansible.builtin.package:
       name: audispd-plugins