colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14 from ShawnHardwick/shawn.hardwick/idempotency 

Multiple fixes around idempotency and check_mode
This commit is contained in:
uk-bolly 2025-02-11 12:09:11 +01:00 committed by GitHub
parent 3c39ff1ed0 9a2a7ad96f
commit 9aa55e5616
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
defaults/main.yml
View File

@ -626,6 +626,10 @@ ubtu24cis_desktop_required: false
# This will also purge any packages not removed via this playbook # This will also purge any packages not removed via this playbook
ubtu24cis_purge_apt: false ubtu24cis_purge_apt: false
## Ignore change_when for apt update task
# Modifies behavior of 'changed_when' for 'apt update' task in prelim that always changes
ignore_apt_update_changed_when: false
## ##
## Section 1 Control Variables ## Section 1 Control Variables
## ##
@ -647,6 +651,7 @@ ubtu24cis_tmp_svc: false
# The following variables are related to the set of rules from section 1.6.1.x # The following variables are related to the set of rules from section 1.6.1.x
## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
control_1_3_1_4_was_run: false
# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 # This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
# regarding enforcing profiles or putting them in complain mode # regarding enforcing profiles or putting them in complain mode

2
tasks/prelim.yml
View File

@ -55,6 +55,7 @@
tags: always tags: always
ansible.builtin.package: ansible.builtin.package:
update_cache: true update_cache: true
changed_when: not ignore_apt_update_changed_when
- name: Include audit specific variables - name: Include audit specific variables
when: when:
@ -229,6 +230,7 @@
tags: always tags: always
ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
changed_when: false changed_when: false
check_mode: false
failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ] failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
register: prelim_auditd_logfile register: prelim_auditd_logfile

2
tasks/section_2/cis_2.1.x.yml
View File

@ -699,7 +699,7 @@
notify: Restart postfix notify: Restart postfix
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/postfix/main.cf path: /etc/postfix/main.cf
regexp: '^(#)?inet_interfaces' regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*'
line: 'inet_interfaces = loopback-only' line: 'inet_interfaces = loopback-only'
- name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents" - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"

4
tasks/section_5/cis_5.4.1.x.yml
View File

@ -130,13 +130,13 @@
- login - login
block: block:
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting" - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2 ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_passwd_inactive_setting register: discovered_passwd_inactive_setting
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string when: discovered_passwd_inactive_setting.stdout != (ubtu24cis_pass_inactive | string)
ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }} ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
failed_when: false failed_when: false
changed_when: true changed_when: true