From 5cca3231676aa3a62e6696036b38b7a8287a2315 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 30 Apr 2024 10:34:57 +0100 Subject: [PATCH 01/17] Updated rules for v1r14 Signed-off-by: Mark Bolwell --- Changelog.md | 24 +++++++++++++++++++++++- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 31 ++++++++++++++++--------------- 3 files changed, 40 insertions(+), 17 deletions(-) diff --git a/Changelog.md b/Changelog.md index f2d02d0..68c4bd0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,28 @@ # Changes to RHEL8STIG -## 3.2 - STIV V1R13 - 24th Jan 2024 +## 3.3 STIG V1R14 + +Updated ruleids + +- CAT I + - RHEL-08-020330 - cat1 +- CAT II + - RHEL-08-010040 + - RHEL-08-010070 + - RHEL-08-010200 + - RHEL-08-010201 + - RHEL-08-010423 + - RHEL-08-010520 + - RHEL-08-010521 + - RHEL-08-010522 + - RHEL-08-010550 + - RHEL-08-010830 + - RHEL-08-020350 + - RHEL-08-040161 + - RHEL-08-040340 + - RHEL-08-040341 + +## 3.2 - STIG V1R13 - 24th Jan 2024 - Audit updated - moved audit into prelim diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 04597be..ae7e2ca 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -332,7 +332,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230380r858715_rule + - SV-230380r951612_rule - V-230380 - disruption_high diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3f3e96a..e11f349 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -139,7 +139,7 @@ - RHEL-08-010060 - CCI-000048 - SRG-OS-000023-GPOS-00006 - - SV-230225r858694_rule + - SV-230225r951590_rule - SV-230227r627750_rule - V-230225 - V-230227 @@ -236,7 +236,7 @@ - CAT2 - CCI-000067 - SRG-OS-000032-GPOS-00013 - - SV-230228r627750_rule + - SV-230228r951592_rule - V-230228 - rsyslog @@ -571,7 +571,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-230244r917867_rule + - SV-230244r951594_rule - V-230244 - ssh 
@@ -590,7 +590,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-244525r917886_rule + - SV-244525r951596_rule - V-244525 - ssh @@ -1592,7 +1592,7 @@ - CAT2 - CCI-001084 - SRG-OS-000134-GPOS-00068 - - SV-230279r792888_rule + - SV-230279r951598_rule - V-230279 - grub @@ -1721,7 +1721,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230290r858705_rule + - SV-230290r951602_rule - V-230290 - ssh @@ -1740,7 +1740,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230291r858707_rule + - SV-230291r952105_rule - V-230291 - ssh @@ -1758,7 +1758,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-244528r858709_rule + - SV-244528r952106_rule - V-244528 - ssh @@ -1816,7 +1816,7 @@ - CAT2 - CCI-000770 - SRG-OS-000109-GPOS-00056 - - SV-230296r858711_rule + - SV-230296r951608_rule - V-230296 - ssh @@ -2777,7 +2777,7 @@ - V-230330 - CCI-000366 - SRG-OS-000480-GPOS-00229 - - SV-230330r858713_rule + - SV-230330r951610_rule - V-230330 - ssh - disruption_high @@ -4345,7 +4345,7 @@ - CAT2 - CCI-000052 - SRG-OS-000480-GPOS-00227 - - SV-230382r858717_rule + - SV-230382r951614_rule - V-230382 - ssh @@ -6645,8 +6645,8 @@ - RHEL-08-040161 - CAT2 - CCI-000068 - - RG-OS-000033-GPOS-00014 - - SV-230527r858719_rule + - SRG-OS-000033-GPOS-00014 + - SV-230527r951616_rule - V-230527 - ssh @@ -7507,7 +7507,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230555r858721_rule + - V-230555r951618_rule - V-230555 - ssh @@ -7525,7 +7525,8 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230556r858723_rule + - SV-230556r951620_rule + - V-230556 - ssh - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" From c68ab5272d0314440d6cc35a1336ccd9ac6e2d25 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 May 2024 12:05:27 +0100 Subject: [PATCH 02/17] updated conditional 040260 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) 
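Review bot: In the `@@ -7507,7 +7507,7 @@` hunk of tasks/fix-cat2.yml the replacement tag is `V-230555r951618_rule`, which drops the `SV-` prefix that every other rule tag touched by this patch carries (compare `SV-230556r951620_rule` in the very next hunk), so a run selecting tasks by the new STIG rule id would miss this one. The line should read `- SV-230555r951618_rule`. The enclosing task starts outside the hunk.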
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e11f349..ab0ec52 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7015,6 +7015,7 @@ sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 + - rhel8stig_ipv6_required - not rhel8stig_system_is_router tags: - RHEL-08-040260 From 6655110b7c803e56ed050640be44b838443f7149 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 31 May 2024 11:26:02 +0100 Subject: [PATCH 03/17] updated audit version Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2169f0e..2a228de 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r13' +benchmark_version: 'v1r14' ## Benchmark name used by audting control role # The audit variable found at the base From 958ebeb5c3db397f3796ba1f6f063901ae4d8ccf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 31 May 2024 11:28:14 +0100 Subject: [PATCH 04/17] updated version Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 98fbeab..ddccccf 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 14 released on 24, April 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R14_STIG.zip). --- From 06caba6b7558d370c500f829f4b5aa87cc9f3989 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 12:20:35 +0100 Subject: [PATCH 05/17] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
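Review bot: The added `- rhel8stig_ipv6_required` condition in the `@@ -7015,6 +7015,7 @@` hunk makes the whole RHEL-08-040260 sysctl task skip on hosts where IPv6 is not required, but nothing at the task says why, so the skip reads like a missed control rather than a deliberate one. A short comment above the `when:`, `# IPv6 forwarding sysctl only applies when IPv6 is enabled on the host`, would record the intent. The task itself begins outside the hunk, so I cannot confirm that `rhel8stig_ipv6_required` is declared in defaults/main.yml; if it is not, the conditional fails on an undefined variable instead of skipping.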
diff --git a/Changelog.md b/Changelog.md index f38e3af..b2d9fe6 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,27 @@ # Changes to RHEL8STIG +## 3.3 STIG V1R14 + +Updated ruleids + +- CAT I + - RHEL-08-020330 - cat1 +- CAT II + - RHEL-08-010040 + - RHEL-08-010070 + - RHEL-08-010200 + - RHEL-08-010201 + - RHEL-08-010423 + - RHEL-08-010520 + - RHEL-08-010521 + - RHEL-08-010522 + - RHEL-08-010550 + - RHEL-08-010830 + - RHEL-08-020350 + - RHEL-08-040161 + - RHEL-08-040340 + - RHEL-08-040341 + ## 3.3 - STIG V1R13 - 24th Jan 2024 - updated audit variables From f98e0ac02cf82fe62e2593874960c2cb5537a615 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 12:20:52 +0100 Subject: [PATCH 06/17] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index b2d9fe6..36182e1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,10 @@ ## 3.3 STIG V1R14 +- #232 - thanks to @eday87 @BJSmithIEEE + - #301 - thansk to @dglider + + Updated ruleids - CAT I From 5a2cb94b50eb0a312054c37ac4a9ec94c58cbfd6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 12:23:20 +0100 Subject: [PATCH 07/17] added gui discovery Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/prelim.yml | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 42344eb..0b43219 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -498,7 +498,7 @@ rhel_08_040300: true rhel_08_040310: true # Whether or not to run tasks related to auditing/patching the desktop environment -rhel8stig_gui: false +rhel8stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" # Whether or not you need kdump. False will disable service and true will leave service rhel8stig_kdump_needed: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6879596..d846b1c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
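Review bot: The new default `rhel8stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"` in the defaults/main.yml hunk turns the variable from a static switch into a value derived from a fact registered in tasks/prelim.yml, but the comment above it (`# Whether or not to run tasks related to auditing/patching the desktop environment`) still describes a plain boolean and says nothing about discovery or how to override it. Suggest extending the comment with `# Auto-detected from the GNOME marker file in prelim.yml; set to true/false explicitly to override`. Because the expression is evaluated lazily, any reference to `rhel8stig_gui` before the prelim stat task has run resolves to false through `default(false)`; that ordering dependency is worth stating in the same comment.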
@@ -143,6 +143,13 @@ - RHEL-08-010140 - RHEL-08-010150 +- name: "PRELIM | Discover Gnome Desktop Environment" + tags: + - always + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + - name: "PRELIM | dconf" block: - name: "PRELIM | Install dconf" From 16a63232773094261b75f60b2bd5603aa94b0bca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 15:10:14 +0100 Subject: [PATCH 08/17] Addressed #298 Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++-- tasks/prelim.yml | 33 ++++++++++++++------------------- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/Changelog.md b/Changelog.md index 36182e1..79480b7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,10 +3,12 @@ ## 3.3 STIG V1R14 - #232 - thanks to @eday87 @BJSmithIEEE - - #301 - thansk to @dglider + - #301 - thanks to @dglider +- #298 thanks to mikefrompsu -Updated ruleids +- Added gui discovery option +updated ruleids - CAT I - RHEL-08-020330 - cat1 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d846b1c..2fc2172 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
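Review bot: The `PRELIM | Discover Gnome Desktop Environment` task tests only for `/usr/share/gnome/gnome-version.xml`, so the fact it registers reflects GNOME specifically, while the default it feeds (`rhel8stig_gui` in defaults/main.yml) is named as a generic desktop switch; a host running a different desktop would be treated as headless. A one-line comment above the task, `# GNOME marker file only; hosts with another desktop must set rhel8stig_gui explicitly`, documents that limit. Registering `prelim_gnome_present` under `tags: - always` is correct here, since the default value depends on it being present on every run.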
@@ -97,27 +97,22 @@ tags: - run_audit -- name: "PRELIM | RHEL-08-010020" - block: - - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel8stig_boot_part - - - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions | get UUID" - ansible.builtin.shell: lsblk -f | grep -E "{{ rhel8stig_boot_part.stdout }}$" | awk '{ print $3 }' - changed_when: false - check_mode: false - register: rhel8stig_boot_uuid +- name: "PRELIM | Find boot partition UUID" + ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | awk '{print $NF}'; fi + changed_when: false + check_mode: false + register: rhel8stig_boot_uuid + when: + - rhel_08_010020 + tags: + - always - - name: "PRELIM | RHEL-08-010020 | Crypto-policies-scripts package for FIPS" - ansible.builtin.package: - name: crypto-policies-scripts - state: present - when: - - "'crypto-policies-scripts' not in ansible_facts.packages" +- name: "PRELIM | RHEL-08-010020 | Crypto-policies-scripts package for FIPS" + ansible.builtin.package: + name: crypto-policies-scripts + state: present when: + - "'crypto-policies-scripts' not in ansible_facts.packages" - rhel_08_010020 tags: - RHEL-08-010020 From 7752c5c51c23d004ef27de3d30722aef52804080 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 15:16:29 +0100 Subject: [PATCH 09/17] Addressed #299 Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- tasks/fix-cat2.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 79480b7..58ca961 100644 --- a/Changelog.md +++ b/Changelog.md 
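Review bot: The EFI branch of the new `PRELIM | Find boot partition UUID` shell line, `lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'`, matches every lsblk row containing "efi" anywhere (device name, label or mountpoint), so on a host with more than one such row the registered stdout holds several UUIDs and the later `boot=UUID={{ ... }}` substitution in fix-cat1.yml becomes malformed. Selecting on the mountpoint column avoids that and also the `grep -w '/boot'` match on `/boot/efi` that the later `updated uuid discovery allowing for default e2` commit in this series works around with `grep -v efi`: `lsblk -ln -o MOUNTPOINT,UUID | awk '$1 == "/boot/efi" {print $2}'` for the EFI branch and `lsblk -ln -o MOUNTPOINT,UUID | awk '$1 == "/boot" {print $2}'` for the other. The same applies to the revised command in that later commit's `@@ -106,7 +106,7 @@` hunk. Printing `$NF` is also fragile on its own: when lsblk leaves the UUID column empty, the last field silently becomes the mountpoint.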
@@ -5,7 +5,8 @@ - #232 - thanks to @eday87 @BJSmithIEEE - #301 - thanks to @dglider -- #298 thanks to mikefrompsu +- #298 thanks to @mikefrompsu +- #299 thanks to @cpu010100 - Added gui discovery option updated ruleids diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 1e879a5..9d66844 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7219,7 +7219,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." block: - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances" - ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -Ers "kernel.yama.ptrace_scope\s*=\s*.*" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040282_conflicting_settings From d9c6b83dab9cbf7cdd1065001a391cac9ddd528c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 16:11:40 +0100 Subject: [PATCH 10/17] updated 10020 uuid boot part Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 12 ++++++------ tasks/prelim.yml | 10 ++++++++-- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index c8a51b6..cd95892 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
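Review bot: The new grep pattern `"kernel.yama.ptrace_scope\s*=\s*.*"` in the `@@ -7219,7 +7219,7 @@` hunk is unanchored, so commented-out lines such as `#kernel.yama.ptrace_scope = 1` are now reported as conflicting instances and, presumably, acted on by the tasks that consume `rhel_08_040282_conflicting_settings` outside this hunk. The trailing `\s*.*` adds nothing, and the unescaped dots match any character. `grep -Ers "^\s*kernel\.yama\.ptrace_scope\s*=" ...` keeps the intent of the change (any value, not only `1`) while skipping comments. The block continues outside the hunk.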
@@ -94,7 +94,7 @@ - change_requires_reboot - name: "HIGH | RHEL-08-010020 | AUDIT | Verify boot kernel parameters in /etc/default/grub" - ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel8stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ prelim_rhel8stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub check_mode: false changed_when: false failed_when: rhel_08_010020_boot_kernel_set.rc not in [ 0, 1 ] @@ -106,13 +106,13 @@ regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" vars: - query: "{{ rhel8stig_boot_part.stdout }}" + query: "{{ prelim_rhel8stig_boot_part.stdout }}" key: GRUB_CMDLINE_LINUX param: boot - value: UUID={{ rhel8stig_boot_uuid.stdout }} + value: UUID={{ prelim_rhel8stig_boot_uuid.stdout }} insert: true when: - - rhel8stig_boot_part.stdout not in ['/', ''] + - prelim_rhel8stig_boot_part.stdout not in ['/', ''] - rhel_08_010020_boot_kernel_set.stdout | length == 0 - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed @@ -125,12 +125,12 @@ check_mode: false with_items: - fips=1 - - boot=UUID={{ rhel8stig_boot_uuid.stdout }} + - boot=UUID={{ prelim_rhel8stig_boot_uuid.stdout }} register: rhel_08_010020_audit when: - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - - "rhel8stig_boot_part.stdout not in ['/', ''] or + - "prelim_rhel8stig_boot_part.stdout not in ['/', ''] or 'boot=' not in item" changed_when: - ansible_check_mode diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2fc2172..731bcc9 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -97,11 +97,17 @@ tags: - run_audit +- name: "PRELIM | Find boot partition" + ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then echo "/boot/efi" ; else echo "/boot"; fi + changed_when: false + check_mode: false + register: prelim_rhel8stig_boot_part + - name: "PRELIM | Find boot partition UUID" ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | awk '{print $NF}'; fi changed_when: false check_mode: false - register: rhel8stig_boot_uuid + register: prelim_rhel8stig_boot_uuid when: - rhel_08_010020 tags: @@ -351,7 +357,7 @@ path: "{{ rhel8stig_aide_db_file }}" register: rhel8stig_aide_db_status check_mode: false - changed_when: not rhel8stig_aide_db_status.stat.exists + changed_when: false notify: "{{ rhel8stig_aide_handler }}" when: - not system_is_container From 9782461b1b6fd8c0c11536b4043e42ec740ab0e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 16:11:54 +0100 Subject: [PATCH 11/17] variable hosts and lint Signed-off-by: Mark Bolwell --- site.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site.yml b/site.yml index c56b473..0333fb4 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,8 @@ --- -- hosts: all # noqa: name[play] + +- name: Run RHEL8 STiG hardening + hosts: "{{ hosts | default('all') }}" become: true roles: - - role: "{{ playbook_dir }}" From 3a2ca486ab33d45e2983ca07d34f275fbc0415bc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 16:12:22 +0100 Subject: [PATCH 12/17] issue #302 addressed Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 9d66844..b755574 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
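Review bot: The new `PRELIM | Find boot partition` task always reports `/boot/efi` or `/boot` based only on the presence of `/sys/firmware/efi`, never on whether that path is a separate mount, so the `prelim_rhel8stig_boot_part.stdout not in ['/', '']` guards in fix-cat1.yml (the `@@ -106,13 +106,13 @@` and `@@ -125,12 +125,12 @@` hunks of this same commit) can no longer detect a host whose /boot lives on the root filesystem, which the removed `df --output=target /boot` call did. On such a host the UUID lookup returns nothing and `boot=UUID=` is written into GRUB_CMDLINE_LINUX with an empty value. Reporting the real mount target keeps the guard meaningful: `ansible.builtin.shell: findmnt -n -o TARGET --target "$(if [ -d /sys/firmware/efi ]; then echo /boot/efi; else echo /boot; fi)"`. RHEL also keeps the kernel and its `.hmac` under /boot rather than on the ESP even on EFI hosts, so pointing `boot=` at the ESP partition may not be what the FIPS check expects — confirm against the STIG check text. The task additionally lacks the `when: - rhel_08_010020` gate and the `tags:` its sibling UUID task has (the tags are added by a later commit in this series).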
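Review bot: With `changed_when: false` in the `@@ -351,7 +357,7 @@` hunk the AIDE database `stat` task can never report changed, so the `notify: "{{ rhel8stig_aide_handler }}"` on the next line is now dead — handlers only fire from a task that reports a change. If the goal was to stop check-mode runs from reporting a change, keep the condition and make that explicit instead: `changed_when: not rhel8stig_aide_db_status.stat.exists and not ansible_check_mode`. If the handler is instead triggered from a task I cannot see, drop the `notify` here so the two do not diverge.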
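Review bot: `hosts: "{{ hosts | default('all') }}"` in the site.yml hunk templates the play target from a variable literally named `hosts`, which is also a play keyword; Ansible's reserved-name check warns about variables that shadow keywords, and the name is easy to confuse with the keyword when passed via `-e`. A distinct name such as `hosts: "{{ target_hosts | default('all') }}"` avoids both. I also cannot tell from the collapsed hunk whether the `roles:` list keeps an entry once the `- role: "{{ playbook_dir }}"` line is removed; if it is now empty the play does nothing.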
@@ -1390,16 +1390,17 @@ - multifactor - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." - ansible.builtin.lineinfile: + community.general.ini_file: path: '{{ rhel8stig_sssd_conf }}' - regexp: '^certificate_verification = {{ item.regexp }}' state: "{{ item.state }}" - line: "{{ item.line | default(omit) }}" + section: "{{ item.section | default(omit) }}" + option: "certificate_verification" + value: "{{ item.value }}" with_items: - - { regexp: 'no_ocsp, no_verification', state: absent } - - { regexp: 'no_ocsp', state: absent } - - { regexp: 'no_verification', state: absent } - - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' } + - { value: 'no_ocsp, no_verification', state: absent } + - { value: 'no_ocsp', state: absent } + - { value: 'no_verification', state: absent } + - { value: 'ocsp_dgst=sha1', state: present, section: "sssd" } notify: restart sssd when: - rhel_08_010400 From af99c37752f8ae5eee1072e2ecb25cd181fd340a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 16:12:36 +0100 Subject: [PATCH 13/17] allow control ssh Signed-off-by: Mark Bolwell --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 8b4596e..0a443cf 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -18,7 +18,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp -ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no +ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ControlMaster=auto -o ControlPersist=60s [accelerate] From 069ecdf0052798224ae009d7e07a49f0928e2f2f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 16:32:18 +0100 Subject: [PATCH 14/17] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 58ca961..70fc25e 100644 
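Review bot: The three `state: absent` items in the `@@ -1390,16 +1390,17 @@` hunk carry no `section`, so `community.general.ini_file` looks for `certificate_verification` before the first section header and leaves the conflicting values that actually live under `[sssd]` untouched; only the `ocsp_dgst=sha1` item has `section: "sssd"`. Either add `section: "sssd"` to the absent items or, since `ini_file` replaces an existing value of the same option within the section by default, drop them and keep just the present item. `community.general` is also a new collection dependency for this role — if `meta/main.yml` or a requirements file does not already list it, it should. The enclosing task's `when:` continues outside the hunk.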
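Review bot: The rewritten `ssh_args` line in the `@@ -18,7 +18,7 @@` hunk of ansible.cfg keeps `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` next to the new ControlMaster options, so the configuration shipped with a hardening role still disables SSH host-key verification for every managed host (and with `record_host_keys=False` above it, no key is ever pinned). The multiplexing options themselves are fine; the host-key part should move to at least `-o StrictHostKeyChecking=accept-new` with a real known-hosts file, or be dropped so the operator's own ssh configuration applies, e.g. `ssh_args = -o ControlMaster=auto -o ControlPersist=60s`.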
--- a/Changelog.md +++ b/Changelog.md @@ -3,10 +3,12 @@ ## 3.3 STIG V1R14 - #232 - thanks to @eday87 @BJSmithIEEE - - #301 - thanks to @dglider - - #298 thanks to @mikefrompsu - #299 thanks to @cpu010100 +- thanks to @dglinder + - #301 + - #302 +- ansible config update - Added gui discovery option updated ruleids From 288d6d8c6017295a71db42f18a8331cdff957e6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Oct 2024 08:32:49 +0100 Subject: [PATCH 15/17] updated tag for boot_part Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 731bcc9..90c9fb1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -102,6 +102,8 @@ changed_when: false check_mode: false register: prelim_rhel8stig_boot_part + tags: + - always - name: "PRELIM | Find boot partition UUID" ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | awk '{print $NF}'; fi From a1c1a104006b9cd748c06a35ab45f993c4cc8a7b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Oct 2024 09:46:40 +0100 Subject: [PATCH 16/17] updated uuid discovery allowing for default e2 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 90c9fb1..233da60 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -106,7 +106,7 @@ - always - name: "PRELIM | Find boot partition UUID" - ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | awk '{print $NF}'; fi + ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | grep -v efi | awk '{print $NF}'; fi changed_when: false check_mode: false register: prelim_rhel8stig_boot_uuid 
From b28efc75ba56f374940a5511e03670ea2e51d11b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 18:01:21 +0000 Subject: [PATCH 17/17] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.1 → v8.21.2](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f80796..cf55dc7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks