

lineinfile updates
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Jul 11, 2024
1 parent e69d1a6 commit 9795227
Showing 11 changed files with 222 additions and 222 deletions.
20 changes: 10 additions & 10 deletions tasks/Cat1/RHEL-09-2xxxxx.yml
Expand Up @@ -31,10 +31,10 @@
- NIST800-53R4_AC-6
notify: Systemd_daemon_reload
ansible.builtin.lineinfile:
create: true
line: CtrlAltDelBurstAction=none
path: /etc/systemd/system.conf
regexp: ^CtrlAltDelBurstAction=none
line: CtrlAltDelBurstAction=none
create: true

- name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled
when:
Expand Down Expand Up @@ -79,10 +79,10 @@
- grub
notify: Rebuild_grub
ansible.builtin.lineinfile:
insertafter: "{{ grub_superusers.after }}"
line: "{{ grub_superusers.line }}"
path: /etc/grub2.cfg
regexp: "{{ grub_superusers.regexp }}"
line: "{{ grub_superusers.line }}"
insertafter: "{{ grub_superusers.after }}"
loop:
- { regexp: '^set_superusers=', line: 'set superusers="{{ rhel9stig_grub_superuser }}"', after: "### BEGIN /etc/grub.d/01_users ###" }
- { regexp: export superusers, line: 'export superusers', after: set_superusers= }
Expand All @@ -104,9 +104,9 @@
- dnf
- packages
ansible.builtin.lineinfile:
line: gpgcheck=1
path: /etc/dnf/dnf.conf
regexp: ^gpgcheck
line: gpgcheck=1

- name: HIGH | RHEL-09-214020 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation.
when:
Expand All @@ -122,9 +122,9 @@
- dnf
- packages
ansible.builtin.lineinfile:
line: localpkg_gpgcheck=1
path: /etc/dnf/dnf.conf
regexp: ^localpkg_gpgcheck
line: localpkg_gpgcheck=1

- name: HIGH | RHEL-09-214025 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation.
when:
Expand Down Expand Up @@ -329,9 +329,9 @@
- NIST800-53R4_IA-2
- ssh
ansible.builtin.lineinfile:
line: PermitEmptyPasswords no
path: "{{ rhel9stig_sshd_config_file }}"
regexp: (?i)^(#|)PermitEmptyPasswords yes
line: PermitEmptyPasswords no
validate: sshd -t -f %s
notify: Sshd_restart

Expand All @@ -350,9 +350,9 @@
- pam
notify: Sshd_restart
ansible.builtin.lineinfile:
line: UsePAM yes
path: "{{ rhel9stig_sshd_config_file }}"
regexp: (?i)^(#|)usepam
line: UsePAM yes
validate: sshd -t -f %s

- name: HIGH | RHEL-09-271040 | PATCH | RHEL 9 must not allow unattended or automatic logon via the graphical user interface.
Expand All @@ -369,10 +369,10 @@
- NIST800-53R4_CM-6
- gui
ansible.builtin.lineinfile:
insertafter: "{{ autologin.after | default(omit) }}"
line: "{{ autologin.line }}"
path: /etc/gdm/custom.conf
regexp: "{{ autologin.regexp }}"
line: "{{ autologin.line }}"
insertafter: "{{ autologin.after | default(omit) }}"
create: true
loop:
- { regexp: "[daemon]", line: "[daemon]" }
Expand Down
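Review bot: The grub superusers loop item pairs `regexp: '^set_superusers='` (underscore) with a managed line of `set superusers="…"` (space), so the regexp can never match the line it writes and every run will insert a fresh `set superusers=` line after the `01_users` BEGIN marker; the second item's `after: set_superusers=` has the same mismatch and would fall back to appending `export superusers` at end of file. If the generated 01_users block indents `set superusers` (as the stock script appears to), the `^` anchor will miss it as well, so `regexp: '^\s*set superusers='` and `after: 'set superusers='` would be needed for the task to be idempotent. Note also that the task writes to `/etc/grub2.cfg` directly and then notifies `Rebuild_grub`; whether that handler regenerates the same file and discards the edit is not visible here and is worth confirming. The loop's remaining items continue outside the hunk.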
2 changes: 1 addition & 1 deletion tasks/Cat1/RHEL-09-4xxxxx.yml
Expand Up @@ -55,6 +55,6 @@
- NIST800-53R4_SI-6
- selinux
ansible.builtin.lineinfile:
line: SELINUX=enforcing
path: /etc/selinux/config
regexp: (?i)^selinux=
line: SELINUX=enforcing
47 changes: 24 additions & 23 deletions tasks/Cat2/RHEL-09-21xxxx.yml
Expand Up @@ -36,9 +36,9 @@
block:
- name: "MEDIUM | RHEL-09-211020 | PATCH | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"
ansible.builtin.lineinfile:
line: 'Banner /etc/issue'
path: /etc/ssh/sshd_config
regexp: '(?i)^#?Banner'
line: 'Banner /etc/issue'
when:
- rhel9stig_ssh_required

Expand Down Expand Up @@ -271,21 +271,21 @@
- name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Set default"
when: rhel9stig_212035_def_grub_vsyscall.rc != 0
ansible.builtin.lineinfile:
backrefs: true
line: '\1\2 vsyscall=none'
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=")(.*)"
line: '\1\2 vsyscall=none'
backrefs: true
notify: Rebuild_grub

- name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Change default"
when:
- rhel9stig_212035_def_grub_vsyscall.rc == 0
- "'vsyscall=none' not in rhel9stig_212035_def_grub_vsyscall.stdout"
ansible.builtin.lineinfile:
backrefs: true
line: '\1\2vsyscall=none\3'
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=)(".*)vsyscall=\w+(.*")
line: '\1\2vsyscall=none\3'
backrefs: true
notify: Rebuild_grub

- name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks."
Expand Down Expand Up @@ -322,19 +322,19 @@
- name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Set default"
when: rhel9stig_212040_def_grub_poison.rc != 0
ansible.builtin.lineinfile:
backrefs: true
line: '\1\2 page_poison=1"'
regexp: ^(GRUB_CMDLINE_LINUX=")(.*)"
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=")(.*)"
line: '\1\2 page_poison=1"'
backrefs: true
notify: Rebuild_grub

- name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Change default"
when: rhel9stig_212040_def_grub_poison.rc == 0
ansible.builtin.lineinfile:
backrefs: true
line: '\1\2page_poison=1\3'
regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*")
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*")
line: '\1\2page_poison=1\3'
backrefs: true
notify: Rebuild_grub

- name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks"
Expand Down Expand Up @@ -370,21 +370,22 @@
- name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Set default"
when: rhel9stig_212045_def_grub_slub.rc != 0
ansible.builtin.lineinfile:
backrefs: true
line: '\1\2 slub_debug=P"'
regexp: ^(GRUB_CMDLINE_LINUX=")(.*)"
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=")(.*)"
line: '\1\2 slub_debug=P"'
backrefs: true

notify: Rebuild_grub

- name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Change default"
when:
- "'slub_debug=P' not in rhel9stig_212045_def_grub_slub.stdout"
- rhel9stig_212045_def_grub_slub.rc == 0
ansible.builtin.lineinfile:
backrefs: true
line: '\1\2slub_debug=P\3'
regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*")
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*")
line: '\1\2slub_debug=P\3'
backrefs: true
notify: Rebuild_grub

- name: "MEDIUM | RHEL-09-213010 | PATCH | RHEL 9 must restrict access to the kernel message buffer."
Expand Down Expand Up @@ -707,9 +708,9 @@
- V-257812
- NIST800-53R4_CM-6
ansible.builtin.lineinfile:
line: ProcessSizeMax=0
regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+
path: /etc/systemd/coredump.conf
regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+
line: ProcessSizeMax=0
create: true

- name: "MEDIUM | RHEL-09-213090 | PATCH | RHEL 9 must storage core dumps."
Expand All @@ -724,9 +725,9 @@
- V-257813
- NIST800-53R4_CM-6
ansible.builtin.lineinfile:
line: Storage=none
regexp: ^(#|)Storage=.*
path: /etc/systemd/coredump.conf
regexp: ^(#|)Storage=.*
line: Storage=none
create: true

- name: "MEDIUM | RHEL-09-213095 | PATCH | RHEL 9 must disable core dumps for all users."
Expand All @@ -741,9 +742,9 @@
- V-257814
- NIST800-53R4_CM-6
ansible.builtin.lineinfile:
line: '* hard core 0'
regexp: '^\* hard core (?!0)\d*'
path: /etc/security/limits.conf
regexp: '^\* hard core (?!0)\d*'
line: '* hard core 0'

- name: "MEDIUM | RHEL-09-213100 | PATCH | RHEL 9 must disable acquiring, saving, and processing core dumps."
when:
Expand Down
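Review bot: In the RHEL-09-212035 "Set default" task the moved replacement `line: '\1\2 vsyscall=none'` omits the closing double quote that the regexp `^(GRUB_CMDLINE_LINUX=")(.*)"` consumed, so a run taking this branch rewrites the entry as `GRUB_CMDLINE_LINUX="… vsyscall=none` with an unbalanced quote, whereas the sibling 212040 and 212045 tasks restore it with `'\1\2 page_poison=1"'` and `'\1\2 slub_debug=P"'`. Because `/etc/default/grub` is read as shell by the grub rebuild, the unterminated quote would presumably make the `Rebuild_grub` handler fail or mis-parse the kernel command line, leaving vsyscall enabled; the fix is `line: '\1\2 vsyscall=none"'`. Separately, the blank line inserted between `backrefs: true` and `notify: Rebuild_grub` in the 212045 "Set default" task is the only non-reorder change in this file and reads as accidental.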
