Made adjustments based on suggestions.

README.md

@@ -14,12 +14,12 @@ Role Variables
 
 | Name              | Default Value       | Description          |
 |-------------------|---------------------|----------------------|
-| `rhel7stig_cat1_audit` | True  | Audit for CAT I findings      |
-| `rhel7stig_cat2_audit` | False | Audit for CAT II findings     |
-| `rhel7stig_cat3_audit` | False | Audit for CAT III findings    |
-| `rhel7stig_cat1_patch` | True  | Correct CAT I findings        |
-| `rhel7stig_cat2_patch` | False | Correct CAT II findings       |
-| `rhel7stig_cat3_patch` | False | Correct CAT III findings      |
+| `rhel7stig_cat1_audit` | 'yes' | Audit for CAT I findings      |
+| `rhel7stig_cat2_audit` | 'no'  | Audit for CAT II findings     |
+| `rhel7stig_cat3_audit` | 'no'  | Audit for CAT III findings    |
+| `rhel7stig_cat1_patch` | 'yes' | Correct CAT I findings        |
+| `rhel7stig_cat2_patch` | 'no'  | Correct CAT II findings       |
+| `rhel7stig_cat3_patch` | 'no'  | Correct CAT III findings      |
 
 
 Dependencies

defaults/main.yml

@@ -4,9 +4,9 @@ rhel7stig_cat3_patch: no
 
 # These values match patch values by defaults. To override these values,
 # set them in group_vars, host_sars, or with the -e flag via CLI
-rhel7stig_cat1_audit: yes
-rhel7stig_cat2_audit: no
-rhel7stig_cat3_audit: no
+rhel7stig_cat1_audit: "{{ rhel7stig_cat1_patch }}"
+rhel7stig_cat2_audit: "{{ rhel7stig_cat2_patch }}"
+rhel7stig_cat3_audit: "{{ rhel7stig_cat3_patch }}"
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
 rhel7stig_gui: no

tasks/audit-cat2.yml

@@ -1,45 +1,37 @@
-- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive."
-  find:
-      paths: /
-      recurse: yes
-      file_type: file
-      patterns: '*.pub'
-      hidden: true
+- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
+  command: grep -i useldapauth /etc/sysconfig/authconfig
+  register: rhel_07_040180_audit
   failed_when: no
   changed_when: no
   ignore_errors: yes
-  register: rhel_07_040640_audit
   tags:
       - cat2
-      - high
+      - medium
       - audit
-      - RHEL-07-040640
-      - always
-      - ssh
+      - RHEL-07-040180
+      - ldap
 
-- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive."
-  find:
-      paths: /
-      recurse: yes
-      file_type: file
-      patterns: '*ssh_host*key'
-      hidden: true
+- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
+  stat:
+      path: /etc/ntp.conf
+  register: rhel_07_040210_audit
   failed_when: no
   changed_when: no
   ignore_errors: yes
-  register: rhel_07_040650_audit
   tags:
       - cat2
-      - high
+      - medium
       - audit
-      - RHEL-07-040650
-      - always
-      - ssh
+      - RHEL-07-040210
+      - ntpd
 
 - name: "MEDIUM | RHEL-07-040230 | AUDIT | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network."
   stat:
       path: /var/lib/pki-kra/conf/server.xml
   register: rhel_07_040230_audit
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
   tags:
       - cat2
       - medium
@@ -48,33 +40,40 @@
       - always
       - pki
 
-- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
-  stat:
-      path: /etc/ntp.conf
-  register: rhel_07_040210_audit
-  tags:
-      - cat2
-      - medium
-      - audit
-      - RHEL-07-040210
-      - ntp
-
-- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
-  command: grep -i useldapauth /etc/sysconfig/authconfig
-  register: rhel_07_040180_audit
+- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive."
+  find:
+      paths: /
+      recurse: yes
+      file_type: file
+      patterns: '*ssh_host*key'
+      hidden: true
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_040650_audit
   tags:
       - cat2
-      - medium
+      - high
       - audit
-      - RHEL-07-040180
-      - ldap
+      - RHEL-07-040650
+      - always
+      - ssh
 
-- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
-  command: systemctl status nails
-  register: rhel_07_040180_audit
+- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive."
+  find:
+      paths: /
+      recurse: yes
+      file_type: file
+      patterns: '*.pub'
+      hidden: true
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_040640_audit
   tags:
       - cat2
-      - medium
+      - high
       - audit
-      - RHEL-07-040180
-      - ldap
+      - RHEL-07-040640
+      - always
+      - ssh

tasks/fix-cat2.yml

@@ -1231,7 +1231,7 @@
 
 - name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
   command: "true"
-  when: '"yes" in "{{ rhel_07_040180_audit.stdout_lines }}"'
+  when: "'yes' in rhel_07_040180_audit.stdout"
   tags:
       - cat2
       - medium