ansible-lockdown · uk-bolly · Sep 24, 2024 · Sep 11, 2024 · Sep 16, 2024 · Sep 16, 2024
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -1886,20 +1886,18 @@
 
     - name: "MEDIUM | RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner."
       ansible.builtin.set_fact:
-        rhel9stig_ungrouped_files_found: true
-      loop: "{{ rhel9stig_ungrouped_files_dirs_audit.results }}"
+        rhel9stig_ungrouped_files_results: "{{ rhel9stig_ungrouped_files_dirs_audit.results.0['stdout_lines'] }}"
       when:
-        - item | length > 0
-        - item.stdout is defined  # skipped items are part of results list, but don't have the registered module properties
-        - item.stdout | length > 0
+        - rhel9stig_ungrouped_files_dirs_audit.results | length > 0
+        - rhel9stig_ungrouped_files_dirs_audit is defined
 
     - name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner."
-      when: rhel9stig_ungrouped_files_found is defined
+      when: rhel9stig_ungrouped_files_results | length > 1
       ansible.builtin.debug:
-        msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines  }}"
+        msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_results }}"
 
     - name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner."
-      when: rhel9stig_ungrouped_files_found is defined
+      when: rhel9stig_ungrouped_files_results | length > 1
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 
@@ -1921,7 +1919,7 @@
       when:
         - item['device'].startswith('/dev')
         - not 'bind' in item['options']
-      ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup
+      ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
       check_mode: false
       failed_when: false
       changed_when: false
@@ -1932,20 +1930,18 @@
 
     - name: "MEDIUM | RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner."
       ansible.builtin.set_fact:
-        rhel9stig_unowned_files_found: true
-      loop: "{{ rhel9stig_unowned_files_dirs_audit.results }}"
+        rhel9stig_unowned_files_results: "{{ rhel9stig_unowned_files_dirs_audit.results.0['stdout_lines'] }}"
       when:
-        - item | length > 0
-        - item.stdout is defined  # skipped items are part of results list, but don't have the registered module properties
-        - item.stdout | length > 0
+        - rhel9stig_unowned_files_dirs_audit.results | length > 0
+        - rhel9stig_unowned_files_dirs_audit is defined
 
     - name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner."
-      when: rhel9stig_unowned_files_found is defined
+      when: rhel9stig_unowned_files_results | length > 1
       ansible.builtin.debug:
-        msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}"
+        msg: "Warning!! Missing owner on items in {{ rhel9stig_unowned_files_results }}"
 
     - name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner."
-      when: rhel9stig_unowned_files_found is defined
+      when: rhel9stig_unowned_files_results | length > 1
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 

diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
@@ -79,7 +79,14 @@
         state: enabled
         target: DROP
 
-    - name: "MEDIUM | RHEL-09-251020 | PATCH | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+    - name: "MEDIUM | RHEL-09-251020 | AUDIT | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Get default zone"
+      ansible.builtin.shell: "firewall-cmd --get-default-zone"
+      changed_when: false
+      failed_when: discovered_current_firewalld_zone.rc not in [ 0, 1 ]
+      register: discovered_current_firewalld_zone
+
+    - name: "MEDIUM | RHEL-09-251020 | PATCH | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set zone if not curent"
+      when: "(discovered_current_firewalld_zone.stdout | default([])) not in rhel9stig_custom_firewall.zone"
       ansible.builtin.shell: "firewall-cmd --set-default-zone={{ rhel9stig_custom_firewall.zone }}"
 
     - name: "MEDIUM | RHEL-09-251020 | PATCH | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Setup Connections"

diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml
@@ -41,14 +41,14 @@
         - rhel9stig_disruption_high
         - rhel9stig_users_passwd_max is defined
         - rhel9stig_users_passwd_max.stdout | length > 0
-        - "item in rhel9stig_interactive_users.stdout_lines"
+        - "ansible_user not in item"
       ansible.builtin.shell: "chage -M 60 {{ item }}"
       failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ]
       loop: "{{ rhel9stig_users_passwd_max.stdout_lines }}"
 
     - name: "MEDIUM | RHEL-09-411015 | WARN | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs."
       when:
-        - not rhel9stig_disruption_high
+        - not rhel9stig_disruption_high or "ansible_facts.user in rhel9stig_interactive_users.stdout_lines"
         - rhel9stig_users_passwd_max is defined
         - rhel9stig_users_passwd_max.stdout | length > 0
       ansible.builtin.debug:

diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml
@@ -110,7 +110,7 @@
 - name: "LOW | RHEL-09-231020 | AUDIT | RHEL 9 must use a separate file system for /var."
   when:
     - rhel_09_231020
-    - ansible_facts['mounts']| selectattr('mount', '==', '/var')
+    - ansible_facts['mounts']| selectattr('mount', 'equalto', '/var' | list | length > 0)
   tags:
     - RHEL-09-231020
     - CAT2
@@ -134,7 +134,7 @@
 - name: "LOW | RHEL-09-231025 | AUDIT | RHEL 9 must use a separate file system for /var/log."
   when:
     - rhel_09_231025
-    - ansible_facts['mounts']| selectattr('mount', '==', '/var/log')
+    - ansible_facts['mounts']| selectattr('mount', 'equalto', '/var/log' | list | length > 0)
   tags:
     - RHEL-09-231025
     - CAT2
@@ -158,7 +158,7 @@
 - name: "LOW | RHEL-09-231030 | AUDIT | RHEL 9 must use a separate file system for /var/log/audit."
   when:
     - rhel_09_231030
-    - ansible_facts['mounts']| selectattr('mount', '==', rhel9stig_audit_log_filesystem )
+    - ansible_facts['mounts']| selectattr('mount', 'equalto', rhel9stig_audit_log_filesystem | list | length > 0)
   tags:
     - RHEL-09-231030
     - CAT2

diff --git a/vars/main.yml b/vars/main.yml
@@ -47,3 +47,7 @@ rhel9stig_dod_macs_server:  # Server also has client mac listed above don't dupl
 - hmac-sha1
 - [email protected]
 rhel9stig_dod_kex:
+
+# Defaults added for searches
+rhel9stig_ungrouped_files_found: false
+rhel9stig_unowned_files_found: false