Merge pull request #280 from ansible-lockdown/issue_275_and_checkmode…
…_changes

Issue 275 and checkmode changes
georgenalen authored Jan 21, 2022
2 parents e185c8d + 0579eae commit 224a762
Showing 18 changed files with 61 additions and 50 deletions.
11 changes: 0 additions & 11 deletions handlers/main.yml
Expand Up @@ -2,23 +2,20 @@
# handlers file for RHEL7-CIS

- name: sysctl flush ipv4 route table
become: yes
sysctl:
name: net.ipv4.route.flush
value: '1'
sysctl_set: yes
when: ansible_virtualization_type != "docker"

- name: sysctl flush ipv6 route table
become: yes
sysctl:
name: net.ipv6.route.flush
value: '1'
sysctl_set: yes
when: ansible_virtualization_type != "docker"

- name: systemd restart tmp.mount
become: yes
systemd:
name: tmp.mount
daemon_reload: yes
Expand Down Expand Up @@ -55,35 +52,29 @@
warn: false

- name: update dconf
become: yes
command: dconf update

- name: restart firewalld
become: yes
service:
name: firewalld
state: restarted

- name: restart xinetd
become: yes
service:
name: xinetd
state: restarted

- name: restart sshd
become: yes
service:
name: sshd
state: restarted

- name: restart postfix
become: yes
service:
name: postfix
state: restarted

- name: reload dconf
become: yes
command: dconf update

- name: restart auditd
Expand All @@ -102,13 +93,11 @@
command: /sbin/grub2-mkconfig -o "{{ rhel7cis_bootloader_path }}grub.cfg"

- name: restart rsyslog
become: yes
service:
name: rsyslog
state: restarted

- name: restart syslog-ng
become: yes
service:
name: syslog-ng
state: restarted
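Review bot: Dropping `become: yes` from the handlers shown in these hunks (and from the tasks in tasks/main.yml, cis_3.5.2.x.yml, cis_4.2.1.x.yml, cis_5.5.x.yml and cis_5.6.yml) makes every sysctl, systemd and service restart depend on the calling play escalating, which site.yml does with `become: true` but which nothing inside the role checks. A consumer that includes the role from a play without play-level become will only notice at handler time, as a permission error on the restart, well after the task that notified it ran. That contract is worth stating in the header comment, e.g. `# handlers file for RHEL7-CIS; all handlers assume the play runs with become: true (see site.yml)`, and in the role README. Handlers between the hunks (restart auditd, the grub handler) are not visible here, so whether they were changed the same way is inferred from the 11-deletion count rather than seen.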
2 changes: 0 additions & 2 deletions site.yml
@@ -1,8 +1,6 @@
---
- hosts: all
become: true
vars:
is_container: false

roles:
- role: "{{ playbook_dir }}"
2 changes: 0 additions & 2 deletions tasks/main.yml
Expand Up @@ -52,7 +52,6 @@
- prereqs

- include: prelim.yml
become: yes
tags:
- prelim_tasks
- always
Expand All @@ -70,7 +69,6 @@
- always

- include: parse_etc_password.yml
become: yes
when:
- rhel7cis_section5 or
rhel7cis_section6
6 changes: 6 additions & 0 deletions tasks/section_1/cis_1.1.x.yml
Expand Up @@ -45,6 +45,8 @@
opts: defaults,{% if rhel7cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel7cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_5 %}nosuid{% endif %}
notify: remount tmp
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- not rhel7cis_tmp_svc
- item.mount == "/tmp"
Expand Down Expand Up @@ -192,6 +194,8 @@
state: present
opts: defaults,{% if rhel7cis_rule_1_1_12 %}noexec,{% endif %}{% if rhel7cis_rule_1_1_13 %}nodev,{% endif %}{% if rhel7cis_rule_1_1_14 %}nosuid{% endif %}
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- var_tmp_mount_present is defined
- item.mount == "/var/tmp"
Expand Down Expand Up @@ -297,6 +301,8 @@
state: present
opts: defaults,{% if rhel7cis_rule_1_1_17 %}nodev{% endif %}
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- home_mount_present is defined
- item.mount == "/home"
7 changes: 6 additions & 1 deletion tasks/section_1/cis_1.2.x.yml
Expand Up @@ -24,6 +24,9 @@
shell: yum repolist
changed_when: false
register: repolist
check_mode: false
args:
warn: false
tags:
- skip_ansible_lint

Expand All @@ -46,15 +49,17 @@
find:
paths: /etc/yum.repos.d
patterns: "*.repo"
register: yum_repos
changed_when: false
register: yum_repos

- name: "1.2.3 | L1 | PATCH | Ensure gpgcheck is globally activated"
replace:
path: "{{ item.path }}"
regexp: "^gpgcheck=0"
replace: "gpgcheck=1"
loop: "{{ yum_repos.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel7cis_rule_1_2_3
tags:
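Review bot: The new `args: warn: false` on the `yum repolist` task relies on the command/shell `warn` option, which ansible-core deprecated in 2.11 and removed in 2.14, so on a current controller the task fails with an unsupported-parameter error instead of merely silencing the "consider using the yum module" hint. If newer controllers are in scope, drop the `args:` and `warn: false` lines; the hint is harmless for a read-only audit command that already carries `check_mode: false` and `changed_when: false`. The task's `name:` line and therefore its start lie above the hunk.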
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.3.x.yml
Expand Up @@ -13,7 +13,7 @@
creates: /var/lib/aide/aide.db.gz
changed_when: false
failed_when: false
async: 45
async: "{{ ansible_check_mode | ternary(0, 45) }}"
poll: 0
when:
- rhel7cis_config_aide
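Review bot: The templated `async: "{{ ansible_check_mode | ternary(0, 45) }}"` keeps the AIDE database initialization fire-and-forget in normal runs, and together with the retained `poll: 0` and `failed_when: false` the job's result is never collected, so a failed `aide --init` leaves the host without a baseline while the play reports success. If the only goal is to avoid an async task under `--check` (presumably the motivation, since async and check mode do not combine), a comment on the new line such as `# async is disabled under --check; async tasks cannot run in check mode` would record that, and a follow-up `async_status` task with `until: ... finished` would make the outcome visible. The enclosing task begins above the hunk, so its `register`, if any, is not visible here.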
2 changes: 2 additions & 0 deletions tasks/section_1/cis_1.4.x.yml
Expand Up @@ -38,6 +38,8 @@
opts: defaults,umask=0027,fmask=0077,uid=0,gid=0
passno: '0'
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
- not rhel7cis_legacy_boot
- item.mount == "/boot/efi"
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.6.x.yml
Expand Up @@ -65,9 +65,10 @@
block:
- name: "1.6.1.6 | L1 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons"
shell: ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
register: rhelcis_1_6_1_6_unconf_daemons
failed_when: false
changed_when: false
check_mode: false
register: rhelcis_1_6_1_6_unconf_daemons

- name: "1.6.1.6 | L1 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones"
debug:
9 changes: 5 additions & 4 deletions tasks/section_3/cis_3.5.1.x.yml
Expand Up @@ -60,6 +60,7 @@
- name: "3.5.1.5 | L1 | AUDIT | Ensure default zone is set"
command: firewall-cmd --get-default-zone
changed_when: false
check_mode: false
register: current_default_zone

- name: "3.5.1.5 | L1 | PATCH | Ensure default zone is set"
Expand All @@ -77,9 +78,9 @@
block:
- name: "3.5.1.6 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies"
shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
register: rhel7cis_3_5_1_6_interfacepolicy
changed_when: false
become: yes
check_mode: false
register: rhel7cis_3_5_1_6_interfacepolicy

- name: "3.5.1.6 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies | Show the interface to policy"
debug:
Expand All @@ -97,9 +98,9 @@
block:
- name: "3.5.1.7 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
register: rhel7cis_3_5_1_7_servicesport
become: true
changed_when: no
check_mode: false
register: rhel7cis_3_5_1_7_servicesport

- name: "3.5.1.7 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
debug:
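Review bot: Adding `check_mode: false` to the 3.5.1.6 and 3.5.1.7 shell pipelines makes them execute under `--check`, but neither task has `failed_when: false`, so a non-zero exit — `grep -B1 $INT` matching nothing on the last loop iteration, or firewalld not running — now aborts an otherwise read-only check run. The 1.6.1.6 audit task in this same PR pairs `check_mode: false` with `failed_when: false`; adding `failed_when: false` beside the new line in both tasks here would match it. In 3.5.1.6 the interface name is also expanded unquoted; `grep -B1 "$INT"` is the safer spelling for the line the new option now runs in check mode. Both blocks continue outside the hunks.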
16 changes: 5 additions & 11 deletions tasks/section_3/cis_3.5.2.x.yml
Expand Up @@ -141,38 +141,34 @@
block:
- name: "3.5.2.7 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
register: rhel7cis_3_5_2_7_iiflo
changed_when: false
failed_when: false
register: rhel7cis_3_5_2_7_iiflo

- name: "3.5.2.7 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
register: rhel7cis_3_5_2_7_ipsaddr
changed_when: false
failed_when: false
register: rhel7cis_3_5_2_7_ipsaddr

- name: "3.5.2.7 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
become: true
register: rhel7cis_3_5_2_7_ip6saddr
changed_when: false
failed_when: false
register: rhel7cis_3_5_2_7_ip6saddr

- name: "3.5.2.7 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule"
command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input iif lo accept
become: true
when:
- '"iif \"lo\" accept" not in rhel7cis_3_5_2_7_iiflo.stdout'

- name: "3.5.2.7 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule"
command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip saddr 127.0.0.0/8 counter drop
become: true
when:
- '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel7cis_3_5_2_7_ipsaddr.stdout'

- name: "3.5.2.7 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule"
command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip6 saddr ::1 counter drop
become: true
when:
- '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel7cis_3_5_2_7_ip6saddr.stdout'
when:
Expand All @@ -186,17 +182,15 @@
block:
- name: "3.5.2.8 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules"
shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
become: true
register: rhel7cis_3_5_2_8_inconnectionrule
changed_when: false
failed_when: false
register: rhel7cis_3_5_2_8_inconnectionrule

- name: "3.5.2.8 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules"
shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
become: true
register: rhel7cis_3_5_2_8_outconnectionrule
changed_when: false
failed_when: false
register: rhel7cis_3_5_2_8_outconnectionrule

- name: "3.5.2.8 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accpet policy"
command: nft add rule inet "{{ rhel7cis_nft_tables_tableName }}" input ip protocol tcp ct state established accept
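Review bot: The 3.5.2.7 and 3.5.2.8 gather tasks (`nft list ruleset | ...`) did not receive `check_mode: false` the way the audit tasks in cis_3.5.1.x.yml, cis_4.1.2.x.yml and cis_5.5.1.x.yml did, so under `--check` the shell module is skipped, the registered variables hold only the skip result, and the following PATCH conditions such as `'"iif \"lo\" accept" not in rhel7cis_3_5_2_7_iiflo.stdout'` fail on the missing `stdout` attribute instead of reporting what would change. Adding `check_mode: false` next to `failed_when: false` on all five gather tasks (three in 3.5.2.7, two in 3.5.2.8) keeps check mode usable for this file. The `cat /etc/rsyslog.conf` audit in cis_4.2.1.x.yml has the same shape, though its consumer is not visible there. Both blocks extend beyond the hunks.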
1 change: 1 addition & 0 deletions tasks/section_4/cis_4.1.2.x.yml
Expand Up @@ -55,6 +55,7 @@
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | cut -f2 -d'"'
changed_when: false
failed_when: false
check_mode: false
register: rhel7cis_4_1_2_4_grub_cmdline_linux_settings

- name: "4.1.2.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if not configured"
3 changes: 2 additions & 1 deletion tasks/section_4/cis_4.2.1.x.yml
Expand Up @@ -44,7 +44,6 @@
block:
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
shell: cat /etc/rsyslog.conf
become: yes
changed_when: false
failed_when: false
register: rhel_07_4_2_1_4_audit
Expand Down Expand Up @@ -74,6 +73,8 @@
- { regexp: '^news.crit(.*)$', line: 'news.crit -/var/log/news/news.crit', insertafter: '# Save news errors of level crit and higher in a special file.' }
- { regexp: '^news.err(.*)$', line: 'news.err -/var/log/news/news.err', insertafter: '# Save news errors of level crit and higher in a special file.' }
- { regexp: '^news.notice(.*)$', line: 'news.notice -/var/log/news/news.notice', insertafter: '# Save news errors of level crit and higher in a special file.' }
loop_control:
label: "{{ item.regexp }}"
notify: restart rsyslog
when:
- rhel7cis_rsyslog_ansiblemanaged
4 changes: 4 additions & 0 deletions tasks/section_5/cis_5.3.x.yml
Expand Up @@ -33,6 +33,8 @@
group: root
mode: 0600
loop: "{{ rhel_07_5_3_2_priv_results.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel7cis_rule_5_3_2
tags:
Expand All @@ -59,6 +61,8 @@
group: root
mode: 0600
loop: "{{ rhel_07_5_3_3_pub_results.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel7cis_rule_5_3_3
tags:
5 changes: 4 additions & 1 deletion tasks/section_5/cis_5.5.1.x.yml
Expand Up @@ -51,8 +51,9 @@
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
# shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | awk -F: '{print $1 \",\" $7}' | egrep -v ',\\d|,[1-2][0-9]|,30|{{ rhel7cis_inactive_whitelist | join('|') }}' | cut -d , -f1"
register: rhel_07_5_5_1_4_audit
changed_when: false
check_mode: false
register: rhel_07_5_5_1_4_audit

- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
shell: "chage --inactive {{ rhel7cis_inactivelock.lock_days }} {{ item }}"
Expand All @@ -73,10 +74,12 @@
shell: echo $(($(date --utc --date "$1" +%s)/86400))
failed_when: false
changed_when: false
check_mode: false
register: rhel7cis_5_5_1_5_current_unix_time

- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel7cis_5_5_1_5_current_unix_time.stdout }})print$1}'"
check_mode: false
register: rhel7cis_5_5_1_5_user_list

- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
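Review bot: `check_mode: false` is added to the "Get list of users with last changed pw date in the future" task, but unlike the two tasks above it this read-only `awk` over /etc/shadow still has no `changed_when: false`, so it reports changed on every run — including check runs, which is the opposite of what the PR sets out to fix; `changed_when: false` belongs beside the new line. The same task interpolates `rhel7cis_5_5_1_5_current_unix_time.stdout` unquoted into the awk program, and because the producing task has `failed_when: false`, an empty stdout would yield `$3>)` and an awk syntax error; a guard such as `when: rhel7cis_5_5_1_5_current_unix_time.stdout | length > 0` would make that failure explicit rather than cryptic. The enclosing blocks continue outside the hunks.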
6 changes: 4 additions & 2 deletions tasks/section_5/cis_5.5.x.yml
Expand Up @@ -7,7 +7,8 @@
name: "{{ item.id }}"
shell: /usr/sbin/nologin
loop: "{{ rhel7cis_passwd }}"
become: true
loop_control:
label: "{{ item.id }}"
when:
- item.id != "root"
- item.id != "sync"
Expand All @@ -22,7 +23,8 @@
name: "{{ item.id }}"
password_lock: true
loop: "{{ rhel7cis_passwd }}"
become: true
loop_control:
label: "{{ item.id }}"
when:
- item.id != "halt"
- item.id != "shutdown"
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.6.yml
Expand Up @@ -5,7 +5,7 @@
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
command: cat /etc/securetty
changed_when: false
become: yes
check_mode: false
register: rhel_07_5_6_audit

- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
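Review bot: With `check_mode: false` the `cat /etc/securetty` audit now executes under `--check`, but it has no `failed_when: false`, so a host where the file is absent or unreadable stops the run instead of producing an audit result; the 5.5.1.5 tasks in this PR show the `failed_when: false` / `changed_when: false` pair that would fit here. Because `become: yes` was removed on the same task, reading that root-owned file also depends on the play's `become: true`, which is a silent assumption if the role is used from another play. The task that consumes `rhel_07_5_6_audit` lies below the hunk and is not visible.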