From 6eb716fd38e0687404ed32262f1dfab4b4c1dbb1 Mon Sep 17 00:00:00 2001
From: ComplianceAsCode development team
Date: Mon, 7 Aug 2023 17:28:35 -0400
Subject: [PATCH] Updated tasks/main.yml
---
 tasks/main.yml | 89 ++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 86 insertions(+), 3 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index ab54b0d..f64e168 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -436,10 +436,10 @@ - name: Ensure AIDE is installed package: - name: - - aide - - crontabs + name: '{{ item }}' state: present + with_items: + - aide when: - aide_periodic_cron_checking | bool - low_complexity | bool
@@ -663,6 +663,50 @@ - medium_severity | bool - reboot_required | bool +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81003-6 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + when: + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Run dconf update + ansible.builtin.command: + cmd: dconf update + when: + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-81003-6 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + - name: Gather the package facts package_facts: manager: auto
@@ -1494,6 +1538,7 @@ tags: - CCE-80795-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010019 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a)
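Review bot: The rewritten `Ensure AIDE is installed` task drops `crontabs` from the package set, so on a minimal host this task no longer guarantees that `/etc/crontab` and the `/etc/cron.*` directories exist; if the periodic-check task later in this file (outside this hunk) writes the AIDE job into one of those paths, that write can now fail, and the `aide_periodic_cron_checking` condition on this task suggests cron is exactly what it is preparing for. If the package was moved to another rule on purpose, a comment such as `# crontabs is installed by the cron-check task` above `with_items:` would record that. The single-item `with_items:` loop also means one package transaction per item; passing the list directly to `name:` would keep the call atomic, which is a style preference only.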
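Review bot: `Run dconf update` sets no `changed_when`, and `dconf update` prints nothing on success, so the task reports `changed` on every run even when the compiled databases under `/etc/dconf/db` were already current; for a rule named `dconf_db_up_to_date` that makes the play's change report unusable for drift detection. Registering a `stat` of the db files before and after the command and setting `changed_when` from the comparison would make the report accurate; failing that, a comment `# dconf update is silent: always reported as changed` on the `cmd:` line documents the limitation. The new `Gather the package facts` task is also immediately followed by another `Gather the package facts` task in the trailing context, so package facts are likely collected twice under overlapping conditions; gathering them once at the top of the play would remove the repetition.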
@@ -1508,6 +1553,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_08_010019 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool
@@ -1523,6 +1569,7 @@ tags: - CCE-80795-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010019 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a)
@@ -1537,6 +1584,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_08_010019 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool
@@ -1552,6 +1600,7 @@ tags: - CCE-80795-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010019 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a)
@@ -1566,6 +1615,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_08_010019 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool
@@ -1579,6 +1629,7 @@ tags: - CCE-80795-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010019 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a)
@@ -1593,6 +1644,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_08_010019 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool
@@ -1605,6 +1657,7 @@ state: present key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release when: + - DISA_STIG_RHEL_08_010019 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool
@@ -1618,6 +1671,7 @@ tags: - CCE-80795-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010019 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a)
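Review bot: `DISA_STIG_RHEL_08_010019 | bool` is a new variable in this `when:` list, and the diffstat shows the patch touches only `tasks/main.yml`, so unless `defaults/main.yml` or the inventory already defines it every task of the `ensure_redhat_gpgkey_installed` rule now aborts with an undefined-variable error instead of running; the same applies to the hunks at -1537, -1566, -1593 and -1605. Either ship `DISA_STIG_RHEL_08_010019: true` in the role defaults with this change, or write the test as `- DISA_STIG_RHEL_08_010019 | default(true) | bool` if the rule should keep applying when the STIG variable is absent. Note also that the new test is AND-ed with the existing ones, so setting the STIG variable to false now disables the GPG-key remediation even when `ensure_redhat_gpgkey_installed` is true; if that coupling is intended it deserves a comment. The tasks these `when:` lists belong to begin outside each hunk.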
@@ -14408,6 +14462,34 @@ - medium_severity - no_reboot_needed +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80877-4 + - DISA-STIG-RHEL-08-040101 + - NIST-800-171-3.1.3 + - NIST-800-171-3.4.7 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_firewalld_enabled + when: + - DISA_STIG_RHEL_08_040101 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_firewalld_enabled | bool + - name: Enable service firewalld block: - name: Gather the package facts
@@ -14430,6 +14512,7 @@ - no_reboot_needed | bool - service_firewalld_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"firewalld" in ansible_facts.packages' tags: - CCE-80877-4 - DISA-STIG-RHEL-08-040101
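Review bot: The new top-level `Gather the package facts` task is immediately followed by a block whose first task (`block: - name: Gather the package facts` in the trailing context) collects the same facts again, so they are gathered twice whenever the rule runs. The outer task is the one now needed, because the block-level `when:` extended at -14430 tests `ansible_facts.packages` before the block body runs; the inner copy can be removed. The new task also omits the `ansible_virtualization_type` container guard that the block carries; `package_facts` has no side effects, so that is harmless, but a one-line comment `# facts needed by the block-level when below` above `package_facts:` would explain why it sits outside the block.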
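Review bot: Adding `'"firewalld" in ansible_facts.packages'` to the block-level `when:` means a host without the package now skips the whole `Enable service firewalld` block silently: the play ends without failure although `service_firewalld_enabled` was not remediated and the host is left without a host firewall. If the package is expected to come from a separate package-install rule, say so on the new line, e.g. `# skipped when firewalld is absent; the package rule must be selected too`, or add a task after the block that reports (`ansible.builtin.debug` or `fail`) when the package is missing so the gap shows up in the report rather than as a skip. The test also depends on the top-level `package_facts` task added at -14462 having run first, since the block's own facts task executes only after this `when:` is evaluated; the block begins outside this hunk.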