updated tasks 6.1.14/15 issue #247

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
ansible-lockdown · Apr 12, 2023 · 1bd7748 · 1bd7748
1 parent 8b913cc
commit 1bd7748
Showing 1 changed file with 23 additions and 11 deletions.
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -311,24 +311,30 @@
         ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
         failed_when: false
         changed_when: false
-        register: rhel_08_6_1_14_perms_results
+        register: rhel_08_6_1_14_suid_perms
         with_items: "{{ ansible_mounts }}"
         loop_control:
             label: "{{ item.mount }}"
 
+      - name: "6.1.14 | AUDIT | Audit SUID executables | set fact SUID executables"
+        ansible.builtin.set_fact:
+            rhel8cis_6_1_14_suid_found: true
+        loop: "{{ rhel_08_6_1_14_suid_perms.results }}"
+        when:
+            - item.stdout | length > 0
+
       - name: "6.1.14 | AUDIT | Audit SUID executables |  Alert SUID executables exist"
         ansible.builtin.debug:
-            msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
-        with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}"
+            msg: "Warning!! -- SUID set on items in {{ rhel_08_6_1_14_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"
         when:
-            - rhel_08_6_1_14_perms_results.stdout is defined
+            - rhel8cis_6_1_14_suid_found
 
       - name: "6.1.14 | AUDIT | Audit SUID executables | Warn Count"
         ansible.builtin.import_tasks: warning_facts.yml
         vars:
             warn_control_id: '6.1.14'
         when:
-            - rhel_08_6_1_14_perms_results.stdout is defined
+            - rhel8cis_6_1_14_suid_found
   when:
       - rhel8cis_rule_6_1_14
   tags:
@@ -345,24 +351,30 @@
         ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
         failed_when: false
         changed_when: false
-        register: rhel_08_6_1_15_perms_results
-        with_items: "{{ ansible_mounts }}"
+        register: rhel_08_6_1_15_sgid_perms
+        loop: "{{ ansible_mounts }}"
         loop_control:
             label: "{{ item.mount }}"
 
+      - name: "6.1.15 | AUDIT | Audit SGID executables | Set fact SGID executables"
+        ansible.builtin.set_fact:
+            rhel8cis_6_1_15_sgid_found: true
+        loop: "{{ rhel_08_6_1_15_sgid_perms.results }}"
+        when:
+            - item.stdout | length > 0
+
       - name: "6.1.15 | AUDIT | Audit SGID executables |  Alert SGID executables exist"
         ansible.builtin.debug:
-            msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
-        with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}"
+            msg: "Warning!! -- SGID set on items in {{ rhel_08_6_1_15_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"
         when:
-            - rhel_08_6_1_15_perms_results.stdout is defined
+            - rhel8cis_6_1_15_sgid_found
 
       - name: "6.1.15 | AUDIT | Audit SGID executables | Warn Count"
         ansible.builtin.import_tasks: warning_facts.yml
         vars:
             warn_control_id: '6.1.15'
         when:
-            - rhel_08_6_1_15_perms_results.stdout is defined
+            - rhel8cis_6_1_15_sgid_found
   when:
       - rhel8cis_rule_6_1_15
   tags: