Merge pull request #197 from ansible-lockdown/devel

Version 1.0.1 Fixes
Signed-off-by: George Nalen <georgen@mindpointgroup.com>

ChangeLog.md

@@ -1,12 +1,16 @@
 # release CIS RedHat Enterprise Linux 7 Benchmark v3.0.1 - 09-21-2020
 
-## Whats new
+## Whats new 1.0.0
 
 - New auditing tool all controlled via defaults main. run on host using [goss](https://github.com/aelsabbahy/goss)
 - reorder of rules inline with CIS changes
 - If Python3 discovered adds the epel repo to install python-rpm and then disables the repo after installing
 - Adding of the goss module to the library path
 
+## Whats new 1.0.1
+- Fixed typos
+- Added audit output file permissions
+
 ## High level changes within tasks
 
 - Python3 now default for control node (should be backward compatible in setup)

README.md

@@ -2,6 +2,7 @@ RHEL 7 CIS
 ================
 
 ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL7-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
+![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL7-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic)
 ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-CIS?style=plastic)
 
 Configure RHEL/Centos 7 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant

tasks/post_LE_audit.yml

@@ -9,6 +9,15 @@
     output_file: "{{ post_audit_outfile }}"
   failed_when: false
 
+- name: ensure audit files readable by users
+  file:
+    path: "{{ item }}"
+    mode: 0644
+    state: file
+  loop:
+  - "{{ post_audit_outfile }}"
+  - "{{ pre_audit_outfile }}"
+
 - name: Capture audit data if json format
   block:
   - name: "capture data {{ post_audit_outfile }}"

tasks/section_1/cis_1.7.x.yml

@@ -92,7 +92,7 @@
 
   - name: "AUTOMATED | 1.7.1.6 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones"
     debug:
-      msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}"
+      msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_6_unconf_daemons.stdout_lines }}"
     when: rhelcis_1_7_1_6_unconf_daemons.stdout != ""
   when:
   - rhel7cis_rule_1_7_1_6

tasks/section_2/cis_2.2.x.yml

@@ -105,7 +105,7 @@
       name: nfs-server
       masked: true
     when:
-    - rhel7_cis_nfs_rpc_server and not rhel7cis_nfs_server
+    - rhel7cis_nfs_rpc_server and not rhel7cis_nfs_server
   when:
   - "'nfs-utils' in ansible_facts.packages"
   - rhel7cis_rule_2_2_7
@@ -133,7 +133,7 @@
       name: rpcbind
       masked: true
     when:
-    - rhel7_cis_nfs_rpc_server and not rhel7cis_rpc_server
+    - rhel7cis_nfs_rpc_server and not rhel7cis_rpc_server
   when:
   - "'rpcbind' in ansible_facts.packages"
   - rhel7cis_rule_2_2_8
@@ -338,4 +338,4 @@
   - telnet
   - services
   - patch
-  - rule_2.2.19
+  - rule_2.2.19

templates/ansible_vars_goss.yml

@@ -377,7 +377,9 @@ rhel7cis_auditd:
   auditd_backlog_limit: {{ rhel7cis_audit_backlog_limit }}
 
 ## syslog
-rhel7_cis_rsyslog: true
+{% if rhel7cis_syslog == "rsyslog" %}
+rhel7cis_rsyslog: true
+{% endif %}
 
 ### Section 5
 rhel7cis_sshd_limited: false
@@ -441,10 +443,10 @@ skip_rhel7cis_pam_system_auth: true
 # choose one of below
 rhel7cis_pwhistory_so: "14"
 rhel7cis_unix_so: false
-rhel7cis_passwd_remember: "5"
+rhel7cis_passwd_remember: "{{ rhel7cis_pam_faillock.remember }}"
 
 # logins.def password settings
-rhel7_cis_pass_max_days: 365
-rhel7_cis_pass_min_days: 1
-rhel7_cis_pass_warn_age: 7
+rhel7cis_pass_max_days: {{ rhel7cis_pass.max_days }}
+rhel7cis_pass_min_days: {{ rhel7cis_pass.min_days }}
+rhel7cis_pass_warn_age: {{ rhel7cis_pass.warn_age }}