Merge pull request #436 from ansible-lockdown/Nov24_logic_updates

Nov24 logic updates
ansible-lockdown · Dec 3, 2024 · 89166c3 · 89166c3
2 parents d1bf968 + ca8dd72
commit 89166c3
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 24 deletions.
diff --git a/tasks/post.yml b/tasks/post.yml
@@ -4,7 +4,6 @@
 - name: POST | Perform DNF package cleanup
   ansible.builtin.dnf:
       autoremove: true
-  changed_when: false
 
 - name: POST | flush handlers
   ansible.builtin.meta: flush_handlers

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -193,30 +193,10 @@
   check_mode: false
   register: prelim_sudoers_files
 
-- name: "PRELIM | AUDIT | Check authselect package versions"
-  tags:
-      - always
-      - authselect
-  vars:
-      warn_control_id: 'authselect_pkg_version_too_low'
-      authselect_pkg_version: 1.2.6
-  block:
-      - name: "PRELIM | AUDIT | Check authselect package versions | set fact"
-        when: ansible_facts.packages.authselect[0].version is version(authselect_pkg_version, '>=')
-        ansible.builtin.set_fact:
-            authselect_version: OK
-
-      - name: "PRELIM | WARNING | Check authselect package versions | Warning"
-        when: ansible_facts.packages.authselect[0].version is version(authselect_pkg_version, '<')
-        ansible.builtin.debug:
-            msg: "Warning!! Authselect controls won't run as authselect pkg version too low"
-
-      - name: "PRELIM | WARNING | Check authselect package versions | Warning"
-        when: ansible_facts.packages.authselect[0].version is version(authselect_pkg_version, '<')
-        ansible.builtin.import_tasks:
-            file: warning_facts.yml
-
 - name: "PRELIM | AUDIT | Check pam package versions"
+  when:
+      - "'pam' in ansible_facts.packages"
+      - rhel8cis_rule_4_4_1_1
   tags:
       - always
   vars:
@@ -245,6 +225,32 @@
         ansible.builtin.import_tasks:
             file: warning_facts.yml
 
+- name: "PRELIM | AUDIT | Check authselect package versions"
+  when:
+      - "'authselect' in ansible_facts.packages"
+      - rhel8cis_rule_4_4_1_2
+  tags:
+      - always
+      - authselect
+  vars:
+      warn_control_id: 'authselect_pkg_version_too_low'
+      authselect_pkg_version: 1.2.6
+  block:
+      - name: "PRELIM | AUDIT | Check authselect package versions | set fact"
+        when: ansible_facts.packages.authselect[0].version is version(authselect_pkg_version, '>=')
+        ansible.builtin.set_fact:
+            authselect_version: OK
+
+      - name: "PRELIM | WARNING | Check authselect package versions | Warning"
+        when: ansible_facts.packages.authselect[0].version is version(authselect_pkg_version, '<')
+        ansible.builtin.debug:
+            msg: "Warning!! Authselect controls won't run as authselect pkg version too low"
+
+      - name: "PRELIM | WARNING | Check authselect package versions | Warning"
+        when: ansible_facts.packages.authselect[0].version is version(authselect_pkg_version, '<')
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+
 - name: "PRELIM | AUDIT | Interactive User accounts home directories"
   tags:
       - always

diff --git a/tasks/section_4/cis_4.4.1.x.yml b/tasks/section_4/cis_4.4.1.x.yml
@@ -3,6 +3,7 @@
 - name: "4.4.1.1 | PATCH | Ensure latest version of pam is installed"
   when:
       - rhel8cis_rule_4_4_1_1
+      - pam_version is not defined or pam_version != 'OK'
   tags:
       - level1-server
       - level1-workstation
@@ -18,6 +19,7 @@
   when:
       - rhel8cis_rule_4_4_1_2
       - rhel8cis_authselect_pkg_update
+      - authselect_version is not defined or authselect__version != 'OK'
   tags:
       - level1-server
       - level1-workstation