ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Change rule platforms - Part 1: Groups of services #12496

Closed. jan-cerny closed this pull request 1 month ago.

jan-cerny commented 1 month ago

Many rules currently marked with the machine platform should also be applicable to bootable containers. The reason is that these rules often check configuration that should be applied if the bootable container is deployed and booted on a real system. The applicability of these rules needs to be extended by marking them with the system_with_kernel platform instead.

We change the platforms carefully; we don't perform a blind mass platform replacement, because not every rule that is currently marked as machine should be applicable to bootable containers. For example, partition rules should be evaluated as "not applicable" when scanning a bootable container.

For more details, please read commit messages of all commits.

Review hints

For normal (non-bootable) containers, run a scan and verify that the rules affected by this change are still evaluated as notapplicable, as they were before this change. For example: `sudo oscap-podman centos:stream9 xccdf eval --profile stig --report /tmp/report.html build/ssg-cs9-ds.xml`
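The review hint above asks the reviewer to eyeball a report for a few dozen rules. The following script is an added example, not part of the ComplianceAsCode project or this pull request: it pulls the affected rule IDs out of the "Compare DS" diff text and checks them against an XCCDF results file, so the "still notapplicable in a plain container" check becomes a one-shot pass/fail. It assumes the scan was run with `--results` (an `oscap xccdf eval` option that oscap-podman passes through) and that the results file is XCCDF 1.2; the diff excerpt and results document embedded below are constructed samples, with one deliberate regression so the failure path is visible.

```python
"""Check that rules touched by a platform change stay 'notapplicable'
in a plain-container scan.

Added example, not project code. Assumed workflow:
  sudo oscap-podman centos:stream9 xccdf eval --profile stig \
      --results /tmp/results.xml build/ssg-cs9-ds.xml
then feed /tmp/results.xml and the Compare DS output to
unexpected_results(). Sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# One summary line per changed remediation or platform in the Compare DS output.
RULE_LINE = re.compile(
    r"(?:remediation for rule|Platform has been changed for rule) "
    r"'(xccdf_org\.ssgproject\.content_rule_[A-Za-z0-9_]+)'"
)


def affected_rules(ds_diff_text: str) -> set[str]:
    """Collect the rule IDs named in the datastream diff summary lines."""
    return set(RULE_LINE.findall(ds_diff_text))


def rule_results(results_xml: str) -> dict[str, str]:
    """Map rule ID -> result string from an XCCDF 1.2 results document."""
    root = ET.fromstring(results_xml)
    out = {}
    # A results file may wrap TestResult inside a Benchmark; iterate recursively.
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.find(f"{{{XCCDF_NS}}}result")
        if result is not None and result.text:
            out[rr.get("idref")] = result.text.strip()
    return out


def unexpected_results(ds_diff_text: str, results_xml: str,
                       expected: str = "notapplicable") -> dict[str, str]:
    """Return {rule: result} for affected rules whose result != expected.

    Rules absent from the results (not selected by the profile) are skipped,
    so the check only reports rules that were actually evaluated."""
    results = rule_results(results_xml)
    return {
        rule: results[rule]
        for rule in sorted(affected_rules(ds_diff_text))
        if rule in results and results[rule] != expected
    }


# --- constructed sample inputs (not real scan output) ----------------------
SAMPLE_DIFF = """\
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_crond_enabled' differs.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled'
"""

# crond_enabled is deliberately 'fail' here to show a regression being caught.
SAMPLE_RESULTS = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_cron_installed">
    <result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_crond_enabled">
    <result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_atd_disabled">
    <result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_owner_crontab">
    <result>pass</result></rule-result>
</TestResult>
"""

if __name__ == "__main__":
    bad = unexpected_results(SAMPLE_DIFF, SAMPLE_RESULTS)
    for rule, result in bad.items():
        print(f"REGRESSION: {rule} -> {result}")
    raise SystemExit(1 if bad else 0)
```

Run it against the real files by replacing the two samples with `open(...).read()` of the results XML and the saved Compare DS output; a non-zero exit means at least one rule that this change touched is now evaluated inside a plain container, which is exactly what the review hint says must not happen.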

openshift-ci[bot] commented 1 month ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with `/test all`.

github-actions[bot] commented 1 month ago

Start a new ephemeral environment with changes proposed in this pull request:

- rhel8 (from CTF) Environment (using Fedora as testing environment): Open in Gitpod
- Fedora Testing Environment: Open in Gitpod
- Oracle Linux 8 Environment: Open in Gitpod

github-actions[bot] commented 1 month ago

This datastream diff is auto generated by the check Compare DS/Generate Diff. Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

Click here to see the trimmed diff ```diff bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs. --- xccdf_org.ssgproject.content_rule_package_cron_installed +++ xccdf_org.ssgproject.content_rule_package_cron_installed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then if ! rpm -q --quiet "cron" ; then yum install -y "cron" ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs. --- xccdf_org.ssgproject.content_rule_package_cron_installed +++ xccdf_org.ssgproject.content_rule_package_cron_installed @@ -1,8 +1,6 @@ -- name: Ensure cron is installed - package: - name: cron - state: present - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - NIST-800-53-CM-6(a) - enable_strategy @@ -11,3 +9,17 @@ - medium_severity - no_reboot_needed - package_cron_installed + +- name: Ensure cron is installed + package: + name: cron + state: present + when: '"kernel" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_cron_installed bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_cron_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_cron_enabled +++ xccdf_org.ssgproject.content_rule_service_cron_enabled 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'crond.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_cron_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_cron_enabled +++ xccdf_org.ssgproject.content_rule_service_cron_enabled @@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_cron_enabled + - name: Enable cron Service - Enable service crond block: @@ -13,7 +25,7 @@ masked: false when: - '"cron" in ansible_facts.packages' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - NIST-800-53-CM-6(a) - enable_strategy bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_crond_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_crond_enabled +++ xccdf_org.ssgproject.content_rule_service_crond_enabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'crond.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_crond_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_crond_enabled +++ xccdf_org.ssgproject.content_rule_service_crond_enabled 
@@ -1,3 +1,16 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80875-8 + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_crond_enabled + - name: Enable cron Service - Enable service crond block: @@ -13,7 +26,7 @@ masked: false when: - '"cronie" in ansible_facts.packages' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-80875-8 - NIST-800-53-CM-6(a) bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_atd_disabled +++ xccdf_org.ssgproject.content_rule_service_atd_disabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'atd.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_atd_disabled +++ xccdf_org.ssgproject.content_rule_service_atd_disabled @@ -1,10 +1,25 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80871-7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_atd_disabled + - name: Disable At Service (atd) - Collect systemd Services Present in the System ansible.builtin.command: systemctl -q list-unit-files --type service register: service_exists changed_when: false failed_when: service_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-80871-7 - NIST-800-53-CM-6(a) 
@@ -24,7 +39,7 @@ enabled: false masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - service_exists.stdout_lines is search("atd.service", multiline=True) tags: - CCE-80871-7 @@ -44,7 +59,7 @@ changed_when: false failed_when: socket_file_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-80871-7 - NIST-800-53-CM-6(a) @@ -64,7 +79,7 @@ state: stopped masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - socket_file_exists.stdout_lines is search("atd.socket", multiline=True) tags: - CCE-80871-7 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled' --- xccdf_org.ssgproject.content_rule_service_atd_disabled +++ xccdf_org.ssgproject.content_rule_service_atd_disabled @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_d +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_d @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.d/ -maxdepth 1 -L -type d -exec chgrp -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_d +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_d 
@@ -1,9 +1,6 @@ -- name: Ensure group owner on /etc/cron.d/ - file: - path: /etc/cron.d/ - state: directory - group: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82268-4 - NIST-800-53-AC-6(1) @@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure group owner on /etc/cron.d/ + file: + path: /etc/cron.d/ + state: directory + group: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82268-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_d + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.daily/ -maxdepth 1 -L -type d -exec chgrp -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily @@ -1,9 +1,6 @@ -- name: Ensure group owner on /etc/cron.daily/ - file: - path: /etc/cron.daily/ - state: directory - group: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82234-6 - NIST-800-53-AC-6(1) 
@@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure group owner on /etc/cron.daily/ + file: + path: /etc/cron.daily/ + state: directory + group: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82234-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_daily + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.hourly/ -maxdepth 1 -L -type d -exec chgrp -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly @@ -1,9 +1,6 @@ -- name: Ensure group owner on /etc/cron.hourly/ - file: - path: /etc/cron.hourly/ - state: directory - group: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82227-0 - NIST-800-53-AC-6(1) 
@@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure group owner on /etc/cron.hourly/ + file: + path: /etc/cron.hourly/ + state: directory + group: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82227-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.monthly/ -maxdepth 1 -L -type d -exec chgrp -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly @@ -1,9 +1,6 @@ -- name: Ensure group owner on /etc/cron.monthly/ - file: - path: /etc/cron.monthly/ - state: directory - group: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82256-9 - NIST-800-53-AC-6(1) 
@@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure group owner on /etc/cron.monthly/ + file: + path: /etc/cron.monthly/ + state: directory + group: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82256-9 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_monthly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.weekly/ -maxdepth 1 -L -type d -exec chgrp -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly @@ -1,9 +1,6 @@ -- name: Ensure group owner on /etc/cron.weekly/ - file: - path: /etc/cron.weekly/ - state: directory - group: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82244-5 - NIST-800-53-AC-6(1) 
@@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure group owner on /etc/cron.weekly/ + file: + path: /etc/cron.weekly/ + state: directory + group: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82244-5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_weekly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_crontab' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_crontab +++ xccdf_org.ssgproject.content_rule_file_groupowner_crontab @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chgrp 0 /etc/crontab ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_crontab' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_crontab +++ xccdf_org.ssgproject.content_rule_file_groupowner_crontab @@ -1,8 +1,24 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82223-9 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/crontab stat: path: /etc/crontab register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82223-9 - NIST-800-53-AC-6(1) 
@@ -21,7 +37,7 @@ path: /etc/crontab group: '0' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-82223-9 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_d +++ xccdf_org.ssgproject.content_rule_file_owner_cron_d @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_d +++ xccdf_org.ssgproject.content_rule_file_owner_cron_d @@ -1,9 +1,6 @@ -- name: Ensure owner on directory /etc/cron.d/ - file: - path: /etc/cron.d/ - state: directory - owner: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82272-6 - NIST-800-53-AC-6(1) @@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure owner on directory /etc/cron.d/ + file: + path: /etc/cron.d/ + state: directory + owner: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82272-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_d + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_daily +++ xccdf_org.ssgproject.content_rule_file_owner_cron_daily 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chown -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_daily +++ xccdf_org.ssgproject.content_rule_file_owner_cron_daily @@ -1,9 +1,6 @@ -- name: Ensure owner on directory /etc/cron.daily/ - file: - path: /etc/cron.daily/ - state: directory - owner: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82237-9 - NIST-800-53-AC-6(1) @@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure owner on directory /etc/cron.daily/ + file: + path: /etc/cron.daily/ + state: directory + owner: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82237-9 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_daily + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_hourly +++ xccdf_org.ssgproject.content_rule_file_owner_cron_hourly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chown -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_hourly +++ xccdf_org.ssgproject.content_rule_file_owner_cron_hourly 
@@ -1,9 +1,6 @@ -- name: Ensure owner on directory /etc/cron.hourly/ - file: - path: /etc/cron.hourly/ - state: directory - owner: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82209-8 - NIST-800-53-AC-6(1) @@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure owner on directory /etc/cron.hourly/ + file: + path: /etc/cron.hourly/ + state: directory + owner: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82209-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_monthly +++ xccdf_org.ssgproject.content_rule_file_owner_cron_monthly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chown -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_monthly +++ xccdf_org.ssgproject.content_rule_file_owner_cron_monthly @@ -1,9 +1,6 @@ -- name: Ensure owner on directory /etc/cron.monthly/ - file: - path: /etc/cron.monthly/ - state: directory - owner: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82260-1 - NIST-800-53-AC-6(1) 
@@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure owner on directory /etc/cron.monthly/ + file: + path: /etc/cron.monthly/ + state: directory + owner: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82260-1 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_monthly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_weekly +++ xccdf_org.ssgproject.content_rule_file_owner_cron_weekly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chown -L 0 {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_weekly +++ xccdf_org.ssgproject.content_rule_file_owner_cron_weekly @@ -1,9 +1,6 @@ -- name: Ensure owner on directory /etc/cron.weekly/ - file: - path: /etc/cron.weekly/ - state: directory - owner: '0' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82247-8 - NIST-800-53-AC-6(1) 
@@ -16,3 +13,22 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Ensure owner on directory /etc/cron.weekly/ + file: + path: /etc/cron.weekly/ + state: directory + owner: '0' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82247-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_weekly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_crontab' differs. --- xccdf_org.ssgproject.content_rule_file_owner_crontab +++ xccdf_org.ssgproject.content_rule_file_owner_crontab @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chown 0 /etc/crontab ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_crontab' differs. --- xccdf_org.ssgproject.content_rule_file_owner_crontab +++ xccdf_org.ssgproject.content_rule_file_owner_crontab @@ -1,8 +1,24 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82224-7 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/crontab stat: path: /etc/crontab register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82224-7 - NIST-800-53-AC-6(1) 
@@ -21,7 +37,7 @@ path: /etc/crontab owner: '0' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-82224-7 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_d +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_d @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_d +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_d @@ -1,10 +1,26 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82277-5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_d + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/cron.d/ file(s) command: 'find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82277-5 - NIST-800-53-AC-6(1) 
@@ -25,7 +41,7 @@ state: directory with_items: - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82277-5 - NIST-800-53-AC-6(1) bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_daily +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_daily @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_daily +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_daily @@ -1,10 +1,26 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82240-3 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_daily + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/cron.daily/ file(s) command: 'find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82240-3 - NIST-800-53-AC-6(1) 
@@ -25,7 +41,7 @@ state: directory with_items: - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82240-3 - NIST-800-53-AC-6(1) bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly @@ -1,3 +1,19 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82230-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/cron.hourly/ file(s) command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -5,7 +21,7 @@ changed_when: false failed_when: false check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82230-4 - NIST-800-53-AC-6(1) 
@@ -26,7 +42,7 @@ state: directory with_items: - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82230-4 - NIST-800-53-AC-6(1) bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly @@ -1,3 +1,19 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82263-5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_monthly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/cron.monthly/ file(s) command: 'find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -5,7 +21,7 @@ changed_when: false failed_when: false check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82263-5 - NIST-800-53-AC-6(1) 
@@ -26,7 +42,7 @@ state: directory with_items: - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82263-5 - NIST-800-53-AC-6(1) bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly @@ -1,3 +1,19 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82253-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_weekly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/cron.weekly/ file(s) command: 'find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -5,7 +21,7 @@ changed_when: false failed_when: false check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82253-6 - NIST-800-53-AC-6(1) 
@@ -26,7 +42,7 @@ state: directory with_items: - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82253-6 - NIST-800-53-AC-6(1) bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_crontab' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_crontab +++ xccdf_org.ssgproject.content_rule_file_permissions_crontab @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chmod u-xs,g-xwrs,o-xwrt /etc/crontab ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_crontab' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_crontab +++ xccdf_org.ssgproject.content_rule_file_permissions_crontab @@ -1,8 +1,24 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82206-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/crontab stat: path: /etc/crontab register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82206-4 - NIST-800-53-AC-6(1) @@ -21,7 +37,7 @@ path: /etc/crontab mode: u-xs,g-xwrs,o-xwrt when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-82206-4 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_at_deny_not_exist' differs. --- xccdf_org.ssgproject.content_rule_file_at_deny_not_exist +++ xccdf_org.ssgproject.content_rule_file_at_deny_not_exist 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then if [[ -f /etc/at.deny ]]; then rm /etc/at.deny ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_at_deny_not_exist' differs. --- xccdf_org.ssgproject.content_rule_file_at_deny_not_exist +++ xccdf_org.ssgproject.content_rule_file_at_deny_not_exist @@ -1,8 +1,6 @@ -- name: Remove /etc/at.deny - file: - path: /etc/at.deny - state: absent - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-86945-3 - PCI-DSSv4-2.2 @@ -13,3 +11,19 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Remove /etc/at.deny + file: + path: /etc/at.deny + state: absent + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-86945-3 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - disable_strategy + - file_at_deny_not_exist + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists' differs. --- xccdf_org.ssgproject.content_rule_file_cron_allow_exists +++ xccdf_org.ssgproject.content_rule_file_cron_allow_exists @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then touch /etc/cron.allow chown 0 /etc/cron.allow ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists' differs. --- xccdf_org.ssgproject.content_rule_file_cron_allow_exists +++ xccdf_org.ssgproject.content_rule_file_cron_allow_exists 
@@ -1,10 +1,6 @@ -- name: Add empty /etc/cron.allow - file: - path: /etc/cron.allow - state: touch - owner: '0' - mode: '0600' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-86184-9 - disable_strategy @@ -13,3 +9,19 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Add empty /etc/cron.allow + file: + path: /etc/cron.allow + state: touch + owner: '0' + mode: '0600' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-86184-9 + - disable_strategy + - file_cron_allow_exists + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist' differs. --- xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist +++ xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then if [[ -f /etc/cron.deny ]]; then rm /etc/cron.deny ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist' differs. --- xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist +++ xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist @@ -1,8 +1,6 @@ -- name: Remove /etc/cron.deny - file: - path: /etc/cron.deny - state: absent - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-86849-7 - PCI-DSSv4-2.2 
@@ -13,3 +11,19 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Remove /etc/cron.deny + file: + path: /etc/cron.deny + state: absent + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-86849-7 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - disable_strategy + - file_cron_deny_not_exist + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_at_allow +++ xccdf_org.ssgproject.content_rule_file_groupowner_at_allow @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chgrp 0 /etc/at.allow ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_at_allow +++ xccdf_org.ssgproject.content_rule_file_groupowner_at_allow @@ -1,8 +1,22 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87102-0 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_at_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/at.allow stat: path: /etc/at.allow register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-87102-0 - PCI-DSSv4-2.2 
@@ -19,7 +33,7 @@ path: /etc/at.allow group: '0' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-87102-0 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chgrp 0 /etc/cron.allow ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow' differs. --- xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow +++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow @@ -1,8 +1,24 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86829-9 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86829-9 - NIST-800-53-AC-6(1) @@ -21,7 +37,7 @@ path: /etc/cron.allow group: '0' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86829-9 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_allow +++ xccdf_org.ssgproject.content_rule_file_owner_cron_allow 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chown 0 /etc/cron.allow ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow' differs. --- xccdf_org.ssgproject.content_rule_file_owner_cron_allow +++ xccdf_org.ssgproject.content_rule_file_owner_cron_allow @@ -1,8 +1,24 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86843-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86843-0 - NIST-800-53-AC-6(1) @@ -21,7 +37,7 @@ path: /etc/cron.allow owner: '0' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86843-0 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_at_allow +++ xccdf_org.ssgproject.content_rule_file_permissions_at_allow @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chmod u-xs,g-xwrs,o-xwrt /etc/at.allow ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_at_allow +++ xccdf_org.ssgproject.content_rule_file_permissions_at_allow 
@@ -1,8 +1,22 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86903-2 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_at_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/at.allow stat: path: /etc/at.allow register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86903-2 - PCI-DSSv4-2.2 @@ -19,7 +33,7 @@ path: /etc/at.allow mode: u-xs,g-xwrs,o-xwrt when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86903-2 bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_allow +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_allow @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then chmod u-xs,g-xwrs,o-xwrt /etc/cron.allow ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow' differs. --- xccdf_org.ssgproject.content_rule_file_permissions_cron_allow +++ xccdf_org.ssgproject.content_rule_file_permissions_cron_allow 
@@ -1,8 +1,22 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86876-0 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow register: file_exists - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86876-0 - PCI-DSSv4-2.2 @@ -19,7 +33,7 @@ path: /etc/cron.allow mode: u-xs,g-xwrs,o-xwrt when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86876-0 bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed' differs. --- xccdf_org.ssgproject.content_rule_package_fapolicyd_installed +++ xccdf_org.ssgproject.content_rule_package_fapolicyd_installed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then if ! rpm -q --quiet "fapolicyd" ; then yum install -y "fapolicyd" ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed' differs. --- xccdf_org.ssgproject.content_rule_package_fapolicyd_installed +++ xccdf_org.ssgproject.content_rule_package_fapolicyd_installed @@ -1,8 +1,6 @@ -- name: Ensure fapolicyd is installed - package: - name: fapolicyd - state: present - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82191-8 - DISA-STIG-RHEL-08-040135 
@@ -14,3 +12,20 @@ - medium_severity - no_reboot_needed - package_fapolicyd_installed + +- name: Ensure fapolicyd is installed + package: + name: fapolicyd + state: present + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82191-8 + - DISA-STIG-RHEL-08-040135 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-4(22) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_fapolicyd_installed bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled +++ xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'fapolicyd.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled +++ xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled @@ -1,3 +1,18 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82249-4 + - DISA-STIG-RHEL-08-040136 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-4(22) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_fapolicyd_enabled + - name: Enable the File Access Policy Service - Enable service fapolicyd block: 
@@ -13,7 +28,7 @@ masked: false when: - '"fapolicyd" in ansible_facts.packages' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82249-4 - DISA-STIG-RHEL-08-040136 bash remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' differs. --- xccdf_org.ssgproject.content_rule_fapolicy_default_deny +++ xccdf_org.ssgproject.content_rule_fapolicy_default_deny @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF # Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854) ansible remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' differs. --- xccdf_org.ssgproject.content_rule_fapolicy_default_deny +++ xccdf_org.ssgproject.content_rule_fapolicy_default_deny @@ -1,3 +1,19 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86478-5 + - DISA-STIG-RHEL-08-040137 + - NIST-800-53-CM-6 b + - NIST-800-53-CM-7 (2) + - NIST-800-53-CM-7 (5) (b) + - fapolicy_default_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. - Ensure a Final Rule Denying Everything @@ -10,7 +26,7 @@ group: fapolicyd mode: '0644' register: result_fapolicyd_final_rule - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86478-5 - DISA-STIG-RHEL-08-040137 
@@ -33,7 +49,7 @@ line: \1 0 backrefs: true register: result_fapolicyd_enforced - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86478-5 - DISA-STIG-RHEL-08-040137 @@ -54,7 +70,7 @@ name: fapolicyd state: restarted when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed tags: - CCE-86478-5 bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed' differs. --- xccdf_org.ssgproject.content_rule_package_krb5-server_removed +++ xccdf_org.ssgproject.content_rule_package_krb5-server_removed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # CAUTION: This remediation script will remove krb5-server # from the system, and may remove any packages ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed' differs. --- xccdf_org.ssgproject.content_rule_package_krb5-server_removed +++ xccdf_org.ssgproject.content_rule_package_krb5-server_removed @@ -1,8 +1,6 @@ -- name: Ensure krb5-server is removed - package: - name: krb5-server - state: absent - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-85887-8 - DISA-STIG-RHEL-08-010163 
@@ -14,3 +12,20 @@ - medium_severity - no_reboot_needed - package_krb5-server_removed + +- name: Ensure krb5-server is removed + package: + name: krb5-server + state: absent + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-85887-8 + - DISA-STIG-RHEL-08-010163 + - NIST-800-53-IA-7 + - NIST-800-53-IA-7.1 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_krb5-server_removed bash remediation for rule 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab' differs. --- xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab +++ xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then rm -f /etc/*.keytab ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab' differs. --- xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab +++ xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab @@ -1,9 +1,22 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82175-1 + - DISA-STIG-RHEL-08-010161 + - disable_strategy + - kerberos_disable_no_keytab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find keytab files find: paths: /etc/ patterns: '*.keytab' register: keytab_files - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82175-1 - DISA-STIG-RHEL-08-010161 
@@ -19,7 +32,7 @@ path: '{{ item.path }}' state: absent with_items: '{{ keytab_files.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82175-1 - DISA-STIG-RHEL-08-010161 bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_netfs_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_netfs_disabled +++ xccdf_org.ssgproject.content_rule_service_netfs_disabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'netfs.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_netfs_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_netfs_disabled +++ xccdf_org.ssgproject.content_rule_service_netfs_disabled @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_netfs_disabled + - unknown_severity + - name: Disable Network File Systems (netfs) - Collect systemd Services Present in the System ansible.builtin.command: systemctl -q list-unit-files --type service @@ -5,7 +16,7 @@ changed_when: false failed_when: service_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - disable_strategy - low_complexity @@ -21,7 +32,7 @@ enabled: false masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - service_exists.stdout_lines is search("netfs.service", multiline=True) tags: - disable_strategy 
@@ -37,7 +48,7 @@ changed_when: false failed_when: socket_file_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - disable_strategy - low_complexity @@ -53,7 +64,7 @@ state: stopped masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - socket_file_exists.stdout_lines is search("netfs.socket", multiline=True) tags: - disable_strategy bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed' differs. --- xccdf_org.ssgproject.content_rule_package_rpcbind_removed +++ xccdf_org.ssgproject.content_rule_package_rpcbind_removed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # CAUTION: This remediation script will remove rpcbind # from the system, and may remove any packages ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed' differs. --- xccdf_org.ssgproject.content_rule_package_rpcbind_removed +++ xccdf_org.ssgproject.content_rule_package_rpcbind_removed @@ -1,8 +1,6 @@ -- name: Ensure rpcbind is removed - package: - name: rpcbind - state: absent - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-86645-9 - disable_strategy 
@@ -11,3 +9,17 @@ - low_severity - no_reboot_needed - package_rpcbind_removed + +- name: Ensure rpcbind is removed + package: + name: rpcbind + state: absent + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-86645-9 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_rpcbind_removed bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfslock_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_nfslock_disabled +++ xccdf_org.ssgproject.content_rule_service_nfslock_disabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'nfslock.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfslock_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_nfslock_disabled +++ xccdf_org.ssgproject.content_rule_service_nfslock_disabled @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfslock_disabled + - unknown_severity + - name: Disable Network File System Lock Service (nfslock) - Collect systemd Services Present in the System ansible.builtin.command: systemctl -q list-unit-files --type service @@ -5,7 +16,7 @@ changed_when: false failed_when: service_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - disable_strategy - low_complexity 
@@ -22,7 +33,7 @@ enabled: false masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - service_exists.stdout_lines is search("nfslock.service", multiline=True) tags: - disable_strategy @@ -38,7 +49,7 @@ changed_when: false failed_when: socket_file_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - disable_strategy - low_complexity @@ -54,7 +65,7 @@ state: stopped masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - socket_file_exists.stdout_lines is search("nfslock.socket", multiline=True) tags: - disable_strategy bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_rpcbind_disabled +++ xccdf_org.ssgproject.content_rule_service_rpcbind_disabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'rpcbind.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_rpcbind_disabled +++ xccdf_org.ssgproject.content_rule_service_rpcbind_disabled 
@@ -1,10 +1,24 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82858-2 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rpcbind_disabled + - name: Disable rpcbind Service - Collect systemd Services Present in the System ansible.builtin.command: systemctl -q list-unit-files --type service register: service_exists changed_when: false failed_when: service_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82858-2 - PCI-DSSv4-2.2 @@ -23,7 +37,7 @@ enabled: false masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - service_exists.stdout_lines is search("rpcbind.service", multiline=True) tags: - CCE-82858-2 @@ -42,7 +56,7 @@ changed_when: false failed_when: socket_file_exists.rc not in [0, 1] check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82858-2 - PCI-DSSv4-2.2 @@ -61,7 +75,7 @@ state: stopped masked: true when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - socket_file_exists.stdout_lines is search("rpcbind.socket", multiline=True) tags: - CCE-82858-2 bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled +++ xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'rpcgssd.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled' differs. --- xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled +++ xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + ... The diff is trimmed here ... ```
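Review bot: the Bash platform gate that every bash remediation hunk above swaps in, `if rpm --quiet -q kernel; then` replacing `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then`, is a different predicate rather than a re-expression of the old one. The old gate skipped remediation whenever container marker files were present; the new one runs remediation whenever the `kernel` RPM is installed, so a non-bootable container image that happens to carry the `kernel` package would now be remediated where it was skipped before, and a booted host whose kernel is shipped under a different package name (only `kernel-core`, for example) would now be skipped. The review hint in the PR description (scan a plain centos:stream9 image and confirm the affected rules stay notapplicable) covers the first case; it would help to state in the commit message exactly which package name(s) the system_with_kernel platform is keyed on, so reviewers can confirm the check side and the `rpm --quiet -q kernel` remediation guard stay in agreement.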
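Review bot: in the Ansible hunks, the added `- name: Gather the package facts` / `package_facts:` / `manager: auto` task is emitted separately at the top of every affected rule's remediation (from `file_permissions_cron_hourly` through `service_rpcgssd_disabled`) and carries no `when:` of its own, so a combined playbook will re-read the package database once per rule, including on hosts where the `when: '"kernel" in ansible_facts.packages'` guard then skips everything else. Duplicating the rule's full `tags:` list onto the gather task is the right call, since a `--tags`-filtered run must still gather facts before the guarded task evaluates, and this matches the pattern `service_fapolicyd_enabled` already uses (`- '"fapolicyd" in ansible_facts.packages'`). If playbook run time on large profiles is a concern, gathering package facts once at play level and letting the rule templates emit only the guard would remove the repetition without changing behaviour; that is a follow-up rather than a blocker for this change.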
codeclimate[bot] commented 1 month ago

Code Climate has analyzed commit 56852395 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.