ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
473 stars 303 forks

Missing OracleLinux.yml or override method for running CIS on Oracle Linux. #308

Closed gearboxscott closed 1 year ago

gearboxscott commented 1 year ago

Describe the Issue

This issue goes back to https://github.com/ansible-lockdown/RHEL7-CIS/issues/96 and the PR that was accepted.

At first read, I thought I could set the os check to false and let it work with OracleLinux. Soon I discovered in tasks/main.yml at line https://github.com/ansible-lockdown/RHEL7-CIS/issues/96 that it doesn't escape the fact that there needs to be an OracleLinux.yml file in the vars directory for it to proceed, or a toggle would need to be added there at line https://github.com/ansible-lockdown/RHEL7-CIS/issues/96 in tasks/main.yml to not use it.

I think that would mean a rule for running yum update would need to be disabled or set to false.

Is there another way to get RHEL7_CIS and RHEL8_CIS to run on OEL 7 or OL7 and OEL8 or OL8?

Possible Solution

Add an OracleLinux.yml file or a method to allow me to override this need for an OS dependency file.

schesa commented 1 year ago

Are you referring to PR #307?

Is it a workaround to add an empty OracleLinux.yml and to disable rule rhel7cis_rule_1_2_1?

Chris-Harper-KCA commented 1 year ago

After trying this workaround it does run some of the playbook but errors out on an undefined rpm gpg key.

"FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'rpm_gpg_key' is undefined\n\nThe error appears to be in '/home/Admin/CIS_Hardening/RHEL7-CIS/tasks/section_1/cis_1.2.x.yml': line 5, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n block:\n - name: \"1.2.1 | PATCH | Ensure GPG keys are configured\"\n ^ here\n"}"

Would be handy to have this working with OEL 7/8.
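The failure quoted above comes from the role loading a per-distribution vars file (vars/OracleLinux.yml) that exists but is empty, so the 1.2.1 task finds `rpm_gpg_key` undefined. Rather than disabling the GPG-key check, the vars file can supply the value so the control still runs. The following is an added example, not a file shipped by the role at the time of this thread: it assumes `rpm_gpg_key` is the only distribution-specific variable the 1.2.x tasks need (the role's own RedHat.yml may define more; compare against it before relying on this), and it uses the stock location of the Oracle Linux public key on OL7. The play name, host group `oel7` and the role path are placeholders.

```yaml
# --- file: vars/OracleLinux.yml (added example; assumption: rpm_gpg_key is the
# only variable the cis_1.2.x tasks require for this distribution) ---
# Stock path of the Oracle Linux RPM signing key on OL7; adjust if your build
# ships it elsewhere. Defining it lets 1.2.1 verify the key instead of failing
# on an undefined variable.
rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

---
# --- file: site.yml (added example; host group and role path are placeholders) ---
- name: Apply RHEL7 CIS baseline to Oracle Linux 7 hosts
  hosts: oel7
  become: true
  vars:
    # Only set this to false if you deliberately accept skipping the GPG-key
    # control; with rpm_gpg_key defined above the rule can stay enabled.
    rhel7cis_rule_1_2_1: true
  roles:
    - RHEL7-CIS
```

Keeping `rhel7cis_rule_1_2_1` enabled preserves the control that package signatures are checked against a trusted key; disabling the rule, as proposed as a workaround earlier in the thread, removes that check from the audit and from the remediation.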

uk-bolly commented 1 year ago

hi

I have added the required files for rhel8-cis and should now be in devel branch. We are getting round to the rhel7-cis after we have caught up on all new vendor benchmarks and client priorities. RHEL7 unfortunately wasn't one of those. If someone is able to get the file details for oracle on rh7 and test happy to bring that PR in. Hoping over the next couple of weeks we should be able to get on this one.

Apologies for the delay.

Regards

uk-bolly

gearboxscott commented 1 year ago

Hi uk-bolly,

Thank you!!!

uk-bolly commented 1 year ago

Hi @gearboxscott

I have added this to the latest PR and tested with oracle 7.9. The audit is also aligned so you can run that as well.

Hope to get the PR into devel this week.

regards

uk-bolly