
Added more rules

010010-020620
Micah Halter 1 year ago
parent
commit
f385fa4c06
  1. 133
      roles/disa-v2r6/tasks/main.yml

133
roles/disa-v2r6/tasks/main.yml

@ -153,7 +153,7 @@
warn: false
when:
- (console_banner_check.rc > 0)
tags:
tags:
- CAT-II
- RHEL-07-010050
@ -191,13 +191,13 @@
else
sed -i "/^\s*${section}\s*$/a ${varname}=true" $filename
fi
# dconf update
dconf update
args:
warn: false
register: testing
when:
- (gui_lock_enable_check.rc > 0)
tags:
tags:
- CAT-II
- RHEL-07-010060
@ -240,7 +240,7 @@
warn: false
when:
- (smartcard_enable_check.rc > 0)
tags:
tags:
- CAT-II
- RHEL-07-010061
@ -356,3 +356,128 @@
tags:
- CAT-II
- RHEL-07-010082
- name: "CAT II | RHEL-07-010090 | The Red Hat Enterprise Linux operating system must have the screen package installed."
block:
- name: Check for screen or tmux installation
shell: |
yum list installed|grep -qs '^screen\.\|^tmux\.'
args:
warn: false
register: screen_check
ignore_errors: true
changed_when: false
tags:
- CAT-II
- RHEL-07-010090
- name: "CAT II | RHEL-07-010100 | The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."
block:
- name: Check for lock timeout
shell: |
if rpm -qa|grep -qs gnome; then
currstatus=$(sed -n -r "/^\s*\[org\/gnome\/desktop\/screensaver\]\s*$/,/^\s*\[/ s/^\s*idle-activation-enabled\s*=\s*(.*)$/\1/p" /etc/dconf/db/local.d/00-screensaver)
if [[ "${currstatus}" == "true" ]]; then
exit 0
else
exit 1
fi
else
exit 0
fi
args:
warn: false
register: gui_idle_activation_check
failed_when: gui_idle_activation_check.rc > 1
changed_when: false
- name: Correct session lock
shell: |
filename="/etc/dconf/db/local.d/00-screensaver"
section="\[org\/gnome\/desktop\/screensaver\]"
regsection="[org/gnome/desktop/screensaver]"
varname="idle-activation-enabled"
if [[ ! -f $filename ]] || sed -n "/^\s*${section}\s*$/q 1" $filename; then
echo $regsection >> $filename
fi
sed -n -r "/^\s*${section}\s*$/,/^\s*\[/{/^\s*${varname}/q 10}" $filename
if [[ $? -eq 10 ]]; then
sed -i -r "/^\s*${section}\s*$/,/^\s*\[/ s/^(\s*${varname}\s*=\s*).*$/\1true/" $filename
else
sed -i "/^\s*${section}\s*$/a ${varname}=true" $filename
fi
dconf update
args:
warn: false
register: testing
when:
- (gui_idle_activation_check.rc > 0)
tags:
- CAT-II
- RHEL-07-010100
- name: "CAT II | RHEL-07-010101 | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."
block:
- name: Check for prevention of overriding idle activation setting
shell: |
if rpm -qa|grep -qs gnome; then
grep -qsi "/org/gnome/desktop/screensaver/idle-activation-enabled" /etc/dconf/db/local.d/locks/*
fi
args:
warn: false
register: idle_activation_override_check
failed_when: idle_activation_override_check.rc > 2
changed_when: false
- name: Correct idle activation override prevention
shell: |
echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> /etc/dconf/db/local.d/locks/session
args:
warn: false
when:
- (idle_activation_override_check.rc > 0)
tags:
- CAT-II
- RHEL-07-010101
- name: "CAT II | RHEL-07-010110 | The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."
block:
- name: Check for screensaver delay
shell: |
if rpm -qa|grep -qs gnome; then
currstatus=$(sed -n -r "/^\s*\[org\/gnome\/desktop\/screensaver\]\s*$/,/^\s*\[/ s/^\s*lock-delay\s*=\s*(.*)$/\1/p" /etc/dconf/db/local.d/00-screensaver)
if [[ "${currstatus}" == "uint32 5" ]]; then
exit 0
else
exit 1
fi
else
exit 0
fi
args:
warn: false
register: screensaver_delay_check
failed_when: screensaver_delay_check.rc > 1
changed_when: false
- name: Correct screensaver delay
shell: |
filename="/etc/dconf/db/local.d/00-screensaver"
section="\[org\/gnome\/desktop\/screensaver\]"
regsection="[org/gnome/desktop/screensaver]"
varname="lock-delay"
status="uint32 5"
if [[ ! -f $filename ]] || sed -n "/^\s*${section}\s*$/q 1" $filename; then
echo $regsection >> $filename
fi
sed -n -r "/^\s*${section}\s*$/,/^\s*\[/{/^\s*${varname}/q 10}" $filename
if [[ $? -eq 10 ]]; then
sed -i -r "/^\s*${section}\s*$/,/^\s*\[/ s/^(\s*${varname}\s*=\s*).*$/\1${status}/" $filename
else
sed -i "/^\s*${section}\s*$/a ${varname}=${status}" $filename
fi
dconf update
args:
warn: false
when:
- (screensaver_delay_check.rc > 0)
tags:
- CAT-II
- RHEL-07-010110
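Review bot: The RHEL-07-010090 block only detects whether screen or tmux is installed — it registers `screen_check` with `ignore_errors: true` and then nothing in the hunk consumes that result, so unlike every other rule added here the finding is never remediated and the play still reports success. A second task inside that `block`, conditioned on the check's return code, would close the gap; the `package` module is preferable to another `shell` call. The RHEL-07-010101 remediation has the same enforcement gap in a different form: it appends the lock path to `/etc/dconf/db/local.d/locks/session` but, unlike the 010100 and 010110 remediations, does not run `dconf update`, so the lock is not compiled into the binary database until some later task happens to run it — add `dconf update` as a second line of that `shell`. Also, `register: testing` on the 010100 remediation looks copied from the earlier block and is never read; drop it or give it a meaningful name.

```yaml
block:
  # … unchanged: "Check for screen or tmux installation" task …
  - name: Install screen when neither screen nor tmux is present
    package:
      name: screen
      state: present
    when:
      - (screen_check.rc > 0)
```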