Merge pull request #201 from ansible-lockdown/devel

georgenalen · web-flow · commit a04287cca997 · 2021-03-31T08:56:47.000-04:00
Version 1.0.2 updates - Minor fixes
Signed-off-by: George Nalen &lt;georgen@mindpointgroup.com&gt;
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -8,9 +8,18 @@
 - Adding of the goss module to the library path
 
 ## Whats new 1.0.1
+
 - Fixed typos
 - Added audit output file permissions
 
+## Whats new in 1.0.2
+
+- renamed goss library and aligned ansible.cfg file
+  - thanks to Thulium-Drake
+
+- selinux variable in defaults main - default enforcing
+  - 1.7.1.3-5 now idempotent
+
 ## High level changes within tasks
 
 - Python3 now default for control node (should be backward compatible in setup)
diff --git a/ansible.cfg b/ansible.cfg
@@ -6,7 +6,7 @@ deprecation_warnings=False
 command_warnings=False
 nocows=1
 retry_files_save_path=/dev/null
-library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./..
+library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library
 
 [privilege_escalation]
 
@@ -22,4 +22,4 @@ transfer_method=scp
 
 [colors]
 
-[diff]
+[diff]
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -31,6 +31,7 @@ rhel7cis_run_audit: false
 
 # Enable/Disable SELinux
 rhel7cis_selinux_disable: false
+rhel7cis_selinux_state: enforcing
 
 # Misc. environment variables
 rhel7cis_skip_for_travis: false
diff --git a/library/goss.py b/library/goss.py
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
@@ -31,35 +31,22 @@
   - patch
   - rule_1.7.1.2
 
-- name: "AUTOMATED | 1.7.1.3 | PATCH | Ensure SELinux policy is configured"
+- name: "AUTOMATED | 1.7.1.3 | PATCH | Ensure SELinux policy is configured\n
+         AUTOMATED | 1.7.1.4 | PATCH | Ensure the SELinux state is enforcing or permissive"
   selinux:
     conf: /etc/selinux/config
     policy: "{{ rhel7cis_selinux_pol }}"
-    state: permissive
+    state: "{{ rhel7cis_selinux_state }}"
   when:
   - not rhel7cis_selinux_disable
   - rhel7cis_rule_1_7_1_3
-  tags:
-  - level1
-  - AUTOMATED
-  - selinux
-  - patch
-  - rule_1.7.1.3
-
-- name: "AUTOMATED | 1.7.1.4 | PATCH | Ensure the SELinux state is enforcing or permissive"
-  selinux:
-    conf: /etc/selinux/config
-    policy: "{{ rhel7cis_selinux_pol }}"
-    state: permissive
-  when:
-  - not rhel7cis_selinux_disable
-  - not rhel7cis_rule_1_7_1_5
   - rhel7cis_rule_1_7_1_4
   tags:
   - level1
   - AUTOMATED
   - selinux
   - patch
+  - rule_1.7.1.3
   - rule_1.7.1.4
 
 - name: "AUTOMATED | 1.7.1.5 | PATCH | Ensure the SELinux state is enforcing"
@@ -69,6 +56,7 @@
     state: enforcing
   when:
   - not rhel7cis_selinux_disable
+  - not rhel7cis_selinux_state == "permissive"
   - rhel7cis_rule_1_7_1_5
   tags:
   - level2
diff --git a/templates/ansible_vars_goss.yml b/templates/ansible_vars_goss.yml
@@ -8,6 +8,7 @@ rhel7cis_section5: {{ rhel7cis_section5 }}
 rhel7cis_section6: {{ rhel7cis_section6 }}
 
 rhel7cis_selinux_disable: {{ rhel7cis_selinux_disable }}
+rhel7cis_selinux_state: {{ rhel7cis_selinux_state }}
 
 
 rhel7cis_level1: true
