Removed two more lingering commented out controls

Signed-off-by: George Nalen <georgen@mindpointgroup.com>
ansible-lockdown · Aug 25, 2021 · bdb070e · bdb070e
1 parent 5cca341
commit bdb070e
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 126 deletions.
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -333,22 +333,6 @@
       - V-204448
       - yum
 
-# - name: |
-#     "HIGH | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux."
-#     "HIGH | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."
-#   selinux:
-#     state: enforcing
-#     policy: targeted
-#   check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}"
-#   when:
-#   - rhel_07_020210 or rhel_07_020220
-#   - not rhel7stig_system_is_container
-#   - ansible_distribution_file_variety == "RedHat"
-#   tags:
-#   - RHEL-07-020210
-#   - RHEL-07-020220
-#   - selinux
-
 - name: "HIGH | RHEL-07-020230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."
   systemd:
       name: ctrl-alt-del.target

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -1267,60 +1267,6 @@
       - V-204464
       - complexity-high
 
-# - name: "MEDIUM | RHEL-07-020600 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-#   block:
-#   - name: capture audit task for missing homedirs
-#     block: &r7s_homedir_audit
-#     - name: "MEDIUM | RHEL-07-020600 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-#       shell: set -o pipefail ; pwck -r | grep -P {{ ld_regex | quote }}
-#       check_mode: no
-#       register: rhel7stig_users_missing_home
-#       changed_when: rhel7stig_07_20600_audit | length > 0
-#       # failed_when: 0: success, 1: no grep match, 2: pwck found something
-#       failed_when: rhel7stig_users_missing_home.rc not in [0,1,2]
-#     when:
-#     - rhel7stig_disruptive
-#     tags:
-#     - disruption-high
-
-#   ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal.
-#   - name: "MEDIUM | RHEL-07-020600 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-#     command: "mkhomedir_helper {{ item }}"
-#     check_mode: "{{ rhel7stig_disruptive_check_mode }}"
-#     with_items: "{{ rhel7stig_07_20600_audit | map(attribute='id') | list }}"
-#     when:
-#     - rhel7stig_users_missing_home is changed
-#     - rhel7stig_disruptive  # not technically required
-#     tags:
-#     - disruption-high
-#   ### NOTE: Now we need to address that SELINUX will not let mkhomedir_helper create home directories for UUID < 500, so the ftp user will still show up in a pwck. Not sure this is needed, as the ftp user is removed in rhel7stig_unnecessary_accounts. However these next two tasks won't make any changes if the system accounts are removed previously in RHEL-07-020270.
-#   ### ^ Likely doesn't matter as 020620 defines "local interactive users" as those w/ uid 1000-4999
-#   - name: replay audit task
-#     block: *r7s_homedir_audit
-#     when:
-#     - rhel7stig_complex
-#     tags:
-#     - complexity-high
-#   # CAUTION: debug loops don't show changed since 2.4:
-#   # Fix: https://github.com/ansible/ansible/pull/59958
-#   - name: "MEDIUM | RHEL-07-020600 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-#     debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group."
-#     with_items: "{{ rhel7stig_07_20600_audit | map(attribute='dir') | list }}"
-#     changed_when: rhel7stig_audit_complex
-#     when:
-#     - rhel7stig_users_missing_home is changed
-#     - rhel7stig_complex  # not technically required
-#     tags:
-#     - complexity-high
-#   vars:
-#     ld_regex: >-
-#         ^user '(?P<user>.*)': directory '(?P<dir>.*)' does not exist$
-#     ld_users: "{{ rhel7stig_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g<user>') | list }}"
-#     rhel7stig_07_20600_audit: "{{ rhel7stig_passwd | selectattr('uid', '>=', rhel7stig_int_gid) | selectattr('id', 'in', ld_users) | list }}"
-#   when:
-#   - rhel_07_020600
-#   - ansible_distribution_file_variety == "RedHat"
-
 - name: "MEDIUM | RHEL-07-020610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."
   lineinfile:
       dest: /etc/login.defs
@@ -2708,62 +2654,6 @@
 # ####### 040000 #######
 # ######################
 
-# # NOTE: 040520 has to come before 040100 because the naming conventions of STIG do not lend themselves to ordered operations. IE: I need to start the service before I can audit incoming ports to what zones, etc.
-# - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-#   block:
-#   - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-#     package:
-#       name: firewalld
-#       state: present
-#     vars:
-#       ansible_python_interpreter: "{{ python2_bin }}"
-#     when:
-#     - "'firewalld' not in ansible_facts.packages"
-#     - rhel_07_040520
-#     - rhel7stig_firewall_service == "firewalld"
-#     - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-#     tags:
-#     - RHEL-07-040520
-#     - firewall
-
-#   - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-#     package:
-#       name: iptables-services
-#       state: present
-#     vars:
-#       ansible_python_interpreter: "{{ python2_bin }}"
-#     when:
-#     - "'iptables-services' not in ansible_facts.packages"
-#     - rhel_07_040520
-#     - rhel7stig_firewall_service == "iptables"
-#     - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-#     tags:
-#     - RHEL-07-040520
-#     - firewall
-
-#   - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-#     service:
-#       name: "{{ rhel7stig_firewall_service }}"
-#       state: "{{ rhel7stig_service_started }}"
-#       enabled: yes
-#     when:
-#     - rhel_07_040520
-#     - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-#     - rhel7stig_start_firewall_service
-#     tags:
-#     - RHEL-07-040520
-#     - firewall
-#   when:
-#   - rhel_07_040520
-#   - rhel7stig_firewall_service == 'firewalld' or rhel7stig_firewall_service == 'iptables'
-#   - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-#   - rhel7stig_disruptive
-#   - not ansible_distribution == "OracleLinux"
-#   tags:
-#   - RHEL-07-040520
-#   - firewall
-#   - disruption-high
-
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
   block:
       - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."