From 93a43052361c257d939abe6158f1fd041f4a25bb Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 11 Sep 2024 22:42:42 +0100
Subject: [PATCH 1/4] updated filesystem checks 231020-231030
Signed-off-by: Mark Bolwell
---
tasks/Cat3/RHEL-09-2xxxxx.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml
index d38cbe0..ef00d93 100644
--- a/tasks/Cat3/RHEL-09-2xxxxx.yml
+++ b/tasks/Cat3/RHEL-09-2xxxxx.yml
@@ -110,7 +110,7 @@
- name: "LOW | RHEL-09-231020 | AUDIT | RHEL 9 must use a separate file system for /var."
when:
- rhel_09_231020
- - ansible_facts['mounts']| selectattr('mount', '==', '/var')
+ - ansible_facts['mounts']| selectattr('mount', 'equalto', '/var' | list | length > 0)
tags:
- RHEL-09-231020
- CAT2
@@ -134,7 +134,7 @@
- name: "LOW | RHEL-09-231025 | AUDIT | RHEL 9 must use a separate file system for /var/log."
when:
- rhel_09_231025
- - ansible_facts['mounts']| selectattr('mount', '==', '/var/log')
+ - ansible_facts['mounts']| selectattr('mount', 'equalto', '/var/log' | list | length > 0)
tags:
- RHEL-09-231025
- CAT2
@@ -158,7 +158,7 @@
- name: "LOW | RHEL-09-231030 | AUDIT | RHEL 9 must use a separate file system for /var/log/audit."
when:
- rhel_09_231030
- - ansible_facts['mounts']| selectattr('mount', '==', rhel9stig_audit_log_filesystem )
+ - ansible_facts['mounts']| selectattr('mount', 'equalto', rhel9stig_audit_log_filesystem | list | length > 0)
tags:
- RHEL-09-231030
- CAT2
From 0a34dbec66df17468d3ad6371dd98e508c69fce0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 16 Sep 2024 13:02:02 +0100
Subject: [PATCH 2/4] improved firewalld logic 251020
Signed-off-by: Mark Bolwell
---
tasks/Cat2/RHEL-09-25xxxx.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
index 96e5d3f..e3f3347 100644
--- a/tasks/Cat2/RHEL-09-25xxxx.yml
+++ b/tasks/Cat2/RHEL-09-25xxxx.yml
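Review bot: The closing parenthesis in the added `when` line is misplaced, so `| list | length > 0` is applied to the string `'/var'` inside the `selectattr()` call instead of to its result; `'/var' | list | length > 0` evaluates to true, `selectattr('mount', 'equalto', true)` matches no mount, and the generator object selectattr returns is truthy whether or not it yields anything, so the condition is true on every host exactly as the old `'=='` form was. The line should read `- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length > 0`. The 231025 and 231030 hunks in this patch have the same misplaced parenthesis around `'/var/log'` and `rhel9stig_audit_log_filesystem`. Each task's remaining keys appear to continue outside the hunk.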
@@ -79,7 +79,14 @@
state: enabled
target: DROP
- - name: "MEDIUM | RHEL-09-251020 | PATCH | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+ - name: "MEDIUM | RHEL-09-251020 | AUDIT | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Get default zone"
+ ansible.builtin.shell: "firewall-cmd --get-default-zone"
+ changed_when: false
+ failed_when: discovered_current_firewalld_zone.rc not in [ 0, 1 ]
+ register: discovered_current_firewalld_zone
+
+ - name: "MEDIUM | RHEL-09-251020 | PATCH | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set zone if not curent"
+ when: "(discovered_current_firewalld_zone.stdout | default([])) not in rhel9stig_custom_firewall.zone"
ansible.builtin.shell: "firewall-cmd --set-default-zone={{ rhel9stig_custom_firewall.zone }}"
- name: "MEDIUM | RHEL-09-251020 | PATCH | A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Setup Connections"
From f289f36ac1763c908f33088674ecdd788d144f4e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 16 Sep 2024 13:02:45 +0100
Subject: [PATCH 3/4] improved logic for ansible user 411015
Signed-off-by: Mark Bolwell
---
tasks/Cat2/RHEL-09-4xxxxx.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml
index 0ffef69..a16bb96 100644
--- a/tasks/Cat2/RHEL-09-4xxxxx.yml
+++ b/tasks/Cat2/RHEL-09-4xxxxx.yml
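Review bot: The `when` on the `Set zone if not curent` task uses `not in`, which on two strings is a substring test rather than an equality test, and because `failed_when` accepts rc 1 an empty `stdout` is possible, in which case the empty string is contained in every zone name and the default zone is never set; the `default([])` fallback is also a list where a string is compared. It should be an equality test with a string default, `when: (discovered_current_firewalld_zone.stdout | default('')) != rhel9stig_custom_firewall.zone`. `curent` in the task name is a typo for `current`. The Setup Connections task that follows continues outside the hunk.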
@@ -41,14 +41,14 @@
- rhel9stig_disruption_high
- rhel9stig_users_passwd_max is defined
- rhel9stig_users_passwd_max.stdout | length > 0
- - "item in rhel9stig_interactive_users.stdout_lines"
+ - "ansible_user not in item"
ansible.builtin.shell: "chage -M 60 {{ item }}"
failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ]
loop: "{{ rhel9stig_users_passwd_max.stdout_lines }}"
- name: "MEDIUM | RHEL-09-411015 | WARN | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs."
when:
- - not rhel9stig_disruption_high
+ - not rhel9stig_disruption_high or "ansible_facts.user in rhel9stig_interactive_users.stdout_lines"
- rhel9stig_users_passwd_max is defined
- rhel9stig_users_passwd_max.stdout | length > 0
ansible.builtin.debug:
From 5348282b9c6faa9be45e6e789a71a6c48197fffd Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Sep 2024 10:35:38 +0100
Subject: [PATCH 4/4] Addressed #31 thanks to @Coconutcoo
Signed-off-by: Mark Bolwell
---
tasks/Cat2/RHEL-09-23xxxx.yml | 30 +++++++++++++----------------
vars/main.yml | 4 ++++
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index 3bbcd47..a6e4e65 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
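Review bot: The new WARN condition `not rhel9stig_disruption_high or "ansible_facts.user in rhel9stig_interactive_users.stdout_lines"` embeds its second operand as a quoted string literal inside the plain-scalar expression, so that operand is a non-empty string and always truthy, and the whole condition is true even when `rhel9stig_disruption_high` is set. Drop the quotes so it is evaluated: `- not rhel9stig_disruption_high or ansible_facts.user in rhel9stig_interactive_users.stdout_lines`. In the chage task, `"ansible_user not in item"` is a substring test (a connection user `ops` would also skip a line `ops2`) and `ansible_user` can be undefined when no connection user is set in inventory, whereas the WARN task reads `ansible_facts.user`; `- item != ansible_facts.user` would be exact and consistent. The change also removes the `item in rhel9stig_interactive_users.stdout_lines` filter, so `chage -M 60` now runs for every line of `rhel9stig_users_passwd_max.stdout_lines`, which may be intended but is not stated in the subject. The chage task's name and the start of its `when` list are outside the hunk.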
@@ -1886,20 +1886,18 @@
- name: "MEDIUM | RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner."
ansible.builtin.set_fact:
- rhel9stig_ungrouped_files_found: true
- loop: "{{ rhel9stig_ungrouped_files_dirs_audit.results }}"
+ rhel9stig_ungrouped_files_results: "{{ rhel9stig_ungrouped_files_dirs_audit.results.0['stdout_lines'] }}"
when:
- - item | length > 0
- - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- - item.stdout | length > 0
+ - rhel9stig_ungrouped_files_dirs_audit.results | length > 0
+ - rhel9stig_ungrouped_files_dirs_audit is defined
- name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner."
- when: rhel9stig_ungrouped_files_found is defined
+ when: rhel9stig_ungrouped_files_results | length > 1
ansible.builtin.debug:
- msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}"
+ msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_results }}"
- name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner."
- when: rhel9stig_ungrouped_files_found is defined
+ when: rhel9stig_ungrouped_files_results | length > 1
ansible.builtin.import_tasks:
file: warning_facts.yml
@@ -1921,7 +1919,7 @@
when:
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup
+ ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
check_mode: false
failed_when: false
changed_when: false
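Review bot: `rhel9stig_ungrouped_files_dirs_audit.results.0['stdout_lines']` reads only the first element of the registered loop results, but the audit shown at `@@ -1921` appears to run `find` once per mount (`item.mount`, `item['device']`), so findings on every mount after the first are discarded, and the removed comment records that skipped items carry no `stdout`/`stdout_lines`, so a skipped first item makes this set_fact fail on an undefined attribute. Collecting every non-skipped result keeps the previous coverage: `rhel9stig_ungrouped_files_results: "{{ rhel9stig_ungrouped_files_dirs_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"`. The two WARN tasks then test `| length > 1`, which silently ignores a single ungrouped path; `> 0` is the threshold the audit implies. The `is defined` test should also precede `.results | length > 0` in the `when` list, since the list is evaluated in order and the first test errors on an undefined variable. The 232255 hunk that follows (`@@ -1932`) has the same three issues.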
@@ -1932,20 +1930,18 @@
- name: "MEDIUM | RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner."
ansible.builtin.set_fact:
- rhel9stig_unowned_files_found: true
- loop: "{{ rhel9stig_unowned_files_dirs_audit.results }}"
+ rhel9stig_unowned_files_results: "{{ rhel9stig_unowned_files_dirs_audit.results.0['stdout_lines'] }}"
when:
- - item | length > 0
- - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- - item.stdout | length > 0
+ - rhel9stig_unowned_files_dirs_audit.results | length > 0
+ - rhel9stig_unowned_files_dirs_audit is defined
- name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner."
- when: rhel9stig_unowned_files_found is defined
+ when: rhel9stig_unowned_files_results | length > 1
ansible.builtin.debug:
- msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}"
+ msg: "Warning!! Missing owner on items in {{ rhel9stig_unowned_files_results }}"
- name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner."
- when: rhel9stig_unowned_files_found is defined
+ when: rhel9stig_unowned_files_results | length > 1
ansible.builtin.import_tasks:
file: warning_facts.yml
diff --git a/vars/main.yml b/vars/main.yml
index ad3250a..03bea1a 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -47,3 +47,7 @@ rhel9stig_dod_macs_server: # Server also has client mac listed above don't dupl
- hmac-sha1
- umac-128@openssh.com
rhel9stig_dod_kex:
+
+# Defaults added for searches
+rhel9stig_ungrouped_files_found: false
+rhel9stig_unowned_files_found: false
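Review bot: The defaults added to vars/main.yml are `rhel9stig_ungrouped_files_found` and `rhel9stig_unowned_files_found`, but the same patch stops setting those facts and makes the 232250/232255 WARN tasks read `rhel9stig_ungrouped_files_results` and `rhel9stig_unowned_files_results` instead, so the variables that are actually tested have no default and `| length > 1` raises an undefined-variable error whenever the set_fact is skipped (empty `results`). The defaults should name the variables the tasks read, and as lists so `length` is meaningful: `rhel9stig_ungrouped_files_results: []` and `rhel9stig_unowned_files_results: []`. The `_found` keys can be dropped unless something outside this patch still reads them.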