Check for kdump before disabling it

Signed-off-by: Eric Lehmann <[email protected]>

tasks/Cat2/RHEL-09-21xxxx.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: "MEDIUM | RHEL-09-211015 | PATCH | RHEL 9 vendor packaged system security patches and updates must be installed and up to date."
   when:
     - rhel_09_211015
@@ -36,18 +35,18 @@
   block:
     - name: "MEDIUM | RHEL-09-211020 | PATCH | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"
       ansible.builtin.lineinfile:
-        line: 'Banner /etc/issue'
+        line: "Banner /etc/issue"
         path: /etc/ssh/sshd_config
-        regexp: '(?i)^#?Banner'
+        regexp: "(?i)^#?Banner"
       when:
         - rhel9stig_ssh_required
 
     - name: "MEDIUM | RHEL-09-211020 | PATCH | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"
-      ansible.builtin.copy:  # noqa: template-instead-of-copy
+      ansible.builtin.copy: # noqa: template-instead-of-copy
         content: "{{ rhel9stig_logon_banner }}"
         dest: "{{ item }}"
         group: root
-        mode: '0644'
+        mode: "0644"
         owner: root
       notify: Sshd_restart
       loop:
@@ -78,7 +77,7 @@
     - name: MEDIUM | RHEL-09-211025 | WARN | RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.
       when:
         - "'mcafeetp' not in ansible_facts.packages or
-           rhel9stig_av_pid is undefined"
+          rhel9stig_av_pid is undefined"
       ansible.builtin.import_tasks: warning_facts.yml
 
 - name: "MEDIUM | RHEL-09-211030 | PATCH | The graphical display manager must not be the default target on RHEL 9 unless approved."
@@ -158,7 +157,7 @@
         owner: root
         src: "{{ item.file }}.j2"
       loop:
-        - { file: 'boot/grub2/user.cfg', mode: '0644' }
+        - { file: "boot/grub2/user.cfg", mode: "0644" }
 
     - name: "MEDIUM | RHEL-09-212010 | AUDIT | RHEL 9 must require a boot loader superuser password.| warning"
       when: not rhel9stig_set_bootloader_password
@@ -203,7 +202,7 @@
     - name: "MEDIUM | RHEL-09-212015 | PATCH | RHEL 9 must disable the ability of systemd to spawn an interactive boot process."
       ansible.builtin.replace:
         path: /etc/default/grub
-        regexp: '(.*)systemd.confirm_spawn=(1|yes|true|on)(.*)'
+        regexp: "(.*)systemd.confirm_spawn=(1|yes|true|on)(.*)"
         replace: '\1\3'
       notify: Rebuild_grub
 
@@ -406,7 +405,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213015 | PATCH | RHEL 9 must prevent kernel profiling by nonprivileged users."
@@ -428,7 +427,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '2'
+    value: "2"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213020 | PATCH | RHEL 9 must prevent the loading of a new kernel for later execution."
@@ -450,7 +449,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213025 | PATCH | RHEL 9 must restrict exposed kernel pointer addresses access."
@@ -472,7 +471,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213030 | PATCH | RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks."
@@ -494,7 +493,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.fs }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213035 | PATCH | RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks."
@@ -516,7 +515,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.fs }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213040 | PATCH | RHEL 9 must disable the kernel.core_pattern."
@@ -535,7 +534,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '|/bin/false'
+    value: "|/bin/false"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213045 | PATCH | RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module."
@@ -550,7 +549,7 @@
     - V-257804
     - NIST800-53R4_CM-7
   vars:
-    blacklist: 'atm'
+    blacklist: "atm"
   ansible.builtin.template:
     dest: "/etc/modprobe.d/{{ blacklist }}.conf"
     src: etc/modprobe.d/module.conf.j2
@@ -568,7 +567,7 @@
     - V-257805
     - NIST800-53R4_CM-7
   vars:
-    blacklist: 'can'
+    blacklist: "can"
   ansible.builtin.template:
     dest: "/etc/modprobe.d/{{ blacklist }}.conf"
     src: etc/modprobe.d/module.conf.j2
@@ -586,8 +585,8 @@
     - V-257806
     - NIST800-53R4_CM-7
   vars:
-    blacklist: 'firewire-core'
-    mod_value: 'true'
+    blacklist: "firewire-core"
+    mod_value: "true"
   ansible.builtin.template:
     dest: "/etc/modprobe.d/{{ blacklist }}.conf"
     src: etc/modprobe.d/module.conf.j2
@@ -605,7 +604,7 @@
     - V-257807
     - NIST800-53R4_CM-7
   vars:
-    blacklist: 'sctp'
+    blacklist: "sctp"
   ansible.builtin.template:
     dest: "/etc/modprobe.d/{{ blacklist }}.conf"
     src: etc/modprobe.d/module.conf.j2
@@ -623,7 +622,7 @@
     - V-257808
     - NIST800-53R4_CM-7
   vars:
-    blacklist: 'tipc'
+    blacklist: "tipc"
   ansible.builtin.template:
     dest: "/etc/modprobe.d/{{ blacklist }}.conf"
     src: etc/modprobe.d/module.conf.j2
@@ -648,7 +647,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '2'
+    value: "2"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213075 | PATCH | RHEL 9 must disable access to network bpf system call from nonprivileged processes."
@@ -670,7 +669,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213080 | PATCH | RHEL 9 must restrict usage of ptrace to descendant processes."
@@ -692,7 +691,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
     sysctl_set: true
-    value: '1'
+    value: "1"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213085 | PATCH | RHEL 9 must disable core dump backtraces."
@@ -741,7 +740,7 @@
     - V-257814
     - NIST800-53R4_CM-6
   ansible.builtin.lineinfile:
-    line: '* hard core 0'
+    line: "* hard core 0"
     regexp: '^\* hard core (?!0)\d*'
     path: /etc/security/limits.conf
 
@@ -779,7 +778,7 @@
     state: present
     sysctl_file: "{{ rhel9stig_sysctl_file.user }}"
     sysctl_set: true
-    value: '0'
+    value: "0"
   notify: Reload_sysctl
 
 - name: "MEDIUM | RHEL-09-213110 | PATCH | RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution."
@@ -808,6 +807,7 @@
 - name: "MEDIUM | RHEL-09-213115 | PATCH | The kdump service on RHEL 9 must be disabled."
   when:
     - rhel_09_213115
+    - "'kdump' is in ansible_facts.packages"
   tags:
     - RHEL-09-213115
     - CAT2