From 0945bc3b744ed8d584a17e620a866dfc2b5058b3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 11:39:02 +0100 Subject: [PATCH 001/202] ruleid updates for v1r12 refer changelog Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 2 +- tasks/fix-cat3.yml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a215e10c..7b180d70 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -133,7 +133,7 @@ - CAT1 - CCI-000068 - SRG-OS-000033-GPOS-00014 - - SV-230223r792855_rule + - SV-230223r928585_rule - V-230223 - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 41eada91..4bfd77dd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7585,7 +7585,7 @@ - CAT2 - CCI-002265 - SRG-OS-000324-GPOS-00125 - - SV-254520r858835_rule + - SV-254520r928805_rule - V-254520 - selinux diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 66c817ca..31c8abb7 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -163,7 +163,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230285r917876_rule + - SV-230285r928587_rule - SV-244527r743830_rule - V-230285 - V-244527 @@ -406,7 +406,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230485r627750_rule + - SV-230485r928590_rule - V-230485 - chrony @@ -422,7 +422,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230486r627750_rule + - SV-230486r928593_rule - V-230486 - chrony From 7dbe85d75532d4b83e3d8b58de4e8a96d276f4c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 11:39:41 +0100 Subject: [PATCH 002/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 +++++++++++- README.md | 2 +- defaults/main.yml | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 9dd2c8df..06c4077a 100644 
--- a/Changelog.md +++ b/Changelog.md @@ -1,7 +1,17 @@ # Changes to RHEL8STIG +## 3.1 - STIG V1R12 - 25th Oct 2023 + +ruleid updated + +- 010020 +- 010471 +- 030741 +- 030742 +- 040400 + ## 3.0.3 - Stig V1R11 - 26th July 2023 -q + - updates to collections since galaxy updated - updates to audit diff --git a/README.md b/README.md index 8e66d0fa..0a0abb05 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip). --- diff --git a/defaults/main.yml b/defaults/main.yml index 4efc7f89..3c71a077 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r11' +benchmark_version: 'v1r12' ## Benchmark name used by audting control role # The audit variable found at the base From e7edfc1c93ecda2c26e83baab9b57e2965431bcf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 11:42:16 +0100 Subject: [PATCH 003/202] updated PRELIM in title Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2a723ee6..be0b2a46 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -49,7 +49,7 @@ - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - - name: dconf directory structure + - name: "PRELIM | dconf directory structure setup" ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory @@ -106,7 +106,7 @@ tags: - always -- name: ensure cronie is available +- name: "PRELIM | ensure cronie is available" ansible.builtin.package: name: cronie when: 
@@ -302,7 +302,7 @@ - RHEL-08-010770 - complexity-high -- name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" +- name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_inifiles: "{{ rhel_08_010770_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: From 00c2ab8e082d118aa003743f285a0eba6b3487c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 16:03:52 +0000 Subject: [PATCH 004/202] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest 
@@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
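Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` in the @@ -111 hunk expands to a bare `sleep` when the repository variable is unset, so the job fails with a missing-operand error instead of waiting, and the step is still named "Sleep for 60 seconds" although the duration is now configurable; a fallback such as `run: sleep ${{ vars.BUILD_SLEEPTIME || '60s' }}` and a name like "Wait for the instance to come up" would keep both honest. The new `uses: actions/checkout@v4` lines in the @@ -44 hunk pin to a movable tag; for a workflow that goes on to provision cloud infrastructure (the terraform init/validate steps are visible here), pinning to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<commit-sha>  # v4`) is the hardened form. Both points apply equally to the matching hunks of main_pipeline_validation.yml in this patch.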
@@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: 
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From 805b7743fa63f5433a1d57f3421311ba97db8f3a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Nov 2023 08:30:11 +0000 Subject: [PATCH 005/202] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa8..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d90..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
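Review bot: `uses: ansible-actions/ansible-galaxy-action@main` tracks a floating branch of a third-party action and hands it `secrets.GALAXY_API_KEY`, so any commit pushed to that branch runs with publish rights for this role on Galaxy; the replaced `robertdebock/galaxy-action@master` had the same weakness, so the switch does not reduce the exposure. Pin the action to a release tag, or better a full commit SHA with the tag noted alongside (`uses: ansible-actions/ansible-galaxy-action@<commit-sha>  # <tag>`), and review it before bumping. The dropped `git_branch: main` input is presumably not needed by the new action, but its inputs are not visible here, so that is worth confirming against its action.yml.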
@@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: From 9ff31ad18f08f30d450178692e30b8ff56eeaf62 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 11:56:17 +0000 Subject: [PATCH 006/202] Oraclelinux updated thanks to @BillSkiCO Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index be0b2a46..26fa1b2b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -386,7 +386,7 @@ rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists - - ansible_distribution == 'Oracle Linux' + - ansible_distribution == 'OracleLinux' - name: "PRELIM | set if not UEFI boot" ansible.builtin.set_fact: From 141f134be0e85ee5e9a194bc1f64d35ff611c351 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 11:57:06 +0000 Subject: [PATCH 007/202] updated task 20030 thanks to @BillSkiCO Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4bfd77dd..45143311 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -3260,7 +3260,7 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled From 7acd113d482504c6858d63f2293356ad599b1236 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 11:58:20 +0000 Subject: [PATCH 008/202] updated 40321 thanks to @whitehat237 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 45143311..b43e1ef7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7401,6 +7401,7 @@ state: link when: - rhel_08_040321 + - not rhel8stig_gui tags: - RHEL-08-040321 - CAT2 From 574d4c1a0e9937239b1d37d928ddfa05bb2061dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 20 Feb 2024 16:46:53 +0000 Subject: [PATCH 009/202] updated after feedback from #245 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b43e1ef7..bb871172 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -3260,16 +3260,17 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" + ansible.builtin.shell: "grep -IlR ^lock-enabled /etc/dconf/db/*" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020030_lock_enabled.stdout }}" + path: "{{ item }}" regexp: '^lock-enabled' line: lock-enabled=true + loop: "{{ rhel_08_020030_lock_enabled.stdout }}" when: rhel_08_020030_lock_enabled.stdout | length > 0 notify: dconf update 
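Review bot: `loop: "{{ rhel_08_020030_lock_enabled.stdout }}"` in the "Set if exists" task passes a string where `loop` requires a list, so as soon as grep finds a file (and the `when` guard is true) the task fails with an invalid-loop-data error instead of editing the file. `grep -l` emits one path per line, so the intended value is `loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}"`; the `when: ... stdout | length > 0` guard can stay as written. The same pattern is introduced for 020050 (`rhel_08_020050_removal_action.stdout`) and 020060 (`rhel_08_020060_idle_delay_param.stdout`) in the following hunks of this patch.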
@@ -3372,13 +3373,13 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/*" changed_when: false failed_when: false register: rhel_08_020050_removal_action - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - ansible.builtin.shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" + ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/* | sed 's:.*/::'" changed_when: false failed_when: false register: rhel_08_020050_removal_action_file @@ -3398,9 +3399,10 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020050_removal_action.stdout }}" + path: "{{ item }}" regexp: ^removal-action= line: removal-action='lock-screen' + loop: "{{ rhel_08_020050_removal_action.stdout }}" when: rhel_08_020050_removal_action.stdout | length > 0 notify: dconf update 
@@ -3436,7 +3438,7 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep -IlR idle-delay= /etc/dconf/db/*' changed_when: false failed_when: false register: rhel_08_020060_idle_delay_param @@ -3458,14 +3460,15 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020060_idle_delay_param.stdout }}" + path: "{{ item }}" regexp: '^idle-delay=' line: idle-delay=uint32 900 owner: root group: root mode: 0640 - notify: dconf update + loop: "{{ rhel_08_020060_idle_delay_param.stdout }}" when: rhel_08_020060_idle_delay_param.stdout | length > 0 + notify: dconf update when: - rhel_08_020060 - "'dconf' in ansible_facts.packages" @@ -7473,7 +7476,7 @@ - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" block: - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' + ansible.builtin.shell: grep ^CRYPTO_POLICY /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g changed_when: false register: rhel8stig_current_kex From 52f0cae74f7a05121c8f10ea90ee7acd347eba1d Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 20 Feb 2024 17:16:01 +0000 Subject: [PATCH 010/202] added issue #248 fix Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index bb871172..b6954040 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -191,11 +191,39 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - line: "auth.*;authpriv.*;daemon.* /var/log/secure" - create: true - mode: '0644' + block: + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" + ansible.builtin.shell: grep "*.info" /etc/rsyslog.conf + changed_when: false + failed_when: false + register: rhel_08_010070_info_set_rsyslog + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" + ansible.builtin.shell: grep "authpriv.* /var/log/secure" /etc/rsyslog.conf + changed_when: false + failed_when: false + register: rhel_08_010070_authpriv_set_rsyslog + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | Adjust settings" + path: /etc/rsyslog.conf + regexp: ^(?#).*\/var\/log\/secure + line: "auth.*;authpriv.*;daemon.* /var/log/secure" + create: true + mode: '0644' + when: + - rhel_08_010070_info_set_rsyslog.stdout == 0 + - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | Adjust settings" + path: /etc/rsyslog.conf + backrefs: true + regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) + line: \1authpriv.*\2/var/log/secure + create: true + mode: '0644' + when: + - rhel_08_010070_info_set_rsyslog.stdout > 0 + - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 notify: restart rsyslog when: - rhel_08_010070 From 1d23663b65d6f256a87a3a980b45703698fe10ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 20 Feb 2024 17:17:13 +0000 Subject: [PATCH 011/202] Added fix for #254 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b6954040..8c82bd41 100644 
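Review bot: `- rhel_08_010070_info_set_rsyslog.stdout == 0` and `- rhel_08_010070_authpriv_set_rsyslog.stdout > 0` in the two "Adjust settings" tasks compare grep's registered output, a string, with an integer: `== 0` is never true for a string and `> 0` raises a Jinja2 type error on Python 3, so neither rsyslog edit can ever run. Test the exit status instead, e.g. `- rhel_08_010070_info_set_rsyslog.rc != 0` and `- rhel_08_010070_authpriv_set_rsyslog.rc == 0` for the first task (grep returns 1 on no match, and `failed_when: false` already keeps the audit tasks alive), mirrored for the second. The backref template `line: \1authpriv.*\2/var/log/secure` re-inserts group 2, which is the matched `authpriv\.\*` text itself, and discards group 3, so the rewritten line would carry `authpriv.*` twice; `\3` looks like the intended group, though the intent is unclear because that task only fires when the authpriv grep found nothing. Both conditions and the template are carried unchanged into the rewrite of this block in patch 012.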
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6150,7 +6150,7 @@ - CCI-001444 - SRG-OS-000299-GPOS-00117 - SV-230506r627750_rule - - V-23050 + - V-230506 - wifi - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." From 7879a03964ade2ac29ac751f751debe1bd68d3f8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 21 Feb 2024 08:59:01 +0000 Subject: [PATCH 012/202] fix syntax Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8c82bd41..a5d007b9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -192,38 +192,41 @@ - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." block: - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" - ansible.builtin.shell: grep "*.info" /etc/rsyslog.conf + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info" + ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf changed_when: false failed_when: false register: rhel_08_010070_info_set_rsyslog - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" - ansible.builtin.shell: grep "authpriv.* /var/log/secure" /etc/rsyslog.conf + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv" + ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf changed_when: false failed_when: false register: rhel_08_010070_authpriv_set_rsyslog - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | Adjust settings" - path: /etc/rsyslog.conf - regexp: ^(?#).*\/var\/log\/secure - line: "auth.*;authpriv.*;daemon.* /var/log/secure" - create: true - mode: '0644' + - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info" + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: ^(?!#).*\/var\/log\/secure + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' + create: true + mode: '0644' when: - rhel_08_010070_info_set_rsyslog.stdout == 0 - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. 
| Adjust settings" - path: /etc/rsyslog.conf - backrefs: true - regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) - line: \1authpriv.*\2/var/log/secure - create: true - mode: '0644' + - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set" + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + backrefs: true + regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) + line: \1authpriv.*\2/var/log/secure + create: true + mode: '0644' when: - rhel_08_010070_info_set_rsyslog.stdout > 0 - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 + notify: restart rsyslog when: - rhel_08_010070 @@ -7504,11 +7507,12 @@ - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" block: - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.shell: grep ^CRYPTO_POLICY /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g + ansible.builtin.shell: grep -E "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' changed_when: false + failed_when: false register: rhel8stig_current_kex - - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | update KEXs" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' From ad7e0a20b8f06baca2c02165678c338cc3fbe2df Mon Sep 17 00:00:00 2001 
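Review bot: `failed_when: false` on the "get KEXs" grep pipeline makes an empty `rhel8stig_current_kex.stdout` a normal outcome (no token matching `okexa`, or the file absent), and the "update KEXs" task directly below interpolates it into `regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)'`, where an empty value leaves `(^CRYPTO_POLICY=.*)-o(.*$)` and the greedy first group would then match the last `-o` option on the line rather than the key-exchange one. The guard on that lineinfile task is outside the hunk, so this may already be covered; if not, `when: rhel8stig_current_kex.stdout | length > 0` on the update task would prevent a wrong option being rewritten.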
From: Mark Bolwell Date: Wed, 21 Feb 2024 15:54:42 +0000 Subject: [PATCH 013/202] Squashed commit of the following: commit 14d7da6a3335dea85d73044cac45f851d45e721f Author: Mark Bolwell Date: Wed Feb 21 15:52:45 2024 +0000 updated Signed-off-by: Mark Bolwell commit e6b8a7c2008da9cf11075265801723c597284d6e Author: Mark Bolwell Date: Wed Feb 21 15:52:05 2024 +0000 lint and variable improvements Signed-off-by: Mark Bolwell commit 79948fb314df745bc37f94dffcdf6ec818d945bc Author: Mark Bolwell Date: Wed Feb 21 15:51:32 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell commit 4742d58286387ffdbf569c2094d34290c8f2f90a Author: Mark Bolwell Date: Wed Feb 21 15:50:46 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell commit 33348bc1d3a0537d0cdbcfc70c10286875d97261 Author: Mark Bolwell Date: Wed Feb 21 15:50:25 2024 +0000 changed ordering and added logic Signed-off-by: Mark Bolwell commit 6c2d07987d379575c6ecf766e528da19ba5ffae0 Author: Mark Bolwell Date: Wed Feb 21 15:50:12 2024 +0000 removed as mnot required Signed-off-by: Mark Bolwell commit 1d775c698c9270f707dddbd955d096bfaa978dae Author: Mark Bolwell Date: Wed Feb 21 15:50:04 2024 +0000 updated Signed-off-by: Mark Bolwell commit 562d7604e5263ed4d5cd97cdd2a46ea4a1c3f58f Author: Mark Bolwell Date: Wed Feb 21 15:49:57 2024 +0000 updated precommit Signed-off-by: Mark Bolwell commit bb46131304f00cfe9c9b7b62dda9150ab5d19643 Author: Mark Bolwell Date: Wed Feb 21 12:04:15 2024 +0000 Added ability for audit_only Signed-off-by: Mark Bolwell 
Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 1 - .config/.secrets.baseline | 120 -------------- .pre-commit-config.yaml | 3 - Changelog.md | 8 + defaults/main.yml | 84 ++++------ handlers/main.yml | 13 +- tasks/LE_audit_setup.yml | 20 ++- tasks/audit_only.yml | 30 ++++ tasks/fix-cat1.yml | 1 + tasks/fix-cat2.yml | 14 +- tasks/main.yml | 25 ++- tasks/parse_etc_passwd.yml | 2 +- tasks/post_remediation_audit.yml | 62 +++---- tasks/pre_remediation_audit.yml | 94 ++++++----- tasks/prelim.yml | 4 +- templates/ansible_vars_goss.yml.j2 | 19 +-- templates/pam_pkcs11.conf.j2 | 249 ----------------------------- vars/audit.yml | 41 +++++ 18 files changed, 244 insertions(+), 546 deletions(-) delete mode 100644 .config/.gitleaks-report.json delete mode 100644 .config/.secrets.baseline create mode 100644 tasks/audit_only.yml delete mode 100644 templates/pam_pkcs11.conf.j2 create mode 100644 vars/audit.yml diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index fe51488c..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 2ad77429..00000000 --- a/.config/.secrets.baseline +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_passwd.yml", - "templates/pam_pkcs11.conf.j2" - ] - } - ], - "results": {}, - "generated_at": "2023-09-25T15:48:01Z" -} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 84807cde..30819d0b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,14 +33,11 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v6.20.2 diff --git a/Changelog.md b/Changelog.md index 06c4077a..c0bcafc1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -10,6 +10,14 @@ ruleid updated - 030742 - 040400 +- added SSH validation +- added ansible_facts for variable usage + +- AUDIT + - Audit_only ability now added to run standalone audit + - audit_only: true + - Related Audit repo updated to improve tests audit binary(goss updated to latest version) + ## 3.0.3 - Stig V1R11 - 26th July 2023 - updates to collections since galaxy updated diff --git a/defaults/main.yml b/defaults/main.yml index 3c71a077..d05b5ad6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -56,24 +56,46 @@ rhel8stig_skip_reboot: true # Defined will change if control requires change_requires_reboot: false -### Goss is required on the remote host +########################################## +### Goss is required on the remote host ### +## Refer to vars/auditd.yml for any other settings ## + +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +# Only run Audit do not remediate +audit_only: false +# As part of audit_only +# This will enable files to be copied back to control node +fetch_audit_files: false +# Path to copy the files to will create dir structure +audit_capture_files_dir: /some/location to copy to on control node + # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# archive or copy: +audit_conf_copy: "some path to copy from" + +# get_url: +audit_files_url: "some url maybe s3?" 
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### 
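Review bot: `audit_capture_files_dir: /some/location to copy to on control node` is a plain scalar, so with `fetch_audit_files: true` the file task in tasks/audit_only.yml will create that literal directory tree on the control node; quote it as an obvious placeholder, e.g. `audit_capture_files_dir: "/CHANGEME/audit_capture"`, or leave it undefined so the task fails on the variable rather than writing to a nonsense path. The new header comment `## Refer to vars/auditd.yml for any other settings ##` names the wrong file — the file added in this series is vars/audit.yml. The retained `#### Detailed settings found at the end of this document ####` line is also stale now that the @@ -904 hunk removes those settings from this file.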
@@ -904,55 +926,3 @@ rhel8stig_tmux_lock_after_time: 900 # The value given to Defaults timestamp timeout= in the sudo file. # Value must be greater than 0 to conform to STIG standards rhel8stig_sudo_timestamp_timeout: 1 - -#### Goss Configuration Settings #### -# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Goss binary settings ### -audit_bin_version: - release: v0.3.23 - checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" - -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - -#### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh8" - -# archive or copy: -audit_conf_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" 
- -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" - -# If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/handlers/main.yml b/handlers/main.yml index 3e6ff61d..c210d6f1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,4 +1,9 @@ --- + +- name: change_requires_reboot + ansible.builtin.set_fact: + change_requires_reboot: true + - name: systemctl daemon-reload ansible.builtin.systemd: daemon_reload: true @@ -16,6 +21,7 @@ when: - not rhel8stig_system_is_chroot - "'openssh-server' in ansible_facts.packages" + - not change_requires_reboot - name: restart sssd ansible.builtin.service: @@ -30,6 +36,7 @@ state: restarted when: - not rhel8stig_system_is_chroot + - not change_requires_reboot - name: restart rsyslog ansible.builtin.service: @@ -82,6 +89,7 @@ - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - not system_is_container + - not change_requires_reboot - name: update auditd ansible.builtin.template: @@ -98,6 +106,7 @@ - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - not system_is_container + - not change_requires_reboot - name: rebuild initramfs ansible.builtin.shell: dracut -f 
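Review bot: Moving the `change_requires_reboot` handler to the top of the file and adding `- not change_requires_reboot` to the restart handlers below only works because handlers run in the order they are defined, and nothing records that dependency. A comment above the first handler, `# Keep this handler first: handlers run in definition order and the restart handlers below skip when a reboot is already pending`, would prevent a later reorder from silently reintroducing service restarts ahead of a pending reboot. The same guard is added in the @@ -16, @@ -30, @@ -82 and @@ -98 hunks of this file and is covered by that one comment.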
@@ -146,7 +155,3 @@ ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - -- name: change_requires_reboot - ansible.builtin.set_fact: - change_requires_reboot: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index c8222b8e..7ef94b4a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,22 +1,34 @@ --- +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_facts.machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_facts.machine == "arm64" + - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ audit_bin_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ audit_bin_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: '0555' when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" + mode: '0555' owner: root group: root - mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..864f5bbe --- /dev/null +++ b/tasks/audit_only.yml 
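Review bot: The ARM64 branch tests `ansible_facts.machine == "arm64"`, but that fact carries the kernel's `uname -m` value, which is `aarch64` on Linux, so on an ARM RHEL 8 host neither set_fact matches and the download task then fails on an undefined `audit_pkg_arch_name` inside the url and checksum expressions. Add `aarch64` to the condition and fail early with a clear message, e.g. `- name: Pre Audit Setup | Assert audit binary architecture is known` / `ansible.builtin.assert:` / `that: audit_pkg_arch_name is defined`. Two related gaps: vars/audit.yml in this series defines only `AMD64_checksum`, so `audit_bin_version['ARM64_checksum']` is undefined even when the ARM branch does match, and the URL now becomes `goss-linux-AMD64` where the previous default used lowercase `goss-linux-amd64` — GitHub release asset paths are case-sensitive, so confirm the uppercase name resolves before relying on it.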
@@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7b180d70..69fbcdbf 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -321,6 +321,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' line: 'PermitEmptyPasswords no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_020330 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a5d007b9..e453e73b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -112,6 +112,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' + validate: '/usr/sbin/sshd -T -f %s' when: - rhel8stig_ssh_required @@ -224,7 +225,7 @@ create: true mode: '0644' when: - - rhel_08_010070_info_set_rsyslog.stdout > 0 + - rhel_08_010070_info_set_rsyslog.stdout | length > 0 - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 notify: restart rsyslog @@ -555,6 +556,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveCountMax.*' line: ClientAliveCountMax 1 + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010200 
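Review bot: `recurse: true` together with `mode: '0755'` on the `Create local Directories for hosts` task re-applies that mode to everything already under `{{ audit_capture_files_dir }}/{{ inventory_hostname }}` on the control node, which is an operator-supplied path; `state: directory` already creates missing parents, so drop `recurse: true` so an existing capture directory is not chmod'ed on every run. The `Stop Playbook Audit Only selected` task uses `meta: end_play`, which ends the play for all hosts; that matches `audit_only` being a global switch, but `end_host` is the safer choice if it is ever set per host. A short header comment, `# Runs only when audit_only is set: optionally fetch the pre-audit results to the control node, then stop before any remediation`, would document the file's purpose.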
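Review bot: The same literal `validate: '/usr/sbin/sshd -T -f %s'` is added here and repeated in the tasks/fix-cat2.yml hunks at @@ -112, @@ -555, @@ -573, @@ -1697, @@ -1715, @@ -1733, @@ -1751, @@ -1807, @@ -2778, @@ -6615, @@ -7475 and @@ -7493; putting it in one variable, e.g. `rhel8stig_sshd_validate_cmd: '/usr/sbin/sshd -T -f %s'` in defaults and `validate: "{{ rhel8stig_sshd_validate_cmd }}"` in each task, keeps the fourteen copies from drifting. The prelim task in this series generates a host key "to allow 'sshd -t -f %s' to succeed"; `-T` also needs a host key so the generated key covers it, but the comment and the validate string now disagree on the flag, which is worth aligning.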
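Review bot: The updated condition `rhel_08_010070_info_set_rsyslog.stdout | length > 0` in the @@ -224 hunk of tasks/fix-cat2.yml now treats stdout as a string, but the sibling condition on the next line, `rhel_08_010070_authpriv_set_rsyslog.stdout == 0`, still compares the string stdout with the integer 0, which in Jinja is never true unless stdout is actually an int, so the task is likely never reached. Writing it in the same form, `- rhel_08_010070_authpriv_set_rsyslog.stdout | length == 0`, makes the pair consistent; the registering tasks are outside the hunk, so verify what they produce.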
@@ -573,6 +575,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveInterval.*' line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}" + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010201 @@ -1697,6 +1700,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?StrictModes' line: 'StrictModes yes' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010500 @@ -1715,6 +1719,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?IgnoreUserKnownHosts' line: 'IgnoreUserKnownHosts yes' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010520 @@ -1733,6 +1738,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?KerberosAuthentication' line: "KerberosAuthentication no" + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010521 @@ -1751,6 +1757,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?GSSAPIAuthentication' line: "GSSAPIAuthentication no" + validate: '/usr/sbin/sshd -T -f %s' when: - rhel_08_010522 - rhel8stig_ssh_required @@ -1807,6 +1814,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitRootLogin' line: 'PermitRootLogin no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010550 @@ -2778,6 +2786,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitUserEnvironment' line: 'PermitUserEnvironment no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010830 @@ -6615,6 +6624,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?RekeyLimit' line: 'RekeyLimit 1G 1h' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_040161 @@ -7475,6 +7485,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?X11Forwarding' line: 'X11Forwarding no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_040340 @@ -7493,6 +7504,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?X11UseLocalhost' line: 'X11UseLocalhost yes' + validate: '/usr/sbin/sshd -T -f %s' when: - rhel_08_040341 - rhel8stig_ssh_required 
diff --git a/tasks/main.yml b/tasks/main.yml index c516e703..a1acf152 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,15 +4,15 @@ ansible.builtin.setup: gather_subset: distribution,!all,!min when: - - ansible_distribution is not defined + - ansible_facts.distribution is not defined tags: - always - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') - fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - not skip_os_check tags: @@ -43,7 +43,7 @@ - system_is_container when: - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always @@ -92,7 +92,7 @@ - RHEL-08-010149 - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml" tags: - always 
@@ -134,10 +134,19 @@ - prelim_tasks - run_audit -- name: Include pre-remediation tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml +- name: Include audit specific variables + ansible.builtin.include_vars: audit.yml when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit - run_audit + +- name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only - setup_audit tags: - run_audit diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index ef4fbf6a..aada90e2 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -15,7 +15,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index fa9614b6..2c51bbb0 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
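Review bot: Both `Include audit specific variables` and `Include pre-remediation audit tasks` are gated on `setup_audit` in addition to `run_audit or audit_only`, yet the defaults in this series describe `setup_audit` as the switch for installing git and the goss binary and `run_audit` as the switch for running the audit, and pre_remediation_audit.yml already applies `when: - setup_audit` to its own LE_audit_setup include; with `run_audit: true` and `setup_audit: false` (goss pre-installed, the case the `Check Goss is available` task exists for) the vars are never loaded and no audit runs. Drop `- setup_audit` from both `when:` lists here, leaving `- run_audit or audit_only`, and let the include inside pre_remediation_audit.yml carry the setup gate.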
@@ -1,18 +1,28 @@ --- -- name: Post Audit | Capture audit data if json format - block: +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" - - name: "capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" +- name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" + block: + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: cat {{ post_audit_outfile }} register: post_audit changed_when: false 
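Review bot: The single `Run post_remediation {{ benchmark }} audit` task replaces two per-format tasks, but the documentation variant passed `-f documentation` to run_audit.sh (visible in the removed lines of the next hunk) and the new command does not, so when `audit_format == "documentation"` the script is invoked as for json while the later `tail -2` block still expects documentation output — unless run_audit.sh derives the format from the outfile extension or elsewhere, which is not visible here. Restoring the flag conditionally keeps one task without losing that path, e.g. `ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"{{ ' -f documentation' if audit_format == 'documentation' else '' }}"`. The same omission applies to the pre-remediation run task added in the tasks/pre_remediation_audit.yml hunk at @@ -60.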
@@ -20,37 +30,17 @@ ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "Post Audit | capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: tail -2 {{ post_audit_outfile }} register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: '0644' - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 290170d6..e3a261e7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -1,58 +1,58 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: - file: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: "'git' not in ansible_facts.packages" - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server + when: + - audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" mode: preserve - when: - - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archived' ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url + when: + - audit_content == 'get_url' ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file 
ansible.builtin.stat: @@ -60,34 +60,36 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: '0600' - when: - - run_audit - tags: - - goss_template + +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + - name: capture data {{ pre_audit_outfile }} + ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false 
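Review bot: `Check Goss is available` and `Copy ansible default vars values to test audit` are gated on `run_audit` alone, but the new `Run pre_remediation {{ benchmark }} audit` task below them has no `when:` and this file is imported for `run_audit or audit_only`, so with `audit_only: true` and `run_audit: false` the goss presence check and the `{{ audit_vars_path }}` template are skipped and run_audit.sh is executed without its vars file; change both guards to `- run_audit or audit_only`. Separately, `If audit ensure goss is available` was rewritten as `when: - not goss_available.stat.exists` with the `that:` line removed — `ansible.builtin.assert` requires `that`, so when goss is missing this task now fails on a missing-argument error rather than with the intended `msg`; keep `that: goss_available.stat.exists` and drop the new `when`. The first hunk of this file starts at its top and the second ends mid-block, so the surrounding tasks are only partly visible.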
@@ -95,28 +97,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" + +- name: Audit_Only | Run Audit Only when: - - audit_format == "documentation" + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 26fa1b2b..91b429df 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -274,12 +274,12 @@ state: "{{ rhel8stig_service_started }}" enabled: true - - name: PRELIM | check if ssh host key exists + - name: PRELIM | Check if ssh host key exists ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel8stig_ssh_host_rsa_key_stat - - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed + - name: PRELIM | Create ssh host key to allow 'sshd -t -f %s' to succeed ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 69484221..d9af9eae 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,6 +1,6 @@ ## metadata for Audit benchmark -benchmark_version: '1.11' +benchmark_version: {{ benchmark_version }} rhel8stig_os_distribution: {{ ansible_distribution | lower }} 
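Review bot: `benchmark_version: {{ benchmark_version }}` in templates/ansible_vars_goss.yml.j2 renders unquoted, so a value such as `1.10` or `1.20` is read back by the YAML loader as the float `1.1`/`1.2`, and even `1.11` becomes a float rather than the string the old literal `'1.11'` produced; keep the quoting, `benchmark_version: '{{ benchmark_version }}'`. The context line below still uses `ansible_distribution` while the rest of this series moved to `ansible_facts.distribution`; both resolve with the default fact injection, but the template will be the first thing to break if that is ever disabled, so converting it too keeps the role consistent.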
@@ -443,13 +443,13 @@ MAX_UID: {{ rhel8stig_interactive_uid_stop }} # RHEL_08_010040-010050-010060 rhel8stig_banner_file: /etc/issue rhel8stig_logon_banner: -- You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. -- By using this IS (which includes any device attached to this IS), you consent to the following conditions -- -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -- -At any time, the USG may inspect and seize data stored on this IS. -- -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -- -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -- -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + By using this IS (which includes any device attached to this IS), you consent to the following conditions + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
+ -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # RHEL_08_010680 to change if using hostfile only - seperate checks rhel8stig_uses_dns: true @@ -479,6 +479,3 @@ rhel8stig_remotelog_protocol: '{{ rhel8stig_remotelog_server.protocol }}' # RHEL_08_040137 python_bin: {{ ansible_python.executable }} - -# RHEL_08_040260-62 -rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 deleted file mode 100644 index 32c441b5..00000000 --- a/templates/pam_pkcs11.conf.j2 +++ /dev/null 
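Review bot: The banner changes from a list of `- ` items to indented lines under `rhel8stig_logon_banner:` with no block indicator, so YAML folds them into one plain scalar joined by single spaces, and the leading `-` on the `-The USG ...` lines only survives because there is no space after it. If a single string is what the audit expects, a block scalar says so explicitly and keeps the line structure readable: `rhel8stig_logon_banner: >-` followed by the same indented lines; if the audit still expects the list the old form produced, this hunk changes the value's type rather than only its formatting — the consuming goss test is not visible here, so check which it is.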
@@ -1,249 +0,0 @@ -# -# Configuration file for pam_pkcs11 module -# -# Version 0.4 -# Author: Juan Antonio Martinez -# -pam_pkcs11 { - # Allow empty passwords - nullok = true; - - # Enable debugging support. - debug = false; - - # If the smart card is inserted, only use it - card_only = true; - - # Do not prompt the user for the passwords but take them from the - # PAM_ items instead. - use_first_pass = false; - - # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK - # is unset. - try_first_pass = false; - - # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been - # previously set (intended for stacking password modules only). - use_authtok = false; - - # Filename of the PKCS #11 module. The default value is "default" - use_pkcs11_module = {{ rhel08stig_smartcarddriver }}; - - screen_savers = gnome-screensaver,xscreensaver,kscreensaver - - pkcs11_module {{ rhel08stig_smartcarddriver }} { - {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} - module = /usr/lib64/libcackey.so; - description = "{{ rhel08stig_smartcarddriver }}"; - slot_num = 0; - support_threads = false; - ca_dir = /etc/pam_pkcs11/cacerts; - crl_dir = /etc/pam_pkcs11/crls; - cert_policy = signature; - } - - pkcs11_module opensc { - module = opensc-pkcs11.so; - description = "OpenSC PKCS#11 module"; - # Slot-number to use. One for the first, two for the second and so - # on. The default value is zero which means to use the first slot - # with an available token. - slot_num = 0; - - # Path to the directory where the NSS CA certificate database is stored. 
- # you can mange the certs in this database with the certutil command in - # the package nss-tools - nss_dir = /etc/pki/nssdb; - - # Sets the Certificate Policy, (see above) - cert_policy = ca, signature; - } - - # Default pkcs11 module - pkcs11_module default { - module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; - description = "Default pkcs#11 module"; - slot_num = 0; - #ca_dir = /etc/pam_pkcs11/cacerts; - #crl_dir = /etc/pam_pkcs11/crls; - nss_dir = /etc/pki/nssdb; - cert_policy = ca, signature; - } - - # Which mappers ( Cert to login ) to use? - # you can use several mappers: - # - # subject - Cert Subject to login file based mapper - # pwent - CN to getpwent() login or gecos fields mapper - # ldap - LDAP mapper - # opensc - Search certificate in ${HOME}/.eid/authorized_certificates - # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys - # mail - Compare email fields from certificate - # ms - Use Microsoft Universal Principal Name extension - # krb - Compare againts Kerberos Principal Name - # cn - Compare Common Name (CN) - # uid - Compare Unique Identifier - # digest - Certificate digest to login (mapfile based) mapper - # generic - User defined certificate contents mapped - # null - blind access/deny mapper - # - # You can select a comma-separated mapper list. 
- # If used null mapper should be the last in the list :-) - # Also you should select at least one mapper, otherwise - # certificate will not match :-) - use_mappers = cn, uid, pwent, null; - - # When no absolute path or module info is provided, use this - # value as module search path - # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH - mapper_search_path = /usr/$LIB/pam_pkcs11; - - # - # Generic certificate contents mapper - mapper generic { - debug = true; - module = /usr/$LIB/pam_pkcs11/generic_mapper.so; - # ignore letter case on match/compare - ignorecase = false; - # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" - cert_item = cn; - # Define mapfile if needed, else select "none" - mapfile = file:///etc/pam_pkcs11/generic_mapping - # Decide if use getpwent() to map login - use_getpwent = false; - } - - # Certificate Subject to login based mapper - # provided file stores one or more "Subject -> login" lines - mapper subject { - debug = false; - # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; - module = internal; - ignorecase = false; - mapfile = file:///etc/pam_pkcs11/subject_mapping; - } - - # Search public keys from $HOME/.ssh/authorized_keys to match users - mapper openssh { - debug = false; - module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; - } - - # Search certificates from $HOME/.eid/authorized_certificates to match users - mapper opensc { - debug = false; - module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; - } - - # Certificate Common Name ( CN ) to getpwent() mapper - mapper pwent { - debug = false; - ignorecase = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; - } - - # Null ( no map ) mapper. 
when user as finder matchs to NULL or "nobody" - mapper null { - debug = false; - # module = /usr/$LIB/pam_pkcs11/null_mapper.so; - module = internal ; - # select behavior: always match, or always fail - default_match = false; - # on match, select returned user - default_user = nobody ; - } - - # Directory ( ldap style ) mapper - mapper ldap { - debug = false; - module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; - # where base directory resides - basedir = /etc/pam_pkcs11/mapdir; - # hostname of ldap server - ldaphost = "localhost"; - # Port on ldap server to connect - ldapport = 389; - # Scope of search: 0 = x, 1 = y, 2 = z - scope = 2; - # DN to bind with. Must have read-access for user entries under "base" - binddn = "cn=pam,o=example,c=com"; - # Password for above DN - passwd = "test"; - # Searchbase for user entries - base = "ou=People,o=example,c=com"; - # Attribute of user entry which contains the certificate - attribute = "userCertificate"; - # Searchfilter for user entry. Must only let pass user entry for the login user. - filter = "(&(objectClass=posixAccount)(uid=%s))" - } - - # Assume common name (CN) to be the login - mapper cn { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; - ignorecase = true; - mapfile = file:///etc/pam_pkcs11/cn_map; - } - - # mail - Compare email field from certificate - mapper mail { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; - # Declare mapfile or - # leave empty "" or "none" to use no map - mapfile = file:///etc/pam_pkcs11/mail_mapping; - # Some certs store email in uppercase. take care on this - ignorecase = true; - # Also check that host matches mx domain - # when using mapfile this feature is ignored - ignoredomain = false; - } - - # ms - Use Microsoft Universal Principal Name extension - # UPN is in format login@ADS_Domain. No map is needed, just - # check domain name. 
- mapper ms { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; - ignorecase = false; - ignoredomain = false; - domain = "domain.com"; - } - - # krb - Compare againts Kerberos Principal Name - mapper krb { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # uid - Maps Subject Unique Identifier field (if exist) to login - mapper uid { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # digest - elaborate certificate digest and map it into a file - mapper digest { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; - # algorithm used to evaluate certificate digest - # Select one of: - # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" - algorithm = "sha1"; - mapfile = file:///etc/pam_pkcs11/digest_mapping; - # mapfile = "none"; - } - -} diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..89e61a84 --- /dev/null +++ b/vars/audit.yml 
@@ -0,0 +1,41 @@ +--- + +#### Audit Configuration Settings #### + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}_rh8" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/opt' +# Where the goss audit configuration will be stored +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }} From 20661beeb935ffd0f1f0d582596d57b5e5f86d8c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 21 Feb 2024 16:14:46 +0000 Subject: [PATCH 014/202] fix typo line 020030 
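Review bot: `audit_bin_version` pins a sha256 only for the AMD64 build (`AMD64_checksum`), so a download on any other architecture has nothing to verify the fetched goss binary against; if the download method is used on non-x86 hosts, add a checksum entry for that build or fail early when no checksum exists for `ansible_facts.architecture`. `audit_git_version` is a mutable branch name, so the audit content cloned from `audit_file_git` can change between runs with no change in this role — pinning a tag or commit would make the audit reproducible. Quoting is also inconsistent across the new file: `audit_out_dir: '/opt'` is quoted while `audit_bin_path: /usr/local/bin/` and `audit_format: json` are plain; pick one style.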
Signed-off-by: Mark Bolwell
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index e453e73b..527e99ef 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -3308,9 +3308,9 @@
- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
ansible.builtin.lineinfile:
path: "{{ item }}"
- regexp: '^lock-enabled'
+ regexp: ^lock-enabled
line: lock-enabled=true
- loop: "{{ rhel_08_020030_lock_enabled.stdout }}"
+ loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}"
when: rhel_08_020030_lock_enabled.stdout | length > 0
notify: dconf update
From ccd1285b941e6616e4c4c6b6f45090f9f9d09547 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Mar 2024 12:30:26 +0000
Subject: [PATCH 015/202] updated due to galaxy_ng changes
Signed-off-by: Mark Bolwell
---
README.md | 6 ++++++
meta/main.yml | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0a0abb05..1c42a6cf 100644
--- a/README.md
+++ b/README.md
@@ -190,3 +190,9 @@ This repo originated from work done by [Sam Doran](https://github.com/samdoran/a
```sh
pre-commit run
```
+
+## Credits and Thanks
+
+Massive thanks to the fantastic community and all is members
+Huge thanks and Credit to the original authors and maintainers.
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
diff --git a/meta/main.yml b/meta/main.yml
index f260b661..a9a9978b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,6 +1,6 @@
---
galaxy_info:
- author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
+ author: "MindPoint Group"
description: "Apply the DISA RHEL 8 STIG"
company: "MindPoint Group"
license: MIT
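Review bot: The loop now iterates `rhel_08_020030_lock_enabled.stdout_lines` but the `when:` on the next line still tests `rhel_08_020030_lock_enabled.stdout | length > 0`; the two agree in practice (empty stdout gives an empty list), but keeping both on the same attribute, `when: rhel_08_020030_lock_enabled.stdout_lines | length > 0`, removes the question of whether they can differ. Dropping the quotes around `^lock-enabled` is harmless here because `^` is not a YAML indicator, but a quoted regexp makes the intent explicit and protects the next edit that introduces `#`, `: ` or a leading `*`. The outer block for RHEL-08-020030 starts outside the hunk.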
From 756c791cab9498599706235ceba82543d0e2c80e Mon Sep 17 00:00:00 2001 From: William Panlener Date: Mon, 23 Oct 2023 21:06:30 -0500 Subject: [PATCH 016/202] Revert "fixed gnutls as per issue 196 thansk to @jmalpede" This reverts commit 63c4c8406e7f6b49eeb94d787f258917e8716b0b. Signed-off-by: William Panlener --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d05b5ad6..64812982 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -916,7 +916,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less From 20fa9531cd451edd038503a9716f696e49fe3ff9 Mon Sep 17 00:00:00 2001 From: William Golembieski Date: Thu, 9 Nov 2023 15:56:54 -0500 Subject: [PATCH 017/202] Update main.yml Removing stale var rhel8stig_sshd_compression Signed-off-by: William Golembieski --- defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 64812982..58382591 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
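Review bot: The value reinstates the `+VERS-ALL:` prefix, but the context comment above it (`The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions`) still says the task adds that prefix; if the task in fix-cat2 still prepends it, the rendered GnuTLS policy would carry `+VERS-ALL:` twice, and if it no longer does, the comment is stale. Either way the comment should be corrected to match the revert, e.g. `# Written to the GnuTLS config as-is; must begin with +VERS-ALL: followed by the protocol versions to disable`, and the typos `teh` and `ecryption` on that line could be fixed in the same edit. I cannot see the consuming task from this hunk, so the duplication is an inference to confirm.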
@@ -867,10 +867,6 @@ rhel8stig_path_to_sshkey: "/root/.ssh/" # To conform to STIG standards these directories need to be 755 or less permissive rhel8stig_lib_dir_perms: 0755 -# RHEL-08-010510 -# rhel8stig_sshd_compression to meet STIG requirements needs to be set to "no" or "delayed" -rhel8stig_sshd_compression: "no" - # now in prelim # rhel8stig_interactive_uid_start: '1000' From 303c3d8b3a771ef7656ae32e2567ae3a3005e8ba Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:39 +0000 Subject: [PATCH 018/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.20.2 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.20.2...v6.22.1) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 30819d0b..3bf09a94 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v6.20.2 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint 
@@ -59,6 +59,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 180e9b05dab391163edc36d4d25ee101ac8bdc51 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 01:17:54 +0000 Subject: [PATCH 019/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.1 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3bf09a94..717f0e69 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -59,6 +59,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From 9fb6548ae9c6244b457a06442972c1c8568280c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 14:59:34 +0000 Subject: [PATCH 020/202] updated Readme credits Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1c42a6cf..467f0ef0 100644 --- a/README.md 
+++ b/README.md @@ -193,6 +193,6 @@ pre-commit run ## Credits and Thanks -Massive thanks to the fantastic community and all is members -Huge thanks and Credit to the original authors and maintainers. +Massive thanks to the fantastic community and all is members. +This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From 35eca322e69100fa9f6b4131346cd0658c7cbbef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 15:06:54 +0000 Subject: [PATCH 021/202] updated credits Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 467f0ef0..9ed50479 100644 --- a/README.md +++ b/README.md @@ -193,6 +193,6 @@ pre-commit run ## Credits and Thanks -Massive thanks to the fantastic community and all is members. +Massive thanks to the fantastic community and all its members. This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From 97dd517a6e8463c196c8ab0ea7617abda820ea35 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 17:48:38 +0000 Subject: [PATCH 022/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 717f0e69..88d4f0da 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -40,7 +40,7 @@ repos:
- id: gitleaks
- repo: https://github.com/ansible-community/ansible-lint
- rev: v24.2.0
+ rev: v24.2.1
hooks:
- id: ansible-lint
name: Ansible-lint
From 5ee5bf2f69fe140de33fdb0ad954f8a4684a1655 Mon Sep 17 00:00:00 2001
From: Phenix66 <34311559+Phenix66@users.noreply.github.com>
Date: Tue, 19 Mar 2024 23:00:32 -0400
Subject: [PATCH 023/202] Updated RHEL-08-020050 to loop over stdout_lines. Fixes issue #261.
Signed-off-by: Phenix66 <34311559+Phenix66@users.noreply.github.com>
---
tasks/fix-cat2.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 527e99ef..7f0527c6 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -3434,7 +3434,7 @@
line: |
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
- when: rhel_08_020050_removal_action.stdout | length == 0
+ when: rhel_08_020050_removal_action.stdout_lines | length == 0
notify: dconf update
- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
@@ -3442,15 +3442,16 @@ path: "{{ item }}" regexp: ^removal-action= line: removal-action='lock-screen' - loop: "{{ rhel_08_020050_removal_action.stdout }}" - when: rhel_08_020050_removal_action.stdout | length > 0 + loop: "{{ rhel_08_020050_removal_action.stdout_lines }}" + when: rhel_08_020050_removal_action.stdout_lines | length > 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" ansible.builtin.lineinfile: - path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' + path: '/etc/dconf/db/distro.d/locks/{{ item }}' line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - when: rhel_08_020050_removal_action_file.stdout | length > 0 + loop: "{{ rhel_08_020050_removal_action_file.stdout_lines }}" + when: rhel_08_020050_removal_action_file.stdout_lines | length > 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" @@ -3461,7 +3462,7 @@ owner: root group: root mode: 0640 - when: rhel_08_020050_removal_action_file.stdout | length == 0 + when: rhel_08_020050_removal_action_file.stdout_lines | length == 0 notify: dconf update when: - rhel_08_020050 From 384dd10843a4a4396d973a67a06714ce351f3ecf Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 17:54:43 +0000 Subject: [PATCH 024/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.5.0...v4.6.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 88d4f0da..1f3f17bf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: # Safety - id: detect-aws-credentials From b6ecf05ac2438a22a95fbef9c7fad2828feb065b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 12:12:28 +0100 Subject: [PATCH 025/202] addressing #251 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 64 +++++++++++++++++----------------------------- tasks/prelim.yml | 44 +++++++++++++++++++++++-------- 2 files changed, 58 insertions(+), 50 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7f0527c6..75c0b161 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2230,7 +2230,6 @@ when: - rhel_08_010660 - rhel8stig_disruption_high - # - rhel_08_stig_interactive_homedir_inifiles is defined tags: - RHEL-08-010660 - CAT2 
@@ -2441,7 +2440,7 @@ block: - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath - with_items: "{{ rhel_08_stig_interactive_homedir_results }}" + with_items: "{{ discovered_interactive_users_home.stdout_list }}" register: rhel_08_010690_ini_path_grep_list changed_when: false failed_when: false @@ -2558,15 +2557,31 @@ - SV-230320r627750_rule - V-230320 +# Required for RHEL-08-010730 +- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." + ansible.builtin.file: + path: "{{ item }}" + state: directory + with_items: "{{ discovered_interactive_users_home.stdout_lines }}" + when: + - rhel_08_010750 + tags: + - RHEL-08-010750 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230323r627750_rule + - V-230323 + - permissions + - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_perms }}" with_items: - - "{{ local_home_directories.stdout_lines }}" + - "{{ discovered_interactive_users_home.stdout_lines }}" when: - rhel_08_010730 - - local_home_directories.stdout | length > 0 tags: - RHEL-08-010730 - CAT2 
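Review bot: `discovered_interactive_users_home.stdout_list` is not an attribute of a registered command result; every other consumer in this commit reads `stdout_lines`, so this `with_items` would fail with an undefined-attribute error as soon as RHEL-08-010690 runs. Change it to `with_items: "{{ discovered_interactive_users_home.stdout_lines }}"`. The enclosing block for RHEL-08-010690 starts and ends outside the hunk.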
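Review bot: The new RHEL-08-010750 task is commented `# Required for RHEL-08-010730` but is gated only on `rhel_08_010750`, so a play that disables 010750 while keeping 010730 enabled reaches the 010730 `ansible.builtin.file` mode change on a home directory that may not exist and fails — the removed `local_home_directories.stdout | length > 0` guard used to soften that. Either gate the new task with `when: rhel_08_010750 or rhel_08_010730` or restore an existence check on 010730. `state: directory` also creates any missing home directory without `owner`/`group`, so it would belong to the connecting user rather than the account it serves; the replaced task had the same gap, but now that the discovery tasks in prelim.yml also collect `discovered_interactive_usernames` from the same pipeline, it looks feasible to pass the matching username as `owner` — worth confirming the two lists stay index-aligned before relying on that.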
@@ -2578,20 +2593,12 @@ - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." block: - - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" - ansible.builtin.shell: "find {{ item }} -perm -750 ! -perm 750" - changed_when: false - failed_when: false - register: rhel_08_010731_files - with_items: - - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start | int) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_file_perms }}" with_items: - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + - "{{ discovered_interactive_users_home.stdout_lines }}" when: rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" @@ -2599,7 +2606,7 @@ msg: - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." - "Please review the files to bring into STIG compliance" - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + - "{{ discovered_interactive_users_home.stdout_lines }}" when: not rhel8stig_disruption_high when: - rhel_08_010731 @@ -2622,10 +2629,8 @@ label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010740 - - (item.uid >= rhel8stig_interactive_uid_start | int) - - (item.uid >= rhel8stig_interactive_uid_stop | int) + - item.uid is search(discovered_interactive_uids.stdout) tags: - - skip_ansible_lint - RHEL-08-010740 - CAT2 - CCI-000366 
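Review bot: RHEL-08-010731 covers files inside interactive users' home directories, but after this change the remediation applies `mode: "{{ rhel8stig_local_int_home_file_perms }}"` to `discovered_interactive_users_home.stdout_lines`, i.e. to the home directories themselves, which RHEL-08-010730 already sets with the directory mode; the files within are no longer touched, and the alert in the following hunk (`@@ -2599,7 +2606,7 @@`) now lists directories under a message about files. The removed `find {{ item }} -perm -750 ! -perm 750` audit step was what produced the file list; if the intent was only to drop the `rhel8stig_passwd` filtering, keep that find task and feed it `discovered_interactive_users_home.stdout_lines` instead. The enclosing block starts outside the hunk.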
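Review bot: `item.uid is search(discovered_interactive_uids.stdout)` uses the registered stdout as the regular expression and the uid as the subject, so the newline-separated list of discovered uids is the pattern being looked for inside a single uid string; that can only match when exactly one uid was discovered, matches by substring when it does (uid `100` matches `1000`), and when nothing was discovered the empty pattern matches every passwd entry, including the system accounts the removed `rhel8stig_interactive_uid_start` range check used to exclude. The same condition is added in the next hunk (`@@ -2645,8 +2650,7 @@`) for RHEL-08-010741. A membership test against the list is what is intended: `- item.uid | string in discovered_interactive_uids.stdout_lines`. If the task body (outside the hunk) applies ownership changes to `item.dir`, the empty-pattern case would touch directories such as `/root` that system accounts list as their home, so this deserves a test with an empty discovery result.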
@@ -2645,8 +2650,7 @@ label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010741 - - (item.uid >= rhel8stig_interactive_uid_start | int) - - item.uid != 65534 + - item.uid is search(discovered_interactive_uids.stdout) tags: - RHEL-08-010741 - CAT2 @@ -2656,26 +2660,6 @@ - V-244532 - permissions -- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - ansible.builtin.file: - path: "{{ item.dir }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010750 - - (item.uid >= rhel8stig_interactive_uid_start | int) - tags: - - skip_ansible_lint - - RHEL-08-010750 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230323r627750_rule - - V-230323 - - permissions - - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." ansible.builtin.lineinfile: path: /etc/login.defs @@ -4396,7 +4380,7 @@ hidden: true use_regex: true register: rhel8stig_020352_file - loop: "{{ local_home_directories.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" ansible.builtin.lineinfile: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 91b429df..07034aee 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -139,6 +139,30 @@ - RHEL-08-010750 - RHEL-08-020320 +- name: "PRELIM | AUDIT | Discover Interactive Users" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }' + changed_when: false + register: discovered_interactive_usernames + +- name: "PRELIM | AUDIT | Discover Interactive User accounts home directories" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' + changed_when: false + register: discovered_interactive_users_home + +- name: "PRELIM | AUDIT | Discover Interactive user UIDs" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' + changed_when: false + register: discovered_interactive_uids + - name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero 
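Review bot: The exclusion `grep -E -v '^(root|halt|sync|shutdown)'` in all three new discovery tasks is not anchored on the field separator, so any account whose name merely begins with one of those strings (`rooter`, `syncuser`) is silently dropped; anchor it as `grep -E -v '^(root|halt|sync|shutdown):'`. The pipeline also replaces the previous uid-range filter (`$3>=1000` in the task commented out in the next hunk, `rhel8stig_interactive_uid_start` in the removed conditions) with a shell-only test, so any account below the interactive range that has a login shell now counts as interactive and its home directory is created and chmod'ed by the 010730/010750 tasks; an awk clause on `$3` against `rhel8stig_interactive_uid_start` alongside the shell test would preserve the old boundary. Reading `/etc/passwd` directly rather than `getent passwd` means these lists will not include directory-backed accounts that `rhel8stig_passwd` presumably does, and the three tasks run the same pipeline three times differing only in the printed field — one task printing `$1:$3:$6` and splitting in Jinja would keep the three views consistent by construction.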
@@ -188,16 +212,16 @@ - RHEL-08-010070 - RHEL-08-030010 -- name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" - ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: local_home_directories - when: - - rhel_08_010730 or - rhel_08_020352 - tags: - - always +# - name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" +# ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) +# changed_when: false +# failed_when: false +# register: local_home_directories +# when: +# - rhel_08_010730 or +# rhel_08_020352 +# tags: +# - always - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: From 08818062296be611cd9f67479ec3988b51bea795 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 12:16:33 +0100 Subject: [PATCH 026/202] fix issue #263 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 75c0b161..e495060a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7125,7 +7125,7 @@ - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: - name: net.ipv4.conf.all.send_redirects + name: net.ipv4.conf.all.accept_redirects value: 0 state: present reload: "{{ rhel8stig_sysctl_reload }}" From 6f485dafa09c50d0a167404693c3dab0cd5f50bb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 13:26:36 +0100 Subject: [PATCH 027/202] Address issues #242 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 12 ++++++------ tasks/fix-cat2.yml | 45 ++++++++++++++++----------------------------- 2 files changed, 22 insertions(+), 35 deletions(-) 
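Review bot: The old discovery task is kept as a commented-out block rather than deleted; the variable it registered (`local_home_directories`) is no longer referenced after this commit, so the ten commented lines are dead code that only invites drift, and git history preserves them if they are ever needed again. Remove the block instead of commenting it out.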
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 69fbcdbf..f89014d5 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -276,18 +276,18 @@
- name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system."
block:
- name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files"
- ansible.builtin.find:
- path: '/'
- recurse: true
- patterns: '*.shosts'
+ ansible.builtin.shell: find / -name "*.shosts"
+ changed_when: false
+ failed_when: rhel_08_010470_shost_files.rc not in [ 0, 1 ]
register: rhel_08_010470_shost_files
- name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files"
ansible.builtin.file:
- path: "{{ item.path }}"
+ path: "{{ item }}"
state: absent
with_items:
- - "{{ rhel_08_010470_shost_files.files }}"
+ - "{{ rhel_08_010470_shost_files.stdout_lines }}"
+ when: rhel_08_010470_shost_files.stdout | length > 0
when:
- rhel_08_010470
tags:
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index e495060a..18cad8e8 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
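Review bot: `find / -name "*.shosts"` walks every mounted filesystem, including `/proc`, `/sys` and any network mount, which is slow and can hang on an unresponsive NFS share; the find module it replaces had the same traversal cost, so this is not a regression, but a prune such as `find / \( -path /proc -o -path /sys -o -fstype nfs \) -prune -o -name "*.shosts" -print` would bound the scan. Accepting `rc` 1 in `failed_when` is needed for permission-denied noise but also hides any other error `find` reports with that code, so it is worth a comment stating why 1 is tolerated. The added `when: rhel_08_010470_shost_files.stdout | length > 0` is redundant with looping over an empty `stdout_lines`, but harmless. The block's `tags` continue outside the hunk.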
@@ -461,19 +461,18 @@ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." block: - name: "MEDIUM | RHEL-08-010161 | AUDIT | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" - ansible.builtin.find: - path: / - patterns: '*.keytab' - recurse: true + ansible.builtin.shell: find / -name *.keytab + changed_when: false + failed_when: rhel8stig_010161_keytab_files.rc not in [ 0, 1 ] register: rhel8stig_010161_keytab_files - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" state: absent with_items: - - "{{ rhel8stig_010161_keytab_files.files }}" - when: rhel8stig_010161_keytab_files.matched > 0 + - "{{ rhel8stig_010161_keytab_files.stdout_lines }}" + when: rhel8stig_010161_keytab_files.stdout | length > 0 when: - rhel_08_010161 tags: 
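Review bot: `find / -name *.keytab` leaves the glob unquoted, so the shell expands it against its working directory before `find` runs; if any `*.keytab` file happens to exist there, the argument becomes that literal name and the search silently misses everything else. The `.shosts` hunk in fix-cat1.yml quotes its pattern; do the same here, `ansible.builtin.shell: find / -name '*.keytab'`, and likewise for `ssh_host*_key.pub` and `ssh_host*_key` in the two RHEL-08-010480/010490 hunks below. The removal task then deletes every `.keytab` on the host, including a system keytab on a Kerberos-joined machine; that was already true with the find module, but since the change is irreversible a comment or an opt-in variable noting it would help operators.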
@@ -1630,25 +1629,19 @@ - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." block: - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" - ansible.builtin.find: - paths: /etc/ssh - recurse: true - file_type: file - patterns: 'ssh_host*_key.pub' - hidden: true + ansible.builtin.shell: find /etc/ssh -name ssh_host*_key.pub changed_when: false - failed_when: false + failed_when: rhel_08_010480_public_files.rc not in [ 0, 1 ] register: rhel_08_010480_public_files - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: - - "{{ rhel_08_010480_public_files.files }}" - loop_control: - label: "{{ item.path }}" + - "{{ rhel_08_010480_public_files.stdout_lines }}" notify: restart sshd + when: rhel_08_010480_public_files.stdout | length > 0 when: - rhel_08_010480 - rhel8stig_ssh_required 
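Review bot: Replacing the find module with `find /etc/ssh -name ssh_host*_key.pub` drops the `file_type: file` restriction, so a directory or symlink whose name matches is also handed to `ansible.builtin.file` with `mode: "{{ rhel8stig_ssh_pub_key_perm }}"`, and the file module follows symlinks by default; add `-type f` to the find, and the same applies to the private-key hunk below (`@@ -1664,25 +1657,19 @@`). That private-key hunk also narrows the pattern from `ssh_host*key` to `ssh_host*_key`, which fits the stock key names but skips any custom HostKey that does not end in `_key`; if the narrowing is intended it deserves a comment. The block's `when` conditions continue outside the hunk.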
@@ -1664,25 +1657,19 @@ - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Find files" - ansible.builtin.find: - paths: /etc/ssh - recurse: true - file_type: file - patterns: 'ssh_host*key' - hidden: true + ansible.builtin.shell: find /etc/ssh -name ssh_host*_key changed_when: false - failed_when: false + failed_when: rhel_08_010490_private_host_key_files.rc not in [ 0, 1 ] register: rhel_08_010490_private_host_key_files - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: - - "{{ rhel_08_010490_private_host_key_files.files }}" - loop_control: - label: "{{ item.path }}" + - "{{ rhel_08_010490_private_host_key_files.stdout_lines }}" notify: restart sshd + when: rhel_08_010490_private_host_key_files.stdout | length > 0 when: - rhel_08_010490 - rhel8stig_ssh_required From ac7520f950402fb914343cb57c9a83420e3bb4de Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 15:23:13 +0100 Subject: [PATCH 028/202] housekeeping lint Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- tasks/main.yml | 12 ++++++------ tasks/prelim.yml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 18cad8e8..07e9614e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6057,8 +6057,8 @@ zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: enabled - service: "{{ (item == (item | regex_search('^[a-z]+$'))) | bool | ternary(item, omit) }}" - port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | bool | ternary(item, omit) }}" + service: "{{ (item == (item | regex_search('^[a-z]+$'))) | ternary(item, omit) }}" + port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" diff --git a/tasks/main.yml b/tasks/main.yml index a1acf152..14a40c90 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,7 +36,7 @@ ansible.builtin.include_vars: file: "{{ container_vars_file }}" - - name: output if discovered is a container + - name: Output if discovered is a container ansible.builtin.debug: msg: system has been discovered as a container when: @@ -167,17 +167,17 @@ - name: Include CAT III patches ansible.builtin.import_tasks: fix-cat3.yml - when: rhel8stig_cat3_patch | bool + when: rhel8stig_cat3_patch tags: - CAT3 - low -- name: flush handlers +- name: Flush handlers ansible.builtin.meta: flush_handlers -- name: reboot system +- name: Reboot system block: - - name: reboot system if not skipped + - name: Reboot system if not skipped ansible.builtin.reboot: when: - change_requires_reboot @@ -191,7 +191,7 @@ - change_requires_reboot - rhel8stig_skip_reboot -- name: run post remediation audit +- name: Run post remediation audit ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 07034aee..9583a072 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
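Review bot: `when: rhel8stig_cat3_patch` in the tasks/main.yml hunk drops the `| bool` filter; that is fine when the variable is a YAML boolean, but if it is supplied as the string `false` via `-e` or an inventory string, a bare non-empty string is truthy and the CAT III patches would run — the rest of the role already uses bare conditionals (`rhel8stig_disruption_high`, `rhel_08_010470`), so this is consistent, but worth confirming the variable is never set as a string. Removing `| bool` from the `ternary` inputs in the fix-cat2.yml hunk is safe, since `==` already yields a boolean.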
@@ -163,15 +163,15 @@ changed_when: false register: discovered_interactive_uids -- name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" +- name: "PRELIM | RHEL-08-010690 | Ensure user enumeration command is modified when autofs remote home directories are in use" block: - - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero + - name: PRELIM | RHEL-08-010690 | AUDIT | Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero ansible.builtin.assert: that: - rhel8stig_auto_mount_home_dirs_local_mount_point is defined - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 - - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories + - name: PRELIM | RHEL-08-010690 | PATCH | Modify local_interactive_user_dir_command to exclude remote automounted home directories ansible.builtin.set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" @@ -381,7 +381,7 @@ tags: - always -- name: Gather the package facts +- name: "PRELIM | Gather the package facts" ansible.builtin.package_facts: manager: auto tags: From 98a71203b024ea774c5276512b27094e204d162f Mon Sep 17 00:00:00 2001 From: Eric Lehmann Date: Wed, 10 Apr 2024 15:33:35 -0400 Subject: [PATCH 029/202] Meet fix text of V-244546 Signed-off-by: Eric Lehmann --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 58382591..dd7edf06 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -878,7 +878,7 @@ rhel8stig_ntp_server_name: 0.us.pool.ntp.mil # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all rhel8stig_fapolicy_white_list: - 'deny_audit perm=any pattern=ld_so : all' - - deny all all + - 'deny perm=any all : all' # RHEL-08-040090 # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone From 9872968c93b62580ed85fb4857c588b48d3d1285 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Apr 2024 16:01:02 +0100 Subject: [PATCH 030/202] issue #267 Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ++++++++-- tasks/fix-cat2.yml | 31 +++++++++++++++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 58382591..9e6f1cfd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -884,14 +884,20 @@ rhel8stig_fapolicy_white_list: # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone rhel8stig_custom_firewall_zone: "new_fw_zone" +# rhel8stig_copy_existing_zone - if you wish to copy an existing zones rules to the new zone +rhel8stig_copy_existing_zone: true +# rhel8stig_existing_zone_to_copy - name of the zone that you wish to copy from +rhel8stig_existing_zone_to_copy: public + # RHEL-08-040090 -# rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone +# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules +# rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel8stig_white_list_services: + - ssh - http - https - - ssh # RHEL-08-010290 # RHEL-08-010290 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 07e9614e..1b1471e9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
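Review bot: The comment two lines above the changed entry still says the last item `must be dyny all all`, which no longer matches the new final rule `'deny perm=any all : all'` (and carries the `dyny` typo); since it documents the invariant the consumer relies on, update it in the same change: `# rhel8stig_fapolicy_white_list is the whitelist for fapolicyd; the last item in the list must be the catch-all deny rule, e.g. 'deny perm=any all : all'`. Nothing in the hunk validates the list, so this comment is the only thing telling an operator who overrides the variable that the trailing deny is required.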
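Review bot: The new comment `# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules` is hard to parse; from the task changes in this commit the intended meaning seems to be that the white list is only applied when no zone is copied, so say that: `# rhel8stig_white_list_services is only applied when rhel8stig_copy_existing_zone is false; with a copied zone the source zone's services are kept instead`. Because `rhel8stig_copy_existing_zone: true` is the new default, existing users of the role will stop getting the white list (`http`/`https` in particular) opened in the custom zone on upgrade and will inherit whatever `public` currently allows, which deserves a Changelog line and possibly a `false` default. The comment on `rhel8stig_copy_existing_zone` reads `existing zones rules` where `existing zone's rules` is meant.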
@@ -6052,6 +6052,27 @@ permanent: true state: present + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Copy existing rules to new zone" + ansible.builtin.copy: + src: "/etc/firewalld/zones/{{ rhel8stig_existing_zone_to_copy }}.xml" + dest: "/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml" + remote_src: true + when: + - rhel8stig_copy_existing_zone + - rhel8stig_existing_zone_to_copy | length > 0 + + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Amend copied file" + ansible.builtin.replace: + path: "/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml" + regexp: "{{ item.regexp }}" + replace: \1{{ item.replace }}\2 + loop: + - { regexp: (\s*(\s*$), replace: ' target="DROP">' } + - { regexp: (\s*).*(<\/short>), replace: "{{ rhel8stig_custom_firewall_zone }}" } + when: + - rhel8stig_copy_existing_zone + - rhel8stig_existing_zone_to_copy | length > 0 + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh" ansible.posix.firewalld: zone: "{{ rhel8stig_custom_firewall_zone }}" @@ -6061,6 +6082,8 @@ port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" + when: + - not rhel8stig_copy_existing_zone - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.10+" ansible.posix.firewalld: 
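Review bot: The `Copy existing rules to new zone` task is not idempotent and will overwrite operator changes: `ansible.builtin.copy` compares `src` and `dest`, and because the following `replace` task rewrites the destination, every run finds them different, copies the source zone over the custom zone again and discards any services or rich rules added to that zone since the last run. Adding `force: false` to the copy task turns it into a one-time bootstrap (a `stat` on the destination with a `when` on `.stat.exists` is the alternative). Separately, the `- not rhel8stig_copy_existing_zone` condition added in the second hunk on this line means the white list is never applied to a copied zone, so the resulting allow-by-exception set is whatever the source zone permitted rather than `rhel8stig_white_list_services`; if that is intended it needs stating in the task name or the defaults comment. The two `regexp` values are rendered here without their XML tags (`(\s*(\s*$)` is unbalanced as shown), so I could not verify that the first one still matches a zone line that already carries a `target=` attribute, which a copied drop- or block-style zone would; worth a check against such a zone.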
@@ -6068,7 +6091,9 @@ permanent: true state: enabled target: DROP - when: ansible_version.full is version_compare('2.10.0 | int', '>=') + when: + - ansible_version.full is version_compare('2.10.0 | int', '>=') + - not rhel8stig_copy_existing_zone - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9" block: @@ -6082,7 +6107,9 @@ ansible.builtin.shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP when: - rhel8stig_target_drop_set.rc != 0 - when: ansible_version.full is version_compare('2.10 | int', '<') + when: + - ansible_version.full is version_compare('2.10 | int', '<') + - not rhel8stig_copy_existing_zone - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" ansible.builtin.shell: firewall-cmd --reload From 40b5070f8546ccfd55d1de28880945236c554097 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 17:51:26 +0000 Subject: [PATCH 031/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](https://github.com/ansible-community/ansible-lint/compare/v24.2.1...v24.2.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1f3f17bf..71a7e81a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.1 + rev: v24.2.2 hooks: - id: ansible-lint name: Ansible-lint From db1b008e1105eafe46170c83a33d30e0ddfa243a Mon Sep 17 00:00:00 2001 
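Review bot: The re-added condition `ansible_version.full is version_compare('2.10.0 | int', '>=')` (and `'2.10 | int'` in the next hunk) passes the literal string `2.10.0 | int` as the version to compare against — the pipe is inside the quotes, so no `int` filter runs and the comparison is against text that happens to sort after `2.10.0` only because of the trailing characters. It works by accident for most versions (as far as I can tell 2.10.0 itself would compare as less than that string), and the two hunks use different literals; `ansible_version.full is version('2.10.0', '>=')` and `ansible_version.full is version('2.10.0', '<')` say what is meant and are consistent with each other. The body of the `2.9` block starts outside the hunk.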
From: Mark Bolwell Date: Thu, 25 Apr 2024 09:20:33 +0100 Subject: [PATCH 032/202] fixed error in conditional rhel-08-020022 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 1b1471e9..8e50668b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3206,7 +3206,7 @@ - password-auth when: - rhel_08_020022 - - ansible_distribution_version is version('8.2', '>=') + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020022 - CAT2 From 18d8335a420f91849a4e69cfe5371c15eddf9615 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Tue, 30 Apr 2024 09:57:33 +0100 Subject: [PATCH 033/202] Merge in changes from v1r13 - Jan 24 (#274) * updated v1r13 reference Signed-off-by: Mark Bolwell * v1r13 updates Signed-off-by: Mark Bolwell * updated thanks to @Phenix66 Signed-off-by: Mark Bolwell * updated thanks to @fallenpixel Signed-off-by: Mark Bolwell * tidy up quotes around mode Signed-off-by: Mark Bolwell * tidy up variables Signed-off-by: Mark Bolwell * updates to auditing order Signed-off-by: Mark Bolwell * #266 fix added Signed-off-by: Mark Bolwell * added prelim to includes Signed-off-by: Mark Bolwell * updated v1r13 reference Signed-off-by: Mark Bolwell * v1r13 updates Signed-off-by: Mark Bolwell * updated thanks to @Phenix66 Signed-off-by: Mark Bolwell * tidy up quotes around mode Signed-off-by: Mark Bolwell * tidy up variables Signed-off-by: Mark Bolwell * updates to auditing order Signed-off-by: Mark Bolwell * added prelim to includes Signed-off-by: Mark Bolwell * file mode updates with improved var usage Signed-off-by: Mark Bolwell --------- 
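Review bot: `ansible_distribution_version is version('8.1', '<=')` states the intended range indirectly: judging from the old condition the task is meant for releases below 8.2, and `ansible_distribution_version is version('8.2', '<')` expresses that directly and also covers any point release such as 8.1.1 that `<= 8.1` would exclude. If this task is the pre-8.2 counterpart of one guarded by `version('8.2', '>=')`, using the complementary operator on the same constant makes the pairing obvious. The enclosing task starts outside the hunk.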
Signed-off-by: Mark Bolwell --- Changelog.md | 29 +++++ README.md | 3 +- defaults/main.yml | 87 +++++++------- handlers/main.yml | 9 +- tasks/fix-cat1.yml | 6 +- tasks/fix-cat2.yml | 145 ++++++++++++----------- tasks/fix-cat3.yml | 40 +++---- tasks/main.yml | 17 --- tasks/post_remediation_audit.yml | 8 +- tasks/pre_remediation_audit.yml | 31 ++--- tasks/prelim.yml | 191 ++++++++++++++++--------------- vars/audit.yml | 17 ++- 12 files changed, 306 insertions(+), 277 deletions(-) diff --git a/Changelog.md b/Changelog.md index c0bcafc1..f2d02d09 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,34 @@ # Changes to RHEL8STIG +## 3.2 - STIV V1R13 - 24th Jan 2024 + +- Audit updated + - moved audit into prelim + - updates to audit logic for copy and archive options + +ruleid updated + +- 010001 +- 020250 +- 020290 +- 040090 + +CAT II + +- 020035 - updated rule and added handler for logind restart +- 040020 - /bin/false update and ruleid update +- 040080 - /bin/false and ruleid +- 040111 - /bin/false and ruleid + +CAT III + +- 040021 - /bin/false and ruleid +- 040022 - /bin/false and ruleid +- 040023 - /bin/false and ruleid +- 040024 - /bin/false and ruleid +- 040025 - /bin/false and ruleid +- 040026 - /bin/false and ruleid + ## 3.1 - STIG V1R12 - 25th Oct 2023 ruleid updated diff --git a/README.md b/README.md index 9ed50479..b56d32d6 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip). --- 
@@ -29,7 +29,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License) - --- ## Looking for support? diff --git a/defaults/main.yml b/defaults/main.yml index acc87c40..ccfc9ea6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r12' +benchmark_version: 'v1r13' ## Benchmark name used by audting control role # The audit variable found at the base @@ -35,7 +35,6 @@ rhel8stig_audit_disruptive: false rhel8stig_skip_for_travis: false rhel8stig_workaround_for_disa_benchmark: true -rhel8stig_workaround_for_ssg_benchmark: true # tweak role to run in a chroot, such as in kickstart %post script rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" 
@@ -56,23 +55,26 @@ rhel8stig_skip_reboot: true # Defined will change if control requires change_requires_reboot: false -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/auditd.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file 
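Review bot: The new banner line `### vars/auditd.yml for other settings ###` points at a file that does not appear in this commit's diffstat, which lists `vars/audit.yml`; if the audit variables live there the comment should read `### vars/audit.yml for other settings ###`. The unchanged `audit_capture_files_dir: /some/location to copy to on control node` is a plain scalar with spaces that is clearly a placeholder and would be safer as a quoted string so the intent is obvious. The comment on `audit_run_heavy_tests` says `greater impact on a system` twice and could be shortened to `# Run heavy tests - some tests can have a greater impact on the system`.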
@@ -85,20 +87,24 @@ get_audit_binary_method: download audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# archive or copy: -audit_conf_copy: "some path to copy from" +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# get_url: -audit_files_url: "some url maybe s3?" +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# Where the audit logs are stored +audit_log_dir: '/opt' -### End Goss enablements #### -#### Detailed settings found at the end of this document #### +### Goss Settings ## +####### END ######## # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group @@ -501,11 +507,6 @@ rhel8stig_kdump_needed: false # or rhel8stig_gui) rhel8stig_always_configure_dconf: false -# Whether or not to run tasks related to smart card authentication enforcement -rhel8stig_smartcard: false -# Configure your smartcard driver -rhel8stig_smartcarddriver: cackey - # Set the file that sysctl should write to rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf 
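Review bot: `audit_conf_copy` and `audit_files_url` are removed in favour of the single `audit_conf_source`, but nothing in the hunk tells an existing user of the role that their old override is now silently ignored; add one line to the comment block, e.g. `# Replaces audit_conf_copy and audit_files_url from earlier releases`, and call the rename out in this commit's Changelog entry. For `get_url` the comment says the content is expected as a GitHub tar.gz, but no way to pin it is shown: a companion variable holding the archive's expected checksum, passed to the `checksum` parameter of `get_url` where the download happens (outside this diff), would let an operator verify the audit content before it is unpacked and run on managed nodes. `audit_conf_dest: "/opt"` and `audit_log_dir: '/opt'` use different quote styles on adjacent lines; single quotes match the rest of the file.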
@@ -528,6 +529,11 @@ rhel8stig_ipv6_required: true # When set to anything other than mcafee it will skip this control assuming localized threat prevention management rhel8stig_av_sftw: mcafee +# RHEL-08-010110 & 010130 & 010760 & 020190 & 020200 & 020231 & 020310 & 020351 +# rhel8stig_login_defs_file_perms +# Permissions set on /etc/login.defs +rhel8stig_login_defs_file_perms: 0644 + # RHEL-08-010210 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to. # To conform to STIG standards this needs to be 0640 or more restrictive @@ -559,10 +565,6 @@ rhel8stig_ssh_pub_key_perm: 0644 rhel8stig_ssh_priv_key_perm: 0600 # RHEL-08-010690 -# Set standard user paths here -# Also set whether we should automatically remediate paths in user ini files. -# rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" -rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false # RHEL-08-010700 @@ -591,6 +593,19 @@ rhel8stig_local_int_home_file_perms: 0750 # To connform to STIG standards this needs to be set to 0740 or less permissive rhel8stig_local_int_perm: 0740 +# RHEL-08-020100 pamd file permissions - /etc/pam.d/(password-auth|system-auth) files +# rhel8stig_pamd_file_perms +# This needs a minimum of 0644 ( more restrictive may cause issues testing will be required) +rhel8stig_pamd_file_perms: 0644 + +# RHEL-08-020110 - pwquality file permissions +# mode: "{{ rhel8stig_pamd_file_perms }}" +rhel8stig_pwquality_file_perms: 0644 + +# RHEL-08-0400xx +# blacklist.conf - /etc/modprobe.d/blacklist.conf file permissions +rhel8stig_blacklist_conf_file_perms: 0640 + # RHEL-08-020250 # This is a check for a "supported release" # These are the minimum supported releases. 
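Review bot: `rhel8stig_login_defs_file_perms: 0644` (and `rhel8stig_pamd_file_perms`, `rhel8stig_pwquality_file_perms`, `rhel8stig_blacklist_conf_file_perms` in the next hunk) are unquoted, so YAML 1.1 loads them as the integers 420/416; when the tasks in this commit template them through `mode: "{{ rhel8stig_login_defs_file_perms }}"` the module receives the string `420`, and as far as I can tell Ansible parses a digit-string mode as octal, giving 0420 (r---w----) on /etc/login.defs and the pam.d files instead of 0644 — exactly the trap the rest of this commit's `mode: '0644'` quoting avoids. Quote all four new defaults, e.g. `rhel8stig_login_defs_file_perms: '0644'` and `rhel8stig_blacklist_conf_file_perms: '0640'`. The existing `rhel8stig_ssh_pub_key_perm`, `rhel8stig_local_int_home_file_perms` and `rhel8stig_local_int_perm` defaults visible in the context have the same shape and are worth checking in the same pass.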
@@ -707,13 +722,6 @@ rhel8stig_sssd: maprule: (userCertificate;binary={cert!bin}) domains: "{{ rhel8stig_sssd_domain }}" -# RHEL-08-020070 -# Session timeout setting file (TMOUT setting can be set in multiple files) -# Timeout value is in seconds. (60 seconds * 10 = 600) -rhel8stig_shell_session_timeout: - file: /etc/profile.d/tmout.sh - timeout: 600 - # RHEL-08-010200 | All network connections associated with SSH traffic must # terminate at the end of the session or after 10 minutes of inactivity, except # to fulfill documented and validated mission requirements. @@ -763,14 +771,6 @@ rhel8stig_pam_faillock: # RHEL-08-020035 rhel_08_020035_idlesessiontimeout: 900 -# RHEL-08-030670 -# rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards -rhel8stig_audisp_disk_full_action: single - -# RHEL-08-030680 -# rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single -rhel8stig_audisp_network_failure_action: single - # RHEL-08-030060 # rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards rhel8stig_auditd_disk_full_action: HALT 
@@ -910,11 +910,6 @@ rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@open # Expected Values for FIPS KEX algorithims rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" -# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting -# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings -# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256" - # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 diff --git a/handlers/main.yml b/handlers/main.yml index c210d6f1..cd5e4829 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,6 +10,11 @@ when: - not system_is_container +- name: Restart_systemdlogin + ansible.builtin.systemd: + name: systemd-logind + state: restarted + - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" @@ -74,7 +79,7 @@ remote_src: true owner: root group: root - mode: 0755 + mode: '0755' when: - rhel8stig_grub2_user_cfg.stat.exists - rhel8stig_workaround_for_disa_benchmark @@ -97,7 +102,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: '0600' notify: restart auditd - name: restart auditd diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f89014d5..04597be6 100644 
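Review bot: The new `Restart_systemdlogin` handler has no `when: not system_is_container` guard, unlike the handler immediately above it in the hunk; inside a container systemd-logind is normally not running and the restart is likely to fail the play. Its name also breaks the file's lowercase `restart <service>` convention (`restart auditd`, `sysctl system`), and the `notify: Restart_systemdlogin` added in fix-cat2 must match it exactly, so pick the convention once, e.g. `- name: restart systemd-logind`. Restarting logind on a host with interactive sessions is disruptive enough that a comment noting it is needed for `StopIdleSessionSec` to take effect would help the next reader.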
--- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -63,7 +63,7 @@ dest: /etc/default/grub owner: root group: root - mode: 0644 + mode: '0644' vars: grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler @@ -187,7 +187,7 @@ line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" owner: root group: root - mode: 0640 + mode: '0640' notify: confirm grub2 user cfg when: - not system_is_ec2 @@ -437,7 +437,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' with_items: - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8e50668b..3f3e96ae 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -25,7 +25,7 @@ - CAT2 - CCI-001233 - SRG-OS-000191-GPOS-00080 - - SV-245540r754730_rule + - SV-245540r942951_rule - V-245540 - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." @@ -293,6 +293,9 @@ path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010110 tags: @@ -344,6 +347,9 @@ path: /etc/login.defs regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010130 tags: @@ -363,7 +369,7 @@ dest: /etc/grub.d/01_users owner: root group: root - mode: 0755 + mode: '0755' notify: confirm grub2 user cfg when: - rhel_08_010141 or 
@@ -388,7 +394,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010151 tags: @@ -408,7 +414,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010152 tags: @@ -842,7 +848,6 @@ - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" ansible.builtin.shell: fips-mode-setup --enable - register: rhel_08_010290_fips_enable notify: change_requires_reboot when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' when: @@ -2398,7 +2403,7 @@ dest: /etc/resolv.conf owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010680_networkmanager_check.stdout == '0' - rhel8_stig_use_resolv_template @@ -2652,6 +2657,9 @@ path: /etc/login.defs regexp: '.*?CREATE_HOME.*' line: CREATE_HOME yes + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010760 tags: @@ -3292,7 +3300,7 @@ regexp: '^lock-enabled' owner: root group: root - mode: 0644 + mode: '0644' line: | [org/gnome/desktop/screensaver] # Set this to true to lock the screen when the screensaver activates @@ -3315,8 +3323,12 @@ - name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions." ansible.builtin.lineinfile: path: "/etc/systemd/logind.conf" - regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec=' - line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^(?#)\s*StopIdleSessionSec\s*=', line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}" } + - { regexp: '^(?#)\s*KillUserProccesses\s*=', line: "KillUserProccesses=no" } + notify: Restart_systemdlogin when: - rhel_08_020035 tags: @@ -3324,7 +3336,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-257258r917891_rule + - SV-257258r942953_rule - V-257258 - session 
@@ -3344,7 +3356,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' loop: - { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' } - { regexp: '^bind X lock-session', line: 'bind X lock-session' } @@ -3401,7 +3413,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' line: | [org/gnome/settings-daemon/peripherals/smartcard] removal-action='lock-screen' @@ -3432,7 +3444,7 @@ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action owner: root group: root - mode: 0640 + mode: '0640' when: rhel_08_020050_removal_action_file.stdout_lines | length == 0 notify: dconf update when: @@ -3461,14 +3473,14 @@ create: true owner: root group: root - mode: 0640 + mode: '0640' regexp: '^idle-delay' line: | [org/gnome/desktop/session] # Set the lock time out to 900 seconds before the session is considered idle idle-delay=uint32 900 notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout | length == 0 + when: rhel_08_020060_idle_delay_param.stdout_lines | length == 0 - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" ansible.builtin.lineinfile: @@ -3477,9 +3489,9 @@ line: idle-delay=uint32 900 owner: root group: root - mode: 0640 - loop: "{{ rhel_08_020060_idle_delay_param.stdout }}" - when: rhel_08_020060_idle_delay_param.stdout | length > 0 + mode: '0640' + loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}" + when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0 notify: dconf update when: - rhel_08_020060 @@ -3509,7 +3521,7 @@ line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_020070 tags: @@ -3528,7 +3540,7 @@ line: /org/gnome/desktop/screensaver/lock-delay owner: root group: root - mode: 0640 + mode: '0640' when: - rhel_08_020080 - "'dconf' in ansible_facts.packages" 
@@ -3549,7 +3561,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } @@ -3576,7 +3588,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: - rhel_08_020100 tags: @@ -3596,7 +3608,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: - rhel_08_020101 tags: @@ -3624,7 +3636,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020102_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" @@ -3664,7 +3676,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020103_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" @@ -3693,6 +3705,7 @@ path: /etc/security/pwquality.conf regexp: '^retry =|^#.*retry =' line: retry = {{ rhel8stig_pam_pwquality_retry }} + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020104 - ansible_distribution_version is version('8.4', '>=') @@ -3712,7 +3725,7 @@ line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" create: true when: - rhel_08_020110 
@@ -3733,7 +3746,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020120 tags: @@ -3753,7 +3766,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020130 tags: @@ -3773,7 +3786,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020140 tags: @@ -3793,7 +3806,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020150 tags: @@ -3813,7 +3826,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020160 tags: @@ -3833,7 +3846,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020170 tags: @@ -3875,7 +3888,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020190 tags: @@ -3891,11 +3904,11 @@ ansible.builtin.lineinfile: path: /etc/login.defs create: true - owner: root - group: root - mode: 0644 regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020200 tags: @@ -3953,7 +3966,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020220_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" 
@@ -3992,7 +4005,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020221_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" @@ -4023,7 +4036,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020230 tags: @@ -4042,7 +4055,7 @@ line: "PASS_MIN_LEN 15" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020231 tags: @@ -4100,7 +4113,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0600 + mode: '0600' notify: restart sssd with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } @@ -4112,7 +4125,7 @@ line: auth sufficient pam_sss.so try_cert_auth owner: root group: root - mode: 0644 + mode: '0644' notify: restart sssd when: rhel_08_020250_sc_auth_sss.stdout | length == 0 @@ -4159,7 +4172,7 @@ - CAT2 - CCI-000765 - SRG-OS-000105-GPOS-00052 - - SV-230372r627750_rule + - SV-230372r942945_rule - V-230372 - pamd @@ -4208,7 +4221,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020280 tags: @@ -4228,7 +4241,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } @@ -4240,7 +4253,7 @@ - CAT2 - CCI-002007 - SRG-OS-000383-GPOS-00166 - - SV-230376r627750_rule + - SV-230376r942948_rule - V-230376 - sssd @@ -4252,7 +4265,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020300 tags: 
@@ -4271,7 +4284,7 @@ line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020310 tags: @@ -4343,7 +4356,7 @@ line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020351 tags: @@ -4559,7 +4572,7 @@ ansible.builtin.file: path: "{{ rhel08_030070_auditlog_location.stdout }}" state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}" - mode: '0600' + mode: o-x,go-rwx when: - rhel_08_030070 tags: @@ -4687,7 +4700,7 @@ - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" ansible.builtin.file: path: "{{ rhel_08_030120_audit_log_dir.stdout }}" - mode: 0700 + mode: go-rwx state: directory when: rhel_08_030120_audit_log_dir.stdout | length > 0 when: @@ -5473,7 +5486,7 @@ - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." ansible.builtin.file: path: "{{ item }}" - mode: 0640 + mode: '0640' with_items: - /etc/audit/rules.d/audit.rules - /etc/audit/auditd.conf @@ -5500,7 +5513,7 @@ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools" ansible.builtin.file: path: "{{ item }}" - mode: 0755 + mode: go-w with_items: - "{{ rhel_08_030620_tools.stdout_lines }}" when: @@ -5571,7 +5584,7 @@ line: "{{ item }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - "# Audit Tools" - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 
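Review bot: `mode: o-x,go-rwx` on the audit log file: the `o-x` clause is already covered by `go-rwx`, so the expression never touches the owner bits and a log file that is 0700 (or carries any owner execute bit) stays that way, which is more permissive than the 0600 the line previously set. `mode: u-x,go-rwx` yields 0600 from any starting mode and is presumably what was intended. The same reading applies to `go-w` on the audit tools later on this line, which leaves setuid/setgid bits in place where `0755 or less permissive` would not; if that is acceptable, a short comment on why symbolic modes replaced the numeric ones would help, since the rest of this commit moves the other way. The enclosing tasks start outside the hunks.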
@@ -5696,7 +5709,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: @@ -5823,12 +5836,12 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" insertafter: "{{ item.insertafter }}" notify: change_requires_reboot with_items: - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } - - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/true', insertafter: '##Disable WebCam' } + - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/false', insertafter: '##Disable WebCam' } - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } when: - rhel_08_040020 @@ -5837,7 +5850,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230493r809316_rule + - SV-230493r942915_rule - V-230493 - camera @@ -5971,9 +5984,9 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" with_items: - - { regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { regexp: '^install usb-storage', line: 'install usb-storage /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} when: - rhel_08_040080 @@ -5982,7 +5995,7 @@ - CAT2 - CCI-000778 - SRG-OS-000114-GPOS-00059 - - SV-230503r809319_rule + - SV-230503r942936_rule - V-230503 - usb_devices @@ -6130,7 +6143,7 @@ - CAT2 - CCI-002314 - SRG-OS-000297-GPOS-00115 - - SV-230504r809321_rule + - SV-230504r942942_rule - V-230504 - firewall 
@@ -6170,11 +6183,11 @@ ansible.builtin.lineinfile: path: /etc/modprobe.d/bluetooth.conf regexp: '^install bluetooth ' - line: "install bluetooth /bin/true" + line: "install bluetooth /bin/false" create: true owner: root group: root - mode: 0640 + mode: '0640' notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module" @@ -6185,7 +6198,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" insertafter: "{{ item.insertafter }}" notify: change_requires_reboot with_items: @@ -6197,7 +6210,7 @@ - CAT2 - CCI-001443 - SRG-OS-000300-GPOS-00118 - - SV-230507r833336_rule + - SV-230507r942939_rule - V-230507 - bluetooth diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 31c8abb7..6a8a5dbc 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -238,7 +238,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_020024 tags: @@ -381,7 +381,7 @@ create: true owner: root group: root - mode: 0600 + mode: '0600' when: - rhel_08_030603 tags: @@ -472,10 +472,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install atm', line: 'install atm /bin/true', insertafter: 'EOF' } + - { regexp: '^install atm', line: 'install atm /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist atm', line: 'blacklist atm', insertafter: '^install atm /bin/true' } when: - rhel_08_040021 @@ -484,7 +484,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230494r792911_rule + - SV-230494r942918_rule - V-230494 - modprobe - atm 
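Review bot: In the RHEL-08-040021 task the `blacklist atm` item still uses `insertafter: '^install atm /bin/true'` while the install line in the same list now writes `/bin/false`, so on a fresh file the anchor never matches and lineinfile silently appends at EOF; on a file that still carries an old `/bin/true` line it anchors on the stale entry instead. The result is usually still correct but the ordering intent is lost. Use `insertafter: '^install atm'`, as the sctp and tipc tasks in this series do.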
@@ -498,10 +498,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install can', line: 'install can /bin/true', insertafter: 'EOF' } + - { regexp: '^install can', line: 'install can /bin/false', insertafter: 'EOF' } - { regexp: 'blacklist can', line: 'blacklist can', insertafter: '^install can /bin/true' } when: - rhel_08_040022 @@ -510,7 +510,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230495r792914_rule + - SV-230495r942921_rule - V-230495 - modprobe - can @@ -524,10 +524,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install sctp', line: 'install sctp /bin/true', insertafter: 'EOF' } + - { regexp: '^install sctp', line: 'install sctp /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist sctp', line: 'blacklist sctp', insertafter: '^install sctp' } when: - rhel_08_040023 @@ -536,7 +536,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230496r792917_rule + - SV-230496r942924_rule - V-230496 - modprobe - sctp @@ -550,10 +550,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install tipc', line: 'install tipc /bin/true', insertafter: 'EOF' } + - { regexp: '^install tipc', line: 'install tipc /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist tipc', line: 'blacklist tipc', insertafter: '^install tipc' } when: - rhel_08_040024 @@ -562,7 +562,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230497r792920_rule + - SV-230497r942927_rule - V-230497 - modprobe - tipc 
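Review bot: The RHEL-08-040022 task has the same stale anchor as the atm task, `insertafter: '^install can /bin/true'`, while the install line now writes `/bin/false`, so the blacklist line is appended at EOF rather than placed after its install line; change it to `insertafter: '^install can'`. Separately, the `regexp: 'blacklist can'` item is unanchored and lineinfile uses a search, so if the file already blacklists a related module such as `can_raw` or `can_bcm` that line would be rewritten to `blacklist can`; `regexp: '^blacklist can$'` avoids that.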
@@ -576,10 +576,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } + - { regexp: '^install cramfs', line: 'install cramfs /bin/false', insertafter: 'EOF' } - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } when: - rhel_08_040025 @@ -588,7 +588,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230498r792922_rule + - SV-230497r942927_rule - V-230498 - modprobe - cramfs @@ -602,10 +602,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } + - { regexp: '^install firewire-core', line: 'install firewire-core /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } when: - rhel_08_040026 @@ -614,7 +614,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230499r792924_rule + - SV-230499r942933_rule - V-230499 - modprobe - firewire diff --git a/tasks/main.yml b/tasks/main.yml index 14a40c90..96d3f1df 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,23 +134,6 @@ - prelim_tasks - run_audit -- name: Include audit specific variables - ansible.builtin.include_vars: audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - -- name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - - name: Include CAT I patches ansible.builtin.import_tasks: fix-cat1.yml when: rhel8stig_cat1_patch 
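Review bot: The cramfs task's rule tag is changed to `SV-230497r942927_rule`, which is the tipc rule ID already applied to RHEL-08-040024 in the previous hunk; it sits next to `V-230498` and should be the SV-230498 revision from the v1r12 changelog, i.e. `- SV-230498r<revision>_rule`. As committed, running with `--tags SV-230497r942927_rule` selects both the tipc and cramfs tasks, and no rule-ID tag selects cramfs on its own.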
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2c51bbb0..b3111c80 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,11 +1,11 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users @@ -22,7 +22,7 @@ - audit_format == "json" block: - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false @@ -37,7 +37,7 @@ - audit_format == "documentation" block: - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e3a261e7..d0137e81 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -5,7 +5,8 @@ - setup_audit tags: - setup_audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: 
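Review bot: The `run_audit.sh` command line passes `audit_vars_path` and `post_audit_outfile` unquoted to `ansible.builtin.shell`; both are built from `ansible_facts.hostname` and the operator-set output directory, so a value containing a space or a shell metacharacter breaks the command or injects into it. Quote them the way the `-g` argument already is, e.g. `-v \"{{ audit_vars_path }}\" -f {{ audit_format }} -o \"{{ post_audit_outfile }}\"`, or switch to `ansible.builtin.command` with an `argv` list. The `cat`/`tail` capture tasks lower in this file have the same unquoted path.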
@@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -77,19 +80,19 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false 
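Review bot: Replacing `get_url` with `unarchive` + `remote_src` means the audit bundle is now downloaded straight onto the target whenever `audit_conf_source` contains `http`, and unlike `get_url` the `unarchive` module has no `checksum` option, so content that is later executed as root on every host is never integrity-checked; the substring test also accepts plain `http://`. Keep a `get_url` step with `checksum: "sha256:..."` (or pin to the `audit_git_version` tag defined in vars/audit.yml) before unarchiving, and test for `https://` rather than `http`. For clarity the `extra_opts` ternary should also return a list, `['--strip-components=1']`, rather than a bare string, since the option is declared as a list.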
@@ -103,8 +106,8 @@ when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 9583a072..17891e57 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -1,5 +1,100 @@ --- +- name: PRELIM | set bootloader type + block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel8_efi_boot + + - name: "PRELIM | set fact if UEFI boot" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + + - name: "PRELIM | set fact if UEFI boot | Oracle Linux" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/redhat + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution == 'OracleLinux' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/grub2/ + rhel8stig_legacy_boot: true + when: not rhel8_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel8stig_bootloader_path }}" + - "legacy boot equals {{ rhel8stig_legacy_boot }}" + tags: + - always + +- name: "PRELIM | Gather interactive user ID min" + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_max_uid + + - name: "PRELIM | Setting the fact" + ansible.builtin.set_fact: + rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" + rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" + tags: + - always + +- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" + block: + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" + 
ansible.builtin.stat: + path: "{{ rhel8stig_sssd_conf }}" + register: rhel8stig_sssd_conf_present + + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" + ansible.builtin.debug: + msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" + changed_when: true + when: + - not rhel8stig_sssd_conf_present.stat.exists + when: + - rhel_08_010400 or + rhel_08_020090 or + rhel_08_020250 or + rhel_08_020290 + tags: + - always + +- name: "PRELIM | Include audit specific variables" + ansible.builtin.include_vars: audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + +- name: "PRELIM | Include pre-remediation audit tasks" + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + - name: "PRELIM | RHEL-08-010020" block: - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" @@ -212,17 +307,6 @@ - RHEL-08-010070 - RHEL-08-030010 -# - name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" -# ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) -# changed_when: false -# failed_when: false -# register: local_home_directories -# when: -# - rhel_08_010730 or -# rhel_08_020352 -# tags: -# - always - - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins 
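Review bot: The `PRELIM | Gather interactive user ID min` block sets `rhel8stig_interactive_uid_start`/`_stop` directly from `grep`/`awk` output with `failed_when: false`, so if `UID_MIN` or `UID_MAX` is missing or commented out in /etc/login.defs the facts become empty strings and every later numeric comparison against them is silently wrong. Give them fallbacks, e.g. `rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | default('1000', true) }}"` and `rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | default('60000', true) }}"`, which are the usual login.defs defaults. This is moved rather than new logic, but the move makes it one of the first things the role runs, so the gap is now hit before any other prelim.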
@@ -339,94 +423,13 @@ - RHEL-08-010770 - complexity-high -- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" - block: - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - ansible.builtin.stat: - path: "{{ rhel8stig_sssd_conf }}" - register: rhel8stig_sssd_conf_present - - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" - ansible.builtin.debug: - msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" - changed_when: true - when: - - not rhel8stig_sssd_conf_present.stat.exists - when: - - rhel_08_010400 or - rhel_08_020090 or - rhel_08_020250 or - rhel_08_020290 - tags: - - always - -- name: "PRELIM | Gather interactive user ID min" - block: - - name: "PRELIM | Gather interactive user ID min" - ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel8stig_min_uid - - - name: "PRELIM | Gather interactive user ID max" - ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel8stig_max_uid - - - name: "PRELIM | Setting the fact" - ansible.builtin.set_fact: - rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" - rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" - tags: - - always - - name: "PRELIM | Gather the package facts" ansible.builtin.package_facts: manager: auto tags: - always -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - always - - goss_template - -- name: PRELIM | set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} - 
rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - - name: "PRELIM | set fact if UEFI boot | Oracle Linux" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/redhat - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution == 'OracleLinux' - - - name: "PRELIM | set if not UEFI boot" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/grub2/ - rhel8stig_legacy_boot: true - when: not rhel8_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel8stig_bootloader_path }}" - - "legacy boot equals {{ rhel8stig_legacy_boot }}" - tags: - - always - -- name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | REHL-08-020028 | If using selinux set up system prereqs" +- name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | RHEL-08-020028 | If using selinux set up system prereqs" block: - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils" ansible.builtin.package: @@ -438,7 +441,7 @@ ansible.builtin.file: path: "{{ rhel8stig_pam_faillock.dir }}" state: directory - mode: 0755 + mode: '0755' owner: root group: root recurse: true diff --git a/vars/audit.yml b/vars/audit.yml index 89e61a84..2802b3e6 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
@@ -15,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}_rh8" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing @@ -36,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} From 3626696f0c31d22171978fac13427e31b4fd18ac Mon Sep 17 00:00:00 2001 
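Review bot: `pre_audit_outfile`, `post_audit_outfile` and `audit_results` now reference `audit_log_dir`, but nothing in this hunk defines it and the `audit_out_dir` it replaces is deleted here; if it is expected from defaults/main.yml, say so the way `audit_conf_dir` does for `audit_conf_dest`, e.g. `# audit_log_dir is expected to be set in defaults/main.yml`. Also the first line of `audit_results` now reads `The audit results are: ...` for the pre-remediation summary even when a post-remediation line follows, which is ambiguous; `The pre remediation audit results are: {{ pre_audit_summary }}` keeps the two distinguishable.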
From: Mark Bolwell Date: Fri, 24 May 2024 11:59:38 +0100 Subject: [PATCH 034/202] updated conditional 040260 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3f3e96ae..71c5664b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7015,6 +7015,7 @@ sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 + - rhel8stig_ipv6_required - not rhel8stig_system_is_router tags: - RHEL-08-040260 From 26bbaadeea6ee4549146b140a3705a5db56f049e Mon Sep 17 00:00:00 2001 From: Jacob Buskirk Date: Wed, 22 Feb 2023 14:30:11 -0500 Subject: [PATCH 035/202] #174 Correct opensshserver.config CRYPTO_POLICY Signed-off-by: Jacob Buskirk Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 99f8544b..5464c9d7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -772,7 +772,7 @@ "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '^CRYPTO_POLICY=' + regexp: "^CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' notify: change_requires_reboot when: @@ -7322,8 +7322,8 @@ - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms." lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: "^CRYPTO_POLICY={{ FIPS_KEX_ALGO }}" - line: "CRYPTO_POLICY={{ FIPS_KEX_ALGO }}" + regexp: "^CRYPTO_POLICY='{{ FIPS_KEX_ALGO }}'" + line: "CRYPTO_POLICY='{{ FIPS_KEX_ALGO }}'" when: - rhel_08_040342 - rhel8stig_ssh_required From 9227a9c879f95ac7398df55bc4626fe60824ee21 Mon Sep 17 00:00:00 2001 
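Review bot: Narrowing the RHEL-08-010291 regexp to `^CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'` means an existing `CRYPTO_POLICY=` line with any other content is no longer matched, so lineinfile appends a second `CRYPTO_POLICY` line instead of replacing it, and RHEL-08-040342 does the same with `FIPS_KEX_ALGO`. Two tasks now write the same variable into one file; which value sshd ends up with depends on how the service consumes the file, and the stale line is left behind either way. A single task writing one combined line matched by `regexp: '^CRYPTO_POLICY='` is the robust fix; if they must stay separate, at least pass the variable through `regex_escape`, since the settings string likely contains regex metacharacters such as `.`.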
From: Jacob Buskirk Date: Wed, 22 Feb 2023 14:42:02 -0500 Subject: [PATCH 036/202] #175 Signed-off-by: Jacob Buskirk Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5464c9d7..5014e785 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4389,9 +4389,6 @@ path: /etc/audit/auditd.conf regexp: '^disk_full_action =' line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" - owner: root - group: root - mode: 0644 when: - rhel_08_030060 tags: @@ -4408,9 +4405,6 @@ path: /etc/audit/auditd.conf regexp: '^local_events =' line: "local_events = yes" - owner: root - group: root - mode: 0644 when: - rhel_08_030061 tags: @@ -4444,7 +4438,6 @@ path: /etc/audit/auditd.conf regexp: '^log_group =' line: "log_group = root" - mode: 0600 when: - rhel_08_030070 tags: From 8912c5c8f840380ceece08a2bf54ef1ae3fe4840 Mon Sep 17 00:00:00 2001 From: Jacob Buskirk Date: Wed, 22 Feb 2023 14:45:40 -0500 Subject: [PATCH 037/202] #176 Signed-off-by: Jacob Buskirk Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 01e61326..85b2880b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -124,7 +124,7 @@ args: warn: false register: rhel_08_010690_getent - changed_when: rhel_08_010690_getent.stdout_lines is defined + changed_when: false failed_when: false tags: - RHEL-08-010690 From 16f725b6ad0d4412bfb832d1aac9203e0aee6704 Mon Sep 17 00:00:00 2001 From: Jacob Buskirk Date: Tue, 28 Feb 2023 07:20:46 -0500 Subject: [PATCH 038/202] RHEL-08-010690 Prelim remove args Signed-off-by: Jacob Buskirk Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 85b2880b..43ab7ef0 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -121,8 +121,6 @@ - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories" # shell: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" shell: "getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..24339{% raw %}}{% endraw %} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" - args: - warn: false register: rhel_08_010690_getent changed_when: false failed_when: false From 2f42bdb00a7ecbcc86dbde09e916828fe7563bc9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 08:46:27 +0000 Subject: [PATCH 039/202] pamd updates and logic improvements Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 114 ++++++++++++++++++++++++++------------------- 1 file changed, 65 insertions(+), 49 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5014e785..dbb6a120 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
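Review bot: The getent range in this task still hard-codes `24339` as the upper bound for interactive UIDs (the commented-out line above it shows `65535` was intended), so home directories of any user with a higher UID are never gathered and RHEL-08-010690 silently skips them. Use a variable rather than a literal, e.g. `getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..{{ rhel8stig_interactive_uid_stop | default('65535') }}{% raw %}}{% endraw %}`, with a comment noting the bound comes from UID_MAX in login.defs. Dropping the removed `warn` argument is otherwise fine.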
@@ -558,28 +558,29 @@ - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth" lineinfile: path: /etc/pam.d/system-auth - regexp: '^auth.*required.*pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + regexp: '^auth\s+required\s+pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth\s+required\s+pam_env.so' notify: restart sssd - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" lineinfile: path: /etc/pam.d/system-auth - regexp: '^auth.*required.*pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + regexp: '^auth\s+required\s+pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. 
| Set account faillock" lineinfile: path: /etc/pam.d/system-auth - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' - insertafter: '^account' + insertbefore: '^account' notify: restart sssd when: - rhel_08_020025 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020025 - CAT2 @@ -594,15 +595,15 @@ - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set preauth" lineinfile: path: /etc/pam.d/password-auth - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' + insertafter: '^auth\s+required\s+pam_env.so' notify: restart sssd - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" lineinfile: path: /etc/pam.d/password-auth - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd 
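Review bot: RHEL-08-020025 is now gated to 8.2 and newer but still edits /etc/pam.d/system-auth directly with lineinfile; on those releases the file is normally generated by authselect, and a later `authselect select`/`apply-changes` will discard these lines, so the lock-out control can quietly disappear. Consider guarding the task with a check that authselect is not managing the file, or enabling the faillock feature through authselect instead, and add a comment such as `# NOTE: direct pam.d edits are overwritten if authselect is re-applied` so operators know the caveat. The `insertbefore: '^account'` change for the account line is a good fix, since faillock must precede pam_unix in the account stack.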
@@ -610,12 +611,13 @@ - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" lineinfile: path: /etc/pam.d/password-auth - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' - insertafter: '^account' + insertbefore: '^account' notify: restart sssd when: - rhel_08_020026 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020026 - CAT2 @@ -2722,7 +2724,7 @@ - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd @@ -2733,7 +2735,7 @@ - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd 
@@ -2744,7 +2746,7 @@ - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' insertafter: '^account' notify: restart sssd @@ -2753,6 +2755,7 @@ - password-auth when: - rhel_08_020010 + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020010 - CAT2 @@ -2769,6 +2772,7 @@ line: "deny = {{ rhel8stig_pam_faillock.attempts }}" when: - rhel_08_020011 + - ansible_distribution_version|int >= 8.2 tags: - RHEL-08-020011 - CAT2 @@ -2783,7 +2787,7 @@ - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd @@ -2794,7 +2798,7 @@ - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd 
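Review bot: The new guard on RHEL-08-020011, `ansible_distribution_version|int >= 8.2`, does not work: `ansible_distribution_version` is a string such as `8.9`, and the `int` filter returns 0 for a value it cannot parse, so the comparison is always false and `deny` is never written to faillock.conf on the 8.2+ systems it targets. Use the same test as every sibling task in this commit, `- ansible_distribution_version is version('8.2', '>=')`.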
@@ -2805,7 +2809,7 @@ - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' insertafter: '^account' notify: restart sssd @@ -2814,6 +2818,7 @@ - password-auth when: - rhel_08_020012 + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020012 - CAT2 @@ -2830,6 +2835,7 @@ line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" when: - rhel_08_020013 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020013 - CAT2 @@ -2844,9 +2850,9 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth\s+required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' + insertafter: '^auth required pam_env.so' notify: restart sssd with_items: - system-auth 
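Review bot: The RHEL-08-020014 preauth task changes `insertafter` to `'^auth required pam_env.so'` with literal single spaces, whereas the stock system-auth/password-auth files column-align these fields with runs of spaces; when the regex does not match, lineinfile falls back to appending the `pam_faillock.so preauth` line at the end of the file, after `pam_deny.so`, which defeats the purpose of preauth. Use the whitespace-tolerant form RHEL-08-020025 already uses in this commit, `insertafter: '^auth\s+required\s+pam_env.so'`.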
@@ -2855,7 +2861,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth\s+required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd @@ -2866,15 +2872,16 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account\s+required pam_faillock.so' + regexp: '^account\s+requireds+pam_faillock.so' line: 'account required pam_faillock.so' - insertafter: '^account' + insertbefore: '^account' notify: restart sssd with_items: - system-auth - password-auth when: - rhel_08_020014 + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020014 - CAT2 @@ -2891,6 +2898,7 @@ line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" when: - rhel_08_020015 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020015 - CAT2 @@ -2936,6 +2944,7 @@ - password-auth when: - rhel_08_020016 + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020016 - CAT2 @@ -2952,6 +2961,7 @@ line: "dir = {{ rhel8stig_pam_faillock.dir }}" when: - rhel_08_020017 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020017 - CAT2 
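Review bot: The regexp in the RHEL-08-020014 account task has lost a backslash — `'^account\s+requireds+pam_faillock.so'` matches the literal text `requireds…`, never the real `account required pam_faillock.so` line — so lineinfile finds nothing and inserts a fresh line before the first `account` entry on every run, leaving duplicate faillock lines in system-auth/password-auth and a task that never reports unchanged. Restore the pattern used by the neighbouring tasks: `regexp: '^account\s+required\s+pam_faillock\.so'`. The switch to `insertbefore: '^account'` is fine for ordering, but it makes the duplication worse because each run stacks another line at the top of the account section. The enclosing block starts before the hunk.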
@@ -2966,9 +2976,9 @@ - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' + insertafter: '^auth required pam_env.so' notify: restart sssd with_items: - system-auth @@ -2977,7 +2987,7 @@ - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd @@ -2988,15 +2998,16 @@ - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' - insertafter: '^account' + insertbefore: '^account' notify: restart sssd with_items: - system-auth - password-auth when: - rhel_08_020018 + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020018 - CAT2 
@@ -3013,6 +3024,7 @@ line: "silent" when: - rhel_08_020019 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020019 - CAT2 @@ -3024,12 +3036,12 @@ - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" + - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' + insertafter: '^auth required pam_env.so' notify: restart sssd with_items: - system-auth @@ -3038,7 +3050,7 @@ - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd 
@@ -3049,15 +3061,16 @@ - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' - insertafter: '^account' + insertbefore: '^account' notify: restart sssd with_items: - system-auth - password-auth when: - rhel_08_020020 + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020020 - CAT2 @@ -3067,13 +3080,14 @@ - V-230342 - pamd -- name: "MEDIUM | RHEL-08-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." lineinfile: path: "/etc/security/faillock.conf" regexp: '^audit|^\# audit' line: "audit" when: - rhel_08_020021 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020021 - CAT2 @@ -3088,9 +3102,9 @@ - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' + insertafter: '^auth required pam_env.so' notify: restart sssd with_items: - system-auth 
@@ -3099,7 +3113,7 @@ - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd @@ -3110,15 +3124,16 @@ - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' - insertafter: '^account' + insertbefore: '^account' notify: restart sssd with_items: - system-auth - password-auth when: - rhel_08_020022 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020022 - CAT2 @@ -3135,6 +3150,7 @@ line: "even_deny_root" when: - rhel_08_020023 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020023 - CAT2 @@ -3467,7 +3483,7 @@ - name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." lineinfile: path: /etc/pam.d/password-auth - regexp: '^password required pam_pwquality.so' + regexp: '^password\s+required\s+pam_pwquality.so' line: 'password required pam_pwquality.so' insertafter: '^password' owner: root 
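Review bot: The RHEL-08-020022 pam.d account task (and, if the `when` sits on the block as it does for the sibling controls, the whole 020022 block) is gated `ansible_distribution_version is version('8.2', '>=')`, the opposite of every other pam.d faillock task in this patch, which runs on `<= 8.1` and leaves 8.2+ to the faillock.conf controls. As written, 8.0/8.1 hosts get neither the pam.d `even_deny_root` edit (020022) nor the faillock.conf one (020023, also `>= 8.2`), so root is never included in lockout there, while 8.2+ hosts receive both mechanisms. If the intent matches the sibling controls the fix is one line: `- ansible_distribution_version is version('8.1', '<=')`. The enclosing block starts before the hunk.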
@@ -3487,7 +3503,7 @@ - name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." lineinfile: path: /etc/pam.d/system-auth - regexp: '^password required pam_pwquality.so' + regexp: '^password\s+required\s+pam_pwquality.so' line: 'password required pam_pwquality.so' insertafter: '^password' owner: root @@ -3515,7 +3531,7 @@ - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" lineinfile: path: /etc/pam.d/system-auth - line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' owner: root group: root @@ -3533,7 +3549,7 @@ when: rhel_08_020102_pwquality_status.stdout | length > 0 when: - rhel_08_020102 - - ansible_distribution_version <= "8.4" + - ansible_distribution_version is version('8.3', '<=') tags: - RHEL-08-020102 - CAT2 @@ -3572,7 +3588,7 @@ when: rhel_08_020103_pwquality_status.stdout | length > 0 when: - rhel_08_020103 - - ansible_distribution_version <= "8.4" + - ansible_distribution_version is version('8.3', '<=') tags: - RHEL-08-020103 - CAT2 @@ -3589,7 +3605,7 @@ line: retry = {{ rhel8stig_pam_pwquality_retry }} when: - rhel_08_020104 - - ansible_distribution_version >= "8.4" + - ansible_distribution_version is version('8.4', '>=') tags: - RHEL-08-020104 - CAT2 
@@ -3842,7 +3858,7 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history" lineinfile: path: /etc/pam.d/password-auth - line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' owner: root group: root @@ -3880,7 +3896,7 @@ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" lineinfile: path: /etc/pam.d/system-auth - line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' owner: root group: root @@ -6333,7 +6349,7 @@ - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on newer than 8.4" lineinfile: - path: "{{ '/etc/fapolicyd/rules.d/99-stig.rules' if rhel_08_040137_rules_dir.stat.exists else '/etc/fapolicyd/fapolicyd.rules' }}" + path: '/etc/fapolicyd/rules.d/99-stig.rules' line: "{{ item }}" create: true with_items: 
@@ -6357,7 +6373,7 @@ notify: - generate fapolicyd rules - restart fapolicyd - when: ansible_distribution_version is version('8.4', '<=') + when: ansible_distribution_version is version('8.3', '<=') - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" lineinfile: From d66fec407bbfc6be6c987b7788e700fe714d84f8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 08:47:05 +0000 Subject: [PATCH 040/202] Added tags pamd controls Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 43ab7ef0..8e6d0be6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -321,6 +321,12 @@ rhel_08_020090 or rhel_08_020250 or rhel_08_020290 + tags: + - RHEL-08-010400 + - RHEL-08-020250 + - RHEL-08-020090 + - RHEL-08-020290 + - pamd - name: "PRELIM | Gather interactive user ID min" block: From 7a40819aa4e4d2e4b4b238e90c9343c041d05a5c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 08:47:44 +0000 Subject: [PATCH 041/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index e77e0bb9..b13e74c8 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,22 @@ # Changes to RHEL8STIG +## Release 2.8.1 + +- updates to pamd logic thanks to @JacobBuskirk for highlighting + + Also following issues/PRs + +- #168 +- #169 +- #170 +- #171 +- #172 +- #177 +- #178 +- #179 +- #180 +- #181 + ## Release 2.8.0 - updates to workflow @@ -20,11 +37,12 @@ - new FIPS_KEX_ALGO variable ## Release 2.7.0 + - lint updates - Benchmark 1.8 Updates - New RULEID for the following, plus additional notes if needed - CAT1 - - RHEL-08-010000  + - RHEL-08-010000 - CAT2 - RHEL-08-010040 - RHEL-08-010090 
@@ -64,7 +82,7 @@ - RHEL-08-020230 - RHEL-08-010280 - RHEL-08-020300 - - RHEL-08-020350 - Updated CCI + - RHEL-08-020350 - Updated CCI - RHEL-08-020352 - RHEL-08-040127 - Added tasks to deal with different versions of RHEL8 - RHEL-08-040161 @@ -91,7 +109,6 @@ - RHEL-08-040286 - Updated to include find adn remove for conflicting parameters - RHEL-08-040340 - RHEL-08-040341 - - RHEL-08-040400 - New control + - RHEL-08-040400 - New control - CAT3 - RHEL-08-020340 - Updated CCI - From 19753c9b8b51d39c6bfafafcebea24ded3ea17a5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 09:04:11 +0000 Subject: [PATCH 042/202] inventory now allows correct audit benchamrk to run Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index a8a11315..f9b6d0ed 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -76,6 +76,5 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true - audit_git_version: devel EOF } From fc79ac206986e289be4aa92a75372dd813a3248b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:05:47 +0000 Subject: [PATCH 043/202] updated logic and seperated tasks Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 87 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 76 insertions(+), 11 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index dbb6a120..08367831 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -769,28 +769,63 @@ - V-244526 - ssh -- name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" - lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: "^CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" - line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' +- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs" + block: + - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_macs + + - debug: + var: rhel8stig_current_macs + + - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. 
| get MACs" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' + backrefs: true notify: change_requires_reboot when: - - rhel_08_010290 or - rhel_08_010291 + - rhel_08_010290 tags: - CAT2 - RHEL-08-010290 - - RHEL-08-010291 - CCI-001453 - SRG-OS-000250-GPOS-00093 - SV-230251r743937_rule - - SV-230252r743940_rule - V-230251 + - fips + - bolly + +- name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Add Ciphers" + block: + - name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_ciphers + + - debug: + var: rhel8stig_current_ciphers + + - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' + backrefs: true + notify: change_requires_reboot + when: + - rhel_08_010291 + tags: + - CAT2 + - RHEL-08-010291 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230252r877394_rule - V-230252 - fips + - bolly - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." block: 
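Review bot: The `regexp` `(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)` in the 010290 patch task assumes the shell step found a MACs token; if the current policy line has none, `stdout` is empty (the pipeline's exit status is sed's, so the task does not fail) and the pattern collapses to a greedy `…-o(.*$)` that rewrites whatever the last `-o` option happens to be — for example replacing the KEX list with `-oMACS=…` and dropping it from the policy. The 010291 ciphers task below has the same shape. Guard the lineinfile with `when: rhel8stig_current_macs.stdout | length > 0` (with an append fallback for the empty case) and escape the captured text, `-o{{ rhel8stig_current_macs.stdout | regex_escape }}`, since it is inserted into a regex unchanged. A `set -o pipefail` (with `executable: /bin/bash`) on the shell step would at least make a missing token visible.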
@@ -7328,6 +7363,36 @@ - SV-230556r858723_rule - ssh + +- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" + block: + - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_kex + + - debug: + var: rhel8stig_current_kex + + - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>' + backrefs: true + notify: change_requires_reboot + when: + - rhel_08_040342 + - rhel8stig_ssh_required + tags: + - RHEL-08-040342 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-255924r880733_rule + - fips + - bolly + - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms." lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config From 364063beab616c8df372f5953e7fcdf19e1835c6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:06:42 +0000 Subject: [PATCH 044/202] added isolated cipher/mac/kex configs Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 443841a8..9338ca56 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
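Review bot: The 040342 KEX task repeats the empty-capture problem of the MACs/ciphers tasks: with no `-oKexAlgorithms` token on the current line, `rhel8stig_current_kex.stdout` is empty and the greedy `(^CRYPTO_POLICY=.*)-o(.*$)` overwrites the last unrelated option instead of adding a KEX list, so guard the lineinfile with `when: rhel8stig_current_kex.stdout | length > 0` and apply `| regex_escape` to the capture. Two smaller points: the patch task's `name` is missing its opening quote and is labelled `| get KEXs` although it writes the file, and the new block is tagged `fips` but not `ssh`, whereas the lineinfile task it supersedes (still visible below) carries `ssh`, so `--tags ssh` runs will presumably skip 040342 once the old task goes. If opensshserver.config is still the symlink into /usr/share/crypto-policies that stock RHEL 8 ships, lineinfile without `follow: true` replaces the link with a regular file — acceptable for STIG, but worth a comment so a later `update-crypto-policies --set` reverting the values is not a surprise.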
@@ -855,7 +855,10 @@ rhel8stig_white_list_services: # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_cipher_settings: "aes256-ctr,aes192-ctr,aes128-ctr" +rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256' +rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr" +rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" + # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting # to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings # to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr From 5e5606d835af6ac5b6b82c16c569f7bcb00a8ee4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:06:56 +0000 Subject: [PATCH 045/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index b13e74c8..2e2b42e3 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## Release 2.8.1 - updates to pamd logic thanks to @JacobBuskirk for highlighting +- improvements to openssh configs and seperated tasks Also following issues/PRs From d3b04b1be7b49cb85e879afbf1c238e9f660d391 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:33:46 +0000 Subject: [PATCH 046/202] removed debug 
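Review bot: The comment header kept above these defaults still describes the single `rhel8stig_ssh_cipher_settings` string ("This will be the MACs setting … must include aes256-ctr …") that this hunk deletes, so the documentation now contradicts the three variables replacing it. Since these values end up verbatim in the root-owned crypto-policy line, each deserves its own one-line comment naming the control it satisfies, e.g. `# RHEL-08-010290: written as -oMACs=…; must include hmac-sha2-512,hmac-sha2-256`, with equivalents for `rhel8stig_ssh_ciphers` (010291) and `rhel8stig_ssh_kex` (040342), plus a note that the `MACS=`/`Ciphers=`/`KexAlgorithms=` keyword prefix is part of the value and must be kept. The paragraph below about `CRYPTO_POLICY` needing `oCiphers=… -oMACS=…` can then be trimmed to whatever still applies.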
Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 08367831..94a83a21 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -776,9 +776,6 @@ changed_when: false register: rhel8stig_current_macs - - debug: - var: rhel8stig_current_macs - - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config @@ -805,9 +802,6 @@ changed_when: false register: rhel8stig_current_ciphers - - debug: - var: rhel8stig_current_ciphers - - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config @@ -7371,9 +7365,6 @@ changed_when: false register: rhel8stig_current_kex - - debug: - var: rhel8stig_current_kex - - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config From 3741ff365d21af306428b3cd9b091978dd297399 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:47:46 +0000 Subject: [PATCH 047/202] removed test tag Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 94a83a21..22720966 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -793,7 +793,6 @@ - SV-230251r743937_rule - V-230251 - fips - - bolly - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Add Ciphers" block: @@ -819,7 +818,6 @@ - SV-230252r877394_rule - V-230252 - fips - - bolly - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." block: @@ -7382,7 +7380,6 @@ - SRG-OS-000250-GPOS-00093 - SV-255924r880733_rule - fips - - bolly - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms." lineinfile: From d14c5cf8a93a1277fba684b0c3f25a7d738ed7cf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 16:53:46 +0000 Subject: [PATCH 048/202] removed repeated content Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 22720966..9e8a7c32 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7381,22 +7381,6 @@ - SV-255924r880733_rule - fips -- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms." - lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: "^CRYPTO_POLICY='{{ FIPS_KEX_ALGO }}'" - line: "CRYPTO_POLICY='{{ FIPS_KEX_ALGO }}'" - when: - - rhel_08_040342 - - rhel8stig_ssh_required - tags: - - RHEL-08-040342 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-255924r880733_rule - - ssh - - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." lineinfile: path: /etc/xinetd.d/tftp From 5cc5d7e632dc33c3647fef61a32f2fbb0d27eed6 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 10 Mar 2023 16:58:35 +0000 Subject: [PATCH 049/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 2e2b42e3..baa51bd2 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,10 +1,13 @@ # Changes to RHEL8STIG -## Release 2.8.1 +## Relase 2.8.3 -- updates to pamd logic thanks to @JacobBuskirk for highlighting - improvements to openssh configs and seperated tasks +## Release 2.8.2 + +- updates to pamd logic thanks to @JacobBuskirk for highlighting + Also following issues/PRs - #168 From 77dd1dd5808f93ee4a60967784a235dafed9820a Mon Sep 17 00:00:00 2001 From: whitehat237 Date: Tue, 7 Mar 2023 18:35:05 -0600 Subject: [PATCH 050/202] Adds default variables and task to modify getent user enumeration command when autofs remote home directories are used. Signed-off-by: whitehat237 Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 +++++++++++ tasks/prelim.yml | 22 ++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9338ca56..3667b6c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -477,6 +477,17 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +#Whether or not system uses remote automounted home directories via autofs +rhel8stig_autofs_remote_home_dirs: false + +#The local mount point used by autofs to mount remote home directory to. This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true +rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/" + +#The default shell command to gather local interactive user directories +## NOTE: You will need to adjust the UID range in parenthesis below. +## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. +local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" + # IPv6 required rhel8stig_ipv6_required: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8e6d0be6..bfcc798b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
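Review bot: With `rhel8stig_autofs_remote_home_dirs: true` the default `rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/"` is fed to `grep -v`, which discards every account whose home is under /home — i.e. all standard local interactive users — so the RHEL-08-010690 enumeration returns nothing and the home-directory remediation silently applies to no one; the default should be the actual automount path (e.g. a dedicated `/home/remote/`) and the comment should warn that a prefix shared with local homes disables the control. The new default command `getent passwd { {{ rhel8stig_int_gid }}..65535}` also appears to render with a space after the `{`, which defeats shell brace expansion (the active prelim line it replaces used `{% raw %}` precisely to emit `{1000..24339}` without that space), so it presumably yields no users at all — confirm the rendered command on a host. Finally, `local_interactive_user_dir_command` is the only default here without the `rhel8stig_` prefix, which makes it easy to clobber from inventory or another role; a prefixed name (keeping the old one as an alias) would be safer.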
@@ -116,11 +116,25 @@ - RHEL-08-010750 - RHEL-08-020320 -## NOTE: You will need to adjust the UID range in parenthases below. -## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. +- name: Ensure user enumeration command is modified when autofs remote home directories are used + block: + - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero + assert: + that: + - rhel8stig_auto_mount_home_dirs_local_mount_point is defined + - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 + + - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories + set_fact: + local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" + when: + - rhel8stig_autofs_remote_home_dirs + tags: + - RHEL-08-010690 + - complexity-high + - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories" - # shell: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" - shell: "getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..24339{% raw %}}{% endraw %} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" + shell: "{{ local_interactive_user_dir_command }}" register: rhel_08_010690_getent changed_when: false failed_when: false From a0213a1838c32763944dd08b82792e77d555b333 Mon Sep 17 00:00:00 2001 From: whitehat237 Date: Tue, 7 Mar 2023 18:50:09 -0600 Subject: [PATCH 051/202] Adds default variables and task to modify getent user enumeration command when autofs remote home directories are used. Signed-off-by: whitehat237 Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
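Review bot: The `set_fact` that appends the autofs exclusion is missing its closing single quote — `… | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}"` renders as `grep -v '/home/` and /bin/sh rejects the unterminated quote. Because the consuming task (`Gather local interactive user directories`) has `failed_when: false`, that syntax error is swallowed, `rhel_08_010690_getent.stdout` is empty, and the 010690 home-directory control runs against nothing without any warning. The value is also interpolated straight into a root shell command with only a non-empty assert, so quote it through Jinja rather than by hand: `local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v {{ rhel8stig_auto_mount_home_dirs_local_mount_point | quote }}"`. Consider replacing `failed_when: false` on the getent task with an explicit `failed_when: rhel_08_010690_getent.rc not in [0, 1]` so an empty result cannot hide a broken pipeline.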
diff --git a/defaults/main.yml b/defaults/main.yml index 3667b6c0..980ee84f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -482,7 +482,7 @@ rhel8stig_autofs_remote_home_dirs: false #The local mount point used by autofs to mount remote home directory to. This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/" - + #The default shell command to gather local interactive user directories ## NOTE: You will need to adjust the UID range in parenthesis below. ## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. From 1735f6ecff488994f2b928df9c6f1e2703257ecf Mon Sep 17 00:00:00 2001 From: whitehat237 Date: Tue, 7 Mar 2023 19:25:41 -0600 Subject: [PATCH 052/202] Updates task name per task naming convention standard used Signed-off-by: whitehat237 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bfcc798b..8c94777f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -116,7 +116,7 @@ - RHEL-08-010750 - RHEL-08-020320 -- name: Ensure user enumeration command is modified when autofs remote home directories are used +- name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are used" block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero assert: 
@@ -127,8 +127,9 @@ - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" + when: - - rhel8stig_autofs_remote_home_dirs + - rhel8stig_autofs_remote_home_dirs tags: - RHEL-08-010690 - complexity-high From 97e3ace99bd5227a703f7784c1cc555e5b2e12cb Mon Sep 17 00:00:00 2001 From: whitehat237 Date: Thu, 16 Mar 2023 11:23:15 -0500 Subject: [PATCH 053/202] Updates task name Signed-off-by: whitehat237 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8c94777f..c6af2480 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -116,7 +116,7 @@ - RHEL-08-010750 - RHEL-08-020320 -- name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are used" +- name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero assert: From f1f19c17e2b58f28f87eada0d22e97773a5b022f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 08:19:59 +0000 Subject: [PATCH 054/202] updated check for ansible user password Signed-off-by: Mark Bolwell --- tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 685d2557..d616c996 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -26,20 +26,20 @@ tags: - always -- name: "Check password set for {{ ansible_user }}" +- name: "Check password set for connecting user" block: - - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + - name: Capture current password state of connecting user" + shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - - name: "Assert that password set for {{ ansible_user }} and account not locked" + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: RHEL-08-010380 when: From ad44918dfb0030686094c6398dbe40319953a753 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:29:33 +0000 Subject: [PATCH 055/202] updated layout and details Signed-off-by: Mark Bolwell --- README.md | 101 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 59 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index cb447591..e8f9012c 100644 --- a/README.md +++ b/README.md 
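Review bot: `ansible_env.SUDO_USER` is only present when the connection was escalated through sudo; with `become_method: su`, a direct root login, or no become at all the fact is undefined and the templated shell line errors before the assert runs, so the pre-flight check now breaks exactly the runs it was meant to protect — fall back with `{{ ansible_env.SUDO_USER | default(ansible_user) }}`. The grep is also unanchored, so a username that is a substring of another (`bob` vs `bobby`) returns several shadow lines and `stdout` holds the wrong field; `getent shadow {{ ansible_env.SUDO_USER | default(ansible_user) }} | cut -d: -f2` looks up the exact account. Finally, the assert titled "account not locked" only rejects `!!`: an account locked with `usermod -L` carries a `!`-prefixed hash (`!$6$…`) and passes, even though sudo will not accept its password, so test `not ansible_user_password_set.stdout.startswith('!')` as well. The block's `when:` continues outside the hunk.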
@@ -1,17 +1,52 @@ # RHEL 8 DISA STIG -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG?style=plastic) - -Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. +## Configure a RHEL8 based system to be complaint with Disa STIG This role is based on RHEL 8 DISA STIG: [Version 1, Rel 9 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R9_STIG.zip). -## Join us +--- + +![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) +![Stars](https://img.shields.io/github/stars/ansible-lockdown/rhel8-stig?label=Repo%20Stars&style=social) +![Forks](https://img.shields.io/github/forks/ansible-lockdown/rhel8-stig?style=social) +![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) +[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) + +![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) +![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) + +![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) +![Devel 
Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20commits) + +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) +![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) +![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) + +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests) + +![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License) + +--- + +## Looking for support? + +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH8_stig) + +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH8_stig) + +### Community On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +--- + +Configure a RHEL/Rocky 8 system to be DISA STIG compliant. +Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. +Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `true`. + ## Updating Coming from a previous release. 
@@ -21,41 +56,27 @@ This contains rewrites and ID reference changes as per STIG documentation. ## Auditing -This can be turned on or off within the defaults/main.yml file with the variable rhel8stig_run_audit. The value is false by default, please refer to the wiki for more details. +This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. -A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. -Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit). 
+## Documentation + +- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) +- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH8_stig) +- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH8_stig) +- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH8_stig) +- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH8_stig) ## Requirements -- RHEL/Rocky/AlmaLinux 8 - Other versions are not supported. +- RHEL/Rocky/AlmaLinux/OL 8 - Other versions are not supported. - Other OSs can be checked by changing the skip_os_check to true for testing purposes. - Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. -### General - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. 
Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables). - -## Documentation - -- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-STIG/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) -- [Wiki](https://github.com/ansible-lockdown/RHEL8-STIG/wiki) - ## Dependencies The following packages must be installed on the controlling host/host where ansible is executed: @@ -69,7 +90,7 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. ### Tags 
@@ -91,18 +112,14 @@ This is based on a vagrant image with selections enabled. e.g. No Gui or firewal Note: More tests are run during audit as we check config and running state. ```sh -ok: [rhel8test] => { - "msg": [ - "The pre remediation results are: Count: 308, Failed: 156, Duration: 44.108s.", - "The post remediation results are: Count: 308, Failed: 14, Duration: 37.647s.", - "Full breakdown can be found in /var/tmp", - "" - ] -} - ] -} +ok: [rocky8_efi] => + msg: + - 'The pre remediation results are: Count: 804, Failed: 416, Duration: 6.488s.' + - 'The post remediation results are: Count: 804, Failed: 28, Duration: 68.687s.' + - Full breakdown can be found in /opt + PLAY RECAP **************************************************************************************************************** -rhel8test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 +rocky8_efi : ok=482 changed=269 unreachable=0 failed=0 skipped=207 rescued=0 ignored=0 ``` ## Branches From f559dea24e673f540244cd5db451ae19fb9f5f0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:30:03 +0000 Subject: [PATCH 056/202] changed default disruption to false Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 980ee84f..715615ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,11 +26,11 @@ rhel8stig_audit_complex: true # We've defined disruption-high to indicate items that are likely to cause # disruption in a normal workflow. These items can be remediated automatically # but are disabled by default to avoid disruption. -rhel8stig_disruption_high: true +rhel8stig_disruption_high: false # Show "changed" for disruptive items not remediated per disruption-high # setting to make them stand out. -rhel8stig_audit_disruptive: true +rhel8stig_audit_disruptive: false rhel8stig_skip_for_travis: false 
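Review bot: Flipping `rhel8stig_disruption_high` to `false` also changes the default outcome of CAT I controls that are gated on it: RHEL-08-010121 appears to lock blank-password accounts only when the flag is true and otherwise just prints a debug message, so a default run now leaves passwordless accounts usable while the play still reports success. Setting `rhel8stig_audit_disruptive` to `false` in the same hunk removes the `changed` signal that was the only hint such items were skipped; consider leaving `rhel8stig_audit_disruptive: true` so skipped disruptive remediations still stand out in the recap. A comment on the variable itself, `# NOTE: with this false, CAT I controls such as RHEL-08-010121 (blank passwords) only report and do not remediate`, would make the trade-off visible to anyone reading defaults/main.yml, and the README should say the same next to the `rhel8stig_disruption_high` sentence.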
From 69251ec442567921bb9f658811a64d5afa75cd45 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:30:11 +0000 Subject: [PATCH 057/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index baa51bd2..08767226 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,12 @@ # Changes to RHEL8STIG -## Relase 2.8.3 +## Release 2.8.4 + +- updated to ansible user check for passwd rule 010380 +- update readme layout and latest audit example +- changed disruptive back to false to allow users to control the settings + +## Release 2.8.3 - improvements to openssh configs and seperated tasks From 5b9e1b6d102f37c80512d167697bf557eb285a24 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:31:49 +0000 Subject: [PATCH 058/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 08767226..3f2d3508 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## Release 2.8.4 - updated to ansible user check for passwd rule 010380 + - thanks to discord community member PoundsOfFlesh - update readme layout and latest audit example - changed disruptive back to false to allow users to control the settings From 761a3c1d4e0b74cda667666247425bbb9034ee53 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 Mar 2023 10:06:17 +0100 Subject: [PATCH 059/202] Ansible version update Signed-off-by: Mark Bolwell --- meta/main.yml | 2 +- vars/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index a9cf5b99..f260b661 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,7 +6,7 @@ galaxy_info: license: MIT role_name: rhel8_stig namespace: mindpointgroup - min_ansible_version: '2.9.0' + min_ansible_version: '2.10.1' platforms: - name: EL versions: diff --git a/vars/main.yml b/vars/main.yml index 04f6eac4..3d2ab14d 100644 
--- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -rhel8stig_min_ansible_version: 2.9.0 +rhel8stig_min_ansible_version: 2.10.1 rhel8stig_dconf_available: "{{ rhel8stig_gui or rhel8stig_dconf_audit.rc == 0 or rhel8stig_always_configure_dconf }}" From 6460e838e2704e2d4b916715b7312dc0a18ae418 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 Mar 2023 10:06:32 +0100 Subject: [PATCH 060/202] removed unnecssary conditional Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c6af2480..bf42c7b8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -69,7 +69,6 @@ gather_subset: chroot,!all,!min filter: ansible_is_chroot when: - - ansible_version.string is version_compare('2.7', '>=') - ansible_is_chroot is not defined tags: - always From d2642529121a6bbace0d12fecbdbee7370f26354 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 Mar 2023 10:07:10 +0100 Subject: [PATCH 061/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 3f2d3508..9cdc4f21 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## Release 2.8.4 +- ansible version updated to 2.10.1 minimum - updated to ansible user check for passwd rule 010380 - thanks to discord community member PoundsOfFlesh - update readme layout and latest audit example From 52ec1b0890563968a9e4e46233d26c3018865370 Mon Sep 17 00:00:00 2001 From: Jacob Buskirk Date: Sun, 9 Apr 2023 16:30:13 -0400 Subject: [PATCH 062/202] Fix RHEL-08-020011 Conditional Signed-off-by: Jacob Buskirk Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 9e8a7c32..3a8dd0d3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -2799,7 +2799,7 @@ line: "deny = {{ rhel8stig_pam_faillock.attempts }}" when: - rhel_08_020011 - - ansible_distribution_version|int >= 8.2 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020011 - CAT2 From 7691781c03c39c93dab647052c2b26d9e295b8d9 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 11 Apr 2023 14:33:45 -0400 Subject: [PATCH 063/202] Module Name Update, Module Command To Shell, Fixed " Issue, Yamllint Check, Ansilbe-lint Check Signed-off-by: Stephen Williams Signed-off-by: Mark Bolwell --- .ansible-lint | 2 + .github/workflows/linux_benchmark_testing.yml | 2 +- .yamllint | 57 +- collections/requirements.yml | 6 +- defaults/main.yml | 9 +- handlers/main.yml | 52 +- tasks/LE_audit_setup.yml | 4 +- tasks/audit_homedirinifiles.yml | 2 +- tasks/fix-cat1.yml | 80 +- tasks/fix-cat2.yml | 1077 ++++++++--------- tasks/fix-cat3.yml | 82 +- tasks/main.yml | 55 +- tasks/parse_etc_passwd.yml | 4 +- tasks/post_remediation_audit.yml | 16 +- tasks/pre_remediation_audit.yml | 32 +- tasks/prelim.yml | 12 +- vars/is_container.yml | 1 - 17 files changed, 745 insertions(+), 748 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 42cbe296..964eb052 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,4 +1,5 @@ --- + parseable: true quiet: true skip_list: @@ -7,6 +8,7 @@ skip_list: - 'var-spacing' - 'fqcn-builtins' - 'experimental' + - 'name[play]' - 'name[casing]' - 'name[template]' - 'fqcn[action]' diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 26ee32de..6ceb2cbb 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -5,7 +5,7 @@ name: linux_benchmark_pipeline # Controls when the action will run. # Triggers the workflow on push or pull request # events but only for the devel branch -on: +on: # yamllint disable-line rule:truthy pull_request_target: types: [opened, reopened, synchronize] branches: 
diff --git a/.yamllint b/.yamllint index a3c37e1c..ec469292 100644 --- a/.yamllint +++ b/.yamllint @@ -1,32 +1,33 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - extends: default +ignore: | + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml + rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - level: error - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: false + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + empty-lines: + max: 1 + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a418efa..23596ec0 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,8 +1,8 @@ --- collections: -- name: community.general + - name: community.general -- name: community.crypto + - name: community.crypto -- name: ansible.posix + - name: ansible.posix diff --git a/defaults/main.yml b/defaults/main.yml index 715615ce..c8803033 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -477,13 +477,13 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey -#Whether or not system uses remote automounted home directories via autofs +# Whether or not system uses remote automounted home directories via autofs rhel8stig_autofs_remote_home_dirs: false -#The local mount point used by autofs to mount remote home directory to. This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true +# The local mount point used by autofs to mount remote home directory to. This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/" -#The default shell command to gather local interactive user directories +# The default shell command to gather local interactive user directories ## NOTE: You will need to adjust the UID range in parenthesis below. ## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" @@ -533,7 +533,6 @@ rhel8stig_ssh_priv_key_perm: 0600 rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false - # RHEL-08-010700 # rhel8stig_ww_dir_owner is the owenr of all world-writable directories # To conform to STIG standards this needs to be set to root, sys, bin, or an application group @@ -794,7 +793,6 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1, # REHL-08-010020 rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}" - # RHEL-08-010740/RHEL-08-010750 rhel8stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" 
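Review bot: The default `local_interactive_user_dir_command` renders to `getent passwd { 1000..65535} | …` — the space after `{` (presumably added to keep Jinja from seeing `{{{`) defeats bash brace expansion, so the shell passes the literal words `{` and `1000..65535}` to getent, which finds no such users and prints nothing. The prelim task that runs this command uses `failed_when: false`, so the empty result is accepted silently and the home-directory controls built on it have nothing to check; the earlier inline form `{% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..24339{% raw %}}{% endraw %}` in prelim.yml avoided the problem, and the commented-out copy of this exact spaced form there suggests it was already found not to work. Use the same escaping here, e.g. `local_interactive_user_dir_command: "getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..65535{% raw %}}{% endraw %} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"`, or drop the brace range entirely with `getent passwd | awk -F: '$3 >= {{ rhel8stig_int_gid }}'`, which also removes the hard 65535 ceiling. The `## NOTE` line should then refer to braces rather than "parenthesis".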
@@ -889,7 +887,6 @@ rhel8stig_tmux_lock_after_time: 900 # Value must be greater than 0 to conform to STIG standards rhel8stig_sudo_timestamp_timeout: 1 - #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_run_script_environment: diff --git a/handlers/main.yml b/handlers/main.yml index 2599f6c7..03ff8870 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,12 +1,12 @@ --- - name: systemctl daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: true when: - not system_is_container - name: update sysctl - template: + ansible.builtin.template: src: 99-sysctl.conf.j2 dest: /etc/sysctl.d/99-sysctl.conf owner: root @@ -16,11 +16,11 @@ when: "'procps-ng' in ansible_facts.packages" - name: sysctl system - command: sysctl --system + ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" - name: restart sshd - service: + ansible.builtin.service: name: sshd state: restarted when: 
@@ -28,42 +28,42 @@ - "'openssh-server' in ansible_facts.packages" - name: restart sssd - service: + ansible.builtin.service: name: sssd state: restarted when: - "'sssd' in ansible_facts.packages" - name: restart snmpd - service: + ansible.builtin.service: name: snmpd state: restarted when: - not rhel8stig_system_is_chroot - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - name: generate fapolicyd rules - command: fagenrules --load + ansible.builtin.shell: fagenrules --load when: rhel_08_040137_rules_dir.stat.exists - name: restart fapolicyd - service: + ansible.builtin.service: name: fapolicyd state: restarted - name: confirm grub2 user cfg - stat: + ansible.builtin.stat: path: "/etc/grub.d/01_users" changed_when: rhel8stig_grub2_user_cfg.stat.exists register: rhel8stig_grub2_user_cfg notify: make grub2 config - name: make grub2 config - command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg + ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg when: - rhel8stig_grub2_user_cfg.stat.exists - not rhel8stig_skip_for_travis @@ -71,7 +71,7 @@ - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config - copy: + ansible.builtin.copy: src: "{{ rhel8stig_bootloader_path }}/grub.cfg" dest: "{{ rhel8stig_bootloader_path }}/grub.cfg" remote_src: true @@ -85,7 +85,7 @@ - not system_is_container - name: "restart {{ rhel8stig_time_service }}" - service: + ansible.builtin.service: name: "{{ rhel8stig_time_service }}" state: restarted when: @@ -94,7 +94,7 @@ - not system_is_container - name: update auditd - template: + ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root @@ -103,7 +103,7 @@ notify: restart auditd - name: restart auditd - command: /usr/sbin/service auditd restart + ansible.builtin.shell: /usr/sbin/service auditd restart args: warn: false when: 
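Review bot: Converting `generate fapolicyd rules` and `make grub2 config` from `command` to `ansible.builtin.shell` is the wrong direction for handlers that contain no pipes or redirects: `shell` hands the templated line to `/bin/sh`, so `--output={{ rhel8stig_bootloader_path }}/grub.cfg` is now subject to word splitting, globbing and metacharacter interpretation if that variable is ever set from inventory or extra-vars, and ansible-lint's `command-instead-of-shell` rule will flag each of them. Keep `ansible.builtin.command:` for these (same one-line form, e.g. `ansible.builtin.command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg`) and reserve `shell` for handlers that genuinely need the shell, such as the `init aide` handler later in this file with its `nohup … > /dev/null &`. The same applies to the other `command` → `shell` swaps in this commit; if the motivation was a lint rule, the FQCN prefix already satisfies `fqcn[action]` without changing module semantics.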
@@ -112,17 +112,17 @@ - not system_is_container - name: rebuild initramfs - command: dracut -f + ansible.builtin.shell: dracut -f - name: undo existing prelinking - command: prelink -ua + ansible.builtin.shell: prelink -ua - name: update running audit failure mode - command: auditctl -f {{ rhel8stig_auditd_failure_flag }} + ansible.builtin.shell: auditctl -f {{ rhel8stig_auditd_failure_flag }} failed_when: false - name: clean up ssh host key - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -130,33 +130,33 @@ - /etc/ssh/ssh_host_rsa_key.pub - name: init aide and wait - command: /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' notify: move aide db - name: init aide - shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' > /dev/null & + ansible.builtin.shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' > /dev/null & notify: move aide db - name: move aide db - command: "mv {{ rhel8stig_aide_temp_db_file }} {{ rhel8stig_aide_db_file }}" + ansible.builtin.shell: "mv {{ rhel8stig_aide_temp_db_file }} {{ rhel8stig_aide_db_file }}" when: not rhel8stig_aide_db_status.stat.exists or rhel8stig_overwrite_aide_db - name: dconf update - command: dconf update + ansible.builtin.shell: dconf update when: - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - name: prereport score - debug: + ansible.builtin.debug: msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - name: postreport score - debug: + ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - name: change_requires_reboot - set_fact: + ansible.builtin.set_fact: change_requires_reboot: true 
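Review bot: `move aide db` is now `ansible.builtin.shell: "mv {{ rhel8stig_aide_temp_db_file }} {{ rhel8stig_aide_db_file }}"`, which runs two user-controllable paths through a shell for no benefit; `ansible.builtin.command` gives the same result without word-splitting or glob expansion, and the same holds for `dracut -f`, `prelink -ua`, `auditctl -f …`, `dconf update` and `init aide and wait` in these hunks — only `init aide` (backgrounded with `nohup … &`) actually needs `shell`. Separately, `restart auditd` keeps `args: warn: false`; that option was removed from command/shell in ansible-core 2.14, so on current controllers the handler aborts with an unsupported-parameter error — drop it, since the warning it suppressed was advisory only. `update running audit failure mode` also still carries `failed_when: false`, so a failed `auditctl -f` leaves the running daemon in the old failure mode with no signal; `register` the result and report on `rc` instead.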
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 61a4cdf1..b4ac4d25 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ goss_url }}" dest: "{{ audit_bin }}" owner: root @@ -12,7 +12,7 @@ - get_goss_file == 'download' - name: copy audit binary - copy: + ansible.builtin.copy: src: dest: "{{ audit_bin }}" mode: 0555 diff --git a/tasks/audit_homedirinifiles.yml b/tasks/audit_homedirinifiles.yml index 9e365e21..cafc0457 100644 --- a/tasks/audit_homedirinifiles.yml +++ b/tasks/audit_homedirinifiles.yml @@ -1,6 +1,6 @@ --- - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs." - debug: + ansible.builtin.debug: msg: "You will need to audit {{ ini_item }} for reference to {{ item }}, which has been found with world-writable permissions. Those permissions will be changed in the next task to 0755." failed_when: false changed_when: false diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 5520f960..e265d327 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -1,7 +1,7 @@ --- - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." - debug: + ansible.builtin.debug: msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') when: 
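Review bot: The `Download audit binary` task fetches `goss_url` straight to `audit_bin` as root, and the hunk shows only `url`, `dest` and `owner` with no `checksum:`; the task continues past the hunk, so if the remaining lines do not pin one, the role executes whatever the remote URL hands back and a compromised mirror or on-path attacker gets root on every audited host. Add `checksum: "sha256:{{ goss_checksum }}"` with the value taken from the goss release page, and set `validate_certs: true` explicitly so an inventory override cannot silently disable TLS verification. The `copy audit binary` task's `src:` appears empty in this hunk — if that is the real content rather than a rendering artefact, the variable it should reference needs to be restored, otherwise the copy fails only at run time.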
@@ -17,7 +17,7 @@ - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" - package: + ansible.builtin.package: name: - dracut-fips - crypto-policies-scripts @@ -28,7 +28,7 @@ when: "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" - command: fips-mode-setup --enable + ansible.builtin.shell: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 notify: change_requires_reboot @@ -37,7 +37,7 @@ (ansible_proc_cmdline.fips is defined and ansible_proc_cmdline.fips != '1') - name: "HIGH | RHEL-08-010020 | PATCH | Disable prelinking." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no 
@@ -45,14 +45,14 @@ notify: undo existing prelinking - name: "HIGH | RHEL-08-010020 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub check_mode: false failed_when: false changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0 register: rhel_08_010020_default_grub_missing_audit - name: "HIGH | RHEL-08-010020 | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" - command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline + ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline check_mode: false changed_when: false failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 @@ -60,7 +60,7 @@ register: rhel_08_010020_grub_cmdline_linux_audit - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" - template: + ansible.builtin.template: src: etc_default_grub.j2 dest: /etc/default/grub owner: root @@ -71,7 +71,7 @@ when: rhel_08_010020_default_grub_missing_audit is changed - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" @@ -88,7 +88,7 @@ - change_requires_reboot - name: "HIGH | RHEL-08-010020 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" 
@@ -108,7 +108,7 @@ register: result - name: "HIGH | RHEL-08-010020 | AUDIT | Verify kernel parameters in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub check_mode: false with_items: - fips=1 @@ -120,7 +120,7 @@ - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - rhel8stig_boot_part not in ['/', ''] or - 'boot=' not in item + "'boot=' not in item" changed_when: - ansible_check_mode - rhel_08_010020_audit is failed @@ -142,14 +142,14 @@ - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." block: - name: "HIGH | RHEL-08-010121 | AUDIT | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" - shell: "awk -F: '!$2 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '!$2 {print $1}' /etc/shadow" changed_when: false failed_when: false check_mode: false register: rhel_08_010121_no_pw_users - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" - debug: + ansible.builtin.debug: msg: - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" - "{{ rhel_08_010121_no_pw_users.stdout_lines }}" @@ -158,7 +158,7 @@ - not rhel8stig_disruption_high - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Lock accounts with no passwords, disruptive" - user: + ansible.builtin.user: name: "{{ item }}" password_lock: true with_items: 
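Review bot: Quoting only the continuation line in the `when:` of the "Verify kernel parameters in /etc/default/grub" task changes the meaning of the condition. The hunk shows no list marker before `"'boot=' not in item"`, so it appears to continue the plain scalar `rhel8stig_boot_part not in ['/', ''] or`, and the expression Ansible evaluates becomes `rhel8stig_boot_part not in ['/', ''] or "'boot=' not in item"` — the right operand is now a non-empty string literal, which is always truthy, so the guard no longer skips the `boot=` check when `rhel8stig_boot_part` is `/` or empty. Keeping the whole expression in one scalar, `- rhel8stig_boot_part not in ['/', ''] or 'boot=' not in item`, or writing it as a `>-` folded scalar, restores the original test. The task's body starts before this hunk.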
@@ -183,7 +183,7 @@ - name: | "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_bootloader_path }}/user.cfg" create: true regexp: ^GRUB2_PASSWORD= 
@@ -213,23 +213,23 @@ - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." block: - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: '^gpgcheck=' line: gpgcheck=1 - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" - find: + ansible.builtin.find: paths: /etc/yum.repos.d pattern: '*.repo' register: rhel_08_010370_repos_files_list_full - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Flatten result" - set_fact: + ansible.builtin.set_fact: rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^gpgcheck' line: gpgcheck=1 @@ -247,7 +247,7 @@ - yum - name: "HIGH | RHEL-08-010371 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: '^localpkg_gpgcheck=' line: localpkg_gpgcheck=True @@ -263,7 +263,7 @@ - dnf - name: "HIGH | RHEL-08-010460 | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." - file: + ansible.builtin.file: path: /etc/ssh/shosts.equiv state: absent when: @@ -280,14 +280,14 @@ - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" - find: + ansible.builtin.find: path: '/' recurse: true patterns: '*.shosts' register: rhel_08_010470_shost_files - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: 
@@ -304,7 +304,7 @@ - shosts - name: "HIGH | RHEL-08-010820 | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/gdm/custom.conf regexp: (?i)automaticloginenable line: AutomaticLoginEnable=false @@ -321,7 +321,7 @@ - V-230329 - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' line: 'PermitEmptyPasswords no' @@ -340,7 +340,7 @@ - disruption_high - name: "HIGH | RHEL-08-020331 | PATCH | RHEL 8 must not allow blank or null passwords in the system-auth file." - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: ' nullok' replace: '' @@ -355,7 +355,7 @@ - V-244540 - name: "HIGH | RHEL-08-020332 | PATCH | RHEL 8 must not allow blank or null passwords in the password-auth file." - replace: + ansible.builtin.replace: path: /etc/pam.d/password-auth regexp: ' nullok' replace: '' @@ -370,7 +370,7 @@ - V-244541 - name: "HIGH | RHEL-08-040000 | PATCH | RHEL 8 must not have the telnet-server package installed." - package: + ansible.builtin.package: name: telnet-server state: absent when: @@ -385,7 +385,7 @@ - V-230487 - name: "HIGH | RHEL-08-040010 | PATCH | RHEL 8 must not have the rsh-server package installed." - package: + ansible.builtin.package: name: rsh-server state: absent when: 
@@ -402,13 +402,13 @@ - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." block: - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target" - systemd: + ansible.builtin.systemd: name: ctrl-alt-del.target masked: true notify: systemctl daemon-reload - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" - file: + ansible.builtin.file: src: /dev/null dest: /etc/systemd/system/ctrl-alt-del.target state: link @@ -427,13 +427,13 @@ - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." block: - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" - command: grep -s logout /etc/dconf/db/local.d/* + ansible.builtin.shell: grep -s logout /etc/dconf/db/local.d/* changed_when: false failed_when: false register: rhel_08_040171_logout_settings_status - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-disable-CAD regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -450,7 +450,7 @@ when: rhel_08_040171_logout_settings_status.stdout | length == 0 - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" - replace: + ansible.builtin.replace: path: "{{ rhel_08_040171_logout_settings_status.stdout }}" regexp: '^[L|l]ogout=.*' replace: "logout=''" 
@@ -467,7 +467,7 @@ - V-230530 - name: "HIGH | RHEL-08-040172 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/system.conf regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction=' line: CtrlAltDelBurstAction=none @@ -484,7 +484,7 @@ - V-230531 - name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." - package: + ansible.builtin.package: name: tftp-server state: absent when: @@ -503,19 +503,19 @@ - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." block: - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false failed_when: false register: rhel_08_040200_nonroot_uid - name: "HIGH | HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" - command: "passwd -l {{ item }}" + ansible.builtin.shell: "passwd -l {{ item }}" with_items: - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" when: rhel_08_040200_nonroot_uid.stdout | length > 0 - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" - debug: + ansible.builtin.debug: msg: - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}" 
@@ -533,7 +533,7 @@ - disruption_high - name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." - package: + ansible.builtin.package: name: vsftpd state: absent when: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3a8dd0d3..63a9b43d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3,7 +3,7 @@ - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." block: - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" - debug: + ansible.builtin.debug: msg: - "WARNING!! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" - "McAfee is the suggested by STIG" @@ -12,7 +12,7 @@ 'mfetpd' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" - debug: + ansible.builtin.debug: msg: "Congratulations! You have McAfee installed" when: - "'mcafeetp' in ansible_facts.packages or @@ -29,7 +29,7 @@ - V-245540 - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." - package: + ansible.builtin.package: name: "*" state: latest when: 
@@ -46,13 +46,13 @@ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." block: - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" - command: lsblk + ansible.builtin.shell: lsblk changed_when: false failed_when: false register: rhel_08_010030_partition_layout - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" - debug: + ansible.builtin.debug: msg: - 'WARNING!! Below is the partition layout. Please run the "sudo more /etc/crypttab" command to confirm every persistent disk partition has an entry.' - "If partitions other than pseudo file systems (such as /var or /sys) this is a finding" @@ -74,7 +74,7 @@ - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' 
@@ -84,7 +84,7 @@ - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" - copy: # noqa: template-instead-of-copy + ansible.builtin.copy: # noqa: template-instead-of-copy dest: "{{ item }}" content: "{{ rhel8stig_logon_banner }}" owner: root @@ -110,7 +110,7 @@ - V-230227 - name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/01-banner-message regexp: 'banner-message-enabled=' line: banner-message-enable=true @@ -132,7 +132,7 @@ - banner - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." - copy: # noqa: template-instead-of-copy + ansible.builtin.copy: # noqa: template-instead-of-copy dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] @@ -157,7 +157,7 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf line: "auth.*;authpriv.*;daemon.* /var/log/secure" create: true 
@@ -178,13 +178,13 @@ - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." block: - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" - command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + ansible.builtin.shell: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem changed_when: false failed_when: false register: rhel_08_010090_certs_list - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" - debug: + ansible.builtin.debug: msg: - "WARNING!! The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" @@ -203,7 +203,7 @@ - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." block: - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" - file: + ansible.builtin.file: path: "{{ rhel8stig_path_to_sshkey }}" state: directory mode: '0700' 
@@ -223,7 +223,7 @@ - V-230230 - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" @@ -241,13 +241,13 @@ - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." block: - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" - command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' + ansible.builtin.shell: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' changed_when: false failed_when: false register: rhel_08_010120_non_fips_hashed_accounts - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" - command: "passwd -l {{ item }}" + ansible.builtin.shell: "passwd -l {{ item }}" args: warn: false with_items: @@ -256,7 +256,7 @@ - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" - debug: + ansible.builtin.debug: msg: - "WARNING!! The following accounts do not have FIPS 140-2 hashing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" 
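Review bot: `args:` / `warn: false` remains under the renamed `ansible.builtin.shell: "passwd -l {{ item }}"` task of RHEL-08-010120, and `warn` is an option that `shell` and `command` no longer accept on ansible-core 2.14 and later (it was deprecated and then removed), so on those versions the task fails argument validation instead of locking the accounts. Since this commit moves the role onto collection-qualified module names, dropping those two lines is consistent with the versions it now targets. The enclosing block starts before this hunk.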
@@ -276,7 +276,7 @@ - disruption_high - name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} @@ -294,7 +294,7 @@ - name: | "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." - template: + ansible.builtin.template: src: 01_users.j2 dest: /etc/grub.d/01_users owner: root @@ -317,7 +317,7 @@ - grub - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." - lineinfile: + ansible.builtin.lineinfile: path: /usr/lib/systemd/system/rescue.service regexp: '^ExecStart=' line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" @@ -337,7 +337,7 @@ - systemd - name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." - lineinfile: + ansible.builtin.lineinfile: path: /usr/lib/systemd/system/emergency.service regexp: '^ExecStart=' line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" @@ -357,7 +357,7 @@ - systemd - name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." - pamd: + community.general.pamd: name: system-auth type: password control: sufficient 
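Review bot: `community.general.pamd` in the RHEL-08-010159 task (and again in the RHEL-08-010160 hunk that follows) and `ansible.posix.selinux` in the RHEL-08-010170/010450 task make the role depend on two collections that are not part of ansible-core, while every other rename in this commit stays inside `ansible.builtin`. Unless a later patch in this series adds them, the two collections should be declared in the role's `requirements.yml` (and listed under `collections:` in `meta/main.yml`) so that a fresh install with plain ansible-core does not stop at parse time with an unresolved module. The bare names `pamd` and `selinux` resolved before only because the collections happened to be present, so documenting the requirement is part of the same change.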
@@ -376,7 +376,7 @@ - pamd - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." - pamd: + community.general.pamd: name: password-auth type: password control: sufficient @@ -397,14 +397,14 @@ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." block: - name: "MEDIUM | RHEL-08-010161 | AUDIT | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" - find: + ansible.builtin.find: path: / patterns: '*.keytab' recurse: true register: rhel8stig_010161_keytab_files - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: @@ -422,7 +422,7 @@ - kerberos - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." - package: + ansible.builtin.package: name: krb5-workstation state: absent when: @@ -439,7 +439,7 @@ - name: "| MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services. MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." - selinux: + ansible.posix.selinux: state: enforcing policy: targeted check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" 
@@ -466,13 +466,13 @@ - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." block: - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" - shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" + ansible.builtin.shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" changed_when: false failed_when: false register: rhel_08_010190_world_writable_files - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" - file: + ansible.builtin.file: path: "{{ item }}" mode: '1777' with_items: @@ -489,7 +489,7 @@ - permissions - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveCountMax.*' line: ClientAliveCountMax 1 @@ -507,7 +507,7 @@ - ssh - name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveInterval.*' line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}" 
@@ -528,7 +528,7 @@ "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." - file: + ansible.builtin.file: path: /var/log/messages owner: root group: root @@ -556,7 +556,7 @@ - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." block: - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -564,7 +564,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -572,7 +572,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' 
@@ -593,7 +593,7 @@ - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." block: - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -601,7 +601,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -609,7 +609,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -628,7 +628,7 @@ - pamd - name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 content: | [org/gnome/desktop/screensaver] 
@@ -649,7 +649,7 @@ - dconf - name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 content: | [org/gnome/login-screen] @@ -669,7 +669,7 @@ - dconf - name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." - package: + ansible.builtin.package: name: tmux state: present when: @@ -688,7 +688,7 @@ "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: + ansible.builtin.file: path: /var/log owner: root group: root @@ -713,7 +713,7 @@ - permissions - name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 content: | /org/gnome/desktop/session/idle-delay @@ -732,7 +732,7 @@ - V-244538 - name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 content: | /org/gnome/desktop/screensaver/lock-enabled @@ -752,7 +752,7 @@ - dconf - name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: '^CRYPTO_POLICY=' line: '# CRYPTO_POLICY=' 
@@ -771,17 +771,17 @@ - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs" block: - - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g' - changed_when: false - register: rhel8stig_current_macs - - - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' - line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' - backrefs: true + - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_macs + + - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. 
| get MACs" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' + backrefs: true notify: change_requires_reboot when: - rhel_08_010290 
@@ -796,17 +796,17 @@ - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Add Ciphers" block: - - name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g' - changed_when: false - register: rhel8stig_current_ciphers - - - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' - line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' - backrefs: true + - name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_ciphers + + - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' + backrefs: true notify: change_requires_reboot when: - rhel_08_010291 
@@ -822,13 +822,13 @@ - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." block: - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" - command: fips-mode-setup --check + ansible.builtin.shell: fips-mode-setup --check changed_when: false failed_when: rhel_08_010293_pre_fips_check.stdout is not defined register: rhel_08_010293_pre_fips_check - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" - command: fips-mode-setup --enable + ansible.builtin.shell: fips-mode-setup --enable register: rhel_08_010290_fips_enable notify: change_requires_reboot when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' @@ -846,7 +846,7 @@ - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." block: - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: '^MinProtocol =' line: "MinProtocol = TLSv1.2" @@ -854,7 +854,7 @@ when: ansible_facts.packages['crypto-policies'][0].version | int < 20210617 - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
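Review bot: The two changed lines in the `@@ -822,13` hunk replace `command` with `ansible.builtin.shell`, which changes the module rather than just qualifying its name: `fips-mode-setup --check` and `fips-mode-setup --enable` contain no pipes, globs or redirects, so the closest FQCN is `ansible.builtin.command: fips-mode-setup --check` and `ansible.builtin.command: fips-mode-setup --enable`, keeping the old no-shell semantics and satisfying ansible-lint's command-instead-of-shell rule. While the enable task is being touched, its `register: rhel_08_010290_fips_enable` carries the control id 010290 although the task is 010293; presumably a copy-paste slip, and renaming it to `rhel_08_010293_fips_enable` would keep registered variables grep-able by control. The enclosing `block:` for RHEL-08-010293 continues past the end of this hunk.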
@@ -875,7 +875,7 @@ - openssl - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/gnutls.config regexp: '^(.*)\+VERS-ALL:' line: '\1{{ rhel8stig_gnutls_encryption }}' @@ -901,7 +901,7 @@ "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root or a system account. | Get commands no group-owned by root" - shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" + ansible.builtin.shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" args: warn: false changed_when: false @@ -912,7 +912,7 @@ "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root or a system account. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" owner: root group: root 
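Review bot: The `args:` / `warn: false` pair on the context lines directly under the changed `ansible.builtin.shell:` in the `@@ -901,7` hunk is a parameter that ansible-core 2.14 removed from the command and shell modules, so on the ansible versions this FQCN migration targets the audit task fails with an unsupported-parameter error instead of running. Drop both lines here and in the same pattern at `@@ -948`, `@@ -1395`, `@@ -1435`, `@@ -1475` and `@@ -1833`. The `find -L ... -perm /0022 -o ! -user root -o ! -group root` invocation uses no shell features, so `ansible.builtin.command` would also be the closer replacement for the old `shell` than `ansible.builtin.shell`, and the same holds for the pipe-free find audits in the library-directory hunks that follow. The task this hunk belongs to starts before the hunk (its multi-line `name` is cut at the top).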
@@ -948,7 +948,7 @@ "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" - shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" + ansible.builtin.shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" args: warn: false changed_when: false @@ -959,7 +959,7 @@ "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" - file: + ansible.builtin.file: path: "{{ item }}" owner: "{{ rhel_08_010340 | ternary('root',omit) }}" group: "{{ rhel_08_010350 | ternary('root',omit) }}" 
@@ -988,14 +988,14 @@ - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive." block: - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Get directories" - shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d changed_when: false failed_when: false check_mode: false register: rhel_08_010331_directories - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Alert on permissions" - debug: + ansible.builtin.debug: msg: - "Alert! There are library directories that have permessions set to more permissive than 755" - "To conform to STIG standards, please review these directories and set to 755 or less permissive" @@ -1005,7 +1005,7 @@ - rhel_08_010331_directories.stdout | length > 0 - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" state: directory mode: "{{ rhel8stig_lib_dir_perms }}" @@ -1027,14 +1027,14 @@ - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root." block: - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Get directories" - shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d changed_when: false failed_when: false check_mode: false register: rhel_08_010341_directories - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Alert on permissions" - debug: + ansible.builtin.debug: msg: - "Alert! There are library directories that are not owned by root" - "To conform to STIG standards, please review these directories and change owner to root" 
@@ -1044,7 +1044,7 @@ - not rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root @@ -1067,14 +1067,14 @@ - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account." block: - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Get directories" - shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d changed_when: false failed_when: false check_mode: false register: rhel_08_010351_directories - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Alert on permissions" - debug: + ansible.builtin.debug: msg: - "Alert! There are library directories that are not group owned by root." - "To conform to STIG standards, please review these directories and change group owner to root" @@ -1084,7 +1084,7 @@ - not rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" state: directory group: root @@ -1105,7 +1105,7 @@ - permissions - name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | pkg install" - package: + ansible.builtin.package: name: aide state: present when: 
@@ -1121,7 +1121,7 @@ - aide - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." - cron: + ansible.builtin.cron: name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' user: "{{ rhel8stig_aide_cron.user }}" cron_file: "{{ rhel8stig_aide_cron.cron_file }}" @@ -1158,19 +1158,19 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." block: - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances" - shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010372_conflicting_settings - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^kernel.kexec_load_disabled = 0' state: absent 
@@ -1190,13 +1190,13 @@ - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." block: - name: "MEDIUM | RHEL-08-010373 | AUDIT | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Find conflicting instances" - shell: grep -rs "fs.protected_symlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "fs.protected_symlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010373_conflicting_settings - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^fs.protected_symlinks = 0' state: absent @@ -1204,7 +1204,7 @@ when: rhel_08_010373_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -1222,13 +1222,13 @@ - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." block: - name: "MEDIUM | RHEL-08-010374 | AUDIT | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Find conflicting instances" - shell: grep -rs "fs.protected_hardlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "fs.protected_hardlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010374_conflicting_settings - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^fs.protected_hardlinks = 0' state: absent @@ -1236,7 +1236,7 @@ when: rhel_08_010374_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl @@ -1252,7 +1252,7 @@ - sysctl - name: "MEDIUM | RHEL-08-010379 | PATCH | RHEL 8 must specify the default 'include' directory for the /etc/sudoers file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regex: '^#includedir' line: '#includedir /etc/sudoers.d' 
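Review bot: The `ansible.builtin.lineinfile` task on `/etc/sudoers` in the `@@ -1252,7` hunk writes the file with no `validate:` step, so a malformed edit would be installed as-is and could leave sudo unusable on the host; `validate: '/usr/sbin/visudo -cf %s'` makes lineinfile check the temporary copy and abort before it is moved into place. The `ansible.builtin.replace` tasks that rewrite sudoers files in the following hunks at `@@ -1269` and `@@ -1288` would benefit from the same `validate` line. The key is spelled `regex:` in this task while the sibling tasks in this file use `regexp:`; both are accepted aliases, but one spelling should be used consistently. The task's `when`/`tags` continue past the end of the hunk.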
@@ -1269,7 +1269,7 @@ - sudoers - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -1288,7 +1288,7 @@ - sudo - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' @@ -1307,7 +1307,7 @@ - sudo - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - package: + ansible.builtin.package: name: openssl-pkcs11 state: present when: @@ -1323,7 +1323,7 @@ - multifactor - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." - lineinfile: + ansible.builtin.lineinfile: path: '{{ rhel8stig_sssd_conf }}' regexp: '^certificate_verification = {{ item.regexp }}' state: "{{ item.state }}" @@ -1347,7 +1347,7 @@ - multifactor - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." - package: + ansible.builtin.package: name: opensc state: present when: 
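Review bot: The `regexp` under the changed `ansible.builtin.replace:` in the `@@ -1269,7` hunk does not do what the Jinja conditional suggests: when `system_is_ec2` is true it renders to `^([^#|ec2-user].*)NOPASSWD(.*)`, and `[^#|ec2-user]` is a negated character class, so any sudoers line whose first character is one of `#`, `|`, `e`, `c`, `2`, `-`, `u`, `s` or `r` is skipped — including lines that start with `root`, `centos` or most user names — and their `NOPASSWD` entries are left in place. A negative lookahead expresses the intended exclusion, e.g. `regexp: '^((?!#){% if system_is_ec2 %}(?!ec2-user\s){% endif %}.*)NOPASSWD(.*)'` with the existing `replace: '\1PASSWD\2'` unchanged. This is pre-existing rather than introduced by the FQCN change, but it means the RHEL-08-010380 remediation is silently incomplete on EC2 hosts. The task's `loop`/`when` lines continue outside the hunk.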
@@ -1366,19 +1366,19 @@ - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." block: - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" - shell: dmesg |grep "NX (" + ansible.builtin.shell: dmesg |grep "NX (" changed_when: false failed_when: false register: rhel_08_010420_nx_bit_state - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" - debug: + ansible.builtin.debug: msg: - "Good News! You are setup with execute disable active." when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" - debug: + ansible.builtin.debug: msg: - "WARNING!! You do not have execute disable active. Please change the setting in your BIOS settings" when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' @@ -1395,7 +1395,7 @@ - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." block: - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -1403,20 +1403,20 @@ register: rhel8stig_010421_grub_cmdline_linux - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" - shell: grubby --update-kernel=ALL --args="page_poison=1" + ansible.builtin.shell: grubby --update-kernel=ALL --args="page_poison=1" when: - (ansible_proc_cmdline.page_poison is defined and ansible_proc_cmdline.page_poison != '1') or (ansible_proc_cmdline.page_poison is not defined) - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'page_poison=([^\s|"])+' replace: "page_poison=1" @@ -1435,7 +1435,7 @@ - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." block: - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -1443,20 +1443,20 @@ register: rhel8stig_010422_grub_cmdline_linux - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" - shell: grubby --update-kernel=ALL --args="vsyscall=none" + ansible.builtin.shell: grubby --update-kernel=ALL --args="vsyscall=none" when: - (ansible_proc_cmdline.vsyscall is defined and ansible_proc_cmdline.vsyscall != 'none') or (ansible_proc_cmdline.vsyscall is not defined) - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'vsyscall=([^\s|"])+' replace: "vsyscall=none" @@ -1475,7 +1475,7 @@ - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." block: - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -1483,20 +1483,20 @@ register: rhel8stig_010423_grub_cmdline_linux - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" - shell: grubby --update-kernel=ALL --args="slub_debug=P" + ansible.builtin.shell: grubby --update-kernel=ALL --args="slub_debug=P" when: - (ansible_proc_cmdline.slub_debug is defined and ansible_proc_cmdline.slub_debug != 'P') or (ansible_proc_cmdline.slub_debug is not defined) - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'slub_debug=([^\s|"])+' replace: "slub_debug=P" 
@@ -1515,13 +1515,13 @@ - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." block: - name: " MEDIUM | RHEL-08-010430 | AUDIT | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Find conflicting instances" - shell: grep -rs "kernel.randomize_va_space = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.randomize_va_space = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010430_conflicting_settings - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: "kernel.randomize_va_space = [^2]" state: absent @@ -1529,7 +1529,7 @@ when: rhel_08_010430_conflicting_settings.stdout | length > 0 - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -1547,7 +1547,7 @@ - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." block: - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" - find: + ansible.builtin.find: paths: /etc/ssh recurse: true file_type: file @@ -1558,7 +1558,7 @@ register: rhel_08_010480_public_files - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" - file: + ansible.builtin.file: path: "{{ item.path }}" mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: @@ -1581,7 +1581,7 @@ - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Find files" - find: + ansible.builtin.find: paths: /etc/ssh recurse: true file_type: file @@ -1592,7 +1592,7 @@ register: rhel_08_010490_private_host_key_files - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" - file: + ansible.builtin.file: path: "{{ item.path }}" mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: @@ -1613,7 +1613,7 @@ - ssh - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?StrictModes' line: 'StrictModes yes' @@ -1631,7 +1631,7 @@ - ssh - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?IgnoreUserKnownHosts' line: 'IgnoreUserKnownHosts yes' 
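Review bot: The `ansible.builtin.lineinfile` edits of `/etc/ssh/sshd_config` in the `@@ -1613,7` and `@@ -1631,7` hunks (and the same pattern at `@@ -1649`, `@@ -1667` and `@@ -1728`) have no `validate:`, so a bad line is written straight into the live daemon config; adding `validate: '/usr/sbin/sshd -t -f %s'` has sshd check the temporary copy and fail the task before the file is replaced. Since these hunks are only the module rename, this is a pre-existing gap, but it is the one that turns a typo in a hardening rule into a lockout. Each task's `notify`/`when`/`tags` section continues past the hunk.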
@@ -1649,7 +1649,7 @@ - ssh - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?KerberosAuthentication' line: "KerberosAuthentication no" @@ -1667,7 +1667,7 @@ - ssh - name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?GSSAPIAuthentication' line: "GSSAPIAuthentication no" @@ -1684,7 +1684,7 @@ - ssh - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." - debug: + ansible.builtin.debug: msg: "WARNING!! /tmp is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex @@ -1706,14 +1706,14 @@ - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." block: - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" - debug: + ansible.builtin.debug: msg: "WARNING!! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is defined when: "'/var/tmp' not in mount_names" - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" - debug: + ansible.builtin.debug: msg: "Congratulations: /var/tmp does exist." when: "'/var/tmp' in mount_names" when: 
@@ -1728,7 +1728,7 @@ - mounts - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitRootLogin' line: 'PermitRootLogin no' @@ -1746,7 +1746,7 @@ - ssh - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." - service: + ansible.builtin.service: name: rsyslog.service state: started enabled: true @@ -1762,7 +1762,7 @@ - rsyslog - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." - mount: + ansible.posix.mount: path: /home state: mounted src: "{{ home_mount.device }}" @@ -1785,7 +1785,7 @@ - home - name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." - mount: + ansible.posix.mount: path: /boot state: mounted src: "{{ boot_mount.device }}" @@ -1808,7 +1808,7 @@ - boot - name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." - mount: + ansible.posix.mount: path: /boot/efi state: mounted src: "{{ boot_efi_mount.device }}" @@ -1833,7 +1833,7 @@ - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." block: - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" - shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' + ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' args: warn: false changed_when: false 
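Review bot: The change from `mount` to `ansible.posix.mount` in the `@@ -1762,7`, `@@ -1785,7` and `@@ -1808,7` hunks (and the remaining mount tasks in the following hunks) moves these tasks out of ansible-core into the `ansible.posix` collection, so the role now has an external collection dependency that a bare controller will not have; if it is not already listed, declare `ansible.posix` in the role's collection requirements (for example a `collections/requirements.yml`) and in the README so `ansible-galaxy collection install -r` pulls it in, otherwise the play fails at parse time with an unresolved-module error. I cannot tell from this diff whether the requirement is already declared elsewhere in the repository. Each mount task's `when`/`tags` continue outside the hunk.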
@@ -1841,7 +1841,7 @@ register: rhel8stig_010580_mounts_nodev - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" - set_fact: + ansible.builtin.set_fact: rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" @@ -1860,7 +1860,7 @@ when: rhel8stig_010580_mounts_nodev.stdout | length > 0 - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value" - mount: + ansible.posix.mount: path: "{{ item.mpoint }}" state: mounted src: "{{ item.device }}" @@ -1886,7 +1886,7 @@ - mounts - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." - mount: + ansible.posix.mount: path: /home state: mounted src: "{{ home_mount.device }}" @@ -1911,7 +1911,7 @@ - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" - mount: + ansible.posix.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -1925,7 +1925,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt" - mount: + ansible.posix.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" 
@@ -1953,7 +1953,7 @@ - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media" - mount: + ansible.posix.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -1967,7 +1967,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt" - mount: + ansible.posix.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" @@ -1995,7 +1995,7 @@ - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" - mount: + ansible.posix.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -2009,7 +2009,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt" - mount: + ansible.posix.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" 
@@ -2035,7 +2035,7 @@ - media - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)." - mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2060,7 +2060,7 @@ - nfs - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)." - mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2085,7 +2085,7 @@ - nfs - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)" - mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2112,7 +2112,7 @@ - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs." block: - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" - shell: find {{ item.mount }} -xdev -type f -perm -002 + ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -002 args: warn: false changed_when: false 
@@ -2124,11 +2124,11 @@ label: "{{ item.mount }}" - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening" - set_fact: + ansible.builtin.set_fact: rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories" - include_tasks: audit_homedirinifiles.yml + ansible.builtin.include_tasks: audit_homedirinifiles.yml loop: - "{{ rhel_08_stig_interactive_homedir_inifiles }}" loop_control: @@ -2137,7 +2137,7 @@ - rhel_08_010660_change_perms != [] - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" mode: '0755' state: file @@ -2159,7 +2159,7 @@ - permissions - name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed." - service: + ansible.builtin.service: name: kdump enabled: false state: stopped @@ -2179,13 +2179,13 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." block: - name: "MEDIUM | RHEL-08-010671 | AUDIT | RHEL 8 must disable the kernel.core_pattern." - shell: grep -rs 'kernel.core_pattern\s+=\s*[? 0 - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl @@ -2209,7 +2209,7 @@ - sysctl - name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps." - systemd: + ansible.builtin.systemd: name: systemd-coredump.socket masked: true daemon_reload: true 
@@ -2227,7 +2227,7 @@ - systemd - name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/limits.conf regexp: '^\*.*hard.*core' line: "* hard core 0" @@ -2245,7 +2245,7 @@ - limits - name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps." - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^(S|s)torage=|#(S|s)torage=' line: "Storage=none" @@ -2262,7 +2262,7 @@ - systemd - name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces." - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax=' line: "ProcessSizeMax=0" 
@@ -2282,33 +2282,33 @@ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." block: - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" + ansible.builtin.shell: grep "dns" /etc/nsswitch.conf | grep -v "#" changed_when: false failed_when: false check_mode: false register: rhel_08_010680_nsswitch_check - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf" - command: grep -c "# Generated by NetworkManager" /etc/resolv.conf + ansible.builtin.shell: grep -c "# Generated by NetworkManager" /etc/resolv.conf changed_when: false failed_when: false check_mode: false register: rhel_08_010680_networkmanager_check - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf" - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l + ansible.builtin.shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l changed_when: false failed_when: false check_mode: false register: rhel_08_010680_nameserver_count - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Change resolv.conf if dns is not present in nsswitch.conf" - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf + ansible.builtin.shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf when: - "'dns' not in rhel_08_010680_nsswitch_check.stdout" - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf regexp: "{{ item.regexp }}" line: "nameserver {{ item.line }}" @@ -2322,7 +2322,7 @@ - rhel_08_010680_nameserver_count.stdout | int >= 2 - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled" - template: + ansible.builtin.template: src: resolv.conf.j2 dest: /etc/resolv.conf owner: root @@ -2333,7 +2333,7 @@ - rhel8_stig_use_resolv_template - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp." - debug: + ansible.builtin.debug: msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations." changed_when: true when: 
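Review bot: In hunk @@ -2282 the NetworkManager check is migrated from `command` to `ansible.builtin.shell`, which is a downgrade rather than a rename: the grep has no pipe or redirection, gains nothing from a shell, and now trips ansible-lint's command-instead-of-shell rule. The intended FQCN is `ansible.builtin.command: grep -c "# Generated by NetworkManager" /etc/resolv.conf`. The same `command` → `shell` substitution appears in hunks @@ -2390 and @@ -2418, where the `find` argument list is templated from `ansible_mounts` mount points; under `command` those paths are passed as plain argv words, whereas under `shell` any metacharacter in a mount point name is interpreted by /bin/sh, so `ansible.builtin.command` should be kept there as well. The RHEL-08-010680 block continues outside the hunk.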
@@ -2356,20 +2356,20 @@ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." block: - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010690_ini_path_grep_list changed_when: false failed_when: false - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - debug: + ansible.builtin.debug: msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. with_items: - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: "^PATH=" line: "{{ rhel_08_010690_user_path }}" 
@@ -2390,13 +2390,13 @@ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 + ansible.builtin.shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 changed_when: false failed_when: false register: rhel_08_010700_world_writable_directories - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" owner: "{{ rhel8stig_ww_dir_owner }}" with_items: @@ -2418,13 +2418,13 @@ - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 + ansible.builtin.shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 changed_when: false failed_when: false register: rhel_08_010710_world_writable_directories - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" group: "{{ rhel8stig_ww_dir_grpowner }}" with_items: 
@@ -2446,19 +2446,19 @@ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file." block: - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory" - shell: pwck -r | grep user | cut -f2 -d"'" + ansible.builtin.shell: pwck -r | grep user | cut -f2 -d"'" changed_when: false failed_when: false register: rhel_08_010720_users_no_home_dir - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory" - shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' + ansible.builtin.shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' changed_when: false failed_when: false register: rhel_08_010720_user_list - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" - debug: + ansible.builtin.debug: msg: - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - "{{ rhel_08_010720_user_list.stdout_lines }}" 
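Review bot: The task named "Get interactive users with no home directory" in hunk @@ -2446 runs `grep vboxadd /etc/passwd | awk ...`, so `rhel_08_010720_user_list` only ever contains accounts whose passwd entry mentions vboxadd, and the warning message below lists those rather than the users `pwck -r` just reported in `rhel_08_010720_users_no_home_dir`, which the hunk never reads. This predates the commit, but the rename is a natural moment to fix it; presumably the filter was meant to exclude the VirtualBox account (`grep -v vboxadd`) — confirm the intent against the STIG check text before changing it. The block continues outside the hunk.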
@@ -2477,13 +2477,13 @@ - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." block: - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) + ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) changed_when: false failed_when: false register: rhel_08_010730_home_directories - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_perms }}" with_items: @@ -2503,7 +2503,7 @@ - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." block: - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" - shell: "find {{ item }} -perm -750 ! -perm 750" + ansible.builtin.shell: "find {{ item }} -perm -750 ! -perm 750" changed_when: false failed_when: false register: rhel_08_010731_files @@ -2511,7 +2511,7 @@ - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start | int) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" - file: + ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_file_perms }}" with_items: 
@@ -2519,7 +2519,7 @@ when: rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" - debug: + ansible.builtin.debug: msg: - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." - "Please review the files to bring into STIG compliance" @@ -2537,7 +2537,7 @@ - permissions - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: + ansible.builtin.file: path: "{{ item.dir }}" group: "{{ item.gid }}" state: directory @@ -2559,7 +2559,7 @@ - permissions - name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - file: + ansible.builtin.file: path: "{{ item.dir }}" group: "{{ item.gid }}" state: directory @@ -2581,7 +2581,7 @@ - permissions - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - file: + ansible.builtin.file: path: "{{ item.dir }}" state: directory with_items: "{{ rhel8stig_passwd }}" @@ -2601,7 +2601,7 @@ - permissions - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '.*?CREATE_HOME.*' line: CREATE_HOME yes @@ -2618,7 +2618,7 @@ - home - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." - file: + ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_perm }}" with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}" 
@@ -2638,7 +2638,7 @@ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." block: - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" - shell: find / -nouser + ansible.builtin.shell: find / -nouser args: warn: false changed_when: false @@ -2646,7 +2646,7 @@ register: rhel_08_010780_nouser_files - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" - debug: + ansible.builtin.debug: msg: - "WARNING!! There are files with no user assigned. Please review files listed below and assign owner" - "{{ rhel_08_010780_nouser_files.stdout_lines }}" @@ -2665,13 +2665,13 @@ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." block: - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" - shell: find / -nogroup + ansible.builtin.shell: find / -nogroup changed_when: false failed_when: false register: rhel_08_010790_nogroup_files - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" - debug: + ansible.builtin.debug: msg: - "WARNING!! There are files with no group assigned. Please review files listed below and assign group" - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" @@ -2688,7 +2688,7 @@ - permissions - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." - debug: + ansible.builtin.debug: msg: "WARNING!! /home is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex 
@@ -2708,7 +2708,7 @@ - home - name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitUserEnvironment' line: 'PermitUserEnvironment no' @@ -2729,7 +2729,7 @@ - disruption_high - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." - debug: + ansible.builtin.debug: msg: - "WARNING!! Please check temporary accounts for expiration dates to be 72 hours or less." - "To do this please run sudo chage -l account_name for the accounts you need to check" @@ -2749,7 +2749,7 @@ - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." block: - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -2760,7 +2760,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' 
@@ -2771,7 +2771,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -2793,7 +2793,7 @@ - pamd - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^deny =|^\# deny =' line: "deny = {{ rhel8stig_pam_faillock.attempts }}" @@ -2812,7 +2812,7 @@ - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -2823,7 +2823,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' 
@@ -2834,7 +2834,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -2856,7 +2856,7 @@ - pamd - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" @@ -2875,7 +2875,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
@@ -2886,7 +2886,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -2897,7 +2897,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+requireds+pam_faillock.so' line: 'account required pam_faillock.so' @@ -2919,7 +2919,7 @@ - pamd - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^unlock_time =|^\# unlock_time =' line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" @@ -2938,7 +2938,7 @@ - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist." block: - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
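Review bot: The context line `regexp: '^account\s+requireds+pam_faillock.so'` in hunk @@ -2897 (RHEL-08-020014, Set account faillock) is missing the backslash before the second `s+`, so it matches the literal text `requireds` and never the real `account required pam_faillock.so` line; lineinfile then appends a second copy on every run instead of updating in place. The sibling hunks (@@ -2771, @@ -2834, @@ -3023, @@ -3149) use `regexp: '^account\s+required\s+pam_faillock.so'`, which is what this one should read too. Unless the backslash was lost in rendering, it is worth correcting in the same change. The enclosing block continues outside the hunk.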
@@ -2949,7 +2949,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -2960,7 +2960,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' line: 'account required pam_faillock.so' @@ -2982,7 +2982,7 @@ - pamd - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^dir =|^\# dir =' line: "dir = {{ rhel8stig_pam_faillock.dir }}" @@ -3001,7 +3001,7 @@ - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." block: - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
@@ -3012,7 +3012,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -3023,7 +3023,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -3045,7 +3045,7 @@ - pamd - name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^silent|^\# silent' line: "silent" @@ -3064,7 +3064,7 @@ - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." block: - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
@@ -3075,7 +3075,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -3086,7 +3086,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -3108,7 +3108,7 @@ - pamd - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^audit|^\# audit' line: "audit" 
@@ -3127,7 +3127,7 @@ - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." block: - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -3138,7 +3138,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -3149,7 +3149,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' 
@@ -3171,7 +3171,7 @@ - pamd - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^even_deny_root|^\# even_deny_root' line: "even_deny_root" @@ -3194,7 +3194,7 @@ - name: | "MEDIUM | RHEL-08-020027 | PATCH | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory MEDIUM | RHEL-08-020028 | PATCH | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." - sefcontext: + community.general.sefcontext: target: "{{ rhel8stig_pam_faillock.dir }}(/.*)?" ftype: a setype: faillog_t @@ -3205,7 +3205,7 @@ - name: | "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." - shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" + ansible.builtin.shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" when: add_faillock_secontext.changed when: - rhel_08_020027 or 
@@ -3226,13 +3226,13 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel_08_020030_lock_enabled.stdout }}" regexp: '^lock-enabled' line: lock-enabled=true @@ -3240,7 +3240,7 @@ notify: dconf update - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-screensaver create: true regexp: '^lock-enabled' 
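Review bot: In the `@@ -3226` hunk the move from `command` to `ansible.builtin.shell` is a genuine fix (the pipe to `cut` was never honoured by `command`), but the `Set if exists` task then uses the whole of `stdout` as a single `path`; `grep -r` over `/etc/dconf/db/*` may name several files (and may emit `Binary file ... matches` for the compiled databases), and a multi-line stdout is not a valid path. Consider `loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}"` with `path: "{{ item }}"`, or narrow the search to `/etc/dconf/db/*.d/*`. Any `when` guarding this task is outside the hunk.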
@@ -3269,13 +3269,13 @@ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." block: - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" - package: + ansible.builtin.package: name: tmux state: present when: "'tmux' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux" - lineinfile: + ansible.builtin.lineinfile: path: /etc/tmux.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -3298,7 +3298,7 @@ - tmux - name: "MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization. | Set tmux.sh if file exists" - blockinfile: + ansible.builtin.blockinfile: path: /etc/profile.d/tmux.sh marker: "# " block: | @@ -3322,7 +3322,7 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' args: warn: false changed_when: false 
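Review bot: The `@@ -3322` hunk keeps `args: warn: false` under the newly qualified `ansible.builtin.shell`; the `warn` parameter was removed from the command/shell modules in ansible-core 2.14, where it fails the task with an unsupported-parameter error rather than being ignored. Since the point of moving to FQCNs is compatibility with newer ansible-core, drop the `args:` and `warn: false` lines (the warning they silenced no longer exists). The task's `register` line is outside the hunk.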
@@ -3330,13 +3330,13 @@ register: rhel_08_020050_removal_action - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" + ansible.builtin.shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" changed_when: false failed_when: false register: rhel_08_020050_removal_action_file - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/20-authselect create: true owner: root @@ -3349,7 +3349,7 @@ notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel_08_020050_removal_action.stdout }}" regexp: ^removal-action= line: removal-action='lock-screen' 
@@ -3357,14 +3357,14 @@ notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: + ansible.builtin.lineinfile: path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action when: rhel_08_020050_removal_action_file.stdout | length > 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/locks/20-authselect create: true line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action @@ -3388,7 +3388,7 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' args: warn: false changed_when: false @@ -3396,7 +3396,7 @@ register: rhel_08_020060_idle_delay_param - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-screensaver create: true owner: root 
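Review bot: The `@@ -3388` hunk has the same `args: warn: false` under `ansible.builtin.shell` as the removal-action task; on ansible-core 2.14 and later this is an unsupported parameter and the task errors before running the grep. Remove the two `args:`/`warn: false` lines here as well. The `register` for `rhel_08_020060_idle_delay_param` is outside the hunk.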
@@ -3411,7 +3411,7 @@ when: rhel_08_020060_idle_delay_param.stdout | length == 0 - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel_08_020060_idle_delay_param.stdout }}" regexp: '^idle-delay=' line: idle-delay=uint32 900 @@ -3436,13 +3436,13 @@ - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" - package: + ansible.builtin.package: name: tmux state: present when: "'tmux' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Set tmux settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/tmux.conf regexp: '^set -g lock-after-time' line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" @@ -3461,7 +3461,7 @@ - tmux - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/session create: true line: /org/gnome/desktop/screensaver/lock-delay @@ -3482,7 +3482,7 @@ - gui - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -3508,7 +3508,7 @@ - authentication - name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s+required\s+pam_pwquality.so' line: 'password required pam_pwquality.so' @@ -3528,7 +3528,7 @@ - pamd - name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s+required\s+pam_pwquality.so' line: 'password required pam_pwquality.so' @@ -3550,13 +3550,13 @@ - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Get pam_pwquality state" - shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020102_pwquality_status - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' 
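Review bot: In the `@@ -3550` hunk the `Set if no pw required pam_pwquality` task uses `insertafter: '^password'`, and lineinfile inserts after the last line matching that regexp; in a stock system-auth the last `password` rule is typically `password required pam_deny.so`, so the new pam_pwquality line would land after pam_deny and never be evaluated. Use `insertbefore: '^password\s+sufficient\s+pam_unix.so'` (or keep `insertafter` with `firstmatch: true`) so the module sits ahead of pam_unix as the STIG check expects. The audit grep above it requires the control word `required`, so a stock `password requisite pam_pwquality.so` line is not found and this branch runs; the same `insertafter: '^password'` pattern recurs for password-auth and for both pwhistory tasks in later hunks. The task's remaining options are outside the hunk.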
@@ -3566,7 +3566,7 @@ when: rhel_08_020102_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" - pamd: + community.general.pamd: name: system-auth type: password control: required @@ -3589,13 +3589,13 @@ - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Get pam_pwquality state" - shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020103_pwquality_status - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' @@ -3605,7 +3605,7 @@ when: rhel_08_020103_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" - pamd: + community.general.pamd: name: password-auth type: password control: required 
@@ -3626,7 +3626,7 @@ - pamd - name: "MEDIUM | RHEL-08-020104 | PATCH | RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^retry =|^#.*retry =' line: retry = {{ rhel8stig_pam_pwquality_retry }} @@ -3643,10 +3643,10 @@ - pamd - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' - line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" + line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" owner: root group: root mode: 0644 @@ -3663,7 +3663,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" @@ -3683,7 +3683,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" @@ -3703,7 +3703,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" 
@@ -3723,7 +3723,7 @@ - pwquality - name: "MEDIUM | RHEL-08-20150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" @@ -3743,7 +3743,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*minclass' line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" @@ -3763,7 +3763,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*difok' line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" 
@@ -3785,13 +3785,13 @@ - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." block: - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" changed_when: false failed_when: false register: rhel_08_020180_users - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" - command: chage -m 1 {{ item }} + ansible.builtin.shell: chage -m 1 {{ item }} with_items: "{{ rhel_08_020180_users.stdout_lines }}" when: - rhel_08_020180 @@ -3805,7 +3805,7 @@ - password - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" @@ -3825,7 +3825,7 @@ - login - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs create: true owner: root 
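Review bot: In the `@@ -3785` hunk both `command` tasks become `ansible.builtin.shell` although neither needs a shell (the awk program is one quoted argument and `chage -m 1 {{ item }}` has no pipes or globs); `ansible.builtin.command` is the safer, lint-clean choice because the templated `{{ item }}` is then passed as an argv element rather than parsed by /bin/sh. The `Get list of users` task also lacks `check_mode: false`, unlike the equivalent task for RHEL-08-020210 in a later hunk, so in check mode it is skipped and `rhel_08_020180_users.stdout_lines` is undefined for the next task. Suggest `ansible.builtin.command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"` with `check_mode: false`, and `ansible.builtin.command: chage -m 1 {{ item }}`. The block's `when` continues outside the hunk.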
@@ -3847,18 +3847,18 @@ - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." block: - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" check_mode: false changed_when: rhel_08_020210_users.stdout | length > 0 register: rhel_08_020210_users - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." - command: chage -d '-1 day' {{ item }} + ansible.builtin.shell: chage -d '-1 day' {{ item }} check_mode: "{{ rhel8stig_disruptive_check_mode }}" with_items: "{{ rhel_08_020210_users.stdout_lines }}" - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime" - command: chage -M 60 {{ item }} + ansible.builtin.shell: chage -M 60 {{ item }} check_mode: "{{ rhel8stig_disruptive_check_mode }}" with_items: "{{ rhel_08_020210_users.stdout_lines }}" when: 
@@ -3877,13 +3877,13 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status" - shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020220_pwhistory_status - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' @@ -3893,7 +3893,7 @@ when: rhel_08_020220_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" - pamd: + community.general.pamd: name: password-auth type: password control: required 
@@ -3915,13 +3915,13 @@ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state " - shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020221_pwhistory_status - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' @@ -3931,7 +3931,7 @@ when: rhel_08_020221_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" - pamd: + community.general.pamd: name: system-auth type: password control: required @@ -3951,7 +3951,7 @@ - pamd - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*minlen' line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" @@ -3971,7 +3971,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN' line: "PASS_MIN_LEN 15" 
@@ -3992,13 +3992,13 @@ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." block: - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" - command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + ansible.builtin.shell: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd changed_when: false failed_when: false register: rhel_08_020240_duplicate_uid_users - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" - debug: + ansible.builtin.debug: msg: - "WARNING!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" 
@@ -4016,19 +4016,19 @@ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." block: - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" - shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth + ansible.builtin.shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth changed_when: false failed_when: false register: rhel_08_020250_sc_auth_sss - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth" - shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth + ansible.builtin.shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth changed_when: false failed_when: false register: rhel_08_020250_system_auth_sss - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -4042,7 +4042,7 @@ - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/smartcard-auth line: auth sufficient pam_sss.so try_cert_auth owner: root 
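Review bot: In the `@@ -4016` hunk the `Find pam_sss.so in system-auth` grep pattern `'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so'` is a basic regular expression, so `[...]` is a bracket expression matching a single character rather than the literal control string; the grep cannot match the intended line, the register is always empty, and the `Set pam_sss.so if doesn't exist in system-auth` branch runs on every play. Anchor and escape it, e.g. `ansible.builtin.command: grep -E '^auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so' /etc/pam.d/system-auth` (no shell features are used, so `command` suffices). The `smartcard-auth` grep with single spaces likely has the same no-match problem on authselect-formatted files, which pad fields with multiple spaces; `'^auth\s+sufficient\s+pam_sss.so'` with `grep -E` would be more robust. The block continues in the following hunks.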
@@ -4052,7 +4052,7 @@ when: rhel_08_020250_sc_auth_sss.stdout | length == 0 - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" - pamd: + community.general.pamd: name: /etc/pam.d/smartcard-auth state: updated type: auth @@ -4063,7 +4063,7 @@ when: rhel_08_020250_sc_auth_sss.stdout | length > 0 - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth" - pamd: + community.general.pamd: name: /etc/pam.d/system-auth state: after type: auth @@ -4077,7 +4077,7 @@ when: rhel_08_020250_system_auth_sss.stdout | length == 0 - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" - pamd: + community.general.pamd: name: /etc/pam.d/system-auth state: updated type: auth @@ -4099,7 +4099,7 @@ - pamd - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." - command: useradd -D -f 35 + ansible.builtin.shell: useradd -D -f 35 when: - rhel_08_020260 tags: 
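Review bot: In the `@@ -4099` hunk `useradd -D -f 35` is switched to `ansible.builtin.shell` although it has no shell features; `ansible.builtin.command: useradd -D -f 35` is the minimal change, and unless a `changed_when` exists in the part of the task outside the hunk it reports changed on every run. A more idempotent form is `ansible.builtin.lineinfile` on `/etc/default/useradd` with `regexp: '^INACTIVE='` and `line: 'INACTIVE=35'`, which is the setting `useradd -D -f` writes. The task's `when`/`tags` continue outside the hunk.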
@@ -4114,13 +4114,13 @@ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." block: - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" + ansible.builtin.shell: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" changed_when: false failed_when: false register: rhel_08_020270_system_users - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - debug: + ansible.builtin.debug: msg: - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - "{{ rhel_08_020270_system_users.stdout_lines }}" @@ -4136,7 +4136,7 @@ - user - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" @@ -4156,7 +4156,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -4180,7 +4180,7 @@ - sssd - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*dictcheck' line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" 
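Review bot: In the `@@ -4114` hunk the templated `{{ rhel8stig_interactive_uid_start }}` is now interpolated into a shell-parsed single-quoted awk program; `ansible.builtin.command` passes the program as one argv element and needs no pipes or globs here, so it is the safer choice for a value that comes from role variables. The operator-facing debug text also has typos: `If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours` should read `If any were emergency accounts please make sure they are removed or disabled after the crisis is resolved or within 72 hours`. The block's `when`/`tags` are outside the hunk.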
@@ -4200,7 +4200,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?FAIL_DELAY line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" @@ -4221,7 +4221,7 @@ - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." block: - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" - command: "grep '^{{ item }}:' /etc/passwd" + ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd" check_mode: false failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 @@ -4229,7 +4229,7 @@ with_items: "{{ rhel8stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" - user: + ansible.builtin.user: name: "{{ item }}" state: absent remove: "{{ rhel8stig_remove_unnecessary_user_files }}" @@ -4253,7 +4253,7 @@ - accounts - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#PrintLastLog yes?|^#?.rintLastLog no)' line: 'PrintLastLog yes' @@ -4272,7 +4272,7 @@ - ssh - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: ^#?UMASK.* line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" 
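Review bot: In the `@@ -4221` hunk `grep '^{{ item }}:' /etc/passwd` moves from `command` to `ansible.builtin.shell`, so every entry of the operator-supplied `rhel8stig_unnecessary_accounts` list is now interpreted by /bin/sh inside a single-quoted string; an item containing `'` or shell metacharacters breaks out of the quote, and the command uses no shell features that would justify this. Revert to `ansible.builtin.command: "grep '^{{ item }}:' /etc/passwd"` (or `ansible.builtin.command: getent passwd {{ item }}`) so the name reaches grep as a single argument. The `register` for `rhel_08_020320_unnecessary_accounts_found` and the `with_items` loop are outside the hunk.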
@@ -4294,7 +4294,7 @@
- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
block:
- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
- find:
+ ansible.builtin.find:
paths: /home
patterns: '^\.'
contains: 'umask'
@@ -4304,7 +4304,7 @@
register: rhel8stig_020352_files
- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
state: absent
@@ -4323,7 +4323,7 @@
- umask
- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
- replace:
+ ansible.builtin.replace:
path: "{{ item }}"
regexp: 'umask\s\d\d\d'
replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
@@ -4343,7 +4343,7 @@
- umask
- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4359,7 +4359,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^cron.*'
line: 'cron.* /var/log/cron'
@@ -4376,7 +4376,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^action_mail_acct ='
line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
@@ -4396,7 +4396,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/aliases
regexp: '^postmaster:'
line: 'postmaster: root'
@@ -4412,7 +4412,7 @@
- aliases
- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^disk_error_action ='
line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
@@ -4428,7 +4428,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^disk_full_action ='
line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
@@ -4444,7 +4444,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^local_events ='
line: "local_events = yes"
@@ -4460,7 +4460,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^name_format ='
line: "name_format = hostname"
@@ -4477,7 +4477,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group ='
line: "log_group = root"
@@ -4497,13 +4497,13 @@
- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
changed_when: false
failed_when: false
register: rhel8stig_030080_audit_log_file
- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
- file:
+ ansible.builtin.file:
path: "{{ rhel8stig_030080_audit_log_file.stdout }}"
owner: root
when: rhel8stig_030080_audit_log_file.stdout | length > 0
@@ -4521,7 +4521,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group'
line: "log_group = root"
@@ -4541,13 +4541,13 @@
- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
changed_when: false
failed_when: false
register: rhel_08_030100_audit_log_dir
- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
- file:
+ ansible.builtin.file:
path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
owner: root
state: directory
@@ -4570,7 +4570,7 @@
- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
args:
warn: false
changed_when: false
@@ -4578,7 +4578,7 @@
register: rhel_08_030110_audit_log_dir
- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
- file:
+ ansible.builtin.file:
path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
group: root
state: directory
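Review bot: The RHEL-08-030110 "Get audit log directory" task keeps its `args:` / `warn: false` block under the renamed `ansible.builtin.shell:`; the `warn` option was deprecated in ansible-core 2.11 and removed in 2.14, so on a current control node the task is rejected for an unsupported parameter before the pipeline runs. The sibling RHEL-08-030100 and RHEL-08-030120 tasks run the same pipeline without an `args` block, so deleting those two lines also makes the three tasks consistent. The enclosing `block:` and its `when`/`tags` continue outside the hunk.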
@@ -4602,13 +4602,13 @@
- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
changed_when: false
failed_when: false
register: rhel_08_030120_audit_log_dir
- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
- file:
+ ansible.builtin.file:
path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
mode: 0700
state: directory
@@ -4627,7 +4627,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-e '
line: "-e 2"
@@ -4643,7 +4643,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^--loginuid-'
line: "--loginuid-immutable"
@@ -4659,7 +4659,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/shadow'
line: '-w /etc/shadow -p wa -k identity'
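Review bot: `mode: 0700` in the RHEL-08-030120 "Set audit log dir perms" task is an unquoted leading-zero literal; Ansible's YAML 1.1 loader reads it as an octal integer so it works today, but quoting it as `mode: "0700"` removes the dependence on that parser behaviour and is what ansible-lint's `risky-octal` rule expects. The same applies to `mode: 0640` in the RHEL-08-030610 hunk and `mode: 0755` in the RHEL-08-030620 hunk later in this file. The enclosing `block:` continues outside the hunk.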
@@ -4676,7 +4676,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/security/opasswd'
line: -w /etc/security/opasswd -p wa -k identity
@@ -4693,7 +4693,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/passwd'
line: -w /etc/passwd -p wa -k identity
@@ -4710,7 +4710,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/gshadow'
line: -w /etc/gshadow -p wa -k identity
@@ -4727,7 +4727,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/group'
line: -w /etc/group -p wa -k identity
@@ -4744,7 +4744,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers '
line: -w /etc/sudoers -p wa -k identity
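Review bot: The `line:` values in the RHEL-08-030140 through RHEL-08-030171 hunks are unquoted plain scalars (`line: -w /etc/passwd -p wa -k identity`) while the neighbouring RHEL-08-030130 task quotes the identical shape of value; they parse correctly only because the leading `-` is not followed by a space, so quoting them consistently (`line: '-w /etc/passwd -p wa -k identity'`) spares the reader that reasoning. Separately, only the sudoers task anchors its regexp with a trailing space (`'^-w /etc/sudoers '`); the others are prefix matches, so `'^-w /etc/group'` would also rewrite an existing watch on any longer path starting with `/etc/group` if one is present, and the same trailing-space anchoring would be safer there too.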
@@ -4761,7 +4761,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers.d/'
line: -w /etc/sudoers.d/ -p wa -k identity
@@ -4780,12 +4780,12 @@
- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed."
block:
- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed. | Install audit"
- package:
+ ansible.builtin.package:
name: audit
state: present
- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed. | Enable and start service"
- service:
+ ansible.builtin.service:
name: auditd
enabled: true
state: started
@@ -4802,7 +4802,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."
- service:
+ ansible.builtin.service:
name: auditd
state: started
enabled: true
@@ -4818,7 +4818,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4834,7 +4834,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4850,7 +4850,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4866,7 +4866,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4882,7 +4882,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4898,7 +4898,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4914,7 +4914,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4930,7 +4930,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4946,7 +4946,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4962,7 +4962,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4978,7 +4978,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4994,7 +4994,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5010,7 +5010,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5026,7 +5026,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5042,7 +5042,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5058,7 +5058,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5074,7 +5074,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5090,7 +5090,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5106,7 +5106,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5122,7 +5122,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5138,7 +5138,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5154,7 +5154,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5170,7 +5170,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5186,7 +5186,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5202,7 +5202,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5218,7 +5218,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5234,7 +5234,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5250,7 +5250,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5266,7 +5266,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5282,7 +5282,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5298,7 +5298,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5314,7 +5314,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5330,7 +5330,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5346,7 +5346,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5362,7 +5362,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5378,7 +5378,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5394,7 +5394,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
- file:
+ ansible.builtin.file:
path: "{{ item }}"
mode: 0640
with_items:
@@ -5415,13 +5415,13 @@
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
block:
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
- shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
+ ansible.builtin.shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
changed_when: false
failed_when: false
register: rhel_08_030620_tools
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
- file:
+ ansible.builtin.file:
path: "{{ item }}"
mode: 0755
with_items:
@@ -5439,7 +5439,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
- file:
+ ansible.builtin.file:
path: "{{ item }}"
owner: root
with_items:
@@ -5464,7 +5464,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
- file:
+ ansible.builtin.file:
path: "{{ item }}"
owner: root
with_items:
@@ -5489,7 +5489,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/aide.conf
line: "{{ item }}"
owner: root
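Review bot: The RHEL-08-030640 task, whose name says the audit tools must be group-owned by root, sets `owner: root`, which is exactly what the preceding RHEL-08-030630 task already enforces; the group ownership this control is about is never applied. The parameter should be `group: root` (keeping `owner: root` as well does no harm). The `with_items` list of tool paths continues outside the hunk.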
@@ -5518,19 +5518,19 @@
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
block:
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
- shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
+ ansible.builtin.shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
changed_when: false
failed_when: false
register: rhel_08_030660_audit_log_path
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
- shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
+ ansible.builtin.shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
changed_when: false
failed_when: false
register: rhel_08_030660_audit_log_partition
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
- debug:
+ ansible.builtin.debug:
msg:
- "WARNING!! Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
- "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
@@ -5547,7 +5547,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
- package:
+ ansible.builtin.package:
name: rsyslog
state: present
when:
@@ -5563,7 +5563,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
- package:
+ ansible.builtin.package:
name: rsyslog-gnutls
state: present
when:
@@ -5580,7 +5580,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^.*\@\@'
line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
@@ -5597,7 +5597,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^overflow_action ='
line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
@@ -5614,7 +5614,7 @@
- auditd
- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
create: true
owner: root
@@ -5638,7 +5638,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^\$ActionSendStreamDriverAuthMode'
line: "$ActionSendStreamDriverAuthMode x509/name"
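Review bot: The task name in the `@@ -5614` hunk reads `RHEL-08-03710`, one digit short of the control-id format used everywhere else in this file (its neighbours are RHEL-08-030700 and RHEL-08-030720), so it should read `MEDIUM | RHEL-08-030710 | PATCH | ...`. Since the commit is already touching this task's module line, fixing the name at the same time keeps the rename self-contained. The rest of that task's `lineinfile` arguments continue outside the hunk.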
@@ -5656,7 +5656,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^space_left ='
line: 'space_left = 25%'
@@ -5672,7 +5672,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^space_left_action ='
line: 'space_left_action = EMAIL'
@@ -5688,7 +5688,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/chrony.conf
regexp: '^server'
line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
@@ -5706,9 +5706,9 @@
- chrony
- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
- package:
- name: "abrt*"
- state: absent
+ ansible.builtin.package:
+ name: "abrt*"
+ state: absent
when:
- rhel_08_040001
tags:
@@ -5722,7 +5722,7 @@
- abrt
- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
- package:
+ ansible.builtin.package:
name: sendmail
state: absent
when:
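Review bot: In the RHEL-08-030740 hunk, `regexp: '^server'` combined with `lineinfile` rewrites only the last line that matches, so a `chrony.conf` carrying several `server` entries (or `pool` entries, which the pattern does not match at all) keeps the other time sources without `maxpoll 16`, and the control is only partially applied. If the intent is one authoritative source, a `replace` over all `^(server|pool) .*` lines followed by the `lineinfile` insert, or a templated `chrony.conf`, would make the result deterministic; if multiple sources are expected, the pattern should be scoped to `'^server {{ rhel8stig_ntp_server_name }}'`. The task's `when`/`tags` continue outside the hunk.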
@@ -5739,7 +5739,7 @@
- sendmail
- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
create: true
regexp: "{{ item.regexp }}"
@@ -5769,7 +5769,7 @@
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
block:
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld"
- shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
+ ansible.builtin.shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
register: rhel8stig_ppsm_clsa_check_firewalld
changed_when: false
failed_when: false
@@ -5781,7 +5781,7 @@
- firewall
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
+ ansible.builtin.debug:
msg:
- "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
- "{{ rhel8stig_ppsm_clsa_check_firewalld.stdout_lines }}"
@@ -5805,7 +5805,7 @@ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block" block: - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables" - shell: iptables-save | grep -i accept | grep -i input + ansible.builtin.shell: iptables-save | grep -i accept | grep -i input register: rhel8stig_ppsm_clsa_check_iptables changed_when: false failed_when: false @@ -5816,7 +5816,7 @@ - firewall - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" - debug: + ansible.builtin.debug: msg: - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." - "{{ rhel8stig_ppsm_clsa_check_iptables.stdout_lines }}" 
@@ -5838,7 +5838,7 @@ - firewall - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use" - debug: + ansible.builtin.debug: msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." changed_when: true when: @@ -5865,13 +5865,13 @@ - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required." block: - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error" - shell: "systemctl show autofs | grep LoadState | cut -d= -f2" + ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d= -f2" changed_when: false failed_when: false register: rhel_08_040070_autofs_status - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists" - service: + ansible.builtin.service: name: autofs state: stopped enabled: false @@ -5888,7 +5888,7 @@ - autofs - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -5914,19 +5914,19 @@ - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." block: - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" - package: + ansible.builtin.package: name: firewalld.noarch state: present when: rhel8stig_firewall_service == "firewalld" - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" - package: + ansible.builtin.package: name: iptables-services state: present when: rhel8stig_firewall_service == "iptables" - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" - service: + ansible.builtin.service: name: "{{ rhel8stig_firewall_service }}" state: started enabled: true @@ -5946,13 +5946,13 @@ - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" block: - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed" - package: + ansible.builtin.package: name: firewalld state: present when: "'firewalld' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service" - systemd: + ansible.builtin.systemd: name: firewalld state: started enabled: true 
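Review bot: RHEL-08-040101 installs `firewalld` and starts it with `ansible.builtin.systemd` keyed only on `'firewalld' not in ansible_facts.packages`, whereas the RHEL-08-040100 hunk just above installs `firewalld.noarch`, starts `{{ rhel8stig_firewall_service }}` via `ansible.builtin.service`, and gates the firewalld branch on `rhel8stig_firewall_service == "firewalld"`. If an operator selected iptables, this block as visible would still install and start firewalld next to `iptables-services`, leaving two firewall front ends managing the same host. Gate both tasks with `when: rhel8stig_firewall_service == "firewalld"` and use one package spelling across the two controls; the block-level `when:` sits outside this hunk, so it may already cover part of this.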
@@ -5972,13 +5972,13 @@ - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." block: - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone" - firewalld: + ansible.posix.firewalld: zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: present - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh" - firewalld: + ansible.posix.firewalld: zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: enabled @@ -5988,7 +5988,7 @@ - "{{ rhel8stig_white_list_services }}" - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.10+" - firewalld: + ansible.posix.firewalld: zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: enabled 
@@ -5998,25 +5998,25 @@ - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9" block: - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | current setting" - shell: "firewall-cmd --list-all --zone={{ rhel8stig_custom_firewall_zone }} | grep 'target: DROP'" + ansible.builtin.shell: "firewall-cmd --list-all --zone={{ rhel8stig_custom_firewall_zone }} | grep 'target: DROP'" changed_when: false failed_when: false register: rhel8stig_target_drop_set - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9" - shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP + ansible.builtin.shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP when: - rhel8stig_target_drop_set.rc != 0 when: ansible_version.full is version_compare('2.10 | int', '<') - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" - command: firewall-cmd --reload + ansible.builtin.shell: firewall-cmd --reload changed_when: rhel_08_040090_zone_reload.rc == 0 failed_when: rhel_08_040090_zone_reload.rc >= 2 register: rhel_08_040090_zone_reload - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone as default" - command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}" + ansible.builtin.shell: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}" changed_when: rhel_08_040090_default_zone_set.rc == 0 failed_when: rhel_08_040090_default_zone_set.rc >= 2 register: rhel_08_040090_default_zone_set @@ -6035,7 +6035,7 @@ - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled." block: - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available" - command: rpm -q NetworkManager + ansible.builtin.shell: rpm -q NetworkManager args: warn: false check_mode: false @@ -6044,7 +6044,7 @@ failed_when: false - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled" - command: nmcli radio wifi + ansible.builtin.shell: nmcli radio wifi args: warn: false register: rhel_08_wifi_enabled @@ -6053,7 +6053,7 @@ when: rhel_08_nmcli_available.rc == 0 - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled" - command: nmcli radio wifi off + ansible.builtin.shell: nmcli radio wifi off when: rhel_08_wifi_enabled is changed when: - rhel_08_040110 @@ -6069,7 +6069,7 @@ - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." block: - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/bluetooth.conf regexp: '^install bluetooth ' line: "install bluetooth /bin/true" @@ -6080,7 +6080,7 @@ notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf create: true regexp: "{{ item.regexp }}" 
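Review bot: The two `command:` tasks in this hunk (`firewall-cmd --reload` and `firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}`) were converted to `ansible.builtin.shell:` rather than `ansible.builtin.command:`, which is a silent downgrade: neither needs pipes or redirection, and the second now passes a templated value through `/bin/sh`, so a zone name containing shell metacharacters is interpreted instead of being handed to firewall-cmd as a single argument. Change them to `ansible.builtin.command: firewall-cmd --reload` and `ansible.builtin.command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"`. The `--set-target=DROP` task in the 2.9 branch takes the same variable and was already `shell`; it can move to `command` in the same change. Separately, `changed_when: ...rc == 0` on both tasks reports a change on every successful run, so this block is never idempotent.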
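Review bot: `rpm -q NetworkManager` (and `nmcli radio wifi` / `nmcli radio wifi off` in the two hunks that follow) use no shell features, so `ansible.builtin.command:` is the direct FQCN equivalent of the old `command:`; switching them to `ansible.builtin.shell:` widens the execution surface for no benefit. The `args: warn: false` kept alongside them is a command/shell option that newer ansible-core releases have dropped (deprecated in 2.11 and removed in 2.14, as far as I recall), so these tasks are likely to fail with an unsupported-parameter error on a current core; with `command` no warning is raised and the `args:` block can go. Since `ansible_facts.packages` is already relied on elsewhere in this file (040101, 040139), the rpm probe could be replaced by `when: "'NetworkManager' in ansible_facts.packages"`, presumably populated by an earlier package_facts task outside this view.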
@@ -6113,7 +6113,7 @@ "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option." "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option." "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option." - shell: mount | grep /dev/shm + ansible.builtin.shell: mount | grep /dev/shm args: warn: false changed_when: false @@ -6124,7 +6124,7 @@ "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." - mount: + ansible.posix.mount: path: /dev/shm state: mounted src: tmpfs @@ -6159,7 +6159,7 @@ "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option." "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option." "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option." - shell: mount | grep /tmp + ansible.builtin.shell: mount | grep /tmp changed_when: false failed_when: false register: rhel8stig_040123_dev_status @@ -6168,7 +6168,7 @@ "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." - mount: + ansible.posix.mount: path: /tmp state: mounted src: "{{ tmp_mount.device }}" @@ -6206,7 +6206,7 @@ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." - shell: mount | grep /var/log + ansible.builtin.shell: mount | grep /var/log changed_when: false failed_when: false register: rhel8stig_040126_var_log_status 
@@ -6215,7 +6215,7 @@ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." - mount: + ansible.posix.mount: path: /var/log state: mounted src: "{{ var_log_mount.device }}" @@ -6252,7 +6252,7 @@ "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option." "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option." "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option." - shell: mount | grep /var/log/audit + ansible.builtin.shell: mount | grep /var/log/audit changed_when: false failed_when: false register: rhel8stig_040129_var_log_audit_status @@ -6261,7 +6261,7 @@ "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." - mount: + ansible.posix.mount: path: /var/log/audit state: mounted src: "{{ audit_mount.device }}" @@ -6298,7 +6298,7 @@ "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option" "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option." "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option." - shell: mount | grep /var/tmp + ansible.builtin.shell: mount | grep /var/tmp changed_when: false failed_when: false register: rhel8stig_040132_var_tmp_status 
@@ -6307,7 +6307,7 @@ "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." - mount: + ansible.posix.mount: path: /var/tmp state: mounted src: "{{ var_tmp_mount.device }}" @@ -6336,7 +6336,7 @@ - mounts - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be installed." - package: + ansible.builtin.package: name: fapolicyd state: present when: @@ -6352,7 +6352,7 @@ - fapolicy - name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled." - systemd: + ansible.builtin.systemd: name: fapolicyd state: started enabled: true @@ -6370,12 +6370,12 @@ - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory" - stat: + ansible.builtin.stat: path: /etc/fapolicyd/rules.d/ register: rhel_08_040137_rules_dir - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on newer than 8.4" - lineinfile: + ansible.builtin.lineinfile: path: '/etc/fapolicyd/rules.d/99-stig.rules' line: "{{ item }}" create: true 
@@ -6390,7 +6390,7 @@ - rhel_08_040137_rules_dir.stat.isdir - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on older than 8.4" - lineinfile: + ansible.builtin.lineinfile: path: /etc/fapolicyd/fapolicyd.rules line: "{{ item }}" create: true @@ -6403,7 +6403,7 @@ when: ansible_distribution_version is version('8.3', '<=') - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" - lineinfile: + ansible.builtin.lineinfile: path: /etc/fapolicyd/fapolicyd.conf regexp: '^permissive =' line: 'permissive = 0' @@ -6427,7 +6427,7 @@ "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard." block: - name: "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed. | Install usbguard" - package: + ansible.builtin.package: name: usbguard state: present when: @@ -6435,14 +6435,14 @@ - "'usbguard' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | generate policy" - shell: usbguard generate-policy > /etc/usbguard/rules.conf + ansible.builtin.shell: usbguard generate-policy > /etc/usbguard/rules.conf when: - rhel_08_040140 - rhel_08_040139 or "'usbguard' in ansible_facts.packages" - name: "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard. | Start/Enable service" - service: + ansible.builtin.service: name: usbguard state: started enabled: true 
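Review bot: `usbguard generate-policy > /etc/usbguard/rules.conf` has no `changed_when` and no `creates:` guard, so every play run rewrites the allowlist from whatever USB devices happen to be attached at that moment — a rogue device connected before the run is thereby authorised permanently, which defeats the control (RHEL-08-040140) this task is meant to enforce. Keep `ansible.builtin.shell` (the redirection needs it) but make it a one-time bootstrap by adding `args: creates: /etc/usbguard/rules.conf` under the command, so an existing, reviewed policy is never clobbered. The generated baseline should then be reviewed by an operator rather than trusted as-is, and a comment on the task saying so would stop the next maintainer from "fixing" the guard away.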
@@ -6471,7 +6471,7 @@ - usbguard - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." - lineinfile: + ansible.builtin.lineinfile: path: /etc/firewalld/firewalld.conf regexp: '^FirewallBackend=' line: 'FirewallBackend=nftables' @@ -6493,7 +6493,7 @@ "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." block: - name: "MEDIUM | RHEL-08-040159 | PATCH | All RHEL 8 networked systems must have SSH installed. | Install openssh-server" - package: + ansible.builtin.package: name: openssh-server state: present when: @@ -6501,7 +6501,7 @@ - rhel_08_040159 - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" - service: + ansible.builtin.service: name: sshd state: started enabled: true @@ -6525,7 +6525,7 @@ - ssh - name: "MEDIUM | RHEL-08-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?RekeyLimit' line: 'RekeyLimit 1G 1h' @@ -6543,7 +6543,7 @@ - ssh - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." - systemd: + ansible.builtin.systemd: name: debug-shell.service state: stopped enabled: false 
@@ -6564,13 +6564,13 @@ - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." block: - name: "MEDIUM | RHEL-08-040209 | AUDIT | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040209_conflicting_settings - name: "MEDIUM | RHEL-08-040209 | AUDIT | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.default.accept_redirects = [^0] state: absent @@ -6578,7 +6578,7 @@ when: rhel_08_040209_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
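Review bot: The conflict scan `grep -rs "net.ipv4.conf.default.accept_redirects = [^0]"` and the matching `lineinfile` regexp only recognise the exact `key = value` spacing, so a competing entry written as `net.ipv4.conf.default.accept_redirects=1` (or with tabs) is not found, stays in place, and still overrides the handler-written `/etc/sysctl.d/99-sysctl.conf` whenever its file sorts later in `/etc/sysctl.d`. Make both patterns whitespace-tolerant, e.g. `grep -rsE "net.ipv4.conf.default.accept_redirects[[:space:]]*=[[:space:]]*[^0]"` and `regexp: 'net\.ipv4\.conf\.default\.accept_redirects\s*=\s*[^0]'`. Note also that the removal loop edits files under `/usr/lib/sysctl.d` and `/run/sysctl.d`, i.e. vendor and runtime files that the next package update or reboot restores; a higher-priority override in `/etc/sysctl.d` is the durable fix. The same pattern is repeated in every sysctl hunk through RHEL-08-040261 below, so whichever fix is chosen should be applied to all of them.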
@@ -6596,13 +6596,13 @@ - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." block: - name: "MEDIUM | RHEL-08-040210 | AUDIT | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040210_conflicting_settings - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.default.accept_redirects = [^0] state: absent @@ -6610,7 +6610,7 @@ when: rhel_08_040210_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6630,13 +6630,13 @@ - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." block: - name: "MEDIUM | RHEL-08-040220 | AUDIT | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.all.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.all.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040220_conflicting_settings - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.all.send_redirects = [^0] state: absent @@ -6644,7 +6644,7 @@ when: rhel_08_040220_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6662,13 +6662,13 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." block: - name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances" - shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040230_conflicting_settings - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.icmp_echo_ignore_broadcasts = [^1] state: absent @@ -6676,7 +6676,7 @@ when: rhel_08_040230_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6694,13 +6694,13 @@ - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." block: - name: "MEDIUM | RHEL-08-040239 | AUDIT | RHEL 8 must not forward IPv4 source-routed packets. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040239_conflicting_settings - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.all.accept_source_route = [^0] state: absent @@ -6708,7 +6708,7 @@ when: rhel_08_040239_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6726,13 +6726,13 @@ - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." block: - name: "MEDIUM | RHEL-08-040240 | AUDIT | RHEL 8 must not forward IPv6 source-routed packets. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040240_conflicting_settings - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.all.accept_source_route = [^0] state: absent @@ -6740,7 +6740,7 @@ when: rhel_08_040240_conflicting_settings.stdout |length > 0 - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6759,13 +6759,13 @@ - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." block: - name: "MEDIUM | RHEL-08-040249 | AUDIT | RHEL 8 must not forward IPv4 source-routed packets by default. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040249_conflicting_settings - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.default.accept_source_route = [^0] state: absent @@ -6773,7 +6773,7 @@ when: rhel_08_040249_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6791,13 +6791,13 @@ - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." block: - name: "MEDIUM | RHEL-08-040250 | AUDIT | RHEL 8 must not forward IPv6 source-routed packets by default. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040250_conflicting_findings - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.default.accept_source_route = [^0] state: absent @@ -6805,7 +6805,7 @@ when: rhel_08_040250_conflicting_findings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6824,21 +6824,21 @@ - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router." block: - name: "MEDIUM | RHEL-08-040259 | AUDIT | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040259_conflicting_settings - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}" when: rhel_08_040259_conflicting_settings.stdout | length > 0 - + - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6857,13 +6857,13 @@ - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router." block: - name: "MEDIUM | RHEL-08-040260 | AUDIT | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040260_conflicting_settings - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.all.forwarding = [^0] state: absent @@ -6871,7 +6871,7 @@ when: rhel_08_040260_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6890,13 +6890,13 @@ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." block: - name: "MEDIUM | RHEL-08-040261 | AUDIT | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.all.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040261_conflicting_settings - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.all.accept_ra = [^0] state: absent @@ -6904,7 +6904,7 @@ when: rhel_08_040261_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6924,13 +6924,13 @@ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." block: - name: "MEDIUM | RHEL-08-040262 | AUDIT | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.default.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false - failed_when: False + failed_when: false register: rhel_08_040262_conflicting_settings - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.default.accept_ra = [^0] state: absent @@ -6938,7 +6938,7 @@ when: rhel_08_040262_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6958,13 +6958,13 @@ - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." block: - name: "MEDIUM | RHEL-08-040270 | AUDIT | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.default.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.default.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040270_conflicting_settings - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.default.send_redirects = [^0] state: absent @@ -6972,7 +6972,7 @@ when: rhel_08_040270_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -6990,13 +6990,13 @@ - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." block: - name: "MEDIUM | RHEL-08-040279 | AUDIT | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040279_conflicting_settings - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.all.accept_redirects = [^0] state: absent @@ -7004,7 +7004,7 @@ when: rhel_08_040279_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7022,13 +7022,13 @@ - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." block: - name: "MEDIUM | RHEL-08-040280 | AUDIT | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Find conflicting instances" - shell: grep -rs "net.ipv6.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040280_conflicting_settings - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv6.conf.all.accept_redirects = [^0] state: absent @@ -7036,7 +7036,7 @@ when: rhel_08_040280_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7055,13 +7055,13 @@ - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." block: - name: "MEDIUM | RHEL-08-040281 | AUDIT | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Find conflicting instances" - shell: grep -rs "kernel.unprivileged_bpf_disabled = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.unprivileged_bpf_disabled = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040281_conflicting_settings - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: kernel.unprivileged_bpf_disabled = [^1] state: absent @@ -7069,7 +7069,7 @@ when: rhel_08_040281_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7087,13 +7087,13 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." block: - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances" - shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040282_conflicting_settings - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: kernel.yama.ptrace_scope = [^1] state: absent @@ -7101,7 +7101,7 @@ when: rhel_08_040282_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7119,13 +7119,13 @@ - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." block: - name: "MEDIUM | RHEL-08-040283 | AUDIT | RHEL 8 must restrict exposed kernel pointer addresses access. | Find conflicting instances" - shell: grep -rs "kernel.kptr_restrict = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.kptr_restrict = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040283_conflicting_settings - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: kernel.kptr_restrict = [^1] state: absent @@ -7133,7 +7133,7 @@ when: rhel_08_040283_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7151,13 +7151,13 @@ - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." block: - name: "MEDIUM | RHEL-08-040284 | AUDIT | RHEL 8 must disable the use of user namespaces. | Find conflicting instances" - shell: grep -rs "user.max_user_namespaces = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "user.max_user_namespaces = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040284_conflicting_settings - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: user.max_user_namespaces = [^0] state: absent @@ -7165,7 +7165,7 @@ when: rhel_08_040284_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7183,13 +7183,13 @@ - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." block: - name: "MEDIUM | RHEL-08-040285 | AUDIT | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Find conflicting instances" - shell: grep -rs "net.ipv4.conf.all.rp_filter = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.conf.all.rp_filter = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040285_conflicting_settings - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Replace conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: net.ipv4.conf.all.rp_filter = [^1] state: absent @@ -7197,7 +7197,7 @@ when: rhel_08_040285_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -7215,13 +7215,13 @@
 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler."
 block:
 - name: "MEDIUM | RHEL-08-040286 | AUDIT | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Find conflicting instances"
- shell: grep -rs "net.core.bpf_jit_harden = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.core.bpf_jit_harden = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040286_conflicting_settings
 
 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.core.bpf_jit_harden = [^2]
 state: absent
@@ -7229,7 +7229,7 @@
 when: rhel_08_040286_conflicting_settings.stdout | length > 0
 
 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7244,7 +7244,7 @@
 - V-244554
 
 - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction"
- command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
+ ansible.builtin.shell: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
 when:
 - "'postfix' in ansible_facts.packages"
 - rhel_08_040290
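Review bot: The RHEL-08-040290 task in the last hunk moves from `command` to `ansible.builtin.shell`, but `postconf -e '...'` uses no pipes, redirects or expansions, so the shell adds nothing except an extra layer of interpretation and an ansible-lint command-instead-of-shell finding; `ansible.builtin.command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"` keeps the same behaviour. No `changed_when` is visible in the hunk, so the task presumably reports changed on every run even when main.cf already holds the value; registering `postconf -h smtpd_client_restrictions` beforehand and keying `changed_when` on it would make the control idempotent. The task's `when:` list continues outside the hunk.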
@@ -7258,7 +7258,7 @@ - mail - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." - package: + ansible.builtin.package: name: - xorg-x11-server-Xorg - xorg-x11-server-common @@ -7280,7 +7280,7 @@ - gui - name: "MEDIUM | RHEL-08-040321 | PATCH | The graphical display manager must not be the default target on RHEL 8 unless approved." - file: + ansible.builtin.file: src: /usr/lib/systemd/system/multi-user.target dest: /etc/systemd/system/default.target state: link @@ -7298,7 +7298,7 @@ - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." block: - name: "MEDIUM | RHEL-08-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" - shell: "ip link | grep -i promisc | cut -d ':' -f 2" + ansible.builtin.shell: "ip link | grep -i promisc | cut -d ':' -f 2" check_mode: false failed_when: false changed_when: rhel_08_040670_promisc_check.stdout != '' @@ -7306,7 +7306,7 @@ register: rhel_08_040670_promisc_check - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" - shell: "ip link set dev {{ item }} promisc off" + ansible.builtin.shell: "ip link set dev {{ item }} promisc off" with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" when: - rhel_08_040330 @@ -7322,7 +7322,7 @@ - network - name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?X11Forwarding' line: 'X11Forwarding no' 
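Review bot: `ip link set dev {{ item }} promisc off` in the RHEL-08-040330 block has no shell features, so `ansible.builtin.command: "ip link set dev {{ item }} promisc off"` is the better module: the interface name is parsed out of `ip link` output and the command module hands it over as an argument instead of re-parsing the string through /bin/sh. The same task still uses `with_items`; `loop:` is the current form. The sshd_config edit for RHEL-08-040340 in the last hunk (and RHEL-08-040341 in the next line's hunk) has no `validate` visible, and a malformed sshd_config blocks every later SSH session, so `validate: '/usr/sbin/sshd -t -f %s'` on those lineinfile tasks is worth adding. The RHEL-08-040340 task body continues outside the hunk.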
@@ -7340,7 +7340,7 @@
 - ssh
 
 - name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '(?i)^#?X11UseLocalhost'
 line: 'X11UseLocalhost yes'
@@ -7355,20 +7355,19 @@ - SV-230556r858723_rule - ssh - - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" block: - - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' - changed_when: false - register: rhel8stig_current_kex - - - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' - line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>' - backrefs: true + - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_kex + + - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>' + backrefs: true notify: change_requires_reboot when: - rhel_08_040342 
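Review bot: The re-indented PATCH task of RHEL-08-040342 still has no opening quote on its `name` (`- name: MEDIUM | ... | get KEXs"`), so the value is a plain scalar carrying a stray trailing `"`, and its label says `get KEXs` although the task rewrites opensshserver.config; `- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Set KEXs"` fixes both. The AUDIT pipeline ends in `sed`, so a CRYPTO_POLICY line without a `-oKexAlgorithms` token does not fail the task; `rhel8stig_current_kex.stdout` is then empty and the PATCH `regexp` degrades to `(^CRYPTO_POLICY=.*)-o(.*$)`, which presumably rewrites whatever `-o` option comes last on the line. Guard the lineinfile with `when: rhel8stig_current_kex.stdout | length > 0`, and interpolate the captured value as `{{ rhel8stig_current_kex.stdout | regex_escape }}` so algorithm names are not read as regex metacharacters. The block's `when:` list continues outside the hunk.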
@@ -7382,7 +7381,7 @@ - fips - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." - lineinfile: + ansible.builtin.lineinfile: path: /etc/xinetd.d/tftp regexp: "(?i)^.*server_args.*=" line: "\tserver_args\t\t= -s /var/lib/tftpboot" @@ -7406,7 +7405,7 @@ - tftp - name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." - package: + ansible.builtin.package: name: gssproxy state: absent when: @@ -7423,7 +7422,7 @@ - gssproxy - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." - package: + ansible.builtin.package: name: iprutils state: absent when: @@ -7439,7 +7438,7 @@ - iprutils - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." - package: + ansible.builtin.package: name: tuned state: absent when: @@ -7455,7 +7454,7 @@ - tuned - name: "MEDIUM | RHEL-08-040400 | AUDIT | RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures." - debug: + ansible.builtin.debug: msg: - "Warning! This task is a manual task" - "Please do the following to conform to STIG standards" @@ -7473,7 +7472,7 @@ - selinux - name: "MEDIUM | RHEL-08-010163 | PATCH | The krb5-server package must not be installed on RHEL 8." - package: + ansible.builtin.package: name: krb5-server state: absent when: 
@@ -7491,13 +7490,13 @@
 - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel."
 block:
 - name: "MEDIUM | RHEL-08-010382 | AUDIT | RHEL 8 must restrict privilege elevation to authorized personnel. | Get ALL settings"
- shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
+ ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
 changed_when: false
 failed_when: false
 register: rhel_08_010382_sudoers_all
 
 - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 1"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'ALL ALL=(ALL) ALL'
 state: absent
@@ -7507,7 +7506,7 @@
 when: rhel_08_010382_sudoers_all.stdout | length > 0
 
 - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 2"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'ALL ALL=(ALL:ALL) ALL'
 state: absent
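Review bot: The `regexp` values of the two remove tasks, `'ALL ALL=(ALL) ALL'` and `'ALL ALL=(ALL:ALL) ALL'`, use unescaped parentheses, which the regex engine treats as groups, so they match the strings `ALL ALL=ALL ALL` and `ALL ALL=ALL:ALL ALL` and never the sudoers lines they are meant to delete; escape them as `regexp: 'ALL ALL=\(ALL\) ALL'` and `regexp: 'ALL ALL=\(ALL:ALL\) ALL'` (this applies to both hunks on this line). No `validate` is visible on either lineinfile, unlike the RHEL-08-010383 tasks that pass `validate: '/usr/sbin/visudo -cf %s'`; editing /etc/sudoers and /etc/sudoers.d/* without it risks leaving an unparsable file that disables sudo entirely. The `loop:` of the first remove task and the tail of the second continue outside the hunks.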
@@ -7530,13 +7529,13 @@
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo."
 block:
 - name: "MEDIUM | RHEL-08-010383 | AUDIT | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation"
- shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq
+ ansible.builtin.shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq
 changed_when: false
 failed_when: false
 register: rhel_08_010383_priv_escalation
 
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/sudoers
 line: "{{ item }}"
 validate: '/usr/sbin/visudo -cf %s'
@@ -7547,7 +7546,7 @@
 when: rhel_08_010383_priv_escalation.stdout | length == 0
 
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'Defaults !targetpw'
 line: 'Defaults !targetpw'
@@ -7558,7 +7557,7 @@
 - rhel_08_010383_priv_escalation.stdout | length > 0
 
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'Defaults !rootpw'
 line: 'Defaults !rootpw'
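Review bot: In the RHEL-08-010383 AUDIT pipeline, `grep -v '#'` drops every line that contains a `#` anywhere, so a valid entry with a trailing comment such as `Defaults !targetpw  # STIG` is not counted, `rhel_08_010383_priv_escalation.stdout` comes back empty and the "no findings" task presumably adds a second copy of the settings to /etc/sudoers; `grep -Ev '^\s*#'` excludes only comment lines. `egrep` is also obsolescent in GNU grep 3.8+ and prints a warning on stderr on each run; `grep -Eis '(!rootpw|!targetpw|!runaspw)'` is the equivalent. The "with findings" tasks in the second and third hunks edit `{{ item }}` sudoers files and no `validate` is visible there, unlike the `validate: '/usr/sbin/visudo -cf %s'` in the first hunk; their `loop:`/`when:` continue outside the hunks.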
@@ -7569,7 +7568,7 @@ - rhel_08_010383_priv_escalation.stdout | length > 0 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !runaspw' line: 'Defaults !runaspw' @@ -7593,13 +7592,13 @@ - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command." block: - name: "MEDIUM | RHEL-08-010384 | AUDIT | RHEL 8 must require re-authentication when using the sudo command. | Get files with timeout set" - shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_08_010384_timeout_files - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if no results" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}" @@ -7607,7 +7606,7 @@ when: rhel_08_010384_timeout_files.stdout | length == 0 - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if has results" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}" @@ -7628,7 +7627,7 @@ - sudo - name: "MEDIUM | RHEL-08-010385 | PATCH | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/sudo regex: 'pam_succeed_if' state: absent 
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 871333e8..0b41d7de 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -1,7 +1,7 @@ --- - name: "LOW | RHEL-08-010171 | PATCH | RHEL 8 must have policycoreutils package installed." - package: + ansible.builtin.package: name: policycoreutils when: - rhel_08_010171 @@ -15,7 +15,7 @@ - policycoreutils - name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: '^(#)?SSH_USE_STRONG_RNG=' line: SSH_USE_STRONG_RNG=32 @@ -35,13 +35,13 @@ - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." block: - name: "LOW | RHEL-08-010375 | AUIDT | RHEL 8 must restrict access to the kernel message buffer. | Find conflicting instances" - shell: grep -rs "kernel.dmesg_restrict = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.dmesg_restrict = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010375_conflicting_settings - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^kernel.dmesg_restrict = 0' state: absent @@ -49,7 +49,7 @@ when: rhel_08_010375_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
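Review bot: The AUDIT sub-task name in the RHEL-08-010375 block reads `AUIDT`, which breaks the `SEVERITY | ID | AUDIT|PATCH | ...` naming every other task follows and makes the task harder to find with `--start-at-task` or log greps; the corrected line is `- name: "LOW | RHEL-08-010375 | AUDIT | RHEL 8 must restrict access to the kernel message buffer. | Find conflicting instances"`. That task's `register:` and the remove task's `loop:` continue outside the hunk.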
@@ -67,13 +67,13 @@ - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." block: - name: "LOW | RHEL-08-010376 | AUDIT | RHEL 8 must prevent kernel profiling by unprivileged users. | Find conflicting instances" - shell: grep -rs "kernel.perf_event_paranoid = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.perf_event_paranoid = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010376_conflicting_settings - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^kernel.perf_event_paranoid = [^2]' state: absent @@ -81,7 +81,7 @@ when: rhel_08_010376_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl @@ -99,7 +99,7 @@ - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8." block: - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files" - find: + ansible.builtin.find: paths: /etc recurse: true file_type: any 
@@ -110,7 +110,7 @@ register: rhel_08_010440_package_confs - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item.path }}" regexp: '^.*clean_requirements_on_remove' line: 'clean_requirements_on_remove=True' @@ -133,7 +133,7 @@ LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" block: - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" - package: + ansible.builtin.package: name: rng-tools state: present when: @@ -141,7 +141,7 @@ - "'rng-tools' not in ansible_facts.packages" - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." - systemd: + ansible.builtin.systemd: name: rngd.service state: started enabled: true @@ -164,7 +164,7 @@ - V-244527 - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." - debug: + ansible.builtin.debug: msg: "WARNING!! /var is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex @@ -184,7 +184,7 @@ - var - name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." - debug: + ansible.builtin.debug: msg: - "WARNING!! /var/log is not mounted on a separate partition" changed_when: @@ -204,7 +204,7 @@ - mounts - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." - debug: + ansible.builtin.debug: msg: - "WARNING!! /var/log/audit is not mounted on a seperate partition" changed_when: 
@@ -225,7 +225,7 @@ - auditd - name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/limits.conf regexp: '^\* hard maxlogins' line: '* hard maxlogins {{ rhel8stig_maxlogins }}' @@ -245,7 +245,7 @@ - V-230346 - name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." - lineinfile: + ansible.builtin.lineinfile: path: /etc/shells regexp: 'tmux' state: absent @@ -261,7 +261,7 @@ - tmux - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/postlogin regexp: 'session.*required.*pam_lastlog\.so.*showfailed' line: "session required pam_lastlog.so showfailed" @@ -277,7 +277,7 @@ - V-230381 - name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: '^log_format =' line: "log_format = ENRICHED" 
@@ -296,27 +296,27 @@ - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." block: - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false register: rhel8stig_030601_grub_cmdline_linux - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" - shell: grubby --update-kernel=ALL --args="audit=1" + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" args: warn: false when: (ansible_proc_cmdline.audit is defined and ansible_proc_cmdline.audit != '1') or (ansible_proc_cmdline.audit is not defined) - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'audit=([^\s|"])+' replace: "audit=1" 
@@ -335,27 +335,27 @@ - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." block: - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false register: rhel8stig_030602_grub_cmdline_linux - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" - shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" args: warn: false when: (ansible_proc_cmdline.audit_backlog_limit is defined and ansible_proc_cmdline.audit_backlog_limit != '8192') or (ansible_proc_cmdline.audit_backlog_limit is not defined) - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| Set audit audit_backlog_limit for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'audit_backlog_limit=([^\s|"])+' replace: "audit_backlog_limit=8192" @@ -373,7 +373,7 @@ - auditd - name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" - lineinfile: + ansible.builtin.lineinfile: path: /etc/usbguard/usbguard-daemon.conf regexp: '^AuditBackend=' line: "AuditBackend=LinuxAudit" @@ -393,7 +393,7 @@ - usb - name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." - lineinfile: + ansible.builtin.lineinfile: path: /etc/chrony.conf regexp: '^port|#port' line: "port 0" @@ -410,7 +410,7 @@ - chrony - name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." - lineinfile: + ansible.builtin.lineinfile: path: /etc/chrony.conf regexp: '^cmdport|#cmdport' line: "cmdport 0" @@ -428,14 +428,14 @@ - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." block: - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" - shell: grubby --update-kernel=ALL --args="pti=on" + ansible.builtin.shell: grubby --update-kernel=ALL --args="pti=on" args: warn: false when: (ansible_proc_cmdline.pti is defined and ansible_proc_cmdline.pti != 'on') or (ansible_proc_cmdline.pti is not defined ) - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -443,14 +443,14 @@ register: rhel8stig_040004_grub_cmdline_linux - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' when: '"pti=on" not in rhel8stig_040004_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'pti=([^\s|"])+' replace: "pti=on" @@ -467,7 +467,7 @@ - grub - name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -493,7 +493,7 @@ - atm - name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -519,7 +519,7 @@ - can - name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -545,7 +545,7 @@ - sctp - name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -571,7 +571,7 @@ - tipc - name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -597,7 +597,7 @@ - cramfs - name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -625,7 +625,7 @@ - name: | "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." - template: + ansible.builtin.template: src: aide.conf.j2 dest: /etc/aide.conf owner: root diff --git a/tasks/main.yml b/tasks/main.yml index d616c996..34fb84d2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Gather distribution info - setup: + ansible.builtin.setup: gather_subset: distribution,!all,!min when: - ansible_distribution is not defined @@ -9,7 +9,7 @@ - always - name: Check OS version and family - assert: + ansible.builtin.assert: that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" 
@@ -19,7 +19,7 @@ - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(rhel8stig_min_ansible_version, '>=') fail_msg: "You must use Ansible {{ rhel8stig_min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ rhel8stig_min_ansible_version }}" @@ -29,14 +29,14 @@ - name: "Check password set for connecting user" block: - name: Capture current password state of connecting user" - shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" - assert: + ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" @@ -51,14 +51,14 @@ - name: "Ensure superuser for grub does not match existing user" block: - name: "Ensure superuser for grub does not match existing user | capture users" - shell: cat /etc/passwd | cut -d':' -f1 + ansible.builtin.shell: cat /etc/passwd | cut -d':' -f1 changed_when: false failed_when: false check_mode: false register: rhel8stig_user_list - name: "Ensure superuser for grub does not match existing user" - assert: + ansible.builtin.assert: that: rhel8stig_boot_superuser not in rhel8stig_user_list.stdout_lines fail_msg: "A unique name must be used for bootloader access user='{{ rhel8stig_boot_superuser }}' already exists refer to variable rhel8stig_boot_superuser" when: 
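Review bot: The `grep {{ ansible_env.SUDO_USER }} /etc/shadow` in the new `ansible.builtin.shell` line of the @@ -29 hunk is unanchored, so a user name that is a substring of another account (`ann` inside `joann`) or that happens to occur inside a hash field returns several lines, and the assertion that follows then tests a multi-line string rather than the connecting user's password field. Anchoring on the account name keeps the rest of the task unchanged: `ansible.builtin.shell: "grep '^{{ ansible_env.SUDO_USER }}:' /etc/shadow | cut -d: -f2"`. If `ansible_env.SUDO_USER` can be undefined (a direct root login without sudo) the template fails before the command runs; the block's `when:` that would guard that case is outside the hunk.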
@@ -71,15 +71,15 @@ - name: Setup rules if container block: - name: Discover and set container variable if required - set_fact: + ansible.builtin.set_fact: system_is_container: true - name: Load variable for container - include_vars: + ansible.builtin.include_vars: file: "{{ container_vars_file }}" - name: output if discovered is a container - debug: + ansible.builtin.debug: msg: system has been discovered as a container when: - system_is_container @@ -91,7 +91,7 @@ - always - name: Check rhel8stig_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" @@ -104,7 +104,7 @@ - grub - name: Check if using resolv.conf template settings are changed - assert: + ansible.builtin.assert: that: - rhel8_stig_resolv_domain != 'example.com' - rhel8_stig_resolv_search | length > 0 @@ -117,19 +117,19 @@ - always - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include prelim tasks - import_tasks: prelim.yml + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - run_audit - name: Include pre-remediation tasks - import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit - setup_audit 
@@ -137,51 +137,50 @@ - run_audit - name: Include CAT I patches - import_tasks: fix-cat1.yml + ansible.builtin.import_tasks: fix-cat1.yml when: rhel8stig_cat1_patch tags: - CAT1 - high - name: Include CAT II patches - import_tasks: fix-cat2.yml + ansible.builtin.import_tasks: fix-cat2.yml when: rhel8stig_cat2_patch tags: - CAT2 - medium - name: Include CAT III patches - import_tasks: fix-cat3.yml + ansible.builtin.import_tasks: fix-cat3.yml when: rhel8stig_cat3_patch | bool tags: - CAT3 - low - name: flush handlers - meta: flush_handlers + ansible.builtin.meta: flush_handlers tags: - CAT1 - CAT2 - CAT3 - - name: reboot system if changes require it and not skipped - reboot: + ansible.builtin.reboot: when: - - change_requires_reboot - - not rhel8stig_skip_reboot + - change_requires_reboot + - not rhel8stig_skip_reboot tags: - CAT1 - CAT2 - CAT3 - name: Include post-remediation tasks - import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit @@ -189,12 +188,12 @@ - run_audit - name: Warning a reboot required but skip option set - debug: + ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - change_requires_reboot - - rhel8stig_skip_reboot + - change_requires_reboot + - rhel8stig_skip_reboot tags: - CAT1 - CAT2 diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index c42159ea..ef4fbf6a 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml 
@@ -2,13 +2,13 @@ - name: "PRELIM | {{ rhel8stig_passwd_tasks }} | Parse /etc/passwd" block: - name: "PRELIM | {{ rhel8stig_passwd_tasks }} | Parse /etc/passwd" - command: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel8stig_passwd_file_audit - name: "PRELIM | {{ rhel8stig_passwd_tasks }} | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel8stig_passwd: "{{ rhel8stig_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel8stig_passwd_file_audit.stdout_lines }}" diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2249563c..821afd4d 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: rhel8stig_run_post_remediation.rc == 0 register: rhel8stig_run_post_remediation @@ -9,7 +9,7 @@ warn: false - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file 
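Review bot: Replacing `command: cat /etc/passwd` with `ansible.builtin.shell: cat /etc/passwd` is a step backwards: nothing in the command needs a shell, `shell` routes the string through /bin/sh, and ansible-lint flags exactly this (command-instead-of-shell). `ansible.builtin.command: cat /etc/passwd` produces the same `stdout_lines` for the `set_fact` that follows. The same `command`→`shell` swap appears in the post_remediation_audit.yml hunk at @@ -19 (`cat`/`tail -2 {{ post_audit_outfile }}`) and the pre_remediation_audit.yml hunks at @@ -101 and @@ -116, where the interpolated output path is now interpreted by a shell, whereas `ansible.builtin.command` passes it through without shell metacharacter expansion.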
@@ -19,13 +19,13 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" - command: "cat {{ post_audit_outfile }}" + - name: Post Audit | "capture data {{ post_audit_outfile }}" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Capture post-audit result - set_fact: + - name: Post Audit | Capture post-audit result + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -35,12 +35,12 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }}" - command: "tail -2 {{ post_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Post Audit | Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a72b60b1..c09253a3 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,14 +1,14 @@ --- - name: "Pre Audit | Setup the audit" - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - file: + ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' @@ -16,7 +16,7 @@ - name: "Pre Audit | If using git for content set up" block: - name: Pre Audit | Install git (rh8 python3) - package: + ansible.builtin.package: name: git state: present when: @@ -25,7 +25,7 @@ - "'git' not in ansible_facts.packages" - name: "Pre Audit | Install git (rh7 python2)" - package: + ansible.builtin.package: name: git state: present vars: 
@@ -36,7 +36,7 @@ - "'git' not in ansible_facts.packages" - name: "Pre Audit | retrieve audit content files from git" - git: + ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" @@ -44,7 +44,7 @@ - audit_content == 'git' - name: "Pre Audit | copy to audit content files to server" - copy: + ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 @@ -52,7 +52,7 @@ - audit_content == 'copy' - name: "Pre Audit | get audit content from url" - get_url: + ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: @@ -61,12 +61,12 @@ - name: "Pre Audit | Check Goss is available" block: - name: Pre Audit | Check for goss file - stat: + ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - name: "Pre Audit | If audit ensure goss is available" - assert: + ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists @@ -74,14 +74,14 @@ - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel8_efi_boot tags: - goss_template - name: "Pre Audit | Copy ansible default vars values to test audit" - template: + ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 @@ -91,7 +91,7 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: rhel8stig_run_pre_remediation.rc == 0 register: rhel8stig_run_pre_remediation 
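Review bot: The `ansible.builtin.get_url` task in the @@ -52 hunk fetches the audit content that `run_audit.sh` later executes (the @@ -91 hunk of this file) without any integrity check on what was downloaded, so the role's audit step trusts whatever `audit_files_url` currently serves. `get_url` supports pinning the artifact with its `checksum` parameter; a backward-compatible form is `checksum: "{{ audit_files_checksum | default(omit) }}"` with the expected `sha256:<digest>` supplied as a role variable. TLS on the URL (if it is https, which the hunk does not show) protects the transport but does not pin the publisher's artifact, which is what a checksum gives you. The task's `when:` list continues outside the hunk.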
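Review bot: The `ansible.builtin.assert` in the @@ -61 hunk carries a `msg:` but no `that:`, which is a required argument of the assert module; when its `when:` condition is true the task fails with a "missing required arguments: that" error instead of the intended "unable to find goss binary" message. Either make it a real assertion, `that: goss_available.stat.exists` with the existing text as `fail_msg:` and no `when:`, or keep the condition and switch the module to `ansible.builtin.fail:` with the same `msg:`. The rest of the `when:` list is outside the hunk.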
@@ -101,12 +101,12 @@ - name: "Pre Audit | Capture audit data if json format" block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: "Pre Audit | Capture pre-audit result" - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -116,12 +116,12 @@ - name: "Pre Audit | Capture audit data if documentation format" block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: "Pre Audit | Capture pre-audit result" - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bf42c7b8..17f6e7a8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -119,19 +119,19 @@ block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero assert: - that: - - rhel8stig_auto_mount_home_dirs_local_mount_point is defined - - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 + that: + - rhel8stig_auto_mount_home_dirs_local_mount_point is defined + - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" when: - - rhel8stig_autofs_remote_home_dirs + - rhel8stig_autofs_remote_home_dirs tags: - - RHEL-08-010690 - - complexity-high + - RHEL-08-010690 + - complexity-high - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories" shell: "{{ local_interactive_user_dir_command }}" diff --git a/vars/is_container.yml b/vars/is_container.yml index 37e1ef6d..5241528e 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -91,7 +91,6 @@ rhel_08_030731: false rhel_08_030063: false # rhel_08_030602: false # Also grub - # rsyslog rhel_08_010070: false rhel_08_010561: false From 63db6135d89ebfd121571dc1e928af92621b725c Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 11 Apr 2023 14:46:09 -0400 Subject: [PATCH 064/202] Revert " Change Signed-off-by: Stephen Williams Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index e265d327..3c95362f 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -120,7 +120,7 @@ - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - rhel8stig_boot_part not in ['/', ''] or - "'boot=' not in item" + 'boot=' not in item changed_when: - ansible_check_mode - rhel_08_010020_audit is failed 
From eb5c860fde0c55adeed5258190e956d85839ca20 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 11 Apr 2023 15:22:03 -0400 Subject: [PATCH 065/202] Fixed " Change Signed-off-by: Stephen Williams Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 3c95362f..58217d32 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -119,8 +119,8 @@ when: - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - - rhel8stig_boot_part not in ['/', ''] or - 'boot=' not in item + - "rhel8stig_boot_part not in ['/', ''] or + 'boot=' not in item" changed_when: - ansible_check_mode - rhel_08_010020_audit is failed From e92010802cbff344c2ce9e5a5e3c47b28b702b12 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Apr 2023 10:39:52 +0100 Subject: [PATCH 066/202] updated /var/log check, comments on 10600 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 63a9b43d..c8322a00 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1908,6 +1908,9 @@ - mounts - home +## Note Azure is currently default mounting /mnt for cloud-init this will cause issues +## refer to https://github.com/Azure/WALinuxAgent/issues/1971 + - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" 
@@ -6206,7 +6209,7 @@ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." - ansible.builtin.shell: mount | grep /var/log + ansible.builtin.shell: mount | grep -w "/var/log " changed_when: false failed_when: false register: rhel8stig_040126_var_log_status From a378d31aa3eb399dadba33a35c01414ba54be8c6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Apr 2023 10:40:20 +0100 Subject: [PATCH 067/202] Added comments around 10600-10620 Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index c8803033..18e95201 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -190,9 +190,12 @@ rhel_08_010571: true rhel_08_010572: true rhel_08_010580: true rhel_08_010590: true +## Note Azure is currently default mounting /mnt for cloud-init this will cause issues with these controls +## refer to https://github.com/Azure/WALinuxAgent/issues/1971 rhel_08_010600: true rhel_08_010610: true rhel_08_010620: true +## rhel_08_010630: true rhel_08_010640: true rhel_08_010650: true From 9d30f4d6ef066ddd877c3f3203ebfcbb0798d0a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Apr 2023 10:41:16 +0100 Subject: [PATCH 068/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index 9cdc4f21..e3d7abdb 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to RHEL8STIG +## Release 2.8.5 +- updated to /var/log mount check +- added commnets for /mnt and removeable media on Azure systems + ## Release 2.8.4 - ansible version updated to 2.10.1 minimum From 2dd7b0bf51417a7a182d9426ca4ae09a165e41ff Mon Sep 17 00:00:00 2001 
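Review bot: In the new `ansible.builtin.shell: mount | grep -w "/var/log "` line, `-w` and the trailing space work against each other: `-w` requires the character after the match to be a non-word character, but in `mount` output the match `/var/log ` is followed by the `t` of `type`, so on GNU grep this most likely matches nothing and `rhel8stig_040126_var_log_status.stdout` stays empty even when /var/log is a separate mount. Dropping `-w` and anchoring on the separators instead, `ansible.builtin.shell: mount | grep ' on /var/log '`, still excludes `/var/log/audit` as intended; `ansible.builtin.command: findmnt -n /var/log` would avoid the grep altogether if the later checks only inspect the mount options. The consumers of the registered variable are outside the hunk, so the downstream effect is inferred.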
From: Jacob Buskirk Date: Mon, 24 Apr 2023 17:08:08 +0000 Subject: [PATCH 069/202] Remove warn from command and shell Signed-off-by: Jacob Buskirk Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 -- tasks/fix-cat2.yml | 30 ------------------------------ tasks/fix-cat3.yml | 8 -------- tasks/prelim.yml | 4 ---- 4 files changed, 44 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 03ff8870..2f59864e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -104,8 +104,6 @@ - name: restart auditd ansible.builtin.shell: /usr/sbin/service auditd restart - args: - warn: false when: - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c8322a00..56476096 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -248,8 +248,6 @@ - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" ansible.builtin.shell: "passwd -l {{ item }}" - args: - warn: false with_items: - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" when: @@ -902,8 +900,6 @@ "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root or a system account. | Get commands no group-owned by root" ansible.builtin.shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" - args: - warn: false changed_when: false failed_when: false register: rhel_08_010300_commands 
@@ -949,8 +945,6 @@ "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" ansible.builtin.shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" - args: - warn: false changed_when: false failed_when: false register: rhel_08_010330_library_files @@ -1396,8 +1390,6 @@ block: - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_010421_grub_cmdline_linux @@ -1436,8 +1428,6 @@ block: - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_010422_grub_cmdline_linux @@ -1476,8 +1466,6 @@ block: - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_010423_grub_cmdline_linux @@ -1834,8 +1822,6 @@ block: - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' - args: - warn: false changed_when: false check_mode: false register: rhel8stig_010580_mounts_nodev 
@@ -2116,8 +2102,6 @@ block: - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -002 - args: - warn: false changed_when: false failed_when: false register: rhel_08_010660_world_writable_files @@ -2642,8 +2626,6 @@ block: - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" ansible.builtin.shell: find / -nouser - args: - warn: false changed_when: false failed_when: false register: rhel_08_010780_nouser_files @@ -3326,8 +3308,6 @@ block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' - args: - warn: false changed_when: false failed_when: false register: rhel_08_020050_removal_action @@ -3392,8 +3372,6 @@ block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' - args: - warn: false changed_when: false failed_when: false register: rhel_08_020060_idle_delay_param @@ -4574,8 +4552,6 @@ block: - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - args: - warn: false changed_when: false failed_when: false register: rhel_08_030110_audit_log_dir 
@@ -6039,8 +6015,6 @@ block: - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available" ansible.builtin.shell: rpm -q NetworkManager - args: - warn: false check_mode: false changed_when: false register: rhel_08_nmcli_available @@ -6048,8 +6022,6 @@ - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi - args: - warn: false register: rhel_08_wifi_enabled check_mode: false changed_when: rhel_08_wifi_enabled.stdout != "disabled" @@ -6117,8 +6089,6 @@ "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option." "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option." ansible.builtin.shell: mount | grep /dev/shm - args: - warn: false changed_when: false failed_when: false register: rhel8stig_040120_dev_shm_status diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 0b41d7de..974616f3 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -303,8 +303,6 @@ - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" - args: - warn: false when: (ansible_proc_cmdline.audit is defined and ansible_proc_cmdline.audit != '1') or (ansible_proc_cmdline.audit is not defined) @@ -342,8 +340,6 @@ - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" - args: - warn: false when: (ansible_proc_cmdline.audit_backlog_limit is defined and ansible_proc_cmdline.audit_backlog_limit != '8192') or (ansible_proc_cmdline.audit_backlog_limit is not defined) 
@@ -429,15 +425,11 @@ block: - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" ansible.builtin.shell: grubby --update-kernel=ALL --args="pti=on" - args: - warn: false when: (ansible_proc_cmdline.pti is defined and ansible_proc_cmdline.pti != 'on') or (ansible_proc_cmdline.pti is not defined ) - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_040004_grub_cmdline_linux diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 17f6e7a8..835f8ef7 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -166,8 +166,6 @@ - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" shell: df --output=target /boot | tail -n 1 - args: - warn: false changed_when: false check_mode: false register: rhel_08_boot_part @@ -288,8 +286,6 @@ - name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' - args: - warn: false with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010770_ini_file_list changed_when: false From f30ef007abf69e0d4cc2d8ce0097556765a4823b Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Fri, 28 Apr 2023 12:02:14 -0400 Subject: [PATCH 070/202] Fix rule RHEL-08-040171 Add -l option to grep to produce a list of file names instead of a list of matches.66818F2AD22C537F Signed-off-by: PoundsOfFlesh Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 58217d32..c47855b2 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -427,7 +427,7 @@ - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." block: - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" - ansible.builtin.shell: grep -s logout /etc/dconf/db/local.d/* + ansible.builtin.shell: grep -sl logout /etc/dconf/db/local.d/* changed_when: false failed_when: false register: rhel_08_040171_logout_settings_status From 588b073f393bedef2767ab596a437da722f30a0a Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Fri, 28 Apr 2023 12:50:40 -0400 Subject: [PATCH 071/202] Fixed lookbehind regex for rule RHEL-08-010671 Fixed the regular expression for finding lines containing the text "kernel.core_pattern" that do not end in /bin/false. Needed to add the -P option to enable look around expressions in grep. Signed-off-by: PoundsOfFlesh Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 56476096..c0ad277e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2166,7 +2166,7 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." block: - name: "MEDIUM | RHEL-08-010671 | AUDIT | RHEL 8 must disable the kernel.core_pattern." - ansible.builtin.shell: grep -rs 'kernel.core_pattern\s+=\s*[? 0 From 2e6a40ef3fb1d1ad12ddc64592c87bf2f06dc8fd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 16:48:30 +0100 Subject: [PATCH 072/202] fixed spacing Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index c47855b2..5fd0c7dd 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
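Review bot: The pattern `logout` is unanchored, so `grep -sl logout /etc/dconf/db/local.d/*` now lists any file where the word appears, including in a comment or another key, and the "setting existing" check passes for a file that never sets `logout=''`. If the consumer only wants files that actually carry the assignment, `ansible.builtin.shell: grep -slE '^logout=' /etc/dconf/db/local.d/*` keeps the file-list behaviour this commit adds while matching only a real key line. How `rhel_08_040171_logout_settings_status` is consumed lies outside this hunk, so this is inferred from the `-l` change alone.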
@@ -2,7 +2,7 @@ - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." ansible.builtin.debug: - msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} + msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') when: - rhel_08_010000 From 5be42712929adfed70c50cc7ebf5e7cdecef33be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 16:48:58 +0100 Subject: [PATCH 073/202] Added OS specific vars Signed-off-by: Mark Bolwell --- tasks/main.yml | 5 +++++ vars/AlmaLinux.yml | 9 +++++++++ vars/RedHat.yml | 13 +++++++++++++ vars/Rocky.yml | 9 +++++++++ 4 files changed, 36 insertions(+) create mode 100644 vars/AlmaLinux.yml create mode 100644 vars/RedHat.yml create mode 100644 vars/Rocky.yml diff --git a/tasks/main.yml b/tasks/main.yml index 34fb84d2..a7ab4fec 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -90,6 +90,11 @@ - container_discovery - always +- name: Include OS specific variables + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + tags: + - always + - name: Check rhel8stig_bootloader_password_hash variable has been changed ansible.builtin.assert: that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml new file mode 100644 index 00000000..1d3aa592 --- /dev/null +++ b/vars/AlmaLinux.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'AlmaLinux' + packager: "packager@almalinux.org" + fingerprint: "5E9B 8F56 17B5 066C E920 57C3 488F CF7C 3ABB 34F8" + +gpg_package: almalinux-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 00000000..7cb76337 --- /dev/null +++ b/vars/RedHat.yml 
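Review bot: `ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"` fails hard on any host whose `ansible_distribution` has no matching file under vars/, and this commit only adds AlmaLinux, RedHat and Rocky (OracleLinux is added by a later commit on this page), so the role stops working on every other distribution it previously ran on. A `first_found` lookup with a fallback entry avoids that, e.g. `ansible.builtin.include_vars: "{{ lookup('first_found', [ansible_distribution ~ '.yml', 'default.yml'], paths=[role_path ~ '/vars']) }}"` with a `default.yml` placeholder that defines empty `gpg_keys: []`. At minimum a comment above the task should state that a vars file per supported distribution is required for the RHEL-08-010019 check that consumes `gpg_keys`, `gpg_package` and `rpm_gpg_key`.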
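Review bot: The key fingerprints in `vars/AlmaLinux.yml`, and likewise in `vars/RedHat.yml`, `vars/Rocky.yml` and `vars/OracleLinux.yml` later on this page, carry no indication of where they were taken from, yet RHEL-08-010019 compares the installed vendor key against them, so a maintainer cannot re-verify them when a vendor rotates keys. A comment above each `fingerprint:` naming the vendor key page or the `gpg --with-fingerprint` output it was copied from, e.g. `# Source: <VENDOR KEY PAGE URL> — re-verify on key rotation`, makes the check auditable. The files also mix quoting styles (`name: 'AlmaLinux'` beside `packager: "packager@almalinux.org"`); single quotes throughout would match the file's own convention and yamllint's preference.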
@@ -0,0 +1,13 @@ +--- + +gpg_keys: + - name: 'release key 2' + packager: 'security@redhat.com' + fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' + + - name: 'auxiliary key' + packager: 'security@redhat.com' + fingerprint: '6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792' + +gpg_package: redhat-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution | lower }}-release diff --git a/vars/Rocky.yml b/vars/Rocky.yml new file mode 100644 index 00000000..0af890b7 --- /dev/null +++ b/vars/Rocky.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'Release Engineering' + packager: "infrastructure@rockylinux.org" + fingerprint: "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60" + +gpg_package: rocky-gpg-keys +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial From 694e8a1923b1ab4f4106d552575d1a7733f099e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 16:49:13 +0100 Subject: [PATCH 074/202] fixed title naming Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 835f8ef7..816515a1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -284,7 +284,7 @@ when: - rhel8stig_ssh_required -- name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." +- name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010770_ini_file_list From 47a24856846583427e3fdff95e6319d162c410a5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:40:42 +0100 Subject: [PATCH 075/202] Os specific vars Signed-off-by: Mark Bolwell --- vars/OracleLinux.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 vars/OracleLinux.yml 
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml new file mode 100644 index 00000000..90639e13 --- /dev/null +++ b/vars/OracleLinux.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'Oracle OSS group' + packager: "build@oss.oracle.com" + fingerprint: "76FD 3DB1 3AB6 7410 B89D B10E 8256 2EA9 AD98 6DA3" + +gpg_package: oraclelinux-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle From 64b1a7b42fb571492efbc7e6dcef631df6e11b53 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:40:53 +0100 Subject: [PATCH 076/202] updated Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e6ff9daf..e1176058 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,9 +1,16 @@ ## metadata for Audit benchmark -benchmark_version: '1.9' +benchmark_version: '1.10' rhel8stig_os_distribution: {{ ansible_distribution | lower }} +gpg_keys: +{% for info in gpg_keys %} + - name: {{ info.name }} + fingerprint: {{ info.fingerprint }} +{% endfor %} +gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ gpg_package }} + rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} @@ -67,6 +74,7 @@ RHEL_08_040360: {{ rhel_08_040360 }} # Cat 2 rules RHEL_08_010001: {{ rhel_08_010001 }} RHEL_08_010010: {{ rhel_08_010010 }} +RHEL_08_010019: {{ rhel_08_010019 }} RHEL_08_010030: {{ rhel_08_010030 }} RHEL_08_010040: {{ rhel_08_010040 }} # Variable options below RHEL_08_010049: {{ rhel_08_010049 }} # Variable options below @@ -113,6 +121,7 @@ RHEL_08_010340: {{ rhel_08_010340 }} RHEL_08_010341: {{ rhel_08_010341 }} RHEL_08_010350: {{ rhel_08_010350 }} RHEL_08_010351: {{ rhel_08_010351 }} +RHEL_08_010358: {{ rhel_08_010358 }} RHEL_08_010359: {{ rhel_08_010359 }} RHEL_08_010360: {{ rhel_08_010360 }} RHEL_08_010372: {{ rhel_08_010372 }} 
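Review bot: `gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ gpg_package }}` builds a key path from the package name, which does not match the key file the role itself uses: the vars files define `gpg_package` as the release package (e.g. `almalinux-release`) and keep the key path in the separate `rpm_gpg_key` variable (`/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux`), so the goss side would look for `RPM-GPG-KEY-almalinux-release`. Emitting both variables as they are, `gpg_package: {{ gpg_package }}` and `rpm_gpg_key: {{ rpm_gpg_key }}`, keeps the audit in step with the remediation task. The looped `name:` and `fingerprint:` values are also unquoted in the rendered YAML; quoting them (`- name: "{{ info.name }}"`, `fingerprint: "{{ info.fingerprint }}"`) avoids a parse surprise if a key name ever contains `: ` or ` #`.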
From fa24d9d9ab6e66a5b89d89c2806275b77bf6e626 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:41:00 +0100 Subject: [PATCH 077/202] updated Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e8f9012c..3b48ccf1 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 9 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R9_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 10 released on April 24, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R10_STIG.zip). --- From 9fff2f627e3b1a8d3036270993a1d15d23712cd6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:44:15 +0100 Subject: [PATCH 078/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 31 +++++++++++++++++++++++++++++++ defaults/main.yml | 6 ++++-- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index e3d7abdb..67a65e77 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -1,6 +1,37 @@ # Changes to RHEL8STIG +## 2.9.0 Stig V1R10 27th April 2023 + +- Added new controls + - RHEL-08-10019 + - RHEL-08-10358 +- updated control IDs + - RHEL-08-10360 + - RHEL-08-10540 + - RHEL-08-10541 + - RHEL-08-10544 + - RHEL-08-10800 + - RHEL-08-20040 + - RHEL-08-20100 + - RHEL-08-20101 + - RHEL-08-20102 + - RHEL-08-20103 + - RHEL-08-20220 + - RHEL-08-20221 + - RHEL-08-20270 + - RHEL-08-30070 + - RHEL-08-40150 + +## Release 2.8.6 + +- [#194](https://github.com/ansible-lockdown/RHEL8-STIG/issues/194) thanks to @JacobBuskirk +- [#196](https://github.com/ansible-lockdown/RHEL8-STIG/issues/196) thanks to @jmalpede + +- [#195](https://github.com/ansible-lockdown/RHEL8-STIG/pull/195) thanks to PoundsOfFlesh +- [#197](https://github.com/ansible-lockdown/RHEL8-STIG/pull/197) thanks to PoundsOfFlesh + ## Release 2.8.5 + - updated to /var/log mount check - added commnets for /mnt and removeable media on Azure systems diff --git a/defaults/main.yml b/defaults/main.yml index 18e95201..73f94b26 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r9' +benchmark_version: 'v1r10' ## Benchmark name used by audting control role # The audit variable found at the base @@ -108,6 +108,7 @@ rhel_08_040360: true # CAT 2 rules rhel_08_010001: true rhel_08_010010: true +rhel_08_010019: true rhel_08_010030: true rhel_08_010040: true rhel_08_010049: true @@ -154,6 +155,7 @@ rhel_08_010340: true rhel_08_010341: true rhel_08_010350: true rhel_08_010351: true +rhel_08_010358: true rhel_08_010359: true rhel_08_010360: true rhel_08_010372: true 
@@ -614,7 +616,7 @@ rhel8stig_aide_cron: special_time: daily # Disable the notification check rule to disable mailing notifications notify_by_mail: true - notify_cmd: ' | /var/spool/mail -s "$(hostname) - Daily aide integrity check run" root@localhost' + notify_cmd: ' | /bin/mail -s "$(hostname) - Daily aide integrity check run" root@localhost' rhel8stig_cron_special_disable: "{{ rhel8stig_workaround_for_disa_benchmark or From 588809a73ce30f13c35e49df16df9eeece7839d4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:44:27 +0100 Subject: [PATCH 079/202] new controls and rule updates Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 161 +++++++++++++++++++++++++++++++-------------- 1 file changed, 112 insertions(+), 49 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c0ad277e..0817bd69 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
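Review bot: `notify_cmd` now pipes the aide report to `/bin/mail`, which appears to rely on the mailx package that this commit series installs only through the new RHEL-08-010358 task (gated on `rhel_08_010358`); with that control disabled and `notify_by_mail: true`, the daily aide cron job would pipe into a binary that may not exist. A comment above the key stating the dependency, `# requires mailx (/bin/mail); installed by the RHEL-08-010358 task when rhel_08_010358 is true`, would make that coupling visible in defaults. The `rhel8stig_aide_cron` mapping starts above this hunk.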
@@ -43,6 +43,40 @@ - SV-230222r627750_rule - V-230222 +- name: "MEDIUM | RHEL-08-010019 | PATCH | RHEL 8 must ensure cryptographic verification of vendor software packages." + block: + - name: "MEDIUM | RHEL-08-010019 | PATCH | RHEL 8 must ensure cryptographic verification of vendor software packages. | package installed" + ansible.builtin.package: + name: "{{ gpg_package }}" + state: present + when: "gpg_package not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-010019 | AUDIT | RHEL 8 must ensure cryptographic verification of vendor software packages. | Confirm keys" + ansible.builtin.shell: "gpg -q --keyid-format short --with-fingerprint {{ rpm_gpg_key }} | grep -B1 '{{ item.name }}' | grep '{{ item.fingerprint }}'" + changed_when: false + failed_when: rhel_08_010019_gpg_info.rc not in [ 0, 1] + register: rhel_08_010019_gpg_info + loop: "{{ gpg_keys }}" + loop_control: + label: item.name + + - name: "MEDIUM | RHEL-08-010019 | AUDIT | RHEL 8 must ensure cryptographic verification of vendor software packages. | warn" + ansible.builtin.debug: + msg: + - "WARNING!! Please investigate the vendor gpgkeys match expected values" + loop: "{{ rhel_08_010019_gpg_info.results }}" + when: item.rc != 0 + when: + - not system_is_ec2 + - rhel_08_010019 + tags: + - RHEL-08-010019 + - CAT2 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-256973r902752_rule + - V-256973 + - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." block: - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" 
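Review bot: `loop_control: label: item.name` is a literal string, not a template, so every iteration of the key check is labelled with the text `item.name` instead of the key name; it should read `label: "{{ item.name }}"`. The fingerprint match also depends on gpg's human-readable layout (`grep -B1` assumes the fingerprint line sits directly above the uid line), which the machine-readable format makes explicit and stable, e.g. `gpg -q --with-colons --with-fingerprint {{ rpm_gpg_key }} | grep '^fpr:' | grep -q '{{ item.fingerprint | replace(' ', '') }}'` — colon output prints fingerprints without spaces, hence the `replace`, and since each loop item is checked by its own fingerprint the name match becomes unnecessary. Finally the block only prints a warning on mismatch; a wrong vendor key is the exact condition this control exists to catch, so consider `changed_when: true` on the debug task so it surfaces in the play summary, as the RHEL-08-010544 warning later in this commit does.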
@@ -1098,6 +1132,22 @@ - V-251709 - permissions +- name: "MEDIUM | RHEL-08-010358 | PATCH | RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel. | pkg install" + ansible.builtin.package: + name: mailx + state: present + when: + - "'mailx' not in ansible_facts.packages" + - rhel_08_010358 + tags: + - RHEL-08-010358 + - CAT2 + - CCI-001744 + - SRG-OS-000363-GPOS-00150 + - SV-251710r880730_rule + - V-256974 + - mailx + - name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | pkg install" ansible.builtin.package: name: aide @@ -1144,7 +1194,9 @@ - CAT2 - CCI-001744 - SRG-OS-000363-GPOS-00150 - - SV-230263r880708_rule + - SRG-OS-000446-GPOS-00200 + - SRG-OS-000447-GPOS-00201 + - SV-230263r902716_rule - V-230263 - aide - cron 
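Review bot: The tag list pairs `SV-251710r880730_rule` with `V-256974`, but everywhere else on this page the SV and V numbers agree (e.g. `SV-256973r902752_rule` / `V-256973` for RHEL-08-010019), and `SV-251710` appears to belong to the adjacent RHEL-08-010359 aide task, so the rule id looks copied from there. It should be the rule id that goes with V-256974, `SV-256974r<REVISION>_rule`, with the revision taken from the V1R10 XCCDF. Anyone selecting tasks by rule tag would otherwise run the mailx install under the aide control's id.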
@@ -1692,26 +1744,21 @@ - tmp - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." - block: - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" - ansible.builtin.debug: - msg: "WARNING!! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is defined - when: "'/var/tmp' not in mount_names" - - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" - ansible.builtin.debug: - msg: "Congratulations: /var/tmp does exist." - when: "'/var/tmp' in mount_names" + ansible.builtin.debug: + msg: + - "WARNING!! /var/tmp is not mounted on a seperate partition" + changed_when: + - rhel8stig_audit_complex when: - rhel_08_010544 + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/var/tmp$') | list | length == 0 tags: - RHEL-08-010544 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-244529r743836_rule + - SV-244529r902737_rule - V-244529 - mounts @@ -2686,7 +2733,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230328r627750_rule + - SSV-230328r902723_rule - V-23032 - complexity-high - mounts @@ -3278,7 +3325,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230348r880720_rule + - SV-230348r902725_rule - V-230348 - tmux @@ -3491,8 +3538,8 @@ - name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." ansible.builtin.lineinfile: path: /etc/pam.d/password-auth - regexp: '^password\s+required\s+pam_pwquality.so' - line: 'password required pam_pwquality.so' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so' + line: 'password requisite pam_pwquality.so' insertafter: '^password' owner: root group: root 
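Review bot: The rewritten task gates on `rhel8stig_complex` but reports change via `rhel8stig_audit_complex`; if these are two distinct variables the warning's changed status is independent of the condition that ran it, and if only one of them is defined the other raises an undefined-variable error. Using one variable in both places, `changed_when: rhel8stig_audit_complex` under `when: - rhel8stig_audit_complex`, or a comment explaining why the two differ, would remove the ambiguity. `seperate` in the warning message is also a typo (`separate`).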
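Review bot: The replaced rule tag reads `SSV-230328r902723_rule`, a doubled `S` that none of the other updated tags in this commit have, so selecting this task by rule id will miss it; it should be `- SV-230328r902723_rule`. The adjacent context tag `V-23032` is also one digit short of the `V-230328` that the SV id implies and is worth correcting in the same pass.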
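Review bot: Widening the regexp to `^password\s+(required|requisite)\s+pam_pwquality.so` makes `lineinfile` replace an existing `requisite` line, and because `line:` carries no module arguments any arguments already on that line (typically `retry=`, `try_first_pass` or similar) are dropped; the previous pattern only matched lines using `required`, so this is new behaviour. Preserving the rest of the line with a capture, `regexp: '^password\s+(required|requisite)\s+(pam_pwquality\.so.*)$'`, `line: 'password requisite \2'` and `backrefs: true`, keeps the arguments, though `backrefs: true` also suppresses insertion when no line matches, so the insert case would need a second task or the `community.general.pamd` module already used for RHEL-08-020102. The same applies to the system-auth task (RHEL-08-020101) in the next hunk and to the `pam_pwhistory` tasks for RHEL-08-020220/020221 further down, whose unanchored `regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember='` likewise replaces the whole line.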
@@ -3504,15 +3551,15 @@ - CAT2 - CCI-000366 - SRG-OS-000069-GPOS-00037 - - SV-230356r809379_rule + - SV-230356r902728_rule - V-230356 - pamd - name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: '^password\s+required\s+pam_pwquality.so' - line: 'password required pam_pwquality.so' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so' + line: 'password requisite pam_pwquality.so' insertafter: '^password' owner: root group: root @@ -3524,14 +3571,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251713r810407_rule + - SV-251713r902740_rule - V-251713 - pamd - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Get pam_pwquality state" - ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*requisite.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020102_pwquality_status 
@@ -3539,7 +3586,8 @@ - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + line: 'password requisite pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' owner: root group: root @@ -3550,7 +3598,7 @@ community.general.pamd: name: system-auth type: password - control: required + control: requisite module_path: pam_pwquality.so module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' state: args_present @@ -3563,14 +3611,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251714r810410_rule + - SV-251714r902743_rule - V-251714 - pamd - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Get pam_pwquality state" - ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*requisite.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020103_pwquality_status 
@@ -3578,7 +3626,8 @@ - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth - line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + line: 'password requisite pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' owner: root group: root @@ -3589,7 +3638,7 @@ community.general.pamd: name: password-auth type: password - control: required + control: requisite module_path: pam_pwquality.so module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' state: args_present @@ -3602,7 +3651,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251715r810412_rule + - SV-251715r902746_rule - V-251715 - pamd @@ -3858,7 +3907,7 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status" - ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*requisite.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020220_pwhistory_status 
@@ -3866,7 +3915,8 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth - line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember=' + line: "password requisite pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' owner: root group: root @@ -3877,7 +3927,7 @@ community.general.pamd: name: password-auth type: password - control: required + control: requisite module_path: pam_pwhistory.so module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' state: args_present @@ -3889,14 +3939,14 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-230368r810414_rule + - SV-230368r902759_rule - V-230368 - pamd - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state " - ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*requisite.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020221_pwhistory_status 
@@ -3904,7 +3954,8 @@ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember=' + line: "password requisite pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' owner: root group: root @@ -3915,7 +3966,7 @@ community.general.pamd: name: system-auth type: password - control: required + control: requisite module_path: pam_pwhistory.so module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' state: args_present @@ -3927,7 +3978,7 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-251717r858745_rule + - SV-251717r902749_rule - V-251717 - pamd 
@@ -4092,15 +4143,15 @@ - V-230373 - useradd -- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." +- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours." block: - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours." ansible.builtin.shell: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" changed_when: false failed_when: false register: rhel_08_020270_system_users - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours." ansible.builtin.debug: msg: - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" @@ -4112,7 +4163,7 @@ - CAT2 - CCI-001682 - SRG-OS-000123-GPOS-00064 - - SV-230374r627750_rule + - SV-230374r903129_rule - V-230374 - user 
@@ -4458,10 +4509,22 @@ - auditd - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_group =' - line: "log_group = root" + block: + - name: "MEDIUM | RHEL-08-030070 | AUDIT | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | logfile location" + ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | awk '{print $NF}' + register: rhel08_030070_auditlog_location + changed_when: false + + - name: "MEDIUM | RHEL-08-030070 | AUDIT | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | check file exists" + ansible.builtin.stat: + path: "{{ rhel08_030070_auditlog_location.stdout }}" + register: rhel08_030070_auditlog + + - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | logfile location" + ansible.builtin.file: + path: "{{ rhel08_030070_auditlog_location.stdout }}" + state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}" + mode: '0600' when: - rhel_08_030070 tags: @@ -4469,7 +4532,7 @@ - CAT2 - CCI-000162 - SRG-OS-000057-GPOS-00027 - - SV-230396r627750_rule + - SV-230396r902733_rule - V-230396 - permissions - log @@ -5592,7 +5655,7 @@ - V-230480 - auditd -- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." +- name: "MEDIUM | RHEL-08-030710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." ansible.builtin.lineinfile: path: /etc/rsyslog.conf create: true 
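Review bot: The new `grep -iw log_file ... | awk '{print $NF}'` task has no `check_mode: false`, so in check mode it is skipped and `rhel08_030070_auditlog_location.stdout` is undefined when the following `stat` and `file` tasks template their `path`, failing the run; the comparable audit shells elsewhere in this file set `check_mode: false` alongside `changed_when: false`. `grep -iw log_file` also matches a commented-out line or any other line containing that word, and with more than one hit `.stdout` becomes a multi-line "path"; `grep -iE '^\s*log_file\s*=' /etc/audit/auditd.conf | awk '{print $NF}'` narrows it to the active setting. `state: "{{ ... | ternary('file', 'touch') }}"` creates an empty audit log when none exists, which may be intended but deserves a why-comment. The task's tags continue outside this hunk.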
@@ -6456,7 +6519,7 @@ - CAT2 - CCI-002385 - SRG-OS-000420-GPOS-00186 - - SV-230525r744029_rule + - SV-230525r902735_rule - V-230525 - firewall - nftables From a98046c475413a7fa27ecf4424567da4783ab936 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:44:34 +0100 Subject: [PATCH 080/202] rule updates Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 974616f3..4dadae25 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -177,7 +177,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230292r627750_rule + - SV-230292r902718_rule - V-230292 - complexity-high - mounts @@ -198,7 +198,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230293r627750_rule + - SV-230293r902720_rule - V-230293 - complexity_high - mounts From d96583a20b465373ce739513bd20219eb04bda70 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 09:35:54 +0100 Subject: [PATCH 081/202] fixed gnutls as per issue 196 thansk to @jmalpede Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 73f94b26..6ac940ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -881,7 +881,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less From 7fe9e314860e28c0350943c74ad224fcec79de0c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 08:59:27 +0100 Subject: [PATCH 082/202] tidy spacing Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 5fd0c7dd..59c223f4 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -2,7 +2,7 @@ - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." ansible.builtin.debug: - msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} + msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') when: - rhel_08_010000 From 0807abc2cf77404e4005b63fc7527c94fae01a1f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 08:59:40 +0100 Subject: [PATCH 083/202] Added OracleLinux Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) 
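Review bot: The two comment lines above the variable (context in this hunk) now contradict the new value: they still say the task sets `+VERS-ALL:` and that the variable must contain `+VERS-ALL:-VERS-DTLS0.9:...`, while the new default drops the `+VERS-ALL:` prefix. Update them in the same change, e.g. `# to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0`, and reword the first line so it no longer claims the variable carries `+VERS-ALL:` (fixing the `teh`/`ecryption` typos at the same time). Whether the RHEL-08-010295 task now supplies `+VERS-ALL:` itself cannot be confirmed from this diff, so a pointer to the issue in the comment would help the next reader.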
diff --git a/defaults/main.yml b/defaults/main.yml index 6ac940ce..2e444387 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -573,6 +573,7 @@ rhel8stig_min_supported_os_ver: CentOS: "8.7" Rocky: "8.7" AlmaLinux: "8.7" + OracleLinux: "8.7" # RHEL-08-040260 # If system is not router, run tasks that disable router functions. From 325a54c2c16148442233e0958453399a5bc0fa96 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 08:59:52 +0100 Subject: [PATCH 084/202] Updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 67a65e77..a49d2bcd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -22,6 +22,8 @@ - RHEL-08-30070 - RHEL-08-40150 +- OracleLinux tested and added + ## Release 2.8.6 - [#194](https://github.com/ansible-lockdown/RHEL8-STIG/issues/194) thanks to @JacobBuskirk From df31a8e7358df30adfb614dd4a850e98181cf0f4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 09:01:16 +0100 Subject: [PATCH 085/202] lint Signed-off-by: Mark Bolwell --- vars/AlmaLinux.yml | 6 +++--- vars/OracleLinux.yml | 6 +++--- vars/RedHat.yml | 12 ++++++------ vars/Rocky.yml | 6 +++--- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 1d3aa592..676316f6 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,9 +1,9 @@ --- gpg_keys: - - name: 'AlmaLinux' - packager: "packager@almalinux.org" - fingerprint: "5E9B 8F56 17B5 066C E920 57C3 488F CF7C 3ABB 34F8" + - name: 'AlmaLinux' + packager: "packager@almalinux.org" + fingerprint: "5E9B 8F56 17B5 066C E920 57C3 488F CF7C 3ABB 34F8" gpg_package: almalinux-release rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index 90639e13..9c205dfd 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml 
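Review bot: The new `OracleLinux` key is looked up with `rhel8stig_min_supported_os_ver[ansible_distribution]` (see the RHEL-08-010000 task in the preceding commit), so it must match the fact string exactly; it agrees with the `vars/OracleLinux.yml` file name used by `include_vars: "{{ ansible_distribution }}.yml"`, but the prelim bootloader task later in this series compares `ansible_distribution == 'Oracle Linux'` with a space. Only one of the two spellings can match the fact, so confirm the value on an Oracle host and make the comparisons consistent.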
@@ -1,9 +1,9 @@ --- gpg_keys: - - name: 'Oracle OSS group' - packager: "build@oss.oracle.com" - fingerprint: "76FD 3DB1 3AB6 7410 B89D B10E 8256 2EA9 AD98 6DA3" + - name: 'Oracle OSS group' + packager: "build@oss.oracle.com" + fingerprint: "76FD 3DB1 3AB6 7410 B89D B10E 8256 2EA9 AD98 6DA3" gpg_package: oraclelinux-release rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 7cb76337..e5c0c7bc 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,13 +1,13 @@ --- gpg_keys: - - name: 'release key 2' - packager: 'security@redhat.com' - fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' + - name: 'release key 2' + packager: 'security@redhat.com' + fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' - - name: 'auxiliary key' - packager: 'security@redhat.com' - fingerprint: '6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792' + - name: 'auxiliary key' + packager: 'security@redhat.com' + fingerprint: '6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792' gpg_package: redhat-release rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution | lower }}-release diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 0af890b7..0e8502c7 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -1,9 +1,9 @@ --- gpg_keys: - - name: 'Release Engineering' - packager: "infrastructure@rockylinux.org" - fingerprint: "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60" + - name: 'Release Engineering' + packager: "infrastructure@rockylinux.org" + fingerprint: "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60" gpg_package: rocky-gpg-keys rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial From b4b9d4fa6088713a5991d3bb4c57de7194c2261d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 4 May 2023 12:09:37 +0100 Subject: [PATCH 086/202] updated checkout version Signed-off-by: Mark Bolwell --- .github/workflows/update_galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 5d41affe..21a888ef 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -14,7 +14,7 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: hspaans/ansible-galaxy-action@master with: api_key: ${{ secrets.GALAXY_API_KEY }} From 3baf91c56fb88f9a58498d3d145a66b810f417a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 4 May 2023 12:29:13 +0100 Subject: [PATCH 087/202] fixed var naming Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e1176058..93f210e6 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -9,7 +9,7 @@ gpg_keys: - name: {{ info.name }} fingerprint: {{ info.fingerprint }} {% endfor %} -gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ gpg_package }} +rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} From 41468506090e61b0927c98eda8b4c0ddfbba5580 Mon Sep 17 00:00:00 2001 From: Phenix66 <34311559+Phenix66@users.noreply.github.com> Date: Mon, 8 May 2023 11:55:53 -0400 Subject: [PATCH 088/202] Update main.yml Fixed typo in user password assertion Signed-off-by: Phenix66 <34311559+Phenix66@users.noreply.github.com> Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index a7ab4fec..7a6b91f6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
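Review bot: The rendered line `rpm_gpg_key: {{ rpm_gpg_key }}` emits an unquoted Jinja expansion; the values in the vars files are plain paths, so it parses as a string today, but an empty or unusual expansion would change the type or break the document. Quoting the rendered value, `rpm_gpg_key: "{{ rpm_gpg_key }}"`, makes the template robust; the adjacent `name`/`fingerprint` lines (context) have the same shape and would benefit from the same treatment.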
@@ -39,7 +39,7 @@ ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: RHEL-08-010380 when: From 223065fe355fb4241569f527e07ee0cb14b4b395 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 24 May 2023 11:09:07 +0100 Subject: [PATCH 089/202] updated for containers Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ---- tasks/fix-cat2.yml | 12 +----------- tasks/fix-cat3.yml | 1 - tasks/main.yml | 44 +++++++++++++++++++++---------------------- vars/is_container.yml | 23 +++++++++++++++++++++- 5 files changed, 45 insertions(+), 39 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 59c223f4..e89b6a6d 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -129,7 +129,6 @@ - not ansible_check_mode or rhel_08_010020_audit.rc > 1 when: - - not system_is_container - rhel_08_010020 tags: - RHEL-08-010020 @@ -193,7 +192,6 @@ mode: 0640 notify: confirm grub2 user cfg when: - - not system_is_container - not system_is_ec2 - rhel_08_010140 or rhel_08_010150 @@ -415,7 +413,6 @@ notify: systemctl daemon-reload when: - rhel_08_040170 - - not system_is_container tags: - RHEL-08-040170 - CAT1 @@ -474,7 +471,6 @@ notify: systemctl daemon-reload when: - rhel_08_040172 - - not system_is_container tags: - RHEL-08-040172 - CAT1 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0817bd69..4b62cf1b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -478,7 +478,6 @@ notify: change_requires_reboot when: - rhel_08_010170 or rhel_08_010450 - - not system_is_container - rhel8stig_disruption_high tags: - CAT2 
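Review bot: Dropping `- not system_is_container` from the RHEL-08-010020 FIPS task relies on vars/is_container.yml setting `rhel_08_010020: false`, yet that key is not among the lines this commit adds to the vars file (only 010210/010220/010230, the selinux group, 010600, 040030 and the `# Other` group are); unless it already exists in the part of is_container.yml outside the diff, the FIPS install and enable now run inside containers. The same applies to the other fix-cat1 hunks here (RHEL-08-010140/010150 grub and RHEL-08-040170/040172), whose rule variables are likewise absent from the additions; fix-cat2's 010170/010450 hunk is covered. Either add `rhel_08_010020: false` and the others to vars/is_container.yml or keep the guard. The enclosing tasks start before each hunk.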
@@ -569,7 +568,6 @@ - rhel_08_010210 or rhel_08_010220 or rhel_08_010230 - - not system_is_container tags: - CAT2 - RHEL-08-010210 @@ -1398,7 +1396,6 @@ state: present when: - rhel_08_010410 - - not system_is_container tags: - RHEL-08-010410 - CAT2 @@ -1975,7 +1972,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010600 - - not (rhel8stig_system_is_chroot and system_is_container) + - not rhel8stig_system_is_chroot tags: - RHEL-08-010600 - CAT2 @@ -2376,7 +2373,6 @@ when: - rhel_08_010680 - not rhel8stig_system_is_chroot - - not system_is_container - not system_is_ec2 tags: - RHEL-08-010680 @@ -3242,7 +3238,6 @@ when: - rhel_08_020027 or rhel_08_020028 - - not system_is_container tags: - RHEL-08-020027 - RHEL-08-020028 @@ -5837,7 +5832,6 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not system_is_container - rhel8stig_firewall_service == "firewalld" - rhel8stig_start_firewall_service tags: @@ -5872,7 +5866,6 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not system_is_container - rhel8stig_firewall_service == "iptables" - rhel8stig_start_firewall_service tags: @@ -6132,7 +6125,6 @@ - { regexp: '^blacklist bluetooth', line: 'blacklist bluetooth', insertafter: '#blacklist bluetooth kernel module' } when: - rhel_08_040111 - - not system_is_container tags: - RHEL-08-040111 - CAT2 @@ -6490,7 +6482,6 @@ - rhel_08_040139 or rhel_08_040140 or rhel_08_040141 - - not system_is_container tags: - RHEL-08-040139 - RHEL-08-040140 @@ -7347,7 +7338,6 @@ when: - rhel_08_040330 - not rhel8stig_net_promisc_mode_required - - not system_is_container tags: - RHEL-08-040330 - CAT2 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 4dadae25..ac9b6dc3 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -151,7 +151,6 @@ when: - rhel_08_010471 or rhel_08_010472 - - not system_is_container tags: - RHEL-08-010471 - RHEL-08-010472 
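Review bot: The RHEL-08-010600 condition changes meaning rather than just scope: `- not (rhel8stig_system_is_chroot and system_is_container)` skipped the task only when both held, while the new `- not rhel8stig_system_is_chroot` skips it on any chroot, container or not. The container case is now covered by `rhel_08_010600: false` in vars/is_container.yml, but a plain chroot that previously ran this task no longer does; if that is intended, say so in the changelog, otherwise leave the task unguarded by chroot. Separately, the fix-cat3 hunk removes the guard from `rhel_08_010471 or rhel_08_010472` while only `rhel_08_010472: false` reaches the vars file (two commits later), so 010471 still runs in containers unless it is set elsewhere.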
diff --git a/tasks/main.yml b/tasks/main.yml index 7a6b91f6..68d9436e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -26,6 +26,28 @@ tags: - always +- name: Setup rules if container + block: + - name: Discover and set container variable if required + ansible.builtin.set_fact: + system_is_container: true + + - name: Load variable for container + ansible.builtin.include_vars: + file: "{{ container_vars_file }}" + + - name: output if discovered is a container + ansible.builtin.debug: + msg: system has been discovered as a container + when: + - system_is_container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - container_discovery + - always + - name: "Check password set for connecting user" block: - name: Capture current password state of connecting user" @@ -68,28 +90,6 @@ - RHEL-08-010141 - RHEL-08-010149 -- name: Setup rules if container - block: - - name: Discover and set container variable if required - ansible.builtin.set_fact: - system_is_container: true - - - name: Load variable for container - ansible.builtin.include_vars: - file: "{{ container_vars_file }}" - - - name: output if discovered is a container - ansible.builtin.debug: - msg: system has been discovered as a container - when: - - system_is_container - when: - - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - container_discovery - - always - - name: Include OS specific variables ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" tags: diff --git a/vars/is_container.yml b/vars/is_container.yml index 5241528e..33f19096 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -1,4 +1,3 @@ ---- # Container vars file rhel8stig_ssh_required: false 
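Review bot: In the relocated container block the debug task carries its own `when: - system_is_container`, which is redundant with the block-level `when` that only admits the run in which the fact was just set to true; dropping the inner condition keeps the block simpler. The block-level condition also evaluates `ansible_virtualization_type` whenever the connection is not docker; on a host where that fact is absent (facts not gathered, or the virtualization subset skipped) the block errors instead of skipping, so `ansible_virtualization_type is defined and ansible_virtualization_type in [...]` would be safer. Moving the block ahead of the password check is otherwise fine.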
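Review bot: The vars/is_container.yml hunk removes the `---` document-start marker, leaving the file beginning with a comment; the other vars files touched in this series (vars/AlmaLinux.yml, vars/RedHat.yml, vars/Rocky.yml, vars/OracleLinux.yml) keep theirs, and yamllint's document-start rule will flag the omission. Restore `---` as the first line unless the removal is deliberate.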
@@ -94,6 +93,9 @@ rhel_08_030063: false # rsyslog rhel_08_010070: false rhel_08_010561: false +rhel_08_010210: false +rhel_08_010220: false +rhel_08_010230: false rhel_08_030010: false rhel_08_030670: false rhel_08_030680: false @@ -101,6 +103,12 @@ rhel_08_030690: false rhel_08_030710: false rhel_08_030720: false +# selinux +rhel_08_010170: false +rhel_08_010450: false +rhel_08_020027: false +rhel_08_020028: false + ## mounts # /tmp rhel_08_010543: false @@ -133,6 +141,7 @@ rhel_08_010572: false # rhel_08_010580: false # /media +rhel_08_010600: false rhel_08_010610: false # /mnt rhel_08_010620: false @@ -149,6 +158,7 @@ rhel_08_010540: false # firewall rhel8stig_firewall_service: not_required +rhel_08_040030: false # fapolicy rhel_08_040135: false @@ -197,3 +207,14 @@ rhel_08_010381: false rhel_08_010382: false rhel_08_010383: false rhel_08_010384: false + +# Other +rhel_08_010410: false +rhel_08_010672: false +rhel_08_010680: false +rhel_08_040111: false +rhel_08_040139: false +rhel_08_040140: false +rhel_08_040141: false +rhel_08_040180: false +rhel_08_040330: false From 41ac6ba2403b73ca2274a56dc55521d856c91faa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 May 2023 09:17:29 +0100 Subject: [PATCH 090/202] Issue_204 addressed Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 7 +- tasks/prelim.yml | 163 +++++++++++++++++++++------------------------ 2 files changed, 81 insertions(+), 89 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index e89b6a6d..7ddbc3c9 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -18,15 +18,16 @@ block: - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" ansible.builtin.package: - name: - - dracut-fips - - crypto-policies-scripts + name: dracut-fips state: present notify: - rebuild initramfs - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" + - name: pause + ansible.builtin.pause: + - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" ansible.builtin.shell: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 816515a1..36ba127e 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
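Review bot: The added `- name: pause` / `ansible.builtin.pause:` step has no `seconds` or `minutes`, so it halts the play and waits for operator input between installing dracut-fips and running fips-mode-setup, which hangs unattended runs; if a delay is needed give it a duration and a name that says why, otherwise drop it (a later commit in this series, 'removed legacy pause', does exactly that). Trimming the package list to `dracut-fips` is consistent with `crypto-policies-scripts` moving to the new prelim block. The block's `when` and `tags` lie outside this hunk.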
@@ -1,15 +1,56 @@ --- + +- name: "PRELIM | RHEL-08-010020" + block: + - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" + ansible.builtin.shell: df --ouAtput=target /boot | tail -n 1 + changed_when: false + check_mode: false + register: rhel_08_boot_part + + - name: "PRELIM | RHEL-08-010020 | crypto-policies-scripts package for FIPS" + ansible.builtin.package: + name: crypto-policies-scripts + state: present + when: + - "'crypto-policies-scripts' not in ansible_facts.packages" + when: + - rhel_08_010020 + tags: + - RHEL-08-010020 + - CAT1 + - CCI-000068 + - SRG-OS-000033-GPOS-00014 + - SV-230223r792855_rule + - V-230223 + +- name: "PRELIM | RHEL-08-010020 | RHEL-08-010140 | RHEL-08-010150| Install grub2-tools." + ansible.builtin.package: + name: grub2-tools + when: + - not system_is_container + - "'grub2-tools' not in ansible_facts.packages" + - rhel_08_010020 or + rhel_08_010140 or + rhel_08_010150 + tags: + - cat1 + - high + - RHEL-08-010020 + - RHEL-08-010140 + - RHEL-08-010150 + - name: "PRELIM | dconf" block: - name: "PRELIM | Install dconf" - package: + ansible.builtin.package: name: dconf when: - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - name: dconf directory structure - file: + ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory mode: '0755' @@ -33,7 +74,7 @@ # - rhel_08_040180 - removed from section 1 waiting to see if it comes up somewhere else - name: "PRELIM | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" check_mode: false changed_when: false failed_when: false 
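Review bot: The new boot-partition check runs `df --ouAtput=target /boot | tail -n 1`; `--ouAtput` is a typo for `--output`, and because the pipe ends in `tail` the task still returns rc 0 with an empty stdout, so the GRUB `boot=` handling downstream silently takes the "not a separate partition" path. It should read `ansible.builtin.shell: df --output=target /boot | tail -n 1` (the 'fix boot_part var' commit later in the series corrects it, and also renames the registered variable). Separately, the sudoers find in the -33 hunk moves from `command` to `ansible.builtin.shell` although its command line uses no pipes, redirects or globs the shell must expand; `ansible.builtin.command` keeps the argument list out of a shell parse.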
@@ -47,25 +88,8 @@ - RHEL-08-010380 - sudo -- name: "PRELIM | RHEL-08-010020 | RHEL-08-010140 | RHEL-08-010150| Install grub2-tools." - package: - name: grub2-tools - when: - - not system_is_container - - "'grub2-tools' not in ansible_facts.packages" - - rhel_08_010020 or - rhel_08_010140 or - rhel_08_010150 - - tags: - - cat1 - - high - - RHEL-08-010020 - - RHEL-08-010140 - - RHEL-08-010150 - - name: "PRELIM | Gather chroot status" - setup: + ansible.builtin.setup: gather_subset: chroot,!all,!min filter: ansible_is_chroot when: @@ -74,7 +98,7 @@ - always - name: "PRELIM | Gather mount information" - setup: + ansible.builtin.setup: gather_subset: hardware,!all,!min filter: ansible_mounts when: @@ -83,7 +107,7 @@ - always - name: ensure cronie is available - package: + ansible.builtin.package: name: cronie when: - not system_is_container @@ -95,7 +119,7 @@ - RHEL-08-010360 - name: "PRELIM | RHEL-08-010740 | RHEL-08-010750 | RHEL-08-020320 | Parse /etc/passwd" - import_tasks: parse_etc_passwd.yml + ansible.builtin.import_tasks: parse_etc_passwd.yml vars: rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" when: @@ -118,13 +142,13 @@ - name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero - assert: + ansible.builtin.assert: that: - rhel8stig_auto_mount_home_dirs_local_mount_point is defined - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories - set_fact: + ansible.builtin.set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" when: 
@@ -134,7 +158,7 @@ - complexity-high - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories" - shell: "{{ local_interactive_user_dir_command }}" + ansible.builtin.shell: "{{ local_interactive_user_dir_command }}" register: rhel_08_010690_getent changed_when: false failed_when: false @@ -143,7 +167,7 @@ - complexity-high - name: "PRELIM | RHEL-08-010690 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_results: "{{ rhel_08_010690_getent.stdout_lines }}" when: rhel_08_010690_getent.stdout_lines is defined tags: @@ -151,7 +175,7 @@ - complexity-high - name: "PRELIM | RHEL-08-010070 | RHEL-08-030010 | Ensure rsyslog is installed when required." - package: + ansible.builtin.package: name: rsyslog when: - not system_is_container @@ -164,20 +188,8 @@ - RHEL-08-010070 - RHEL-08-030010 -- name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" - shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel_08_boot_part - when: - - rhel_08_010020 - tags: - - cat1 - - high - - RHEL-08-010020 - - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." - package: + ansible.builtin.package: name: audispd-plugins when: - not system_is_container 
@@ -195,31 +207,10 @@ - RHEL-08-030640 - RHEL-08-030650 -# - name: "PRELIM | RHEL-08-030330 | Determine audit log partition." -# block: -# - name: "PRELIM | RHEL-08-030330 | Find audit.log location" -# command: grep -oP '^log_file\s*=\s*\K.*?(?=\s*$)' /etc/audit/auditd.conf -# changed_when: false -# check_mode: false -# register: rhel_08_audit_log_file - -# - name: "PRELIM | RHEL-08-030330 | Find partition holding audit.log" -# shell: df --output=target {{ rhel_08_audit_log_file.stdout }} | tail -n 1 -# changed_when: false -# check_mode: false -# register: rhel_08_audit_part -# when: -# - rhel_08_030330 -# tags: -# - cat2 -# - medium -# - auditd -# - RHEL-08-030330 - - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Install and initialize AIDE" block: - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Install AIDE" - package: + ansible.builtin.package: name: aide state: present notify: "{{ rhel8stig_aide_handler }}" @@ -227,7 +218,7 @@ - "'aide' not in ansible_facts.packages" - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Check for existing AIDE database" - stat: + ansible.builtin.stat: path: "{{ rhel8stig_aide_db_file }}" register: rhel8stig_aide_db_status check_mode: false @@ -248,7 +239,7 @@ - RHEL-08-040310 - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies" - package: + ansible.builtin.package: name: libselinux-utils state: present when: 
@@ -260,32 +251,32 @@ - name: "PRELIM | Bare bones SSH Server" block: - name: "PRELIM | Install SSH" - package: + ansible.builtin.package: name: openssh-server state: present when: - "'openssh-server' not in ansible_facts.packages" - name: PRELIM | Start SSH - service: + ansible.builtin.service: name: sshd state: "{{ rhel8stig_service_started }}" enabled: true - name: PRELIM | check if ssh host key exists - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel8stig_ssh_host_rsa_key_stat - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed - command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 + ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key when: - rhel8stig_ssh_required - name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." - shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010770_ini_file_list changed_when: false @@ -301,7 +292,7 @@ - complexity-high - name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_inifiles: "{{ rhel_08_010770_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: - rhel_08_stig_interactive_homedir_results is defined 
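Review bot: `ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096` is moved from `command` to `ansible.builtin.shell` though it uses no pipes, redirects or variables; `ansible.builtin.command` runs the binary without a shell parse, as ansible-lint's command-instead-of-shell rule recommends, and a `creates: /etc/ssh/ssh_host_rsa_key` argument on it would make the preceding stat task unnecessary. The `find ... | grep` task below genuinely needs a shell, so that conversion is fine.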
@@ -316,12 +307,12 @@ - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" block: - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - stat: + ansible.builtin.stat: path: "{{ rhel8stig_sssd_conf }}" register: rhel8stig_sssd_conf_present - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" - debug: + ansible.builtin.debug: msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: @@ -341,30 +332,30 @@ - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" - shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel8stig_min_uid - name: "PRELIM | Gather interactive user ID max" - shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel8stig_max_uid - name: "PRELIM | Setting the fact" - set_fact: + ansible.builtin.set_fact: rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: "PRELIM | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel8_efi_boot tags: 
@@ -374,14 +365,14 @@ - name: PRELIM | set bootloader type block: - name: "PRELIM | set fact if UEFI boot" - set_fact: + ansible.builtin.set_fact: rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists - name: "PRELIM | set fact if UEFI boot | Oracle Linux" - set_fact: + ansible.builtin.set_fact: rhel8stig_bootloader_path: /boot/efi/EFI/redhat rhel8stig_legacy_boot: false when: @@ -389,13 +380,13 @@ - ansible_distribution == 'Oracle Linux' - name: "PRELIM | set if not UEFI boot" - set_fact: + ansible.builtin.set_fact: rhel8stig_bootloader_path: /boot/grub2/ rhel8stig_legacy_boot: true when: not rhel8_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state - debug: + ansible.builtin.debug: msg: - "bootloader path set to {{ rhel8stig_bootloader_path }}" - "legacy boot equals {{ rhel8stig_legacy_boot }}" @@ -405,13 +396,13 @@ - name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | REHL-08-020028 | If using selinux set up system prereqs" block: - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils" - package: + ansible.builtin.package: name: policycoreutils-python-utils state: present when: "'policycoreutils-python-utils' not in ansible_facts.packages" - name: "PRELIM | RHEL-08-020027 | create faillock dir if rhel_08_020027" - file: + ansible.builtin.file: path: "{{ rhel8stig_pam_faillock.dir }}" state: directory mode: 0755 @@ -427,5 +418,5 @@ rhel_08_020028 - name: "PRELIM | Section 1.1 | Create list of mount points" - set_fact: + ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" From cbd4095ed33bfe6f860552ba314b7a8ae5c7f868 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 May 2023 09:27:15 +0100 Subject: [PATCH 091/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog.md b/Changelog.md index a49d2bcd..b38dfadf 100644 
--- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to RHEL8STIG +## 2.9.1 + +- Issue #204 address + - tidy up of prelim +- update to allow against container + - vars/is_container.yml updated and aligned +- prelim fqcn + ## 2.9.0 Stig V1R10 27th April 2023 - Added new controls From db9512186dc0cfdb4ca19817e3bd6fce2b53ce6b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 May 2023 13:48:14 +0100 Subject: [PATCH 092/202] added 010472 Signed-off-by: Mark Bolwell --- vars/is_container.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/is_container.yml b/vars/is_container.yml index 33f19096..f8f2f8c2 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -210,6 +210,7 @@ rhel_08_010384: false # Other rhel_08_010410: false +rhel_08_010472: false rhel_08_010672: false rhel_08_010680: false rhel_08_040111: false From af2e70e79cfd3bf36b0033b4bd5e2461a5fa0c26 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 May 2023 13:57:10 +0100 Subject: [PATCH 093/202] added skip for initramfs when container Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index 2f59864e..e7f323d7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -111,6 +111,8 @@ - name: rebuild initramfs ansible.builtin.shell: dracut -f + when: + - not system_is_container - name: undo existing prelinking ansible.builtin.shell: prelink -ua From c3da0a15fa6c601b9a20b98952e405161445efa3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 May 2023 14:04:01 +0100 Subject: [PATCH 094/202] removed legacy pause Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7ddbc3c9..fa4ca9ee 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -25,9 +25,6 @@ - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - - name: pause - ansible.builtin.pause: - - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" ansible.builtin.shell: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable From 90e6624d578b0684edf183c64e791943b7375e7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 11 Jul 2023 13:32:31 +0100 Subject: [PATCH 095/202] removed yaml for ansible cli from config Signed-off-by: Mark Bolwell --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 427d0fa3..fe93a962 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,7 +7,7 @@ nocows=1 retry_files_save_path=/dev/null # Use the YAML callback plugin. -stdout_callback = yaml +#stdout_callback = yaml # Use the stdout_callback when running ad-hoc commands. bin_ansible_callbacks = True From f88315ede0eed428f9095ce305ad93a29504df08 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 11 Jul 2023 13:32:43 +0100 Subject: [PATCH 096/202] fixed 10020 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index fa4ca9ee..7b147fa5 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -93,13 +93,13 @@ with_items: - "{{ ansible_mounts | json_query(query) }}" vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]" + query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'] | [0]" key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} insert: true when: - - rhel8stig_boot_part not in ['/', ''] + - rhel8stig_boot_part.stdout not in ['/', ''] - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed notify: confirm grub2 user cfg @@ -112,12 +112,12 @@ - fips=1 - boot=UUID={{ ansible_mounts | json_query(query) }} vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]" + query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]" register: rhel_08_010020_audit when: - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - - "rhel8stig_boot_part not in ['/', ''] or + - "rhel8stig_boot_part.stdout not in ['/', ''] or 'boot=' not in item" changed_when: - ansible_check_mode From f60ae5b2fd9ef3d2f271f9c09b8e7e3abb541f57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 11 Jul 2023 13:32:51 +0100 Subject: [PATCH 097/202] updated tags Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 68d9436e..ab438ff9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -175,9 +175,7 @@ - change_requires_reboot - not rhel8stig_skip_reboot tags: - - CAT1 - - CAT2 - - CAT3 + - always - name: Include post-remediation tasks ansible.builtin.import_tasks: post_remediation_audit.yml @@ -200,6 +198,4 @@ - change_requires_reboot - rhel8stig_skip_reboot tags: - - CAT1 - - CAT2 - - CAT3 + - always From d608e2a33a34ebaeaf288f4c1afe93edfb136868 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 11 Jul 2023 13:33:05 +0100 Subject: [PATCH 098/202] fix boot_part var Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
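Review bot: With `rhel8stig_boot_part.stdout` now read correctly, the `| [0]` JMESPath query still yields `null` whenever `ansible_mounts` holds no entry for that target (mount facts gathered before /boot was mounted, or a narrowed `gather_subset`), and `value: UUID={{ item.uuid }}` then fails on a None item instead of reporting that the FIPS `boot=` parameter could not be derived. A guard such as `- (ansible_mounts | json_query(query)) is not none` in the `when:` list, or an explicit `assert` with a message naming RHEL-08-010020, turns that into a clear failure. The `.stdout` access relies on prelim.yml registering the `df` result under `rhel8stig_boot_part`, which a later commit in this series does. The enclosing task starts before this hunk.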
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 36ba127e..b6436d95 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,10 +3,10 @@ - name: "PRELIM | RHEL-08-010020" block: - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --ouAtput=target /boot | tail -n 1 + ansible.builtin.shell: df --output=target /boot | tail -n 1 changed_when: false check_mode: false - register: rhel_08_boot_part + register: rhel8stig_boot_part - name: "PRELIM | RHEL-08-010020 | crypto-policies-scripts package for FIPS" ansible.builtin.package: From af2af1bfef538002796628186c798182091ea8c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 18 Jul 2023 15:26:49 +0100 Subject: [PATCH 099/202] updated layout Signed-off-by: Mark Bolwell --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index fe93a962..dbe143da 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,7 +7,7 @@ nocows=1 retry_files_save_path=/dev/null # Use the YAML callback plugin. -#stdout_callback = yaml +# stdout_callback = yaml # Use the stdout_callback when running ad-hoc commands. bin_ansible_callbacks = True From eb8114ca5639ece815dd55448882f5c1d2e3d62c Mon Sep 17 00:00:00 2001 From: Eric Lehmann Date: Tue, 25 Jul 2023 08:40:21 -0400 Subject: [PATCH 100/202] Fix typo in defaults/main Signed-off-by: Eric Lehmann Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2e444387..fdbd905f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
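Review bot: The task name says "Check if /boot or /boot/efi reside on separate partitions" but only `/boot` is passed to `df`, so a separate `/boot/efi` is never examined; if the downstream `boot=UUID=` handling for RHEL-08-010020 only needs the filesystem holding the kernel and its HMAC files this is fine, but then the name and a comment should say so, e.g. `# only /boot matters for the FIPS boot= parameter; /boot/efi holds just the bootloader`. Note that the pre-fix `--ouAtput` typo would have made `df` exit non-zero and the task fail, so the boot-partition logic appears not to have been exercised before this commit and deserves a regression run on a host with a separate /boot. The pipe to `tail` is the only reason `shell` rather than `command` is needed here.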
@@ -539,12 +539,12 @@ rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false # RHEL-08-010700 -# rhel8stig_ww_dir_owner is the owenr of all world-writable directories +# rhel8stig_ww_dir_owner is the owner of all world-writable directories # To conform to STIG standards this needs to be set to root, sys, bin, or an application group rhel8stig_ww_dir_owner: root # RHEL-08-010710 -# rhel8stig_ww_dir_grpowner is the owenr of all world-writable directories +# rhel8stig_ww_dir_grpowner is the owner of all world-writable directories # To conform to STIG standards this needs to be set to root, sys, bin, or an application group rhel8stig_ww_dir_grpowner: root From 802bdaa535e19fb5585351ce56a83b5c3ddb6c6c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 08:59:40 +0100 Subject: [PATCH 101/202] #216 improve password check Signed-off-by: Mark Bolwell --- Changelog.md | 5 +++++ tasks/main.yml | 1 + 2 files changed, 6 insertions(+) diff --git a/Changelog.md b/Changelog.md index b38dfadf..1198104f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,10 @@ # Changes to RHEL8STIG +## 2.9.2 + +- #216 check that sudo user has a password check improvement + - thanks to manish on discord for highlighting this + ## 2.9.1 - Issue #204 address diff --git a/tasks/main.yml b/tasks/main.yml index ab438ff9..4e8f298c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -66,6 +66,7 @@ sudo_password_rule: RHEL-08-010380 when: - rhel_08_010380 + - ansible_env.SUDO_USER is defined - not system_is_ec2 tags: - user_passwd From cacb0233a71db550f1c061923f9272cb2bb0a3c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 11:29:24 +0100 Subject: [PATCH 102/202] 20035 added and new vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fdbd905f..b76b7c04 100644 --- a/defaults/main.yml 
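Review bot: The added `ansible_env.SUDO_USER is defined` condition silently skips the sudo-password pre-check whenever the connecting account did not arrive via sudo (direct root login, a non-sudo `become_method`) or env facts were not gathered, so the lockout protection this check gives RHEL-08-010380 disappears without any message. Add a comment stating the intent, `# SUDO_USER is only set when the connecting user escalated via sudo; direct root logins have nothing to check`, and consider a paired `debug` task that records the check was bypassed. SUDO_USER is inherited from the session environment, so it is a convenience signal rather than something to trust for an authorization decision. The enclosing task starts before this hunk.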
+++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r10' +benchmark_version: 'v1r11' ## Benchmark name used by audting control role # The audit variable found at the base @@ -275,6 +275,7 @@ rhel_08_020210: true rhel_08_020220: true rhel_08_020221: true rhel_08_020230: true +rhel_08_020235: true rhel_08_020231: true rhel_08_020240: true rhel_08_020250: true @@ -733,6 +734,9 @@ rhel8stig_pam_faillock: fail_for_root: true dir: /var/log/faillock +# RHEL-08-020035 +rhel_08_020035_idlesessiontimeout: 900 + # RHEL-08-030670 # rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards rhel8stig_audisp_disk_full_action: single @@ -773,9 +777,11 @@ rhel8stig_login_defaults: create_home: 'yes' # RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs +# NOTE different protocol configs '@''=UDP '@@''=TCP '':omrelp:'=RELP rhel8stig_remotelog_server: server: 10.10.10.10 port: 9999 + protocol: '@@' # RHEL-08-030020 rhel8stig_auditd_mail_acct: root 
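Review bot: `rhel_08_020235: true` does not match any toggle used elsewhere in this series — the new task, the goss template and a later commit in this series all use `rhel_08_020035`, so this line looks like a transposed digit that leaves a dead variable (and `rhel_08_020035: true` is added separately later). Unless RHEL-08-020235 is a real control this role implements, change it to `rhel_08_020035: true` here or drop it to avoid two near-identical switches.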
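Review bot: The comment introduced above `rhel8stig_remotelog_server` is garbled by stray quotes (`'@''=UDP '@@''=TCP '':omrelp:'=RELP`), which matters because a wrong prefix silently changes how audit records leave the host; suggest `# prefix for the rsyslog forwarding line: '@' = UDP, '@@' = TCP, ':omrelp:' = RELP (omrelp ships in the rsyslog-relp package)`. It is also worth stating that plain `@`/`@@` forwarding is unauthenticated and unencrypted and that `10.10.10.10:9999` is a placeholder that must be overridden, since a STIG target forwarding audit data to a default address is worse than not forwarding.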
@@ -870,8 +876,8 @@ rhel8stig_white_list_services: # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256' -rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr" +rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' +rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com" rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting From 8073ae151667d34551c2334e9781b58ad2caeddc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:20:11 +0100 Subject: [PATCH 103/202] added 20035 and vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 93f210e6..8218bcf0 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,6 +1,6 @@ ## metadata for Audit benchmark -benchmark_version: '1.10' +benchmark_version: '1.11' rhel8stig_os_distribution: {{ ansible_distribution | lower }} 
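Review bot: The two comment lines above `rhel8stig_ssh_macs` still say the variables must include only `hmac-sha2-512,hmac-sha2-256` and `aes256-ctr,aes192-ctr,aes128-ctr`, while the values now also carry the `-etm@openssh.com` MACs and `aes*-gcm@openssh.com` ciphers, so a reader trusting the comment could trim the value back to the old list. Suggested replacements: `# RHEL-08-010290 (V1R11): hmac-sha2-512, hmac-sha2-256 and their -etm@openssh.com variants` and `# RHEL-08-010291 (V1R11): the CTR ciphers plus aes256-gcm@openssh.com and aes128-gcm@openssh.com`. Worth noting in the comment that the GCM ciphers are AEAD and ignore the MAC setting when negotiated, so the MAC list only governs CTR sessions.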
@@ -210,6 +210,7 @@ RHEL_08_020028: {{ rhel_08_020028 }} RHEL_08_020030: {{ rhel_08_020030 }} RHEL_08_020031: {{ rhel_08_020031 }} RHEL_08_020032: {{ rhel_08_020032 }} +RHEL_08_020035: {{ rhel_08_020035 }} RHEL_08_020039: {{ rhel_08_020039 }} RHEL_08_020040: {{ rhel_08_020040 }} RHEL_08_020041: {{ rhel_08_020041 }} @@ -459,6 +460,9 @@ rhel8stig_aide_cron_file: /etc/cron.d/aide # RHEL_08_200027 &28 rhel8stig_pam_faillock_dir: {{ rhel8stig_pam_faillock.dir }} +# RHEL_08_020035 +rhel_08_020035_idlesessiontimeout: {{ rhel_08_020035_idlesessiontimeout }} + # RHEL_08_030040 - Options are SYSLOG, SINGLE, and HALT to fit STIG standards rhel8stig_auditd_disk_error_action: {{ rhel8stig_auditd_disk_error_action }} @@ -471,6 +475,7 @@ rhel8stig_auditd_disk_full_action: {{ rhel8stig_auditd_disk_full_action }} # RHEL_08_030690 if using remote syslog server rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }} rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }} +rhel8stig_remotelog_protocol: {{ rhel8stig_remotelog_server.protocol }} # RHEL_08_040137 python_bin: {{ ansible_python.executable }} From 4fa17d16fd3dca8391fc3c63d218895d45041b31 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:21:25 +0100 Subject: [PATCH 104/202] 20035added. tmux update and ruleid Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 43 ++++++++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 13 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4b62cf1b..2b23d85c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -98,7 +98,7 @@ - CAT2 - CCI-001199 - SRG-OS-000185-GPOS-00079 - - SV-230224r809268_rule + - SV-230224r917864_rule - V-230224 - name: | @@ -533,7 +533,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-230244r858697_rule + - SV-230244r917867_rule - V-230244 - ssh 
@@ -551,7 +551,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-244525r858699_rule + - SV-244525r917886_rule - V-244525 - ssh @@ -820,7 +820,7 @@ - RHEL-08-010290 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230251r743937_rule + - SV-230251r917870_rule - V-230251 - fips @@ -845,7 +845,7 @@ - RHEL-08-010291 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230252r877394_rule + - SV-230252r917873_rule - V-230252 - fips @@ -2661,7 +2661,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230325r627750_rule + - SV-230325r917879_rule - V-230325 - complexity-high @@ -3293,6 +3293,22 @@ - V-230347 - gui +- name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions." + ansible.builtin.lineinfile: + path: "/etc/systemd/logind.conf" + regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec=' + line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}" + when: + - rhel_08_020035 + tags: + - RHEL-08-020035 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-257258r917891_rule + - V-257258 + - session + - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." block: - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" @@ -3332,7 +3348,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac + case "$name" in (sshd|login) tmux ;; esac fi create: true when: @@ -3342,7 +3358,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230349r880737_rule + - SV-230349r917920_rule - V-230349 - tmux 
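Review bot: `line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}"` writes a space after `=`; systemd tolerates it, but a compliance check that greps for `StopIdleSessionSec=900` will not match, so drop the space. The regexp alternative `^\# StopIdleSessionSec=` does not match the stock commented entry (typically `#StopIdleSessionSec=infinity`, no space after `#`), so the setting is appended at end of file instead of replacing the example; `regexp: '^#?\s*StopIdleSessionSec='` covers both forms. As far as visible the task notifies no handler, and logind only re-reads this file on a `systemd-logind` restart or reboot, so confirm the role's reboot path actually applies it.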
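Review bot: Dropping `exec` from `case "$name" in (sshd|login) tmux ;; esac` keeps the login shell alive underneath tmux, so detaching or killing the tmux server leaves the user in a parent shell that the tmux lock (presumably the `lock-after-time` configured elsewhere for RHEL-08-020040) no longer covers. If this mirrors the V1R11 fix text verbatim it is a STIG-driven change, but the consequence should be recorded in the script itself, e.g. `# STIG V1R11 fix text: tmux is not exec'd, so the parent shell remains after detach`. The `sshd|login` parent check is what prevents tmux from re-spawning tmux in its own panes; a one-line comment saying so would help the next maintainer.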
@@ -5620,7 +5636,7 @@ ansible.builtin.lineinfile: path: /etc/rsyslog.conf regexp: '^.*\@\@' - line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" + line: "*.* {{ rhel8stig_remotelog_server.protocol }}{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" when: - rhel_08_030690 tags: @@ -5628,7 +5644,7 @@ - CAT2 - CCI-001851 - SRG-OS-000342-GPOS-00133 - - SV-230479r627750_rule + - SV-230479r917883_rule - V-230479 - auditd - rsyslog @@ -6545,8 +6561,8 @@ - CAT2 - CCI-002418 - SRG-OS-000423-GPOS-00187 - - SV-244549r743896_rule - - SV-230526r744032_rule + - SV-244549r916422_rule + - SV-230526r916422_rule - V-244549 - V-230526 - ssh @@ -7403,7 +7419,8 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-255924r880733_rule + - SV-255924r917888_rule + - V-255924 - fips - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." From b9b270944c667ea64e73ce3d3812b0b05b38b611 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:21:36 +0100 Subject: [PATCH 105/202] ruleid update Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index ac9b6dc3..39c12a56 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -157,7 +157,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230285r627750_rule + - SV-230285r917876_rule - SV-244527r743830_rule - V-230285 - V-244527 From 44f38fa3acb8fa3b63787da1c5d70b6208e9c6fb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:21:49 +0100 Subject: [PATCH 106/202] 1.11 update Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3b48ccf1..79083a39 100644 --- a/README.md +++ b/README.md 
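Review bot: The forwarding line now takes its prefix from `rhel8stig_remotelog_server.protocol`, but `regexp: '^.*\@\@'` still matches only TCP (`@@`) lines, so with `protocol: '@'` or `':omrelp:'` an existing entry is never replaced and each rerun appends another `*.*` forwarder; it also matches any line containing `@@`, including the commented `#*.* @@remote-host:514` example that stock rsyslog.conf typically carries. Suggested `regexp: '^\*\.\*\s+(@@?|:omrelp:)'`, keyed on the forwarding syntax rather than one protocol. A comment noting that `@` (UDP) sends audit records unauthenticated and unencrypted, and that RELP or TLS-wrapped TCP is the appropriate choice on a STIG target, would help operators pick the prefix deliberately.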
@@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 10 released on April 24, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R10_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip). --- From 73aea8aaf335010040203a9bbec974e5bc3dd69f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:22:00 +0100 Subject: [PATCH 107/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Changelog.md b/Changelog.md index 1198104f..e6091c5a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,28 @@ # Changes to RHEL8STIG +## Stig V1R11 - 26th July 2023 + +### 3.0.0 + +Controls updated + +- CAT2: + - 010030 - ruleid + - 010200 - ruleid + - 010201 - ruleid + - 010290 - ruleid and SSH MACS updated + - 010291 - ruleid and SSH Ciphers updated + - 010770 - ruleid + - 020035 - new control idlesession timeout new var rhel_08_020035_idlesessiontimeout + - 020041 - ruleid and tmux script update + - 030690 - ruleid and protocol options added + - 040159 - ruleid + - 040160 - ruleid + - 040342 - ruleid and SSH KEX algorithms updated + +- CAT3 + - 010471 - ruleid + ## 2.9.2 - #216 check that sudo user has a password check improvement From 88ed759857b4bdfc3b34a22d5302922aff722953 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:35:49 +0100 Subject: [PATCH 108/202] updated lint config Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 964eb052..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -6,12 +6,11 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' From fce5d8c51ac9435cc6adf5c92fb95240f8392c71 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:36:02 +0100 Subject: [PATCH 109/202] updated kex comments Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index b76b7c04..f346d73b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -878,6 +878,8 @@ rhel8stig_white_list_services: # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com" +# RHEL-08-040342 +# Expected Values for FIPS KEX algorithims rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting From 0ea530f410be600df8b1de0273dee05129807090 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:36:23 +0100 Subject: [PATCH 110/202] lint Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 10 +++++----- vars/is_container.yml | 2 ++ 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7b147fa5..03408954 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -54,7 +54,7 @@ check_mode: false changed_when: false failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 - when: rhel_08_010020_default_grub_missing_audit is changed + when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler register: rhel_08_010020_grub_cmdline_linux_audit - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" @@ -66,7 +66,7 @@ mode: 0644 vars: grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" - when: rhel_08_010020_default_grub_missing_audit is changed + when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" ansible.builtin.replace: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2b23d85c..c481acf8 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -243,7 +243,7 @@ mode: '0700' - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" - openssh_keypair: + community.crypto.openssh_keypair: path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" when: - rhel_08_010100 @@ -3234,7 +3234,7 @@ "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." ansible.builtin.shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" - when: add_faillock_secontext.changed + when: add_faillock_secontext.changed # noqa no-handler when: - rhel_08_020027 or rhel_08_020028 
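Review bot: `community.crypto.openssh_keypair` is invoked with only `path`, so the key generated for RHEL-08-010100 gets the module's default type and size and, more importantly, no `passphrase`; if I read that control correctly it is about enforcing access to the private key, so unless a step outside this hunk encrypts it the role creates exactly the unprotected key the check looks for. Add a `passphrase:` sourced from a vaulted variable, pin `type`/`size` explicitly, and add a comment explaining why a key pair is generated at all. The FQCN switch also makes the `community.crypto` collection a hard dependency that the role metadata and README should declare.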
@@ -4280,10 +4280,10 @@ with_items: "{{ rhel8stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" - include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: parse_etc_passwd.yml vars: rhel8stig_passwd_tasks: "RHEL-08-020320" - when: rhel_08_020320_accounts_removed is changed + when: rhel_08_020320_accounts_removed is changed # noqa no-handler when: - rhel_08_020320 tags: @@ -6101,7 +6101,7 @@ - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled" ansible.builtin.shell: nmcli radio wifi off - when: rhel_08_wifi_enabled is changed + when: rhel_08_wifi_enabled is changed # noqa no-handler when: - rhel_08_040110 tags: diff --git a/vars/is_container.yml b/vars/is_container.yml index f8f2f8c2..e08cbead 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -1,3 +1,5 @@ +--- + # Container vars file rhel8stig_ssh_required: false From 60f85c87b2830c8ac177e151bfabe663df29e6e7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:36:37 +0100 Subject: [PATCH 111/202] removed var not used Signed-off-by: Mark Bolwell --- vars/main.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index 3d2ab14d..f01c9ff9 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,5 @@ --- + rhel8stig_min_ansible_version: 2.10.1 rhel8stig_dconf_available: "{{ rhel8stig_gui or rhel8stig_dconf_audit.rc == 0 or 
@@ -43,7 +44,3 @@ rhel8stig_re_qp_key_end: (?:" *) # insert the parameter at the beginning or append to the end, default append rhel8stig_re_qp_insert: "{{ insert | default(not (append | default(true))) }}" - -# RHEL-08-040342 -# Expected Values for FIPS KEX algorithims -FIPS_KEX_ALGO: '-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' From 18bbcbce1b8b006b727428c7efe4be4d44e12315 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 15:52:55 +0100 Subject: [PATCH 112/202] added rule 020035 Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index f346d73b..ae94f434 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -246,6 +246,7 @@ rhel_08_020028: true rhel_08_020030: true rhel_08_020031: true rhel_08_020032: true +rhel_08_020035: true rhel_08_020039: true rhel_08_020040: true rhel_08_020041: true From b39d2fa382ed103010db390267a22c4c697c81f6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 16:43:59 +0100 Subject: [PATCH 113/202] updates to auditing with goss Signed-off-by: Mark Bolwell --- defaults/main.yml | 29 +++++------ tasks/LE_audit_setup.yml | 14 ++--- tasks/post_remediation_audit.yml | 14 ++--- tasks/pre_remediation_audit.yml | 83 ++++++++++++++---------------- tasks/prelim.yml | 8 ++- templates/ansible_vars_goss.yml.j2 | 18 +------ 6 files changed, 71 insertions(+), 95 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ae94f434..12466a98 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -61,7 +61,7 @@ setup_audit: false # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf 
@@ -910,29 +910,29 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_version: + release: v0.3.23 + checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json -# if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" -## if get_goss_file - copy the following needs to be updated for your environment +## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host -copy_goss_from_path: /some/accessible/path +audit_bin_copy_location: /some/accessible/path -### Goss Audit Benchmark file ### +#### Goss Audit Benchmark file ### ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}_rh8" -# copy: -audit_local_copy: "some path to copy from" +# archive or copy: +audit_conf_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" 
@@ -941,14 +941,13 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing -goss_file: "{{ audit_conf_dir }}goss.yml" audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" audit_results: | The pre remediation results are: {{ pre_audit_summary }}. diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index b4ac4d25..4ef8469f 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -1,22 +1,22 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version.checksum }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' + - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 821afd4d..370d2f66 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,11 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: rhel8stig_run_post_remediation.rc == 0 - register: rhel8stig_run_post_remediation - vars: - warn: false + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -19,12 +19,12 @@ - name: Post Audit | Capture audit data if json format block: - - name: Post Audit | "capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result + - name: Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: 
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index c09253a3..8083b7f2 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -1,71 +1,72 @@ --- -- name: "Pre Audit | Setup the audit" +- name: Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: "Pre Audit | If using git for content set up" +- name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit | Install git (rh8 python3) + - name: Pre Audit Setup | Install git (rh8 python3) ansible.builtin.package: name: git state: present - when: - - ansible_distribution_major_version == "8" - - audit_content == "git" - - "'git' not in ansible_facts.packages" + when: ansible_distribution_major_version == '8' - - name: "Pre Audit | Install git (rh7 python2)" + - name: Pre Audit Setup | Install git (rh7 python2) ansible.builtin.package: name: git state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - when: - - ansible_distribution_major_version == "7" - - audit_content == "git" - - "'git' not in ansible_facts.packages" + when: ansible_distribution_major_version == '7' -- name: "Pre Audit | retrieve audit content files from git" - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - audit_content == 'git' -- name: "Pre Audit | copy to audit content files to server" +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - audit_content == 'copy' -- name: "Pre Audit | get audit content from url" +- name: Pre 
Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: - audit_content == 'get_url' -- name: "Pre Audit | Check Goss is available" +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file + - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - - name: "Pre Audit | If audit ensure goss is available" + - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: @@ -73,14 +74,7 @@ when: - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - goss_template - -- name: "Pre Audit | Copy ansible default vars values to test audit" +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" 
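Review bot: The `copy` branch now references `audit_local_copy` and `audit_conf_dest`, but this series renames `audit_local_copy` to `audit_conf_copy` in defaults and defines no `audit_conf_dest` anywhere visible, so `audit_content: copy` fails with an undefined variable; the neighbouring unarchive task already uses `audit_conf_copy`, so the copy task should read `src: "{{ audit_conf_copy }}"` and `dest: "{{ audit_conf_dir }}"`. Neither the `unarchive` nor the `get_url` path verifies a checksum on content that `run_audit.sh` later executes on the host, which deserves at least a comment until a `checksum:` is wired in. The git-install tasks also lost their `'git' not in ansible_facts.packages` guard; harmless for idempotence, but the package module now runs on every audit run.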
@@ -89,23 +83,24 @@ - run_audit tags: - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: rhel8stig_run_pre_remediation.rc == 0 - register: rhel8stig_run_pre_remediation - vars: - warn: false + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" -- name: "Pre Audit | Capture audit data if json format" +- name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: "Pre Audit | Capture pre-audit result" + - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: @@ -113,14 +108,14 @@ when: - audit_format == "json" -- name: "Pre Audit | Capture audit data if documentation format" +- name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: "Pre Audit | Capture pre-audit result" + - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index b6436d95..a2984325 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -323,11 +323,7 @@ rhel_08_020250 or rhel_08_020290 tags: - - RHEL-08-010400 - - RHEL-08-020250 - - RHEL-08-020090 - - RHEL-08-020290 - - pamd + - always - name: "PRELIM | Gather interactive user ID min" block: @@ -347,6 +343,8 @@ ansible.builtin.set_fact: rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" + tags: + - always - name: Gather the package facts ansible.builtin.package_facts: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8218bcf0..e81f9658 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -475,26 +475,10 @@ rhel8stig_auditd_disk_full_action: {{ rhel8stig_auditd_disk_full_action }} # RHEL_08_030690 if using remote syslog server rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }} rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }} -rhel8stig_remotelog_protocol: {{ rhel8stig_remotelog_server.protocol }} +rhel8stig_remotelog_protocol: '{{ rhel8stig_remotelog_server.protocol }}' # RHEL_08_040137 python_bin: {{ ansible_python.executable }} # RHEL_08_040260-62 rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} - -# RHEL-08-020010 -# RHEL-08-020011 -# RHEL-08-020012 -# RHEL-08-020013 -# RHEL-08-020014 -# RHEL-08-020015 -# RHEL-08-020016 -# RHEL-08-020017 -# RHEL-08-020018 -# RHEL-08-020019 -# RHEL-08-020020 -# RHEL-08-020021 -# RHEL-08-020022 -# RHEL-08-020023 - From 4e89cf303a33590e66b0f98a961806e73921bc5a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 16:48:24 +0100 Subject: [PATCH 114/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index e6091c5a..564fd851 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -23,6 +23,8 @@ Controls updated - CAT3 - 010471 - ruleid +- audit updated new version and variable naming + ## 2.9.2 - #216 check that sudo user has a password check improvement From faea7adb4e7f40c48980850e24c1dc1fb3e76164 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 08:46:57 +0100 Subject: [PATCH 115/202] improved run order for finish of playbook Signed-off-by: Mark Bolwell --- tasks/main.yml | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 4e8f298c..53875d00 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -165,23 +165,29 @@ - name: flush handlers ansible.builtin.meta: flush_handlers - tags: - - CAT1 - - CAT2 - - CAT3 -- name: reboot system if changes require it and not skipped - ansible.builtin.reboot: - when: - - change_requires_reboot - - not rhel8stig_skip_reboot - tags: - - always +- name: reboot system + block: + - name: reboot system if not skipped + ansible.builtin.reboot: + when: + - change_requires_reboot + - not rhel8stig_skip_reboot -- name: Include post-remediation tasks + - name: Warning a reboot required but skip option set + ansible.builtin.debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - rhel8stig_skip_reboot + +- name: run post remediation audit ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit + tags: + - always - name: Show Audit Summary ansible.builtin.debug: @@ -190,13 +196,4 @@ - run_audit tags: - run_audit - -- name: Warning a reboot required but skip option set - ansible.builtin.debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" - changed_when: true - when: - - change_requires_reboot - - rhel8stig_skip_reboot - tags: - always 
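Review bot: The new `reboot system` block carries no `tags:`, whereas the `reboot system if changes require it and not skipped` task it replaces was tagged `always`; a run limited with `--tags CAT1` (or any tag) will now skip both the reboot and the warning, while the post-remediation audit that follows is tagged `always` and still runs, producing exactly the stale results the warning text describes. Add `tags:` / `  - always` to the block. Dropping the `CAT1/CAT2/CAT3` tags from `flush handlers` looks intentional, but since tag handling for `meta` tasks has changed across Ansible releases, tagging it `always` as well would make the intent explicit rather than rely on meta-task semantics.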
From c3cb4b0ddfdc1e264aa9d73a979e679945e51738 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 08:47:04 +0100 Subject: [PATCH 116/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 564fd851..0b5158f6 100644 --- a/Changelog.md +++ b/Changelog.md @@ -23,7 +23,8 @@ Controls updated - CAT3 - 010471 - ruleid -- audit updated new version and variable naming +- audit variables updated, new version +- tidied up the end of the playbook ordering with reboot taking place(if set and enabled) prior to audit now. ## 2.9.2 From 72f8c9612544c5f23184216e2f561e2a7da93f3d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jul 2023 09:00:01 +0100 Subject: [PATCH 117/202] #207 - FIPS ordering Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 50 +++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c481acf8..4d4fdcbe 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -799,6 +799,30 @@ - V-244526 - ssh +- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." + block: + - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" + ansible.builtin.shell: fips-mode-setup --check + changed_when: false + failed_when: rhel_08_010293_pre_fips_check.stdout is not defined + register: rhel_08_010293_pre_fips_check + + - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" + ansible.builtin.shell: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: change_requires_reboot + when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' + when: + - rhel_08_010293 + tags: + - RHEL-08-010293 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230254r627750_rule + - V-230254 + - fips + - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs" block: - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" 
@@ -831,7 +855,7 @@ changed_when: false register: rhel8stig_current_ciphers - - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Apply Ciphers" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' @@ -849,30 +873,6 @@ - V-230252 - fips -- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." - block: - - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" - ansible.builtin.shell: fips-mode-setup --check - changed_when: false - failed_when: rhel_08_010293_pre_fips_check.stdout is not defined - register: rhel_08_010293_pre_fips_check - - - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" - ansible.builtin.shell: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: change_requires_reboot - when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' - when: - - rhel_08_010293 - tags: - - RHEL-08-010293 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-230254r627750_rule - - V-230254 - - fips - - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." block: - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." From 71f8446bd53ddbc327217b36a8a936636c3c8be8 Mon Sep 17 00:00:00 2001 
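Review bot: In the relocated RHEL-08-010293 block the enable step registers `rhel_08_010290_fips_enable`; the id belongs to 010293 and as written collides with the 010290 namespace (`register: rhel_08_010293_fips_enable`). More importantly, `failed_when: rhel_08_010293_pre_fips_check.stdout is not defined` replaces the default rc check and can never be true for `ansible.builtin.shell` (stdout is always registered), so if `fips-mode-setup` is missing or errors the task passes with empty stdout, `"disabled" in ""` is false, and FIPS is silently left off while the play reports the control handled; `failed_when: rhel_08_010293_pre_fips_check.rc != 0` (or dropping `failed_when`) closes that. The reorder itself is right — `fips-mode-setup --enable` switches the system crypto policy and regenerates `/etc/crypto-policies/back-ends/*`, so the 010290/010291 `lineinfile` edits must come after it — and a comment above the block saying so would preserve the reason for the ordering, which nothing in the hunk records.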
From: Mark Bolwell Date: Wed, 5 Jul 2023 09:30:32 +0100 Subject: [PATCH 118/202] #208 ignore shell /sbin/nologin for homedir fact Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 12466a98..fb425f93 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -493,7 +493,7 @@ rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/" # The default shell command to gather local interactive user directories ## NOTE: You will need to adjust the UID range in parenthesis below. ## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. -local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" +local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | grep -v '/sbin/nologin' | cut -d: -f6 | sort -u | grep -Ev '/var/|/nonexistent/|/run/*'" # IPv6 required rhel8stig_ipv6_required: true From 3e142cfeb28777382a74c969eb8e336a4a0aaa97 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jul 2023 09:38:59 +0100 Subject: [PATCH 119/202] #209 kex algo when blank updated Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4d4fdcbe..fd5bf368 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7410,6 +7410,10 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>' backrefs: true + when: + - rhel8stig_current_kex is defined + - rhel8stig_current_kex.stdout | length > 0 + notify: change_requires_reboot when: - rhel_08_040342 From d9eccddb0073b7f3b0f0eb2804f35a8d04065bd0 Mon Sep 17 00:00:00 2001 
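Review bot: The new exclusion `grep -Ev '/var/|/nonexistent/|/run/*'` runs on the cut home-directory field but is unanchored, and `/run/*` means `/run` followed by zero or more `/`, so a legitimate home such as `/home/runner` or `/home/brunner` is dropped from the interactive-user list and therefore from every control that consumes it. Anchor the patterns: `grep -Ev '^/var/|^/nonexistent/?|^/run/?'`. The added `grep -v '/sbin/nologin'` matches the whole passwd line as a substring, which usefully also covers `/usr/sbin/nologin`, but `/bin/false` accounts still pass; `grep -Ev ':(/usr)?/sbin/nologin$|:/bin/false$'` would be explicit about both.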
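Review bot: The new guard on the RHEL-08-040342 `lineinfile` correctly avoids running the regexp with an empty `rhel8stig_current_kex.stdout` (which would collapse it to `-o(.*$)` and rewrite the first `-o` option instead), but the empty case now simply skips, so a host whose `opensshserver.config` has no current `KexAlgorithms` entry is left unremediated with no signal. Add a sibling task guarded by `rhel8stig_current_kex.stdout | length == 0` that appends `-oKexAlgorithms={{ rhel8stig_ssh_kex }}` inside the `CRYPTO_POLICY` value, or at minimum a `debug` warning naming the control. The enclosing block starts outside this hunk, so the exact shape of the `CRYPTO_POLICY` line is not visible; the appended form above follows the existing `-o` substitution. `notify: change_requires_reboot` is also new here — a short comment on why a reboot rather than an sshd restart is required for this file would help.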
From: Mark Bolwell Date: Wed, 5 Jul 2023 09:59:03 +0100 Subject: [PATCH 120/202] #210 ensure local mounts checked only Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index fd5bf368..c59bdb77 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -497,7 +497,7 @@ - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." block: - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" - ansible.builtin.shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" + ansible.builtin.shell: "find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" changed_when: false failed_when: false register: rhel_08_010190_world_writable_files From 991bfdc4ec31bf8040fbe5be84cf3e224656919c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jul 2023 11:14:51 +0100 Subject: [PATCH 121/202] #211 Tidy up local interactive users home dirs Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 33 ++++++++++++++------------------- tasks/prelim.yml | 11 +++++++++++ 2 files changed, 25 insertions(+), 19 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c59bdb77..6b5ccdbe 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
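Review bot: `find / -xdev` restricts the world-writable search to the filesystem holding `/`, which is narrower than "local mounts": on a STIG-partitioned host `/tmp`, `/var`, `/var/tmp` and `/home` are separate local filesystems and are precisely where world-writable directories tend to live, and all of them are now skipped. Prune by filesystem type instead, e.g. `find / \( -fstype nfs -o -fstype nfs4 -o -fstype cifs -o -fstype proc -o -fstype sysfs \) -prune -o -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null`, or loop over `ansible_mounts` filtered to local fstypes and run `-xdev` per mount point. The trailing `sed 's/.* //'` is pre-existing but drops everything before the last space, so a world-writable directory with a space in its path is later chmod'ed at the wrong path; leaving paths intact is safer.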
@@ -2505,22 +2505,14 @@ - V-230320 - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: rhel_08_010730_home_directories - - - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - ansible.builtin.file: - path: "{{ item }}" - mode: "{{ rhel8stig_local_int_home_perms }}" - with_items: - - "{{ rhel_08_010730_home_directories.stdout_lines }}" - when: rhel_08_010730_home_directories.stdout | length > 0 + ansible.builtin.file: + path: "{{ item }}" + mode: "{{ rhel8stig_local_int_home_perms }}" + with_items: + - "{{ local_home_directories.stdout_lines }}" when: - rhel_08_010730 + - local_home_directories.stdout | length > 0 tags: - RHEL-08-010730 - CAT2 
@@ -4338,22 +4330,25 @@ block: - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files" ansible.builtin.find: - paths: /home + paths: "{{ item }}" patterns: '^\.' contains: 'umask' recurse: true hidden: true use_regex: true - register: rhel8stig_020352_files + register: rhel8stig_020352_file + loop: "{{ local_home_directories.stdout_lines }}" - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" ansible.builtin.lineinfile: - path: "{{ item.path }}" + path: "{{ item }}" regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" state: absent with_items: - - "{{ rhel8stig_020352_files.files }}" - when: rhel8stig_020352_files.matched > 0 + - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}" + when: + - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined + when: - rhel_08_020352 tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a2984325..f0099036 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -188,6 +188,17 @@ - RHEL-08-010070 - RHEL-08-030010 +- name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" + ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) + changed_when: false + failed_when: false + register: local_home_directories + when: + - rhel_08_010730 + - rhel_08_020352 + tags: + - always + - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins From 37033e5093affb85bca93c7eb836d146f626dbbc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jul 2023 11:32:53 +0100 Subject: [PATCH 122/202] #212 possibly - improve even_deny_root 
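Review bot: The RHEL-08-020352 regexp `umask\s+(?!077)` (with the default) is unanchored and its lookahead allows neither the equivalent `0077` nor a word boundary, so `umask 0077` in a user's dotfile is deleted as non-compliant while `umask 0777` survives because it begins with `077`, and commented lines like `# umask 022` are removed too. Tighten it to `regexp: "^\\s*umask\\s+(?!0?{{ rhel8stig_login_defaults.umask | default('077') }}\\b)"`. The added `when: (... | flatten) is defined` is always true (a filter result is always defined); `when: rhel8stig_020352_file.results | map(attribute='files') | flatten | length > 0` says what is meant, though `with_items` on an empty list would be harmless anyway. The enclosing block starts outside this hunk.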
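Review bot: The new `local_home_directories` fact keeps every UID ≥ 1000 regardless of shell or home path (`awk '($3>=1000)&&($1!="nobody"){print $6}'`), so a package or appliance account with a `/sbin/nologin` shell and a home of `/`, `/var/lib/<svc>` or `/opt/<app>` is fed to RHEL-08-010730's `file: mode: "{{ rhel8stig_local_int_home_perms }}"`, and applying 0750 to `/` or `/opt/<app>` is an outage rather than a hardening. This duplicates, with weaker filtering, the `local_interactive_user_dir_command` that this same series tightens in defaults/main.yml; reuse it (`ansible.builtin.shell: "{{ local_interactive_user_dir_command }}"`) or at least extend the filter to `&&($7!="/sbin/nologin")&&($6!="/")`, and prefer the `rhel8stig_interactive_uid_start` fact prelim already gathers over the hard-coded 1000. `ls -d $(…)` also word-splits on homes containing spaces; the awk output can be used directly. `failed_when: false` is probably intended here, but a one-line comment saying why is worth adding.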
Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index fb425f93..8b68badf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -732,7 +732,7 @@ rhel8stig_pam_faillock: attempts: 3 interval: 900 unlock_time: 0 - fail_for_root: true + fail_for_root: "{{ rhel_08_020023 }}" dir: /var/log/faillock # RHEL-08-020035 From b4f4e09dbf2fb6f3505e4eefcb6a499d462c7984 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 09:01:15 +0100 Subject: [PATCH 123/202] changelog updated Signed-off-by: Mark Bolwell --- Changelog.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog.md b/Changelog.md index 0b5158f6..73a22b0f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,17 @@ ## Stig V1R11 - 26th July 2023 +### 3.0.1 + +Issues: + +- [#207](https://github.com/ansible-lockdown/RHEL8-STIG/issues/207) +- [#208](https://github.com/ansible-lockdown/RHEL8-STIG/issues/208) +- [#209](https://github.com/ansible-lockdown/RHEL8-STIG/issues/209) +- [#210](https://github.com/ansible-lockdown/RHEL8-STIG/issues/210) +- [#211](https://github.com/ansible-lockdown/RHEL8-STIG/issues/211) +- [#212](https://github.com/ansible-lockdown/RHEL8-STIG/issues/212) + ### 3.0.0 Controls updated From ed9d36bbc16e22c26c39ff12797c8d2bc9a8c32c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 31 Aug 2023 16:04:31 -0400 Subject: [PATCH 124/202] Updated when on line 197 of prelim to use an or instead of and Signed-off-by: George Nalen Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f0099036..20435f73 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -194,8 +194,8 @@ failed_when: false register: local_home_directories when: - - rhel_08_010730 - - rhel_08_020352 + - rhel_08_010730 or + rhel_08_020352 tags: - always 
From fd44e922915469136e6d6c42abaddb4f5e8ca6be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:01 +0100 Subject: [PATCH 125/202] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.ansible-lint b/.ansible-lint index b717f678..057c65e0 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,10 +6,12 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' + - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' + - 'fqcn[action]' - 'key-order[task]' - '204' - '305' From de0de029782913f007cec9be428eabbb6e444b17 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:13 +0100 Subject: [PATCH 126/202] updated date Signed-off-by: Mark Bolwell --- LICENSE | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 19045696..c0d26910 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,6 @@ - The MIT License -Copyright (c) 2022 MindPoint Group http://www.mindpointgroup.com +Copyright (c) 2023 MindPoint Group http://www.mindpointgroup.com Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 0b15656efecb24d1fda07fffd0336141e43f8fd2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:28 +0100 Subject: [PATCH 127/202] precommit and modules Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 1 + .config/.secrets.baseline | 190 ++++++++++++++++++++++++++++++++++ .pre-commit-config.yaml | 67 ++++++++++++ 3 files changed, 258 insertions(+) create mode 100644 .config/.gitleaks-report.json create mode 100644 .config/.secrets.baseline create mode 100644 .pre-commit-config.yaml diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 00000000..fe51488c --- /dev/null +++ b/.config/.gitleaks-report.json @@ -0,0 +1 @@ +[] 
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..41368ff4 --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,190 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 600, + "is_secret": false + } + ], + "tasks/fix-cat2.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/fix-cat2.yml", + "hashed_secret": "8458c0f07cce6d8c92d030b23562f791e57e30d6", + "is_verified": false, + "line_number": 4277, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "8eab8633ccf31cc656649638e6d6b45bd7235ffe", + "is_verified": false, + "line_number": 66, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 101, + "is_secret": false + } + ], + "tasks/parse_etc_passwd.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_passwd.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "tasks/prelim.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/prelim.yml", + "hashed_secret": "43c1e0cadc7daa65d95fbf97f335a9896c8e58c6", + "is_verified": false, + "line_number": 124, + "is_secret": false + } + ], + "templates/pam_pkcs11.conf.j2": [ + { + "type": "Secret Keyword", + "filename": "templates/pam_pkcs11.conf.j2", + "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "is_verified": false, + "line_number": 173, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-15T08:39:31Z" +} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..97c79434 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,67 @@ +--- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] + +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + # Safety + - id: detect-aws-credentials + - id: detect-private-key + + # git checks + - id: check-merge-conflict + - id: check-added-large-files + - id: check-case-conflict + + # General checks + - id: trailing-whitespace + name: Trim Trailing Whitespace + description: This hook trims trailing whitespace. + entry: trailing-whitespace-fixer + language: python + types: [text] + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + +# Scan for passwords +- repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets + args: [ '--baseline', '.config/.secrets.baseline' ] + exclude: .config/.gitleaks-report.json + +- repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks + args: ['--baseline-path', '.config/.gitleaks-report.json'] + +- repo: https://github.com/ansible-community/ansible-lint + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.10.1 + +- repo: https://github.com/adrienverge/yamllint.git + rev: v1.32.0 # or higher tag + hooks: + - id: yamllint From f48341a7af04764aa99aec9c7d68037f133066fb Mon Sep 17 00:00:00 2001 
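Review bot: `ci: skip: [detect-aws-credentials, ansible-lint ]` disables the AWS-credential scan on pre-commit.ci, so of the two safety hooks only `detect-private-key` actually runs in CI, and the local run depends on every contributor having installed the hooks. If the skip exists because the hook needs `~/.aws/credentials` to compare against, `args: [--allow-missing-credentials]` lets it run in CI without that file. Every hook is pinned to a mutable tag (`rev: v3.2.0`, `v1.4.0`, `v8.17.0`, `v6.17.2`, `v1.32.0`) rather than a commit SHA; `pre-commit autoupdate --freeze` records SHAs with the tag in a trailing comment. The `entry`/`language`/`types` overrides on `trailing-whitespace` restate that hook's own defaults and can be dropped.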
From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:35 +0100 Subject: [PATCH 128/202] updated Signed-off-by: Mark Bolwell --- README.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 79083a39..7593de99 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,9 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) ![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) @@ -39,7 +39,7 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- 
@@ -112,14 +112,14 @@ This is based on a vagrant image with selections enabled. e.g. No Gui or firewal Note: More tests are run during audit as we check config and running state. ```sh -ok: [rocky8_efi] => +ok: [rocky8_efi] => msg: - 'The pre remediation results are: Count: 804, Failed: 416, Duration: 6.488s.' - 'The post remediation results are: Count: 804, Failed: 28, Duration: 68.687s.' - Full breakdown can be found in /opt PLAY RECAP **************************************************************************************************************** -rocky8_efi : ok=482 changed=269 unreachable=0 failed=0 skipped=207 rescued=0 ignored=0 +rocky8_efi : ok=482 changed=269 unreachable=0 failed=0 skipped=207 rescued=0 ignored=0 ``` ## Branches @@ -180,3 +180,12 @@ If you would are interested in dedicated support to assist or provide bespoke se ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) + +## Added Extras + +- makefile - this is there purely for testing and initial setup purposes. +- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory + +```sh +pre-commit run +``` From 3ce5328358e1dc6f2aeef143e0c90766370df625 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:50 +0100 Subject: [PATCH 129/202] Linting Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 370d2f66..f0a7664e 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -4,9 +4,9 @@ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" changed_when: true environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: From 2fd5c829b9f579ad9ba42a2e4a322941720cdba3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:49:20 +0100 Subject: [PATCH 130/202] updated Signed-off-by: Mark Bolwell --- .github/workflows/update_galaxy.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 21a888ef..951a53cb 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -7,14 +7,15 @@ name: update galaxy # Controls when the action will run. # Triggers the workflow on merge request events to the main branch on: - push: - branches: - - main + push: + branches: + - main jobs: update_role: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: hspaans/ansible-galaxy-action@master - with: - api_key: ${{ secrets.GALAXY_API_KEY }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main From a091aab19e1f7898a93f192ba16f8ff540e13d18 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:49:36 +0100 Subject: [PATCH 131/202] removed file not required 
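Review bot: The workflow now runs `robertdebock/galaxy-action@master`, a third-party action referenced by a mutable branch and handed `secrets.GALAXY_API_KEY`; any push to that branch, or a compromise of that account, can exfiltrate the key and publish arbitrary content under the Galaxy namespace. Pin it to a full commit SHA with the version in a trailing comment, `- uses: robertdebock/galaxy-action@<sha>  # vX.Y.Z`, and do the same for `actions/checkout@v3`. The job also inherits the default `GITHUB_TOKEN` permissions; `permissions: contents: read` at the job level limits what the action can do beyond the Galaxy upload.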
Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 32 ----- .../feature-request-or-enhancement.md | 21 ---- .github/ISSUE_TEMPLATE/question.md | 17 --- .github/pull_request_template.md | 11 -- .github/workflows/linux_benchmark_testing.yml | 111 ------------------ .github/workflows/test.sh | 4 - 6 files changed, 196 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md delete mode 100644 .github/workflows/linux_benchmark_testing.yml delete mode 100644 .github/workflows/test.sh diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 3a19c72b..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index bf457005..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Feature Request or Enhancement** - - Feature [] - - Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index cbab6e73..00000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 1bf89d37..00000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,11 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml deleted file mode 100644 index 6ceb2cbb..00000000 --- a/.github/workflows/linux_benchmark_testing.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions ---- -name: linux_benchmark_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: 
always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100644 index 4b939870..00000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,4 +0,0 @@ -RHEL7=$(grep -c RHEL7 OS.tfvars) -if [ `echo $?` != 0 ]; then - exit 0 -fi From 97ec92901bb1eaf536a52ab5796789c215e55fc1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:50:44 +0100 Subject: [PATCH 132/202] New pipeline files Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 138 ++++++++++++++++++ .../workflows/main_pipeline_validation.yml | 127 ++++++++++++++++ 2 files changed, 265 insertions(+) create mode 100644 .github/workflows/devel_pipeline_validation.yml create mode 100644 .github/workflows/main_pipeline_validation.yml diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 00000000..a4e7d48a --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,138 @@ +--- + + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd 
+ ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file 
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml new file mode 100644 index 00000000..0b149fb3 --- /dev/null +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -0,0 +1,127 @@ +--- + + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # 
Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false From 56ed235c28192e1ec3432251fee266a3d5b90129 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 10:03:15 +0100 Subject: [PATCH 133/202] lint updates Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 40 ++++++++++++++++++++-------------------- 2 files changed, 22 insertions(+), 22 deletions(-) 
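Review bot: `Terraform_Destroy` is gated on `always() && env.ENABLE_DEBUG == 'false'`, and `ENABLE_DEBUG` is taken verbatim from `vars.ENABLE_DEBUG`, so when that repository variable is unset (empty string) or spelt any way other than lowercase `false`, the comparison is false and the AWS instance created by `Terraform_Apply` is never torn down. Invert the test so that destroying is the default, `if: always() && env.ENABLE_DEBUG != 'true'`, or give the variable a default with `ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG || 'false' }}`; the same condition is present in `devel_pipeline_validation.yml` in the previous hunk. The comment on the `OSVAR` env entries reads `relvent`; it should be `relevant`.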
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 03408954..a215e10c 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -91,7 +91,7 @@ regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" with_items: - - "{{ ansible_mounts | json_query(query) }}" + - "{{ ansible_mounts | json_query(query) }}" # noqa: jinja[invalid] vars: query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'] | [0]" key: GRUB_CMDLINE_LINUX @@ -112,7 +112,7 @@ - fips=1 - boot=UUID={{ ansible_mounts | json_query(query) }} vars: - query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]" + query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]" # noqa: jinja[invalid] register: rhel_08_010020_audit when: - not ansible_check_mode or diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6b5ccdbe..3e0543a0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1805,7 +1805,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - "'nosuid' not in home_mount.options" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010570 - CAT2 @@ -1828,7 +1828,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 - "'nosuid' not in boot_mount.options" vars: - boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" + boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010571 - CAT2 
@@ -1851,7 +1851,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 - "'nosuid' not in boot_efi_mount.options" vars: - boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" + boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010572 - CAT2 @@ -1927,7 +1927,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - "'noexec' not in home_mount.options" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010590 - CAT2 @@ -1955,7 +1955,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nodev' not in home_mount.options" vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt" ansible.posix.mount: @@ -1969,7 +1969,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nodev' not in home_mount.options" vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - rhel_08_010600 - not rhel8stig_system_is_chroot 
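Review bot: In the `@@ -1955` and `@@ -1969` hunks the `when` items test `'nodev' not in home_mount.options`, but the task-level `vars` being annotated only define `removable_mount` (for `/media`) and `removable_mount2` (for `/mnt`), so unless `home_mount` is set at an enclosing level these conditions evaluate against the wrong mount or fail as undefined; the same mismatch recurs in the `@@ -1997`, `@@ -2011`, `@@ -2039` and `@@ -2053` hunks on the next line for `noexec` and `nosuid`. The `# noqa: jinja[invalid]` suppressions added here do not touch it; the fix is `- "'nodev' not in removable_mount.options"` and `- "'nodev' not in removable_mount2.options"` respectively, and likewise for the other two flags. The enclosing tasks start outside these hunks, so the `when:` key itself and any block-level vars are not visible here.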
@@ -1997,7 +1997,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'noexec' not in home_mount.options" vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt" ansible.posix.mount: @@ -2011,7 +2011,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'noexec' not in home_mount.options" vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - rhel_08_010610 - not rhel8stig_system_is_chroot @@ -2039,7 +2039,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nosuid' not in home_mount.options" vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt" ansible.posix.mount: @@ -2053,7 +2053,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nosuid' not in home_mount.options" vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - rhel_08_010620 - not rhel8stig_system_is_chroot 
@@ -2075,9 +2075,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},noexec" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: "{{ rhel8stig_nfs_mounts }}" when: - rhel_08_010630 @@ -2100,9 +2100,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},nodev" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: "{{ rhel8stig_nfs_mounts }}" when: - rhel_08_010640 @@ -6214,7 +6214,7 @@ fstype: "{{ tmp_mount.fstype }}" opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}" vars: - tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}" + tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}" # noqa: jinja[invalid] when: rhel8stig_040123_dev_status.stdout | length > 0 when: 
@@ -6261,7 +6261,7 @@ fstype: "{{ var_log_mount.fstype }}" opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}" vars: - var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}" + var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}" # noqa: jinja[invalid] when: rhel8stig_040126_var_log_status.stdout | length > 0 when: - rhel_08_040126 or @@ -6307,7 +6307,7 @@ fstype: "{{ audit_mount.fstype }}" opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}" vars: - audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" + audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" # noqa: jinja[invalid] when: rhel8stig_040129_var_log_audit_status.stdout | length > 0 when: - rhel_08_040129 or @@ -6353,7 +6353,7 @@ fstype: "{{ var_tmp_mount.fstype }}" opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}" vars: - var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" + var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" # noqa: jinja[invalid] when: rhel8stig_040132_var_tmp_status.stdout | length > 0 when: - rhel_08_040132 or From c7dc822d9aae40d062d2b18adc6600a17ebd704d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 10:03:23 +0100 Subject: [PATCH 134/202] lint update Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3e0543a0..ac57b66e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -4348,7 +4348,6 @@ - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}" when: - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined - when: - rhel_08_020352 tags: From e2e7d1de431bce03edfd040e18d64dd5027a3fb9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 10:07:38 +0100 Subject: [PATCH 135/202] lint Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ac57b66e..88f0ba57 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2125,9 +2125,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: "{{ rhel8stig_nfs_mounts }}" when: - rhel_08_010650 @@ -4345,7 +4345,7 @@ regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" state: absent with_items: - - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}" + - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}" # noqa: jinja[invalid] when: - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined when: From 543350be22871dec0cda93e7ff8688f40acd1ac7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 15:46:06 +0100 Subject: [PATCH 136/202] updated discord link Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48a..dba39dc0 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: From b26497c84e6aa43dbbfbdaea1dadda05eb61142e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Sep 2023 08:44:28 +0100 Subject: [PATCH 137/202] moved src to uuid Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 88f0ba57..4acccb0e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1843,7 +1843,7 @@ ansible.posix.mount: path: /boot/efi state: mounted - src: "{{ boot_efi_mount.device }}" + src: "UUID={{ boot_efi_mount.uuid }}" fstype: "{{ boot_efi_mount.fstype }}" opts: "{{ boot_efi_mount.options }},nosuid" when: From 9e8048cd853d51f8a609965003a5e1d466bea994 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Sep 2023 08:46:36 +0100 Subject: [PATCH 138/202] remove legacy files 
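Review bot: `src: "UUID={{ boot_efi_mount.uuid }}"` in the `@@ -1843` hunk writes the EFI system partition's fstab entry from the `uuid` field of `ansible_mounts`, and when Ansible cannot resolve a UUID for a device that field is, as far as I recall, the literal string `N/A`, which would leave `/boot/efi` with `UUID=N/A` in `/etc/fstab` and fail to mount at boot. Guard the task with `- boot_efi_mount.uuid is defined and boot_efi_mount.uuid not in ['', 'N/A']` in its `when` (the `when:` key is the last line of this hunk and its items continue outside it), or fall back to `boot_efi_mount.device` when no UUID is available. A comment on the changed line, `# mount by UUID so the fstab entry survives device renames`, would record why the device path was dropped.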
Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 9 ---- .github/workflows/github_networks.tf | 53 ------------------ .github/workflows/github_vars.tfvars | 13 ----- .github/workflows/main.tf | 80 ---------------------------- .github/workflows/terraform.tfvars | 5 -- .github/workflows/variables.tf | 76 -------------------------- 6 files changed, 236 deletions(-) delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/github_networks.tf delete mode 100644 .github/workflows/github_vars.tfvars delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/terraform.tfvars delete mode 100644 .github/workflows/variables.tf diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index bf529279..00000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -#Ami Rocky 85 - US_east 1 -ami_id = "ami-043ceee68871e0bb5" -ami_os = "rocky8" -ami_username = "rocky" -ami_user_home = "/home/rocky" -instance_tags = { - Name = "RHEL8-STIG" - Environment = "lockdown_github_repo_workflow" -} diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index 5001dc27..00000000 --- a/.github/workflows/github_networks.tf +++ /dev/null 
@@ -1,53 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - availability_zone = var.availability_zone - cidr_block = var.private_subnets - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index 3ea5253d..00000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null @@ -1,13 +0,0 @@ -// github_actions variables -// Resourced in github_networks.tf -// Declared in variables.tf -// - -namespace = "github_actions" -environment = "lockdown_github_repo_workflow" - -// Matching pair name found in AWS for keypairs PEM key -ami_key_pair_name = "github_actions" -main_vpc_cidr = "172.22.0.0/24" -public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index f9b6d0ed..00000000 --- a/.github/workflows/main.tf +++ /dev/null 
@@ -1,80 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < Date: Tue, 19 Sep 2023 08:49:22 +0100 Subject: [PATCH 139/202] tidy up tags Signed-off-by: Mark Bolwell --- tasks/main.yml | 3 +-- tasks/pre_remediation_audit.yml | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 53875d00..36cb7639 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -187,7 +187,7 @@ when: - run_audit tags: - - always + - run_audit - name: Show Audit Summary ansible.builtin.debug: @@ -196,4 +196,3 @@ - run_audit tags: - run_audit - - always 
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 8083b7f2..fc9ed887 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -83,7 +83,6 @@ - run_audit tags: - goss_template - - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" From c948ace18997b8975edc1cc866a958ae63bde99c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Sep 2023 16:30:21 +0100 Subject: [PATCH 140/202] fixed notify error on black #226 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4acccb0e..e1c9236d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -836,7 +836,7 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' backrefs: true - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_010290 tags: @@ -861,7 +861,7 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' backrefs: true - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_010291 tags: @@ -7407,8 +7407,7 @@ when: - rhel8stig_current_kex is defined - rhel8stig_current_kex.stdout | length > 0 - - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_040342 - rhel8stig_ssh_required From 427ec05ef01fe20bb272e598216fb09d69d230fa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:43:11 +0100 Subject: [PATCH 141/202] updated Signed-off-by: Mark Bolwell --- README.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 7593de99..7436dc28 100644 --- a/README.md +++ b/README.md 
@@ -15,19 +15,21 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL8-STIG) + +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL8-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits) + +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL8-STIG?label=Open%20Issues) +![Issues 
Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL8-STIG?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL8-STIG?label=Pull%20Requests) -![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues) -![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success) -![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests) +![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License) -![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License) --- From a662083198435e54b70ccc9ab3f0bf3af05a94ef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:43:42 +0100 Subject: [PATCH 142/202] updated config Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- .yamllint | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 057c65e0..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.yamllint b/.yamllint index ec469292..65faae6c 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true From e36e0ba99ef35f76d64b288fe54c74f8d5df7fd9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:48:30 +0100 Subject: [PATCH 143/202] updated exclusions Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 80 +++------------------------------------ 1 file changed, 5 insertions(+), 75 deletions(-) 
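Review bot: `check-keys: true` under the `truthy` rule in the .yamllint hunk makes yamllint reject boolean-looking mapping keys, and the usual casualty in an Ansible repository is the unquoted `on:` trigger key of GitHub Actions workflows, which this project has (the README hunk in the previous commit links `.github/workflows/main_pipeline_validation.yml` and `devel_pipeline_validation.yml`). Unless those paths are already covered by an `ignore:` entry, the pre-commit yamllint hook will start failing on them; the common fix is `on: # yamllint disable-line rule:truthy` in each workflow, or an `ignore: |` block listing `.github/workflows/` in .yamllint. The workflow files are not in this diff, so this is something to confirm before merging.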
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 41368ff4..2ad77429 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 
@@ -113,78 +109,12 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_passwd.yml", + "templates/pam_pkcs11.conf.j2" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 600, - "is_secret": false - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "8458c0f07cce6d8c92d030b23562f791e57e30d6", - "is_verified": false, - "line_number": 4277, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "8eab8633ccf31cc656649638e6d6b45bd7235ffe", - "is_verified": false, - "line_number": 66, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 101, - "is_secret": false - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "43c1e0cadc7daa65d95fbf97f335a9896c8e58c6", - "is_verified": false, - "line_number": 124, - "is_secret": false - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-15T08:39:31Z" + "results": {}, + "generated_at": "2023-09-25T15:48:01Z" } 
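Review bot: The two paths added to the `should_exclude_file` pattern list remove tasks/parse_etc_passwd.yml and templates/pam_pkcs11.conf.j2 from secret scanning altogether, which is broader than the findings being cleared: the removed `results` entries for those files were `Secret Keyword` hits, all but one already marked `is_secret: false`, but a real credential added to either file later would now also go unreported. The following commit already uses the narrower per-line marker `# pragma: allowlist secret` for the same class of false positive in defaults/main.yml and tasks/main.yml, and applying that marker to the two offending lines instead of a file-level exclusion keeps the rest of those files covered. The earlier hunk of this file also drops the `is_baseline_file` filter, which presumably stops the baseline from being matched against itself; with `results` now empty nothing in it can self-match, but that changes as soon as a finding is recorded again.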
From 6b14fd455b5dc161eb75589faaa52ace9f3bce26 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:48:40 +0100 Subject: [PATCH 144/202] updated with allowed Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 2 +- tasks/main.yml | 6 +++--- tasks/prelim.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8b68badf..e60a576d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -597,7 +597,7 @@ rhel8stig_tftp_required: false # RHEL-08-010140 and RHEL-08-020280 # Password protect the boot loader -rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword +rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword # pragma: allowlist secret rhel8stig_boot_superuser: bootloader_admin # AIDE settings diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e1c9236d..a651125f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4274,7 +4274,7 @@ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" ansible.builtin.include_tasks: parse_etc_passwd.yml vars: - rhel8stig_passwd_tasks: "RHEL-08-020320" + rhel8stig_passwd_tasks: "RHEL-08-020320" # pragma: allowlist secret when: rhel_08_020320_accounts_removed is changed # noqa no-handler when: - rhel_08_020320 diff --git a/tasks/main.yml b/tasks/main.yml index 36cb7639..c516e703 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -63,7 +63,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: RHEL-08-010380 + sudo_password_rule: RHEL-08-010380 # pragma: allowlist secret when: - rhel_08_010380 - ansible_env.SUDO_USER is defined 
@@ -98,8 +98,8 @@ - name: Check rhel8stig_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" + that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" # pragma: allowlist secret when: - not system_is_ec2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 20435f73..2a723ee6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -121,7 +121,7 @@ - name: "PRELIM | RHEL-08-010740 | RHEL-08-010750 | RHEL-08-020320 | Parse /etc/passwd" ansible.builtin.import_tasks: parse_etc_passwd.yml vars: - rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" + rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" # pragma: allowlist secret when: - rhel_08_010141 or rhel_08_010149 or From f5ccd4bf669ce712c295c92c6b17d7c283f02d59 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:49:37 +0100 Subject: [PATCH 145/202] lint updates Signed-off-by: Mark Bolwell --- .gitattributes | 2 +- templates/01-banner-message.j2 | 2 +- templates/aide.conf.j2 | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- templates/pam_pkcs11.conf.j2 | 12 ++++++------ templates/resolv.conf.j2 | 2 +- test_plugins/rhel8_stig_ansible_backport.py | 2 +- test_plugins/rhel8_stig_jinja_compat.py | 2 +- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.gitattributes b/.gitattributes index 9a24540b..b2daffb9 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -3,4 +3,4 @@ *.yml linguist-detectable=true *.ps1 linguist-detectable=true *.j2 linguist-detectable=true -*.md linguist-documentation \ No newline at end of file +*.md linguist-documentation diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2 index 23974c01..1a1a581b 100644 --- a/templates/01-banner-message.j2 +++ b/templates/01-banner-message.j2 @@ -1,4 +1,4 @@ -[org/gnome/login-screen] +[org/gnome/login-screen] banner-message-enable=true banner-message-text='{{ rhel8stig_logon_banner }}' diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 index 92ebb20a..fc93abe9 100644 --- a/templates/aide.conf.j2 +++ b/templates/aide.conf.j2 @@ -319,4 +319,4 @@ DATAONLY = FIPSR # Ditto /var/log/sa/ same reason... -!/var/log/httpd/ \ No newline at end of file +!/var/log/httpd/ diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e81f9658..69484221 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -14,7 +14,7 @@ rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} -# Some tests may need to scan every filesystem or have an impact on a system +# Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index febf193e..32c441b5 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -9,7 +9,7 @@ pam_pkcs11 { nullok = true; # Enable debugging support. - debug = false; + debug = false; # If the smart card is inserted, only use it card_only = true; 
@@ -32,7 +32,7 @@ pam_pkcs11 { screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module {{ rhel08stig_smartcarddriver }} { - {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} + {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} module = /usr/lib64/libcackey.so; description = "{{ rhel08stig_smartcarddriver }}"; slot_num = 0; @@ -54,7 +54,7 @@ pam_pkcs11 { # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; - + # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } @@ -96,10 +96,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; @@ -194,7 +194,7 @@ pam_pkcs11 { module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; diff --git a/templates/resolv.conf.j2 b/templates/resolv.conf.j2 index 483018cd..8f214a7b 100644 --- a/templates/resolv.conf.j2 +++ b/templates/resolv.conf.j2 @@ -11,4 +11,4 @@ nameserver {{ server }} {% endif %} {% if rhel8_stig_resolv_options is iterable %} options {{ rhel8_stig_resolv_options | join(' ') }} -{% endif %} \ No newline at end of file +{% endif %} 
diff --git a/test_plugins/rhel8_stig_ansible_backport.py b/test_plugins/rhel8_stig_ansible_backport.py index 87b412b9..343b5bdc 100644 --- a/test_plugins/rhel8_stig_ansible_backport.py +++ b/test_plugins/rhel8_stig_ansible_backport.py @@ -19,4 +19,4 @@ def tests(self): return { # set theory 'contains': contains, - } \ No newline at end of file + } diff --git a/test_plugins/rhel8_stig_jinja_compat.py b/test_plugins/rhel8_stig_jinja_compat.py index 10bc9409..979aded8 100644 --- a/test_plugins/rhel8_stig_jinja_compat.py +++ b/test_plugins/rhel8_stig_jinja_compat.py @@ -38,4 +38,4 @@ def tests(self): 'lessthan': operator.lt, '<=': operator.le, 'le': operator.le, - } \ No newline at end of file + } From 3a319658bfaf217e5bad7c1c36d937dd6ddb4c8d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:53:50 +0100 Subject: [PATCH 146/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 73a22b0f..249241bd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,8 +1,16 @@ # Changes to RHEL8STIG -## Stig V1R11 - 26th July 2023 +## 3.0.2 - Stig V1R11 - 26th July 2023 -### 3.0.1 +- workflow and pipeline updates +- links updates in documentation +- #222 thanks to @BJSmithIEEE +- #226 thanks to @jmalpede +- lint config updates +- lint updates +- precommit added and configured + +### 3.0.1 - Stig V1R11 - 26th July 2023 Issues: From d630e21f4b541d57841775f7996b08f989d9f714 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Oct 2023 22:06:13 +0100 Subject: [PATCH 147/202] updated collections Signed-off-by: Mark Bolwell --- collections/requirements.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index 23596ec0..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
@@ -2,7 +2,13 @@ collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From 3d7ccea4338147d0ef2cb05bf6592d6a75440058 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:04:27 +0100 Subject: [PATCH 148/202] updated as host_key changes for fips Signed-off-by: Mark Bolwell --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index dbe143da..8b4596ec 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -18,6 +18,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp +ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [accelerate] From 4cd17ab732f79fdf9d7ea3569abc45b1d6156ce3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:05:53 +0100 Subject: [PATCH 149/202] updated versions Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..84807cde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.4.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.20.2 hooks: - id: ansible-lint name: Ansible-lint From 73acc53a08e7588a070be293c3cf6638e4b9e6a0 Mon Sep 17 00:00:00 2001 
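Review bot: The `source:`/`type: git` pairs added for all three collections in the collections/requirements.yml hunk carry no `version:`, so `ansible-galaxy collection install -r` builds each collection from whatever the repository's default branch holds at install time; installs are not reproducible, and the role now trusts the live branch of three upstream repositories instead of a released, checksummed Galaxy artifact. If git sources are needed, pin each entry, e.g. `version: "<tag-or-commit>"` directly under its `source:` line; otherwise the plain `- name:` form that resolves through Galaxy is the safer default.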
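Review bot: `ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` in the ansible.cfg hunk disables SSH host-key verification for every host this config is used against, not only the disposable CI instances the commit message ("host_key changes for fips") appears to be aimed at; together with the existing `record_host_keys=False` in the context lines, a connection to an impersonated host is accepted without any warning. Because ansible.cfg ships in the role checkout, anyone running from the repository root inherits the setting. Keeping the override in the CI job environment (`ANSIBLE_SSH_ARGS`) or using `-o StrictHostKeyChecking=accept-new`, which still pins the key after first contact, limits the exposure to where it is actually wanted.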
From: Mark Bolwell Date: Mon, 9 Oct 2023 15:07:46 +0100 Subject: [PATCH 150/202] Issue #229 sysctl approach thanks to @JacobBuskirk Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 + handlers/main.yml | 10 -- tasks/fix-cat2.yml | 290 +++++++++++++++++++++++------------- tasks/fix-cat3.yml | 22 ++- templates/99-sysctl.conf.j2 | 153 ------------------- vars/main.yml | 2 +- 6 files changed, 202 insertions(+), 278 deletions(-) delete mode 100644 templates/99-sysctl.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index e60a576d..4efc7f89 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -484,6 +484,9 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +# Set the file that sysctl should write to +rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf + # Whether or not system uses remote automounted home directories via autofs rhel8stig_autofs_remote_home_dirs: false diff --git a/handlers/main.yml b/handlers/main.yml index e7f323d7..3e6ff61d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -5,16 +5,6 @@ when: - not system_is_container -- name: update sysctl - ansible.builtin.template: - src: 99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf - owner: root - group: root - mode: 0644 - notify: sysctl system - when: "'procps-ng' in ansible_facts.packages" - - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a651125f..41eada91 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
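Review bot: Removing the `update sysctl` handler in the handlers/main.yml hunk retires the role's old managed file /etc/sysctl.d/99-sysctl.conf, but nothing in this commit removes or empties it on hosts remediated by an earlier release; the new settings go to `rhel8stig_sysctl_file` (/etc/sysctl.d/99_stig_sysctl.conf per the defaults/main.yml hunk), so two role-written files coexist and the old one keeps whatever the old template rendered. The per-control "Find conflicting instances" greps in tasks/fix-cat2.yml include /etc/sysctl.d/*.conf, so direct contradictions should still be caught, but keys the role no longer manages will linger there. A cleanup task should not blindly delete that path: on stock RHEL 8, I believe /etc/sysctl.d/99-sysctl.conf is a distribution-shipped symlink to ../sysctl.conf, which the old `template` handler would have replaced with a regular file, so remove it only when a `stat` shows a regular file rather than a link (confirm on a clean host first).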
@@ -1202,10 +1202,13 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." block: - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kexec_load_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances" ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 @@ -1247,11 +1250,14 @@ loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" when: rhel_08_010373_conflicting_settings.stdout | length > 0 - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" + ansible.posix.sysctl: + name: fs.protected_symlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010373 tags: 
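Review bot: Every new `ansible.posix.sysctl` task in this file, starting with the RHEL-08-010372 hunk, passes `reload: "{{ rhel8stig_sysctl_reload }}"`, yet the only variable this commit visibly introduces is `rhel8stig_sysctl_file` in defaults/main.yml; unless the one-line vars/main.yml change (not shown in this chunk) defines `rhel8stig_sysctl_reload`, all of these tasks fail with an undefined-variable error. Worth confirming, and if it is meant as a user-facing knob it belongs in defaults/main.yml next to `rhel8stig_sysctl_file` with a short comment. Separately, the task names for RHEL-08-010372, 010430, 010671 and the RHEL-08-0402xx controls still end in `| Use template to create file` although the template and handler are gone; only RHEL-08-010373 was renamed to `| Set sysctl`, and the others should follow for consistency.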
@@ -1280,10 +1286,13 @@ when: rhel_08_010374_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: fs.protected_hardlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010374 tags: @@ -1566,10 +1575,13 @@ when: rhel_08_010430_conflicting_settings.stdout | length > 0 - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.randomize_va_space + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010430 tags: @@ -2224,10 +2236,13 @@ when: rhel_08_010671_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.core_pattern + value: "|/bin/false" + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010671 tags: 
@@ -3340,7 +3355,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) tmux ;; esac + case "$name" in (sshd|login) exec tmux ;; esac fi create: true when: @@ -6615,10 +6630,13 @@ when: rhel_08_040209_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040209 tags: @@ -6647,10 +6665,13 @@ when: rhel_08_040210_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040210 
@@ -6681,10 +6702,13 @@ when: rhel_08_040220_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040220 tags: @@ -6713,10 +6737,13 @@ when: rhel_08_040230_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040230 tags: @@ -6745,10 +6772,13 @@ when: rhel_08_040239_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040239 tags: 
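Review bot: The value for RHEL-08-040230 in the second hunk here is inverted: `net.ipv4.icmp_echo_ignore_broadcasts` is a flag where 1 means ignore, so `value: 0` makes the kernel answer ICMP echo requests sent to a broadcast address, which is exactly what the task name says must not happen. Change it to `value: 1`. The preceding "Find conflicting instances" task for this control lies outside the hunk, so check that its grep pattern treats `= 0` rather than `= 1` as the conflicting setting.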
@@ -6777,10 +6807,13 @@ when: rhel_08_040240_conflicting_settings.stdout |length > 0 - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040240 - rhel8stig_ipv6_required @@ -6810,10 +6843,13 @@ when: rhel_08_040249_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040249 tags: @@ -6842,10 +6878,13 @@ when: rhel_08_040250_conflicting_findings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040250 - rhel8stig_ipv6_required 
@@ -6875,10 +6914,13 @@ when: rhel_08_040259_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040259 - not rhel8stig_system_is_router @@ -6908,10 +6950,13 @@ when: rhel_08_040260_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 - not rhel8stig_system_is_router @@ -6941,10 +6986,13 @@ when: rhel_08_040261_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040261 - rhel8stig_ipv6_required 
@@ -6975,10 +7023,13 @@ when: rhel_08_040262_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040262 - rhel8stig_ipv6_required @@ -7009,10 +7060,13 @@ when: rhel_08_040270_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040270 tags: @@ -7041,10 +7095,13 @@ when: rhel_08_040279_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040279 tags: 
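Review bot: The RHEL-08-040279 task in the third hunk here sets `net.ipv4.conf.all.send_redirects`, which is the same key RHEL-08-040220 already sets earlier in this file, so the behaviour the task name describes (ignoring IPv4 ICMP redirect messages) is never enforced. The IPv6 counterpart RHEL-08-040280 in the following hunk uses `net.ipv6.conf.all.accept_redirects`; the IPv4 task should analogously use `name: net.ipv4.conf.all.accept_redirects`. The matching conflicting-instances grep above the hunk is outside it and may carry the same copy-pasted key, so check it as well.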
@@ -7073,10 +7130,13 @@ when: rhel_08_040280_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040280 - rhel8stig_ipv6_required @@ -7106,10 +7166,13 @@ when: rhel_08_040281_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.unprivileged_bpf_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040281 tags: @@ -7138,10 +7201,13 @@ when: rhel_08_040282_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040282 tags: 
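Review bot: `kernel.unprivileged_bpf_disabled` is written live through `sysctl_set: true`, and once that key is 1 the kernel refuses to change it again until reboot (only the value 2 remains switchable), so a run on the wrong host cannot be undone in place; that one-way behaviour deserves a comment above the module call, e.g. `# NOTE: value 1 cannot be reverted at runtime; a reboot is required to re-enable unprivileged bpf()`. The 040280 and 040282 hunks on the same line carry the same key/value pairs as the removed template. The `tags:` lists continue outside the hunks.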
@@ -7170,10 +7236,13 @@ when: rhel_08_040283_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kptr_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040283 tags: @@ -7202,10 +7271,13 @@ when: rhel_08_040284_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: user.max_user_namespaces + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040284 tags: @@ -7234,10 +7306,13 @@ when: rhel_08_040285_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.rp_filter + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040285 tags: 
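Review bot: `user.max_user_namespaces = 0` is applied immediately via `sysctl_set: true` and will stop anything that depends on unprivileged user namespaces (rootless container runtimes and similar sandboxes) as soon as the play runs, not at the next reboot, yet the hunk gives no warning beyond the bare `rhel_08_040284` toggle. Add a comment such as `# WARNING: applied at runtime; disables user namespaces, which rootless podman/docker and some sandboxes require` so operators see it before enabling the control on a container host. The 040283 and 040285 hunks on the same line match the removed template values. Each task's `tags:` list continues past the hunk.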
@@ -7266,10 +7341,13 @@ when: rhel_08_040286_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.core.bpf_jit_harden + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040286 tags: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 39c12a56..66c817ca 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -49,10 +49,13 @@ when: rhel_08_010375_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.dmesg_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010375 tags: @@ -81,10 +84,13 @@ when: rhel_08_010376_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.perf_event_paranoid + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010376 tags: 
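Review bot: Every task converted in this series (here RHEL-08-040286, 010375 and 010376) passes `sysctl_set: true` unconditionally while only `reload:` is driven by `rhel8stig_sysctl_reload`, which the `vars/main.yml` hunk below ties to `not system_is_container`; `sysctl_set` is a runtime write the module attempts even where the reload was deliberately switched off, and in a container with a read-only `/proc/sys` that write will probably fail the play rather than just persist the file. If the guard's intent is "write the file but do not touch the running kernel on containers", use `sysctl_set: "{{ rhel8stig_sysctl_reload }}"` on these tasks too. Whether `system_is_container` is defined anywhere is not visible in this diff. The `tags:` lists continue outside the hunks.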
diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 deleted file mode 100644 index 3958c9f2..00000000 --- a/templates/99-sysctl.conf.j2 +++ /dev/null 
@@ -1,153 +0,0 @@ -# sysctl settings are defined through files in -# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. -# -# Vendors settings live in /usr/lib/sysctl.d/. -# To override a whole file, create a new file with the same in -# /etc/sysctl.d/ and put new settings there. To override -# only specific settings, add a file with a lexically later -# name in /etc/sysctl.d/ and put new settings there. -# -# For more information, see sysctl.conf(5) and sysctl.d(5). - -# sysctl file Added via stig ansible remediation -# Each line is added if set - -{% if rhel_08_010372 %} -# RHEL-08-010372 -kernel.kexec_load_disabled = 1 -{% endif %} - -{% if rhel_08_010373 %} -# RHEL-08-010373 -fs.protected_symlinks = 1 -{% endif %} - -{% if rhel_08_010374 %} -# RHEL-08-010374 -fs.protected_hardlinks = 1 -{% endif %} - -{% if rhel_08_010375 %} -# RHEL-08-010375 -kernel.dmesg_restrict = 1 -{% endif %} - -{% if rhel_08_010376 %} -# RHEL-08-010376 -kernel.perf_event_paranoid = 2 -{% endif %} - -{% if rhel_08_010430 %} -# RHEL-08-010430 -kernel.randomize_va_space = 2 -{% endif %} - -{% if rhel_08_010671 %} -# RHEL-08-010671 -kernel.core_pattern = |/bin/false -{% endif %} - -{% if rhel_08_040209 %} -# RHEL-08-040209 -net.ipv4.conf.default.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040210 and rhel8stig_ipv6_required %} -# RHEL-08-040210 -net.ipv6.conf.default.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040220 %} -# RHEL-08-040220 -net.ipv4.conf.all.send_redirects = 0 -{% endif %} - -{% if rhel_08_040230 %} -# RHEL-08-040230 -net.ipv4.icmp_echo_ignore_broadcasts = 1 -{% endif %} - -{% if rhel_08_040239 %} -# RHEL-08-040239 -net.ipv4.conf.all.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040240 %} -# RHEL-08-040240 -net.ipv6.conf.all.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040249 %} -# RHEL-08-040249 -net.ipv4.conf.default.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040250 and rhel8stig_ipv6_required %} -# RHEL-08-040250 
-net.ipv6.conf.default.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040259 and not rhel8stig_system_is_router %} -# RHEL-08-040259 -net.ipv4.conf.all.forwarding = 0 -{% endif %} - -{% if rhel_08_040260 and not rhel8stig_system_is_router %} -# RHEL-08-040260 -net.ipv6.conf.all.forwarding = 0 -{% endif %} - -{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} -# RHEL-08-040261 -net.ipv6.conf.all.accept_ra = 0 -{% endif %} - -{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} -# RHEL-08-040262 -net.ipv6.conf.default.accept_ra = 0 -{% endif %} - -{% if rhel_08_040270 %} -# RHEL-08-040270 -net.ipv4.conf.default.send_redirects = 0 -{% endif %} - -{% if rhel_08_040279 %} -# RHEL-08-040279 -net.ipv4.conf.all.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040280 and rhel8stig_ipv6_required %} -# RHEL-08-040280 -net.ipv6.conf.all.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040281 %} -# RHEL-08-040281 -kernel.unprivileged_bpf_disabled = 1 -{% endif %} - -{% if rhel_08_040282 %} -# RHEL-08-040282 -kernel.yama.ptrace_scope = 1 -{% endif %} - -{% if rhel_08_040283 %} -# RHEL-08-040283 -kernel.kptr_restrict = 1 -{% endif %} - -{% if rhel_08_040284 %} -# RHEL-08-040284 -user.max_user_namespaces = 0 -{% endif %} - -{% if rhel_08_040285 %} -# RHEL-08-040285 -net.ipv4.conf.all.rp_filter = 1 -{% endif %} - -{% if rhel_08_040286 %} -# RHEL-08-040286 -net.core.bpf_jit_harden = 2 -{% endif %} diff --git a/vars/main.yml b/vars/main.yml index f01c9ff9..92b42958 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -10,7 +10,7 @@ rhel8stig_service_started: "{{ rhel8stig_system_is_chroot | ternary(omit, 'start # !!!!!!!!possibly delete # rhel8stig_systemd_daemon_reload: "{{ not rhel8stig_system_is_chroot }}" -rhel8stig_sysctl_reload: "{{ not rhel8stig_system_is_container }}" +rhel8stig_sysctl_reload: "{{ not system_is_container }}" # these variables are for enabling tasks to run that will be further controled # by check_mode to prevent the remediation task from making changes as From 2465b97a77fc4bc837990c8873a7b186ec73beb0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Oct 2023 11:00:49 +0100 Subject: [PATCH 151/202] updated for copy and format outputs Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 4 +-- tasks/post_remediation_audit.yml | 44 +++++++++++++++++++------------ tasks/pre_remediation_audit.yml | 45 ++++++++++++++++---------------- 3 files changed, 52 insertions(+), 41 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4ef8469f..c8222b8e 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -7,7 +7,7 @@ owner: root group: root checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' @@ -15,8 +15,8 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 owner: root group: root + mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664e..fa9614b6 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,24 +1,16 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: 0644 - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" - - name: Post Audit | Capture audit data if json format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit @@ -34,6 +26,15 @@ - name: Post Audit | Capture audit data if documentation format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Post Audit | capture data {{ post_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit 
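Review bot: Both relocated `run_audit.sh` calls pass `-g {{ group_names }}`, which Jinja renders as the Python list representation (for example `-g ['all', 'rhel8']`), so the shell receives brackets, quotes and several words after `-g`; the script is not in this diff, so confirm what it parses, and if it wants a plain string pass `-g "{{ group_names | join(',') }}"`. The run task duplicated into the json and documentation blocks differs only by `-f documentation`; if the script accepts `-f json`, one task with `-f {{ audit_format }}` outside the blocks avoids keeping two copies in sync. The blocks' `when: audit_format == ...` conditions lie outside the hunk.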
@@ -44,3 +45,12 @@ post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" + +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index fc9ed887..290170d6 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: @@ -15,19 +16,11 @@ - name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit Setup | Install git (rh8 python3) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) - ansible.builtin.package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' + when: "'git' not in ansible_facts.packages" - name: Pre Audit Setup | retrieve audit content files from git ansible.builtin.git: @@ -68,9 +61,8 @@ - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists when: - run_audit 
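Review bot: The moved `ensure audit files readable by users` task makes both audit reports world-readable (`mode: '0644'`), and those reports presumably list which STIG controls still fail on the host, which is useful reconnaissance for any local account; unless a non-root consumer genuinely needs them, `mode: '0640'` with an explicit `group:` is the safer default, and the reason for the chosen mode should be stated in a comment above the task. Note also that `state: file` errors when `pre_audit_outfile` does not exist, so if the pre-remediation audit can be skipped independently of the post audit (not visible here) this task needs a matching guard. The documentation block's `when:` ends just above the inserted task.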
@@ -78,22 +70,22 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: - goss_template -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - name: Pre Audit | Capture audit data if json format block: + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit @@ -109,6 +101,15 @@ - name: Pre Audit | Capture audit data if documentation format block: + + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit From 8f9052f5c4250707a33513f8cf6b53be821f44b3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Oct 2023 11:03:33 +0100 Subject: [PATCH 152/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index 249241bd..9dd2c8df 100644 --- a/Changelog.md 
+++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to RHEL8STIG +## 3.0.3 - Stig V1R11 - 26th July 2023 +q +- updates to collections since galaxy updated +- updates to audit + +- #229 thanks to @JacobBuskirk + ## 3.0.2 - Stig V1R11 - 26th July 2023 - workflow and pipeline updates From c58d334b1a7ecb05acc43f5fb8342ae787a0b9f1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Oct 2023 11:04:37 +0100 Subject: [PATCH 153/202] removed quality badge since galaxy removed Signed-off-by: Mark Bolwell --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 7436dc28..8e66d0fa 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) From 84a47f315a42c6db406b2ffd82ea3ddc655a68ab Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 11:39:02 +0100 Subject: [PATCH 154/202] ruleid updates for v1r12 refer changelog Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 2 +- tasks/fix-cat3.yml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a215e10c..7b180d70 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -133,7 +133,7 @@ - CAT1 - CCI-000068 - SRG-OS-000033-GPOS-00014 - - SV-230223r792855_rule + - SV-230223r928585_rule - V-230223 - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 41eada91..4bfd77dd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7585,7 +7585,7 @@ - CAT2 - CCI-002265 - SRG-OS-000324-GPOS-00125 - - SV-254520r858835_rule + - SV-254520r928805_rule - V-254520 - selinux diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 66c817ca..31c8abb7 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -163,7 +163,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230285r917876_rule + - SV-230285r928587_rule - SV-244527r743830_rule - V-230285 - V-244527 @@ -406,7 +406,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230485r627750_rule + - SV-230485r928590_rule - V-230485 - chrony @@ -422,7 +422,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230486r627750_rule + - SV-230486r928593_rule - V-230486 - chrony From 87e93aee7c9ffb141c575ca449fcf43f81329e9f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 11:39:41 +0100 Subject: [PATCH 155/202] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 +++++++++++- README.md | 2 +- defaults/main.yml | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 9dd2c8df..06c4077a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,7 +1,17 @@ # Changes to RHEL8STIG +## 3.1 - STIG V1R12 - 25th Oct 2023 + +ruleid updated + +- 010020 +- 010471 +- 030741 +- 030742 +- 040400 + ## 3.0.3 - Stig V1R11 - 26th July 2023 -q + - updates to collections since galaxy updated - updates to audit diff --git a/README.md b/README.md index 8e66d0fa..0a0abb05 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip). --- diff --git a/defaults/main.yml b/defaults/main.yml index 4efc7f89..3c71a077 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r11' +benchmark_version: 'v1r12' ## Benchmark name used by audting control role # The audit variable found at the base From 094eea98ff9f97798f2a998816f54fc1ca7aa14e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 11:42:16 +0100 Subject: [PATCH 156/202] updated PRELIM in title Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2a723ee6..be0b2a46 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -49,7 +49,7 @@ - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - - name: dconf directory structure + - name: "PRELIM | dconf directory structure setup" ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory @@ -106,7 +106,7 @@ tags: - always -- name: ensure cronie is available +- name: "PRELIM | ensure cronie is available" ansible.builtin.package: name: cronie when: @@ -302,7 +302,7 @@ - RHEL-08-010770 - complexity-high -- name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" +- name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_inifiles: "{{ rhel_08_010770_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: 
From d5a8e7165a96d6ecfcac379a6901d1fd012136b8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 16:03:52 +0000 Subject: [PATCH 157/202] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
@@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC 
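Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` expands to a bare `sleep` when the repository variable is unset, which fails the step with `sleep: missing operand` instead of waiting; `run: sleep ${{ vars.BUILD_SLEEPTIME || 60 }}` keeps the old default, and the step name `Sleep for 60 seconds` should then describe the variable rather than a fixed value. The following `Run_Ansible_Playbook` step still uses `arillso/action.playbook@master`, a mutable branch reference that runs with whatever secrets this job exposes, so it should be pinned to a full commit SHA in the same spirit as the `actions/checkout@v4` bumps above. The step's `with:` block continues outside the hunk.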
@@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: 
@@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From 28ac97777ae900ce5950708bcb23535d10a61123 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Nov 2023 08:30:11 +0000 Subject: [PATCH 158/202] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa8..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d90..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: From 041e4adb4b08ceb7529e8b42a75830e2415e4d5e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 11:56:17 +0000 Subject: [PATCH 159/202] Oraclelinux updated thanks to @BillSkiCO 
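Review bot: The new `ansible-actions/ansible-galaxy-action@main` reference is a mutable branch and is handed `secrets.GALAXY_API_KEY`, so any change pushed to that branch runs with the key that can publish this role; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: ansible-actions/ansible-galaxy-action@<sha> # vX.Y`, and treat `arillso/action.playbook@master` in the validation workflows the same way. The removed `git_branch: main` input has no replacement in the new `with:` block, so confirm the new action does not need it to choose what it publishes. The workflow's `on:` trigger is outside the hunk.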
Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index be0b2a46..26fa1b2b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -386,7 +386,7 @@ rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists - - ansible_distribution == 'Oracle Linux' + - ansible_distribution == 'OracleLinux' - name: "PRELIM | set if not UEFI boot" ansible.builtin.set_fact: From 5a80e57377eaee2220508a9382084e7f24ed8f80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 11:57:06 +0000 Subject: [PATCH 160/202] updated task 20030 thanks to @BillSkiCO Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4bfd77dd..45143311 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3260,7 +3260,7 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled From 9ecb0eed996e3947af007a4c3ee3880de3f1978c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 11:58:20 +0000 Subject: [PATCH 161/202] updated 40321 thanks to @whitehat237 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 45143311..b43e1ef7 100644 
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7401,6 +7401,7 @@ state: link when: - rhel_08_040321 + - not rhel8stig_gui tags: - RHEL-08-040321 - CAT2 From fe2744424af669d841d882456503ea332d20cb80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 20 Feb 2024 16:46:53 +0000 Subject: [PATCH 162/202] updated after feedback from #245 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b43e1ef7..bb871172 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3260,16 +3260,17 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" + ansible.builtin.shell: "grep -IlR ^lock-enabled /etc/dconf/db/*" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020030_lock_enabled.stdout }}" + path: "{{ item }}" regexp: '^lock-enabled' line: lock-enabled=true + loop: "{{ rhel_08_020030_lock_enabled.stdout }}" when: rhel_08_020030_lock_enabled.stdout | length > 0 notify: dconf update 
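Review bot: `loop: "{{ rhel_08_020030_lock_enabled.stdout }}"` feeds a newline-separated string to `loop`, which Ansible rejects as invalid loop data, so the `Set if exists` task now fails on every host where `lock-enabled` already appears in a dconf db; use `loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}"`. The switch to `grep -IlR ^lock-enabled` itself is right (one path per matching file, no `cut`), and the `when:` guard still works on `stdout`, though `stdout_lines | length > 0` would keep the two expressions in step. The block's fallback for when no file matches lies outside the hunk.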
@@ -3372,13 +3373,13 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/*" changed_when: false failed_when: false register: rhel_08_020050_removal_action - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - ansible.builtin.shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" + ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/* | sed 's:.*/::'" changed_when: false failed_when: false register: rhel_08_020050_removal_action_file @@ -3398,9 +3399,10 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020050_removal_action.stdout }}" + path: "{{ item }}" regexp: ^removal-action= line: removal-action='lock-screen' + loop: "{{ rhel_08_020050_removal_action.stdout }}" when: rhel_08_020050_removal_action.stdout | length > 0 notify: dconf update 
@@ -3436,7 +3438,7 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep -IlR idle-delay= /etc/dconf/db/*' changed_when: false failed_when: false register: rhel_08_020060_idle_delay_param @@ -3458,14 +3460,15 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020060_idle_delay_param.stdout }}" + path: "{{ item }}" regexp: '^idle-delay=' line: idle-delay=uint32 900 owner: root group: root mode: 0640 - notify: dconf update + loop: "{{ rhel_08_020060_idle_delay_param.stdout }}" when: rhel_08_020060_idle_delay_param.stdout | length > 0 + notify: dconf update when: - rhel_08_020060 - "'dconf' in ansible_facts.packages" @@ -7473,7 +7476,7 @@ - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" block: - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' + ansible.builtin.shell: grep ^CRYPTO_POLICY /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g changed_when: false register: rhel8stig_current_kex From a48ab9b9888e4e34bddbac54f02725ea7fdea190 Mon Sep 17 00:00:00 2001 
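Review bot: The rewritten KEX lookup ends in `sed s'/-o//g` — the closing `'` of the original `sed s'/-o//g'` has been dropped, so the shell sees an unterminated quote and the task fails before anything is registered; restore `| sed s'/-o//g'`. Because there is no `failed_when: false` on this task, that failure stops the play for the host. The lineinfile task that consumes `rhel8stig_current_kex` is outside this hunk.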
From: Mark Bolwell Date: Tue, 20 Feb 2024 17:16:01 +0000 Subject: [PATCH 163/202] added issue #248 fix Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index bb871172..b6954040 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -191,11 +191,39 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - line: "auth.*;authpriv.*;daemon.* /var/log/secure" - create: true - mode: '0644' + block: + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" + ansible.builtin.shell: grep "*.info" /etc/rsyslog.conf + changed_when: false + failed_when: false + register: rhel_08_010070_info_set_rsyslog + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" + ansible.builtin.shell: grep "authpriv.* /var/log/secure" /etc/rsyslog.conf + changed_when: false + failed_when: false + register: rhel_08_010070_authpriv_set_rsyslog + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | Adjust settings" + path: /etc/rsyslog.conf + regexp: ^(?#).*\/var\/log\/secure + line: "auth.*;authpriv.*;daemon.* /var/log/secure" + create: true + mode: '0644' + when: + - rhel_08_010070_info_set_rsyslog.stdout == 0 + - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | Adjust settings" + path: /etc/rsyslog.conf + backrefs: true + regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) + line: \1authpriv.*\2/var/log/secure + create: true + mode: '0644' + when: + - rhel_08_010070_info_set_rsyslog.stdout > 0 + - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 notify: restart rsyslog when: - rhel_08_010070 From de55153c46cba93dbb127ea213ddcc90d91c5e09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 20 Feb 2024 17:17:13 +0000 Subject: [PATCH 164/202] Added fix for #254 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b6954040..8c82bd41 100644 
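Review bot: The `when` lists on the two new `Adjust settings` tasks compare `.stdout`, a string, with the integer 0: `rhel_08_010070_info_set_rsyslog.stdout == 0` and `rhel_08_010070_authpriv_set_rsyslog.stdout == 0` can never be true, and the `> 0` form fails evaluation for a string, so in practice /etc/rsyslog.conf is never adjusted by this block. Test the grep result on both sides the same way, e.g. `- rhel_08_010070_info_set_rsyslog.stdout | length == 0` and `- rhel_08_010070_authpriv_set_rsyslog.stdout | length > 0` (or compare `.rc`), and note that the later @@ -192,38 +192,41 @@ "fix syntax" hunk and the @@ -224,7 +225,7 @@ hunk in the squash commit convert only one of the four comparisons. Separately, `line: \1authpriv.*\2/var/log/secure` re-inserts group 2, which is `authpriv\.\*`, after the literal `authpriv.*`, yielding a doubled selector, and the regexp requires `authpriv\.\*` to already be on the line while the task's condition requires the authpriv grep to have found nothing, so the two cannot both hold; the intent of that task needs restating. Also both new tasks lack a module line (`ansible.builtin.lineinfile:`) above `path:`, so as written they are not valid tasks.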
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6150,7 +6150,7 @@ - CCI-001444 - SRG-OS-000299-GPOS-00117 - SV-230506r627750_rule - - V-23050 + - V-230506 - wifi - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." From e06b0c75d2818f6c98c7938a1fe30dc0c7865eb8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 21 Feb 2024 08:59:01 +0000 Subject: [PATCH 165/202] fix syntax Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8c82bd41..a5d007b9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -192,38 +192,41 @@ - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." block: - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" - ansible.builtin.shell: grep "*.info" /etc/rsyslog.conf + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info" + ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf changed_when: false failed_when: false register: rhel_08_010070_info_set_rsyslog - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings" - ansible.builtin.shell: grep "authpriv.* /var/log/secure" /etc/rsyslog.conf + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv" + ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf changed_when: false failed_when: false register: rhel_08_010070_authpriv_set_rsyslog - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | Adjust settings" - path: /etc/rsyslog.conf - regexp: ^(?#).*\/var\/log\/secure - line: "auth.*;authpriv.*;daemon.* /var/log/secure" - create: true - mode: '0644' + - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info" + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: ^(?!#).*\/var\/log\/secure + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' + create: true + mode: '0644' when: - rhel_08_010070_info_set_rsyslog.stdout == 0 - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. 
| Adjust settings" - path: /etc/rsyslog.conf - backrefs: true - regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) - line: \1authpriv.*\2/var/log/secure - create: true - mode: '0644' + - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set" + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + backrefs: true + regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) + line: \1authpriv.*\2/var/log/secure + create: true + mode: '0644' when: - rhel_08_010070_info_set_rsyslog.stdout > 0 - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 + notify: restart rsyslog when: - rhel_08_010070 @@ -7504,11 +7507,12 @@ - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" block: - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.shell: grep ^CRYPTO_POLICY /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g + ansible.builtin.shell: grep -E "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' changed_when: false + failed_when: false register: rhel8stig_current_kex - - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | update KEXs" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' From 78afa356c143a033e855c21cb19b99bce4417f4f Mon Sep 17 00:00:00 2001 
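Review bot: `failed_when: false` on the KEX lookup lets an empty result through to the unchanged `regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)'`, which then collapses to `(^CRYPTO_POLICY=.*)-o(.*$)` and would let the update task rewrite the policy line on whatever `-o` option it matches. Guard the update with `when: rhel8stig_current_kex.stdout | length > 0`, and since the captured value is spliced into a regex, escape it: `regexp: "(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout | regex_escape }}(.*$)"`. The task's `line:` and any existing `when:` are past the end of this hunk, so I cannot tell whether such a guard already exists.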
From: Mark Bolwell Date: Wed, 21 Feb 2024 15:54:42 +0000 Subject: [PATCH 166/202] Squashed commit of the following: commit 14d7da6a3335dea85d73044cac45f851d45e721f Author: Mark Bolwell Date: Wed Feb 21 15:52:45 2024 +0000 updated Signed-off-by: Mark Bolwell commit e6b8a7c2008da9cf11075265801723c597284d6e Author: Mark Bolwell Date: Wed Feb 21 15:52:05 2024 +0000 lint and variable improvements Signed-off-by: Mark Bolwell commit 79948fb314df745bc37f94dffcdf6ec818d945bc Author: Mark Bolwell Date: Wed Feb 21 15:51:32 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell commit 4742d58286387ffdbf569c2094d34290c8f2f90a Author: Mark Bolwell Date: Wed Feb 21 15:50:46 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell commit 33348bc1d3a0537d0cdbcfc70c10286875d97261 Author: Mark Bolwell Date: Wed Feb 21 15:50:25 2024 +0000 changed ordering and added logic Signed-off-by: Mark Bolwell commit 6c2d07987d379575c6ecf766e528da19ba5ffae0 Author: Mark Bolwell Date: Wed Feb 21 15:50:12 2024 +0000 removed as mnot required Signed-off-by: Mark Bolwell commit 1d775c698c9270f707dddbd955d096bfaa978dae Author: Mark Bolwell Date: Wed Feb 21 15:50:04 2024 +0000 updated Signed-off-by: Mark Bolwell commit 562d7604e5263ed4d5cd97cdd2a46ea4a1c3f58f Author: Mark Bolwell Date: Wed Feb 21 15:49:57 2024 +0000 updated precommit Signed-off-by: Mark Bolwell commit bb46131304f00cfe9c9b7b62dda9150ab5d19643 Author: Mark Bolwell Date: Wed Feb 21 12:04:15 2024 +0000 Added ability for audit_only Signed-off-by: Mark Bolwell 
Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 1 - .config/.secrets.baseline | 120 -------------- .pre-commit-config.yaml | 3 - Changelog.md | 8 + defaults/main.yml | 84 ++++------ handlers/main.yml | 13 +- tasks/LE_audit_setup.yml | 20 ++- tasks/audit_only.yml | 30 ++++ tasks/fix-cat1.yml | 1 + tasks/fix-cat2.yml | 14 +- tasks/main.yml | 25 ++- tasks/parse_etc_passwd.yml | 2 +- tasks/post_remediation_audit.yml | 62 +++---- tasks/pre_remediation_audit.yml | 94 ++++++----- tasks/prelim.yml | 4 +- templates/ansible_vars_goss.yml.j2 | 19 +-- templates/pam_pkcs11.conf.j2 | 249 ----------------------------- vars/audit.yml | 41 +++++ 18 files changed, 244 insertions(+), 546 deletions(-) delete mode 100644 .config/.gitleaks-report.json delete mode 100644 .config/.secrets.baseline create mode 100644 tasks/audit_only.yml delete mode 100644 templates/pam_pkcs11.conf.j2 create mode 100644 vars/audit.yml diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index fe51488c..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 2ad77429..00000000 --- a/.config/.secrets.baseline +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_passwd.yml", - "templates/pam_pkcs11.conf.j2" - ] - } - ], - "results": {}, - "generated_at": "2023-09-25T15:48:01Z" -} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 84807cde..30819d0b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,14 +33,11 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v6.20.2 diff --git a/Changelog.md b/Changelog.md index 06c4077a..c0bcafc1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -10,6 +10,14 @@ ruleid updated - 030742 - 040400 +- added SSH validation +- added ansible_facts for variable usage + +- AUDIT + - Audit_only ability now added to run standalone audit + - audit_only: true + - Related Audit repo updated to improve tests audit binary(goss updated to latest version) + ## 3.0.3 - Stig V1R11 - 26th July 2023 - updates to collections since galaxy updated diff --git a/defaults/main.yml b/defaults/main.yml index 3c71a077..d05b5ad6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -56,24 +56,46 @@ rhel8stig_skip_reboot: true # Defined will change if control requires change_requires_reboot: false -### Goss is required on the remote host +########################################## +### Goss is required on the remote host ### +## Refer to vars/auditd.yml for any other settings ## + +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +# Only run Audit do not remediate +audit_only: false +# As part of audit_only +# This will enable files to be copied back to control node +fetch_audit_files: false +# Path to copy the files to will create dir structure +audit_capture_files_dir: /some/location to copy to on control node + # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# archive or copy: +audit_conf_copy: "some path to copy from" + +# get_url: +audit_files_url: "some url maybe s3?" 
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### 
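Review bot: The new header comment `## Refer to vars/auditd.yml for any other settings ##` names a file this commit does not create; the diffstat adds `vars/audit.yml` and tasks/main.yml includes `audit.yml`, so the comment should read `## Refer to vars/audit.yml for any other settings ##`. The trailing `#### Detailed settings found at the end of this document ####` is now stale for the same reason, since the @@ -904 hunk deletes that section. `audit_capture_files_dir: /some/location to copy to on control node` is a plain scalar with spaces that is later used as a directory path by the `file` task; quoting it like its siblings (`audit_conf_copy`, `audit_files_url`) makes it obviously a placeholder that must be replaced.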
@@ -904,55 +926,3 @@ rhel8stig_tmux_lock_after_time: 900 # The value given to Defaults timestamp timeout= in the sudo file. # Value must be greater than 0 to conform to STIG standards rhel8stig_sudo_timestamp_timeout: 1 - -#### Goss Configuration Settings #### -# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Goss binary settings ### -audit_bin_version: - release: v0.3.23 - checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" - -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - -#### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh8" - -# archive or copy: -audit_conf_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" 
- -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" - -# If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/handlers/main.yml b/handlers/main.yml index 3e6ff61d..c210d6f1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,4 +1,9 @@ --- + +- name: change_requires_reboot + ansible.builtin.set_fact: + change_requires_reboot: true + - name: systemctl daemon-reload ansible.builtin.systemd: daemon_reload: true @@ -16,6 +21,7 @@ when: - not rhel8stig_system_is_chroot - "'openssh-server' in ansible_facts.packages" + - not change_requires_reboot - name: restart sssd ansible.builtin.service: @@ -30,6 +36,7 @@ state: restarted when: - not rhel8stig_system_is_chroot + - not change_requires_reboot - name: restart rsyslog ansible.builtin.service: @@ -82,6 +89,7 @@ - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - not system_is_container + - not change_requires_reboot - name: update auditd ansible.builtin.template: @@ -98,6 +106,7 @@ - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - not system_is_container + - not change_requires_reboot - name: rebuild initramfs ansible.builtin.shell: dracut -f 
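Review bot: Adding `- not change_requires_reboot` to `restart sshd` (and in the @@ -30, @@ -82 and @@ -98 hunks) means that once any task notifies `change_requires_reboot`, every later service restart is skipped and sshd keeps running on its old configuration until the host reboots; with `rhel8stig_skip_reboot: true` as the default in defaults/main.yml, if the reboot task honours that flag (not visible here) the hardened settings then stay inactive until an unrelated reboot. If that is intended, say so on the handler, e.g. `# restart deferred: a pending reboot will apply this change`; otherwise only the handlers whose restart is genuinely unsafe before a reboot should carry the guard. Moving `change_requires_reboot` to the top of the file is what makes the guard work at all, because handlers run in file order, and that ordering dependency deserves a comment so nobody moves it back.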
@@ -146,7 +155,3 @@ ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - -- name: change_requires_reboot - ansible.builtin.set_fact: - change_requires_reboot: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index c8222b8e..7ef94b4a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,22 +1,34 @@ --- +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_facts.machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_facts.machine == "arm64" + - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ audit_bin_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ audit_bin_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: '0555' when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" + mode: '0555' owner: root group: root - mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..864f5bbe --- /dev/null +++ b/tasks/audit_only.yml 
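Review bot: `when: ansible_facts.machine == "arm64"` never matches on a Linux host, where `ansible_facts.machine` carries the kernel's `uname -m` value `aarch64`, so on ARM `audit_pkg_arch_name` stays undefined and the `url:` and `checksum:` templates in the download task fail with an undefined-variable error. Use `when: ansible_facts.machine in ["aarch64", "arm64"]`, and consider a final task that fails with a clear message for any other architecture. Keying the checksum on the architecture is a good integrity control for the downloaded binary; the copy path still installs `audit_bin_copy_location` without any integrity check, which at least deserves a comment.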
@@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7b180d70..69fbcdbf 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -321,6 +321,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' line: 'PermitEmptyPasswords no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_020330 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a5d007b9..e453e73b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -112,6 +112,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' + validate: '/usr/sbin/sshd -T -f %s' when: - rhel8stig_ssh_required @@ -224,7 +225,7 @@ create: true mode: '0644' when: - - rhel_08_010070_info_set_rsyslog.stdout > 0 + - rhel_08_010070_info_set_rsyslog.stdout | length > 0 - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 notify: restart rsyslog @@ -555,6 +556,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveCountMax.*' line: ClientAliveCountMax 1 + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010200 
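Review bot: `mode: '0644'` on the `ansible.builtin.fetch` task is not among the parameters that module documents (src, dest, flat, fail_on_missing, validate_checksum), and the fetch action rejects unknown options, so the task is likely to fail as soon as `fetch_audit_files` is true; drop the line and, if the permission matters, set it on the local copy with a separate `file` task delegated to localhost. `ansible.builtin.meta: end_play` stops the play for every host, not only those with `audit_only` set; if the role can run with mixed settings across an inventory, `ansible.builtin.meta: end_host` is the per-host form. The delegated directory task correctly drops privileges with `become: false`.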
@@ -573,6 +575,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveInterval.*' line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}" + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010201 @@ -1697,6 +1700,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?StrictModes' line: 'StrictModes yes' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010500 @@ -1715,6 +1719,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?IgnoreUserKnownHosts' line: 'IgnoreUserKnownHosts yes' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010520 @@ -1733,6 +1738,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?KerberosAuthentication' line: "KerberosAuthentication no" + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010521 @@ -1751,6 +1757,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?GSSAPIAuthentication' line: "GSSAPIAuthentication no" + validate: '/usr/sbin/sshd -T -f %s' when: - rhel_08_010522 - rhel8stig_ssh_required @@ -1807,6 +1814,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitRootLogin' line: 'PermitRootLogin no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010550 @@ -2778,6 +2786,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitUserEnvironment' line: 'PermitUserEnvironment no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010830 @@ -6615,6 +6624,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?RekeyLimit' line: 'RekeyLimit 1G 1h' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_040161 @@ -7475,6 +7485,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?X11Forwarding' line: 'X11Forwarding no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_040340 @@ -7493,6 +7504,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?X11UseLocalhost' line: 'X11UseLocalhost yes' + validate: '/usr/sbin/sshd -T -f %s' when: - rhel_08_040341 - rhel8stig_ssh_required 
diff --git a/tasks/main.yml b/tasks/main.yml index c516e703..a1acf152 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,15 +4,15 @@ ansible.builtin.setup: gather_subset: distribution,!all,!min when: - - ansible_distribution is not defined + - ansible_facts.distribution is not defined tags: - always - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') - fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - not skip_os_check tags: @@ -43,7 +43,7 @@ - system_is_container when: - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always @@ -92,7 +92,7 @@ - RHEL-08-010149 - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml" tags: - always 
@@ -134,10 +134,19 @@ - prelim_tasks - run_audit -- name: Include pre-remediation tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml +- name: Include audit specific variables + ansible.builtin.include_vars: audit.yml when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit - run_audit + +- name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only - setup_audit tags: - run_audit diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index ef4fbf6a..aada90e2 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -15,7 +15,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index fa9614b6..2c51bbb0 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
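Review bot: `ansible.builtin.include_vars: audit.yml` only runs when `setup_audit` is true, yet the audit variables removed from defaults/main.yml in this commit (audit_bin, audit_out_dir, pre_audit_outfile, post_audit_outfile, ...) presumably now live in the new vars/audit.yml, so a run with `run_audit: true` or `audit_only: true` but `setup_audit: false` leaves every audit task with undefined variables where it previously fell back to defaults. Either drop `- setup_audit` from this task's condition or document that `setup_audit` is now required whenever auditing is enabled. I also cannot see where tasks/audit_only.yml is imported in this commit; if it is included from pre_remediation_audit.yml beyond the visible hunks, a comment here pointing to it would help the reader.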
@@ -1,18 +1,28 @@ --- -- name: Post Audit | Capture audit data if json format - block: +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" - - name: "capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" +- name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" + block: + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: cat {{ post_audit_outfile }} register: post_audit changed_when: false 
@@ -20,37 +30,17 @@ ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "Post Audit | capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: tail -2 {{ post_audit_outfile }} register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: '0644' - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 290170d6..e3a261e7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
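Review bot: The consolidated `Run post_remediation {{ benchmark }} audit` task drops the `-f documentation` argument that the removed documentation-format task passed to run_audit.sh, so with `audit_format == "documentation"` the audit now runs without it and `tail -2` is applied to whatever format the script defaults to; unless run_audit.sh derives the format from the `-o` filename, add `-f {{ audit_format }}` back to the command. Quoting `-g \"{{ group_names }}\"` is an improvement, since the unquoted list rendering was subject to word splitting and globbing. `mode: '0644'` makes the pre/post result files world-readable; they enumerate which STIG controls the host fails, so `0640` with an appropriate group owner is the safer default unless there is a consumer that needs them readable by all users.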
@@ -1,58 +1,58 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: - file: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: "'git' not in ansible_facts.packages" - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server + when: + - audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" mode: preserve - when: - - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archived' ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url + when: + - audit_content == 'get_url' ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file 
ansible.builtin.stat: @@ -60,34 +60,36 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: '0600' - when: - - run_audit - tags: - - goss_template + +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + - name: capture data {{ pre_audit_outfile }} + ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false 
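Review bot: The renamed task `Pre Audit Setup | Copy to audit content files to server` keeps the stray `to` from the old name; since this commit is already retouching these names, `- name: Pre Audit Setup | Copy audit content files to server` reads correctly. `Pre Audit Setup | Install git` also loses its `when: "'git' not in ansible_facts.packages"` guard, so the package module now runs on every play when `audit_content == 'git'`; the result is the same because the module is idempotent, but that is worth a one-line comment if it was intended. The block `Pre Audit Setup | Check Goss is available` that opens at the bottom of this hunk continues into the next one.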
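Review bot: `Pre Audit Setup | If audit ensure goss is available` now carries `when: not goss_available.stat.exists` while its assertion is still `that: goss_available.stat.exists`, so whenever the task runs the assert can only fail; that is the intended outcome, but the inverted pair reads like a mistake. Either drop the added `when` and keep the assert, or make the intent explicit with `ansible.builtin.fail:` and `msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"` under the same `when`. The new `Pre Audit | Run pre_remediation {{ benchmark }} audit` task has the same missing `-f documentation` argument raised on the post_remediation hunk `@@ -1,18 +1,28 @@`.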
@@ -95,28 +97,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" + +- name: Audit_Only | Run Audit Only when: - - audit_format == "documentation" + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 26fa1b2b..91b429df 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -274,12 +274,12 @@ state: "{{ rhel8stig_service_started }}" enabled: true - - name: PRELIM | check if ssh host key exists + - name: PRELIM | Check if ssh host key exists ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel8stig_ssh_host_rsa_key_stat - - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed + - name: PRELIM | Create ssh host key to allow 'sshd -t -f %s' to succeed ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 69484221..d9af9eae 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,6 +1,6 @@ ## metadata for Audit benchmark -benchmark_version: '1.11' +benchmark_version: {{ benchmark_version }} rhel8stig_os_distribution: {{ ansible_distribution | lower }} 
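Review bot: `benchmark_version: {{ benchmark_version }}` in ansible_vars_goss.yml.j2 renders unquoted into the goss vars file, so a value such as `1.12` is loaded as a float (and a `1.10` would collapse to `1.1`) by whatever reads that file; the line it replaces was the quoted string `'1.11'`. Quoting the templated value, `benchmark_version: '{{ benchmark_version }}'`, keeps the string type and also stops an empty expansion from becoming null.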
@@ -443,13 +443,13 @@ MAX_UID: {{ rhel8stig_interactive_uid_stop }} # RHEL_08_010040-010050-010060 rhel8stig_banner_file: /etc/issue rhel8stig_logon_banner: -- You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. -- By using this IS (which includes any device attached to this IS), you consent to the following conditions -- -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -- -At any time, the USG may inspect and seize data stored on this IS. -- -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -- -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -- -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + By using this IS (which includes any device attached to this IS), you consent to the following conditions + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
+ -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # RHEL_08_010680 to change if using hostfile only - seperate checks rhel8stig_uses_dns: true @@ -479,6 +479,3 @@ rhel8stig_remotelog_protocol: '{{ rhel8stig_remotelog_server.protocol }}' # RHEL_08_040137 python_bin: {{ ansible_python.executable }} - -# RHEL_08_040260-62 -rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 deleted file mode 100644 index 32c441b5..00000000 --- a/templates/pam_pkcs11.conf.j2 +++ /dev/null 
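Review bot: `rhel8stig_logon_banner:` changes from a list of strings to a multi-line plain scalar, which YAML folds into a single space-joined string, so the banner's line structure is lost; the `-The USG …` and `-At any time …` lines only parse as scalar continuations because the `-` is not followed by a space, which is fragile. If the consumer expects the banner text with its line breaks, `rhel8stig_logon_banner: |` with the same indented lines preserves them; if it still expects the previous list, the list form should stay. The goss check that consumes this variable is outside this diff, so which is intended cannot be confirmed here.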
@@ -1,249 +0,0 @@ -# -# Configuration file for pam_pkcs11 module -# -# Version 0.4 -# Author: Juan Antonio Martinez -# -pam_pkcs11 { - # Allow empty passwords - nullok = true; - - # Enable debugging support. - debug = false; - - # If the smart card is inserted, only use it - card_only = true; - - # Do not prompt the user for the passwords but take them from the - # PAM_ items instead. - use_first_pass = false; - - # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK - # is unset. - try_first_pass = false; - - # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been - # previously set (intended for stacking password modules only). - use_authtok = false; - - # Filename of the PKCS #11 module. The default value is "default" - use_pkcs11_module = {{ rhel08stig_smartcarddriver }}; - - screen_savers = gnome-screensaver,xscreensaver,kscreensaver - - pkcs11_module {{ rhel08stig_smartcarddriver }} { - {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} - module = /usr/lib64/libcackey.so; - description = "{{ rhel08stig_smartcarddriver }}"; - slot_num = 0; - support_threads = false; - ca_dir = /etc/pam_pkcs11/cacerts; - crl_dir = /etc/pam_pkcs11/crls; - cert_policy = signature; - } - - pkcs11_module opensc { - module = opensc-pkcs11.so; - description = "OpenSC PKCS#11 module"; - # Slot-number to use. One for the first, two for the second and so - # on. The default value is zero which means to use the first slot - # with an available token. - slot_num = 0; - - # Path to the directory where the NSS CA certificate database is stored. 
- # you can mange the certs in this database with the certutil command in - # the package nss-tools - nss_dir = /etc/pki/nssdb; - - # Sets the Certificate Policy, (see above) - cert_policy = ca, signature; - } - - # Default pkcs11 module - pkcs11_module default { - module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; - description = "Default pkcs#11 module"; - slot_num = 0; - #ca_dir = /etc/pam_pkcs11/cacerts; - #crl_dir = /etc/pam_pkcs11/crls; - nss_dir = /etc/pki/nssdb; - cert_policy = ca, signature; - } - - # Which mappers ( Cert to login ) to use? - # you can use several mappers: - # - # subject - Cert Subject to login file based mapper - # pwent - CN to getpwent() login or gecos fields mapper - # ldap - LDAP mapper - # opensc - Search certificate in ${HOME}/.eid/authorized_certificates - # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys - # mail - Compare email fields from certificate - # ms - Use Microsoft Universal Principal Name extension - # krb - Compare againts Kerberos Principal Name - # cn - Compare Common Name (CN) - # uid - Compare Unique Identifier - # digest - Certificate digest to login (mapfile based) mapper - # generic - User defined certificate contents mapped - # null - blind access/deny mapper - # - # You can select a comma-separated mapper list. 
- # If used null mapper should be the last in the list :-) - # Also you should select at least one mapper, otherwise - # certificate will not match :-) - use_mappers = cn, uid, pwent, null; - - # When no absolute path or module info is provided, use this - # value as module search path - # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH - mapper_search_path = /usr/$LIB/pam_pkcs11; - - # - # Generic certificate contents mapper - mapper generic { - debug = true; - module = /usr/$LIB/pam_pkcs11/generic_mapper.so; - # ignore letter case on match/compare - ignorecase = false; - # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" - cert_item = cn; - # Define mapfile if needed, else select "none" - mapfile = file:///etc/pam_pkcs11/generic_mapping - # Decide if use getpwent() to map login - use_getpwent = false; - } - - # Certificate Subject to login based mapper - # provided file stores one or more "Subject -> login" lines - mapper subject { - debug = false; - # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; - module = internal; - ignorecase = false; - mapfile = file:///etc/pam_pkcs11/subject_mapping; - } - - # Search public keys from $HOME/.ssh/authorized_keys to match users - mapper openssh { - debug = false; - module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; - } - - # Search certificates from $HOME/.eid/authorized_certificates to match users - mapper opensc { - debug = false; - module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; - } - - # Certificate Common Name ( CN ) to getpwent() mapper - mapper pwent { - debug = false; - ignorecase = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; - } - - # Null ( no map ) mapper. 
when user as finder matchs to NULL or "nobody" - mapper null { - debug = false; - # module = /usr/$LIB/pam_pkcs11/null_mapper.so; - module = internal ; - # select behavior: always match, or always fail - default_match = false; - # on match, select returned user - default_user = nobody ; - } - - # Directory ( ldap style ) mapper - mapper ldap { - debug = false; - module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; - # where base directory resides - basedir = /etc/pam_pkcs11/mapdir; - # hostname of ldap server - ldaphost = "localhost"; - # Port on ldap server to connect - ldapport = 389; - # Scope of search: 0 = x, 1 = y, 2 = z - scope = 2; - # DN to bind with. Must have read-access for user entries under "base" - binddn = "cn=pam,o=example,c=com"; - # Password for above DN - passwd = "test"; - # Searchbase for user entries - base = "ou=People,o=example,c=com"; - # Attribute of user entry which contains the certificate - attribute = "userCertificate"; - # Searchfilter for user entry. Must only let pass user entry for the login user. - filter = "(&(objectClass=posixAccount)(uid=%s))" - } - - # Assume common name (CN) to be the login - mapper cn { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; - ignorecase = true; - mapfile = file:///etc/pam_pkcs11/cn_map; - } - - # mail - Compare email field from certificate - mapper mail { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; - # Declare mapfile or - # leave empty "" or "none" to use no map - mapfile = file:///etc/pam_pkcs11/mail_mapping; - # Some certs store email in uppercase. take care on this - ignorecase = true; - # Also check that host matches mx domain - # when using mapfile this feature is ignored - ignoredomain = false; - } - - # ms - Use Microsoft Universal Principal Name extension - # UPN is in format login@ADS_Domain. No map is needed, just - # check domain name. 
- mapper ms { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; - ignorecase = false; - ignoredomain = false; - domain = "domain.com"; - } - - # krb - Compare againts Kerberos Principal Name - mapper krb { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # uid - Maps Subject Unique Identifier field (if exist) to login - mapper uid { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # digest - elaborate certificate digest and map it into a file - mapper digest { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; - # algorithm used to evaluate certificate digest - # Select one of: - # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" - algorithm = "sha1"; - mapfile = file:///etc/pam_pkcs11/digest_mapping; - # mapfile = "none"; - } - -} diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..89e61a84 --- /dev/null +++ b/vars/audit.yml 
@@ -0,0 +1,41 @@ +--- + +#### Audit Configuration Settings #### + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}_rh8" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/opt' +# Where the goss audit configuration will be stored +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }} From 5675d6eda9bea8cfd0657f0cb47a8db9dca1baca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 21 Feb 2024 16:14:46 +0000 Subject: [PATCH 167/202] fix typo line 020030 
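Review bot: `audit_git_version: "benchmark_{{ benchmark_version }}_rh8"` selects the audit content by what looks like a branch or tag name, and that checkout includes `run_audit.sh`, which the pre/post audit tasks execute on every managed host; a mutable ref means the script run on those hosts can change without any change to this role. Pinning to a commit, or at least recording the trade-off with `# mutable branch/tag in the audit repo; pin to a commit to freeze the executed content`, would close that gap — the goss binary download, by contrast, is already pinned by `AMD64_checksum`. Only an AMD64 checksum is listed under `audit_bin_version`, so if LE_audit_setup.yml appends other architectures to `audit_bin_url` those downloads would go unverified; worth confirming against that file.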
Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e453e73b..527e99ef 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3308,9 +3308,9 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: '^lock-enabled' + regexp: ^lock-enabled line: lock-enabled=true - loop: "{{ rhel_08_020030_lock_enabled.stdout }}" + loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}" when: rhel_08_020030_lock_enabled.stdout | length > 0 notify: dconf update From 43bb99ff7bc731eac167c8602a72a7f99e0fc0e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:30:26 +0000 Subject: [PATCH 168/202] updated due to galaxy_ng changes Signed-off-by: Mark Bolwell --- README.md | 6 ++++++ meta/main.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0a0abb05..1c42a6cf 100644 --- a/README.md +++ b/README.md @@ -190,3 +190,9 @@ This repo originated from work done by [Sam Doran](https://github.com/samdoran/a ```sh pre-commit run ``` + +## Credits and Thanks + +Massive thanks to the fantastic community and all is members +Huge thanks and Credit to the original authors and maintainers. +Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/meta/main.yml b/meta/main.yml index f260b661..a9a9978b 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,6 @@ --- galaxy_info: - author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" + author: "MindPoint Group" description: "Apply the DISA RHEL 8 STIG" company: "MindPoint Group" license: MIT 
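Review bot: `loop:` in the RHEL-08-020030 task now iterates `rhel_08_020030_lock_enabled.stdout_lines`, but the `when:` on the next line still tests `.stdout | length > 0`; the two agree today (empty stdout gives empty stdout_lines), but the later RHEL-08-020050 fix in this series switches both to `stdout_lines`, so `when: rhel_08_020030_lock_enabled.stdout_lines | length > 0` keeps the pair consistent. The `loop` alone would also suffice, since an empty list skips the task.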
From 28adcc07d7ebf797894683000c962dc3124048e8 Mon Sep 17 00:00:00 2001 From: William Panlener Date: Mon, 23 Oct 2023 21:06:30 -0500 Subject: [PATCH 169/202] Revert "fixed gnutls as per issue 196 thansk to @jmalpede" This reverts commit 63c4c8406e7f6b49eeb94d787f258917e8716b0b. Signed-off-by: William Panlener Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d05b5ad6..64812982 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -916,7 +916,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less From a96bfcffc72622b5c00fd81400094f2f124f2900 Mon Sep 17 00:00:00 2001 From: William Golembieski Date: Thu, 9 Nov 2023 15:56:54 -0500 Subject: [PATCH 170/202] Update main.yml Removing stale var rhel8stig_sshd_compression Signed-off-by: William Golembieski Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 64812982..58382591 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
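Review bot: Restoring the `+VERS-ALL:` prefix in `rhel8stig_gnutls_encryption` leaves the two comment lines above it contradicting each other: the first says the task sets `+VERS-ALL:` and the variable only needs the disabled versions, the second says the variable must contain `+VERS-ALL:...`. If the task really prepends it, the reverted value would yield `+VERS-ALL:+VERS-ALL:...` in the crypto policy; if it does not, the first sentence of the comment should go and the remaining one should read `# to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0`. The consuming task is outside this diff, so which reading is correct cannot be settled here; the same comment also carries the `teh` and `ecryption` typos.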
@@ -867,10 +867,6 @@ rhel8stig_path_to_sshkey: "/root/.ssh/" # To conform to STIG standards these directories need to be 755 or less permissive rhel8stig_lib_dir_perms: 0755 -# RHEL-08-010510 -# rhel8stig_sshd_compression to meet STIG requirements needs to be set to "no" or "delayed" -rhel8stig_sshd_compression: "no" - # now in prelim # rhel8stig_interactive_uid_start: '1000' From a7d782d314b62bca735bc24183218460f82f32d4 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:39 +0000 Subject: [PATCH 171/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.20.2 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.20.2...v6.22.1) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 30819d0b..3bf09a94 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v6.20.2 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint 
@@ -59,6 +59,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 8eea9ca41c08885706fb8ef0208bea97a69e9532 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 01:17:54 +0000 Subject: [PATCH 172/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.1 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1) Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3bf09a94..717f0e69 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -59,6 +59,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From 5cf7da4b96ce8a666c6601a8aebb6a5fcbb849f6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 14:59:34 +0000 Subject: [PATCH 173/202] updated Readme credits Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1c42a6cf..467f0ef0 100644 
--- a/README.md +++ b/README.md @@ -193,6 +193,6 @@ pre-commit run ## Credits and Thanks -Massive thanks to the fantastic community and all is members -Huge thanks and Credit to the original authors and maintainers. +Massive thanks to the fantastic community and all is members. +This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From ddcff9c7151ed90074bc05f07d1026489cbab281 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 15:06:54 +0000 Subject: [PATCH 174/202] updated credits Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 467f0ef0..9ed50479 100644 --- a/README.md +++ b/README.md @@ -193,6 +193,6 @@ pre-commit run ## Credits and Thanks -Massive thanks to the fantastic community and all is members. +Massive thanks to the fantastic community and all its members. This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From 97eb04f521a4748fac6808d8d2106c204cbea93b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 12:27:18 +0000 Subject: [PATCH 175/202] Update meta and readme due to galaxy_ng Signed-off-by: Mark Bolwell --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 9ed50479..52560a4c 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License) - --- ## Looking for support? From 0d9d32c04e17e2d4cab80d1d38157f331814754b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Mar 2024 14:58:44 +0000 Subject: [PATCH 176/202] updated Readme credits 
Signed-off-by: Mark Bolwell --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 52560a4c..85a2396b 100644 --- a/README.md +++ b/README.md @@ -193,5 +193,7 @@ pre-commit run ## Credits and Thanks Massive thanks to the fantastic community and all its members. + This includes a huge thanks and credit to the original authors and maintainers. + Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From a8ec93ffbfb541376442a2f417f23a88b5801f8e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Mar 2024 10:58:56 +0000 Subject: [PATCH 177/202] updated Signed-off-by: Mark Bolwell --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 85a2396b..825e6d56 100644 --- a/README.md +++ b/README.md @@ -193,7 +193,6 @@ pre-commit run ## Credits and Thanks Massive thanks to the fantastic community and all its members. - This includes a huge thanks and credit to the original authors and maintainers. Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell From 6db5e1f10e2bebb83ed9afaf331fbdf0d8aec14b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 17:48:38 +0000 Subject: [PATCH 178/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.1) Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 717f0e69..88d4f0da 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.0 + rev: v24.2.1 hooks: - id: ansible-lint name: Ansible-lint From 206ad199b6c24f5f6374da0d4a0978c1424fca36 Mon Sep 17 00:00:00 2001 From: Phenix66 <34311559+Phenix66@users.noreply.github.com> Date: Tue, 19 Mar 2024 23:00:32 -0400 Subject: [PATCH 179/202] Updated RHEL-08-020050 to loop over stdout_lines. Fixes issue #261. Signed-off-by: Phenix66 <34311559+Phenix66@users.noreply.github.com> Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 527e99ef..7f0527c6 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3434,7 +3434,7 @@ line: | [org/gnome/settings-daemon/peripherals/smartcard] removal-action='lock-screen' - when: rhel_08_020050_removal_action.stdout | length == 0 + when: rhel_08_020050_removal_action.stdout_lines | length == 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" 
@@ -3442,15 +3442,16 @@ path: "{{ item }}" regexp: ^removal-action= line: removal-action='lock-screen' - loop: "{{ rhel_08_020050_removal_action.stdout }}" - when: rhel_08_020050_removal_action.stdout | length > 0 + loop: "{{ rhel_08_020050_removal_action.stdout_lines }}" + when: rhel_08_020050_removal_action.stdout_lines | length > 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" ansible.builtin.lineinfile: - path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' + path: '/etc/dconf/db/distro.d/locks/{{ item }}' line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - when: rhel_08_020050_removal_action_file.stdout | length > 0 + loop: "{{ rhel_08_020050_removal_action_file.stdout_lines }}" + when: rhel_08_020050_removal_action_file.stdout_lines | length > 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" @@ -3461,7 +3462,7 @@ owner: root group: root mode: 0640 - when: rhel_08_020050_removal_action_file.stdout | length == 0 + when: rhel_08_020050_removal_action_file.stdout_lines | length == 0 notify: dconf update when: - rhel_08_020050 From b9e1fa11cb22398baa44ef5cce8ebed30a3cd7b8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 17:54:43 +0000 Subject: [PATCH 180/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.5.0...v4.6.0) 
Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 88d4f0da..1f3f17bf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: # Safety - id: detect-aws-credentials From 2f81776ecc07b7b8a717077c4de0e69d2a353965 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 12:12:28 +0100 Subject: [PATCH 181/202] addressing #251 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 64 +++++++++++++++++----------------------------- tasks/prelim.yml | 44 +++++++++++++++++++++++-------- 2 files changed, 58 insertions(+), 50 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7f0527c6..75c0b161 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2230,7 +2230,6 @@ when: - rhel_08_010660 - rhel8stig_disruption_high - # - rhel_08_stig_interactive_homedir_inifiles is defined tags: - RHEL-08-010660 - CAT2 @@ -2441,7 +2440,7 @@ block: - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath - with_items: "{{ rhel_08_stig_interactive_homedir_results }}" + with_items: "{{ discovered_interactive_users_home.stdout_list }}" register: rhel_08_010690_ini_path_grep_list changed_when: false failed_when: false 
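Review bot: In the @@ -2441 hunk of tasks/fix-cat2.yml the new loop reads `with_items: "{{ discovered_interactive_users_home.stdout_list }}"`, but a registered shell result has no `stdout_list` attribute, so the RHEL-08-010690 audit task fails with an undefined-attribute error on its first run. Every other consumer introduced by this commit uses `.stdout_lines`, so the line should read `with_items: "{{ discovered_interactive_users_home.stdout_lines }}"`. The enclosing block for RHEL-08-010690 starts and ends outside the hunk.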
@@ -2558,15 +2557,31 @@ - SV-230320r627750_rule - V-230320 +# Required for RHEL-08-010730 +- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." + ansible.builtin.file: + path: "{{ item }}" + state: directory + with_items: "{{ discovered_interactive_users_home.stdout_lines }}" + when: + - rhel_08_010750 + tags: + - RHEL-08-010750 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230323r627750_rule + - V-230323 + - permissions + - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_perms }}" with_items: - - "{{ local_home_directories.stdout_lines }}" + - "{{ discovered_interactive_users_home.stdout_lines }}" when: - rhel_08_010730 - - local_home_directories.stdout | length > 0 tags: - RHEL-08-010730 - CAT2 
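Review bot: The re-added RHEL-08-010750 task creates any missing home directory with `state: directory` but no `owner`/`group`, so a directory it creates is root-owned and the user cannot write to it; the loop only carries paths, so the username is not available to set ownership. Consider having the prelim discovery emit `name:home` pairs (or a second registered list) so this task can set `owner: "{{ item.name }}"` alongside the path, or at least document in the task comment that ownership is not set. The leading comment `# Required for RHEL-08-010730` would read better as `# Must run before RHEL-08-010730, which sets permissions on these directories`.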
@@ -2578,20 +2593,12 @@ - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." block: - - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" - ansible.builtin.shell: "find {{ item }} -perm -750 ! -perm 750" - changed_when: false - failed_when: false - register: rhel_08_010731_files - with_items: - - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start | int) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_file_perms }}" with_items: - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + - "{{ discovered_interactive_users_home.stdout_lines }}" when: rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" @@ -2599,7 +2606,7 @@ msg: - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." - "Please review the files to bring into STIG compliance" - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + - "{{ discovered_interactive_users_home.stdout_lines }}" when: not rhel8stig_disruption_high when: - rhel_08_010731 @@ -2622,10 +2629,8 @@ label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010740 - - (item.uid >= rhel8stig_interactive_uid_start | int) - - (item.uid >= rhel8stig_interactive_uid_stop | int) + - item.uid is search(discovered_interactive_uids.stdout) tags: - - skip_ansible_lint - RHEL-08-010740 - CAT2 - CCI-000366 
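Review bot: After this change RHEL-08-010731 no longer touches the files the control is about: the "Bring files into compliance" task now applies `rhel8stig_local_int_home_file_perms` to the home directories themselves (`discovered_interactive_users_home.stdout_lines`), and the alert task in @@ -2599 prints those directory paths under "Below are the files that are in interactive user folders". The removed find-based audit was the only thing enumerating out-of-compliance files, so in either disruption mode files inside the homes are neither remediated nor reported. Restore an audit step over the discovered homes and loop the file task and the alert over its flattened `stdout_lines`; `-perm /027` matches any file with group-write or any other-permission bit set, i.e. more permissive than 0750. The enclosing block for RHEL-08-010731 starts in the hunk and ends outside it.
```yaml
      - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files"
        ansible.builtin.shell: "find {{ item }} -type f -perm /027"
        changed_when: false
        failed_when: false
        register: rhel_08_010731_files
        with_items:
          - "{{ discovered_interactive_users_home.stdout_lines }}"

      # … unchanged: "Bring files into compliance" and "Alert on out of compliance files" tasks,
      # both looping over "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}"
```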
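Review bot: The new condition `item.uid is search(discovered_interactive_uids.stdout)` in @@ -2622 has its operands reversed: Ansible's `search` test uses the right-hand value as the regex and applies it to the string form of the left, so the whole newline-joined UID list becomes the pattern searched inside a single UID. It can only match when exactly one interactive UID exists, and then it also matches any longer UID that contains it as a substring (e.g. `1000` matches `10000`), so RHEL-08-010740 silently skips or mis-selects accounts. Use an exact membership test instead: `- item.uid | string in discovered_interactive_uids.stdout_lines`. The same line appears in @@ -2645 for RHEL-08-010741 and needs the same fix.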
@@ -2645,8 +2650,7 @@ label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010741 - - (item.uid >= rhel8stig_interactive_uid_start | int) - - item.uid != 65534 + - item.uid is search(discovered_interactive_uids.stdout) tags: - RHEL-08-010741 - CAT2 @@ -2656,26 +2660,6 @@ - V-244532 - permissions -- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - ansible.builtin.file: - path: "{{ item.dir }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010750 - - (item.uid >= rhel8stig_interactive_uid_start | int) - tags: - - skip_ansible_lint - - RHEL-08-010750 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230323r627750_rule - - V-230323 - - permissions - - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." ansible.builtin.lineinfile: path: /etc/login.defs @@ -4396,7 +4380,7 @@ hidden: true use_regex: true register: rhel8stig_020352_file - loop: "{{ local_home_directories.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" ansible.builtin.lineinfile: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 91b429df..07034aee 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -139,6 +139,30 @@ - RHEL-08-010750 - RHEL-08-020320 +- name: "PRELIM | AUDIT | Discover Interactive Users" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }' + changed_when: false + register: discovered_interactive_usernames + +- name: "PRELIM | AUDIT | Discover Interactive User accounts home directories" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' + changed_when: false + register: discovered_interactive_users_home + +- name: "PRELIM | AUDIT | Discover Interactive user UIDs" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' + changed_when: false + register: discovered_interactive_uids + - name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero 
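Review bot: The exclusion regex `'^(root|halt|sync|shutdown)'` in the three new discovery tasks is anchored only at the start of the line, so any username that merely begins with one of those words (for example `syncops`) is silently dropped from the interactive-user set; anchor it on the field separator: `grep -E -v '^(root|halt|sync|shutdown):' /etc/passwd`. The replaced logic in fix-cat2.yml also applied the role's `rhel8stig_interactive_uid_start` threshold, which these pipelines do not, so any low-UID account with a login shell is now treated as interactive and has its home created and re-permissioned by 010730/010750; if that variable is still defined in defaults, add `$3 >= {{ rhel8stig_interactive_uid_start }} &&` to the awk condition. As a point of style the three tasks differ only in the printed field; one task printing `$1:$3:$6` and registering once would avoid parsing /etc/passwd three times and keep the three lists in sync by construction.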
@@ -188,16 +212,16 @@ - RHEL-08-010070 - RHEL-08-030010 -- name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" - ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: local_home_directories - when: - - rhel_08_010730 or - rhel_08_020352 - tags: - - always +# - name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" +# ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) +# changed_when: false +# failed_when: false +# register: local_home_directories +# when: +# - rhel_08_010730 or +# rhel_08_020352 +# tags: +# - always - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: From 4d759445784bc22db7b8f14ff9369a728389a3c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 12:16:33 +0100 Subject: [PATCH 182/202] fix issue #263 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 75c0b161..e495060a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7125,7 +7125,7 @@ - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: - name: net.ipv4.conf.all.send_redirects + name: net.ipv4.conf.all.accept_redirects value: 0 state: present reload: "{{ rhel8stig_sysctl_reload }}" From 050ac2804e4b36a2285bfcc2a469adfd77087d36 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 13:26:36 +0100 Subject: [PATCH 183/202] Address issues #242 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 12 ++++++------ tasks/fix-cat2.yml | 45 ++++++++++++++++----------------------------- 2 files changed, 22 insertions(+), 35 deletions(-) 
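Review bot: The superseded "Get local interactive user home directories" task is commented out rather than removed, leaving a ten-line block with its own `register:` and `tags: always` that reads like live configuration to the next maintainer. Git history already preserves it and nothing in the commit references `local_home_directories` any more, so delete the block outright.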
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 69fbcdbf..f89014d5 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -276,18 +276,18 @@ - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" - ansible.builtin.find: - path: '/' - recurse: true - patterns: '*.shosts' + ansible.builtin.shell: find / -name "*.shosts" + changed_when: false + failed_when: rhel_08_010470_shost_files.rc not in [ 0, 1 ] register: rhel_08_010470_shost_files - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" state: absent with_items: - - "{{ rhel_08_010470_shost_files.files }}" + - "{{ rhel_08_010470_shost_files.stdout_lines }}" + when: rhel_08_010470_shost_files.stdout | length > 0 when: - rhel_08_010470 tags: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e495060a..18cad8e8 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
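Review bot: `find / -name "*.shosts"` with no type filter means the follow-up `state: absent` loop will recursively remove a directory whose name happens to end in `.shosts`, and the walk now descends into `/proc`, `/sys`, `/dev` and any network-mounted paths, which the previous `ansible.builtin.find` also did but which you now control directly. Restrict to regular files and prune the pseudo filesystems, e.g. `find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -name "*.shosts" -print`. Note also that `stdout_lines` splits on newlines, so a path containing a newline is handed to the file module in fragments; `-print0` is not usable with `stdout_lines`, so the `-type f` restriction is the practical guard.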
@@ -461,19 +461,18 @@ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." block: - name: "MEDIUM | RHEL-08-010161 | AUDIT | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" - ansible.builtin.find: - path: / - patterns: '*.keytab' - recurse: true + ansible.builtin.shell: find / -name *.keytab + changed_when: false + failed_when: rhel8stig_010161_keytab_files.rc not in [ 0, 1 ] register: rhel8stig_010161_keytab_files - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" state: absent with_items: - - "{{ rhel8stig_010161_keytab_files.files }}" - when: rhel8stig_010161_keytab_files.matched > 0 + - "{{ rhel8stig_010161_keytab_files.stdout_lines }}" + when: rhel8stig_010161_keytab_files.stdout | length > 0 when: - rhel_08_010161 tags: 
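Review bot: The glob in `ansible.builtin.shell: find / -name *.keytab` is unquoted, so if the task's working directory contains a matching file the shell expands it before `find` runs, changing the search pattern, and with several matches `find` aborts with "paths must precede expression". Quote it as `find / -type f -name "*.keytab"`; `-type f` also keeps the `state: absent` loop from recursively deleting a directory with that suffix. The same unquoted `-name ssh_host*_key.pub` and `-name ssh_host*_key` patterns appear in the @@ -1630 and @@ -1664 hunks for RHEL-08-010480/010490 and should be quoted for the same reason.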
@@ -1630,25 +1629,19 @@ - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." block: - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" - ansible.builtin.find: - paths: /etc/ssh - recurse: true - file_type: file - patterns: 'ssh_host*_key.pub' - hidden: true + ansible.builtin.shell: find /etc/ssh -name ssh_host*_key.pub changed_when: false - failed_when: false + failed_when: rhel_08_010480_public_files.rc not in [ 0, 1 ] register: rhel_08_010480_public_files - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: - - "{{ rhel_08_010480_public_files.files }}" - loop_control: - label: "{{ item.path }}" + - "{{ rhel_08_010480_public_files.stdout_lines }}" notify: restart sshd + when: rhel_08_010480_public_files.stdout | length > 0 when: - rhel_08_010480 - rhel8stig_ssh_required 
@@ -1664,25 +1657,19 @@ - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Find files" - ansible.builtin.find: - paths: /etc/ssh - recurse: true - file_type: file - patterns: 'ssh_host*key' - hidden: true + ansible.builtin.shell: find /etc/ssh -name ssh_host*_key changed_when: false - failed_when: false + failed_when: rhel_08_010490_private_host_key_files.rc not in [ 0, 1 ] register: rhel_08_010490_private_host_key_files - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: - - "{{ rhel_08_010490_private_host_key_files.files }}" - loop_control: - label: "{{ item.path }}" + - "{{ rhel_08_010490_private_host_key_files.stdout_lines }}" notify: restart sshd + when: rhel_08_010490_private_host_key_files.stdout | length > 0 when: - rhel_08_010490 - rhel8stig_ssh_required From 3c33a35d0d8e04e6351cf4a10d545443d3165cbe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Apr 2024 15:23:13 +0100 Subject: [PATCH 184/202] housekeeping lint Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- tasks/main.yml | 12 ++++++------ tasks/prelim.yml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 18cad8e8..07e9614e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6057,8 +6057,8 @@ zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: enabled - service: "{{ (item == (item | regex_search('^[a-z]+$'))) | bool | ternary(item, omit) }}" - port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | bool | ternary(item, omit) }}" + service: "{{ (item == (item | regex_search('^[a-z]+$'))) | ternary(item, omit) }}" + port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" diff --git a/tasks/main.yml b/tasks/main.yml index a1acf152..14a40c90 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,7 +36,7 @@ ansible.builtin.include_vars: file: "{{ container_vars_file }}" - - name: output if discovered is a container + - name: Output if discovered is a container ansible.builtin.debug: msg: system has been discovered as a container when: @@ -167,17 +167,17 @@ - name: Include CAT III patches ansible.builtin.import_tasks: fix-cat3.yml - when: rhel8stig_cat3_patch | bool + when: rhel8stig_cat3_patch tags: - CAT3 - low -- name: flush handlers +- name: Flush handlers ansible.builtin.meta: flush_handlers -- name: reboot system +- name: Reboot system block: - - name: reboot system if not skipped + - name: Reboot system if not skipped ansible.builtin.reboot: when: - change_requires_reboot @@ -191,7 +191,7 @@ - change_requires_reboot - rhel8stig_skip_reboot -- name: run post remediation audit +- name: Run post remediation audit ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 07034aee..9583a072 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -163,15 +163,15 @@ changed_when: false register: discovered_interactive_uids -- name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" +- name: "PRELIM | RHEL-08-010690 | Ensure user enumeration command is modified when autofs remote home directories are in use" block: - - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero + - name: PRELIM | RHEL-08-010690 | AUDIT | Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero ansible.builtin.assert: that: - rhel8stig_auto_mount_home_dirs_local_mount_point is defined - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 - - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories + - name: PRELIM | RHEL-08-010690 | PATCH | Modify local_interactive_user_dir_command to exclude remote automounted home directories ansible.builtin.set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" @@ -381,7 +381,7 @@ tags: - always -- name: Gather the package facts +- name: "PRELIM | Gather the package facts" ansible.builtin.package_facts: manager: auto tags: From ddaf901cc5c7bf70e18253f4c6434f46b85a684c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Apr 2024 16:01:02 +0100 Subject: [PATCH 185/202] issue #267 Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ++++++++-- tasks/fix-cat2.yml | 31 +++++++++++++++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 58382591..9e6f1cfd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -884,14 +884,20 @@ rhel8stig_fapolicy_white_list: # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone rhel8stig_custom_firewall_zone: "new_fw_zone" +# rhel8stig_copy_existing_zone - if you wish to copy an existing zones rules to the new zone +rhel8stig_copy_existing_zone: true +# rhel8stig_existing_zone_to_copy - name of the zone that you wish to copy from +rhel8stig_existing_zone_to_copy: public + # RHEL-08-040090 -# rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone +# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules +# rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel8stig_white_list_services: + - ssh - http - https - - ssh # RHEL-08-010290 # RHEL-08-010290 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 07e9614e..1b1471e9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6052,6 +6052,27 @@ permanent: true state: present + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Copy existing rules to new zone" + ansible.builtin.copy: + src: "/etc/firewalld/zones/{{ rhel8stig_existing_zone_to_copy }}.xml" + dest: "/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml" + remote_src: true + when: + - rhel8stig_copy_existing_zone + - rhel8stig_existing_zone_to_copy | length > 0 + + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Amend copied file" + ansible.builtin.replace: + path: "/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml" + regexp: "{{ item.regexp }}" + replace: \1{{ item.replace }}\2 + loop: + - { regexp: (\s*(\s*$), replace: ' target="DROP">' } + - { regexp: (\s*).*(<\/short>), replace: "{{ rhel8stig_custom_firewall_zone }}" } + when: + - rhel8stig_copy_existing_zone + - rhel8stig_existing_zone_to_copy | length > 0 + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh" ansible.posix.firewalld: zone: "{{ rhel8stig_custom_firewall_zone }}" @@ -6061,6 +6082,8 @@ port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" + when: + - not rhel8stig_copy_existing_zone - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.10+" ansible.posix.firewalld: 
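Review bot: With `rhel8stig_copy_existing_zone` defaulting to true, the copy/replace path becomes the default and the whitelist task in @@ -6061 plus both "Target Drop" tasks are skipped via `not rhel8stig_copy_existing_zone`, so the new zone allows whatever services the source zone already carried rather than `rhel8stig_white_list_services`, and the deny-all target rests entirely on the regexp edit; the defaults comment for this option should say so explicitly. The pair is also not idempotent: the `replace` task makes the destination differ from the source, so `ansible.builtin.copy` with `remote_src: true` overwrites it again on every run and both tasks report changed each time; add `force: false` to the copy so it only seeds the zone file when it does not yet exist. The two `regexp` values as rendered here (`(\s*(\s*$)` is unbalanced) appear to have lost their angle-bracket markup in extraction, so confirm in the file that the first one still matches a source zone whose `<zone>` element already carries a `target` attribute, otherwise DROP is never set for that case.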
@@ -6068,7 +6091,9 @@ permanent: true state: enabled target: DROP - when: ansible_version.full is version_compare('2.10.0 | int', '>=') + when: + - ansible_version.full is version_compare('2.10.0 | int', '>=') + - not rhel8stig_copy_existing_zone - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9" block: @@ -6082,7 +6107,9 @@ ansible.builtin.shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP when: - rhel8stig_target_drop_set.rc != 0 - when: ansible_version.full is version_compare('2.10 | int', '<') + when: + - ansible_version.full is version_compare('2.10 | int', '<') + - not rhel8stig_copy_existing_zone - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" ansible.builtin.shell: firewall-cmd --reload From 1cf603c2b6048a55a21c95fe70b7df150cccd695 Mon Sep 17 00:00:00 2001 From: Eric Lehmann Date: Wed, 10 Apr 2024 15:33:35 -0400 Subject: [PATCH 186/202] Meet fix text of V-244546 Signed-off-by: Eric Lehmann Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9e6f1cfd..acc87c40 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -878,7 +878,7 @@ rhel8stig_ntp_server_name: 0.us.pool.ntp.mil # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all rhel8stig_fapolicy_white_list: - 'deny_audit perm=any pattern=ld_so : all' - - deny all all + - 'deny perm=any all : all' # RHEL-08-040090 # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone From 81b5e676742b848d44d17ae9e2cf44b4e69becfe Mon Sep 17 00:00:00 2001 
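Review bot: The re-added condition `ansible_version.full is version_compare('2.10.0 | int', '>=')` has `| int` inside the string literal, so the comparison is against the literal text `2.10.0 | int`; it presumably compares as intended only because loose version parsing ignores the trailing junk, and `version_compare` is the deprecated alias of `version`. Write it as `- ansible_version.full is version('2.10.0', '>=')`, and in @@ -6082 as `- ansible_version.full is version('2.10', '<')`.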
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 17:51:26 +0000 Subject: [PATCH 187/202] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](https://github.com/ansible-community/ansible-lint/compare/v24.2.1...v24.2.2) Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1f3f17bf..71a7e81a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.1 + rev: v24.2.2 hooks: - id: ansible-lint name: Ansible-lint From d709014720ef676d76835b57b6bed0bf147d6d13 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 Apr 2024 09:20:33 +0100 Subject: [PATCH 188/202] fixed error in conditional rhel-08-020022 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 1b1471e9..8e50668b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3206,7 +3206,7 @@ - password-auth when: - rhel_08_020022 - - ansible_distribution_version is version('8.2', '>=') + - ansible_distribution_version is version('8.1', '<=') tags: - RHEL-08-020022 - CAT2 From e86bb7023a5d0b6aed456dd9abde5da1dfb46362 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Tue, 30 Apr 2024 09:57:33 +0100 Subject: [PATCH 189/202] Merge in changes from v1r13 - Jan 24 (#274) * updated v1r13 reference Signed-off-by: Mark Bolwell * v1r13 updates Signed-off-by: Mark Bolwell * updated thanks to @Phenix66 Signed-off-by: Mark Bolwell * updated thanks to @fallenpixel Signed-off-by: Mark Bolwell * tidy up quotes around mode Signed-off-by: Mark Bolwell * tidy up variables 
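Review bot: In the @@ -3206 hunk the new condition `ansible_distribution_version is version('8.1', '<=')` works because `ansible_distribution_version` is `major.minor` on RHEL, but it is not the exact complement of the `>= 8.2` it replaces and would exclude any patch-level value such as `8.1.1`. The direct negation reads more clearly and is robust to either form: `- ansible_distribution_version is version('8.2', '<')`. The enclosing block for RHEL-08-020022 starts outside the hunk.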
Signed-off-by: Mark Bolwell * updates to auditing order Signed-off-by: Mark Bolwell * #266 fix added Signed-off-by: Mark Bolwell * added prelim to includes Signed-off-by: Mark Bolwell * updated v1r13 reference Signed-off-by: Mark Bolwell * v1r13 updates Signed-off-by: Mark Bolwell * updated thanks to @Phenix66 Signed-off-by: Mark Bolwell * tidy up quotes around mode Signed-off-by: Mark Bolwell * tidy up variables Signed-off-by: Mark Bolwell * updates to auditing order Signed-off-by: Mark Bolwell * added prelim to includes Signed-off-by: Mark Bolwell * file mode updates with improved var usage Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell --- Changelog.md | 29 +++++ README.md | 2 +- defaults/main.yml | 87 +++++++------- handlers/main.yml | 9 +- tasks/fix-cat1.yml | 6 +- tasks/fix-cat2.yml | 145 ++++++++++++----------- tasks/fix-cat3.yml | 40 +++---- tasks/main.yml | 17 --- tasks/post_remediation_audit.yml | 8 +- tasks/pre_remediation_audit.yml | 31 ++--- tasks/prelim.yml | 191 ++++++++++++++++--------------- vars/audit.yml | 17 ++- 12 files changed, 306 insertions(+), 276 deletions(-) diff --git a/Changelog.md b/Changelog.md index c0bcafc1..f2d02d09 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,34 @@ # Changes to RHEL8STIG +## 3.2 - STIV V1R13 - 24th Jan 2024 + +- Audit updated + - moved audit into prelim + - updates to audit logic for copy and archive options + +ruleid updated + +- 010001 +- 020250 +- 020290 +- 040090 + +CAT II + +- 020035 - updated rule and added handler for logind restart +- 040020 - /bin/false update and ruleid update +- 040080 - /bin/false and ruleid +- 040111 - /bin/false and ruleid + +CAT III + +- 040021 - /bin/false and ruleid +- 040022 - /bin/false and ruleid +- 040023 - /bin/false and ruleid +- 040024 - /bin/false and ruleid +- 040025 - /bin/false and ruleid +- 040026 - /bin/false and ruleid + ## 3.1 - STIG V1R12 - 25th Oct 2023 ruleid updated diff --git a/README.md b/README.md index 825e6d56..98fbeab0 100644 
--- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip). --- diff --git a/defaults/main.yml b/defaults/main.yml index acc87c40..ccfc9ea6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r12' +benchmark_version: 'v1r13' ## Benchmark name used by audting control role # The audit variable found at the base @@ -35,7 +35,6 @@ rhel8stig_audit_disruptive: false rhel8stig_skip_for_travis: false rhel8stig_workaround_for_disa_benchmark: true -rhel8stig_workaround_for_ssg_benchmark: true # tweak role to run in a chroot, such as in kickstart %post script rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" 
@@ -56,23 +55,26 @@ rhel8stig_skip_reboot: true # Defined will change if control requires change_requires_reboot: false -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/auditd.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file 
@@ -85,20 +87,24 @@ get_audit_binary_method: download audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# archive or copy: -audit_conf_copy: "some path to copy from" +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# get_url: -audit_files_url: "some url maybe s3?" +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# Where the audit logs are stored +audit_log_dir: '/opt' -### End Goss enablements #### -#### Detailed settings found at the end of this document #### +### Goss Settings ## +####### END ######## # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group @@ -501,11 +507,6 @@ rhel8stig_kdump_needed: false # or rhel8stig_gui) rhel8stig_always_configure_dconf: false -# Whether or not to run tasks related to smart card authentication enforcement -rhel8stig_smartcard: false -# Configure your smartcard driver -rhel8stig_smartcarddriver: cackey - # Set the file that sysctl should write to rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf 
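Review bot: This hunk renames `audit_conf_copy` and `audit_files_url` to a single `audit_conf_source`, adds `audit_conf_dest` and `audit_log_dir`, and @@ -501 drops `rhel8stig_smartcard` and `rhel8stig_smartcarddriver`, yet the 3.2 Changelog entry added in the same commit mentions none of this; an inventory still setting the old names loses the setting silently. Add a short "Variables renamed/removed" list to the Changelog entry naming each old and new variable. As a point of style, `audit_conf_dest: "/opt"` and `audit_log_dir: '/opt'` use different quote styles for identical values; the file otherwise favours single quotes for plain paths.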
@@ -528,6 +529,11 @@ rhel8stig_ipv6_required: true # When set to anything other than mcafee it will skip this control assuming localized threat prevention management rhel8stig_av_sftw: mcafee +# RHEL-08-010110 & 010130 & 010760 & 020190 & 020200 & 020231 & 020310 & 020351 +# rhel8stig_login_defs_file_perms +# Permissions set on /etc/login.defs +rhel8stig_login_defs_file_perms: 0644 + # RHEL-08-010210 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to. # To conform to STIG standards this needs to be 0640 or more restrictive @@ -559,10 +565,6 @@ rhel8stig_ssh_pub_key_perm: 0644 rhel8stig_ssh_priv_key_perm: 0600 # RHEL-08-010690 -# Set standard user paths here -# Also set whether we should automatically remediate paths in user ini files. -# rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" -rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false # RHEL-08-010700 @@ -591,6 +593,19 @@ rhel8stig_local_int_home_file_perms: 0750 # To connform to STIG standards this needs to be set to 0740 or less permissive rhel8stig_local_int_perm: 0740 +# RHEL-08-020100 pamd file permissions - /etc/pam.d/(password-auth|system-auth) files +# rhel8stig_pamd_file_perms +# This needs a minimum of 0644 ( more restrictive may cause issues testing will be required) +rhel8stig_pamd_file_perms: 0644 + +# RHEL-08-020110 - pwquality file permissions +# mode: "{{ rhel8stig_pamd_file_perms }}" +rhel8stig_pwquality_file_perms: 0644 + +# RHEL-08-0400xx +# blacklist.conf - /etc/modprobe.d/blacklist.conf file permissions +rhel8stig_blacklist_conf_file_perms: 0640 + # RHEL-08-020250 # This is a check for a "supported release" # These are the minimum supported releases. 
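Review bot: `rhel8stig_login_defs_file_perms: 0644` is an unquoted octal literal, so the YAML loader hands Ansible the integer 420; when the fix-cat2 tasks render it through `mode: "{{ rhel8stig_login_defs_file_perms }}"` the module receives the string "420" (with the default non-native Jinja2 setting) and parses it as octal, which can leave /etc/login.defs at 0420 instead of 0644. This is the very pitfall the rest of the commit fixes by quoting literal modes in the task files, so the new default should be quoted too: `rhel8stig_login_defs_file_perms: '0644'`.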
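Review bot: The three new permission variables (`rhel8stig_pamd_file_perms: 0644`, `rhel8stig_pwquality_file_perms: 0644`, `rhel8stig_blacklist_conf_file_perms: 0640`) are unquoted octal, so they load as the integers 420/416 and, once templated into `mode: "{{ ... }}"` in the tasks, can be re-read as octal 0420/0416 and set wrong permissions on the pam.d, pwquality.conf and modprobe.d files. Quote them as strings (`rhel8stig_pamd_file_perms: '0644'`, `rhel8stig_pwquality_file_perms: '0644'`, `rhel8stig_blacklist_conf_file_perms: '0640'`), matching the quoting this commit applies to literal modes elsewhere. The comment above the pwquality variable still reads `# mode: "{{ rhel8stig_pamd_file_perms }}"`, which names the pam.d variable rather than `rhel8stig_pwquality_file_perms`; it looks like a copy-paste leftover and should be corrected or dropped.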
@@ -707,13 +722,6 @@ rhel8stig_sssd: maprule: (userCertificate;binary={cert!bin}) domains: "{{ rhel8stig_sssd_domain }}" -# RHEL-08-020070 -# Session timeout setting file (TMOUT setting can be set in multiple files) -# Timeout value is in seconds. (60 seconds * 10 = 600) -rhel8stig_shell_session_timeout: - file: /etc/profile.d/tmout.sh - timeout: 600 - # RHEL-08-010200 | All network connections associated with SSH traffic must # terminate at the end of the session or after 10 minutes of inactivity, except # to fulfill documented and validated mission requirements. @@ -763,14 +771,6 @@ rhel8stig_pam_faillock: # RHEL-08-020035 rhel_08_020035_idlesessiontimeout: 900 -# RHEL-08-030670 -# rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards -rhel8stig_audisp_disk_full_action: single - -# RHEL-08-030680 -# rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single -rhel8stig_audisp_network_failure_action: single - # RHEL-08-030060 # rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards rhel8stig_auditd_disk_full_action: HALT 
@@ -910,11 +910,6 @@ rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@open # Expected Values for FIPS KEX algorithims rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" -# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting -# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings -# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256" - # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 diff --git a/handlers/main.yml b/handlers/main.yml index c210d6f1..cd5e4829 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,6 +10,11 @@ when: - not system_is_container +- name: Restart_systemdlogin + ansible.builtin.systemd: + name: systemd-logind + state: restarted + - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" @@ -74,7 +79,7 @@ remote_src: true owner: root group: root - mode: 0755 + mode: '0755' when: - rhel8stig_grub2_user_cfg.stat.exists - rhel8stig_workaround_for_disa_benchmark @@ -97,7 +102,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: '0600' notify: restart auditd - name: restart auditd diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f89014d5..04597be6 100644 
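Review bot: The new `Restart_systemdlogin` handler carries no container guard, whereas the handler immediately above it in the context is conditioned on `not system_is_container`; restarting `systemd-logind` inside a container will fail the play when RHEL-08-020035 notifies it. Add `when: - not system_is_container` to the new handler for parity. Restarting logind can also disturb tracking of already-active user sessions on some systemd versions, so it is worth confirming that behaviour on RHEL 8 before relying on a restart rather than a reboot-required flag, and the name `Restart_systemdlogin` breaks the lower-case, space-separated convention of its neighbours (`sysctl system`, `restart auditd`).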
--- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -63,7 +63,7 @@ dest: /etc/default/grub owner: root group: root - mode: 0644 + mode: '0644' vars: grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler @@ -187,7 +187,7 @@ line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" owner: root group: root - mode: 0640 + mode: '0640' notify: confirm grub2 user cfg when: - not system_is_ec2 @@ -437,7 +437,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' with_items: - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8e50668b..3f3e96ae 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -25,7 +25,7 @@ - CAT2 - CCI-001233 - SRG-OS-000191-GPOS-00080 - - SV-245540r754730_rule + - SV-245540r942951_rule - V-245540 - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." @@ -293,6 +293,9 @@ path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010110 tags: @@ -344,6 +347,9 @@ path: /etc/login.defs regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010130 tags: @@ -363,7 +369,7 @@ dest: /etc/grub.d/01_users owner: root group: root - mode: 0755 + mode: '0755' notify: confirm grub2 user cfg when: - rhel_08_010141 or 
@@ -388,7 +394,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010151 tags: @@ -408,7 +414,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010152 tags: @@ -842,7 +848,6 @@ - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" ansible.builtin.shell: fips-mode-setup --enable - register: rhel_08_010290_fips_enable notify: change_requires_reboot when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' when: @@ -2398,7 +2403,7 @@ dest: /etc/resolv.conf owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010680_networkmanager_check.stdout == '0' - rhel8_stig_use_resolv_template @@ -2652,6 +2657,9 @@ path: /etc/login.defs regexp: '.*?CREATE_HOME.*' line: CREATE_HOME yes + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010760 tags: @@ -3292,7 +3300,7 @@ regexp: '^lock-enabled' owner: root group: root - mode: 0644 + mode: '0644' line: | [org/gnome/desktop/screensaver] # Set this to true to lock the screen when the screensaver activates @@ -3315,8 +3323,12 @@ - name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions." ansible.builtin.lineinfile: path: "/etc/systemd/logind.conf" - regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec=' - line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^(?#)\s*StopIdleSessionSec\s*=', line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}" } + - { regexp: '^(?#)\s*KillUserProccesses\s*=', line: "KillUserProccesses=no" } + notify: Restart_systemdlogin when: - rhel_08_020035 tags: @@ -3324,7 +3336,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-257258r917891_rule + - SV-257258r942953_rule - V-257258 - session 
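Review bot: The second loop item for RHEL-08-020035 writes `KillUserProccesses=no`, but the logind.conf option is spelled `KillUserProcesses`; systemd treats the misspelled key as unknown and ignores it, so the setting is never applied. Correct both the regexp and the line: `- { regexp: '^(?#)\s*KillUserProcesses\s*=', line: "KillUserProcesses=no" }`. Note also that `(?#)` is an empty inline comment in Python regex, not an optional `#`, so neither regexp matches the commented-out defaults that logind.conf typically ships (`#StopIdleSessionSec=`, `#KillUserProcesses=no`); if the intent was to replace those rather than append below them, `^#?\s*StopIdleSessionSec\s*=` is the form that does it.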
@@ -3344,7 +3356,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' loop: - { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' } - { regexp: '^bind X lock-session', line: 'bind X lock-session' } @@ -3401,7 +3413,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' line: | [org/gnome/settings-daemon/peripherals/smartcard] removal-action='lock-screen' @@ -3432,7 +3444,7 @@ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action owner: root group: root - mode: 0640 + mode: '0640' when: rhel_08_020050_removal_action_file.stdout_lines | length == 0 notify: dconf update when: @@ -3461,14 +3473,14 @@ create: true owner: root group: root - mode: 0640 + mode: '0640' regexp: '^idle-delay' line: | [org/gnome/desktop/session] # Set the lock time out to 900 seconds before the session is considered idle idle-delay=uint32 900 notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout | length == 0 + when: rhel_08_020060_idle_delay_param.stdout_lines | length == 0 - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" ansible.builtin.lineinfile: @@ -3477,9 +3489,9 @@ line: idle-delay=uint32 900 owner: root group: root - mode: 0640 - loop: "{{ rhel_08_020060_idle_delay_param.stdout }}" - when: rhel_08_020060_idle_delay_param.stdout | length > 0 + mode: '0640' + loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}" + when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0 notify: dconf update when: - rhel_08_020060 @@ -3509,7 +3521,7 @@ line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_020070 tags: @@ -3528,7 +3540,7 @@ line: /org/gnome/desktop/screensaver/lock-delay owner: root group: root - mode: 0640 + mode: '0640' when: - rhel_08_020080 - "'dconf' in ansible_facts.packages" 
@@ -3549,7 +3561,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } @@ -3576,7 +3588,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: - rhel_08_020100 tags: @@ -3596,7 +3608,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: - rhel_08_020101 tags: @@ -3624,7 +3636,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020102_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" @@ -3664,7 +3676,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020103_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" @@ -3693,6 +3705,7 @@ path: /etc/security/pwquality.conf regexp: '^retry =|^#.*retry =' line: retry = {{ rhel8stig_pam_pwquality_retry }} + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020104 - ansible_distribution_version is version('8.4', '>=') @@ -3712,7 +3725,7 @@ line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" create: true when: - rhel_08_020110 
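Review bot: The RHEL-08-020104 `retry =` task now sets `mode: "{{ rhel8stig_pwquality_file_perms }}"` on /etc/security/pwquality.conf but, unlike the sibling pwquality tasks in this file, does not set `owner: root` and `group: root`, so a file with stray ownership would keep it while gaining the new mode. Add the two lines next to `mode:` for consistency with the 020110+ tasks: `owner: root` and `group: root`.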
@@ -3733,7 +3746,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020120 tags: @@ -3753,7 +3766,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020130 tags: @@ -3773,7 +3786,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020140 tags: @@ -3793,7 +3806,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020150 tags: @@ -3813,7 +3826,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020160 tags: @@ -3833,7 +3846,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020170 tags: @@ -3875,7 +3888,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020190 tags: @@ -3891,11 +3904,11 @@ ansible.builtin.lineinfile: path: /etc/login.defs create: true - owner: root - group: root - mode: 0644 regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020200 tags: @@ -3953,7 +3966,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020220_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" 
@@ -3992,7 +4005,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020221_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" @@ -4023,7 +4036,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020230 tags: @@ -4042,7 +4055,7 @@ line: "PASS_MIN_LEN 15" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020231 tags: @@ -4100,7 +4113,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0600 + mode: '0600' notify: restart sssd with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } @@ -4112,7 +4125,7 @@ line: auth sufficient pam_sss.so try_cert_auth owner: root group: root - mode: 0644 + mode: '0644' notify: restart sssd when: rhel_08_020250_sc_auth_sss.stdout | length == 0 @@ -4159,7 +4172,7 @@ - CAT2 - CCI-000765 - SRG-OS-000105-GPOS-00052 - - SV-230372r627750_rule + - SV-230372r942945_rule - V-230372 - pamd @@ -4208,7 +4221,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020280 tags: @@ -4228,7 +4241,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } @@ -4240,7 +4253,7 @@ - CAT2 - CCI-002007 - SRG-OS-000383-GPOS-00166 - - SV-230376r627750_rule + - SV-230376r942948_rule - V-230376 - sssd @@ -4252,7 +4265,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020300 tags: 
@@ -4271,7 +4284,7 @@ line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020310 tags: @@ -4343,7 +4356,7 @@ line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020351 tags: @@ -4559,7 +4572,7 @@ ansible.builtin.file: path: "{{ rhel08_030070_auditlog_location.stdout }}" state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}" - mode: '0600' + mode: o-x,go-rwx when: - rhel_08_030070 tags: @@ -4687,7 +4700,7 @@ - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" ansible.builtin.file: path: "{{ rhel_08_030120_audit_log_dir.stdout }}" - mode: 0700 + mode: go-rwx state: directory when: rhel_08_030120_audit_log_dir.stdout | length > 0 when: @@ -5473,7 +5486,7 @@ - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." ansible.builtin.file: path: "{{ item }}" - mode: 0640 + mode: '0640' with_items: - /etc/audit/rules.d/audit.rules - /etc/audit/auditd.conf @@ -5500,7 +5513,7 @@ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools" ansible.builtin.file: path: "{{ item }}" - mode: 0755 + mode: go-w with_items: - "{{ rhel_08_030620_tools.stdout_lines }}" when: @@ -5571,7 +5584,7 @@ line: "{{ item }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - "# Audit Tools" - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 
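Review bot: For RHEL-08-030070 the new symbolic mode `o-x,go-rwx` only clears group and other bits and never touches the owner's execute bit, so an audit log that is currently 0700 stays 0700 even though the rule requires 0600 or less permissive; the `o-x` part is already implied by `go-rwx` and was presumably meant to be `u-x`. Use `mode: u-x,go-rwx` (or keep the explicit `mode: '0600'` that was removed). The directory and tool hunks below (`go-rwx`, `go-w`) only remove bits the rule forbids and do not have this gap.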
@@ -5696,7 +5709,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: @@ -5823,12 +5836,12 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" insertafter: "{{ item.insertafter }}" notify: change_requires_reboot with_items: - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } - - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/true', insertafter: '##Disable WebCam' } + - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/false', insertafter: '##Disable WebCam' } - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } when: - rhel_08_040020 @@ -5837,7 +5850,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230493r809316_rule + - SV-230493r942915_rule - V-230493 - camera @@ -5971,9 +5984,9 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" with_items: - - { regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { regexp: '^install usb-storage', line: 'install usb-storage /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} when: - rhel_08_040080 @@ -5982,7 +5995,7 @@ - CAT2 - CCI-000778 - SRG-OS-000114-GPOS-00059 - - SV-230503r809319_rule + - SV-230503r942936_rule - V-230503 - usb_devices @@ -6130,7 +6143,7 @@ - CAT2 - CCI-002314 - SRG-OS-000297-GPOS-00115 - - SV-230504r809321_rule + - SV-230504r942942_rule - V-230504 - firewall 
@@ -6170,11 +6183,11 @@ ansible.builtin.lineinfile: path: /etc/modprobe.d/bluetooth.conf regexp: '^install bluetooth ' - line: "install bluetooth /bin/true" + line: "install bluetooth /bin/false" create: true owner: root group: root - mode: 0640 + mode: '0640' notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module" @@ -6185,7 +6198,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" insertafter: "{{ item.insertafter }}" notify: change_requires_reboot with_items: @@ -6197,7 +6210,7 @@ - CAT2 - CCI-001443 - SRG-OS-000300-GPOS-00118 - - SV-230507r833336_rule + - SV-230507r942939_rule - V-230507 - bluetooth diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 31c8abb7..6a8a5dbc 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -238,7 +238,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_020024 tags: @@ -381,7 +381,7 @@ create: true owner: root group: root - mode: 0600 + mode: '0600' when: - rhel_08_030603 tags: @@ -472,10 +472,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install atm', line: 'install atm /bin/true', insertafter: 'EOF' } + - { regexp: '^install atm', line: 'install atm /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist atm', line: 'blacklist atm', insertafter: '^install atm /bin/true' } when: - rhel_08_040021 @@ -484,7 +484,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230494r792911_rule + - SV-230494r942918_rule - V-230494 - modprobe - atm 
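Review bot: The `install atm` line now reads `/bin/false`, but the unchanged `blacklist atm` item still anchors on `insertafter: '^install atm /bin/true'`, which no longer matches anything; lineinfile then falls back to appending at EOF, so the outcome is functionally the same but the anchor is stale and misleading. Change it to `insertafter: '^install atm'`, the form the sctp and tipc items in this file already use.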
@@ -498,10 +498,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install can', line: 'install can /bin/true', insertafter: 'EOF' } + - { regexp: '^install can', line: 'install can /bin/false', insertafter: 'EOF' } - { regexp: 'blacklist can', line: 'blacklist can', insertafter: '^install can /bin/true' } when: - rhel_08_040022 @@ -510,7 +510,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230495r792914_rule + - SV-230495r942921_rule - V-230495 - modprobe - can @@ -524,10 +524,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install sctp', line: 'install sctp /bin/true', insertafter: 'EOF' } + - { regexp: '^install sctp', line: 'install sctp /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist sctp', line: 'blacklist sctp', insertafter: '^install sctp' } when: - rhel_08_040023 @@ -536,7 +536,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230496r792917_rule + - SV-230496r942924_rule - V-230496 - modprobe - sctp @@ -550,10 +550,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install tipc', line: 'install tipc /bin/true', insertafter: 'EOF' } + - { regexp: '^install tipc', line: 'install tipc /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist tipc', line: 'blacklist tipc', insertafter: '^install tipc' } when: - rhel_08_040024 @@ -562,7 +562,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230497r792920_rule + - SV-230497r942927_rule - V-230497 - modprobe - tipc 
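Review bot: In the `can` task the unchanged `blacklist can` item still uses `insertafter: '^install can /bin/true'`, which cannot match now that the install line is `install can /bin/false`; lineinfile silently appends at EOF instead. Update it to `insertafter: '^install can'`, and while there anchor the regexp as the other items do: `regexp: '^blacklist can'`.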
@@ -576,10 +576,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } + - { regexp: '^install cramfs', line: 'install cramfs /bin/false', insertafter: 'EOF' } - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } when: - rhel_08_040025 @@ -588,7 +588,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230498r792922_rule + - SV-230497r942927_rule - V-230498 - modprobe - cramfs @@ -602,10 +602,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } + - { regexp: '^install firewire-core', line: 'install firewire-core /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } when: - rhel_08_040026 @@ -614,7 +614,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230499r792924_rule + - SV-230499r942933_rule - V-230499 - modprobe - firewire diff --git a/tasks/main.yml b/tasks/main.yml index 14a40c90..96d3f1df 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,23 +134,6 @@ - prelim_tasks - run_audit -- name: Include audit specific variables - ansible.builtin.include_vars: audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - -- name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - - name: Include CAT I patches ansible.builtin.import_tasks: fix-cat1.yml when: rhel8stig_cat1_patch 
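Review bot: The cramfs task (V-230498) now carries the tag `SV-230497r942927_rule`, which is the tipc rule's identifier copied from the task above; the cramfs control keeps its own `SV-230498r<rev>_rule` ID, so tag-based selection and audit mapping for RHEL-08-040025 now point at the wrong STIG rule. Replace it with the current SV-230498 revision from the v1r12 benchmark. The rest of the hunk (`/bin/false`, variable-driven mode) is consistent with the neighbouring modprobe tasks.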
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2c51bbb0..b3111c80 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,11 +1,11 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users @@ -22,7 +22,7 @@ - audit_format == "json" block: - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false @@ -37,7 +37,7 @@ - audit_format == "documentation" block: - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e3a261e7..d0137e81 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -5,7 +5,8 @@ - setup_audit tags: - setup_audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: 
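Review bot: The rebuilt `run_audit.sh` invocation quotes only `{{ group_names }}`; `{{ audit_vars_path }}`, `{{ audit_format }}` and `{{ post_audit_outfile }}` are interpolated bare into `ansible.builtin.shell`, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell. Quote them like the existing argument (`-v \"{{ audit_vars_path }}\" -f \"{{ audit_format }}\" -o \"{{ post_audit_outfile }}\"`) or switch to `ansible.builtin.command` with `argv`. `AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"` also repeats inline the `/opt` default that defaults/main.yml now sets for `audit_conf_dest`; one source of truth is preferable.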
@@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -77,19 +80,19 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false 
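Review bot: The new get_url branch unpacks an archive taken straight from `audit_conf_source` with `remote_src` and no integrity check, and the example URL in defaults points at a branch archive (`refs/heads/benchmark-v1.0.0.tar.gz`), which is mutable; anyone who can change that branch, or intercept a plain `http` URL (the `is contains('http')` test accepts both schemes), controls the Goss content the audit then runs on the managed node. Fetch with `ansible.builtin.get_url` and its `checksum:` option (or pin to a tag/commit archive) and only then `unarchive` the local file with `remote_src: true`. Deciding `--strip-components=1` from the substring `github` and `remote_src` from the substring `http` are fragile heuristics; an explicit variable for each would be clearer and would not misfire on a local path that happens to contain those words.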
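Review bot: As in the post-remediation file, the pre-audit `run_audit.sh` command leaves `{{ audit_vars_path }}`, `{{ audit_format }}` and `{{ pre_audit_outfile }}` unquoted inside `ansible.builtin.shell`, so only `{{ group_names }}` is protected from word-splitting and shell interpretation. Quote them the same way (`-v \"{{ audit_vars_path }}\" -f \"{{ audit_format }}\" -o \"{{ pre_audit_outfile }}\"`) or use `ansible.builtin.command` with `argv`.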
@@ -103,8 +106,8 @@ when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 9583a072..17891e57 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -1,5 +1,100 @@ --- +- name: PRELIM | set bootloader type + block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel8_efi_boot + + - name: "PRELIM | set fact if UEFI boot" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + + - name: "PRELIM | set fact if UEFI boot | Oracle Linux" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/redhat + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution == 'OracleLinux' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/grub2/ + rhel8stig_legacy_boot: true + when: not rhel8_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel8stig_bootloader_path }}" + - "legacy boot equals {{ rhel8stig_legacy_boot }}" + tags: + - always + +- name: "PRELIM | Gather interactive user ID min" + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_max_uid + + - name: "PRELIM | Setting the fact" + ansible.builtin.set_fact: + rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" + rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" + tags: + - always + +- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" + block: + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" + 
ansible.builtin.stat: + path: "{{ rhel8stig_sssd_conf }}" + register: rhel8stig_sssd_conf_present + + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" + ansible.builtin.debug: + msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" + changed_when: true + when: + - not rhel8stig_sssd_conf_present.stat.exists + when: + - rhel_08_010400 or + rhel_08_020090 or + rhel_08_020250 or + rhel_08_020290 + tags: + - always + +- name: "PRELIM | Include audit specific variables" + ansible.builtin.include_vars: audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + +- name: "PRELIM | Include pre-remediation audit tasks" + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + - name: "PRELIM | RHEL-08-010020" block: - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" @@ -212,17 +307,6 @@ - RHEL-08-010070 - RHEL-08-030010 -# - name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" -# ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) -# changed_when: false -# failed_when: false -# register: local_home_directories -# when: -# - rhel_08_010730 or -# rhel_08_020352 -# tags: -# - always - - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins 
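Review bot: The two audit tasks moved into prelim keep the condition `run_audit or audit_only` together with `setup_audit`, so with `run_audit: true` and `setup_audit: false` (the "binary already present" case the defaults describe) neither audit.yml nor pre_remediation_audit.yml is included at all, even though pre_remediation_audit.yml already gates its own setup step on `setup_audit`. Unless audits are meant to require `setup_audit`, drop the `- setup_audit` line from both `when:` lists; otherwise the post-remediation audit, which references `audit_conf_dir` and `audit_vars_path` from audit.yml, would see undefined variables under that combination (verify how main.yml guards it). Separately, the UID_MIN/UID_MAX lookups use `failed_when: false`, so a missing or commented key yields an empty `rhel8stig_interactive_uid_start`/`_stop`; a `| default('1000')`-style fallback or an explicit assert would make the failure visible.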
@@ -339,94 +423,13 @@ - RHEL-08-010770 - complexity-high -- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" - block: - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - ansible.builtin.stat: - path: "{{ rhel8stig_sssd_conf }}" - register: rhel8stig_sssd_conf_present - - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" - ansible.builtin.debug: - msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" - changed_when: true - when: - - not rhel8stig_sssd_conf_present.stat.exists - when: - - rhel_08_010400 or - rhel_08_020090 or - rhel_08_020250 or - rhel_08_020290 - tags: - - always - -- name: "PRELIM | Gather interactive user ID min" - block: - - name: "PRELIM | Gather interactive user ID min" - ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel8stig_min_uid - - - name: "PRELIM | Gather interactive user ID max" - ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel8stig_max_uid - - - name: "PRELIM | Setting the fact" - ansible.builtin.set_fact: - rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" - rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" - tags: - - always - - name: "PRELIM | Gather the package facts" ansible.builtin.package_facts: manager: auto tags: - always -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - always - - goss_template - -- name: PRELIM | set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} - 
rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - - name: "PRELIM | set fact if UEFI boot | Oracle Linux" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/redhat - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution == 'OracleLinux' - - - name: "PRELIM | set if not UEFI boot" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/grub2/ - rhel8stig_legacy_boot: true - when: not rhel8_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel8stig_bootloader_path }}" - - "legacy boot equals {{ rhel8stig_legacy_boot }}" - tags: - - always - -- name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | REHL-08-020028 | If using selinux set up system prereqs" +- name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | RHEL-08-020028 | If using selinux set up system prereqs" block: - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils" ansible.builtin.package: @@ -438,7 +441,7 @@ ansible.builtin.file: path: "{{ rhel8stig_pam_faillock.dir }}" state: directory - mode: 0755 + mode: '0755' owner: root group: root recurse: true diff --git a/vars/audit.yml b/vars/audit.yml index 89e61a84..2802b3e6 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
@@ -15,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}_rh8" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing @@ -36,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} From 69908d1a7b13e719a5c0a850b5555926610474ee Mon Sep 17 00:00:00 2001 
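Review bot: `pre_audit_outfile` and `post_audit_outfile` now expand `audit_log_dir`, but this hunk only removes `audit_out_dir` and defines nothing in its place, so unless `audit_log_dir` is declared in `defaults/main.yml` the first pre-remediation audit fails with an undefined-variable error; the `audit_results` text in the next hunk references it as well. A guarded form, `pre_audit_outfile: "{{ audit_log_dir | default(audit_conf_dest | default('/opt')) }}/…"`, or an explicit assert in the audit setup tasks that `audit_log_dir` is defined, makes the dependency visible. The comment `# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected` reads ambiguously; `# Where the goss audit configuration is checked out; the directory name must be <benchmark>-Audit` states the constraint.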
From: Mark Bolwell Date: Fri, 24 May 2024 11:59:38 +0100 Subject: [PATCH 190/202] updated conditional 040260 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3f3e96ae..71c5664b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7015,6 +7015,7 @@ sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 + - rhel8stig_ipv6_required - not rhel8stig_system_is_router tags: - RHEL-08-040260 From 5750a672ab5a2406f4f1272cbafa2dcc5d5b368b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 May 2024 16:52:02 +0100 Subject: [PATCH 191/202] 040230 updated Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 71c5664b..542acc05 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6779,7 +6779,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." block: - name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances" - ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040230_conflicting_settings 
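Review bot: The new grep pattern leaves the dots in `net.ipv4.icmp_echo_ignore_broadcasts` unescaped, so in a basic regex each matches any character; the same applies to `regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.*` in the following hunk, where `state: absent` then deletes every line starting with that key, including an already-correct `= 1` line in a drop-in file the audit task only flagged because it also contained a `= 0`. Escaping the key and keeping the value in the removal pattern, `grep -rs "net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0"` and `regexp: ^net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0`, limits the deletion to what was actually found conflicting. `\s` is a GNU grep extension, fine on RHEL 8 but worth a short comment on the shell line. The enclosing block continues outside both hunks.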
@@ -6787,7 +6787,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: net.ipv4.icmp_echo_ignore_broadcasts = [^1] + regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.* state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" when: rhel_08_040230_conflicting_settings.stdout | length > 0 @@ -6795,11 +6795,12 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts - value: 0 + value: 1 state: present reload: "{{ rhel8stig_sysctl_reload }}" sysctl_set: true sysctl_file: "{{ rhel8stig_sysctl_file }}" + when: - rhel_08_040230 tags: From 7e766179422d086e0c16e54f79622a3dbea8af83 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 May 2024 17:13:32 +0100 Subject: [PATCH 192/202] updated conditional sysctl improvements Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 100 +++++++++++++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 26 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 542acc05..2d85ee7b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1260,7 +1260,9 @@ regexp: '^kernel.kexec_load_disabled = 0' state: absent loop: "{{ rhel_08_010372_conflicting_settings.stdout_lines }}" - when: rhel_08_010372_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010372_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file when: - rhel_08_010372 tags: 
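Review bot: The new guard `item != rhel8stig_sysctl_file` is a plain string comparison against the path grep printed, so the managed file is only excluded when `rhel8stig_sysctl_file` is spelled exactly as the glob expands it; a value with a trailing `/`, a relative spelling or a symlinked path would not match and that file would still be rewritten. Both sides are target-host paths, so a controller-side filter such as `realpath` would not help; a comment next to the loop, `# exact-string match: rhel8stig_sysctl_file must be an absolute path with no trailing slash`, or an assert on its form in the prelim tasks, makes the requirement explicit. The same guard is added in every sysctl hunk of this commit through RHEL-08-040286, so one fix covers all of them. The surrounding block's own `when: - rhel_08_010372` continues outside the hunk.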
@@ -1286,7 +1288,9 @@ regexp: '^fs.protected_symlinks = 0' state: absent loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" - when: rhel_08_010373_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010373_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" ansible.posix.sysctl: @@ -1321,7 +1325,9 @@ regexp: '^fs.protected_hardlinks = 0' state: absent loop: "{{ rhel_08_010374_conflicting_settings.stdout_lines }}" - when: rhel_08_010374_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010374_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." ansible.posix.sysctl: @@ -1610,7 +1616,9 @@ regexp: "kernel.randomize_va_space = [^2]" state: absent loop: "{{ rhel_08_010430_conflicting_settings.stdout_lines }}" - when: rhel_08_010430_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010430_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" ansible.posix.sysctl: @@ -2263,7 +2271,9 @@ regexp: kernel.core_pattern\s*=\s*.*(? 0 + when: + - rhel_08_010671_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." ansible.posix.sysctl: 
@@ -6683,7 +6693,9 @@ regexp: net.ipv4.conf.default.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}" - when: rhel_08_040209_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040209_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6718,7 +6730,9 @@ regexp: net.ipv6.conf.default.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040210_conflicting_settings.stdout_lines }}" - when: rhel_08_040210_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040210_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6755,7 +6769,9 @@ regexp: net.ipv4.conf.all.send_redirects = [^0] state: absent loop: "{{ rhel_08_040220_conflicting_settings.stdout_lines }}" - when: rhel_08_040220_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040220_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" ansible.posix.sysctl: 
@@ -6790,7 +6806,9 @@ regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.* state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" - when: rhel_08_040230_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040230_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl: @@ -6826,7 +6844,9 @@ regexp: net.ipv4.conf.all.accept_source_route = [^0] state: absent loop: "{{ rhel_08_040239_conflicting_settings.stdout_lines }}" - when: rhel_08_040239_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040239_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" ansible.posix.sysctl: @@ -6897,7 +6917,9 @@ regexp: net.ipv4.conf.default.accept_source_route = [^0] state: absent loop: "{{ rhel_08_040249_conflicting_settings.stdout_lines }}" - when: rhel_08_040249_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040249_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" ansible.posix.sysctl: @@ -6968,7 +6990,9 @@ regexp: net.ipv4.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}" - when: rhel_08_040259_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040259_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" ansible.posix.sysctl: 
@@ -7004,7 +7028,9 @@ regexp: net.ipv6.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040260_conflicting_settings.stdout_lines }}" - when: rhel_08_040260_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040260_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" ansible.posix.sysctl: @@ -7041,7 +7067,9 @@ regexp: net.ipv6.conf.all.accept_ra = [^0] state: absent loop: "{{ rhel_08_040261_conflicting_settings.stdout_lines }}" - when: rhel_08_040261_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040261_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" ansible.posix.sysctl: @@ -7078,7 +7106,9 @@ regexp: net.ipv6.conf.default.accept_ra = [^0] state: absent loop: "{{ rhel_08_040262_conflicting_settings.stdout_lines }}" - when: rhel_08_040262_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040262_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" ansible.posix.sysctl: @@ -7115,7 +7145,9 @@ regexp: net.ipv4.conf.default.send_redirects = [^0] state: absent loop: "{{ rhel_08_040270_conflicting_settings.stdout_lines }}" - when: rhel_08_040270_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040270_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" ansible.posix.sysctl: 
@@ -7150,7 +7182,9 @@ regexp: net.ipv4.conf.all.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040279_conflicting_settings.stdout_lines }}" - when: rhel_08_040279_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040279_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: @@ -7185,7 +7219,9 @@ regexp: net.ipv6.conf.all.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040280_conflicting_settings.stdout_lines }}" - when: rhel_08_040280_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040280_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: @@ -7221,7 +7257,9 @@ regexp: kernel.unprivileged_bpf_disabled = [^1] state: absent loop: "{{ rhel_08_040281_conflicting_settings.stdout_lines }}" - when: rhel_08_040281_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040281_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" ansible.posix.sysctl: 
@@ -7245,7 +7283,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." block: - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances" - ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040282_conflicting_settings @@ -7253,10 +7291,12 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: kernel.yama.ptrace_scope = [^1] + regexp: kernel.yama.ptrace_scope.* state: absent loop: "{{ rhel_08_040282_conflicting_settings.stdout_lines }}" - when: rhel_08_040282_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040282_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" ansible.posix.sysctl: @@ -7291,7 +7331,9 @@ regexp: kernel.kptr_restrict = [^1] state: absent loop: "{{ rhel_08_040283_conflicting_settings.stdout_lines }}" - when: rhel_08_040283_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040283_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" ansible.posix.sysctl: 
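Review bot: The new grep pattern `kernel.yama.ptrace_scope\s*=\s*1` selects files where ptrace_scope is already set to 1, the value RHEL-08-040282 requires, while files carrying `= 0` are no longer found; the old `[^1]` pattern and the analogous `\s*=\s*0` rewrite for RHEL-08-040230 earlier on this page both target the non-compliant value, so this looks inverted unless the sysctl task outside the hunk sets something other than 1. Combined with the widened `regexp: kernel.yama.ptrace_scope.*` in the next hunk, the effect would be to delete compliant drop-in lines and leave conflicting ones in place. `grep -rs "kernel\.yama\.ptrace_scope\s*=\s*0"` keeps the original intent with the new whitespace tolerance and matches the 040230 form. The unanchored removal regexp also matches commented-out lines; `^kernel\.yama\.ptrace_scope\s*=\s*0` is tighter.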
@@ -7326,7 +7368,9 @@ regexp: user.max_user_namespaces = [^0] state: absent loop: "{{ rhel_08_040284_conflicting_settings.stdout_lines }}" - when: rhel_08_040284_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040284_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" ansible.posix.sysctl: @@ -7361,7 +7405,9 @@ regexp: net.ipv4.conf.all.rp_filter = [^1] state: absent loop: "{{ rhel_08_040285_conflicting_settings.stdout_lines }}" - when: rhel_08_040285_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040285_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" ansible.posix.sysctl: @@ -7396,7 +7442,9 @@ regexp: net.core.bpf_jit_harden = [^2] state: absent loop: "{{ rhel_08_040286_conflicting_settings.stdout_lines }}" - when: rhel_08_040286_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040286_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" ansible.posix.sysctl: From 88767b89faa060d77c4c1783e551c127340fa43a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 09:49:32 +0100 Subject: [PATCH 193/202] updated to 010070 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 42 ++++++------------------------------------ 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2d85ee7b..7f2c93b5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -192,42 +192,12 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - block: - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info" - ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_08_010070_info_set_rsyslog - - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv" - ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_08_010070_authpriv_set_rsyslog - - - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: ^(?!#).*\/var\/log\/secure - line: 'auth.*;authpriv.*;daemon.* /var/log/secure' - create: true - mode: '0644' - when: - - rhel_08_010070_info_set_rsyslog.stdout == 0 - - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 - - - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - backrefs: true - regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) - line: \1authpriv.*\2/var/log/secure - create: true - mode: '0644' - when: - - rhel_08_010070_info_set_rsyslog.stdout | length > 0 - - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 - + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: ^(?!#).*\/var\/log\/secure + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' + create: true + mode: '0644' notify: restart rsyslog when: - rhel_08_010070 From 196898d4f7167a1ae70d6ca41f7b30403c38d914 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 17:43:54 +0100 Subject: [PATCH 194/202] added OS_ver variable 
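Review bot: The simplified task keeps `create: true` on `/etc/rsyslog.conf`, so on a host without rsyslog the play would create a config file consisting of the single `auth.*;authpriv.*;daemon.* /var/log/secure` line and the `notify: restart rsyslog` handler would then fail on a missing service; since `package_facts` is gathered in the prelim tasks, adding `- "'rsyslog' in ansible_facts.packages"` to the `when:` list (or dropping `create: true`) avoids that. `lineinfile` also replaces only the last line matching `^(?!#).*\/var\/log\/secure`, so a file with several non-comment rules routing to `/var/log/secure` keeps the others untouched; if that is accepted, a comment on the `regexp:` line saying so would help the next reader. The task's `when:` list continues outside the hunk.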
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d9af9eae..8ac23fc6 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -13,6 +13,7 @@ rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} +OS_ver: {{ ansible_distribution_version }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long From f5651dd2e5600974eaf591791700082fdff525be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 17:48:21 +0100 Subject: [PATCH 195/202] added updated variable Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8ac23fc6..ff70c46d 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -11,9 +11,9 @@ gpg_keys: {% endfor %} rpm_gpg_key: {{ rpm_gpg_key }} -rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} +rhel8stig_os_version_pre_8_2: {% if ansible_facts.distribution_version >= '8.2' %}false{% else %}true{% endif %} -OS_ver: {{ ansible_distribution_version }} +OS_ver: {{ ansible_facts.distribution_version }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long From efddae6e3d851eac9dfc0cc20ebed3743b101f4d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 17:57:49 +0100 Subject: [PATCH 196/202] added updated variable 
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ff70c46d..21244faf 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -11,9 +11,9 @@ gpg_keys: {% endfor %} rpm_gpg_key: {{ rpm_gpg_key }} -rhel8stig_os_version_pre_8_2: {% if ansible_facts.distribution_version >= '8.2' %}false{% else %}true{% endif %} +rhel8stig_os_version_pre_8_2: {% if ansible_facts['distribution_version'] is version('8.1', '<=') %}true{% else %}false{% endif %} -OS_ver: {{ ansible_facts.distribution_version }} +OS_ver: {{ ansible_facts['distribution_version'] }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long From 2a00e98aba58262d8b52931596f476c8cf0c8622 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 18:00:02 +0100 Subject: [PATCH 197/202] improved ansible facts variables Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 21244faf..d66b1045 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -2,7 +2,7 @@ ## metadata for Audit benchmark benchmark_version: {{ benchmark_version }} -rhel8stig_os_distribution: {{ ansible_distribution | lower }} +rhel8stig_os_distribution: {{ ansible_facts['distribution'] | lower }} gpg_keys: {% for info in gpg_keys %} From 0e30a66fe734a9b1cd2519f47fb4c666f7bf6b6c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 09:25:44 +0100 Subject: [PATCH 198/202] updated 10471 based on OS version Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
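Review bot: `is version('8.1', '<=')` expresses "before 8.2" indirectly and misfires on distributions that report a third component (a CentOS-style `8.1.1911` compares greater than `8.1` and is classed as not pre-8.2); `{% if ansible_facts['distribution_version'] is version('8.2', '<') %}true{% else %}false{% endif %}` says the same thing directly and maps straight onto the variable name `rhel8stig_os_version_pre_8_2`. The move away from plain string comparison is the substantive fix, since `'8.10' >= '8.2'` is false as strings; a short comment `# version test, not string compare: 8.10 sorts after 8.2` would stop someone reverting it. `OS_ver` is the only upper-case key in the rendered vars file; if the goss side allows it, `os_ver` matches the surrounding keys.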
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d66b1045..472b4ffc 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -408,7 +408,7 @@ RHEL_08_010292: {{ rhel_08_010292 }} RHEL_08_010375: {{ rhel_08_010375 }} RHEL_08_010376: {{ rhel_08_010376 }} RHEL_08_010440: {{ rhel_08_010440 }} -RHEL_08_010471: {{ rhel_08_010471 }} +RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '<=') %}true{% else %}false{% endif %} # Only runs if 8.4 or less RHEL_08_010540: {{ rhel_08_010540 }} RHEL_08_010541: {{ rhel_08_010541 }} RHEL_08_010542: {{ rhel_08_010542 }} From 95d876d5fd5825ab9b15d64a34eea7af159abc7e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 13:27:24 +0100 Subject: [PATCH 199/202] removed dupe line Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 53419862..2bb4fb03 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -898,7 +898,6 @@ rhel8stig_existing_zone_to_copy: public # http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel8stig_white_list_services: - - ssh - ssh - http - https From 426bb02ce7d186c427d0250ee2c94c9a5442d33c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 13:29:47 +0100 Subject: [PATCH 200/202] removed dupe lines Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2bb4fb03..2169f0e1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -879,7 +879,6 @@ rhel8stig_ntp_server_name: 0.us.pool.ntp.mil rhel8stig_fapolicy_white_list: - 'deny_audit perm=any pattern=ld_so : all' - 'deny perm=any all : all' - - 'deny perm=any all : all' # RHEL-08-040090 # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone 
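Review bot: `RHEL_08_010471` is now computed purely from the OS version and the role toggle `rhel_08_010471` no longer reaches the goss vars, so an operator who disables the control in `defaults/main.yml` still has the audit run it and report a mismatch against remediation that was skipped; the two hunks of "improved logic on 20104 and 10471" below rework the comparison but drop `rhel_08_020104` and `rhel_08_010471` in the same way. Keeping both conditions, `RHEL_08_010471: {% if rhel_08_010471 and ansible_facts['distribution_version'] is version('8.4', '<') %}true{% else %}false{% endif %}` (and `rhel_08_020104 and … is version('8.4', '>=')` for 020104), preserves the operator's choice alongside the version gate. The trailing `# Only runs if …` text becomes a YAML comment in the rendered file, which is fine, but `# applies to RHEL < 8.4 only; see rhel_08_010471` would also name the toggle.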
@@ -893,9 +892,6 @@ rhel8stig_existing_zone_to_copy: public # RHEL-08-040090 # This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules # rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone -# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules -# rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone -# http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel8stig_white_list_services: - ssh From e47a1eb57e4b8febf406cd9691253869936575d9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 16:06:47 +0100 Subject: [PATCH 201/202] improved logic on 20104 and 10471 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 472b4ffc..bbb1c773 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -226,7 +226,7 @@ RHEL_08_020100: {{ rhel_08_020100 }} RHEL_08_020101: {{ rhel_08_020101 }} RHEL_08_020102: {{ rhel_08_020102 }} RHEL_08_020103: {{ rhel_08_020103 }} -RHEL_08_020104: {{ rhel_08_020104 }} +RHEL_08_020104: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}true{% else %}false{% endif %} # Only runs if 8.4 or greater RHEL_08_020110: {{ rhel_08_020110 }} RHEL_08_020120: {{ rhel_08_020120 }} RHEL_08_020130: {{ rhel_08_020130 }} 
@@ -408,7 +408,7 @@ RHEL_08_010292: {{ rhel_08_010292 }} RHEL_08_010375: {{ rhel_08_010375 }} RHEL_08_010376: {{ rhel_08_010376 }} RHEL_08_010440: {{ rhel_08_010440 }} -RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '<=') %}true{% else %}false{% endif %} # Only runs if 8.4 or less +RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}false{% else %}true{% endif %} # Only runs if 8.3 or less RHEL_08_010540: {{ rhel_08_010540 }} RHEL_08_010541: {{ rhel_08_010541 }} RHEL_08_010542: {{ rhel_08_010542 }} From cbf87b967d5adde50037babec7f432b4369a545d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 16:10:40 +0100 Subject: [PATCH 202/202] lint update Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7f2c93b5..50effba0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6664,8 +6664,8 @@ state: absent loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}" when: - - rhel_08_040209_conflicting_settings.stdout | length > 0 - - item != rhel8stig_sysctl_file + - rhel_08_040209_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6777,8 +6777,8 @@ state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" when: - - rhel_08_040230_conflicting_settings.stdout | length > 0 - - item != rhel8stig_sysctl_file + - rhel_08_040230_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl: