-
Notifications
You must be signed in to change notification settings - Fork 143
Main Variables
RHEL7-STIG Role Variables
As the end user you should only need to adjust the variables found within the defaults/main.yml. These address settings ranging from very high-level role controls to site specific host settings. Please review these before running the role to get a full understanding of what will need to be configured before running this role.
rhel7stig_cat1_patch: true
rhel7stig_cat2_patch: true
rhel7stig_cat3_patch: true
python2_bin: /bin/python2.7
benchmark: RHEL7-STIG'
rhel7stig_setup_audit: false
get_goss_file: download
rhel7stig_run_audit: false
We've defined complexity-high to mean that we cannot automatically remediate the rule in question. In the future this might mean that the remediation may fail in some cases.
rhel7stig_complexity_high: no
Show "changed" for complex items not remediated per complexity-high setting to make them stand out.
"Changed" items on a second run of the role would indicate items requiring manual review.
rhel7stig_audit_complex: yes
We've defined disruption-high to indicate items that are likely to cause disruption in a normal workflow. These items can be remediated automatically but are disabled by default to avoid disruption.
rhel7stig_disruption_high: no
Show "changed" for disruptive items not remediated per disruption-high setting to make them stand out.
rhel7stig_audit_disruptive: yes
Disables controls that fail within travis testing pipelines. Setting to true will skip controls that are not supported with travis.
rhel7stig_skip_for_travis: false
rhel7stig_workaround_for_disa_benchmark: true
rhel7stig_workaround_for_ssg_benchmark: true
rhel7stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
rhel7stig_system_is_container: false
These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group in order for the variables below to take effect.
rhel_07_010010: true
rhel_07_010020: true
rhel_07_010290: true
rhel_07_010300: true
rhel_07_010440: true
rhel_07_010450: true
rhel_07_010480: true
rhel_07_010482: true
rhel_07_010490: true
rhel_07_010491: true
rhel_07_020000: true
rhel_07_020010: true
rhel_07_020050: true
rhel_07_020060: true
rhel_07_020230: true
rhel_07_020231: true
# Not an automated task
rhel_07_020250: true
rhel_07_020310: true
rhel_07_021350: true
rhel_07_021710: true
rhel_07_032000: true
rhel_07_040390: true
rhel_07_040540: true
rhel_07_040550: true
rhel_07_040690: true
rhel_07_040700: true
rhel_07_040800: true
rhel_07_010030: "{{ rhel7stig_gui }}"
rhel_07_010040: "{{ rhel7stig_gui }}"
rhel_07_010050: "{{ rhel7stig_gui }}"
rhel_07_010060: "{{ rhel7stig_gui }}"
rhel_07_010061: "{{ rhel7stig_gui }}"
rhel_07_010062: "{{ rhel7stig_gui }}"
rhel_07_010070: "{{ rhel7stig_gui }}"
rhel_07_010081: "{{ rhel7stig_gui }}"
rhel_07_010082: "{{ rhel7stig_gui }}"
rhel_07_010090: true
rhel_07_010100: "{{ rhel7stig_gui }}"
rhel_07_010101: "{{ rhel7stig_gui }}"
rhel_07_010110: "{{ rhel7stig_gui }}"
rhel_07_010118: true
rhel_07_010119: true
rhel_07_010120: true
rhel_07_010130: true
rhel_07_010140: true
rhel_07_010150: true
rhel_07_010160: true
rhel_07_010170: true
rhel_07_010180: true
rhel_07_010190: true
rhel_07_010200: true
rhel_07_010210: true
rhel_07_010220: true
rhel_07_010230: true
rhel_07_010240: true
rhel_07_010250: true
rhel_07_010260: true
rhel_07_010270: true
rhel_07_010280: true
rhel_07_010310: true
rhel_07_010320: true
rhel_07_010330: true
rhel_07_010340: true
rhel_07_010350: true
rhel_07_010430: true
rhel_07_010460: true
rhel_07_010470: true
rhel_07_010481: true
rhel_07_010500: true
rhel_07_020019: true
rhel_07_020020: true
rhel_07_020030: true
# Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
rhel_07_020040: "{{ rhel7stig_disruption_high }}"
rhel_07_020100: true
rhel_07_020101: true
rhel_07_020110: true
rhel_07_020111: true
rhel_07_020210: true
rhel_07_020220: true
rhel_07_020240: true
rhel_07_020260: true
rhel_07_020270: true
rhel_07_020320: true
rhel_07_020330: true
rhel_07_020600: true
rhel_07_020610: true
rhel_07_020620: true
rhel_07_020630: true
rhel_07_020640: true
rhel_07_020650: true
rhel_07_020660: true
rhel_07_020670: true
rhel_07_020680: true
rhel_07_020690: true
rhel_07_020700: true
rhel_07_020710: true
rhel_07_020720: true
rhel_07_020730: true
rhel_07_020900: true
rhel_07_021000: true
rhel_07_021010: true
rhel_07_021020: true
rhel_07_021021: true
rhel_07_021030: true
rhel_07_021031: true
rhel_07_021040: true
rhel_07_021100: true
rhel_07_021110: true
rhel_07_021120: true
rhel_07_021300: true
rhel_07_021620: true
rhel_07_021700: true
rhel_07_030000: true
rhel_07_030010: true
rhel_07_030201: true
rhel_07_030210: true
rhel_07_030211: true
# if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server
rhel_07_030300: "{{ rhel7stig_audisp_remote_server is defined }}"
rhel_07_030310: true
rhel_07_030320: true
rhel_07_030321: true
rhel_07_030330: true
rhel_07_030340: true
rhel_07_030350: true
rhel_07_030360: true
rhel_07_030370: true
rhel_07_030380: true
rhel_07_030390: true
rhel_07_030400: true
rhel_07_030410: true
rhel_07_030420: true
rhel_07_030430: true
rhel_07_030440: true
rhel_07_030450: true
rhel_07_030460: true
rhel_07_030470: true
rhel_07_030480: true
rhel_07_030490: true
rhel_07_030500: true
rhel_07_030510: true
rhel_07_030520: true
rhel_07_030530: true
rhel_07_030540: true
rhel_07_030550: true
rhel_07_030560: true
rhel_07_030570: true
rhel_07_030580: true
rhel_07_030590: true
rhel_07_030610: true
rhel_07_030620: true
rhel_07_030630: true
rhel_07_030640: true
rhel_07_030650: true
rhel_07_030660: true
rhel_07_030670: true
rhel_07_030680: true
rhel_07_030690: true
rhel_07_030700: true
rhel_07_030710: true
rhel_07_030720: true
rhel_07_030740: true
rhel_07_030750: true
rhel_07_030760: true
rhel_07_030770: true
rhel_07_030780: true
rhel_07_030800: true
rhel_07_030810: true
rhel_07_030819: true
rhel_07_030820: true
rhel_07_030821: true
rhel_07_030830: true
rhel_07_030840: true
rhel_07_030870: true
rhel_07_030871: true
rhel_07_030872: true
rhel_07_030873: true
rhel_07_030874: true
rhel_07_030880: true
rhel_07_030890: true
rhel_07_030900: true
rhel_07_030910: true
rhel_07_030920: true
rhel_07_031000: true
rhel_07_031010: true
rhel_07_040100: true
rhel_07_040110: true
rhel_07_040160: true
rhel_07_040170: true
rhel_07_040180: true
rhel_07_040190: true
rhel_07_040200: true
rhel_07_040201: true
rhel_07_040300: true
rhel_07_040310: true
rhel_07_040320: true
rhel_07_040330: true
rhel_07_040340: true
rhel_07_040350: true
rhel_07_040360: true
rhel_07_040370: true
rhel_07_040380: true
rhel_07_040400: true
rhel_07_040410: true
rhel_07_040420: true
rhel_07_040430: true
rhel_07_040440: true
rhel_07_040450: true
rhel_07_040460: true
rhel_07_040470: true
rhel_07_040500: true
rhel_07_040520: true
rhel_07_040610: true
rhel_07_040611: true
rhel_07_040612: true
rhel_07_040620: true
rhel_07_040630: true
rhel_07_040640: true
rhel_07_040641: true
rhel_07_040650: true
rhel_07_040660: true
rhel_07_040670: true
rhel_07_040680: true
rhel_07_040710: true
rhel_07_040711: true
rhel_07_040720: true
rhel_07_040730: true
rhel_07_040740: true
rhel_07_040750: true
rhel_07_040810: true
rhel_07_040820: true
rhel_07_040830: true
rhel_07_041001: true
rhel_07_041002: true
rhel_07_041003: true
rhel_07_041010: true
rhel_07_910055: true
rhel_07_020200: true
rhel_07_020300: true
rhel_07_021024: true
rhel_07_021310: true
rhel_07_021320: true
rhel_07_021330: true
rhel_07_021340: true
rhel_07_021600: true
rhel_07_021610: true
rhel_07_040000: true
rhel_07_040530: true
rhel_07_040600: true
rhel7stig_gui: false
rhel7stig_always_configure_dconf: no
rhel7stig_smartcard: false
rhel7stig_smartcarddriver: cackey
RHEL_07_020020
Set "selinux_change_users" false to disable this control's actions and just report results.
You will need to adjust the paths for installed HIPS/HBSS for this control.
You will need to map both the local interactive and LDAP groups to map selinux user groups to
if LDAP is not in use, it will ignore the settings below and not attempt to map LDAP users.
rhel_07_020020_selinux_change_users: true
rhel_07_020020_HBSS_path: /opt/McAfee/Agent/bin
rhel_07_020020_HIPS_path: /opt/McAfee/Agent/bin
rhel_07_020020_selinux_ldap_maps: false
rhel_07_020020_selinux_local_interactive_admin_group: wheel
rhel_07_020020_selinux_local_interactive_users_group: users
RHEL-07-020710
Set standard user paths here
Also set whether we should automatically remediate paths in user ini files.
rhel_07_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
rhel7stig_change_user_path: false
rhel_07_020730_WWP_Change: true
RHEL-07-020250
This is a check for a "supported release"
These are the minimum supported releases.
(Red Hat has support for older versions if you pay extra for it.)
rhel7stig_min_supported_os_ver:
RedHat: "7.9"
CentOS: "7.9.2009"
OracleLinux: "7.9"
rhel7stig_system_is_router: no
RHEL-07-032000
Install and enable a DOD-approved AV program. ClamAV and McAfee (nails)
are the currently approved applications. This variable is used in two separate
tasks that will install the package and start and enable the service.
Only set this to true if you have a valid
antivirus solution in your repositories, else it will fail every time.
rhel7stig_antivirus_required: no
rhel7stig_av_package:
package:
- clamav
- clamav-scanner
- clamav-server
service: clamav-daemon
rhel7stig_time_service: chronyd
rhel7stig_time_service_configs:
chronyd:
conf: /etc/chrony.conf
block: |
server 0.rhel.pool.ntp.org iburst maxpoll 10
server 1.rhel.pool.ntp.org iburst maxpoll 10
server 2.rhel.pool.ntp.org iburst maxpoll 10
server 3.rhel.pool.ntp.org iburst maxpoll 10
ntpd:
conf: /etc/ntp.conf
lines:
- regexp: ^#?maxpoll
line: maxpoll 10
rhel7stig_firewall_service: firewalld
The toggle to start the firewall service. Set to true the role will start the service for you where needed
rhel7stig_start_firewall_service: true
rhel7stig_system_is_log_aggregator: false
rhel7stig_use_FIPS: true
fips_value: fips=0
rhel7stig_FIPS_ciphers: aes256-ctr,aes192-ctr,aes128-ctr
rhel7stig_FIPS_MACs: hmac-sha2-512,hmac-sha2-256
rhel7stig_ssh_required: yes
rhel7stig_ssh_ciphers: "{{ rhel7stig_FIPS_ciphers }}"
rhel7stig_ssh_macs: "{{ rhel7stig_FIPS_MACs }}"
rhel7stig_vsftpd_required: no
rhel7stig_tftp_required: no
rhel7stig_autofs_required: false
rhel7stig_kdump_required: false
rhel7stig_snmp_community: Endgam3Ladyb0g
whether to force role-specified packages to be installed regardless of the
presence of another compliant equivalent
rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
#rhel7stig_bootloader_password: 'Boot1tUp!'
#rhel7stig_bootloader_password_hash: "{{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}"
rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel7stig_boot_superuser: root
rhel7stig_grub_bootloader_validorder: " set root='hd0,msdos1'"
rhel_07_040200_cabundle_path: etc/pki/tls/certs/ca-bundle.crt
rhel7stig_wait_for_aide_init: true
rhel7stig_aide_handler: "{{ (rhel7stig_wait_for_aide_init) | ternary('init aide and wait','init aide') }}"
rhel7stig_overwrite_aide_db: true
rhel7stig_aide_temp_db_file: /var/lib/aide/aide.db.new.gz
rhel7stig_aide_db_file: /var/lib/aide/aide.db.gz
rhel7stig_aide_cron:
user: root
cron_file: aide
job: '/usr/sbin/aide --check'
hour: '5'
minute: '0'
special_time: daily
# Disable the notification check rule to disable mailing notifications
notify_by_mail: "{{ rhel_07_020040 }}"
notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'
rhel7stig_cron_special_disable: "{{
rhel7stig_workaround_for_disa_benchmark or
rhel7stig_workaround_for_ssg_benchmark or
false }}"
rhel7stig_aide_conf:
file: /etc/aide.conf
rhel7stig_maxlogins: 10
rhel7stig_logon_banner: "{{ rhel7stig_workaround_for_disa_benchmark | ternary(
rhel7stig_logon_banner_nice | regex_replace('(?s)(?<!\\n)\\n(?!(\n|$))', ' '),
rhel7stig_logon_banner_nice) }}"
rhel7stig_logon_banner_nice: |
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent
to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.
rhel7stig_password_complexity:
ucredit: -1
lcredit: -1
dcredit: -1
ocredit: -1
difok: 8
minclass: 4
maxrepeat: 3
maxclassrepeat: 4
minlen: 15
RHEL-07-040160
Session timeout setting file (TMOUT setting can be set in multiple files)
Timeout value is in seconds. (60 seconds * 10 = 600)
rhel7stig_shell_session_timeout:
file: /etc/profile.d/tmout.sh
timeout: 600
RHEL-07-040320 | All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. Timeout value is in seconds. (60 seconds * 10 = 600)
rhel7stig_ssh_session_timeout: 600
RHEL-07-020260
Configure regular automatic package updates using yum-cron
update_cmd options:
default = yum upgrade
security = yum --security upgrade
security-severity:Critical = yum --sec-severity=Critical upgrade
minimal = yum --bugfix upgrade-minimal
minimal-security = yum --security upgrade-minimal
minimal-security-severity:Critical = --sec-severity=Critical upgrade-minimal
rhel7stig_auto_package_updates_enabled: no
rhel7stig_auto_package_updates:
enabled: "{{ rhel7stig_auto_package_updates_enabled }}"
update_cmd: "minimal-security"
frequency: daily
By default, files owned by removed users will be retained, but this may trigger RHEL-07-020320 (all files and directories must have a valid owner). Set rhel7stig_remove_unnecessary_user_files to yes to remove old files, but this could remove files you intended to keep. And it's probably best to avoid removing 'dbus', 'nobody', 'systemd-network', and 'polkitd', as they all have home directories of '/' by default.
rhel7stig_unnecessary_accounts:
- ftp
- games
rhel7stig_remove_unnecessary_user_files: no
RHEL-07-010270
pam_pwhistory settings - Verify the operating system prohibits password reuse for a minimum of five generations.
rhel7stig_pam_pwhistory:
remember: 5
retries: 3
RHEL-07-010320
RHEL-07-010330
pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
rhel7stig_pam_faillock:
attempts: 3
interval: 900
unlock_time: 900
fail_for_root: yes
rhel7stig_audisp_disk_full_action: syslog
rhel7stig_audisp_network_failure_action: syslog
rhel7stig_net_promisc_mode_required: no
/etc/login.defs settings
RHEL-07-010210
RHEL-07-010230
RHEL-07-010250
RHEL-07-010430
RHEL-07-020240
RHEL-07-020610
rhel7stig_login_defaults:
encrypt_method: SHA512
pass_min_days: 1
pass_max_days: 60
fail_delay_secs: 4
umask: '077'
create_home: 'yes'
rhel7stig_audisp_remote_server: 10.10.10.10
rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_disk_size_query) | int / 4 / 1024 / 1024 ) | int + 1 }}"
rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]"
rhel7stig_auditd_mail_acct: root
rhel7stig_homedir_mode: g-w,o-rwx
rhel7stig_log_aggregation_server: logagg.example.com
rhel7stig_auth_settings:
use_ldap: yes
use_sssd: yes
rhel7stig_ipsec_required: no
RHEL-07-010340
Setting to enable or disable fixes that depend on password-based authentication
i.e. if users authenticate with a means other than passwords (pubkey)
and will not know or use passwords then this should be 'no'
rhel7stig_using_password_auth: yes
rhel7stig_availability_override: false
auditd_failure_flag
Tells your system to perform an immediate shutdown without flushing any pending data to disk when the limits of your audit system are exceeded. Because this shutdown is not a clean shutdown. Restrict the use of -f 2 to only the most security conscious environments 1 system continues to run, issues a warning and audit stops.Use this for any other setup to avoid loss of data or data corruption.
rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, 2) }}"
rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
rhel7stig_machine_uses_uefi: "{{ rhel_07_sys_firmware_efi.stat.exists }}"
rhel7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
rhel7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
oracle7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
oracle7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
rhel7stig_local_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_local_mounts_query) }}"
rhel7stig_local_mounts_query: "[?starts_with(device, '/dev/')].mount"
rhel7stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_nfs_mounts_query) }}"
rhel7stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"
rhel_07_040600_dns_servers:
- 9.9.9.9
- 149.112.112.112
rhel7stig_int_gid: 1000
Control OL-07-040510
Sets the invalid rate limit for IPv4 connections. Should be set to less than 1000 to conform to STIG standards
ol7stig_ipv4_tcp_invalid_ratelimit: 500
Control OL-07-021031
This control sets all world writable files to be owned by root. To conform to STIG standard all world-writable files must be owned by root or another system account. With this toggle off it will list all world-writable files not owned by system accounts
ol7stig_world_write_files_owner_root: false
'rhel7stig_audit_content: git'
rhel7stig_audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
rhel7stig_audit_git_version: main
#rhel7stig_audit_local_copy: "some path to copy from"
#rhel7stig_audit_files_url: "some url maybe s3?"
rhel7stig_audit_files: "/var/tmp/{{ benchmark }}-Audit/"
goss_version:
release: v0.3.16
checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
#goss_checksum: "checksum_{{ goss_version }}"
goss_path: /usr/local/bin/
goss_bin: "{{ goss_path }}goss"
goss_format: documentation
goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
goss_audit_dir: "/var/tmp/{{ benchmark }}-Audit/"
goss_file: "{{ goss_audit_dir }}goss.yml"
goss_vars_path: "{{ goss_audit_dir }}/vars/{{ ansible_hostname }}.yml"
goss_out_dir: '/var/tmp'
pre_audit_outfile: "{{ goss_out_dir }}/pre_remediation_scan"
post_audit_outfile: "{{ goss_out_dir }}/post_remediation_scan"
Audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ goss_out_dir }}