diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..84807cde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.4.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.20.2 hooks: - id: ansible-lint name: Ansible-lint diff --git a/Changelog.md b/Changelog.md index 249241bd..9dd2c8df 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to RHEL8STIG +## 3.0.3 - Stig V1R11 - 26th July 2023 +q +- updates to collections since galaxy updated +- updates to audit + +- #229 thanks to @JacobBuskirk + ## 3.0.2 - Stig V1R11 - 26th July 2023 - workflow and pipeline updates diff --git a/README.md b/README.md index 7436dc28..8e66d0fa 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) diff --git a/ansible.cfg b/ansible.cfg index dbe143da..8b4596ec 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -18,6 +18,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp +ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [accelerate] diff --git a/collections/requirements.yml b/collections/requirements.yml index 23596ec0..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -2,7 +2,13 @@ collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index e60a576d..4efc7f89 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -484,6 +484,9 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +# Set the file that sysctl should write to +rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf + # Whether or not system uses remote automounted home directories via autofs rhel8stig_autofs_remote_home_dirs: false diff --git a/handlers/main.yml b/handlers/main.yml index e7f323d7..3e6ff61d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -5,16 +5,6 @@ when: - not system_is_container -- name: update sysctl - ansible.builtin.template: - src: 99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf - owner: root - group: root - mode: 0644 - notify: sysctl system - when: "'procps-ng' in ansible_facts.packages" - - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4ef8469f..c8222b8e 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -7,7 +7,7 @@ owner: root group: root checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' 
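Review bot: The added `ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` in `[ssh_connection]` turns off SSH host-key verification for every host this ansible.cfg is used against, so a connection that is redirected to a different machine is accepted silently and the role's authentication and remediation go to that machine instead. Together with the `record_host_keys=False` context line there is no trust-on-first-use record at all. If this is only needed for throwaway CI or test machines, keep it out of the repository-wide config and set it on the test inventory group instead, e.g. `ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'`, which still pins the key after first contact.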
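Review bot: The three new `source:` / `type: git` entries in collections/requirements.yml carry no `version:`, so `ansible-galaxy collection install -r` clones the default-branch head of each repository and the collection code the role runs differs from install to install and cannot be reconstructed afterwards. Pin each entry, e.g. `version: <release tag>` under each `source:` line, and bump the pin deliberately; the previous Galaxy entries at least resolved to a released, versioned artifact. If floating is intended, a comment above `collections:` should say so, `# Unpinned on purpose: tracks upstream default branch`.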
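Review bot: Hosts remediated with an earlier release still carry `/etc/sysctl.d/99-sysctl.conf` (the path written by the `update sysctl` handler that this commit removes from handlers/main.yml), and nothing in the diff removes or migrates it when the role switches to `rhel8stig_sysctl_file`. Both files are read by `sysctl --system`, so values from the old file keep being applied even for controls later disabled in this role; presumably harmless today since both carry the same hardening values, but a guarded cleanup task such as `ansible.builtin.file: {path: /etc/sysctl.d/99-sysctl.conf, state: absent}` avoids the drift. A comment above the new default would also help readers find where the settings went, `# Target file for the per-control ansible.posix.sysctl tasks (replaces the former 99-sysctl.conf template)`.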
@@ -15,8 +15,8 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 owner: root group: root + mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a651125f..41eada91 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1202,10 +1202,13 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." block: - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kexec_load_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances" ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 
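Review bot: `sysctl_set: true` makes `ansible.posix.sysctl` write the value to the running kernel with `sysctl -w` independently of `reload`, so on a container, where `rhel8stig_sysctl_reload` is false (presumably because /proc/sys is not writable there), the task now fails instead of only updating the file; gate it the same way, `sysctl_set: "{{ rhel8stig_sysctl_reload }}"`. The same applies to every `ansible.posix.sysctl` task this commit introduces in fix-cat2.yml and fix-cat3.yml. Separately, the task name here and in the RHEL-08-010430, 010671 and 040209 through 040286 tasks still ends in `| Use template to create file` although no template is involved any more; the RHEL-08-010373 hunk already uses `| Set sysctl`, which fits all of them. The enclosing block continues outside the hunk.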
@@ -1247,11 +1250,14 @@ loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" when: rhel_08_010373_conflicting_settings.stdout | length > 0 - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" + ansible.posix.sysctl: + name: fs.protected_symlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010373 tags: @@ -1280,10 +1286,13 @@ when: rhel_08_010374_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: fs.protected_hardlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010374 tags: 
@@ -1566,10 +1575,13 @@ when: rhel_08_010430_conflicting_settings.stdout | length > 0 - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.randomize_va_space + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010430 tags: @@ -2224,10 +2236,13 @@ when: rhel_08_010671_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.core_pattern + value: "|/bin/false" + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010671 tags: @@ -3340,7 +3355,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) tmux ;; esac + case "$name" in (sshd|login) exec tmux ;; esac fi create: true when: 
@@ -6615,10 +6630,13 @@ when: rhel_08_040209_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040209 tags: @@ -6647,10 +6665,13 @@ when: rhel_08_040210_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040210 @@ -6681,10 +6702,13 @@ when: rhel_08_040220_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040220 tags: 
@@ -6713,10 +6737,13 @@ when: rhel_08_040230_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040230 tags: @@ -6745,10 +6772,13 @@ when: rhel_08_040239_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040239 tags: @@ -6777,10 +6807,13 @@ when: rhel_08_040240_conflicting_settings.stdout |length > 0 - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040240 - rhel8stig_ipv6_required 
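Review bot: `net.ipv4.icmp_echo_ignore_broadcasts` is given `value: 0` in the RHEL-08-040230 task, which enables replies to broadcast echoes — the opposite of what the task name and the control require, and of the `net.ipv4.icmp_echo_ignore_broadcasts = 1` line in templates/99-sysctl.conf.j2 that this commit deletes. With `sysctl_set: true` the inverted value is applied live as well as written to `rhel8stig_sysctl_file`, so a previously compliant host regresses on this control. Change it to `value: 1`; the preceding "Find conflicting instances" grep for this control (outside the hunk) is worth checking for the same inversion.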
@@ -6810,10 +6843,13 @@ when: rhel_08_040249_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040249 tags: @@ -6842,10 +6878,13 @@ when: rhel_08_040250_conflicting_findings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040250 - rhel8stig_ipv6_required @@ -6875,10 +6914,13 @@ when: rhel_08_040259_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040259 - not rhel8stig_system_is_router 
@@ -6908,10 +6950,13 @@ when: rhel_08_040260_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 - not rhel8stig_system_is_router @@ -6941,10 +6986,13 @@ when: rhel_08_040261_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040261 - rhel8stig_ipv6_required @@ -6975,10 +7023,13 @@ when: rhel_08_040262_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040262 - rhel8stig_ipv6_required 
@@ -7009,10 +7060,13 @@ when: rhel_08_040270_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040270 tags: @@ -7041,10 +7095,13 @@ when: rhel_08_040279_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040279 tags: @@ -7073,10 +7130,13 @@ when: rhel_08_040280_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040280 - rhel8stig_ipv6_required 
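Review bot: The RHEL-08-040279 task sets `net.ipv4.conf.all.send_redirects`, but the control is about ignoring received redirects; the deleted template had `net.ipv4.conf.all.accept_redirects = 0` for this control, and `send_redirects` on `all` is already handled by the RHEL-08-040220 task. As written, `net.ipv4.conf.all.accept_redirects` is no longer set anywhere in the new code, so IPv4 ICMP redirects keep being accepted on all interfaces after this commit. Change the key to `name: net.ipv4.conf.all.accept_redirects`; the `value: 0` is correct.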
@@ -7106,10 +7166,13 @@ when: rhel_08_040281_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.unprivileged_bpf_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040281 tags: @@ -7138,10 +7201,13 @@ when: rhel_08_040282_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040282 tags: @@ -7170,10 +7236,13 @@ when: rhel_08_040283_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kptr_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040283 tags: 
@@ -7202,10 +7271,13 @@ when: rhel_08_040284_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: user.max_user_namespaces + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040284 tags: @@ -7234,10 +7306,13 @@ when: rhel_08_040285_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.rp_filter + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040285 tags: @@ -7266,10 +7341,13 @@ when: rhel_08_040286_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.core.bpf_jit_harden + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040286 tags: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 39c12a56..66c817ca 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -49,10 +49,13 @@ when: rhel_08_010375_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.dmesg_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010375 tags: @@ -81,10 +84,13 @@ when: rhel_08_010376_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.perf_event_paranoid + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010376 tags: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664e..fa9614b6 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,24 +1,16 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: 0644 - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" - - name: Post Audit | Capture audit data if json format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit @@ -34,6 +26,15 @@ - name: Post Audit | Capture audit data if documentation format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Post Audit | capture data {{ post_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit 
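Review bot: The relocated `ansible.builtin.shell` command interpolates `{{ audit_vars_path }}`, `{{ post_audit_outfile }}` and the list-valued `{{ group_names }}` unquoted; the list renders with brackets and quotes, and any path containing whitespace or shell metacharacters is split or interpreted instead of being passed as one argument. Passing each value through the `quote` filter, e.g. `-o {{ post_audit_outfile | quote }}`, and joining the groups explicitly with whatever separator run_audit.sh expects keeps the command shape fixed regardless of inventory content. The same command appears in the documentation block of this file and in both blocks of tasks/pre_remediation_audit.yml. Now that the run lives inside the two format-specific blocks, an `audit_format` value matching neither block (the json block's `when` is outside this hunk, so this is inferred) skips the audit entirely while the later `state: file` task still expects the output file to exist.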
@@ -44,3 +45,12 @@ post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" + +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index fc9ed887..290170d6 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: @@ -15,19 +16,11 @@ - name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit Setup | Install git (rh8 python3) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) - ansible.builtin.package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' + when: "'git' not in ansible_facts.packages" - name: Pre Audit Setup | retrieve audit content files from git ansible.builtin.git: @@ -68,9 +61,8 @@ - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists when: - run_audit 
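Review bot: The moved `ensure audit files readable by users` task keeps `mode: '0644'` on both audit reports, which makes the list of failing STIG controls on the host readable by every local account. If the reports are consumed only by root or the Ansible user, `mode: '0640'` with explicit `owner:` and `group:` is sufficient; if they really must be world-readable, a comment naming the consumer, `# Reports are read by unprivileged users via <consumer> — keep 0644`, would justify the choice. `state: file` also fails when `pre_audit_outfile` was never produced (for example when the pre-audit run was skipped), so a `when` on the file existing may be needed.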
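Review bot: The new guard `when: "'git' not in ansible_facts.packages"` on the git install task fails with an undefined variable if `ansible.builtin.package_facts` has not run before this block; where the facts are gathered is not visible in the hunk (the handler in handlers/main.yml uses the same fact, so it is probably gathered in main). Since `ansible.builtin.package` with `state: present` is idempotent on its own, the guard only saves a package-manager call; either drop it or make the dependency tolerant, `when: "'git' not in ansible_facts.packages | default({})"`. The enclosing block continues outside the hunk.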
@@ -78,22 +70,22 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: - goss_template -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - name: Pre Audit | Capture audit data if json format block: + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit @@ -109,6 +101,15 @@ - name: Pre Audit | Capture audit data if documentation format block: + + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 deleted file mode 100644 index 3958c9f2..00000000 --- a/templates/99-sysctl.conf.j2 +++ /dev/null 
@@ -1,153 +0,0 @@ -# sysctl settings are defined through files in -# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. -# -# Vendors settings live in /usr/lib/sysctl.d/. -# To override a whole file, create a new file with the same in -# /etc/sysctl.d/ and put new settings there. To override -# only specific settings, add a file with a lexically later -# name in /etc/sysctl.d/ and put new settings there. -# -# For more information, see sysctl.conf(5) and sysctl.d(5). - -# sysctl file Added via stig ansible remediation -# Each line is added if set - -{% if rhel_08_010372 %} -# RHEL-08-010372 -kernel.kexec_load_disabled = 1 -{% endif %} - -{% if rhel_08_010373 %} -# RHEL-08-010373 -fs.protected_symlinks = 1 -{% endif %} - -{% if rhel_08_010374 %} -# RHEL-08-010374 -fs.protected_hardlinks = 1 -{% endif %} - -{% if rhel_08_010375 %} -# RHEL-08-010375 -kernel.dmesg_restrict = 1 -{% endif %} - -{% if rhel_08_010376 %} -# RHEL-08-010376 -kernel.perf_event_paranoid = 2 -{% endif %} - -{% if rhel_08_010430 %} -# RHEL-08-010430 -kernel.randomize_va_space = 2 -{% endif %} - -{% if rhel_08_010671 %} -# RHEL-08-010671 -kernel.core_pattern = |/bin/false -{% endif %} - -{% if rhel_08_040209 %} -# RHEL-08-040209 -net.ipv4.conf.default.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040210 and rhel8stig_ipv6_required %} -# RHEL-08-040210 -net.ipv6.conf.default.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040220 %} -# RHEL-08-040220 -net.ipv4.conf.all.send_redirects = 0 -{% endif %} - -{% if rhel_08_040230 %} -# RHEL-08-040230 -net.ipv4.icmp_echo_ignore_broadcasts = 1 -{% endif %} - -{% if rhel_08_040239 %} -# RHEL-08-040239 -net.ipv4.conf.all.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040240 %} -# RHEL-08-040240 -net.ipv6.conf.all.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040249 %} -# RHEL-08-040249 -net.ipv4.conf.default.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040250 and rhel8stig_ipv6_required %} -# RHEL-08-040250 
-net.ipv6.conf.default.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040259 and not rhel8stig_system_is_router %} -# RHEL-08-040259 -net.ipv4.conf.all.forwarding = 0 -{% endif %} - -{% if rhel_08_040260 and not rhel8stig_system_is_router %} -# RHEL-08-040260 -net.ipv6.conf.all.forwarding = 0 -{% endif %} - -{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} -# RHEL-08-040261 -net.ipv6.conf.all.accept_ra = 0 -{% endif %} - -{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} -# RHEL-08-040262 -net.ipv6.conf.default.accept_ra = 0 -{% endif %} - -{% if rhel_08_040270 %} -# RHEL-08-040270 -net.ipv4.conf.default.send_redirects = 0 -{% endif %} - -{% if rhel_08_040279 %} -# RHEL-08-040279 -net.ipv4.conf.all.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040280 and rhel8stig_ipv6_required %} -# RHEL-08-040280 -net.ipv6.conf.all.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040281 %} -# RHEL-08-040281 -kernel.unprivileged_bpf_disabled = 1 -{% endif %} - -{% if rhel_08_040282 %} -# RHEL-08-040282 -kernel.yama.ptrace_scope = 1 -{% endif %} - -{% if rhel_08_040283 %} -# RHEL-08-040283 -kernel.kptr_restrict = 1 -{% endif %} - -{% if rhel_08_040284 %} -# RHEL-08-040284 -user.max_user_namespaces = 0 -{% endif %} - -{% if rhel_08_040285 %} -# RHEL-08-040285 -net.ipv4.conf.all.rp_filter = 1 -{% endif %} - -{% if rhel_08_040286 %} -# RHEL-08-040286 -net.core.bpf_jit_harden = 2 -{% endif %} diff --git a/vars/main.yml b/vars/main.yml index f01c9ff9..92b42958 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -10,7 +10,7 @@ rhel8stig_service_started: "{{ rhel8stig_system_is_chroot | ternary(omit, 'start # !!!!!!!!possibly delete # rhel8stig_systemd_daemon_reload: "{{ not rhel8stig_system_is_chroot }}" -rhel8stig_sysctl_reload: "{{ not rhel8stig_system_is_container }}" +rhel8stig_sysctl_reload: "{{ not system_is_container }}" # these variables are for enabling tasks to run that will be further controled # by check_mode to prevent the remediation task from making changes as