From 5750a672ab5a2406f4f1272cbafa2dcc5d5b368b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 May 2024 16:52:02 +0100 Subject: [PATCH 01/10] 040230 updated Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 71c5664..542acc0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6779,7 +6779,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." block: - name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances" - ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040230_conflicting_settings @@ -6787,7 +6787,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: net.ipv4.icmp_echo_ignore_broadcasts = [^1] + regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.* state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" when: rhel_08_040230_conflicting_settings.stdout | length > 0 
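Review bot: The new grep in the 040230 "Find conflicting instances" task still goes through `cut -d':' -f1`, so a file holding two non-compliant lines is listed twice and the lineinfile loop runs on it twice; `grep -rls` prints each path once and removes the need for `cut`. The pattern is also unanchored with unescaped dots, so commented-out lines such as `# net.ipv4.icmp_echo_ignore_broadcasts = 0` select their file as well (harmless here only because the replace task's regexp is anchored with `^`). I would use `grep -rls "^[[:space:]]*net\.ipv4\.icmp_echo_ignore_broadcasts[[:space:]]*=[[:space:]]*0" ...` and register that directly. The task block these two hunks belong to continues past the hunk.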
@@ -6795,11 +6795,12 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts - value: 0 + value: 1 state: present reload: "{{ rhel8stig_sysctl_reload }}" sysctl_set: true sysctl_file: "{{ rhel8stig_sysctl_file }}" + when: - rhel_08_040230 tags: From 7e766179422d086e0c16e54f79622a3dbea8af83 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 May 2024 17:13:32 +0100 Subject: [PATCH 02/10] updated conditional sysctl improvements Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 100 +++++++++++++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 26 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 542acc0..2d85ee7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1260,7 +1260,9 @@ regexp: '^kernel.kexec_load_disabled = 0' state: absent loop: "{{ rhel_08_010372_conflicting_settings.stdout_lines }}" - when: rhel_08_010372_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010372_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file when: - rhel_08_010372 tags: @@ -1286,7 +1288,9 @@ regexp: '^fs.protected_symlinks = 0' state: absent loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" - when: rhel_08_010373_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010373_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" ansible.posix.sysctl: 
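Review bot: The `value: 0` → `value: 1` change is the substantive security fix in this series: the previous remediation wrote `net.ipv4.icmp_echo_ignore_broadcasts = 0`, which makes the host answer ICMP echo requests sent to a broadcast address (the amplification behaviour RHEL-08-040230 exists to prevent) while reporting the control as remediated. Because this flips a value the role has been writing until now, a one-line comment on the value would stop it being "corrected" back: `# 1 = ignore echo requests to broadcast/multicast addresses; RHEL-08-040230 requires 1, not 0`. The added blank `+` line only separates the block from its `when:`; the enclosing block's `when`/`tags` extend past this hunk.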
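Review bot: The new `item != rhel8stig_sysctl_file` guard in the 010372 "Replace conflicting instances" loop compares path strings, but the find task greps both `/etc/sysctl.conf` and `/etc/sysctl.d/*.conf`, and on RHEL 8 `/etc/sysctl.d/99-sysctl.conf` is normally a symlink to `../sysctl.conf` (worth confirming on the target images). If `rhel8stig_sysctl_file` is set to either spelling, the same file is still listed under the other one and lineinfile strips the line from the role's own file through the alias path, reproducing the churn this patch is meant to stop. I would canonicalise both sides — e.g. `... | cut -d':' -f1 | xargs -r readlink -f | sort -u` in the audit shell and compare `item` against the resolved path of an `ansible.builtin.stat` of `rhel8stig_sysctl_file` — or at minimum exclude both known spellings. The same guard is copied into every other sysctl task in this patch and they inherit the same gap.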
@@ -1321,7 +1325,9 @@ regexp: '^fs.protected_hardlinks = 0' state: absent loop: "{{ rhel_08_010374_conflicting_settings.stdout_lines }}" - when: rhel_08_010374_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010374_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." ansible.posix.sysctl: @@ -1610,7 +1616,9 @@ regexp: "kernel.randomize_va_space = [^2]" state: absent loop: "{{ rhel_08_010430_conflicting_settings.stdout_lines }}" - when: rhel_08_010430_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010430_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" ansible.posix.sysctl: @@ -2263,7 +2271,9 @@ regexp: kernel.core_pattern\s*=\s*.*(? 0 + when: + - rhel_08_010671_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." ansible.posix.sysctl: @@ -6683,7 +6693,9 @@ regexp: net.ipv4.conf.default.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}" - when: rhel_08_040209_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040209_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: 
@@ -6718,7 +6730,9 @@ regexp: net.ipv6.conf.default.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040210_conflicting_settings.stdout_lines }}" - when: rhel_08_040210_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040210_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6755,7 +6769,9 @@ regexp: net.ipv4.conf.all.send_redirects = [^0] state: absent loop: "{{ rhel_08_040220_conflicting_settings.stdout_lines }}" - when: rhel_08_040220_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040220_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" ansible.posix.sysctl: @@ -6790,7 +6806,9 @@ regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.* state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" - when: rhel_08_040230_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040230_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl: @@ -6826,7 +6844,9 @@ regexp: net.ipv4.conf.all.accept_source_route = [^0] state: absent loop: "{{ rhel_08_040239_conflicting_settings.stdout_lines }}" - when: rhel_08_040239_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040239_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" ansible.posix.sysctl: 
@@ -6897,7 +6917,9 @@ regexp: net.ipv4.conf.default.accept_source_route = [^0] state: absent loop: "{{ rhel_08_040249_conflicting_settings.stdout_lines }}" - when: rhel_08_040249_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040249_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" ansible.posix.sysctl: @@ -6968,7 +6990,9 @@ regexp: net.ipv4.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}" - when: rhel_08_040259_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040259_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" ansible.posix.sysctl: @@ -7004,7 +7028,9 @@ regexp: net.ipv6.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040260_conflicting_settings.stdout_lines }}" - when: rhel_08_040260_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040260_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" ansible.posix.sysctl: @@ -7041,7 +7067,9 @@ regexp: net.ipv6.conf.all.accept_ra = [^0] state: absent loop: "{{ rhel_08_040261_conflicting_settings.stdout_lines }}" - when: rhel_08_040261_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040261_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" ansible.posix.sysctl: 
@@ -7078,7 +7106,9 @@ regexp: net.ipv6.conf.default.accept_ra = [^0] state: absent loop: "{{ rhel_08_040262_conflicting_settings.stdout_lines }}" - when: rhel_08_040262_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040262_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" ansible.posix.sysctl: @@ -7115,7 +7145,9 @@ regexp: net.ipv4.conf.default.send_redirects = [^0] state: absent loop: "{{ rhel_08_040270_conflicting_settings.stdout_lines }}" - when: rhel_08_040270_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040270_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" ansible.posix.sysctl: @@ -7150,7 +7182,9 @@ regexp: net.ipv4.conf.all.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040279_conflicting_settings.stdout_lines }}" - when: rhel_08_040279_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040279_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: 
@@ -7185,7 +7219,9 @@ regexp: net.ipv6.conf.all.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040280_conflicting_settings.stdout_lines }}" - when: rhel_08_040280_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040280_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: @@ -7221,7 +7257,9 @@ regexp: kernel.unprivileged_bpf_disabled = [^1] state: absent loop: "{{ rhel_08_040281_conflicting_settings.stdout_lines }}" - when: rhel_08_040281_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040281_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" ansible.posix.sysctl: @@ -7245,7 +7283,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." block: - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances" - ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040282_conflicting_settings 
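Review bot: The new grep for RHEL-08-040282 (`kernel.yama.ptrace_scope\s*=\s*1`) selects the files that already hold the compliant value rather than the conflicting ones: the old `[^1]` class matched anything other than 1, and the control requires `kernel.yama.ptrace_scope = 1`. Combined with the following task, which deletes every `kernel.yama.ptrace_scope` line from the selected files, this strips correct settings from other sysctl.d files and leaves a `= 0` (shipped, I believe, in `/usr/lib/sysctl.d/10-default-yama-scope.conf` on RHEL 8) untouched — the role's later-sorted file will still win at boot, but the audit/replace pair now does the opposite of its name. Unless the intent really is to centralise the value in `rhel8stig_sysctl_file`, it should match non-compliant values, e.g. `grep -rls "^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*[^1[:space:]]"`; note that `\s*=\s*[^1]` would be wrong too, since `\s*` can give back the space and let `[^1]` match it. The 040230 hunk in the first patch greps for `\s*=\s*0`, i.e. the non-compliant value, so the two are also inconsistent with each other.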
@@ -7253,10 +7291,12 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: kernel.yama.ptrace_scope = [^1] + regexp: kernel.yama.ptrace_scope.* state: absent loop: "{{ rhel_08_040282_conflicting_settings.stdout_lines }}" - when: rhel_08_040282_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040282_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" ansible.posix.sysctl: @@ -7291,7 +7331,9 @@ regexp: kernel.kptr_restrict = [^1] state: absent loop: "{{ rhel_08_040283_conflicting_settings.stdout_lines }}" - when: rhel_08_040283_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040283_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" ansible.posix.sysctl: @@ -7326,7 +7368,9 @@ regexp: user.max_user_namespaces = [^0] state: absent loop: "{{ rhel_08_040284_conflicting_settings.stdout_lines }}" - when: rhel_08_040284_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040284_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" ansible.posix.sysctl: 
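Review bot: The lineinfile regexp `kernel.yama.ptrace_scope.*` in the 040282 replace task is unanchored, unlike the `^net.ipv4.icmp_echo_ignore_broadcasts.*` form adopted for 040230 in the first patch, so with `state: absent` it also deletes commented lines such as `# kernel.yama.ptrace_scope = 0` and any explanatory comment that merely mentions the key. Anchor it and escape the dots: `regexp: ^\s*kernel\.yama\.ptrace_scope\s*=`. Because the find list includes `/usr/lib/sysctl.d/*.conf`, this task rewrites package-owned files (which `rpm -V` will then flag and the next package update reverts) even though the later-sorted `rhel8stig_sysctl_file` already overrides them; limiting the edit to `/etc/sysctl.conf` and `/etc/sysctl.d` would be the safer scope, though that is pre-existing behaviour rather than something this hunk introduces.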
@@ -7361,7 +7405,9 @@ regexp: net.ipv4.conf.all.rp_filter = [^1] state: absent loop: "{{ rhel_08_040285_conflicting_settings.stdout_lines }}" - when: rhel_08_040285_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040285_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" ansible.posix.sysctl: @@ -7396,7 +7442,9 @@ regexp: net.core.bpf_jit_harden = [^2] state: absent loop: "{{ rhel_08_040286_conflicting_settings.stdout_lines }}" - when: rhel_08_040286_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040286_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" ansible.posix.sysctl: From 88767b89faa060d77c4c1783e551c127340fa43a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 09:49:32 +0100 Subject: [PATCH 03/10] updated to 010070 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 42 ++++++------------------------------------ 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2d85ee7..7f2c93b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -192,42 +192,12 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - block: - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info" - ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_08_010070_info_set_rsyslog - - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv" - ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_08_010070_authpriv_set_rsyslog - - - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: ^(?!#).*\/var\/log\/secure - line: 'auth.*;authpriv.*;daemon.* /var/log/secure' - create: true - mode: '0644' - when: - - rhel_08_010070_info_set_rsyslog.stdout == 0 - - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 - - - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - backrefs: true - regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) - line: \1authpriv.*\2/var/log/secure - create: true - mode: '0644' - when: - - rhel_08_010070_info_set_rsyslog.stdout | length > 0 - - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 - + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: ^(?!#).*\/var\/log\/secure + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' + create: true + mode: '0644' notify: restart rsyslog when: - rhel_08_010070 From 196898d4f7167a1ae70d6ca41f7b30403c38d914 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 17:43:54 +0100 Subject: [PATCH 04/10] added OS_ver variable 
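Review bot: The collapsed RHEL-08-010070 task keeps `create: true`, so on a host where rsyslog is absent or `/etc/rsyslog.conf` is missing it fabricates a one-line config containing only `auth.*;authpriv.*;daemon.* /var/log/secure` and then notifies a restart of a service that may not exist; dropping `create: true` (or gating the task on the rsyslog package being installed) lets it fail visibly instead. The regexp `^(?!#).*\/var\/log\/secure` only ignores a `#` in column 0, so an indented comment mentioning `/var/log/secure` would be replaced — `^(?!\s*#).*\/var\/log\/secure` is the intended form. lineinfile also rewrites only the last matching line, and a RHEL 8 rsyslog.conf normally includes `/etc/rsyslog.d/*.conf`, so a drop-in that redirects `authpriv` elsewhere is not covered; worth confirming the audit side checks those. The removed audit tasks compared `stdout` against integers, so replacing them with an unconditional lineinfile is otherwise an improvement.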
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d9af9ea..8ac23fc 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -13,6 +13,7 @@ rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} +OS_ver: {{ ansible_distribution_version }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long From f5651dd2e5600974eaf591791700082fdff525be Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 17:48:21 +0100 Subject: [PATCH 05/10] added updated variable Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8ac23fc..ff70c46 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -11,9 +11,9 @@ gpg_keys: {% endfor %} rpm_gpg_key: {{ rpm_gpg_key }} -rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} +rhel8stig_os_version_pre_8_2: {% if ansible_facts.distribution_version >= '8.2' %}false{% else %}true{% endif %} -OS_ver: {{ ansible_distribution_version }} +OS_ver: {{ ansible_facts.distribution_version }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long From efddae6e3d851eac9dfc0cc20ebed3743b101f4d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 17:57:49 +0100 Subject: [PATCH 06/10] added updated variable 
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ff70c46..21244fa 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -11,9 +11,9 @@ gpg_keys: {% endfor %} rpm_gpg_key: {{ rpm_gpg_key }} -rhel8stig_os_version_pre_8_2: {% if ansible_facts.distribution_version >= '8.2' %}false{% else %}true{% endif %} +rhel8stig_os_version_pre_8_2: {% if ansible_facts['distribution_version'] is version('8.1', '<=') %}true{% else %}false{% endif %} -OS_ver: {{ ansible_facts.distribution_version }} +OS_ver: {{ ansible_facts['distribution_version'] }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long From 2a00e98aba58262d8b52931596f476c8cf0c8622 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 May 2024 18:00:02 +0100 Subject: [PATCH 07/10] improved ansible facts variables Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 21244fa..d66b104 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -2,7 +2,7 @@ ## metadata for Audit benchmark benchmark_version: {{ benchmark_version }} -rhel8stig_os_distribution: {{ ansible_distribution | lower }} +rhel8stig_os_distribution: {{ ansible_facts['distribution'] | lower }} gpg_keys: {% for info in gpg_keys %} From 0e30a66fe734a9b1cd2519f47fb4c666f7bf6b6c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 09:25:44 +0100 Subject: [PATCH 08/10] updated 10471 based on OS version Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
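Review bot: `OS_ver: {{ ansible_facts['distribution_version'] }}` renders as an unquoted scalar such as `OS_ver: 8.10`, which a YAML loader will most likely read as the float 8.1 — the minor version is lost precisely on the releases (8.10, 8.20, …) where it matters, and any version comparison on the goss side would then be wrong. Quote the templated value: `OS_ver: "{{ ansible_facts['distribution_version'] }}"`. The key also breaks the file's `rhel8stig_*` snake_case convention (`rhel8stig_os_distribution`, `rhel8stig_os_version_pre_8_2` just above it); `rhel8stig_os_version` would match, if the goss consumer can be updated in step.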
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d66b104..472b4ff 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -408,7 +408,7 @@ RHEL_08_010292: {{ rhel_08_010292 }} RHEL_08_010375: {{ rhel_08_010375 }} RHEL_08_010376: {{ rhel_08_010376 }} RHEL_08_010440: {{ rhel_08_010440 }} -RHEL_08_010471: {{ rhel_08_010471 }} +RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '<=') %}true{% else %}false{% endif %} # Only runs if 8.4 or less RHEL_08_010540: {{ rhel_08_010540 }} RHEL_08_010541: {{ rhel_08_010541 }} RHEL_08_010542: {{ rhel_08_010542 }} From e47a1eb57e4b8febf406cd9691253869936575d9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 16:06:47 +0100 Subject: [PATCH 09/10] improved logic on 20104 and 10471 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 472b4ff..bbb1c77 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -226,7 +226,7 @@ RHEL_08_020100: {{ rhel_08_020100 }} RHEL_08_020101: {{ rhel_08_020101 }} RHEL_08_020102: {{ rhel_08_020102 }} RHEL_08_020103: {{ rhel_08_020103 }} -RHEL_08_020104: {{ rhel_08_020104 }} +RHEL_08_020104: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}true{% else %}false{% endif %} # Only runs if 8.4 or greater RHEL_08_020110: {{ rhel_08_020110 }} RHEL_08_020120: {{ rhel_08_020120 }} RHEL_08_020130: {{ rhel_08_020130 }} 
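Review bot: `RHEL_08_020104` is now derived solely from the OS version and no longer reads `rhel_08_020104`, so a consumer who disables that control in their vars (an approved exception, or a host where it is N/A) still gets it audited, while the same variable presumably continues to gate the remediation task the way `rhel_08_040230` does in fix-cat2.yml — the audit and fix sides drift apart. Keep the toggle and AND it with the version test: `RHEL_08_020104: {% if rhel_08_020104 and ansible_facts['distribution_version'] is version('8.4', '>=') %}true{% else %}false{% endif %}  # 8.4 and later only`. The `RHEL_08_010471` line changed in the same series has the same issue.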
@@ -408,7 +408,7 @@ RHEL_08_010292: {{ rhel_08_010292 }} RHEL_08_010375: {{ rhel_08_010375 }} RHEL_08_010376: {{ rhel_08_010376 }} RHEL_08_010440: {{ rhel_08_010440 }} -RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '<=') %}true{% else %}false{% endif %} # Only runs if 8.4 or less +RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}false{% else %}true{% endif %} # Only runs if 8.3 or less RHEL_08_010540: {{ rhel_08_010540 }} RHEL_08_010541: {{ rhel_08_010541 }} RHEL_08_010542: {{ rhel_08_010542 }} From cbf87b967d5adde50037babec7f432b4369a545d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 30 May 2024 16:10:40 +0100 Subject: [PATCH 10/10] lint update Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7f2c93b..50effba 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6664,8 +6664,8 @@ state: absent loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}" when: - - rhel_08_040209_conflicting_settings.stdout | length > 0 - - item != rhel8stig_sysctl_file + - rhel_08_040209_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6777,8 +6777,8 @@ state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" when: - - rhel_08_040230_conflicting_settings.stdout | length > 0 - - item != rhel8stig_sysctl_file + - rhel_08_040230_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl:
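Review bot: `RHEL_08_010471` is now set purely from the OS version and drops the `rhel_08_010471` variable it previously passed through, so disabling the control in role vars no longer disables the audit. The inverted form (`>= 8.4` → `false`, else `true`) also reads as a double negative; `{% if rhel_08_010471 and ansible_facts['distribution_version'] is version('8.4', '<') %}true{% else %}false{% endif %}  # 8.0-8.3 only` says the same thing directly and keeps the toggle. Using the `version` test rather than string comparison is the right call, since `'8.10' >= '8.2'` is false as strings.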