diff --git a/.ansible-lint b/.ansible-lint index 964eb052..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,11 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' diff --git a/Changelog.md b/Changelog.md index b38dfadf..73a22b0f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,47 @@ # Changes to RHEL8STIG +## Stig V1R11 - 26th July 2023 + +### 3.0.1 + +Issues: + +- [#207](https://github.com/ansible-lockdown/RHEL8-STIG/issues/207) +- [#208](https://github.com/ansible-lockdown/RHEL8-STIG/issues/208) +- [#209](https://github.com/ansible-lockdown/RHEL8-STIG/issues/209) +- [#210](https://github.com/ansible-lockdown/RHEL8-STIG/issues/210) +- [#211](https://github.com/ansible-lockdown/RHEL8-STIG/issues/211) +- [#212](https://github.com/ansible-lockdown/RHEL8-STIG/issues/212) + +### 3.0.0 + +Controls updated + +- CAT2: + - 010030 - ruleid + - 010200 - ruleid + - 010201 - ruleid + - 010290 - ruleid and SSH MACS updated + - 010291 - ruleid and SSH Ciphers updated + - 010770 - ruleid + - 020035 - new control idlesession timeout new var rhel_08_020035_idlesessiontimeout + - 020041 - ruleid and tmux script update + - 030690 - ruleid and protocol options added + - 040159 - ruleid + - 040160 - ruleid + - 040342 - ruleid and SSH KEX algorithms updated + +- CAT3 + - 010471 - ruleid + +- audit variables updated, new version +- tidied up the end of the playbook ordering with reboot taking place(if set and enabled) prior to audit now. + +## 2.9.2 + +- #216 check that sudo user has a password check improvement + - thanks to manish on discord for highlighting this + ## 2.9.1 - Issue #204 address diff --git a/README.md b/README.md index 3b48ccf1..79083a39 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 10 released on April 24, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R10_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip). --- diff --git a/defaults/main.yml b/defaults/main.yml index 2e444387..8b68badf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r10' +benchmark_version: 'v1r11' ## Benchmark name used by audting control role # The audit variable found at the base @@ -61,7 +61,7 @@ setup_audit: false # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf @@ -246,6 +246,7 @@ rhel_08_020028: true rhel_08_020030: true rhel_08_020031: true rhel_08_020032: true +rhel_08_020035: true rhel_08_020039: true rhel_08_020040: true rhel_08_020041: true @@ -275,6 +276,7 @@ rhel_08_020210: true rhel_08_020220: true rhel_08_020221: true rhel_08_020230: true +rhel_08_020235: true rhel_08_020231: true rhel_08_020240: true rhel_08_020250: true 
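Review bot: The added `rhel_08_020235: true` in the `@@ -275,6 +276,7 @@` hunk of defaults/main.yml has no matching task, tag or template entry anywhere in this diff (only RHEL-08-020035 gains a task in tasks/fix-cat2.yml and a line in templates/ansible_vars_goss.yml.j2), and it is inserted between 020230 and 020231 out of numeric order, which reads like a typo for 020035. If no such control exists in V1R11 the line should be dropped; if it does exist it needs the corresponding task and template line, otherwise the toggle is silently ignored. The `rhel_08_020035: true` added in the preceding hunk is consumed correctly.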
@@ -491,7 +493,7 @@ rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/" # The default shell command to gather local interactive user directories ## NOTE: You will need to adjust the UID range in parenthesis below. ## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. -local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" +local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | grep -v '/sbin/nologin' | cut -d: -f6 | sort -u | grep -Ev '/var/|/nonexistent/|/run/*'" # IPv6 required rhel8stig_ipv6_required: true @@ -539,12 +541,12 @@ rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false # RHEL-08-010700 -# rhel8stig_ww_dir_owner is the owenr of all world-writable directories +# rhel8stig_ww_dir_owner is the owner of all world-writable directories # To conform to STIG standards this needs to be set to root, sys, bin, or an application group rhel8stig_ww_dir_owner: root # RHEL-08-010710 -# rhel8stig_ww_dir_grpowner is the owenr of all world-writable directories +# rhel8stig_ww_dir_grpowner is the owner of all world-writable directories # To conform to STIG standards this needs to be set to root, sys, bin, or an application group rhel8stig_ww_dir_grpowner: root @@ -730,9 +732,12 @@ rhel8stig_pam_faillock: attempts: 3 interval: 900 unlock_time: 0 - fail_for_root: true + fail_for_root: "{{ rhel_08_020023 }}" dir: /var/log/faillock +# RHEL-08-020035 +rhel_08_020035_idlesessiontimeout: 900 + # RHEL-08-030670 # rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards rhel8stig_audisp_disk_full_action: single 
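Review bot: In the rewritten `local_interactive_user_dir_command`, the trailing `grep -Ev '/var/|/nonexistent/|/run/*'` is unanchored and `/run/*` means "/run followed by zero or more slashes", so any home directory whose path contains `/run` (for example `/home/runner` or `/home/rundeck`) is silently excluded from every control that consumes this variable. Because `cut -d: -f6` has already reduced each line to the home-directory field, the exclusions can be anchored: `grep -Ev '^/var/|^/nonexistent|^/run/'`. The new `grep -v '/sbin/nologin'` runs on the full passwd line, which is fine, but it only excludes that one shell spelling (`/usr/sbin/nologin` also matches, `/bin/false` does not) — worth a comment so readers know which non-interactive shells are and are not filtered.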
@@ -773,9 +778,11 @@ rhel8stig_login_defaults: create_home: 'yes' # RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs +# NOTE different protocol configs '@''=UDP '@@''=TCP '':omrelp:'=RELP rhel8stig_remotelog_server: server: 10.10.10.10 port: 9999 + protocol: '@@' # RHEL-08-030020 rhel8stig_auditd_mail_acct: root @@ -870,8 +877,10 @@ rhel8stig_white_list_services: # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256' -rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr" +rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' +rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com" +# RHEL-08-040342 +# Expected Values for FIPS KEX algorithims rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting 
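Review bot: The new comment above `rhel8stig_remotelog_server` is hard to read because of the doubled quotes — `'@''=UDP '@@''=TCP '':omrelp:'=RELP` — and it does not say that the value is placed verbatim in front of `server:port` by the RHEL-08-030690 task in tasks/fix-cat2.yml. Suggest `# rsyslog transport prefix written before server:port: '@' = UDP, '@@' = TCP, ':omrelp:' = RELP (keep quoted, '@' is a YAML indicator)`. Quoting the default `'@@'` is correct and the comment should tell users to keep it that way.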
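Review bot: The comment added for RHEL-08-040342 in the `@@ -870,8 +877,10 @@` hunk misspells the word as `algorithims`; suggest `# RHEL-08-040342 expected values for the FIPS KEX algorithms`. The comment block above the MACs/Ciphers lines still states that RHEL-08-010291 only requires `aes256-ctr,aes192-ctr,aes128-ctr`, while the new `rhel8stig_ssh_ciphers` default also appends the `-gcm@openssh.com` ciphers and `rhel8stig_ssh_macs` appends the `-etm@openssh.com` MACs; extend those comments so a reader does not trim the lists back to the older minimum and fail the updated check.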
@@ -901,29 +910,29 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_version: + release: v0.3.23 + checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json -# if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" -## if get_goss_file - copy the following needs to be updated for your environment +## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host -copy_goss_from_path: /some/accessible/path +audit_bin_copy_location: /some/accessible/path -### Goss Audit Benchmark file ### +#### Goss Audit Benchmark file ### ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}_rh8" -# copy: -audit_local_copy: "some path to copy from" +# archive or copy: +audit_conf_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" 
@@ -932,14 +941,13 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing -goss_file: "{{ audit_conf_dir }}goss.yml" audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" audit_results: | The pre remediation results are: {{ pre_audit_summary }}. diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index b4ac4d25..4ef8469f 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -1,22 +1,22 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version.checksum }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' + - get_audit_binary_method == 'copy' diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7b147fa5..03408954 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -54,7 +54,7 @@ check_mode: false changed_when: false failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 - when: rhel_08_010020_default_grub_missing_audit is changed + when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler register: rhel_08_010020_grub_cmdline_linux_audit - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" @@ -66,7 +66,7 @@ mode: 0644 vars: grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" - when: rhel_08_010020_default_grub_missing_audit is changed + when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" ansible.builtin.replace: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4b62cf1b..6b5ccdbe 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -98,7 +98,7 @@ - CAT2 - CCI-001199 - SRG-OS-000185-GPOS-00079 - - SV-230224r809268_rule + - SV-230224r917864_rule - V-230224 - name: | 
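Review bot: Both tasks in this hunk keep `mode: 0555` as an unquoted octal, which a YAML 1.1 loader reads as the integer 365; Ansible tolerates this but ansible-lint flags it, so since both tasks are being edited anyway write `mode: '0555'`. The copy branch also installs a root-owned executable with no integrity check, whereas the download branch verifies `audit_bin_version.checksum`; if the copy path is intended for air-gapped use, document that the caller is responsible for verifying the file at `audit_bin_copy_location` (or add a `checksum` to the copy task, noting that `ansible.builtin.copy` accepts a SHA1 value only).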
@@ -243,7 +243,7 @@ mode: '0700' - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" - openssh_keypair: + community.crypto.openssh_keypair: path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" when: - rhel_08_010100 @@ -497,7 +497,7 @@ - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." block: - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" - ansible.builtin.shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" + ansible.builtin.shell: "find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" changed_when: false failed_when: false register: rhel_08_010190_world_writable_files @@ -533,7 +533,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-230244r858697_rule + - SV-230244r917867_rule - V-230244 - ssh @@ -551,7 +551,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-244525r858699_rule + - SV-244525r917886_rule - V-244525 - ssh 
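Review bot: `community.crypto.openssh_keypair` makes this role depend on the community.crypto collection, and nothing in the diff declares that dependency (no change to meta/ or a collections requirements file is visible), so a controller without it fails at this task only when `rhel_08_010100` is true. Add the collection to the role's requirements and list it in the README alongside the other prerequisites. The block containing this task starts and ends outside the hunk.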
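Review bot: Adding `-xdev` to the `find /` in the RHEL-08-010190 audit (`@@ -497,7 +497,7 @@` hunk) stops the scan at the root filesystem boundary, so world-writable directories on separately mounted filesystems — a dedicated `/tmp`, `/var/tmp`, `/home` or `/var`, which the STIG's partitioning controls encourage — are no longer found or given the sticky bit. If the intent was to skip pseudo-filesystems, prune them explicitly instead, e.g. `find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type d \( -perm -0002 -a ! -perm -1000 \) -print`, or loop the task over the local mount points from `ansible_mounts` with `-xdev` applied to each. The trailing `sed 's/.* //'` strips everything up to the last space, so a path containing a space is truncated — pre-existing, but worth fixing while the command is being changed.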
@@ -799,6 +799,30 @@ - V-244526 - ssh +- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." + block: + - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" + ansible.builtin.shell: fips-mode-setup --check + changed_when: false + failed_when: rhel_08_010293_pre_fips_check.stdout is not defined + register: rhel_08_010293_pre_fips_check + + - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" + ansible.builtin.shell: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: change_requires_reboot + when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' + when: + - rhel_08_010293 + tags: + - RHEL-08-010293 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230254r627750_rule + - V-230254 + - fips + - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs" block: - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" @@ -820,7 +844,7 @@ - RHEL-08-010290 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230251r743937_rule + - SV-230251r917870_rule - V-230251 - fips 
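Review bot: In the RHEL-08-010293 block moved into this hunk, the enable task registers its result as `rhel_08_010290_fips_enable`, a name belonging to a different control; rename it `rhel_08_010293_fips_enable` so it is not confused with the MACs control that follows. The audit task's `failed_when: rhel_08_010293_pre_fips_check.stdout is not defined` can only be true when the command produced no result at all, so it effectively never fails; if the goal is to catch a missing or broken `fips-mode-setup`, assert on the wording the `when` already relies on, e.g. `failed_when: "'FIPS mode is' not in rhel_08_010293_pre_fips_check.stdout"`.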
@@ -831,7 +855,7 @@ changed_when: false register: rhel8stig_current_ciphers - - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Apply Ciphers" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' 
@@ -845,34 +869,10 @@ - RHEL-08-010291 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230252r877394_rule + - SV-230252r917873_rule - V-230252 - fips -- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." - block: - - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" - ansible.builtin.shell: fips-mode-setup --check - changed_when: false - failed_when: rhel_08_010293_pre_fips_check.stdout is not defined - register: rhel_08_010293_pre_fips_check - - - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" - ansible.builtin.shell: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: change_requires_reboot - when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' - when: - - rhel_08_010293 - tags: - - RHEL-08-010293 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-230254r627750_rule - - V-230254 - - fips - - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." block: - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
@@ -2505,22 +2505,14 @@ - V-230320 - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: rhel_08_010730_home_directories - - - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - ansible.builtin.file: - path: "{{ item }}" - mode: "{{ rhel8stig_local_int_home_perms }}" - with_items: - - "{{ rhel_08_010730_home_directories.stdout_lines }}" - when: rhel_08_010730_home_directories.stdout | length > 0 + ansible.builtin.file: + path: "{{ item }}" + mode: "{{ rhel8stig_local_int_home_perms }}" + with_items: + - "{{ local_home_directories.stdout_lines }}" when: - rhel_08_010730 + - local_home_directories.stdout | length > 0 tags: - RHEL-08-010730 - CAT2 @@ -2661,7 +2653,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230325r627750_rule + - SV-230325r917879_rule - V-230325 - complexity-high @@ -3234,7 +3226,7 @@ "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." ansible.builtin.shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" - when: add_faillock_secontext.changed + when: add_faillock_secontext.changed # noqa no-handler when: - rhel_08_020027 or rhel_08_020028 
@@ -3293,6 +3285,22 @@ - V-230347 - gui +- name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions." + ansible.builtin.lineinfile: + path: "/etc/systemd/logind.conf" + regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec=' + line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}" + when: + - rhel_08_020035 + tags: + - RHEL-08-020035 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-257258r917891_rule + - V-257258 + - session + - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." block: - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" @@ -3332,7 +3340,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac + case "$name" in (sshd|login) tmux ;; esac fi create: true when: @@ -3342,7 +3350,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230349r880737_rule + - SV-230349r917920_rule - V-230349 - tmux @@ -4264,10 +4272,10 @@ with_items: "{{ rhel8stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" - include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: parse_etc_passwd.yml vars: rhel8stig_passwd_tasks: "RHEL-08-020320" - when: rhel_08_020320_accounts_removed is changed + when: rhel_08_020320_accounts_removed is changed # noqa no-handler when: - rhel_08_020320 tags: 
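Review bot: The new RHEL-08-020035 task's `regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec='` only matches a commented line with a space after the hash, while the stock `/etc/systemd/logind.conf` ships the key as `#StopIdleSessionSec=infinity`, so on a default system the commented line stays and a second line is appended at the end of the file; use `regexp: '^#?\s*StopIdleSessionSec='`. The written value `StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}` carries a space after `=`, which systemd tolerates but other tooling may not; `line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}"` is safer. Nothing notifies a restart of `systemd-logind`, so the setting is not in effect until reboot — add a `notify:` for a handler that restarts it, or at minimum `notify: change_requires_reboot` as the neighbouring controls do. Also confirm the targeted RHEL 8 minor releases ship a systemd that understands `StopIdleSessionSec` (it is not in the original RHEL 8 systemd), since an unknown key is silently ignored and the host would report compliant while idle sessions never terminate.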
@@ -4322,22 +4330,25 @@ block: - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files" ansible.builtin.find: - paths: /home + paths: "{{ item }}" patterns: '^\.' contains: 'umask' recurse: true hidden: true use_regex: true - register: rhel8stig_020352_files + register: rhel8stig_020352_file + loop: "{{ local_home_directories.stdout_lines }}" - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" ansible.builtin.lineinfile: - path: "{{ item.path }}" + path: "{{ item }}" regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" state: absent with_items: - - "{{ rhel8stig_020352_files.files }}" - when: rhel8stig_020352_files.matched > 0 + - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}" + when: + - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined + when: - rhel_08_020352 tags: @@ -5620,7 +5631,7 @@ ansible.builtin.lineinfile: path: /etc/rsyslog.conf regexp: '^.*\@\@' - line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" + line: "*.* {{ rhel8stig_remotelog_server.protocol }}{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" when: - rhel_08_030690 tags: @@ -5628,7 +5639,7 @@ - CAT2 - CCI-001851 - SRG-OS-000342-GPOS-00133 - - SV-230479r627750_rule + - SV-230479r917883_rule - V-230479 - auditd - rsyslog @@ -6085,7 +6096,7 @@ - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled" ansible.builtin.shell: nmcli radio wifi off - when: rhel_08_wifi_enabled is changed + when: rhel_08_wifi_enabled is changed # noqa no-handler when: - rhel_08_040110 tags: 
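Review bot: The new `when: - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined` is always true — a filter pipeline that evaluates without error is by definition defined — so it guards nothing; an empty `with_items` list already yields zero iterations, so the condition can be dropped. `json_query` also pulls in the community.general collection and the `jmespath` Python library on the controller, which this role does not otherwise appear to require; the same list is available with built-in filters: `rhel8stig_020352_file.results | map(attribute='files') | flatten | map(attribute='path') | list`. The `register` was renamed to the singular `rhel8stig_020352_file` while now holding a list of per-home results; `rhel8stig_020352_results` would read more naturally.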
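Review bot: The RHEL-08-030690 lineinfile (`@@ -5620,7 +5631,7 @@` hunk) now writes the configurable `rhel8stig_remotelog_server.protocol` prefix, but its `regexp: '^.*\@\@'` still matches only lines carrying the TCP `@@` prefix, so with `protocol: '@'` (UDP) or `':omrelp:'` an existing forwarding rule is never matched and a changed server, port or protocol appends a second destination instead of replacing the old one. Match any of the supported prefixes instead: `regexp: '^\*\.\*\s+(@{1,2}|:omrelp:)'`. The task's `name` and the start of the module call are outside the hunk.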
@@ -6545,8 +6556,8 @@ - CAT2 - CCI-002418 - SRG-OS-000423-GPOS-00187 - - SV-244549r743896_rule - - SV-230526r744032_rule + - SV-244549r916422_rule + - SV-230526r916422_rule - V-244549 - V-230526 - ssh @@ -7394,6 +7405,10 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>' backrefs: true + when: + - rhel8stig_current_kex is defined + - rhel8stig_current_kex.stdout | length > 0 + notify: change_requires_reboot when: - rhel_08_040342 @@ -7403,7 +7418,8 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-255924r880733_rule + - SV-255924r917888_rule + - V-255924 - fips - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index ac9b6dc3..39c12a56 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -157,7 +157,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230285r627750_rule + - SV-230285r917876_rule - SV-244527r743830_rule - V-230285 - V-244527 diff --git a/tasks/main.yml b/tasks/main.yml index ab438ff9..53875d00 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -66,6 +66,7 @@ sudo_password_rule: RHEL-08-010380 when: - rhel_08_010380 + - ansible_env.SUDO_USER is defined - not system_is_ec2 tags: - user_passwd 
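Review bot: The new `ansible_env.SUDO_USER is defined` guard in tasks/main.yml (`@@ -66,6 +66,7 @@` hunk) depends on gathered facts (`ansible_env` comes from the setup module) and is false whenever the connection user is root or privilege escalation is not sudo, so in those cases the RHEL-08-010380 sudo-password check is skipped silently rather than evaluated. That may be the intended fix for #216, but it deserves a comment next to the condition, e.g. `# SUDO_USER only exists when facts were gathered through a sudo session; direct root logins have no sudo user to check`, and ideally a debug message when the check is skipped so auditors can see why. The enclosing task starts outside the hunk.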
@@ -164,23 +165,29 @@ - name: flush handlers ansible.builtin.meta: flush_handlers - tags: - - CAT1 - - CAT2 - - CAT3 -- name: reboot system if changes require it and not skipped - ansible.builtin.reboot: - when: - - change_requires_reboot - - not rhel8stig_skip_reboot - tags: - - always +- name: reboot system + block: + - name: reboot system if not skipped + ansible.builtin.reboot: + when: + - change_requires_reboot + - not rhel8stig_skip_reboot -- name: Include post-remediation tasks + - name: Warning a reboot required but skip option set + ansible.builtin.debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - rhel8stig_skip_reboot + +- name: run post remediation audit ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit + tags: + - always - name: Show Audit Summary ansible.builtin.debug: @@ -189,13 +196,4 @@ - run_audit tags: - run_audit - -- name: Warning a reboot required but skip option set - ansible.builtin.debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" - changed_when: true - when: - - change_requires_reboot - - rhel8stig_skip_reboot - tags: - always diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 821afd4d..370d2f66 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
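Review bot: The `flush handlers` meta task and the new `reboot system` block lost their `tags`, while `run post remediation audit` gained `tags: always`; on a run limited with `--tags` (e.g. `--tags CAT1`) the untagged reboot/warning block is skipped and, on Ansible 2.11 and later where meta tasks honour tags, the handlers are not flushed either — yet the post-remediation audit still runs and can report FIPS, kernel-parameter or service settings as non-compliant because the host was never rebooted. Add `tags: - always` to both the `flush handlers` task and the `reboot system` block so the ordering the changelog describes (reboot before audit) holds under tag filtering. Both child tasks of the block repeat `change_requires_reboot` in their `when`; that condition could be lifted to the block level.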
@@ -2,11 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: rhel8stig_run_post_remediation.rc == 0 - register: rhel8stig_run_post_remediation - vars: - warn: false + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -19,12 +19,12 @@ - name: Post Audit | Capture audit data if json format block: - - name: Post Audit | "capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result + - name: Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index c09253a3..8083b7f2 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
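Review bot: The audit run's environment is now hard-coded inline (`AUDIT_BIN`, `AUDIT_CONTENT_LOCATION`, `AUDIT_FILE: "goss.yml"`) here and again in tasks/pre_remediation_audit.yml (`@@ -89,23 +83,24 @@` hunk), while `audit_run_script_environment` in defaults/main.yml is still defined but no longer referenced, so the two copies can drift and the default is dead. Keep one definition — either point both tasks back at `environment: "{{ audit_run_script_environment }}"` after adding `AUDIT_BIN` and `AUDIT_FILE` to that default, or remove the default with a changelog note. `changed_when: true` also marks a read-only audit as changed on every run; `changed_when: false` is the honest value (the shell task still fails on a non-zero exit), and keeping a `register` preserves the ability to inspect the run's output.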
@@ -1,71 +1,72 @@ --- -- name: "Pre Audit | Setup the audit" +- name: Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: "Pre Audit | If using git for content set up" +- name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit | Install git (rh8 python3) + - name: Pre Audit Setup | Install git (rh8 python3) ansible.builtin.package: name: git state: present - when: - - ansible_distribution_major_version == "8" - - audit_content == "git" - - "'git' not in ansible_facts.packages" + when: ansible_distribution_major_version == '8' - - name: "Pre Audit | Install git (rh7 python2)" + - name: Pre Audit Setup | Install git (rh7 python2) ansible.builtin.package: name: git state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - when: - - ansible_distribution_major_version == "7" - - audit_content == "git" - - "'git' not in ansible_facts.packages" + when: ansible_distribution_major_version == '7' -- name: "Pre Audit | retrieve audit content files from git" - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - audit_content == 'git' -- name: "Pre Audit | copy to audit content files to server" +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - audit_content == 'copy' -- name: "Pre Audit | get audit content from url" +- name: Pre 
Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: - audit_content == 'get_url' -- name: "Pre Audit | Check Goss is available" +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file + - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - - name: "Pre Audit | If audit ensure goss is available" + - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: @@ -73,14 +74,7 @@ when: - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - goss_template - -- name: "Pre Audit | Copy ansible default vars values to test audit" +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" 
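Review bot: The `copy to audit content files to server` task now reads `src: "{{ audit_local_copy }}"` and `dest: "{{ audit_conf_dest }}"`, but this same commit renames `audit_local_copy` to `audit_conf_copy` in defaults/main.yml and defines no `audit_conf_dest` anywhere, so `audit_content: copy` will fail on undefined variables. Given the new `archived` branch already consumes `audit_conf_copy`, the copy task most likely wants `src: "{{ audit_conf_copy }}"` and `dest: "{{ audit_conf_dir }}"`. The two git install tasks also dropped the `'git' not in ansible_facts.packages` guard; the block-level `when: audit_content == 'git'` still scopes them, but a comment saying the package module is now relied on for idempotence would help.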
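Review bot: Removing the `Pre Audit | Check whether machine is UEFI-based` stat task (`@@ -73,14 +74,7 @@` hunk) drops the `rhel8_efi_boot` fact, but the diff to templates/ansible_vars_goss.yml.j2 shows no corresponding removal, so if the template or the Goss content still references `rhel8_efi_boot` the vars file will fail to render when `run_audit` is true. Confirm the variable is unused before merging, or keep the stat task with `tags: - always` next to the template task.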
@@ -89,23 +83,24 @@ - run_audit tags: - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: rhel8stig_run_pre_remediation.rc == 0 - register: rhel8stig_run_pre_remediation - vars: - warn: false + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" -- name: "Pre Audit | Capture audit data if json format" +- name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: "Pre Audit | Capture pre-audit result" + - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: @@ -113,14 +108,14 @@ when: - audit_format == "json" -- name: "Pre Audit | Capture audit data if documentation format" +- name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: "Pre Audit | Capture pre-audit result" + - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index b6436d95..20435f73 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -188,6 +188,17 @@ - RHEL-08-010070 - RHEL-08-030010 +- name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" + ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) + changed_when: false + failed_when: false + register: local_home_directories + when: + - rhel_08_010730 or + rhel_08_020352 + tags: + - always + - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins @@ -323,11 +334,7 @@ rhel_08_020250 or rhel_08_020290 tags: - - RHEL-08-010400 - - RHEL-08-020250 - - RHEL-08-020090 - - RHEL-08-020290 - - pamd + - always - name: "PRELIM | Gather interactive user ID min" block: @@ -347,6 +354,8 @@ ansible.builtin.set_fact: rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" + tags: + - always - name: Gather the package facts ansible.builtin.package_facts: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 93f210e6..e81f9658 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,6 +1,6 @@ ## metadata for Audit benchmark -benchmark_version: '1.10' +benchmark_version: '1.11' rhel8stig_os_distribution: {{ ansible_distribution | lower }} @@ -210,6 +210,7 @@ RHEL_08_020028: {{ rhel_08_020028 }} RHEL_08_020030: {{ rhel_08_020030 }} RHEL_08_020031: {{ rhel_08_020031 }} RHEL_08_020032: {{ rhel_08_020032 }} +RHEL_08_020035: {{ rhel_08_020035 }} RHEL_08_020039: {{ rhel_08_020039 }} RHEL_08_020040: {{ rhel_08_020040 }} RHEL_08_020041: {{ rhel_08_020041 }} 
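Review bot: The new `Get local interactive user home directories` prelim hard-codes the interactive UID floor as `($3>=1000)` even though the same file later gathers `rhel8stig_interactive_uid_start` and `local_interactive_user_dir_command` in defaults honours `rhel8stig_int_gid`, so the two notions of "interactive user" disagree on systems with a non-default UID_MIN; either move this task after the UID gathering and use `-v min={{ rhel8stig_interactive_uid_start }}` with `($3>=min)`, or reuse the existing variable. The awk also keeps accounts with `nologin`/`false` shells (unlike `local_interactive_user_dir_command`, which now filters `/sbin/nologin`), and `ls -d $(...)` word-splits, so a home directory containing a space is truncated before `ansible.builtin.file` chmods it in RHEL-08-010730. The task name reads `RHEL-08-20352` and should be `RHEL-08-020352`. Since this task is now the single source for RHEL-08-010730 and RHEL-08-020352, a comment stating that and noting that `ls -d` intentionally drops non-existent home directories would help the next maintainer.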
@@ -459,6 +460,9 @@ rhel8stig_aide_cron_file: /etc/cron.d/aide # RHEL_08_200027 &28 rhel8stig_pam_faillock_dir: {{ rhel8stig_pam_faillock.dir }} +# RHEL_08_020035 +rhel_08_020035_idlesessiontimeout: {{ rhel_08_020035_idlesessiontimeout }} + # RHEL_08_030040 - Options are SYSLOG, SINGLE, and HALT to fit STIG standards rhel8stig_auditd_disk_error_action: {{ rhel8stig_auditd_disk_error_action }} @@ -471,25 +475,10 @@ rhel8stig_auditd_disk_full_action: {{ rhel8stig_auditd_disk_full_action }} # RHEL_08_030690 if using remote syslog server rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }} rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }} +rhel8stig_remotelog_protocol: '{{ rhel8stig_remotelog_server.protocol }}' # RHEL_08_040137 python_bin: {{ ansible_python.executable }} # RHEL_08_040260-62 rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} - -# RHEL-08-020010 -# RHEL-08-020011 -# RHEL-08-020012 -# RHEL-08-020013 -# RHEL-08-020014 -# RHEL-08-020015 -# RHEL-08-020016 -# RHEL-08-020017 -# RHEL-08-020018 -# RHEL-08-020019 -# RHEL-08-020020 -# RHEL-08-020021 -# RHEL-08-020022 -# RHEL-08-020023 - diff --git a/vars/is_container.yml b/vars/is_container.yml index f8f2f8c2..e08cbead 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -1,3 +1,5 @@ +--- + # Container vars file rhel8stig_ssh_required: false diff --git a/vars/main.yml b/vars/main.yml index 3d2ab14d..f01c9ff9 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,5 @@ --- + rhel8stig_min_ansible_version: 2.10.1 rhel8stig_dconf_available: "{{ rhel8stig_gui or rhel8stig_dconf_audit.rc == 0 or 
@@ -43,7 +44,3 @@ rhel8stig_re_qp_key_end: (?:" *) # insert the parameter at the beginning or append to the end, default append rhel8stig_re_qp_insert: "{{ insert | default(not (append | default(true))) }}" - -# RHEL-08-040342 -# Expected Values for FIPS KEX algorithims -FIPS_KEX_ALGO: '-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'