diff --git a/handlers/main.yml b/handlers/main.yml
index d958d25..71d8ed3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -102,7 +102,7 @@
 remote_src: true
 owner: root
 group: root
- mode: '0755'
+ mode: 'u+x,go-w'
 when:
 - rhel8stig_grub2_user_cfg.stat.exists
 - rhel8stig_workaround_for_disa_benchmark
@@ -125,7 +125,7 @@
 dest: /etc/audit/rules.d/99_auditd.rules
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 notify: restart auditd
 
 - name: restart auditd
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index cd95892..7bc7ed7 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -63,7 +63,7 @@
 dest: /etc/default/grub
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 vars:
 grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
 when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler
@@ -200,7 +200,7 @@
 line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 notify: confirm grub2 user cfg
 when:
 - not system_is_ec2
@@ -450,7 +450,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 with_items:
 - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
 - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index dae1b90..cbd7fc8 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -124,7 +124,7 @@
 content: "{{ rhel8stig_logon_banner }}"
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 notify: restart sshd
 with_items:
 - /etc/issue
@@ -150,7 +150,7 @@
 regexp: 'banner-message-enabled='
 line: banner-message-enable=true
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 owner: root
 group: root
 insertafter: '[org/gnome/login-screen]'
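Review bot: The new `u-x,go-wx` on the `/etc/issue` banner copy (hunk `@@ -124`) only strips bits and never grants read, so whether the banner is world-readable now depends on the mode the file already had, or for a freshly created file on the remote umask, rather than on this task. A banner that unprivileged processes cannot read is a functional regression (an sshd pre-auth privsep child appears to read `Banner` unprivileged, though that should be confirmed) and the control only sets an upper bound, so nothing requires stripping read. If the intent is to keep the 0644 cap without clobbering stricter modes, `mode: 'u-x,go-wx,a+r'` restores the read guarantee; if the intent is only the symbolic spelling, `mode: 'u=rw,go=r'` is the exact equivalent of the removed `0644`. The `with_items` loop may list more banner paths than the single `/etc/issue` visible here, so the same reasoning applies to each; the loop continues outside the hunk.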
@@ -173,7 +173,7 @@
 [org/gnome/login-screen]
 banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
 banner-message-enable=true
- mode: '0644'
+ mode: 'u-x,go-wx'
 owner: root
 group: root
 vars:
@@ -197,7 +197,7 @@
 regexp: ^(?!#).*\/var\/log\/secure
 line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 notify: restart rsyslog
 when:
 - rhel_08_010070
@@ -242,7 +242,7 @@
 ansible.builtin.file:
 path: "{{ rhel8stig_path_to_sshkey }}"
 state: directory
- mode: '0700'
+ mode: 'u+x,go-rwx'
 
 - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
 community.crypto.openssh_keypair:
@@ -339,7 +339,7 @@
 dest: /etc/grub.d/01_users
 owner: root
 group: root
- mode: '0755'
+ mode: 'u+x,go-w'
 notify: confirm grub2 user cfg
 when:
 - rhel_08_010141 or
@@ -364,7 +364,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 when:
 - rhel_08_010151
 tags:
@@ -384,7 +384,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 when:
 - rhel_08_010152
 tags:
@@ -512,7 +512,7 @@
 - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
 ansible.builtin.file:
 path: "{{ item }}"
- mode: '1777'
+ mode: '+t'
 with_items:
 - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
 when:
@@ -672,7 +672,7 @@
 content: |
 [org/gnome/desktop/screensaver]
 lock-delay=uint32 5
- mode: '0644'
+ mode: 'u-x,go-wx'
 notify: dconf update
 when:
 - rhel_08_020031
@@ -693,7 +693,7 @@
 content: |
 [org/gnome/login-screen]
 disable-user-list=true
- mode: '0644'
+ mode: 'u-x,go-wx'
 when:
 - rhel_08_020032
 - rhel8stig_always_configure_dconf
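Review bot: `+t` in hunk `@@ -512` is a real improvement over forcing `1777` onto every hit, but the sticky bit only has an effect on directories on Linux, while the task title and the loop variable `rhel_08_010190_world_writable_files` speak of files. If that list contains regular files the new mode is a silent no-op on them, and the control (RHEL-08-010190, public directories) is only met for the directories the audit happened to include; the audit task is outside this hunk, so check that its find is restricted to `-type d` and consider renaming the title to "... | Set sticky bit on world-writable directories". Making the class explicit, `mode: 'o+t'`, also avoids relying on Ansible's treatment of an empty user class as `a`.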
@@ -756,7 +756,7 @@
 dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081
 content: |
 /org/gnome/desktop/session/idle-delay
- mode: '0644'
+ mode: 'u-x,go-wx'
 notify: dconf update
 when:
 - rhel_08_020081
@@ -775,7 +775,7 @@
 dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082
 content: |
 /org/gnome/desktop/screensaver/lock-enabled
- mode: '0644'
+ mode: 'u-x,go-wx'
 notify: dconf update
 when:
 - rhel_08_020082
@@ -2171,7 +2171,7 @@
 - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
 ansible.builtin.file:
 path: "{{ item }}"
- mode: '0755'
+ mode: 'u+x,go-w'
 state: file
 with_items:
 - "{{ rhel_08_010660_change_perms }}"
@@ -2363,7 +2363,7 @@
 dest: /etc/resolv.conf
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 when:
 - rhel_08_010680_networkmanager_check.stdout == '0'
 - rhel8_stig_use_resolv_template
@@ -3259,7 +3259,7 @@
 regexp: '^lock-enabled'
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 line: |
 [org/gnome/desktop/screensaver]
 # Set this to true to lock the screen when the screensaver activates
@@ -3315,7 +3315,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 loop:
 - { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' }
 - { regexp: '^bind X lock-session', line: 'bind X lock-session' }
@@ -3370,7 +3370,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 line: |
 [org/gnome/settings-daemon/peripherals/smartcard]
 removal-action='lock-screen'
@@ -3401,7 +3401,7 @@
 line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 when: rhel_08_020050_removal_action_file.stdout_lines | length == 0
 notify: dconf update
 when:
@@ -3430,7 +3430,7 @@
 create: true
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 regexp: '^idle-delay'
 line: |
 [org/gnome/desktop/session]
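Review bot: `u+x` in the new mode of hunk `@@ -2171` adds owner execute to every path in `rhel_08_010660_change_perms`, which RHEL-08-010660 does not ask for; the remediation for "initialization files must not execute world-writable programs" is to remove world write, nothing more. Any world-writable path the audit collected that is not actually a program becomes executable as a side effect, and `state: file` does nothing to prevent that. `mode: 'go-w'` (or `'o-w'`) is sufficient, still converges to the control, and matches the audit-tools task later in this file. The audit task that fills `rhel_08_010660_change_perms` is outside the hunk, so whether it already filters by type cannot be checked here.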
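Review bot: `u-x,go-wx` on the `/etc/resolv.conf` template in hunk `@@ -2363` never grants group/other read, so a freshly templated file takes its base mode from the remote umask (Ansible creates a new destination as `0666 & ~umask` and then applies the symbolic mode), and a `077` umask, which a STIG-hardened host is likely to carry, yields `0600`. That leaves resolver configuration unreadable to every unprivileged process and breaks name resolution for non-root users, a regression the removed `0644` did not have. This file must be world-readable by design, so use the absolute symbolic form `mode: 'u=rw,go=r'` here, or `'u-x,go-wx,a+r'` if the goal is only to avoid widening an already stricter mode. The task's condition list continues outside the hunk.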
@@ -3446,7 +3446,7 @@
 line: idle-delay=uint32 900
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}"
 when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0
 notify: dconf update
@@ -3478,7 +3478,7 @@
 line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 when:
 - rhel_08_020070
 tags:
@@ -3497,7 +3497,7 @@
 line: /org/gnome/desktop/screensaver/lock-delay
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 when:
 - rhel_08_020080
 - "'dconf' in ansible_facts.packages"
@@ -3518,7 +3518,7 @@
 line: "{{ item.line }}"
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 with_items:
 - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
 - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
@@ -4070,7 +4070,7 @@
 insertafter: "{{ item.insertafter }}"
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 notify: restart sssd
 with_items:
 - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
@@ -4082,7 +4082,7 @@
 line: auth sufficient pam_sss.so try_cert_auth
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 notify: restart sssd
 when: rhel_08_020250_sc_auth_sss.stdout | length == 0
 
@@ -4198,7 +4198,7 @@
 insertafter: "{{ item.insertafter }}"
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 with_items:
 - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
 - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
@@ -4528,7 +4528,7 @@
 ansible.builtin.file:
 path: "{{ rhel08_030070_auditlog_location.stdout }}"
 state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}"
- mode: o-x,go-rwx
+ mode: 'o-x,go-rwx'
 when:
 - rhel_08_030070
 tags:
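Review bot: `o-x` in the newly quoted `'o-x,go-rwx'` of hunk `@@ -4528` is redundant, since `go-rwx` already removes execute for others; the value should simply be `mode: 'go-rwx'`, which also matches the audit-log-directory task later in this file. Quoting is the right call regardless, because it keeps every `mode` in the file in the same string form and guards the templated path task against future edits to a number-looking value. Note the mode stays purely subtractive: on a file the `touch` branch creates, owner bits are whatever the umask leaves, which satisfies the 0600-or-stricter requirement but should be expected when reading the result. The task name sits above the hunk.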
@@ -4656,7 +4656,7 @@
 - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
 ansible.builtin.file:
 path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
- mode: go-rwx
+ mode: 'go-rwx'
 state: directory
 when: rhel_08_030120_audit_log_dir.stdout | length > 0
 when:
@@ -5434,7 +5434,7 @@
 - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
 ansible.builtin.file:
 path: "{{ item }}"
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 with_items:
 - /etc/audit/rules.d/audit.rules
 - /etc/audit/auditd.conf
@@ -5461,7 +5461,7 @@
 - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
 ansible.builtin.file:
 path: "{{ item }}"
- mode: go-w
+ mode: 'go-w'
 with_items:
 - "{{ rhel_08_030620_tools.stdout_lines }}"
 when:
@@ -5532,7 +5532,7 @@
 line: "{{ item }}"
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 with_items:
 - "# Audit Tools"
 - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
@@ -5657,7 +5657,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
 with_items:
@@ -6130,7 +6130,7 @@
 create: true
 owner: root
 group: root
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 notify: change_requires_reboot
 
 - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module"
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 1813522..681c31e 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -239,7 +239,7 @@
 create: true
 owner: root
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 when:
 - rhel_08_020024
 tags:
@@ -382,7 +382,7 @@
 create: true
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 when:
 - rhel_08_030603
 tags:
@@ -628,7 +628,7 @@
 dest: /etc/aide.conf
 owner: root
 group: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 when:
 - rhel_08_040300
 - rhel_08_040310
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 233da60..904474a 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -166,7 +166,7 @@
 ansible.builtin.file:
 path: /etc/dconf/db/local.d/locks
 state: directory
- mode: '0755'
+ mode: 'u+x,go-w'
 when:
 - rhel8stig_always_configure_dconf
 when:
@@ -459,7 +459,7 @@
 ansible.builtin.file:
 path: "{{ rhel8stig_pam_faillock.dir }}"
 state: directory
- mode: '0755'
+ mode: 'u+x,go-w'
 owner: root
 group: root
 recurse: true
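Review bot: With `recurse: true` in hunk `@@ -459`, the new `u+x,go-w` is applied to every entry under `rhel8stig_pam_faillock.dir`, so each regular tally file gains owner execute, which nothing needs (the removed `0755` had the same flaw, so this is a chance to fix it rather than carry it forward). Symbolic `X` exists for exactly this case: `mode: 'u+X,go-w'` adds execute only to directories and to files that already have it, while still stripping group/other write everywhere in the tree. Owner, group and the recursion flag are visible in the hunk and can stay as they are.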