diff --git a/README.md b/README.md
index 9c69ebaa..a8744cff 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`.
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 5 released on Jan 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R5_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 6 released on April 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R6_STIG.zip).
 ## Join us
@@ -145,6 +145,12 @@ uses:
 - runs the audit using the devel branch
 - This is an automated test that occurs on pull requests into devel
+## Known Issues
+
+If adopting stig rule RHEL-08-040134
+
+This will affect cloud init as per https://bugs.launchpad.net/cloud-init/+bug/1839899
+
 ## Support
 This is a community project at its core and will be managed as such.
diff --git a/defaults/main.yml b/defaults/main.yml
index c740213b..d92fedd9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -885,6 +885,11 @@ rhel8stig_tmux_lock_after_time: 900
 rhel8stig_sudo_timestamp_timeout: 1
 #### Goss Configuration Settings ####
+# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
+audit_run_script_environment:
+ AUDIT_BIN: "{{ audit_bin }}"
+ AUDIT_FILE: 'goss.yml'
+ AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
 ### Goss binary settings ###
 goss_version:
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 98a952a5..fe44c993 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1166,7 +1166,7 @@
 - CAT2
 - CCI-001749
 - SRG-OS-000366-GPOS-00153
- - SV-230266r792870_rule
+ - SV-230266r818816_rule
 - V-230266
 - sysctl
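Review bot: The comment introducing `audit_run_script_environment` in the defaults/main.yml hunk ends with a stray `"` and embeds `{{ benchmark }}`, which is never templated inside a comment; I would make it `# Environment exported to run_audit.sh (fetched from https://github.com/ansible-lockdown/<benchmark>-Audit.git)`. Because `audit_bin` and `audit_out_dir` are role defaults, any inventory or extra-vars override changes which binary the audit task executes and where its results are written, presumably with elevated privileges given the remediation this role performs, so a one-line comment that these values must come only from trusted variable sources would be worth adding. The mixed quoting (`'goss.yml'` against `"{{ ... }}"`) is harmless but inconsistent with the neighbouring double-quoted values.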
@@ -1182,7 +1182,7 @@
 - CAT2
 - CCI-002165
 - SRG-OS-000312-GPOS-00122
- - SV-230267r792873_rule
+ - SV-230267r818819_rule
 - V-230267
 - sysctl
@@ -1198,7 +1198,7 @@
 - CAT2
 - CCI-002165
 - SRG-OS-000312-GPOS-00122
- - SV-230268r792876_rule
+ - SV-230268r818822_rule
 - V-230268
 - sysctl
@@ -1475,7 +1475,7 @@
 - CAT2
 - CCI-002824
 - SRG-OS-000433-GPOS-00193
- - SV-230280r792891_rule
+ - SV-230280r818831_rule
 - V-230280
 - sysctl
@@ -2141,7 +2141,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230311r792894_rule
+ - SV-230311r818834_rule
 - V-230311
 - sysctl
@@ -3442,7 +3442,7 @@
 - CAT2
 - CCI-000187
 - SRG-OS-000068-GPOS-00036
- - SV-230355r627750_rule
+ - SV-230355r818836_rule
 - V-230355
 - authentication
@@ -4762,7 +4762,7 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-244542r743875_rule
+ - SV-244542r818838_rule
 - V-244542
 - auditd
@@ -5581,7 +5581,7 @@
 - CAT2
 - CCI-001851
 - SRG-OS-000342-GPOS-00133
- - SV-230481r627750_rule
+ - SV-230481r818840_rule
 - V-230481
 - auditd
 - rsyslog
@@ -6468,7 +6468,7 @@
 - CAT2
 - CI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-244550r792987_rule
+ - SV-244550r818845_rule
 - V-244550
 - ipv4
@@ -6485,7 +6485,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230535r792936_rule
+ - SV-230535r818848_rule
 - V-230535
 - icmp
@@ -6501,7 +6501,7 @@
 - CAT2
 - CCI-00036
 - SRG-OS-000480-GPOS-00227
- - SV-230536r792939_rule
+ - SV-230536r818851_rule
 - V-230536
 - icmp
@@ -6517,7 +6517,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230537r792942_rule
+ - SV-230537r818854_rule
 - V-230537
 - icmp
@@ -6533,7 +6533,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-244551r792990_rule
+ - SV-244551r818857_rule
 - V-244551
 - ip4
@@ -6550,7 +6550,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230538r792945_rule
+ - SV-230538r818860_rule
 - V-230538
 - icmp
@@ -6566,7 +6566,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-244552r792993_rule
+ - SV-244552r818863_rule
 - V-244552
 - ipv4
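Review bot: The tag `CI-000366` in the `@@ -6468` hunk (the SV-244550 / V-244550 task) is missing a letter: the other SRG-OS-000480-GPOS-00227 tasks visible in this diff tag the same control as `CCI-000366`, so this line should read `- CCI-000366`. As written, a run filtered with `--tags CCI-000366` silently skips this task while appearing to cover the control. The task's name and module lines lie outside the hunk, so I could not check whether anything else in it depends on that tag.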
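Review bot: The tag `CCI-00036` in the `@@ -6501` hunk (the SV-230536 / V-230536 task) is truncated by one digit; every other SRG-OS-000480-GPOS-00227 task in this diff uses `CCI-000366`, so the line should be `- CCI-000366`. The truncated tag means a tag-based audit or remediation filter on the CCI will not reach this task. The rest of the task definition is outside the hunk.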
@@ -6583,7 +6583,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230539r792948_rule
+ - SV-230539r818866_rule
 - V-230539
 - icmp
@@ -6600,7 +6600,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-250317r793008_rule
+ - SV-250317r818869_rule
 - V-250317
 - icmp
@@ -6617,7 +6617,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230540r792951_rule
+ - SV-230540r818872_rule
 - V-230540
 - icmp
@@ -6635,7 +6635,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230541r792954_rule
+ - SV-230541r818875_rule
 - V-230541
 - icmp
@@ -6653,7 +6653,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230542r792957_rule
+ - SV-230542r818878_rule
 - V-230542
 - icmp
@@ -6669,7 +6669,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230543r792960_rule
+ - SV-230543r818881_rule
 - V-230543
 - icmp
@@ -6685,7 +6685,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-244553r792996_rule
+ - SV-244553r818884_rule
 - V-244553
 - ipv4
@@ -6702,7 +6702,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230544r792963_rule
+ - SV-230544r818887_rule
 - V-230544
 - icmp
@@ -6718,7 +6718,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230545r792966_rule
+ - SV-230545r818890_rule
 - V-230545
 - sysctl
@@ -6734,7 +6734,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230546r792969_rule
+ - SV-230546r818893_rule
 - V-230546
 - sysctl
@@ -6750,7 +6750,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230547r792972_rule
+ - SV-230547r818896_rule
 - V-230547
 - sysctl
@@ -6766,7 +6766,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230548r792975_rule
+ - SV-230548r818899_rule
 - V-230548
 - sysctl
@@ -6782,7 +6782,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-230549r792978_rule
+ - SV-230549r818902_rule
 - V-230549
 - sysctl
@@ -6798,7 +6798,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - V-244554r792999_rule
+ - SV-244554r818905_rule
 - V-244554
 - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction"
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 5447ddcf..7b52afbf 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -43,7 +43,7 @@
 - CAT3
 - CCI-001090
 - SRG-OS-000138-GPOS-00069
- - SV-230269r792879_rule
+ - SV-230269r818825_rule
 - V-230269
 - sysctl
@@ -58,7 +58,7 @@
 - CAT3
 - CCI-001090
 - SRG-OS-000138-GPOS-00069
- - SV-230270r792882_rule
+ - SV-230270r818828_rule
 - V-230270
 - sysctl
@@ -428,7 +428,7 @@
 - CAT3
 - CCI-000381
 - SRG-OS-000095-GPOS-00049
- - SV-230491r792908_rule
+ - SV-230491r818842_rule
 - V-230491
 - grub
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index fec86d78..9036338e 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -2,6 +2,7 @@
 - name: "Post Audit | Run post_remediation {{ benchmark }} audit"
 shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ environment: "{{ audit_run_script_environment|default({}) }}"
 changed_when: rhel8stig_run_post_remediation.rc == 0
 register: rhel8stig_run_post_remediation
 vars:
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index a4d40082..4d3c0bd2 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -90,6 +90,7 @@
 - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
 shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+ environment: "{{ audit_run_script_environment|default({}) }}"
 changed_when: rhel8stig_run_pre_remediation.rc == 0
 register: rhel8stig_run_pre_remediation
 vars:
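Review bot: In the post_remediation_audit.yml hunk, `environment: "{{ audit_run_script_environment|default({}) }}"` falls back to an empty environment when the variable is undefined, so a mistyped override or a defaults file that is not loaded would let run_audit.sh run with whatever AUDIT_BIN, AUDIT_FILE and AUDIT_CONTENT_LOCATION it presumably carries internally, and the post-remediation report would not come from the configured binary or land in the configured output directory with nothing flagging it. Since this commit defines the variable in defaults/main.yml, the filter buys nothing; `environment: "{{ audit_run_script_environment }}"` fails early and visibly instead. The task body continues past the hunk (`vars:` is cut off).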
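Review bot: In the pre_remediation_audit.yml hunk, the `|default({})` on the new `environment:` line silently masks an undefined `audit_run_script_environment`: the pre-remediation baseline would then be produced by run_audit.sh without the configured `audit_bin`/`audit_out_dir`, and because the task still succeeds there is no signal that the baseline and the post-remediation run were produced under different settings. I would drop the filter, `environment: "{{ audit_run_script_environment }}"`, so that a missing definition aborts the play rather than degrading the audit. The task definition continues beyond the hunk.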
diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2
index 4adf6704..3a40910d 100644
--- a/templates/99-sysctl.conf.j2
+++ b/templates/99-sysctl.conf.j2
@@ -78,7 +78,7 @@ net.ipv6.conf.all.accept_source_route = 0
 {% endif %}
 {% if rhel_08_040249 %}
-# RHEL-08-040240
+# RHEL-08-040249
 net.ipv4.conf.default.accept_source_route = 0
 {% endif %}