diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f80796..cf55dc7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks diff --git a/Changelog.md b/Changelog.md index f38e3af..70fc25e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,36 @@ # Changes to RHEL8STIG +## 3.3 STIG V1R14 + +- #232 - thanks to @eday87 @BJSmithIEEE +- #298 thanks to @mikefrompsu +- #299 thanks to @cpu010100 +- thanks to @dglinder + - #301 + - #302 +- ansible config update + +- Added gui discovery option +updated ruleids + +- CAT I + - RHEL-08-020330 - cat1 +- CAT II + - RHEL-08-010040 + - RHEL-08-010070 + - RHEL-08-010200 + - RHEL-08-010201 + - RHEL-08-010423 + - RHEL-08-010520 + - RHEL-08-010521 + - RHEL-08-010522 + - RHEL-08-010550 + - RHEL-08-010830 + - RHEL-08-020350 + - RHEL-08-040161 + - RHEL-08-040340 + - RHEL-08-040341 + ## 3.3 - STIG V1R13 - 24th Jan 2024 - updated audit variables diff --git a/README.md b/README.md index 07f0f5f..987ef8b 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 14 released on 24, April 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R14_STIG.zip). --- diff --git a/ansible.cfg b/ansible.cfg index 8b4596e..0a443cf 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -18,7 +18,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp -ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no +ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ControlMaster=auto -o ControlPersist=60s [accelerate] 
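Review bot: The new `ssh_args` line in ansible.cfg keeps `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` next to the added `ControlMaster=auto -o ControlPersist=60s`, so the control connection that now persists for 60 s still accepts any host key, and a role whose whole purpose is STIG hardening never verifies the identity of the nodes it is reconfiguring as root. If the setting exists only for throwaway CI machines, state that above the line, e.g. `# host-key checking disabled for ephemeral test VMs only; not for production inventories`; otherwise drop those two options and let the known_hosts file (the `record_host_keys=False` in the context above is part of the same trade-off) do its job. Overriding `ssh_args` also replaces Ansible's stock default, which carries a `-C` compression flag; worth a comment if that drop is intentional.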
diff --git a/defaults/main.yml b/defaults/main.yml index ef4fc82..0b43219 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r13' +benchmark_version: 'v1r14' ## Benchmark name used by audting control role # The audit variable found at the base @@ -498,7 +498,7 @@ rhel_08_040300: true rhel_08_040310: true # Whether or not to run tasks related to auditing/patching the desktop environment -rhel8stig_gui: false +rhel8stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" # Whether or not you need kdump. False will disable service and true will leave service rhel8stig_kdump_needed: false diff --git a/site.yml b/site.yml index c56b473..0333fb4 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,8 @@ --- -- hosts: all # noqa: name[play] + +- name: Run RHEL8 STiG hardening + hosts: "{{ hosts | default('all') }}" become: true roles: - - role: "{{ playbook_dir }}" diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a620305..cd95892 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -94,7 +94,7 @@ - change_requires_reboot - name: "HIGH | RHEL-08-010020 | AUDIT | Verify boot kernel parameters in /etc/default/grub" - ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel8stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ prelim_rhel8stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub check_mode: false changed_when: false failed_when: rhel_08_010020_boot_kernel_set.rc not in [ 0, 1 ] 
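Review bot: The new default `rhel8stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"` in defaults/main.yml is a lazily templated string that depends on a register set in tasks/prelim.yml, but the comment above it still describes a plain boolean switch; update it, e.g. `# Auto-detected in tasks/prelim.yml (stat of /usr/share/gnome/gnome-version.xml); set true/false explicitly to override`. Any reference evaluated before that stat task has run (or with the task skipped) falls back to `false` and silently skips the desktop controls instead of failing, so a `prelim_gnome_present is defined` assertion near the first consumer would make that visible. Whether `default()` tolerates the `.stat.exists` chain on an undefined register depends on the ansible-core version in use; worth confirming on the oldest supported one.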
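Review bot: `hosts: "{{ hosts | default('all') }}"` in site.yml means a forgotten `-e hosts=` runs a disruptive, reboot-requiring hardening play against every host in the inventory. Prefer failing closed, e.g. `hosts: "{{ hosts | mandatory }}"`, or defaulting to a dedicated group, and state the expected invocation in a comment such as `# run with: ansible-playbook site.yml -e hosts=<group>`. The hunk also appears to remove the `- role: "{{ playbook_dir }}"` entry under `roles:` without a visible replacement; if the roles list is now empty the play does nothing, so this should be checked against the full file. Minor: `STiG` in the play name is presumably `STIG`.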
@@ -106,13 +106,13 @@ regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" vars: - query: "{{ rhel8stig_boot_part.stdout }}" + query: "{{ prelim_rhel8stig_boot_part.stdout }}" key: GRUB_CMDLINE_LINUX param: boot - value: UUID={{ rhel8stig_boot_uuid.stdout }} + value: UUID={{ prelim_rhel8stig_boot_uuid.stdout }} insert: true when: - - rhel8stig_boot_part.stdout not in ['/', ''] + - prelim_rhel8stig_boot_part.stdout not in ['/', ''] - rhel_08_010020_boot_kernel_set.stdout | length == 0 - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed @@ -125,12 +125,12 @@ check_mode: false with_items: - fips=1 - - boot=UUID={{ rhel8stig_boot_uuid.stdout }} + - boot=UUID={{ prelim_rhel8stig_boot_uuid.stdout }} register: rhel_08_010020_audit when: - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - - "rhel8stig_boot_part.stdout not in ['/', ''] or + - "prelim_rhel8stig_boot_part.stdout not in ['/', ''] or 'boot=' not in item" changed_when: - ansible_check_mode @@ -345,7 +345,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230380r858715_rule + - SV-230380r951612_rule - V-230380 - disruption_high diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 089e812..b755574 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -139,7 +139,7 @@ - RHEL-08-010060 - CCI-000048 - SRG-OS-000023-GPOS-00006 - - SV-230225r858694_rule + - SV-230225r951590_rule - SV-230227r627750_rule - V-230225 - V-230227 @@ -206,7 +206,7 @@ - CAT2 - CCI-000067 - SRG-OS-000032-GPOS-00013 - - SV-230228r627750_rule + - SV-230228r951592_rule - V-230228 - rsyslog @@ -541,7 +541,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-230244r917867_rule + - SV-230244r951594_rule - V-230244 - ssh @@ -560,7 +560,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-244525r917886_rule + - SV-244525r951596_rule - V-244525 - ssh 
@@ -1390,16 +1390,17 @@ - multifactor - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." - ansible.builtin.lineinfile: + community.general.ini_file: path: '{{ rhel8stig_sssd_conf }}' - regexp: '^certificate_verification = {{ item.regexp }}' state: "{{ item.state }}" - line: "{{ item.line | default(omit) }}" + section: "{{ item.section | default(omit) }}" + option: "certificate_verification" + value: "{{ item.value }}" with_items: - - { regexp: 'no_ocsp, no_verification', state: absent } - - { regexp: 'no_ocsp', state: absent } - - { regexp: 'no_verification', state: absent } - - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' } + - { value: 'no_ocsp, no_verification', state: absent } + - { value: 'no_ocsp', state: absent } + - { value: 'no_verification', state: absent } + - { value: 'ocsp_dgst=sha1', state: present, section: "sssd" } notify: restart sssd when: - rhel_08_010400 @@ -1568,7 +1569,7 @@ - CAT2 - CCI-001084 - SRG-OS-000134-GPOS-00068 - - SV-230279r792888_rule + - SV-230279r951598_rule - V-230279 - grub @@ -1699,7 +1700,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230290r858705_rule + - SV-230290r951602_rule - V-230290 - ssh @@ -1718,7 +1719,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230291r858707_rule + - SV-230291r952105_rule - V-230291 - ssh @@ -1736,7 +1737,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-244528r858709_rule + - SV-244528r952106_rule - V-244528 - ssh @@ -1794,7 +1795,7 @@ - CAT2 - CCI-000770 - SRG-OS-000109-GPOS-00056 - - SV-230296r858711_rule + - SV-230296r951608_rule - V-230296 - ssh @@ -2735,7 +2736,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00229 - - SV-230330r858713_rule + - SV-230330r951610_rule - V-230330 - ssh - disruption_high 
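Review bot: In the RHEL-08-010400 rewrite the three `state: absent` items omit `section`, and `community.general.ini_file` without a section only touches options placed before the first `[section]` header, so a stale `certificate_verification` inside `[sssd]` — the section sssd actually reads — is not removed by them; the real work is done by the final `present` item, whose default `exclusive: true` (on collection releases that have the parameter) already replaces any other value of that option in `[sssd]`. The `absent` items can be dropped, or given `section: sssd` if older collection versions must be supported. `ini_file` also creates the file when it is missing (default `create: true`) with umask-derived permissions, while sssd rejects a config that is not root-owned 0600, so add `mode: "0600"` to keep the module from ever leaving the file world-readable. The task's `when:` list continues outside the hunk.
```yaml
  community.general.ini_file:
    path: '{{ rhel8stig_sssd_conf }}'
    mode: "0600"
    section: sssd
    option: certificate_verification
    value: ocsp_dgst=sha1
    state: present
    # exclusive (default true on collection releases that have it) removes other
    # certificate_verification lines in [sssd], so no separate absent items are needed
  notify: restart sssd
  # … unchanged: when/tags …
```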
@@ -3334,11 +3335,9 @@ path: /etc/profile.d/tmux.sh marker: "# " block: | - if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac - fi + ### Updated to recognize other session control per Red Hat Case 03115293 + [ $( /bin/id -u ) -eq 0 ] && [ x$TMUX = x ] && exec tmux + [[ $( /bin/tty ) =~ '/dev/tty' ]] && [ -n "$PS1" -a -z "$TMUX" ] && exec tmux create: true when: - rhel_08_020041 @@ -4303,7 +4302,7 @@ - CAT2 - CCI-000052 - SRG-OS-000480-GPOS-00227 - - SV-230382r858717_rule + - SV-230382r951614_rule - V-230382 - ssh @@ -6593,8 +6592,8 @@ - RHEL-08-040161 - CAT2 - CCI-000068 - - RG-OS-000033-GPOS-00014 - - SV-230527r858719_rule + - SRG-OS-000033-GPOS-00014 + - SV-230527r951616_rule - V-230527 - ssh @@ -7221,7 +7220,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." block: - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances" - ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -Ers "kernel.yama.ptrace_scope\s*=\s*.*" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040282_conflicting_settings @@ -7495,7 +7494,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230555r858721_rule + - V-230555r951618_rule - V-230555 - ssh 
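Review bot: The new first line of the `/etc/profile.d/tmux.sh` block, `[ $( /bin/id -u ) -eq 0 ] && [ x$TMUX = x ] && exec tmux`, drops the `$PS1` interactivity test the removed version had, so any non-interactive login shell for root — `su - root -c '…'`, cron jobs or scripts started with `bash -l` — execs tmux, fails on the missing terminal and never runs its command; that is an availability regression for root automation rather than a hardening gain. Keep the interactive and tty checks on the root path as well and quote the variable: `[ -n "$PS1" ] && [ -z "$TMUX" ] && [ "$(/bin/id -u)" -eq 0 ] && /bin/tty -s && exec tmux`. On the second line `-a` inside `[ ]` is the obsolescent form; two `[ ]` tests joined with `&&` behave the same and are what shellcheck expects. The enclosing task (apparently a blockinfile) starts before the hunk.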
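Review bot: The new audit pattern `"kernel.yama.ptrace_scope\s*=\s*.*"` in RHEL-08-040282 is unanchored with unescaped dots, so a commented-out line such as `# kernel.yama.ptrace_scope = 0` in a vendor drop-in also marks its file as a conflicting instance, and the trailing `\s*.*` adds nothing. Anchor and escape it: `grep -Ers "^\s*kernel\.yama\.ptrace_scope\s*=" …` with the file list unchanged. The loosened pattern also now reports files that already set the required value 1; if the registered `rhel_08_040282_conflicting_settings` list drives a removal step later in this block (outside the hunk), a comment should state that every definition is intentionally superseded by the role's own sysctl file.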
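Review bot: The updated tag in the last hunk of this line reads `V-230555r951618_rule`, while every other rule tag in this diff follows the `SV-<id>r<rev>_rule` pattern and the plain `V-230555` tag already follows on the next line; this looks like a dropped `S`. Change it to `- SV-230555r951618_rule` so `--tags` selection by rule id stays consistent across the role.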
@@ -7513,7 +7512,8 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230556r858723_rule + - SV-230556r951620_rule + - V-230556 - ssh - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6879596..233da60 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -97,27 +97,30 @@ tags: - run_audit -- name: "PRELIM | RHEL-08-010020" - block: - - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel8stig_boot_part +- name: "PRELIM | Find boot partition" + ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then echo "/boot/efi" ; else echo "/boot"; fi + changed_when: false + check_mode: false + register: prelim_rhel8stig_boot_part + tags: + - always - - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions | get UUID" - ansible.builtin.shell: lsblk -f | grep -E "{{ rhel8stig_boot_part.stdout }}$" | awk '{ print $3 }' - changed_when: false - check_mode: false - register: rhel8stig_boot_uuid +- name: "PRELIM | Find boot partition UUID" + ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | grep -v efi | awk '{print $NF}'; fi + changed_when: false + check_mode: false + register: prelim_rhel8stig_boot_uuid + when: + - rhel_08_010020 + tags: + - always - - name: "PRELIM | RHEL-08-010020 | Crypto-policies-scripts package for FIPS" - ansible.builtin.package: - name: crypto-policies-scripts - state: present - when: - - "'crypto-policies-scripts' not in ansible_facts.packages" +- name: "PRELIM | RHEL-08-010020 | Crypto-policies-scripts package for FIPS" + ansible.builtin.package: + name: crypto-policies-scripts + state: present when: + - "'crypto-policies-scripts' not in ansible_facts.packages" - rhel_08_010020 tags: - RHEL-08-010020 @@ -143,6 +146,13 @@ - RHEL-08-010140 - RHEL-08-010150 +- name: "PRELIM | Discover Gnome Desktop Environment" + tags: + - always + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + - name: "PRELIM | dconf" block: - name: "PRELIM | Install dconf" 
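Review bot: `PRELIM | Find boot partition` now echoes `/boot/efi` or `/boot` purely from the presence of `/sys/firmware/efi`, whereas the removed task reported the filesystem that actually holds `/boot` (`/` when it is not a separate partition); the consumers in tasks/fix-cat1.yml still guard on `prelim_rhel8stig_boot_part.stdout not in ['/', '']`, which this output can never fail. On a host without a separate /boot filesystem the UUID task's `grep -w '/boot'` then yields an empty string and a valueless `boot=UUID=` is inserted into `GRUB_CMDLINE_LINUX`, which is likely to break a FIPS boot. Restore the mount lookup, e.g. `ansible.builtin.shell: findmnt -n -o TARGET -T /boot` (prints `/` when /boot lives on the root filesystem), or gate each use in fix-cat1.yml on `prelim_rhel8stig_boot_uuid.stdout | length > 0`; on EFI hosts the kernel's `boot=` should presumably still name the /boot partition rather than the ESP unless /boot is on the ESP, which deserves a comment either way. The UUID task is skipped when `rhel_08_010020` is false, so its `.stdout` is undefined then — fine only while every consumer is gated on the same variable.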
@@ -349,7 +359,7 @@ path: "{{ rhel8stig_aide_db_file }}" register: rhel8stig_aide_db_status check_mode: false - changed_when: not rhel8stig_aide_db_status.stat.exists + changed_when: false notify: "{{ rhel8stig_aide_handler }}" when: - not system_is_container
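Review bot: With `changed_when: false` on the AIDE database stat task, the `notify: "{{ rhel8stig_aide_handler }}"` on the next line can never fire, because handlers are only queued by tasks that report changed; previously a missing `{{ rhel8stig_aide_db_file }}` triggered the handler, presumably the AIDE initialisation. If the database is now initialised elsewhere in this commit, remove the dead `notify:` and say so in a comment; if not, a host with no AIDE database silently keeps no file-integrity baseline, which is exactly the gap the handler existed to close. Either restore the conditional `changed_when` or move the `notify:` onto the task that actually creates the database. The task's `when:` list continues outside the hunk.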