diff --git a/Changelog.md b/Changelog.md index a49d2bcd..b38dfadf 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to RHEL8STIG +## 2.9.1 + +- Issue #204 address + - tidy up of prelim +- update to allow against container + - vars/is_container.yml updated and aligned +- prelim fqcn + ## 2.9.0 Stig V1R10 27th April 2023 - Added new controls diff --git a/ansible.cfg b/ansible.cfg index 427d0fa3..dbe143da 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,7 +7,7 @@ nocows=1 retry_files_save_path=/dev/null # Use the YAML callback plugin. -stdout_callback = yaml +# stdout_callback = yaml # Use the stdout_callback when running ad-hoc commands. bin_ansible_callbacks = True diff --git a/handlers/main.yml b/handlers/main.yml index 2f59864e..e7f323d7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -111,6 +111,8 @@ - name: rebuild initramfs ansible.builtin.shell: dracut -f + when: + - not system_is_container - name: undo existing prelinking ansible.builtin.shell: prelink -ua diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 59c223f4..7b147fa5 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -18,9 +18,7 @@ block: - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" ansible.builtin.package: - name: - - dracut-fips - - crypto-policies-scripts + name: dracut-fips state: present notify: - rebuild initramfs 
@@ -95,13 +93,13 @@ with_items: - "{{ ansible_mounts | json_query(query) }}" vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]" + query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'] | [0]" key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} insert: true when: - - rhel8stig_boot_part not in ['/', ''] + - rhel8stig_boot_part.stdout not in ['/', ''] - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed notify: confirm grub2 user cfg @@ -114,12 +112,12 @@ - fips=1 - boot=UUID={{ ansible_mounts | json_query(query) }} vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]" + query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]" register: rhel_08_010020_audit when: - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - - "rhel8stig_boot_part not in ['/', ''] or + - "rhel8stig_boot_part.stdout not in ['/', ''] or 'boot=' not in item" changed_when: - ansible_check_mode @@ -129,7 +127,6 @@ - not ansible_check_mode or rhel_08_010020_audit.rc > 1 when: - - not system_is_container - rhel_08_010020 tags: - RHEL-08-010020 @@ -193,7 +190,6 @@ mode: 0640 notify: confirm grub2 user cfg when: - - not system_is_container - not system_is_ec2 - rhel_08_010140 or rhel_08_010150 @@ -415,7 +411,6 @@ notify: systemctl daemon-reload when: - rhel_08_040170 - - not system_is_container tags: - RHEL-08-040170 - CAT1 @@ -474,7 +469,6 @@ notify: systemctl daemon-reload when: - rhel_08_040172 - - not system_is_container tags: - RHEL-08-040172 - CAT1 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0817bd69..4b62cf1b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -478,7 +478,6 @@ notify: change_requires_reboot when: - rhel_08_010170 or rhel_08_010450 - - not system_is_container - rhel8stig_disruption_high tags: - CAT2 @@ -569,7 +568,6 @@ - rhel_08_010210 or rhel_08_010220 or rhel_08_010230 - - not system_is_container tags: - CAT2 - RHEL-08-010210 
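Review bot: Removing `- not system_is_container` from the RHEL-08-010020 `when:` in the @@ -129 hunk leaves skipping of grub and initramfs work in containers entirely to `rhel_08_010020` being set false by `vars/is_container.yml`, and the same applies to the @@ -193 (010140/010150), @@ -415 (040170) and @@ -474 (040172) hunks here and to the fix-cat2 @@ -478 and @@ -569 hunks. That vars file is loaded only when the detection block in tasks/main.yml matches, so a host where `system_is_container` is true by inventory override but the file was not included would now run bootloader and initramfs remediation it previously skipped. Of the controls whose guard is dropped in these hunks, only 010210/010220/010230 and 010170/010450 appear among the `false` entries added to vars/is_container.yml in this commit; unless 010020, 010140, 010150, 040170 and 040172 are already false in the unchanged part of that file, they will execute inside a detected container. Keeping the per-task guard as defence in depth costs one line each, `- not system_is_container`; the enclosing tasks start outside these hunks.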
@@ -1398,7 +1396,6 @@ state: present when: - rhel_08_010410 - - not system_is_container tags: - RHEL-08-010410 - CAT2 @@ -1975,7 +1972,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010600 - - not (rhel8stig_system_is_chroot and system_is_container) + - not rhel8stig_system_is_chroot tags: - RHEL-08-010600 - CAT2 @@ -2376,7 +2373,6 @@ when: - rhel_08_010680 - not rhel8stig_system_is_chroot - - not system_is_container - not system_is_ec2 tags: - RHEL-08-010680 @@ -3242,7 +3238,6 @@ when: - rhel_08_020027 or rhel_08_020028 - - not system_is_container tags: - RHEL-08-020027 - RHEL-08-020028 @@ -5837,7 +5832,6 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not system_is_container - rhel8stig_firewall_service == "firewalld" - rhel8stig_start_firewall_service tags: @@ -5872,7 +5866,6 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not system_is_container - rhel8stig_firewall_service == "iptables" - rhel8stig_start_firewall_service tags: @@ -6132,7 +6125,6 @@ - { regexp: '^blacklist bluetooth', line: 'blacklist bluetooth', insertafter: '#blacklist bluetooth kernel module' } when: - rhel_08_040111 - - not system_is_container tags: - RHEL-08-040111 - CAT2 @@ -6490,7 +6482,6 @@ - rhel_08_040139 or rhel_08_040140 or rhel_08_040141 - - not system_is_container tags: - RHEL-08-040139 - RHEL-08-040140 @@ -7347,7 +7338,6 @@ when: - rhel_08_040330 - not rhel8stig_net_promisc_mode_required - - not system_is_container tags: - RHEL-08-040330 - CAT2 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 4dadae25..ac9b6dc3 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -151,7 +151,6 @@ when: - rhel_08_010471 or rhel_08_010472 - - not system_is_container tags: - RHEL-08-010471 - RHEL-08-010472 diff --git a/tasks/main.yml b/tasks/main.yml index 7a6b91f6..ab438ff9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
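Review bot: The RHEL-08-010600 condition in the @@ -1975 hunk changes meaning rather than just dropping the container guard: `not (rhel8stig_system_is_chroot and system_is_container)` skipped the task only when both were true, whereas `not rhel8stig_system_is_chroot` now skips it on every chroot, including non-container chroots where it used to run. If the intent is only to delegate the container case to the new `rhel_08_010600: false` in vars/is_container.yml, the condition line can simply be removed; if chroots are meant to be excluded, that is a behaviour change that deserves a Changelog line rather than being filed under "tidy up". The enclosing task starts outside the hunk.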
@@ -26,6 +26,28 @@ tags: - always +- name: Setup rules if container + block: + - name: Discover and set container variable if required + ansible.builtin.set_fact: + system_is_container: true + + - name: Load variable for container + ansible.builtin.include_vars: + file: "{{ container_vars_file }}" + + - name: output if discovered is a container + ansible.builtin.debug: + msg: system has been discovered as a container + when: + - system_is_container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - container_discovery + - always + - name: "Check password set for connecting user" block: - name: Capture current password state of connecting user" @@ -68,28 +90,6 @@ - RHEL-08-010141 - RHEL-08-010149 -- name: Setup rules if container - block: - - name: Discover and set container variable if required - ansible.builtin.set_fact: - system_is_container: true - - - name: Load variable for container - ansible.builtin.include_vars: - file: "{{ container_vars_file }}" - - - name: output if discovered is a container - ansible.builtin.debug: - msg: system has been discovered as a container - when: - - system_is_container - when: - - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - container_discovery - - always - - name: Include OS specific variables ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" tags: @@ -175,9 +175,7 @@ - change_requires_reboot - not rhel8stig_skip_reboot tags: - - CAT1 - - CAT2 - - CAT3 + - always - name: Include post-remediation tasks ansible.builtin.import_tasks: post_remediation_audit.yml @@ -200,6 +198,4 @@ - change_requires_reboot - rhel8stig_skip_reboot tags: - - CAT1 - - CAT2 - - CAT3 + - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 816515a1..b6436d95 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
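Review bot: Container detection in the relocated block still rests on `ansible_connection == 'docker'` plus a fixed list of `ansible_virtualization_type` values, and it now carries more weight because the per-task `not system_is_container` guards are removed elsewhere in this commit. Hosts reached through the `community.docker.docker` or `containers.podman.podman` connection plugins, or nested containers where `ansible_virtualization_type` reports the outer hypervisor, would fall through and receive bootloader, initramfs, kernel-module and firewall remediation. An inventory override of `system_is_container: true` also does not load `container_vars_file`, because the block `when:` never consults that variable; consider `- system_is_container | default(false) or ansible_connection in ['docker', 'community.docker.docker', 'containers.podman.podman'] or ansible_virtualization_type in [...]` and, if the role's minimum ansible-core is 2.13 or newer, checking `ansible_virtualization_tech_guest` as well. The retagging of the reboot tasks to `always` at @@ -175 and @@ -200 looks intentional but is not mentioned in the Changelog entry.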
@@ -1,15 +1,56 @@ --- + +- name: "PRELIM | RHEL-08-010020" + block: + - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" + ansible.builtin.shell: df --output=target /boot | tail -n 1 + changed_when: false + check_mode: false + register: rhel8stig_boot_part + + - name: "PRELIM | RHEL-08-010020 | crypto-policies-scripts package for FIPS" + ansible.builtin.package: + name: crypto-policies-scripts + state: present + when: + - "'crypto-policies-scripts' not in ansible_facts.packages" + when: + - rhel_08_010020 + tags: + - RHEL-08-010020 + - CAT1 + - CCI-000068 + - SRG-OS-000033-GPOS-00014 + - SV-230223r792855_rule + - V-230223 + +- name: "PRELIM | RHEL-08-010020 | RHEL-08-010140 | RHEL-08-010150| Install grub2-tools." + ansible.builtin.package: + name: grub2-tools + when: + - not system_is_container + - "'grub2-tools' not in ansible_facts.packages" + - rhel_08_010020 or + rhel_08_010140 or + rhel_08_010150 + tags: + - cat1 + - high + - RHEL-08-010020 + - RHEL-08-010140 + - RHEL-08-010150 + - name: "PRELIM | dconf" block: - name: "PRELIM | Install dconf" - package: + ansible.builtin.package: name: dconf when: - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - name: dconf directory structure - file: + ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory mode: '0755' @@ -33,7 +74,7 @@ # - rhel_08_040180 - removed from section 1 waiting to see if it comes up somewhere else - name: "PRELIM | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" check_mode: false changed_when: false failed_when: false 
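Review bot: The moved grub2-tools task in the @@ -1 hunk is tagged `cat1` and `high` while the new RHEL-08-010020 block directly above it and the consuming tasks in fix-cat1.yml use `CAT1`; tags are case-sensitive, so a run limited with `--tags CAT1` installs `dracut-fips` but skips the grub2-tools prerequisite. Aligning the moved task to `- CAT1` (and dropping or upper-casing `high`) fixes that. Separately, the `df` result is now registered as `rhel8stig_boot_part`, the same name fix-cat1.yml previously read as a plain variable; if defaults/main.yml still defines `rhel8stig_boot_part` as a string, the registered dict shadows it and the default should be removed so the `.stdout` accesses in fix-cat1.yml are the only contract.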
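Review bot: The sudoers `find` task in the @@ -33 hunk was `command:` and becomes `ansible.builtin.shell:` instead of `ansible.builtin.command:`, as does the `ssh-keygen` task in the prelim.yml @@ -260 hunk; the FQCN conversion should not switch module. Neither command line needs a shell (no pipes, globbing is deliberately quoted, and `command` splits arguments with shlex so `'*~'` and `-N ''` survive), so routing them through `/bin/sh` only adds an interpretation layer and will trip ansible-lint's `command-instead-of-shell`. The fix is `ansible.builtin.command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"` here and `ansible.builtin.command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096` in the SSH block.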
@@ -47,25 +88,8 @@ - RHEL-08-010380 - sudo -- name: "PRELIM | RHEL-08-010020 | RHEL-08-010140 | RHEL-08-010150| Install grub2-tools." - package: - name: grub2-tools - when: - - not system_is_container - - "'grub2-tools' not in ansible_facts.packages" - - rhel_08_010020 or - rhel_08_010140 or - rhel_08_010150 - - tags: - - cat1 - - high - - RHEL-08-010020 - - RHEL-08-010140 - - RHEL-08-010150 - - name: "PRELIM | Gather chroot status" - setup: + ansible.builtin.setup: gather_subset: chroot,!all,!min filter: ansible_is_chroot when: @@ -74,7 +98,7 @@ - always - name: "PRELIM | Gather mount information" - setup: + ansible.builtin.setup: gather_subset: hardware,!all,!min filter: ansible_mounts when: @@ -83,7 +107,7 @@ - always - name: ensure cronie is available - package: + ansible.builtin.package: name: cronie when: - not system_is_container @@ -95,7 +119,7 @@ - RHEL-08-010360 - name: "PRELIM | RHEL-08-010740 | RHEL-08-010750 | RHEL-08-020320 | Parse /etc/passwd" - import_tasks: parse_etc_passwd.yml + ansible.builtin.import_tasks: parse_etc_passwd.yml vars: rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" when: @@ -118,13 +142,13 @@ - name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use" block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero - assert: + ansible.builtin.assert: that: - rhel8stig_auto_mount_home_dirs_local_mount_point is defined - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories - set_fact: + ansible.builtin.set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" when: 
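Review bot: The `local_interactive_user_dir_command` value in the @@ -118 hunk opens a single quote before `{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}` and never closes it, so the string later passed to `ansible.builtin.shell` in the next hunk is a shell syntax error. That consuming task runs with `failed_when: false`, so the error would be swallowed, `rhel_08_010690_getent.stdout_lines` would come back empty, and the home-directory controls that read `rhel_08_stig_interactive_homedir_results` would silently have nothing to check. The line is unchanged by this commit, but since the task is being touched the fix is `local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}'"`. The enclosing block's `when:` continues outside the hunk.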
@@ -134,7 +158,7 @@ - complexity-high - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories" - shell: "{{ local_interactive_user_dir_command }}" + ansible.builtin.shell: "{{ local_interactive_user_dir_command }}" register: rhel_08_010690_getent changed_when: false failed_when: false @@ -143,7 +167,7 @@ - complexity-high - name: "PRELIM | RHEL-08-010690 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_results: "{{ rhel_08_010690_getent.stdout_lines }}" when: rhel_08_010690_getent.stdout_lines is defined tags: @@ -151,7 +175,7 @@ - complexity-high - name: "PRELIM | RHEL-08-010070 | RHEL-08-030010 | Ensure rsyslog is installed when required." - package: + ansible.builtin.package: name: rsyslog when: - not system_is_container @@ -164,20 +188,8 @@ - RHEL-08-010070 - RHEL-08-030010 -- name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" - shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel_08_boot_part - when: - - rhel_08_010020 - tags: - - cat1 - - high - - RHEL-08-010020 - - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." - package: + ansible.builtin.package: name: audispd-plugins when: - not system_is_container 
@@ -195,31 +207,10 @@ - RHEL-08-030640 - RHEL-08-030650 -# - name: "PRELIM | RHEL-08-030330 | Determine audit log partition." -# block: -# - name: "PRELIM | RHEL-08-030330 | Find audit.log location" -# command: grep -oP '^log_file\s*=\s*\K.*?(?=\s*$)' /etc/audit/auditd.conf -# changed_when: false -# check_mode: false -# register: rhel_08_audit_log_file - -# - name: "PRELIM | RHEL-08-030330 | Find partition holding audit.log" -# shell: df --output=target {{ rhel_08_audit_log_file.stdout }} | tail -n 1 -# changed_when: false -# check_mode: false -# register: rhel_08_audit_part -# when: -# - rhel_08_030330 -# tags: -# - cat2 -# - medium -# - auditd -# - RHEL-08-030330 - - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Install and initialize AIDE" block: - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Install AIDE" - package: + ansible.builtin.package: name: aide state: present notify: "{{ rhel8stig_aide_handler }}" @@ -227,7 +218,7 @@ - "'aide' not in ansible_facts.packages" - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Check for existing AIDE database" - stat: + ansible.builtin.stat: path: "{{ rhel8stig_aide_db_file }}" register: rhel8stig_aide_db_status check_mode: false @@ -248,7 +239,7 @@ - RHEL-08-040310 - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies" - package: + ansible.builtin.package: name: libselinux-utils state: present when: 
@@ -260,32 +251,32 @@ - name: "PRELIM | Bare bones SSH Server" block: - name: "PRELIM | Install SSH" - package: + ansible.builtin.package: name: openssh-server state: present when: - "'openssh-server' not in ansible_facts.packages" - name: PRELIM | Start SSH - service: + ansible.builtin.service: name: sshd state: "{{ rhel8stig_service_started }}" enabled: true - name: PRELIM | check if ssh host key exists - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel8stig_ssh_host_rsa_key_stat - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed - command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 + ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key when: - rhel8stig_ssh_required - name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." - shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010770_ini_file_list changed_when: false @@ -301,7 +292,7 @@ - complexity-high - name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_inifiles: "{{ rhel_08_010770_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: - rhel_08_stig_interactive_homedir_results is defined 
@@ -316,12 +307,12 @@ - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" block: - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - stat: + ansible.builtin.stat: path: "{{ rhel8stig_sssd_conf }}" register: rhel8stig_sssd_conf_present - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" - debug: + ansible.builtin.debug: msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: @@ -341,30 +332,30 @@ - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" - shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel8stig_min_uid - name: "PRELIM | Gather interactive user ID max" - shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel8stig_max_uid - name: "PRELIM | Setting the fact" - set_fact: + ansible.builtin.set_fact: rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: "PRELIM | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel8_efi_boot tags: 
@@ -374,14 +365,14 @@ - name: PRELIM | set bootloader type block: - name: "PRELIM | set fact if UEFI boot" - set_fact: + ansible.builtin.set_fact: rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists - name: "PRELIM | set fact if UEFI boot | Oracle Linux" - set_fact: + ansible.builtin.set_fact: rhel8stig_bootloader_path: /boot/efi/EFI/redhat rhel8stig_legacy_boot: false when: @@ -389,13 +380,13 @@ - ansible_distribution == 'Oracle Linux' - name: "PRELIM | set if not UEFI boot" - set_fact: + ansible.builtin.set_fact: rhel8stig_bootloader_path: /boot/grub2/ rhel8stig_legacy_boot: true when: not rhel8_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state - debug: + ansible.builtin.debug: msg: - "bootloader path set to {{ rhel8stig_bootloader_path }}" - "legacy boot equals {{ rhel8stig_legacy_boot }}" @@ -405,13 +396,13 @@ - name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | REHL-08-020028 | If using selinux set up system prereqs" block: - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils" - package: + ansible.builtin.package: name: policycoreutils-python-utils state: present when: "'policycoreutils-python-utils' not in ansible_facts.packages" - name: "PRELIM | RHEL-08-020027 | create faillock dir if rhel_08_020027" - file: + ansible.builtin.file: path: "{{ rhel8stig_pam_faillock.dir }}" state: directory mode: 0755 @@ -427,5 +418,5 @@ rhel_08_020028 - name: "PRELIM | Section 1.1 | Create list of mount points" - set_fact: + ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" diff --git a/vars/is_container.yml b/vars/is_container.yml index 5241528e..f8f2f8c2 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -1,4 +1,3 @@ ---- # Container vars file rhel8stig_ssh_required: false 
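Review bot: The @@ -1,4 hunk for vars/is_container.yml deletes the `---` document-start marker while every other YAML file in this commit keeps it (prelim.yml's first context line is `---`), so the role becomes inconsistent and yamllint's default `document-start` rule will flag the file. Unless some consumer concatenates this file into another document, the line should stay: `---`. The Changelog describes the file as "updated and aligned", which this removal contradicts.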
@@ -94,6 +93,9 @@ rhel_08_030063: false # rsyslog rhel_08_010070: false rhel_08_010561: false +rhel_08_010210: false +rhel_08_010220: false +rhel_08_010230: false rhel_08_030010: false rhel_08_030670: false rhel_08_030680: false @@ -101,6 +103,12 @@ rhel_08_030690: false rhel_08_030710: false rhel_08_030720: false +# selinux +rhel_08_010170: false +rhel_08_010450: false +rhel_08_020027: false +rhel_08_020028: false + ## mounts # /tmp rhel_08_010543: false @@ -133,6 +141,7 @@ rhel_08_010572: false # rhel_08_010580: false # /media +rhel_08_010600: false rhel_08_010610: false # /mnt rhel_08_010620: false @@ -149,6 +158,7 @@ rhel_08_010540: false # firewall rhel8stig_firewall_service: not_required +rhel_08_040030: false # fapolicy rhel_08_040135: false @@ -197,3 +207,15 @@ rhel_08_010381: false rhel_08_010382: false rhel_08_010383: false rhel_08_010384: false + +# Other +rhel_08_010410: false +rhel_08_010472: false +rhel_08_010672: false +rhel_08_010680: false +rhel_08_040111: false +rhel_08_040139: false +rhel_08_040140: false +rhel_08_040141: false +rhel_08_040180: false +rhel_08_040330: false
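Review bot: The new `false` entries cover most, but apparently not all, of the controls whose `not system_is_container` guard this commit removes: fix-cat3.yml @@ -151 drops the guard for `rhel_08_010471 or rhel_08_010472`, yet only `rhel_08_010472: false` is added here, and fix-cat1.yml's 010020, 010140, 010150, 040170 and 040172 do not appear in the additions either. If those keys are not already false in the unchanged part of this file, the corresponding tasks will now run inside a detected container. Adding `rhel_08_010471: false` beside `rhel_08_010472: false` and verifying the others closes the gap. `rhel_08_040180: false` is also added under `# Other` although the prelim.yml comment records that control as removed from section 1, so it may no longer gate anything.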