From e031cfc57dba27ea8161a193c786c9bc009894fb Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 Jan 2022 15:16:41 -0500 Subject: [PATCH 001/101] Fix for issue #72 Signed-off-by: George Nalen --- tasks/prelim.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 828ade65..5fd14dc2 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -314,11 +314,6 @@ stat: path: "{{ rhel8stig_sssd_conf }}" register: rhel8stig_sssd_conf_present - when: - - rhel_08_010400 or - rhel_08_020090 or - rhel_08_020250 or - rhel_08_020290 - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" debug: @@ -326,6 +321,11 @@ changed_when: true when: - not rhel8stig_sssd_conf_present.stat.exists + when: + - rhel_08_010400 or + rhel_08_020090 or + rhel_08_020250 or + rhel_08_020290 - name: "PRELIM | Gather interactive user ID min" block: From 512a01d7a9847dd071c4931eb4458d124baccaff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 10 Jan 2022 15:44:02 +0000 Subject: [PATCH 002/101] updated with correct stig version Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 914ef744..7d41be70 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ RHEL 8 DISA STIG Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 3 released on July 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R3_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 4 released on Oct 27, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R4_STIG.zip). Updating -------- 
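Review bot: The indentation of the `when:` added after `- not rhel8stig_sssd_conf_present.stat.exists` in the second tasks/prelim.yml hunk is not recoverable from this view, and it decides whether the fix for #72 is sound. If it sits at the level of the enclosing block, the stat task and the warning task are now skipped together and the `.stat.exists` lookup can no longer hit an unset register; if it sits at the task level it is a second `when` key on the debug task, which most YAML loaders resolve silently by keeping the last value, dropping the `not ...stat.exists` guard. The enclosing block starts before this hunk. A comment above the moved key such as `# block-level: gates both the stat and the warning so the register is always defined when read` would make the intent explicit.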
From aa8f1381e6e3e3cb004cc2b943bb246807c3cc69 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 12 Jan 2022 16:28:24 -0500 Subject: [PATCH 003/101] Fixe for issue #75 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 32f9142a..9d8ed5cc 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6686,7 +6686,7 @@ - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sys + notify: update sysctl when: - rhel_08_040259 - not rhel8stig_system_is_router @@ -6702,7 +6702,7 @@ - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sys + notify: update sysctl when: - rhel_08_040260 - not rhel8stig_system_is_router From 7bb12ca8467bd9c091865f5e6dcfaa680eafcc73 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 09:52:18 +0000 Subject: [PATCH 004/101] updated 10001 check and warning statements Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 9d8ed5cc..bb9becdf 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
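Review bot: Correcting `notify: update sysctl` in both tasks/fix-cat2.yml hunks (RHEL-08-040259 and RHEL-08-040260) only helps if the `debug` task reports a change; a `debug` task is never `changed` unless it carries `changed_when: true`, and no `changed_when` is visible in either hunk's context. If it is not set further down the task (outside the hunk), the handler never fires and the packet-forwarding sysctl is never written, despite the message saying it is. Add `changed_when: true` beside the notify, or apply the value directly with the `sysctl` module instead of a `debug` task.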
@@ -5,16 +5,18 @@ - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" debug: msg: - - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" + - "WARNING!! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" - "McAfee is the suggested by STIG" when: - - "'mcafeetp' or 'mfetpd' not in ansible_facts.packages" + - "'mcafeetp' not in ansible_facts.packages or + 'mfetpd' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" debug: msg: "Congratulations! You have McAfee installed" when: - - "'mcafeetp' or 'mfetpd' in ansible_facts.packages" + - "'mcafeetp' in ansible_facts.packages or + 'mfetpd' in ansible_facts.packages" when: - rhel_08_040286 - rhel8stig_av_sftw == 'mcafee' @@ -180,7 +182,7 @@ - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" debug: msg: - - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" + - "WARNING!! The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" - "{{ rhel_08_010090_certs_list.stdout_lines }}" when: 
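Review bot: The two rewritten conditions in the RHEL-08-010001 block are not complementary: `'mcafeetp' not in ... or 'mfetpd' not in ...` raises the warning when either package is absent, while `'mcafeetp' in ... or 'mfetpd' in ...` prints the congratulation when either is present, so a host with exactly one of the two installed gets both messages. If either package counts as the tool being present, the first should use `and`: `- "'mcafeetp' not in ansible_facts.packages and 'mfetpd' not in ansible_facts.packages"`. Separately, the block-level `when:` in the context lines gates this AV check on `rhel_08_040286` rather than `rhel_08_010001`, which looks like a copy-paste and means the control is toggled by an unrelated setting — worth confirming. The multi-line plain-scalar form also relies on YAML folding; a single quoted line is less fragile.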
@@ -1469,7 +1471,7 @@ - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." debug: - msg: "WARNING!!!! /tmp is not mounted on a separate partition" + msg: "WARNING!! /tmp is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: @@ -2239,7 +2241,7 @@ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" debug: msg: - - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" + - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - "{{ rhel_08_010720_user_list.stdout_lines }}" when: rhel_08_010720_user_list.stdout | length > 0 when: @@ -2466,7 +2468,7 @@ - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." debug: - msg: "WARNING!!!! /home is not mounted on a separate partition" + msg: "WARNING!! /home is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: @@ -3757,7 +3759,7 @@ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." debug: msg: - - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" + - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - "{{ rhel_08_020270_system_users.stdout_lines }}" when: - rhel_08_020270 From c1e3d12c63b2e2506f64168f4d25a8e87ba396e6 Mon Sep 17 00:00:00 2001 
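Review bot: The rewritten RHEL-08-020270 message in the last hunk keeps several typos in operator-facing text: `If any where emergency accounts plese make sure ... resovled` should read `If any were emergency accounts please make sure ... resolved`. The RHEL-08-010720 message in this commit says `to confirm with STIG standards` where `conform` is presumably meant. The same applies to messages standardised in the next commit: `hasing` (RHEL-08-010120), `sperate` (RHEL-08-010544) and `partiion` (RHEL-08-030660).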
From: Mark Bolwell Date: Mon, 17 Jan 2022 09:58:09 +0000 Subject: [PATCH 005/101] Added Rocky family Signed-off-by: Mark Bolwell --- tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index c79bb9a4..3f3e16d2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,5 @@ --- + - name: Gather distribution info setup: gather_subset: distribution,!all,!min @@ -9,7 +10,7 @@ - name: Check OS version and family assert: - that: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version_compare('8', '==') + that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." tags: - always From 6631cd2b7a759c5ec8d3e04ee4b27014a8722f47 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 10:28:42 +0000 Subject: [PATCH 006/101] std warning message Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index bb9becdf..ab80f3d7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -252,7 +252,7 @@ - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" debug: msg: - - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" + - "WARNING!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" when: - not rhel8stig_disruption_high 
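Review bot: The new OS check in tasks/main.yml accepts `ansible_os_family == "Rocky"` but leaves the failure text at `This role can only be run against RHEL/CENTOS 8`, so the message now contradicts the condition; name Rocky there as well. Recent Ansible fact collection reports Rocky Linux as part of the `RedHat` family, so the extra comparison is presumably for older fact gatherers — a comment such as `# older fact gatherers report Rocky as its own family` would stop the next reader from removing it. The quoting is also inconsistent within one line (`'RedHat'` vs `"Rocky"`); pick one.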
@@ -1171,7 +1171,7 @@ - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" debug: msg: - - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" + - "WARNING!! You do not have execute disable active. Please change the setting in your BIOS settings" when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' when: - rhel_08_010420 @@ -1494,7 +1494,7 @@ block: - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" debug: - msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" + msg: "WARNING!! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is defined when: "'/var/tmp' not in mount_names" @@ -2427,7 +2427,7 @@ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" debug: msg: - - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner" + - "WARNING!! There are files with no user assigned. Please review files listed below and assign owner" - "{{ rhel_08_010780_nouser_files.stdout_lines }}" when: rhel_08_010780_nouser_files.stdout | length > 0 when: @@ -2452,7 +2452,7 @@ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" debug: msg: - - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" + - "WARNING!! There are files with no group assigned. Please review files listed below and assign group" - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" when: rhel_08_010790_nogroup_files.stdout | length > 0 when: 
@@ -2510,7 +2510,7 @@ - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." debug: msg: - - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less." + - "WARNING!! Please check temporary accounts for expiration dates to be 72 hours or less." - "To do this please run sudo chage -l account_name for the accounts you need to check" - "The results will display the Account Expires information" - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name' @@ -3637,7 +3637,7 @@ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" debug: msg: - - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" + - "WARNING!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" when: - rhel_08_020240 @@ -5610,7 +5610,7 @@ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" debug: msg: - - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" + - "WARNING!! Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" when: From e55434cdddd3dbe4acf7b19450db3f08315305e2 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 17 Jan 2022 10:30:16 +0000 Subject: [PATCH 007/101] Std warning message Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 4ca813f8..a0d85748 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -127,7 +127,7 @@ - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." debug: - msg: "WARNING: /var is not mounted on a separate partition" + msg: "WARNING!! /var is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: From 0453b17bbd25ecb5b69fa0305d15a18606e2db08 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 11:19:50 +0000 Subject: [PATCH 008/101] system_is_container variable improvement usage Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- tasks/main.yml | 11 +++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d08d3d46..442ed718 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -40,8 +40,8 @@ rhel8stig_workaround_for_ssg_benchmark: true # tweak role to run in a chroot, such as in kickstart %post script rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" -# tweak role to run in a non-privileged container -rhel8stig_system_is_container: false +# tweak role to run in a non-privileged container (default value)- dynamically discovered in tasks/main.yml +system_is_container: false # rhel8cis/stig is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks diff --git a/tasks/main.yml b/tasks/main.yml index 3f3e16d2..1414015e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,3 @@ ---- - - name: Gather distribution info setup: gather_subset: distribution,!all,!min 
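Review bot: Renaming the public default `rhel8stig_system_is_container` to `system_is_container` in defaults/main.yml silently breaks any inventory or extra-vars that set the old name — the old value is ignored and the role falls back to `false` plus the discovery task. Because this variable now disables a large set of hardening tasks across the series, a compatibility line such as `system_is_container: "{{ rhel8stig_system_is_container | default(false) }}"` (or at least a README/changelog entry) would avoid a surprise. The new comment also has a stray hyphen: `(default value)- dynamically discovered` reads better as `(default value) - dynamically discovered`.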
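Review bot: The tasks/main.yml hunk of this commit removes the `---` document-start marker that the previous commit had just spaced out; yamllint's `document-start` rule expects it and the other role files shown here keep it, so the removal looks accidental. Restore `---` as the first line.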
@@ -22,6 +20,15 @@ tags: - always +- name: Discover and set container variable if required + set_fact: + system_is_container: true + when: + - ansible_connection == 'docker' or + ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - always + - name: Check rhel8stig_bootloader_password_hash variable has been changed assert: that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' From 4d5d09be12558b0b5c255dcad906c76c26b11dab Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:15:00 +0000 Subject: [PATCH 009/101] updated assert statements Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 1414015e..12d50f55 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,14 +9,16 @@ - name: Check OS version and family assert: that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') - msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + fail_msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" tags: - always - name: Check ansible version assert: that: ansible_version.full is version_compare(rhel8stig_min_ansible_version, '>=') - msg: You must use Ansible {{ rhel8stig_min_ansible_version }} or greater + fail_msg: "You must use Ansible {{ rhel8stig_min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ rhel8stig_min_ansible_version }}" tags: - always From d2080e825387109a1e8986157245957b5f8ddb5d Mon Sep 17 00:00:00 2001 
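Review bot: The condition on the new `Discover and set container variable if required` task is inverted: `ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` is true on bare metal and on any VM, so `system_is_container` becomes `true` on exactly the hosts that are not containers, and every task gated with `- not system_is_container` later in this series (mounts, SELinux, firewall, sysctl, kernel settings) is skipped on ordinary servers. It should read `ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]`. Note also that `ansible_virtualization_type` belongs to the `virtual` fact subset, which the earlier `gather_subset: distribution,!all,!min` setup task does not collect; if the play runs with fact gathering disabled the condition fails on an undefined variable, so either add `virtual` to that subset or guard with `| default('')`.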
From: Mark Bolwell Date: Mon, 17 Jan 2022 18:17:14 +0000 Subject: [PATCH 010/101] 010090 - updated debug msg Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ab80f3d7..11be0d89 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -184,7 +184,7 @@ msg: - "WARNING!! The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" - - "{{ rhel_08_010090_certs_list.stdout_lines }}" + - "{{ rhel_08_010090_certs_list.stdout_lines | default('None-found') }}" when: - rhel_08_010090 tags: From 742bfb60e66aa0ca9e42190189d62bd07164ba06 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:22:50 +0000 Subject: [PATCH 011/101] updated system_is_container variable Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 11be0d89..2061651f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -464,7 +464,7 @@ notify: change_requires_reboot when: - rhel_08_010170 or rhel_08_010450 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_disruption_high tags: - CAT2 @@ -1476,7 +1476,7 @@ - rhel8stig_audit_complex when: - rhel_08_010543 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: @@ -1539,7 +1539,7 @@ enabled: yes when: - rhel_08_010560 - - not rhel8stig_system_is_container + - not system_is_container tags: - RHEL-08-010560 - CAT2 
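Review bot: `| default('None-found')` on `rhel_08_010090_certs_list.stdout_lines` only covers the undefined case; when the listing command ran but found nothing, `stdout_lines` is a defined empty list and the message prints `[]` instead of the placeholder. Use the boolean second argument, `- "{{ rhel_08_010090_certs_list.stdout_lines | default('None-found', true) }}"`, to cover both cases. The enclosing task starts before this hunk.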
@@ -1723,7 +1723,7 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1738,12 +1738,12 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010600 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) tags: - RHEL-08-010600 - CAT2 @@ -1767,7 +1767,7 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1782,12 +1782,12 @@ - rhel_08_010610 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010610 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) tags: - RHEL-08-010610 - CAT2 
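Review bot: In the RHEL-08-010600/010610/010620 tasks touched here (hunks -1723, -1738, -1767 and -1782, the -1811/-1826 hunks on the next line, and the later commits that drop the chroot/container line from the same tasks), the condition `"'nodev' not in home_mount.options"` (likewise `noexec` and `nosuid`) tests the options of the `/home` mount, while each task's `vars:` define `removable_mount` / `removable_mount2` from `/media` and `/mnt`. The check therefore never inspects the mount it remediates, so hardening of `/media` and `/mnt` applies or skips according to `/home`'s state. It presumably should be `"'nodev' not in removable_mount.options"` (and `removable_mount2.options` in the `/mnt` task); task-level `vars:` are available in `when`, so that substitution works. Each enclosing task starts before its hunk.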
@@ -1811,7 +1811,7 @@ - rhel_08_010620 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1826,12 +1826,12 @@ - rhel_08_010620 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010620 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) tags: - RHEL-08-010620 - CAT2 @@ -2127,7 +2127,7 @@ when: - rhel_08_010680 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - not system_is_ec2 tags: - RHEL-08-010680 @@ -2473,7 +2473,7 @@ - rhel8stig_audit_complex when: - rhel_08_010800 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 tags: @@ -5868,7 +5868,7 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_firewall_service == "firewalld" - rhel8stig_start_firewall_service tags: @@ -5903,7 +5903,7 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_firewall_service == "iptables" - rhel8stig_start_firewall_service tags: 
@@ -5923,7 +5923,7 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_disruptive tags: - RHEL-08-040030 From 2fe7cf86eb78ddf5377d45f43eb00b23b81bbf88 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:23:24 +0000 Subject: [PATCH 012/101] logic if is_container Signed-off-by: Mark Bolwell --- handlers/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 9074d659..d13b23e6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,9 @@ --- - name: systemctl daemon-reload - systemd: daemon_reload=yes + systemd: + daemon_reload: True + when: + - not system_is_container - name: update sysctl template: @@ -13,6 +16,7 @@ - name: sysctl system command: sysctl --system + when: "'procps-ng' in ansible_facts.packages" - name: restart sshd service: From 7269f6581f504b72772723158cb643395f8241fc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:24:34 +0000 Subject: [PATCH 013/101] 10672 - conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2061651f..4ece4b28 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2004,6 +2004,7 @@ notify: systemctl daemon-reload when: - rhel_08_010672 + - "'systemd' in ansible_facts.packages" tags: - RHEL-08-010672 - CAT2 From 56d561ff0b82394cbfa0b9b6f50b4de10afbd9a7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:28:08 +0000 Subject: [PATCH 014/101] 010674 - package conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4ece4b28..f73a77ee 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
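Review bot: `daemon_reload: True` in the first handlers/main.yml hunk uses the capitalised boolean; Ansible accepts it, but the role writes `true`/`false` elsewhere and yamllint's `truthy` rule flags it — prefer `daemon_reload: true`. The new `when: "'procps-ng' in ansible_facts.packages"` on `sysctl system` (and the `'systemd' in ansible_facts.packages` gates added to RHEL-08-010672/010674/010675 in the following three commits) all assume `package_facts` has run before the handler or task is evaluated; if not, the condition errors on an undefined `ansible_facts.packages` instead of skipping. Guarding with `"'procps-ng' in (ansible_facts.packages | default({}))"`, or a comment naming where the package facts are gathered, would make that dependency explicit.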
@@ -2039,6 +2039,7 @@ line: "Storage=none" when: - rhel_08_010674 + - "'systemd' in ansible_facts.packages" tags: - RHEL-08-010674 - CAT2 From 5fc9d97e176b5fe31a4e4cdaf8f9d80df9602eca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:29:29 +0000 Subject: [PATCH 015/101] 010675 - package conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f73a77ee..224e45be 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2056,6 +2056,7 @@ line: "ProcessSizeMax=0" when: - rhel_08_010675 + - "'systemd' in ansible_facts.packages" tags: - RHEL-08-010675 - CAT2 From 3b8311ffd742a7156c3dcc8492739a6ca971eec5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:38:03 +0000 Subject: [PATCH 016/101] updated rsyslog tags Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 224e45be..cc23fdd2 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -5658,6 +5658,7 @@ - SV-230478r744011_rule - V-230478 - gnutls + - rsyslog - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." lineinfile: @@ -5674,6 +5675,7 @@ - SV-230479r627750_rule - V-230479 - auditd + - rsyslog - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." lineinfile: @@ -5714,6 +5716,7 @@ - SV-230481r627750_rule - V-230481 - auditd + - rsyslog - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs." lineinfile: 
@@ -5731,6 +5734,7 @@ - SV-230482r627750_rule - V-230482 - auditd + - rsyslog - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." lineinfile: From dd82774143f9b0639fd7ca6ef7b22c612192607d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:40:07 +0000 Subject: [PATCH 017/101] 030740 - tag and conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index cc23fdd2..f4a15701 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -5776,6 +5776,7 @@ notify: restart {{ rhel8stig_time_service }} when: - rhel_08_030740 + - "'chrony' in ansible_facts.packages" tags: - RHEL-08-030740 - CAT2 @@ -5783,7 +5784,7 @@ - SRG-OS-000355-GPOS-00143 - SV-230484r627750_rule - V-230484 - - chronyd + - chrony - name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed." shell: dnf remove abrt* From bd582e062eea7094cceacbd936513253f79022f1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:53:36 +0000 Subject: [PATCH 018/101] updated systemd logic Signed-off-by: Mark Bolwell --- handlers/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/handlers/main.yml b/handlers/main.yml index d13b23e6..a2badc6a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,6 +13,7 @@ group: root mode: 0644 notify: sysctl system + when: "'systemd' in ansible_facts.packages" - name: sysctl system command: sysctl --system From 3a4e6ce7e37c83f415bf7036149ae6492b4b6c3b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 18:56:59 +0000 Subject: [PATCH 019/101] 010210 - system_is_container conditional added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) 
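Review bot: Gating the `update sysctl` template handler on `'systemd' in ansible_facts.packages` ties writing the persistent sysctl file to the presence of the systemd package, which it does not depend on; on a host where that gate is false the kernel parameters the role sets (forwarding, redirects and the rest) are never persisted and nothing warns about it. The runtime dependency is on `sysctl --system` (`procps-ng`), which the `sysctl system` handler already checks. If the intent is to skip the whole chain inside containers, `- not system_is_container` as already used on `systemctl daemon-reload` states that directly.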
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f4a15701..08a7a721 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -555,6 +555,7 @@ - rhel_08_010210 or rhel_08_010220 or rhel_08_010230 + - not system_is_container tags: - CAT2 - RHEL-08-010210 From 44621defac48043698e47e7ab7d1097617971bac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:00:42 +0000 Subject: [PATCH 020/101] 010410 - system_is_container conditional added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 08a7a721..055cf8a5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1145,6 +1145,7 @@ state: present when: - rhel_08_010410 + - not system_is_container tags: - RHEL-08-010410 - CAT2 From bcc57ce0ed744471bcb681fd766ab6d6e0bc193b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:02:12 +0000 Subject: [PATCH 021/101] 010544 - system_is_container conditional added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 055cf8a5..bdeb0cb0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1473,7 +1473,7 @@ - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." debug: - msg: "WARNING!! /tmp is not mounted on a separate partition" + msg: "WARNING!! /tmp is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: @@ -1507,6 +1507,7 @@ when: "'/var/tmp' in mount_names" when: - rhel_08_010544 + - not system_is_container tags: - RHEL-08-010544 - CAT2 From 8c97239f42740ffd0d53f98cff989a91b147ce2e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:03:32 +0000 Subject: [PATCH 022/101] 010600 - system_is_container conditional logic Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index bdeb0cb0..6ecd49a8 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1726,7 +1726,6 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1741,7 +1740,6 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: From 2b9a8bdb22bf4b0cf20ef6a4efa53cfb40bd6e3c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:04:29 +0000 Subject: [PATCH 023/101] 010610 - system_is_container conditional logic Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6ecd49a8..6aa9a18c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1768,7 +1768,6 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1783,7 +1782,6 @@ - rhel_08_010610 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: From 12c489e7a06ab37f1a1a2ee60faaac91386fb52b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:05:22 +0000 Subject: [PATCH 024/101] 010620 - system_is_container conditional logic 
Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6aa9a18c..33240396 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1810,7 +1810,6 @@ - rhel_08_010620 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1825,7 +1824,6 @@ - rhel_08_010620 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: From 017f255f61b3a3f20948863f151d0f551b5f5721 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:07:05 +0000 Subject: [PATCH 025/101] 010800 - tags naming mounts Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 33240396..5e858876 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2484,7 +2484,7 @@ - SV-230328r627750_rule - V-23032 - complexity-high - - mount + - mounts - home - name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables." From 71c00de63ec1d0d5d34e59e697761cee322d7ed7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:07:47 +0000 Subject: [PATCH 026/101] 010543 - tag naming mounts Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5e858876..49242740 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
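Review bot: The RHEL-08-010800 tag list in tasks/fix-cat2.yml shows `- V-23032` next to `- SV-230328r627750_rule`; every other task pairs a six-digit `V-` id with its `SV-` rule, so this one looks truncated (presumably `V-230328`) and a `--tags V-230328` run would miss the task. Worth correcting in the same pass that normalises the `mounts` tag.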
@@ -1489,7 +1489,7 @@ - SV-230295r627750_rule - V-230295 - complexity-high - - mount + - mounts - tmp - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." From dde01bbe8c549571b83339454c55517589e7fe81 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:09:10 +0000 Subject: [PATCH 027/101] 020027 - system_is_container conditional added tag Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 49242740..aab217d6 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2994,6 +2994,7 @@ when: - rhel_08_020027 or rhel_08_020028 + - not system_is_container tags: - RHEL-08-020027 - RHEL-08-020028 @@ -3004,6 +3005,7 @@ - SV-250316r793010_rule - V-250315 - V-250316 + - selinux - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: From dfd6c0f3a6726d06fd5a229d2a5d2a8b56d5ce09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:12:23 +0000 Subject: [PATCH 028/101] 040139 - system_is_container conditional added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index aab217d6..6e4f01a4 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6132,6 +6132,7 @@ notify: change_requires_reboot when: - rhel_08_040111 + - not system_is_container tags: - RHEL-08-040111 - CAT2 @@ -6467,6 +6468,7 @@ - rhel_08_040139 or rhel_08_040140 or rhel_08_040141 + - not system_is_container tags: - RHEL-08-040139 - RHEL-08-040140 From 8207139395959cdf93b5ed14cb14cca31d13dcfd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:13:05 +0000 Subject: [PATCH 029/101] 040330 - system_is_container conditional added 
Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6e4f01a4..32654423 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6942,6 +6942,7 @@ when: - rhel_08_040330 - not rhel8stig_net_promisc_mode_required + - not system_is_container tags: - RHEL-08-040330 - CAT2 From 7585114860d2d43b1d2a61d628b8d8bbd68a664f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:24:06 +0000 Subject: [PATCH 030/101] updated mounts tag Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index a0d85748..bea27431 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -143,7 +143,7 @@ - SV-230292r627750_rule - V-230292 - complexity-high - - mount + - mounts - var - name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." @@ -165,7 +165,7 @@ - SV-230293r627750_rule - V-230293 - complexity_high - - mount + - mounts - auditd - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." @@ -187,7 +187,7 @@ - SV-230294r627750_rule - V-230294 - complexity_high - - mount + - mounts - auditd - name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." From 8cd38c9e88d527f247664f45124dea7d004a4c8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 17 Jan 2022 19:26:10 +0000 Subject: [PATCH 031/101] system_is_container conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index bea27431..ea8b2604 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -114,6 +114,7 @@ when: - rhel_08_010471 or rhel_08_010472 + - not system_is_container tags: - RHEL-08-010471 - RHEL-08-010472 
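Review bot: The tag renamed in the three hunks of this change sits next to an inconsistent tag in fix-cat3.yml: the RHEL-08-010540 task carries `complexity-high` while RHEL-08-010541 and RHEL-08-010542 carry `complexity_high`, and the CAT2 mount tasks in the earlier hunks use `complexity-high`. A run filtered with `--tags complexity-high` or `--skip-tags complexity-high` would therefore treat the /var/log and audit-path tasks differently from the rest. Since the commit is already normalising `mount` to `mounts`, the two outliers could be changed to `- complexity-high` in the same pass.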
@@ -132,7 +133,7 @@ - rhel8stig_audit_complex when: - rhel_08_010540 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 tags: @@ -154,7 +155,7 @@ - rhel8stig_audit_complex when: - rhel_08_010541 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 tags: @@ -176,7 +177,7 @@ - rhel8stig_audit_complex when: - rhel_08_010542 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 tags: From e0817e96561f53d8e7706057c5c5551192130a50 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 18 Jan 2022 07:35:24 +0000 Subject: [PATCH 032/101] standard ssh tags Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- tasks/fix-cat3.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 32654423..c8df1d7d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6551,7 +6551,7 @@ - RG-OS-000033-GPOS-00014 - SV-230527r627750_rule - V-230527 - - sshd + - ssh - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." systemd: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index ea8b2604..c7bc052f 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -29,7 +29,7 @@ - SRG-OS-000480-GPOS-00227 - SV-230253r627750_rule - V-230253 - - sshd + - ssh - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." debug: From e34a2bc6d324fcde97c4eeeef8dbaea6653b34a5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 18 Jan 2022 09:33:24 +0000 Subject: [PATCH 033/101] 10070 - added rsyslog tag Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c8df1d7d..f3d01360 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -169,6 +169,7 @@ - SRG-OS-000032-GPOS-00013 - SV-230228r627750_rule - V-230228 + - rsyslog # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." From b0c965ede90ad12a1f945d693ea96255b6a29cca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 18 Jan 2022 09:45:39 +0000 Subject: [PATCH 034/101] 030010 added rsyslog tag Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f3d01360..c7da3f75 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4022,6 +4022,7 @@ - SV-230387r743996_rule - V-230387 - cron + - rsyslog - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." lineinfile: From 3c969864637fba639fc8473d3f81382c684d5eba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 19 Jan 2022 09:37:35 +0000 Subject: [PATCH 035/101] Fix container logic Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 12d50f55..b786cb26 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -27,7 +27,7 @@ system_is_container: true when: - ansible_connection == 'docker' or - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - always 
From eb1aee0867759f0cbdef869e2864d4ceecd2263d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 19 Jan 2022 13:45:31 +0000 Subject: [PATCH 036/101] updated container conditional naming Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index a2badc6a..d361ad6a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -62,7 +62,7 @@ when: - rhel8stig_grub2_user_cfg.stat.exists - not rhel8stig_skip_for_travis - - not rhel8stig_system_is_container + - not system_is_container - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config @@ -80,7 +80,7 @@ - rhel8stig_grub2_user_cfg.stat.exists - rhel8stig_workaround_for_disa_benchmark - not rhel8stig_skip_for_travis - - not rhel8stig_system_is_container + - not system_is_container - name: "restart {{ rhel8stig_time_service }}" service: @@ -89,7 +89,7 @@ when: - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - name: restart auditd command: /usr/sbin/service auditd restart @@ -98,7 +98,7 @@ when: - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - name: rebuild initramfs command: dracut -f From 534feb8a22919e8c6b48ea71bf1dedc0c456da38 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 19 Jan 2022 17:26:09 +0000 Subject: [PATCH 037/101] added tag to passwd check Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index b786cb26..527c9107 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -40,6 +40,8 @@ - not system_is_ec2 - rhel_08_010140 or rhel_08_010150 + tags: + - grub - name: Check if using resolv.conf template settings are changed assert: From 054bb0af48269f189a750eb43e46cdc3bec24853 Mon Sep 17 00:00:00 2001 
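Review bot: The `tags: - grub` added to the bootloader-password-hash assert in tasks/main.yml makes this pre-flight check skippable by tag selection: a run using `--tags RHEL-08-010140` or `--tags CAT1` would execute the grub fix tasks without the assertion that the hash was changed from the role default. The container-discovery task just above it in the same file is tagged `always`; if the intent is that this check cannot be bypassed, it should also carry `- always`. The assert's body and the tags on the fix task in fix-cat1.yml are outside this hunk, so the interaction is inferred from the condition lines visible here.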
From: Mark Bolwell Date: Wed, 19 Jan 2022 17:38:09 +0000 Subject: [PATCH 038/101] container updates Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 7 ++++++- tasks/prelim.yml | 12 ++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 68bd852b..4cbf3a4d 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -127,6 +127,7 @@ - not ansible_check_mode or rhel_08_010020_audit.rc > 1 when: + - not system_is_container - rhel_08_010020 tags: - RHEL-08-010020 @@ -153,6 +154,7 @@ mode: 0640 notify: confirm grub2 user cfg when: + - not system_is_container - not system_is_ec2 - rhel_08_010140 or rhel_08_010150 @@ -288,6 +290,7 @@ when: - rhel_08_020330 - rhel8stig_disruption_high + - rhel8stig_ssh_required tags: - RHEL-08-020330 - CAT1 @@ -373,6 +376,7 @@ notify: systemctl daemon-reload when: - rhel_08_040170 + - not system_is_container tags: - RHEL-08-040170 - CAT1 @@ -429,6 +433,7 @@ notify: systemctl daemon-reload when: - rhel_08_040172 + - not system_is_container tags: - RHEL-08-040172 - CAT1 @@ -500,4 +505,4 @@ - SRG-OS-000480-GPOS-00227 - SV-230558r627750_rule - V-230558 - - ftp + - ftp \ No newline at end of file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5fd14dc2..525fafe5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -49,6 +49,7 @@ dnf: name: grub2-tools when: + - not system_is_container - "'grub2-tools' not in ansible_facts.packages" - rhel_08_010020 or rhel_08_010140 or @@ -101,6 +102,7 @@ dnf: name: cronie when: + - not system_is_container - "'cronie' not in ansible_facts.packages" - rhel_08_010360 tags: @@ -150,6 +152,7 @@ dnf: name: rsyslog when: + - not system_is_container - rhel_08_010070 or rhel_08_030010 - "'rsyslog' not in ansible_facts.packages" @@ -177,6 +180,7 @@ dnf: name: audispd-plugins when: + - not system_is_container - rhel_08_030620 or rhel_08_030630 or rhel_08_030640 or 
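Review bot: The `- rhel8stig_ssh_required` condition added at line 290 of fix-cat1.yml gates the whole RHEL-08-020330 task, whose name and body are outside the hunk. If that task does more than edit sshd_config (for example also touching the PAM stack), the non-SSH part is now skipped on hosts where SSH is not required, which silently leaves a CAT I finding open. Either move the sshd-specific step into its own task carrying the new condition, or add a comment above the `when:` explaining why this control is tied to `rhel8stig_ssh_required`, so the gating is clearly intentional.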
@@ -230,6 +234,7 @@ changed_when: not rhel8stig_aide_db_status.stat.exists notify: "{{ rhel8stig_aide_handler }}" when: + - not system_is_container - rhel_08_010360 or rhel_08_010380 or rhel_08_040310 @@ -247,6 +252,7 @@ name: libselinux-utils state: present when: + - not system_is_container - "'libselinux-utils' not in ansible_facts.packages" - rhel_08_010170 or rhel_08_010450 @@ -275,7 +281,8 @@ command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key - when: rhel8stig_ssh_required + when: + - rhel8stig_ssh_required - name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history @@ -406,10 +413,11 @@ group: root register: faillock_dir when: + - not system_is_container - rhel_08_020017 - rhel_08_020027 - rhel_08_020028 - name: "PRELIM | Section 1.1 | Create list of mount points" set_fact: - mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" + mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" \ No newline at end of file From 6da6f97cf22cec59e5be2cd857e9a8e9da6d0548 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 10:28:31 +0000 Subject: [PATCH 039/101] updated tags Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 525fafe5..bbf62faf 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -44,6 +44,7 @@ - cat2 - medium - RHEL-08-010380 + - sudo - name: "PRELIM | RHEL-08-010020 | RHEL-08-010140 | RHEL-08-010150| Install grub2-tools." dnf: From 04666c2efa7bd9d18b6075dd348c19b72a1d0875 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 10:29:00 +0000 Subject: [PATCH 040/101] updated container discovery 
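Review bot: In the hunk around line 413 of prelim.yml (the task registering `faillock_dir`) the conditions `- rhel_08_020017`, `- rhel_08_020027` and `- rhel_08_020028` are separate list items and so are ANDed, meaning the task only runs when all three controls are enabled; elsewhere in this series related controls are combined with `or` (e.g. `rhel_08_020027 or rhel_08_020028` in PATCH 027). If the directory is a prerequisite for any one of the three, the item should read `- rhel_08_020017 or rhel_08_020027 or rhel_08_020028`. The new `- not system_is_container` line is unaffected either way; the task header is outside the hunk.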
Signed-off-by: Mark Bolwell --- tasks/main.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 527c9107..c57f8a47 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,13 +22,22 @@ tags: - always -- name: Discover and set container variable if required - set_fact: - system_is_container: true +- name: Setup rules if container + block: + - name: Discover and set container variable if required + set_fact: + system_is_container: true + + - name: output if discovered is a container + debug: + msg: system has been discovered as a container + when: + - system_is_container when: - ansible_connection == 'docker' or ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: + - container_discovery - always - name: Check rhel8stig_bootloader_password_hash variable has been changed From 38ae4baadf2875bdd0c70f3b4fe67bd9b0c00d48 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 10:31:05 +0000 Subject: [PATCH 041/101] ssh conditionals and logic changes Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c7da3f75..53c2d725 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -78,6 +78,8 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' + when: + - rhel8stig_ssh_required - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" @@ -209,6 +211,7 @@ path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" when: - rhel_08_010100 + - rhel8stig_ssh_required tags: - RHEL-08-010100 - CAT2 
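Review bot: After this rewrite of tasks/main.yml `system_is_container` is only ever assigned inside the block, so on a host that is not a container the variable stays undefined unless the role's defaults provide it, and every `- not system_is_container` condition added elsewhere in this series would then raise an undefined-variable error instead of evaluating to false. If no default exists, add one (a `set_fact` of `false` before the block, or an entry in the role defaults); if it does, a comment such as `# system_is_container defaults to false in the role defaults; only flipped to true here` would make that dependency visible. The inner `when: - system_is_container` on the debug task is always true inside the block and can be dropped.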
@@ -334,6 +337,7 @@ - SV-244522r792984_rule - V-244521 - V-244522 + - grub - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." lineinfile: @@ -776,6 +780,7 @@ notify: change_requires_reboot when: - rhel_08_010287 + - rhel8stig_ssh_required tags: - RHEL-08-010287 - CAT2 @@ -794,7 +799,7 @@ "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state" command: fips-mode-setup --check changed_when: false - failed_when: false + failed_when: rhel_08_010290_pre_fips_check.stdout is not defined register: rhel_08_010290_pre_fips_check - name: | @@ -833,7 +838,7 @@ - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" command: fips-mode-setup --check changed_when: false - failed_when: false + failed_when: rhel_08_010293_pre_fips_check.stdout is not defined register: rhel_08_010293_pre_fips_check - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" @@ -1016,6 +1021,7 @@ - SV-230263r627750_rule - V-230263 - aide + - cron - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." debug: @@ -1447,6 +1453,7 @@ notify: restart sshd when: - rhel_08_010521 + - rhel8stig_ssh_required tags: - RHEL-08-010521 - CAT2 @@ -1463,6 +1470,7 @@ line: "GSSAPIAuthentication no" when: - rhel_08_010522 + - rhel8stig_ssh_required tags: - RHEL-08-010522 - CAT2 @@ -2496,6 +2504,7 @@ notify: restart sshd when: - rhel_08_010830 + - rhel8stig_ssh_required - rhel8stig_disruption_high tags: - RHEL-08-010830 @@ -6526,6 +6535,7 @@ when: - rhel_08_040159 or rhel_08_040160 + - rhel8stig_ssh_required tags: - RHEL-08-040159 - RHEL-08-040160 
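Review bot: The new `failed_when: rhel_08_010290_pre_fips_check.stdout is not defined` (and the matching line for `rhel_08_010293_pre_fips_check`) encodes a non-obvious rule — a non-zero exit from `fips-mode-setup --check` is tolerated and only a result with no stdout (presumably the tool not being present) fails the task — but nothing says so. A short comment above each, e.g. `# tolerate a non-zero exit from the check; fail only if no output was produced (tool missing)`, would stop the next reader from reverting it to `failed_when: false`. Note that `stdout` is also absent when the command could not be executed for other reasons, so the comment should not overstate what the check proves.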
@@ -6546,6 +6556,7 @@ notify: restart sshd when: - rhel_08_040161 + - rhel8stig_ssh_required tags: - RHEL-08-040161 - CAT2 @@ -6983,6 +6994,7 @@ line: 'X11UseLocalhost yes' when: - rhel_08_040341 + - rhel8stig_ssh_required tags: - RHEL-08-040341 - CAT2 From af693270fe5235a7b884cb11897bbfae0855bf28 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 11:06:04 +0000 Subject: [PATCH 042/101] 10360 - conditional added crontabs pkgs required Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 53c2d725..027984fd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1013,6 +1013,7 @@ when: - rhel_08_010360 - rhel8stig_disruption_high + - "'crontabs' in ansible_facts.packages" tags: - RHEL-08-010360 - CAT2 From de278fa17ef7ba2c20e8d9d7a88cf8b6f1137e5e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 12:30:00 +0000 Subject: [PATCH 043/101] 10670 added conditional pkg check Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 027984fd..162905e7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1978,6 +1978,7 @@ state: stopped when: - rhel_08_010670 + - "'kexec-tools' in ansible_facts.packages" - not rhel8stig_kdump_needed tags: - RHEL-08-010670 From 68af3125138a66e5f0a904b9fa3277adfe898eb2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 12:33:23 +0000 Subject: [PATCH 044/101] 10672- changed conditional for systemd Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 162905e7..4dfec7b0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -2012,7 +2012,7 @@ notify: systemctl daemon-reload when: - rhel_08_010672 - - "'systemd' in ansible_facts.packages" + - ansible_service_mgr == 'systemd' tags: - RHEL-08-010672 - CAT2 From 7f8cc2cc2a257738765d7efa063d96ddc183fb0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 12:41:34 +0000 Subject: [PATCH 045/101] 30070-300121 auditd tag added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4dfec7b0..19e15b07 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4175,6 +4175,7 @@ - V-230396 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." block: @@ -4200,6 +4201,7 @@ - V-230397 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access." lineinfile: @@ -4217,6 +4219,7 @@ - V-230398 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." block: @@ -4245,6 +4248,7 @@ - V-230399 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." block: @@ -4276,6 +4280,7 @@ - V-230400 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." block: @@ -4302,6 +4307,7 @@ - V-230401 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." lineinfile: From 1d21df49db362d9c42f5e8be3e201a3ef56eb3ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 12:44:19 +0000 Subject: [PATCH 046/101] auditd tags added 
Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 19e15b07..1cbf55ad 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -5513,6 +5513,7 @@ - SV-230471r627750_rule - V-230471 - permissions + - auditd - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." block: @@ -5538,6 +5539,7 @@ - SV-230472r627750_rule - V-230472 - permissions + - auditd - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." file: @@ -5562,6 +5564,7 @@ - SV-230473r744008_rule - V-230473 - permissions + - auditd - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." file: @@ -5586,6 +5589,7 @@ - SV-230474r627750_rule - V-230474 - permissions + - auditd - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." lineinfile: From 1d443860b54c2661ced8897b0d4f05b940c6b66e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 13:11:51 +0000 Subject: [PATCH 047/101] yamllint Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 58 +++++++++++++++++++++++----------------------- tasks/fix-cat3.yml | 6 +++-- 3 files changed, 34 insertions(+), 32 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 4cbf3a4d..439fca6e 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -505,4 +505,4 @@ - SRG-OS-000480-GPOS-00227 - SV-230558r627750_rule - V-230558 - - ftp \ No newline at end of file + - ftp diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 1cbf55ad..49b62394 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -1026,7 +1026,7 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010372 @@ -1041,7 +1041,7 @@ - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010373 @@ -1056,7 +1056,7 @@ - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010374 @@ -1086,7 +1086,7 @@ - SRG-OS-000373-GPOS-00156 - SV-230271r627750_rule - V-230271 - - sudoers + - sudo - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." replace: @@ -1105,7 +1105,7 @@ - SRG-OS-000373-GPOS-00156 - SV-230272r627750_rule - V-230272 - - sudoers + - sudo - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." package: @@ -1229,7 +1229,7 @@ - CAT2 - CCI-001084 - SRG-OS-000134-GPOS-00068 - - SV-230277r792884_rule + - SV-230277r792884_rule - V-230277 - grub 
@@ -1315,7 +1315,7 @@ - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010430 @@ -1991,7 +1991,7 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010671 @@ -6598,7 +6598,7 @@ - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040209 @@ -6613,7 +6613,7 @@ - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040210 
@@ -6629,7 +6629,7 @@ - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040220 @@ -6644,7 +6644,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040230 @@ -6659,7 +6659,7 @@ - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040239 @@ -6674,7 +6674,7 @@ - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040240 @@ -6690,7 +6690,7 @@ - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040249 
@@ -6705,7 +6705,7 @@ - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040250 @@ -6721,7 +6721,7 @@ - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040259 @@ -6737,7 +6737,7 @@ - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040260 @@ -6753,7 +6753,7 @@ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040261 @@ -6770,7 +6770,7 @@ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040262 
@@ -6787,7 +6787,7 @@ - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040270 @@ -6802,7 +6802,7 @@ - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040279 @@ -6817,7 +6817,7 @@ - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040280 @@ -6833,7 +6833,7 @@ - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040281 
@@ -6848,7 +6848,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040282 @@ -6863,7 +6863,7 @@ - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040283 @@ -6878,7 +6878,7 @@ - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040284 @@ -6893,7 +6893,7 @@ - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040285 @@ -6908,7 +6908,7 @@ - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_040286 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index c7bc052f..cdbae025 100644 
--- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -33,7 +33,7 @@ - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010375 @@ -48,7 +48,7 @@ - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010376 @@ -337,6 +337,7 @@ - SV-230469r792906_rule - V-230469 - grub + - auditd - name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" lineinfile: @@ -349,6 +350,7 @@ mode: 0600 when: - rhel_08_030603 + - "'usbguard' in ansible_facts.packages" tags: - RHEL-08-030603 - CAT3 From d892fab04b16f753ddffa2e670ed40ad9f31c033 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 13:14:08 +0000 Subject: [PATCH 048/101] ssh conditional 10292 Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index cdbae025..f7fb3171 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -22,6 +22,7 @@ notify: restart sshd when: - rhel_08_010292 + - rhel8stig_ssh_required tags: - RHEL-08-010292 - CAT3 From 73e4cf1fdb99bf8faac5bcf1ee57648bb18bcb10 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 13:26:07 +0000 Subject: [PATCH 049/101] changed update sysctl conditional Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index d361ad6a..d0b69c55 100644 
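Review bot: The new `- "'usbguard' in ansible_facts.packages"` condition on the RHEL-08-030603 task assumes `ansible_facts.packages` has already been populated by a `package_facts` task; if that step did not run for this host, the `when:` fails with an undefined attribute instead of skipping. Patch 049 (`'procps-ng' in ansible_facts.packages` on the `update sysctl` handler) and patch 053 (`'openssh-server' in ansible_facts.packages` on `restart sshd`) add the same dependency, and in a handler the failure only surfaces at the end of the play. Prefixing the membership test with `- ansible_facts.packages is defined`, or documenting that prelim always gathers package facts, would make the assumption explicit. The task's `name:` and `lineinfile:` keys are above this hunk.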
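Review bot: `- rhel8stig_ssh_required` is added as a bare condition on RHEL-08-010292, yet the only definition of that variable visible in this series is `rhel8stig_ssh_required: false` in vars/is_container.yml (patch 055), which is loaded for container hosts only; if defaults/main.yml does not also set it, every non-container run fails this `when:` with an undefined variable. A default such as `rhel8stig_ssh_required: true` in defaults/main.yml, or `- rhel8stig_ssh_required | default(true)` here, covers that case. The task begins outside the hunk.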
--- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,7 +13,7 @@ group: root mode: 0644 notify: sysctl system - when: "'systemd' in ansible_facts.packages" + when: "'procps-ng' in ansible_facts.packages" - name: sysctl system command: sysctl --system From 730daef86199268f1176bbe751cf8e0ddf82982f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 13:26:25 +0000 Subject: [PATCH 050/101] 10700 - added conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 49b62394..f57155b1 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2197,7 +2197,9 @@ owner: "{{ rhel8stig_ww_dir_owner }}" with_items: - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" - when: rhel_08_010700_world_writable_directories.stdout | length > 0 + when: + - rhel_08_010700_world_writable_directories.stdout is defined + - rhel_08_010700_world_writable_directories.stdout | length > 0 when: - rhel_08_010700 tags: From fa4ab96a57feaf296399bb9f4d2ef5fa3d3daa8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 13:38:28 +0000 Subject: [PATCH 051/101] 10700 - 10710 conditional update Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f57155b1..5c040bd3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2225,7 +2225,9 @@ group: "{{ rhel8stig_ww_dir_grpowner }}" with_items: - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" - when: rhel_08_010710_world_writable_directories.stdout | length > 0 + when: + - rhel_08_010710_world_writable_directories.stdout is defined + - rhel_08_010710_world_writable_directories.stdout | length > 0 when: - rhel_08_010710 tags: 
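Review bot: Gating `update sysctl` on `'procps-ng' in ansible_facts.packages` is only useful if the handler is ever notified, and the tasks that notify it (the `notify: update sysctl` hunks in tasks/fix-cat2.yml and tasks/fix-cat3.yml above) are `debug` tasks; a `debug` task reports `ok`, never `changed`, so its `notify` does not fire unless the task also carries `changed_when: true`, which those seven-line hunks do not show. If that key is absent, none of the sysctl settings announced by those messages (RHEL-08-040250 through 040286, 010375, 010376) is ever written, so it is worth confirming each notifier has `changed_when: true` or replacing the `debug` with a direct `sysctl` module call. The handler definition begins above the hunk.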
@@ -2256,7 +2258,9 @@ msg: - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - "{{ rhel_08_010720_user_list.stdout_lines }}" - when: rhel_08_010720_user_list.stdout | length > 0 + when: + - rhel_08_010720_user_list.stdout is defined + - rhel_08_010720_user_list.stdout | length > 0 when: - rhel_08_010720 tags: From 7a6a3c9007a055fdb8b59c032096d203b98fac26 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 17:16:32 +0000 Subject: [PATCH 052/101] updated 40180 conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5c040bd3..6b4ec5e9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6592,6 +6592,7 @@ masked: yes daemon_reload: yes when: + - ansible_service_mgr == 'systemd' - rhel_08_040180 tags: - RHEL-08-040180 From b247c75e8869450635b6cd8cd70a7e7f3e25d04d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Jan 2022 17:16:52 +0000 Subject: [PATCH 053/101] added ssh check to handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/handlers/main.yml b/handlers/main.yml index d0b69c55..7f07cdaf 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -25,6 +25,7 @@ state: restarted when: - not rhel8stig_system_is_chroot + - "'openssh-server' in ansible_facts.packages" - name: restart sssd service: From 7ef1d1b0b0579275907ab006e25e72170f1772e7 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 21 Jan 2022 08:21:01 -0500 Subject: [PATCH 054/101] issue #77 fixed Signed-off-by: George Nalen --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d08d3d46..5a7273ca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -550,7 +550,7 @@ rhel8stig_local_int_home_perms: 0750 # rhel8stig_local_int_home_file_perms is the permissions set to files in the local interactive # user home directories. These are only set when rhel8stig_disruption_high is set to true # All files users home directories that are less restrictive than 0750 will be set to this value -rhel8stig_local_int_home_file_perms: 750 +rhel8stig_local_int_home_file_perms: 0750 # RHEL-08-010770 # rhel8stig_local_int_perm is the permissions set to the local initialization files From 10ccb41f086c34bdf09cd86aaede5ed14cb5e06f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 16:13:49 +0000 Subject: [PATCH 055/101] initial Signed-off-by: Mark Bolwell --- vars/is_container.yml | 180 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 180 insertions(+) create mode 100644 vars/is_container.yml diff --git a/vars/is_container.yml b/vars/is_container.yml new file mode 100644 index 00000000..67749ed1 --- /dev/null +++ b/vars/is_container.yml 
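Review bot: `rhel8stig_local_int_home_file_perms: 0750` is still an unquoted plain scalar, so the YAML loader reads it as the integer 488 (octal because of the leading zero) and the role relies on the file module reinterpreting that integer as a mode; the original `750` was read as decimal 750, which is exactly how this bug arose. Writing `rhel8stig_local_int_home_file_perms: "0750"` states the intent and removes the leading-zero trap, provided every consumer accepts a string mode, which is not visible here; the neighbouring `rhel8stig_local_int_home_perms: 0750` has the same shape. Patch 068 later in this series applies this identical one-line change again, which looks like a merge duplicate rather than a second fix.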
@@ -0,0 +1,180 @@
+---
+# Container vars file
+
+rhel8stig_ssh_required: false
+
+# tmux
+rhel_08_020040: false
+rhel_08_020070: false
+
+# auditd
+rhel_08_010560: false
+rhel_08_030000: false
+rhel_08_030020: false
+rhel_08_030040: false
+rhel_08_030050: false
+rhel_08_030060: false
+rhel_08_030061: false
+rhel_08_030062: false
+rhel_08_030070: false
+rhel_08_030080: false
+rhel_08_030090: false
+rhel_08_030100: false
+rhel_08_030110: false
+rhel_08_030120: false
+rhel_08_030121: false
+rhel_08_030122: false
+rhel_08_030130: false
+rhel_08_030140: false
+rhel_08_030150: false
+rhel_08_030160: false
+rhel_08_030170: false
+rhel_08_030171: false
+rhel_08_030172: false
+rhel_08_030180: false
+rhel_08_030181: false
+rhel_08_030190: false
+rhel_08_030200: false
+rhel_08_030210: false
+rhel_08_030220: false
+rhel_08_030230: false
+rhel_08_030240: false
+rhel_08_030250: false
+rhel_08_030260: false
+rhel_08_030270: false
+rhel_08_030280: false
+rhel_08_030290: false
+rhel_08_030300: false
+rhel_08_030301: false
+rhel_08_030302: false
+rhel_08_030310: false
+rhel_08_030311: false
+rhel_08_030312: false
+rhel_08_030313: false
+rhel_08_030314: false
+rhel_08_030315: false
+rhel_08_030316: false
+rhel_08_030317: false
+rhel_08_030320: false
+rhel_08_030330: false
+rhel_08_030340: false
+rhel_08_030350: false
+rhel_08_030360: false
+rhel_08_030361: false
+rhel_08_030362: false
+rhel_08_030363: false
+rhel_08_030364: false
+rhel_08_030365: false
+rhel_08_030370: false
+rhel_08_030380: false
+rhel_08_030390: false
+rhel_08_030400: false
+rhel_08_030410: false
+rhel_08_030420: false
+rhel_08_030430: false
+rhel_08_030440: false
+rhel_08_030450: false
+rhel_08_030460: false
+rhel_08_030470: false
+rhel_08_030480: false
+rhel_08_030490: false
+rhel_08_030500: false
+rhel_08_030510: false
+rhel_08_030520: false
+rhel_08_030530: false
+rhel_08_030540: false
+rhel_08_030550: false
+rhel_08_030560: false
+rhel_08_030570: false
+rhel_08_030580: false
+rhel_08_030590: false
+rhel_08_030600: false
+rhel_08_030610: false
+rhel_08_030620: false
+rhel_08_030630: false
+rhel_08_030640: false
+rhel_08_030660: false
+rhel_08_030690: false
+rhel_08_030700: false
+rhel_08_030710: false
+rhel_08_030720: false
+rhel_08_030730: false
+rhel_08_030731: false
+
+rhel_08_010542
+rhel_08_030063
+rhel_08_030602
+
+
+# rsyslog
+rhel_08_010070
+rhel_08_010561
+rhel_08_030010
+rhel_08_030670
+rhel_08_030680
+rhel_08_030690
+rhel_08_030710
+rhel_08_030720
+
+## mounts
+#/tmp
+rhel_08_010543
+rhel_08_040123
+rhel_08_040124
+rhel_08_040125
+# /var/log
+rhel_08_040126
+rhel_08_040127
+rhel_08_040128
+rhel_08_010541
+# /var/tmp
+rhel_08_010544
+rhel_08_040132
+rhel_08_040133
+rhel_08_040134
+# /var/log/audit
+rhel_08_040129
+rhel_08_040130
+rhel_08_040131
+rhel_08_010542
+# /home
+rhel_08_010570
+rhel_08_010590
+rhel_08_010800
+# /boot
+rhel_08_010571
+# /boot/efi
+rhel_08_010572
+#
+rhel_08_010580
+# /media
+rhel_08_010610
+# /mnt
+rhel_08_010620
+# NFS
+rhel_08_010630
+rhel_08_010640
+rhel_08_010650
+# /dev/shm
+rhel_08_040120
+rhel_08_040121
+rhel_08_040122
+# /var
+rhel_08_010540
+
+# firewall
+rhel8stig_firewall_service: not_required
+
+# fapolicy
+
+# grub
+
+# modprobe
+
+# chrony
+
+# fips
+
+# aide
+
+# sudo
From e52b5bce653b09a9ad5245756ab38e5e77f748ae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 16:14:49 +0000 Subject: [PATCH 056/101] not system_is_container removed Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index f7fb3171..ff2d7f81 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -134,7 +134,6 @@ - rhel8stig_audit_complex when: - rhel_08_010540 - - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 tags:
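Review bot: The entries after the auditd list (`rhel_08_010542`, `rhel_08_030063`, `rhel_08_030602`, the whole rsyslog block and the mounts block) are bare keys with no `: false`, so this file is not a valid YAML mapping and an `include_vars` of it fails until patch 061 adds the values. Several controls are also listed twice (`rhel_08_010542`, `rhel_08_030602`, `rhel_08_030690`, `rhel_08_030710`, `rhel_08_030720`), which once values are present is a duplicate-key, last-wins mapping; patch 061 resolves that by commenting out the first occurrence of each. Because this file switches off a broad set of audit, logging, mount and firewall controls for any host detected as a container, the header comment should state its scope, for example `# Loaded by tasks/main.yml when system_is_container is true; each false below marks a control as not applicable to an unaltered vendor container image`.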
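Review bot: Removing `- not system_is_container` from RHEL-08-010540 moves the container exclusion into vars/is_container.yml (`rhel_08_010540: false`), but that file is only loaded from patch 060 onward and only gets valid values in patch 061, so at this commit a container run executes the mount audit. The same shift applies to the 010541 and 010542 hunks below and to patch 057 (010543, 010544, 010800); in 057 the 010610/010620 hunks additionally replace `not (rhel8stig_system_is_chroot and system_is_container)` with `not rhel8stig_system_is_chroot`, which now skips those removable-media mount-option controls on every chroot rather than only a chroot that is also a container. Anyone supplying a custom `container_vars_file` must reproduce these `false` entries to keep the previous behaviour, which the README section added in patch 069 does not mention. The enclosing tasks begin outside these hunks.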
@@ -156,7 +155,6 @@ - rhel8stig_audit_complex when: - rhel_08_010541 - - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 tags: @@ -168,7 +166,6 @@ - V-230293 - complexity_high - mounts - - auditd - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." debug: @@ -178,7 +175,6 @@ - rhel8stig_audit_complex when: - rhel_08_010542 - - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 tags: From 524a029fadbe10cbd1404d23c3496a8a659ffb02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 16:15:32 +0000 Subject: [PATCH 057/101] system_is_container tidy Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6b4ec5e9..938b51f8 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1488,7 +1488,6 @@ - rhel8stig_audit_complex when: - rhel_08_010543 - - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: @@ -1517,7 +1516,6 @@ when: "'/var/tmp' in mount_names" when: - rhel_08_010544 - - not system_is_container tags: - RHEL-08-010544 - CAT2 @@ -1796,7 +1794,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010610 - - not (rhel8stig_system_is_chroot and system_is_container) + - not rhel8stig_system_is_chroot tags: - RHEL-08-010610 - CAT2 @@ -1838,7 +1836,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010620 - - not (rhel8stig_system_is_chroot and system_is_container) + - not rhel8stig_system_is_chroot tags: - RHEL-08-010620 - CAT2 
@@ -2490,7 +2488,6 @@ - rhel8stig_audit_complex when: - rhel_08_010800 - - not system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 tags: From 973d63be70943c8ebebc1a838ddd0777cfe355aa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 16:16:52 +0000 Subject: [PATCH 058/101] 40030 conditional != not_required firewall Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 938b51f8..eef1dad0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -5956,7 +5956,8 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not system_is_container + - rhel8stig_firewall_service != "not_required" + - rhel8stig_disruptive tags: - RHEL-08-040030 From dcb7a933e0ecd1da0723d9de1502e458d5d7d818 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 16:23:53 +0000 Subject: [PATCH 059/101] fix conditional 010149 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index eef1dad0..c947bc43 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -326,7 +326,7 @@ - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } when: - rhel_08_010141 or - rhel_08_010141 + rhel_08_010149 tags: - RHEL-08-010141 - RHEL-08-010149 From c881f75ef006e6b5fcf5306c7150b8b80785fbd3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 18:49:33 +0000 Subject: [PATCH 060/101] updated container discovery Signed-off-by: Mark Bolwell --- tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index c57f8a47..99c077c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
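Review bot: The new `- rhel8stig_disruptive` condition on RHEL-08-040030 references a variable that appears nowhere else in this series, while the README hunk in patch 071 documents the disruption toggle as `rhel8stig_disruption_high`; unless defaults/main.yml defines `rhel8stig_disruptive` (not visible here) the `when:` fails with an undefined variable on every host that reaches it. If the intent is to treat the firewall change as disruptive, `- rhel8stig_disruption_high` matches the documented variable. The task begins outside the hunk.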
@@ -28,6 +28,10 @@ set_fact: system_is_container: true + - name: Load variable for container + include_vars: + file: "{{ container_vars_file }}" + - name: output if discovered is a container debug: msg: system has been discovered as a container @@ -47,6 +51,7 @@ when: - not system_is_ec2 + - not system_is_container - rhel_08_010140 or rhel_08_010150 tags: From 174656bafdf753085b9ac576745de086e5602b3a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 18:49:56 +0000 Subject: [PATCH 061/101] initial Signed-off-by: Mark Bolwell --- vars/is_container.yml | 123 ++++++++++++++++++++++++++---------------- 1 file changed, 77 insertions(+), 46 deletions(-) diff --git a/vars/is_container.yml b/vars/is_container.yml index 67749ed1..b5330290 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml 
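Review bot: `file: "{{ container_vars_file }}"` uses a variable that is only given a default in patch 064, four commits later, so at this commit any host discovered as a container fails on this new `include_vars` task with an undefined variable; the default belongs in the same commit. The task is also worth a comment on precedence: variables set by `include_vars` rank above role defaults and inventory vars, so every `false` in the loaded file overrides a group_vars or host_vars toggle for that host and can only be changed through a different `container_vars_file` or extra-vars, e.g. `# NOTE: values loaded here override inventory-level control toggles for this host`. The surrounding block begins outside the hunk.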
@@ -94,87 +94,118 @@ rhel_08_030620: false
 rhel_08_030630: false
 rhel_08_030640: false
 rhel_08_030660: false
-rhel_08_030690: false
+# rhel_08_030690: false # Also rsyslog
 rhel_08_030700: false
-rhel_08_030710: false
-rhel_08_030720: false
+# rhel_08_030710: false # Also rsyslog
+# rhel_08_030720: false # Also rsyslog
 rhel_08_030730: false
 rhel_08_030731: false
-
-rhel_08_010542
-rhel_08_030063
-rhel_08_030602
+# rhel_08_010542: false # Also Rsyslog
+rhel_08_030063: false
+# rhel_08_030602: false # Also grub
 # rsyslog
-rhel_08_010070
-rhel_08_010561
-rhel_08_030010
-rhel_08_030670
-rhel_08_030680
-rhel_08_030690
-rhel_08_030710
-rhel_08_030720
+rhel_08_010070: false
+rhel_08_010561: false
+rhel_08_030010: false
+rhel_08_030670: false
+rhel_08_030680: false
+rhel_08_030690: false
+rhel_08_030710: false
+rhel_08_030720: false
 ## mounts
 #/tmp
-rhel_08_010543
-rhel_08_040123
-rhel_08_040124
-rhel_08_040125
+rhel_08_010543: false
+rhel_08_040123: false
+rhel_08_040124: false
+rhel_08_040125: false
 # /var/log
-rhel_08_040126
-rhel_08_040127
-rhel_08_040128
-rhel_08_010541
+rhel_08_040126: false
+rhel_08_040127: false
+rhel_08_040128: false
+rhel_08_010541: false
 # /var/tmp
-rhel_08_010544
-rhel_08_040132
-rhel_08_040133
-rhel_08_040134
+rhel_08_010544: false
+rhel_08_040132: false
+rhel_08_040133: false
+rhel_08_040134: false
 # /var/log/audit
-rhel_08_040129
-rhel_08_040130
-rhel_08_040131
-rhel_08_010542
+rhel_08_040129: false
+rhel_08_040130: false
+rhel_08_040131: false
+rhel_08_010542: false
 # /home
-rhel_08_010570
-rhel_08_010590
-rhel_08_010800
+rhel_08_010570: false
+rhel_08_010590: false
+rhel_08_010800: false
 # /boot
-rhel_08_010571
+rhel_08_010571: false
 # /boot/efi
-rhel_08_010572
+rhel_08_010572: false
 #
-rhel_08_010580
+rhel_08_010580: false
 # /media
-rhel_08_010610
+rhel_08_010610: false
 # /mnt
-rhel_08_010620
+rhel_08_010620: false
 # NFS
-rhel_08_010630
-rhel_08_010640
-rhel_08_010650
+rhel_08_010630: false
+rhel_08_010640: false
+rhel_08_010650: false
 # /dev/shm
-rhel_08_040120
-rhel_08_040121
-rhel_08_040122
+rhel_08_040120: false
+rhel_08_040121: false
+rhel_08_040122: false
 # /var
-rhel_08_010540
+rhel_08_010540: false
 # firewall
 rhel8stig_firewall_service: not_required
 # fapolicy
+rhel_08_040135: false
+rhel_08_040136: false
+rhel_08_040137: false
 # grub
+rhel_08_010141: false
+rhel_08_010149: false
+rhel_08_010421: false
+rhel_08_010422: false
+rhel_08_010423: false
+rhel_08_030601: false
+rhel_08_030602: false
+rhel_08_040004: false
 # modprobe
+rhel_08_040021: false
+rhel_08_040022: false
+rhel_08_040023: false
+rhel_08_040024: false
+rhel_08_040025: false
+rhel_08_040026: false
 # chrony
+rhel_08_030740: false
+rhel_08_030741: false
+rhel_08_030742: false
 # fips
+rhel_08_010290: false
+rhel_08_010291: false
+rhel_08_010293: false
 # aide
+rhel_08_010360: false
+rhel_08_030650: false
+rhel_08_040300: false
+rhel_08_040310: false
 # sudo
+rhel_08_010380: false
+rhel_08_010381: false
+rhel_08_010382: false
+rhel_08_010383: false
+rhel_08_010384: false
From 0493509a5a586f4e9befc81b101f6b390eda875f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 18:51:55 +0000 Subject: [PATCH 062/101] updated conditional Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index c947bc43..e9b82128 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -6038,6 +6038,7 @@ enabled: yes when: - rhel_08_040100 + - rhel8stig_firewall_service != "not_required" tags: - RHEL-08-040100 - CAT2
@@ -6104,6 +6105,7 @@ register: rhel_08_040090_default_zone_set when: - rhel_08_040090 + - rhel8stig_firewall_service != "not_required" tags: - RHEL-08-040090 - CAT2
@@ -6518,6 +6520,7 @@ line: 'FirewallBackend=nftables' when: - rhel_08_040150 + - rhel8stig_firewall_service != "not_required" tags: - RHEL-08-040150 - CAT2
From 1c2cf461cadff35371eeac7cc64bd7602fb917ad Mon Sep 17 00:00:00 2001
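Review bot: In the mounts block the lone `#` that precedes `rhel_08_010580: false` (context here) leaves this the only entry whose mount is not named, while every neighbour carries its path (`# /boot/efi`, `# /media`); since the file's purpose is to record which controls are not applicable in a container, the comment should name the file system that control covers so the reader can check the reasoning. Likewise `# rsyslog`, `# fapolicy`, `# grub` and the other group headings would benefit from a clause stating why the group does not apply inside a container, mirroring the `# Also rsyslog` cross-references already added.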
From: Mark Bolwell Date: Tue, 25 Jan 2022 18:52:50 +0000 Subject: [PATCH 063/101] 020014 updated regexp Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e9b82128..cc0abb4b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2667,7 +2667,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd @@ -2678,7 +2678,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd From cab92df4862993ab1d7e93122e38c10e26cfbf0d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 18:54:41 +0000 Subject: [PATCH 064/101] added container_vars_file Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 442ed718..56b9e674 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
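Review bot: The new regexps `'^auth\s+required pam_faillock.so preauth'` and `'^auth\s+required pam_faillock.so authfail'` accept variable whitespace only between `auth` and `required`; RHEL's pam.d files commonly align fields with runs of spaces, and a line with more than one space between `required` and `pam_faillock.so` will not match, so `lineinfile` inserts a second `pam_faillock.so` line instead of replacing the existing one. Using `\s+` for every gap and escaping the dot, `'^auth\s+required\s+pam_faillock\.so\s+preauth'` and `'^auth\s+required\s+pam_faillock\.so\s+authfail'`, fixes both; the account regexp in patch 065 has the same gap. Separately, the unchanged `line:` values in both hunks write `nlock_time=` where pam_faillock's option is `unlock_time`; if that is the repository text and not a rendering artefact, the configured unlock time is silently ignored and the module default applies, which undermines the control. Both tasks begin outside the hunks.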
@@ -43,6 +43,10 @@ rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" # tweak role to run in a non-privileged container (default value)- dynamically discovered in tasks/main.yml system_is_container: false +# Place to find the container yml file for your environment - /vars/... +container_vars_file: is_container.yml + + # rhel8cis/stig is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false From 20968da33e8f5940b8822b15629ed281cc083f5b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 18:55:06 +0000 Subject: [PATCH 065/101] 20014 regexp Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index cc0abb4b..79571d5f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2689,7 +2689,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required pam_faillock.so' line: 'account required pam_faillock.so' insertafter: '^account' notify: restart sssd From 9e507d156965de5113483905804e2323011ecf8d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Jan 2022 18:56:46 +0000 Subject: [PATCH 066/101] fixed when and tags Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 79571d5f..23604827 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
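Review bot: The comment `# Place to find the container yml file for your environment - /vars/...` reads like an absolute path, whereas `include_vars: file:` (patch 060) resolves a bare file name against this role's vars/ directory, so a custom file kept outside the role needs a full path. Suggest `# Vars file loaded when system_is_container is true; a bare name is looked up in this role's vars/ directory, otherwise give a full path` so users know how to supply their own set of container controls. The two added blank lines plus the existing one also leave three consecutive empty lines.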
@@ -2697,9 +2697,9 @@ - system-auth - password-auth when: - - rhel_08_020013 + - rhel_08_020014 tags: - - RHEL-08-020013 + - RHEL-08-020014 - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 From 686c994e0bcddc849e85e8b11434edc04fe911bc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jan 2022 11:02:43 +0000 Subject: [PATCH 067/101] #79 added port number not just service name option thanks dglinder Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + tasks/fix-cat2.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 56b9e674..43d74791 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -848,6 +848,7 @@ rhel8stig_custom_firewall_zone: "new_fw_zone" # RHEL-08-040090 # rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone # http and ssh need to be enabled for the role to run. +# This can also be a port number if no service exists rhel8stig_white_list_services: - http - https diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 23604827..b2365528 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6088,7 +6088,8 @@ zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: enabled - service: "{{ item }}" + service: "{{ (item == (item | regex_search('^[a-z]+$'))) | bool | ternary(item, omit) }}" + port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | bool | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" From c610c5aa6c3ff6b789781b284e37f8d773f827ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jan 2022 11:06:05 +0000 Subject: [PATCH 068/101] #77 fix added Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 43d74791..e61a9712 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
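Review bot: The added `# This can also be a port number if no service exists` understates what the matching task in tasks/fix-cat2.yml accepts: an item is treated as a port only when it matches `^[0-9]+/[a-z]+$`, so a bare `8080` is neither a service nor a port and is dropped. Suggest `# An entry may also be a firewalld port spec in <port>/<protocol> form, e.g. 8080/tcp, when no firewalld service definition exists`.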
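Review bot: The service test `item | regex_search('^[a-z]+$')` rejects valid firewalld service names containing digits or hyphens (`dhcpv6-client`, `pop3`, `samba-client`), and an item matching neither pattern has both `service` and `port` omitted, so the firewalld task runs with no target for that item and either errors or does nothing. The `(item == (item | regex_search(...))) | bool | ternary(item, omit)` construction is also a roundabout `is match`. Suggested replacement: `service: "{{ item if item is match('^[a-z][a-z0-9-]*$') else omit }}"` and `port: "{{ item if item is match('^[0-9]+(-[0-9]+)?/(tcp|udp|sctp|dccp)$') else omit }}"`, which also admits port ranges. The task begins outside the hunk.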
@@ -554,7 +554,7 @@ rhel8stig_local_int_home_perms: 0750 # rhel8stig_local_int_home_file_perms is the permissions set to files in the local interactive # user home directories. These are only set when rhel8stig_disruption_high is set to true # All files users home directories that are less restrictive than 0750 will be set to this value -rhel8stig_local_int_home_file_perms: 750 +rhel8stig_local_int_home_file_perms: 0750 # RHEL-08-010770 # rhel8stig_local_int_perm is the permissions set to the local initialization files From b82dbc0698b6979831a612e23be040b63c06cea0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jan 2022 11:26:24 +0000 Subject: [PATCH 069/101] Added containers update and headings Signed-off-by: Mark Bolwell --- README.md | 52 ++++++++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 7d41be70..0269d5ab 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ -RHEL 8 DISA STIG -================ +# RHEL 8 DISA STIG ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic) 
@@ -9,16 +8,14 @@ Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audite This role is based on RHEL 8 DISA STIG: [Version 1, Rel 4 released on Oct 27, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R4_STIG.zip). -Updating --------- +## Updating Coming from a previous release. As with all releases and updates, It is suggested to test and align controls. This contains rewrites and ID reference changes as per STIG documentation. -Auditing (new) --------------- +## Auditing This can be turned on or off within the defaults/main.yml file with the variable rhel8stig_run_audit. The value is false by default, please refer to the wiki for more details. @@ -29,13 +26,13 @@ This audit will not only check the config has the correct setting but aims to ca Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit). -Requirements ------------- +## Requirements -RHEL 8 or CentOS 8 - Other versions are not supported. +RHEL 8 or CentOS 8 - Other versions are not supported. Although tested on rocky and almalinux +Containers Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. -**General:** +### General - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible 
@@ -46,8 +43,7 @@ Access to download or add the goss binary and content to the system if using aud - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. - Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables). -Documentation -------------- +## Documentation - [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-STIG/) - [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) @@ -56,8 +52,7 @@ Documentation - [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) - [Wiki](https://github.com/ansible-lockdown/RHEL8-STIG/wiki) -Dependencies ------------- +## Dependencies The following packages must be installed on the controlling host/host where ansible is executed: 
@@ -68,13 +63,11 @@ The following packages must be installed on the controlling host/host where ansi Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. -Role Variables --------------- +## Role Variables This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. -Tags ----- +### Tags There are many tags available for added control precision. Each control has it's own set of tags noting the control number as well as what parts of the system that control addresses. @@ -88,8 +81,7 @@ tags: - dod_logon_banner ``` -Example Audit Summary ---------------------- +### Example Audit Summary This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. Note: More tests are run during audit as we check config and running state. @@ -109,8 +101,7 @@ PLAY RECAP ********************************************************************* rhel8test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 ``` -Branches -------- +## Branches - **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch - **main** - This is the release branch 
@@ -118,8 +109,21 @@ Branches - **gh_pages** - github pages - **all other branches** - Individual community member branches -Community Contribution ----------------------- +## Containers - testing + +- system_is_container + +This is set to false by defaults/main.yml +If discovered it is a container type or ansible_connection == docker it will convert to run to with with true. +Some controls will skip is this is true as they are not applicable at all. Others runs a subset of controls found in vars/is_container.yml based on a vendor supplied un altered image. + +**NON altered vendor image.** + +- container_vars_file: is_container.yml + +This vars file runs controls are grouped into tags so if the container does later have ssh it could be re-enabled by loading an alternative vars file. + +## Community Contribution We encourage you (the community) to contribute to this role. Please read the rules below. From e422d8070c5afa3e7a11137e66ad28f3694effc0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jan 2022 15:55:39 +0000 Subject: [PATCH 070/101] fixed case for boolean Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 7f07cdaf..c75c8a34 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: systemctl daemon-reload systemd: - daemon_reload: True + daemon_reload: true when: - not system_is_container From 0cf2dcc09dc3ab54033eededc24022da025d7ec7 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 28 Jan 2022 08:43:05 -0500 Subject: [PATCH 071/101] updated STIG version info in README Signed-off-by: George Nalen --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0269d5ab..18bbd947 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 4 released on Oct 27, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R4_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 5 released on Jan 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R5_STIG.zip). ## Updating From 0f93d8724e23f81c1cf4a1b4a93ad78484ac32f1 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 28 Jan 2022 12:38:13 -0500 Subject: [PATCH 072/101] Added RHEL-08-010121 and updates to 010030, 010400, 020140, 010090, 040080, and 040090 Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 37 +++++++++++++++++++++++++++++++++++++ tasks/fix-cat2.yml | 35 ++++++++++++++++++----------------- 2 files changed, 55 insertions(+), 17 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 439fca6e..2175a256 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -137,6 +137,43 @@ - SV-230223r792855_rule - V-230223 +- name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." + block: + - name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" + command: "awk -F: '!$2 {print $1}' /etc/shadow" + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010121_no_pw_users + + - name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" + debug: + msg: + - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" + - "{{ rhel_08_010121_no_pw_users.stdout_lines }}" + when: + - rhel_08_010121_no_pw_users.stdout | length > 0 + - not rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Lock accounts with no passwords, disruptive" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ rhel_08_010121_no_pw_users.stdout_lines }}" + when: + - rhel_08_010121_no_pw_users.stdout | length > 0 + - rhel8stig_disruption_high + when: + - RHEL-08-010121 + tags: + - RHEL-08-010121 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251706r809342_rule + - V-251706 + - name: | "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b2365528..2d333e52 100644 
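Review bot: The block-level `when:` of the new RHEL-08-010121 task is written as the tag name `RHEL-08-010121`, which Jinja evaluates as the expression `RHEL - 08 - 010121` and fails on the undefined variable `RHEL`, so the whole block errors out rather than running; every other control in this file keys off the snake_case toggle, so it should read `- rhel_08_010121`. The task names say `MEDIUM` while the tag list says `CAT1` (and the block lives in fix-cat1.yml) — one of the two is wrong and will mislead anyone filtering by severity. The lock path uses `password_lock: yes`, which the rest of this series is normalising to lowercase `true`/`false`; the `awk -F: '!$2 {print $1}' /etc/shadow` check itself correctly lists every account whose password field is empty.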
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -54,17 +54,18 @@ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" debug: msg: - - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' - - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" + - 'WARNING!! Below is the partition layout. Please run the "sudo more /etc/crypttab" command to confirm every persistent disk partition has an entry.' + - "If partitions other than psuedo file systems (such as /var or /sys) this is a finding" - "{{ rhel_08_010030_partition_layout.stdout_lines }}" - when: rhel_08_010030 + when: + - rhel_08_010030 tags: - RHEL-08-010030 - CAT2 - CCI-001199 - SRG-OS-000185-GPOS-00079 - - SV-230224r627750_rule + - SV-230224r809268_rule - V-230224 - name: | @@ -195,7 +196,7 @@ - CAT2 - CCI-000185 - SRG-OS-000066-GPOS-00034 - - SV-230229r627750_rule + - SV-230229r809270_rule - V-230229 - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." @@ -1143,7 +1144,7 @@ - CAT2 - CCI-001948 - SRG-OS-000375-GPOS-00160 - - SV-230274r743945_rule + - SV-230274r809281_rule - V-230274 - multifactor 
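Review bot: The rewritten 010030 warning cites `/var` as an example of a pseudo file system, but `/var` is a persistent disk partition and is exactly the kind of mount that must have a `/etc/crypttab` entry; an auditor following this message as written would skip it. The sentence is also missing its predicate ("If partitions other than psuedo file systems ... this is a finding") and misspells pseudo. I would replace that message line with `- "If any persistent partition other than a pseudo file system (such as /proc, /sys or /dev/shm) has no crypttab entry, this is a finding"`.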
@@ -3383,12 +3384,12 @@ - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." lineinfile: path: /etc/security/pwquality.conf + regexp: '^#?\s*maxclassrepeat' + line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" create: yes owner: root group: root mode: 0644 - regexp: '^#?\s*maxclassrepeat' - line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" when: - rhel_08_020140 tags: @@ -3396,7 +3397,7 @@ - CAT2 - CCI-000195 - SRG-OS-000072-GPOS-00040 - - SV-230360r627750_rule + - SV-230360r809289_rule - V-230360 - pwquality @@ -5995,17 +5996,17 @@ - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." lineinfile: - path: "{{ item.path }}" + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" create: yes owner: root group: root mode: 0640 - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" with_items: - - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } - - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} + - { regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} when: - rhel_08_040080 tags: @@ -6013,7 +6014,7 @@ - CAT2 - CCI-000778 - SRG-OS-000114-GPOS-00059 - - SV-230503r627750_rule + - SV-230503r809319_rule - V-230503 - usb_devices @@ -6112,7 +6113,7 @@ - CAT2 - CCI-002314 - SRG-OS-000297-GPOS-00115 - - SV-230504r627750_rule + - SV-230504r809321_rule - V-230504 - firewall 
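Review bot: Consolidating both `usb-storage` directives into `/etc/modprobe.d/blacklist.conf` only prevents future loads; a module that is already resident stays loaded until it is unloaded or the host reboots, and unlike the 040020 webcam task elsewhere in this file I see no `notify: change_requires_reboot` on this task within the hunk. Adding `notify: change_requires_reboot` (or an explicit `modprobe -r usb-storage` step gated on `rhel8stig_disruption_high`) tells the operator the control is not yet effective. Note also that `/etc/modprobe.d/usb-storage.conf`, written by earlier versions of this task, is no longer managed, so a previously remediated host keeps a duplicate `install` line — harmless, but a `file: state: absent` cleanup would avoid confusion during audits.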
From fac18c3acbb7afd65116dfb1e00283a77c59e1c7 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 28 Jan 2022 16:08:35 -0500 Subject: [PATCH 073/101] updated 010130 Signed-off-by: George Nalen --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 13 +++++-------- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e61a9712..6c7ceaa5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -818,7 +818,7 @@ rhel8stig_dns_servers: # The order needs to be set as expected. If you have 3 y rhel8stig_int_gid: 1000 # RHEL-08-010130 -# The rounds parameter goes into the password sufficient pam_unix.so element of the password-auth and system-auth files. The value shoudl be set no lower than 5000 +# The rounds parameter goes into the SHA_CRYPT_MIN_ROUNDS element of the /etc/login.defs file. The value shoudl be set no lower than 5000 rhel8stig_hashing_rounds: 5000 # RHEL-08-010100 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2d333e52..03f7f6eb 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -274,14 +274,11 @@ - V-230232 - disruption_high -- name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds." - pamd: - name: password-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present +- name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds." + lineinfile: + path: /etc/login.defs + regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s + line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} when: - rhel_08_010130 tags: From c14e6dc6507e3f73b862fb54cd00ce0a8d1385fe Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 28 Jan 2022 16:15:08 -0500 Subject: [PATCH 074/101] updated 020220 
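Review bot: Moving 010130 to `SHA_CRYPT_MIN_ROUNDS` in `/etc/login.defs` leaves behind the `rounds=` argument that earlier versions of this task appended to `pam_unix.so` in `password-auth`, and an explicit `rounds=` on the PAM line may take precedence over the login.defs minimum for password changes made through PAM; a cleanup step that strips the stale argument (or at least a documented check) keeps the two settings from disagreeing. The regexp `^.*SHA_CRYPT_MIN_ROUNDS\s` deliberately rewrites a commented `# SHA_CRYPT_MIN_ROUNDS` line, which is fine, but the sibling `SHA_CRYPT_MAX_ROUNDS` is untouched — verify how shadow-utils resolves a MIN set above an existing MAX before relying on this. The defaults comment changed in the same commit still reads `shoudl`.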
Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 03f7f6eb..0d52580d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -286,7 +286,7 @@ - CAT2 - CCI-000196 - SRG-OS-000073-GPOS-00041 - - SV-230233r743919_rule + - SV-230233r809273_rule - V-230233 - pamd @@ -3550,11 +3550,11 @@ - disruption-high - password -- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." +- name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" + - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" pamd: - name: "{{ item }}" + name: password-auth state: before type: password control: sufficient 
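Review bot: Narrowing `pamd: name:` from the `system-auth`/`password-auth` loop to `password-auth` alone removes password-history enforcement from `system-auth`, and nothing in this hunk adds a replacement task for that file. If this follows the STIG split of 020220 into per-file rules, the `system-auth` counterpart needs its own control; otherwise logins that go through `system-auth` can reuse passwords. The block continues past the end of this hunk.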
@@ -3562,23 +3562,17 @@ new_type: password new_control: required new_module_path: pam_pwhistory.so - with_items: - - "system-auth" - - "password-auth" # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" + - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Check for existing password history reuse settings" + command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/password-auth" check_mode: no changed_when: no failed_when: rhel_08_020220_pw_hist_settings.rc > 1 register: rhel_08_020220_pw_hist_settings - with_items: - - "system-auth" - - "password-auth" # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set" + - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set" pamd: name: "{{ item.item }}" state: updated 
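Review bot: The grep audit searches for `password\s+requisite\s+pam_pwhistory.so`, while the `pamd` task just above it inserts the rule with `new_control: required`, so on a host this role configured the check never matches and the follow-up task runs on a stale condition; the pattern should accept what the role writes, e.g. `'^password\\s+(required|requisite)\\s+pam_pwhistory.so\\s+use_authtok ...'`. Separately, with `with_items` removed the registered `rhel_08_020220_pw_hist_settings` is no longer a loop result, yet the next task still uses `name: "{{ item.item }}"`, which is undefined unless its own loop (outside this hunk) was rewritten as well; it should become `name: password-auth` with the loop dropped. That task's body extends beyond the hunk.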
@@ -3598,7 +3592,7 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-230368r627750_rule + - SV-230368r810414_rule - V-230368 - pamd From 65ae0d2323306c430a74182c0b9a776541cda2c4 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Sun, 30 Jan 2022 14:31:40 -0500 Subject: [PATCH 075/101] Updated 040020 Signed-off-by: George Nalen --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 51 +++++++++++++++++++++++----------------------- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6c7ceaa5..a05b8d3a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -121,7 +121,7 @@ rhel_08_010100: true rhel_08_010110: true rhel_08_010120: true rhel_08_010130: true -rhel_08_010131: true +# rhel_08_010131: true rhel_08_010141: true rhel_08_010149: true rhel_08_010151: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0d52580d..fe04fff1 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -290,24 +290,24 @@ - V-230233 - pamd -- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." - pamd: - name: system-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present - when: - - rhel_08_010131 - tags: - - RHEL-08-010131 - - CAT2 - - CCI-000196 - - SRG-OS-000073-GPOS-00041 - - SV-244520r743809_rule - - V-244520 - - pamd +# - name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." +# pamd: +# name: system-auth +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" +# state: args_present +# when: +# - rhel_08_010131 +# tags: +# - RHEL-08-010131 +# - CAT2 +# - CCI-000196 +# - SRG-OS-000073-GPOS-00041 +# - SV-244520r743809_rule +# - V-244520 +# - pamd - name: | "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." @@ -392,11 +392,11 @@ - CAT2 - CCI-000803 - SRG-OS-000120-GPOS-00061 - - SV-244524r743821_rule + - SV-244524r809331_rule - V-244524 - pamd -- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." +- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: name: password-auth type: password @@ -411,7 +411,7 @@ - CAT2 - CCI-000803 - SRG-OS-000120-GPOS-00061 - - SV-230237r743931_rule + - SV-230237r809276_rule - V-230237 - pamd 
@@ -784,7 +784,7 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-244526r743827_rule + - SV-244526r809334_rule - V-244526 - ssh @@ -868,7 +868,7 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230255r627750_rule + - SV-230255r809382_rule - V-230255 - openssl @@ -3103,7 +3103,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230349r627750_rul + - SV-230349r810020_rule - V-230349 - tmux @@ -5850,6 +5850,7 @@ notify: change_requires_reboot with_items: - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } + - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/true', insertafter: '##Disable WebCam' } - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } when: - rhel_08_040020 @@ -5858,7 +5859,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230493r627750_rule + - SV-230493r809316_rule - V-230493 - camera From 9a1fe85bb16e44a4f9cb3e27ce4ae6b3c1eb2e2b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Sun, 30 Jan 2022 15:15:16 -0500 Subject: [PATCH 076/101] added 010331 Signed-off-by: George Nalen --- defaults/main.yml | 5 +++++ tasks/fix-cat2.yml | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index a05b8d3a..5861fad6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -824,6 +824,11 @@ rhel8stig_hashing_rounds: 5000 # RHEL-08-010100 rhel8stig_path_to_sshkey: "/root/.ssh/" +# RHEL-08-010331 +# rhel8stig_lib_dir_perms is the permissions that will be set to library directories when they are found to be 755 or more permissive and rhel8stig_disruption_high is true +# To conform to STIG standards these directories need to be 755 or less permissive +rhel8stig_lib_dir_perms: 0755 + # RHEL-08-010510 # rhel8stig_sshd_compression to meet STIG requirements needs to be set to "no" or "delayed" rhel8stig_sshd_compression: "no" 
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index fe04fff1..a03e1ebf 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -987,6 +987,42 @@ - V-230262 - permissions +- name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Get directories" + shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010331_directories + + - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions" + debug: + msg: + - "Alert! There are library directories that have permessions set to more permissive than 755" + - "To conform to STIG standards, please review these directories and set to 755 or less permissive" + - "{{ rhel_08_010331_directories.stdout_lines }}" + when: + - not rhel8stig_disruption_high + - rhel_08_010331_directories.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions" + file: + path: "{{ item }}" + state: directory + mode: "{{ rhel8stig_lib_dir_perms }}" + with_items: + - "{{ rhel_08_010331_directories.stdout_lines }}" + when: + - rhel8stig_disruption_high + - rhel_08_010331_directories.stdout | length > 0 + when: + - RHEL-08-010331 + - CAT2 + - CCI-001499 + - SV-251707r809345_rule + - V-251707 + - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." cron: name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' 
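Review bot: The trailing `when:` list of the new 010331 block mixes the toggle with tag names (`RHEL-08-010331`, `CAT2`, `CCI-001499`, ...), which Jinja evaluates as undefined variables and subtraction expressions, so the block fails instead of running; the toggle should be `- rhel_08_010331` under `when:` and the identifiers moved under `tags:`. The remediation also replaces the whole mode with `rhel8stig_lib_dir_perms`, which silently clears any setgid or sticky bit on a matched directory; a symbolic `mode: "g-w,o-w"` removes only the bits that `-perm /0022` flagged. `shell:` is not needed for a plain `find` — `command:` avoids spawning a shell.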
@@ -6454,7 +6490,7 @@ - CAT2 - CCI-001764 - SRG-OS-000368-GPOS-00154 - - SV-244546r743887_rule + - SV-244546r809339_rule - V-244546 - fapolicy From 837bd717607aff57cc0f385b68b777c5e34f9006 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Sun, 30 Jan 2022 17:06:47 -0500 Subject: [PATCH 077/101] added 010341, 010351, 010359, and 010379 Signed-off-by: George Nalen --- defaults/main.yml | 5 ++ tasks/fix-cat2.yml | 119 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 123 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5861fad6..71511161 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -152,12 +152,17 @@ rhel_08_010300: true rhel_08_010310: true rhel_08_010320: true rhel_08_010330: true +rhel_08_010331: true rhel_08_010340: true +rhel_08_010341: true rhel_08_010350: true +rhel_08_010351: true +rhel_08_010359: true rhel_08_010360: true rhel_08_010372: true rhel_08_010373: true rhel_08_010374: true +rhel_08_010379: true rhel_08_010380: true rhel_08_010381: true rhel_08_010382: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a03e1ebf..0f47e26e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -996,7 +996,7 @@ check_mode: false register: rhel_08_010331_directories - - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions" + - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Alert on permissions" debug: msg: - "Alert! There are library directories that have permessions set to more permissive than 755" 
@@ -1017,11 +1017,112 @@ - rhel8stig_disruption_high - rhel_08_010331_directories.stdout | length > 0 when: + - rhel_08_010331 + tags: - RHEL-08-010331 - CAT2 - CCI-001499 - SV-251707r809345_rule - V-251707 + - permissions + +- name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root." + block: + - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Get directories" + shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010341_directories + + - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Alert on permissions" + debug: + msg: + - "Alert! There are library directories that are not owned by root" + - "To conform to STIG standards, please review these directories and change owner to root" + - "{{ rhel_08_010341_directories.stdout_lines }}" + when: + - rhel_08_010341_directories.stdout | length > 0 + - not rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root. | Set permissions" + file: + path: "{{ item }}" + state: directory + owner: root + with_items: + - "{{ rhel_08_010341_directories.stdout_lines }}" + when: + - rhel_08_010341_directories.stdout | length > 0 + - rhel8stig_disruption_high + when: + - rhel_08_010341 + tags: + - RHEL-08-010341 + - CAT2 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-251708r810012_rule + - V-251708 + - permissions + +- name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account." + block: + - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Get directories" + shell: find /lib /lib64 /usr/lib /usr/lib64 ! 
-group root -type d + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010351_directories + + - debug: var=rhel_08_010351_directories + + - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Alert on permissions" + debug: + msg: + - "Alert! There are library directories that are not group owned by root." + - "To conform to STIG standards, please review these directories and change group owner to root" + - "{{ rhel_08_010351_directories.stdout_lines }}" + when: + - rhel_08_010351_directories.stdout | length > 0 + - not rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account. | Set permissions" + file: + path: "{{ item }}" + state: directory + group: root + with_items: + - "{{ rhel_08_010351_directories.stdout_lines }}" + when: + - rhel_08_010351_directories.stdout | length > 0 + - rhel8stig_disruption_high + when: + - rhel_08_010351 + tags: + - RHEL-08-010351 + - CAT2 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-251709r810014_rule + - V-251709 + - permissions + +- name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions." + package: + name: aide + state: present + when: + - rhel_08_010359 + - "'aide' not in ansible_facts.packages" + tags: + - RHEL-08-010359 + - CAT2 + - CCI-002696 + - SRG-OS-000445-GPOS-00199 + - SV-251710r809354_rule + - V-251710 + - aide - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." cron: 
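Review bot: The 010351 audit uses `find ... ! -group root`, but the control title allows group ownership by root *or a system account*, so any library directory group-owned by a legitimate system group is reported as a finding and, under `rhel8stig_disruption_high`, forcibly changed to root; if "system account" means a GID below the interactive range, the filter should be `find /lib /lib64 /usr/lib /usr/lib64 -type d ! -group root -gid +{{ rhel8stig_int_gid - 1 }}`. A stray `- debug: var=rhel_08_010351_directories` dump was left in the block. 010359 gates on `'aide' not in ansible_facts.packages`, which only works if `package_facts` was gathered earlier in the play — confirm the prelim tasks do this, otherwise the condition raises an undefined-attribute error. All three `find` tasks could use `command:` rather than `shell:`.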
@@ -1103,6 +1204,22 @@ - V-230268 - sysctl +- name: "MEDIUM | RHEL-08-010379 | PATCH | RHEL 8 must specify the default 'include' directory for the /etc/sudoers file." + lineinfile: + path: /etc/sudoers + regex: '^#includedir' + line: '#includedir /etc/sudoers.d' + when: + - rhel_08_010379 + tags: + - RHEL-08-010379 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251711r810015_rule + - V-251711 + - sudoers + - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." replace: path: "{{ item }}" From 3c0529f7ce11fc8a40c5b320e1715f2ce1ee0880 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 31 Jan 2022 13:17:20 -0500 Subject: [PATCH 078/101] Updaetd and added 010383, 010384, 010385, 010560, 010572, 020100, 020101, 020102, 020103, and 010204 Signed-off-by: George Nalen --- defaults/main.yml | 10 +++ tasks/fix-cat2.yml | 184 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 166 insertions(+), 28 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 71511161..99a1fd36 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -256,6 +256,10 @@ rhel_08_020081: true rhel_08_020082: true rhel_08_020090: true rhel_08_020100: true +rhel_08_020101: true +rhel_08_020102: true +rhel_08_020103: true +rhel_08_020104: true rhel_08_020110: true rhel_08_020120: true rhel_08_020130: true @@ -694,6 +698,12 @@ rhel8stig_shell_session_timeout: # Timeout value is in seconds. (60 seconds * 10 = 600) rhel8stig_ssh_session_timeout: 600 +# RHEL-08-020102 +# RHEL-08-020103 +# rhel8stig_pam_pwquality_retry is the number of retries set to the password required pam_pwquality.so in system and password auth files +# To conform to STIG standards this value needs to be 3 or less +rhel8stig_pam_pwquality_retry: 3 + # RHEL-08-020320 # If vsftpd is required, remove 'ftp' from rhel8stig_unnecessary_accounts. # diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0f47e26e..668d2d00 100644 
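Review bot: The `lineinfile` for 010379 matches only `^#includedir`, so if the host's sudoers already uses the newer `@includedir /etc/sudoers.d` spelling that line is left in place and a second `#includedir` directive is appended, which (depending on the sudo version) may cause `/etc/sudoers.d` to be processed twice; widening the match to `regexp: '^[#@]includedir\s+/etc/sudoers\.d'` keeps the file to a single directive. Since this task edits `/etc/sudoers` directly, any malformed result locks out privilege escalation, so the edit should be guarded by `visudo -c` validation.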
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1209,6 +1209,7 @@ path: /etc/sudoers regex: '^#includedir' line: '#includedir /etc/sudoers.d' + validate: '/usr/sbin/visudo -cf %s' when: - rhel_08_010379 tags: @@ -1694,22 +1695,22 @@ - V-230296 - ssh -- name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." - service: - name: auditd - state: started - enabled: yes - when: - - rhel_08_010560 - - not system_is_container - tags: - - RHEL-08-010560 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230297r627750_rule - - V-230297 - - auditd +# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." +# service: +# name: auditd +# state: started +# enabled: yes +# when: +# - rhel_08_010560 +# - not system_is_container +# tags: +# - RHEL-08-010560 +# - CAT2 +# - CCI-000366 +# - SRG-OS-000480-GPOS-00227 +# - SV-230297r627750_rule +# - V-230297 +# - auditd - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." service: @@ -1791,7 +1792,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-244530r743839_rule + - SV-244530r809336_rule - V-244530 - mounts - efi 
@@ -3448,29 +3449,141 @@ - V-230355 - authentication -- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." +- name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + path: /etc/pam.d/password-auth + regexp: '^password required pam_pwquality.so' + line: 'password required pam_pwquality.so' insertafter: '^password' owner: root group: root mode: 0640 - with_items: - - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } - - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } when: - rhel_08_020100 tags: - RHEL-08-020100 - CAT2 - - CCI-000192 + - CCI-000366 - SRG-OS-000069-GPOS-00037 - - SV-230356r627750_rule + - SV-230356r809379_rule - V-230356 - pamd +- name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^password required pam_pwquality.so' + line: 'password required pam_pwquality.so' + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: + - rhel_08_020101 + tags: + - RHEL-08-020101 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251713r810407_rule + - V-251713 + - pamd + +- name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less." + block: + - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. 
| Get pam_pwquality state" + shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" + changed_when: false + failed_when: false + register: rhel_08_020102_pwquality_status + + - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" + lineinfile: + path: /etc/pam.d/system-auth + line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020102_pwquality_status.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" + pamd: + name: system-auth + type: password + control: required + module_path: pam_pwquality.so + module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' + state: args_present + when: rhel_08_020102_pwquality_status.stdout | length > 0 + when: + - rhel_08_020102 + - ansible_distribution_version <= "8.4" + tags: + - RHEL-08-020102 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251714r810410_rule + - V-251714 + - pamd + +- name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less." + block: + - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. 
| Get pam_pwquality state" + shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" + changed_when: false + failed_when: false + register: rhel_08_020103_pwquality_status + + - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" + lineinfile: + path: /etc/pam.d/password-auth + line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020103_pwquality_status.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" + pamd: + name: password-auth + type: password + control: required + module_path: pam_pwquality.so + module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' + state: args_present + when: rhel_08_020103_pwquality_status.stdout | length > 0 + when: + - rhel_08_020103 + - ansible_distribution_version <= "8.4" + tags: + - RHEL-08-020103 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251715r810412_rule + - V-251715 + - pamd + +- name: "MEDIUM | RHEL-08-020104 | PATCH | RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less." 
+ lineinfile: + path: /etc/security/pwquality.conf + regexp: '^retry =|^#.*retry =' + line: retry = {{ rhel8stig_pam_pwquality_retry }} + when: + - rhel_08_020104 + - ansible_distribution_version >= "8.4" + tags: + - RHEL-08-020104 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251716r809372_rule + - V-251716 + - pamd + - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." lineinfile: path: /etc/security/pwquality.conf @@ -7357,7 +7470,7 @@ - CAT2 - CCI-002227 - SRG-OS-000480-GPOS-00227 - - SV-237642r646896_rule + - SV-237642r809326_rule - V-237642 - sudo @@ -7394,6 +7507,21 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-237643r792980_rule + - SV-237643r809328_rule - V-237643 - sudo + +- name: "MEDIUM | RHEL-08-010385 | PATCH | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation." + lineinfile: + path: /etc/pam.d/sudo + regex: 'pam_succeed_if' + state: absent + when: + - rhel_08_010385 + tags: + - RHEL-08-010385 + - CAT2 + - CCI-002038 + - SRG-OS-000373-GPOS-00156 + - SV-251712r810017_rule + - V-251712 From b5a2af06bc08b5887d25c4de61063e92a3d2c14a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 31 Jan 2022 15:05:03 -0500 Subject: [PATCH 079/101] updated and added 020221, 030050, 030200, 030360,030361, 030420, 030480, 030490, 030210, 030220, 030230, 030240, 030270, 030362, 030363, 030364, 030365, 030380, 030430, 030440, 030450, 030460, 030470, 030500, 030510, 030520, 030530, 030540, 030660, 040320, and 040321 Signed-off-by: George Nalen --- defaults/main.yml | 43 ++- tasks/fix-cat2.yml | 902 ++++++++++++++++++++++++--------------------- 2 files changed, 504 insertions(+), 441 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 99a1fd36..512f5b99 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
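Review bot: The `Set if no pw required pam_pwquality` step of RHEL-08-020102 writes `line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'` — the doubled `pp` puts a line with an unknown module type into /etc/pam.d/system-auth, so the retry limit is never applied there while the task still reports changed; the password-auth twin under RHEL-08-020103 has the correct `password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}`. The version gates are plain string comparisons: `ansible_distribution_version <= "8.4"` and `>= "8.4"` both hold on 8.4 itself, so that release gets the PAM argument and the pwquality.conf edit, and a future "8.10" sorts before "8.4" and would be treated as pre-8.4; `ansible_distribution_version is version('8.4', '<')` and `is version('8.4', '>=')` compare numerically. The audit steps' `shell: cat … | grep …` can be `command: grep "password.*required.*pam_pwquality.so" /etc/pam.d/system-auth` with the same register, and `mode: 0640` is better written `mode: '0640'` so YAML cannot retype the octal.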
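Review bot: The RHEL-08-010385 task's tag list stops at `- V-251712`, without the trailing category tag that the neighbouring sudo tasks in this hunk carry (`- sudo`), so a run limited with `--tags sudo` will skip it; add `- sudo`. It also uses `regex:` where the rest of the file spells the lineinfile option `regexp:`.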
@@ -272,6 +272,7 @@ rhel_08_020190: true rhel_08_020200: true rhel_08_020210: true rhel_08_020220: true +rhel_08_020221: true rhel_08_020230: true rhel_08_020231: true rhel_08_020240: true @@ -292,7 +293,7 @@ rhel_08_030010: true rhel_08_030020: true rhel_08_030030: true rhel_08_030040: true -rhel_08_030050: true +# rhel_08_030050: true rhel_08_030060: true rhel_08_030061: true rhel_08_030062: true @@ -315,13 +316,13 @@ rhel_08_030180: true rhel_08_030181: true rhel_08_030190: true rhel_08_030200: true -rhel_08_030210: true -rhel_08_030220: true -rhel_08_030230: true -rhel_08_030240: true +# rhel_08_030210: true +# rhel_08_030220: true +# rhel_08_030230: true +# rhel_08_030240: true rhel_08_030250: true rhel_08_030260: true -rhel_08_030270: true +# rhel_08_030270: true rhel_08_030280: true rhel_08_030290: true rhel_08_030300: true @@ -341,28 +342,28 @@ rhel_08_030340: true rhel_08_030350: true rhel_08_030360: true rhel_08_030361: true -rhel_08_030362: true -rhel_08_030363: true -rhel_08_030364: true -rhel_08_030365: true +# rhel_08_030362: true +# rhel_08_030363: true +# rhel_08_030364: true +# rhel_08_030365: true rhel_08_030370: true -rhel_08_030380: true +# rhel_08_030380: true rhel_08_030390: true rhel_08_030400: true rhel_08_030410: true rhel_08_030420: true -rhel_08_030430: true -rhel_08_030440: true -rhel_08_030450: true -rhel_08_030460: true +# rhel_08_030430: true +# rhel_08_030440: true +# rhel_08_030450: true +# rhel_08_030460: true rhel_08_030470: true rhel_08_030480: true rhel_08_030490: true -rhel_08_030500: true -rhel_08_030510: true -rhel_08_030520: true -rhel_08_030530: true -rhel_08_030540: true +# rhel_08_030500: true +# rhel_08_030510: true +# rhel_08_030520: true +# rhel_08_030530: true +# rhel_08_030540: true rhel_08_030550: true rhel_08_030560: true rhel_08_030570: true 
@@ -445,6 +446,7 @@ rhel_08_040285: true rhel_08_040286: true rhel_08_040290: true rhel_08_040320: true +rhel_08_040321: true rhel_08_040330: true rhel_08_040340: true rhel_08_040341: true @@ -719,6 +721,7 @@ rhel8stig_unnecessary_accounts: rhel8stig_remove_unnecessary_user_files: no # RHEL-08-020220 +# RHEL-08-020221 # pam_pwhistory settings - Verify the operating system prohibits password reuse for a minimum of five generations. rhel8stig_pam_pwhistory: remember: 5 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 668d2d00..18c7abaa 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -3862,6 +3862,45 @@
 - V-230368
 - pamd
 
+- name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations."
+ block:
+ - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state "
+ shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020221_pwhistory_status
+
+ - debug: var=rhel_08_020221_pwhistory_status
+ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory"
+ lineinfile:
+ path: /etc/pam.d/system-auth
+ line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}"
+ insertafter: '^password'
+ owner: root
+ group: root
+ mode: 0640
+ when: rhel_08_020221_pwhistory_status.stdout | length == 0
+
+ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists"
+ pamd:
+ name: system-auth
+ type: password
+ control: required
+ module_path: pam_pwhistory.so
+ module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}'
+ state: args_present
+ when: rhel_08_020221_pwhistory_status.stdout | length > 0
+ when:
+ - rhel_08_020221
+ tags:
+ - RHEL-08-020221
+ - CAT2
+ - CCI-000200
+ - SRG-OS-000077-GPOS-00045
+ - SV-251717r810415_rule
+ - V-251717
+ - pamd
+
 - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
 lineinfile:
 path: /etc/security/pwquality.conf
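Review bot: The `- debug: var=rhel_08_020221_pwhistory_status` task in the RHEL-08-020221 block looks like leftover development output: it dumps the full grep result on every run, has no name, and breaks the `MEDIUM | … | AUDIT/PATCH | …` naming every other task here follows; drop it. The audit step's `shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so"` can be `command: grep "password.*required.*pam_pwhistory.so" /etc/pam.d/system-auth` with the same `register`, avoiding a shell and the useless cat. `mode: 0640` is an unquoted octal; write `mode: '0640'` so YAML cannot reinterpret it.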
@@ -4348,21 +4387,21 @@ - V-230390 - auditd -- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action =' - line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" - when: - - rhel_08_030050 - tags: - - RHEL-08-030050 - - CAT2 - - CCI-000140 - - SRG-OS-000047-GPOS-00023 - - SV-230391r743998_rule - - V-230391 - - auditd +# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." +# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^max_log_file_action =' +# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" +# when: +# - rhel_08_030050 +# tags: +# - RHEL-08-030050 +# - CAT2 +# - CCI-000140 +# - SRG-OS-000047-GPOS-00023 +# - SV-230391r743998_rule +# - V-230391 +# - auditd - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." lineinfile: 
@@ -4783,10 +4822,10 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030200
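Review bot: The combined xattr rules are added with a `lineinfile` that has `line:` but no `regexp:`, so on a host already remediated by an earlier version of this role the old single-syscall rules (`-S lremovexattr`, `-S removexattr`, and the rest from the tasks this commit comments out) stay in /etc/audit/rules.d/audit.rules beside the new ones, leaving overlapping rules that produce duplicate events and that an auditor diffing the file against the STIG check will have to explain. Anchoring each item with a `regexp` on its distinguishing part (`arch=b32`/`b64` plus the `auid` filter and `-k perm_mod`), or adding a `state: absent` task for the retired lines, makes the upgrade idempotent. The same applies to the merged module_chng and delete rules at `@@ -5207,8 +5246,8 @@` and `@@ -5226,8 +5265,8 @@`, and to the perm_access rules at `@@ -5407,10 +5446,10 @@`.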
@@ -4795,93 +4834,93 @@ - CAT2 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230413r627750_rule + - SV-230413r810463_rule - V-230413 - auditd -- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030210 - tags: - - RHEL-08-030210 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230414r627750_rule - - V-230414 - - auditd +# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030210 +# tags: +# - RHEL-08-030210 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230414r627750_rule +# - V-230414 +# - auditd -- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030220 - tags: - - RHEL-08-030220 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230415r627750_rule - - V-230415 - - auditd +# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030220 +# tags: +# - RHEL-08-030220 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230415r627750_rule +# - V-230415 +# - auditd -- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030230 - tags: - - RHEL-08-030230 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230416r627750_rule - - V-230416 - - auditd +# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030230 +# tags: +# - RHEL-08-030230 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230416r627750_rule +# - V-230416 +# - auditd -- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030240 - tags: - - RHEL-08-030240 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230417r627750_rule - - V-230417 - - auditd +# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030240 +# tags: +# - RHEL-08-030240 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230417r627750_rule +# - V-230417 +# - auditd - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." lineinfile: 
@@ -4915,26 +4954,26 @@ - V-230419 - auditd -- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030270 - tags: - - RHEL-08-030270 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230420r627750_rule - - V-230420 - - auditd +# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030270 +# tags: +# - RHEL-08-030270 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230420r627750_rule +# - V-230420 +# - auditd - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." lineinfile: 
@@ -5207,8 +5246,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
 notify: restart auditd
 when:
 - rhel_08_030360
@@ -5217,7 +5256,7 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-230438r627750_rule
+ - SV-230438r810464_rule
 - V-230438
 - auditd
 
@@ -5226,8 +5265,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
 notify: restart auditd
 when:
 - rhel_08_030361
@@ -5236,85 +5275,85 @@ - CAT2 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230439r627750_rule + - SV-230439r810465_rule - V-230439 - auditd -- name: "MEDIUM | RHEL-08-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030362 - tags: - - RHEL-08-030362 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230440r627750_rule - - V-230440 - - auditd +# - name: "MEDIUM | RHEL-08-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030362 +# tags: +# - RHEL-08-030362 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230440r627750_rule +# - V-230440 +# - auditd -- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030363 - tags: - - RHEL-08-030363 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230441r627750_rule - - V-230441 - - auditd +# - name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030363 +# tags: +# - RHEL-08-030363 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230441r627750_rule +# - V-230441 +# - auditd -- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030364 - tags: - - RHEL-08-030364 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230442r627750_rule - - V-230442 - - auditd +# - name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030364 +# tags: +# - RHEL-08-030364 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230442r627750_rule +# - V-230442 +# - auditd -- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030365 - tags: - - RHEL-08-030365 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230443r627750_rule - - V-230443 - - auditd +# - name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030365 +# tags: +# - RHEL-08-030365 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230443r627750_rule +# - V-230443 +# - auditd - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." lineinfile: 
@@ -5332,24 +5371,24 @@ - V-230444 - auditd -- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030380 - tags: - - RHEL-08-030380 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230445r627750_rule - - V-230445 - - auditd +# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030380 +# tags: +# - RHEL-08-030380 +# - CAT2 +# - CCI-000169 +# - SRG-OS-000062-GPOS-00031 +# - SV-230445r627750_rule +# - V-230445 +# - auditd - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." lineinfile: 
@@ -5407,10 +5446,10 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
 notify: restart auditd
 when:
 - rhel_08_030420
@@ -5419,122 +5458,122 @@
- CAT2
- CCI-000169
- SRG-OS-000062-GPOS-00031
- - SV-230449r627750_rule
+ - SV-230449r810455_rule
- V-230449
- auditd
-- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030430
- tags:
- - RHEL-08-030430
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230450r627750_rule
- - V-230450
- - auditd
+# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# notify: restart auditd
+# when:
+# - rhel_08_030430
+# tags:
+# - RHEL-08-030430
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230450r627750_rule
+# - V-230450
+# - auditd
-- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030440
- tags:
- - RHEL-08-030440
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230451r627750_rule
- - V-230451
- - auditd
+# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# notify: restart auditd
+# when:
+# - rhel_08_030440
+# tags:
+# - RHEL-08-030440
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230451r627750_rule
+# - V-230451
+# - auditd
-- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030450
- tags:
- - RHEL-08-030450
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230452r627750_rule
- - V-230452
- - auditd
+# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# notify: restart auditd
+# when:
+# - rhel_08_030450
+# tags:
+# - RHEL-08-030450
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230452r627750_rule
+# - V-230452
+# - auditd
-- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030460
- tags:
- - RHEL-08-030460
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230453r627750_rule
- - V-230453
- - auditd
+# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# notify: restart auditd
+# when:
+# - rhel_08_030460
+# tags:
+# - RHEL-08-030460
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230453r627750_rule
+# - V-230453
+# - auditd
-- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030470
- tags:
- - RHEL-08-030470
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230454r627750_rule
- - V-230454
- - auditd
+# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+# notify: restart auditd
+# when:
+# - rhel_08_030470
+# tags:
+# - RHEL-08-030470
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230454r627750_rule
+# - V-230454
+# - auditd
- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
lineinfile:
path: /etc/audit/rules.d/audit.rules
line: "{{ item }}"
with_items:
- - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
notify: restart auditd
when:
- rhel_08_030480
@@ -5543,7 +5582,7 @@
- CAT2
- CCI-000169
- SRG-OS-000062-GPOS-00031
- - SV-230455r627750_rule
+ - SV-230455r810459_rule
- V-230455
- auditd
@@ -5552,8 +5591,8 @@
path: /etc/audit/rules.d/audit.rules
line: "{{ item }}"
with_items:
- - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
notify: restart auditd
when:
- rhel_08_030490
@@ -5562,104 +5601,104 @@
- CAT2
- CCI-000169
- SRG-OS-000062-GPOS-00031
- - SV-230456r627750_rule
+ - SV-230456r810462_rule
- V-230456
- auditd
-- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030500
- tags:
- - RHEL-08-030500
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230457r627750_rule
- - V-230457
- - auditd
+# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030500
+# tags:
+# - RHEL-08-030500
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230457r627750_rule
+# - V-230457
+# - auditd
-- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030510
- tags:
- - RHEL-08-030510
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230458r627750_rule
- - V-230458
- - auditd
+# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030510
+# tags:
+# - RHEL-08-030510
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230458r627750_rule
+# - V-230458
+# - auditd
-- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030520
- tags:
- - RHEL-08-030520
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230459r627750_rule
- - V-230459
- - auditd
+# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030520
+# tags:
+# - RHEL-08-030520
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230459r627750_rule
+# - V-230459
+# - auditd
-- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030530
- tags:
- - RHEL-08-030530
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230460r627750_rule
- - V-230460
- - auditd
+# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030530
+# tags:
+# - RHEL-08-030530
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230460r627750_rule
+# - V-230460
+# - auditd
-- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030540
- tags:
- - RHEL-08-030540
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230461r627750_rule
- - V-230461
- - auditd
+# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030540
+# tags:
+# - RHEL-08-030540
+# - CAT2
+# - CCI-000169
+# - SRG-OS-000062-GPOS-00031
+# - SV-230461r627750_rule
+# - V-230461
+# - auditd
- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
lineinfile:
@@ -5906,7 +5945,7 @@
- CAT2
- CCI-001849
- SRG-OS-000341-GPOS-00132
- - SV-230476r627750_rule
+ - SV-230476r809313_rule
- V-230476
- auditd
@@ -7204,21 +7243,42 @@
- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved."
package:
- name: xorg-x11-server-common
+ name:
+ - xorg-x11-server-Xorg
+ - xorg-x11-server-common
+ - xorg-x11-server-utils
+ - xorg-x11-server-Xwayland
state: absent
+ notify: change_requires_reboot
when:
- rhel_08_040320
- not rhel8stig_gui
- - "'xorg-x11-server-common' in ansible_facts.packages"
+ - "'xorg-x11-server-Xorg' in ansible_facts.packages or 'xorg-x11-server-common' in ansible_facts.packages or 'xorg-x11-server-utils' in ansible_facts.packages or 'xorg-x11-server-Xwayland' in ansible_facts.packages"
tags:
- RHEL-08-040320
- CAT2
- CCI-000366
- SRG-OS-000480-GPOS-00227
- - SV-230553r646886_rule
+ - SV-230553r809324_rule
- V-230553
- gui
+- name: "MEDIUM | RHEL-08-040321 | PATCH | The graphical display manager must not be the default target on RHEL 8 unless approved."
+ file:
+ src: /usr/lib/systemd/system/multi-user.target
+ dest: /etc/systemd/system/default.target
+ state: link
+ when:
+ - rhel_08_040321
+ tags:
+ - RHEL-08-040321
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-251718r809378_rule
+ - V-251718
+ - systemctl
- name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode."
block:
- name: "MEDIUM | RHEL-08-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode"
From a88c52741f26aad7ac18a058cf3eeb023593c1f9 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 31 Jan 2022 15:44:32 -0500 Subject: [PATCH 080/101] updated 010294 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 18c7abaa..73f1c484 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
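Review bot: The new RHEL-08-040321 task is gated only on `rhel_08_040321`, whereas the 040320 task directly above it also carries `- not rhel8stig_gui`; with `rhel8stig_gui` set to true (a GUI that is "approved", which is exactly the exception the control title names) the role would still repoint default.target at multi-user and boot the host without its display manager. Add `- not rhel8stig_gui` under the new task's `when:` so the two controls honour the same approval switch. A smaller point: `file: state: link` refuses to replace an existing regular file unless `force: true` is set, so if any image ships default.target as a file rather than a symlink this task fails rather than remediates; I cannot tell from the hunk whether that case matters here.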
@@ -856,11 +856,25 @@
- fips
- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."
- lineinfile:
- path: /etc/crypto-policies/back-ends/opensslcnf.config
- regexp: '^MinProtocol ='
- line: "MinProtocol = TLSv1.2"
- notify: change_requires_reboot
+ block:
+ - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."
+ lineinfile:
+ path: /etc/crypto-policies/back-ends/opensslcnf.config
+ regexp: '^MinProtocol ='
+ line: "MinProtocol = TLSv1.2"
+ notify: change_requires_reboot
+ when: ansible_facts.packages['crypto-policies'][0].version | int < 20210617
+
+ - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."
+ lineinfile:
+ path: /etc/crypto-policies/back-ends/opensslcnf.config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ notify: change_requires_reboot
+ with_items:
+ - { regexp: '^TLS.MinProtocol = ', line: "TLS.MinProtocol = TLSv1.2" }
+ - { regexp: '^DTLS.MinProtocol =', line: "DTLS.MinProtocol = DTLSv1.2" }
+ when: ansible_facts.packages['crypto-policies'][0].version | int >= 20210617
when:
- rhel_08_010294
tags:
From 737f6849f9dc42782b76973111cbfcf00102e704 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 1 Feb 2022 14:30:10 -0500 Subject: [PATCH 081/101] updated 020041 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 73f1c484..14c3d7bd 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
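Review bot: Both inner `when:` expressions index `ansible_facts.packages['crypto-policies'][0]` unconditionally, so on a host where package facts were not gathered or the package is absent the task errors out with an undefined variable instead of skipping; a leading guard such as `"'crypto-policies' in ansible_facts.packages"` on each inner task (or on the block) would make the failure mode explicit. The two inner tasks also carry byte-identical names, which makes the play output and `--list-tasks` ambiguous; suffix them, e.g. `| crypto-policies < 20210617` and `| crypto-policies >= 20210617`. Worth a comment on the block: the files under /etc/crypto-policies/back-ends are generated by update-crypto-policies, so an edit made here is expected to be overwritten the next time the system policy is (re)applied, which matters for anyone re-auditing the control later.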
@@ -3259,11 +3259,17 @@
- V-230348
- tmux
-- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
- lineinfile:
- path: /etc/bashrc
- regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
- line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
+- name: "MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization. | Set tmux.sh if file exists"
+ blockinfile:
+ path: /etc/profile.d/tmux.sh
+ marker: "# "
+ block: |
+ if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in (sshd|login) exec tmux ;; esac
+ fi
+ create: true
when:
- rhel_08_020041
tags:
From 858a219ebef82f6b2e155e2e96dc298c2649c5d8 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 1 Feb 2022 16:06:14 -0500 Subject: [PATCH 082/101] moved auditd controls to single template in handlers Signed-off-by: George Nalen --- handlers/main.yml | 9 ++ tasks/fix-cat2.yml | 245 +++++++++++------------------ templates/audit/99_auditd.rules.j2 | 127 +++++++++++++++ 3 files changed, 227 insertions(+), 154 deletions(-) create mode 100644 templates/audit/99_auditd.rules.j2
diff --git a/handlers/main.yml b/handlers/main.yml
index c75c8a34..bb00e60c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -92,6 +92,15 @@
- not rhel8stig_system_is_chroot
- not system_is_container
+- name: update auditd
+ template:
+ src: audit/99_auditd.rules.j2
+ dest: /etc/audit/rules.d/99_auditd.rules
+ owner: root
+ group: root
+ mode: 0600
+ notify: restart auditd
+
- name: restart auditd
command: /usr/sbin/service auditd restart
args:
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 14c3d7bd..47902a2e 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
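Review bot: `marker: "# "` contains no `{mark}` placeholder, so blockinfile's BEGIN and END markers render as the same line and the module cannot bracket the block it wrote; as far as I can tell from the module's marker handling that makes the task re-insert the block on every run instead of converging, so /etc/profile.d/tmux.sh grows an extra copy of the `exec tmux` guard each time the role is applied. Use a distinguishable marker, e.g. `marker: "# {mark} ANSIBLE MANAGED BLOCK RHEL-08-020041"`. The previous implementation's line in /etc/bashrc is also left behind on hosts remediated before this change, so both mechanisms stay active there; a companion `lineinfile` with `state: absent` for the old `[ -n "$PS1" -a -z "$TMUX" ] && exec tmux` line would retire it. The task name says "if file exists" but `create: true` creates the file, so the name no longer describes the behaviour.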
@@ -4317,15 +4317,8 @@
- umask
- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' }
- - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' }
- - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' }
- - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030000
@@ -4821,10 +4814,8 @@
- auditd
- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
- line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030190
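Review bot: The replacement tasks are `debug` modules that keep `notify: restart auditd`, but nothing in this commit notifies the new `update auditd` handler, and `debug` never reports changed, so unless a `changed_when: true` or another notifier exists outside these hunks the template is never rendered and every control converted here (this hunk and the -4821, -4838, -4943, -4959, -4996, -5012, -5027, -5069, -5086, -5102, -5118, -5134, -5150, -5166, -5182 and -5198 hunks) stops being remediated while the old `lineinfile` rules are gone. Each converted task needs `changed_when: true` and `notify: update auditd`; the handler already chains to `restart auditd` itself. The message text also names `/etc/audit.d/99_auditd.rules`, which does not match the handler's `dest: /etc/audit/rules.d/99_auditd.rules`, so the path reported to operators is wrong. The rules earlier runs wrote into /etc/audit/rules.d/audit.rules are not removed either, so previously remediated hosts will load both sets.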
@@ -4838,14 +4829,8 @@
- auditd
- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030200
@@ -4943,9 +4928,8 @@
# - auditd
- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030250
@@ -4959,9 +4943,8 @@
- auditd
- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030260
@@ -4996,9 +4979,8 @@
# - auditd
- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030280
@@ -5012,9 +4994,8 @@
- auditd
- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030290
@@ -5027,36 +5008,24 @@
- V-230422
- auditd
-- name: |
- "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
- "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
- - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
- - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+- name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- - rhel_08_030300 or
- rhel_08_030302
+ - rhel_08_030300
tags:
- - CAT2
- RHEL-08-030300
- - RHEL-08-030302
+ - CAT2
- CCI-000169
- SRG-OS-000062-GPOS-00031
- SV-230423r627750_rule
- - SV-230425r627750_rule
- V-230423
- - V-230425
- auditd
- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030301
@@ -5069,10 +5038,24 @@
- V-230424
- auditd
+- name: "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ notify: restart auditd
+ when:
+ - rhel_08_030302
+ tags:
+ - RHEL-08-030302
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230425r627750_rule
+ - V-230425
+ - auditd
+
- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030310
@@ -5086,9 +5069,8 @@
- auditd
- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030311
@@ -5102,9 +5084,8 @@
- auditd
- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: restart auditd
when:
- rhel_08_030312
@@ -5118,9 +5099,8 @@ - auditd - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030313 @@ -5134,9 +5114,8 @@ - auditd - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030314 @@ -5150,9 +5129,8 @@ - auditd - name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030315 
@@ -5166,9 +5144,8 @@ - auditd - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030316 @@ -5182,9 +5159,8 @@ - auditd - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030317 @@ -5198,9 +5174,8 @@ - auditd - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030320 
@@ -5214,9 +5189,8 @@ - auditd - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030330 @@ -5230,9 +5204,8 @@ - auditd - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030340 @@ -5246,9 +5219,8 @@ - auditd - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030350 
@@ -5262,12 +5234,8 @@ - auditd - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030360 @@ -5281,12 +5249,8 @@ - auditd - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030361 @@ -5376,9 +5340,8 @@ # - auditd - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030370 
@@ -5411,12 +5374,8 @@ # - auditd - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030390 @@ -5430,9 +5389,8 @@ - auditd - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030400 @@ -5446,9 +5404,8 @@ - auditd - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030410 
@@ -5462,15 +5419,9 @@ - auditd - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + notify: restart auditd when: - rhel_08_030420 tags: @@ -5588,12 +5539,8 @@ # - auditd - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030480 
@@ -5607,12 +5554,8 @@ - auditd - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030490 @@ -5721,9 +5664,8 @@ # - auditd - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030550 @@ -5737,9 +5679,8 @@ - auditd - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030560 
@@ -5753,9 +5694,8 @@ - auditd - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030570 @@ -5769,9 +5709,8 @@ - auditd - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030580 @@ -5785,9 +5724,8 @@ - auditd - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "-w {{ rhel8stig_pam_faillock.dir }} -p wa -k logins" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030590 @@ -5801,9 +5739,8 @@ - auditd - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /var/log/lastlog -p wa -k logins + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" notify: restart auditd when: - rhel_08_030600 diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 new file mode 100644 index 00000000..9fb3c9e0 --- /dev/null 
+++ b/templates/audit/99_auditd.rules.j2 
@@ -0,0 +1,127 @@
+# This template will set all of the auditd configurations via a handler in the role in one task instead of individually
+{% if rhel_08_030000 %}
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
+{% endif %}
+{% if rhel_08_030190 %}
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change
+{% endif %}
+{% if rhel_08_030200 %}
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+{% endif %}
+{% if rhel_08_030250 %}
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
+{% endif %}
+{% if rhel_08_030260 %}
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030280 %}
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+{% endif %}
+{% if rhel_08_030290 %}
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
+{% endif %}
+{% if rhel_08_030300 %}
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+{% endif %}
+{% if rhel_08_030301 %}
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+{% endif %}
+{% if rhel_08_030302 %}
+-a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+{% endif %}
+{% if rhel_08_030310 %}
+-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030311 %}
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030312 %}
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030313 %}
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030314 %}
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030315 %}
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030316 %}
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030317 %}
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030320 %}
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+{% endif %}
+{% if rhel_08_030330 %}
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030340 %}
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
+{% endif %}
+{% if rhel_08_030350 %}
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+{% endif %}
+{% if rhel_08_030360 %}
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+{% endif %}
+{% if rhel_08_030361 %}
+-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+{% endif %}
+{% if rhel_08_030370 %}
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
+{% endif %}
+{% if rhel_08_030390 %}
+-a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+-a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+{% endif %}
+{% if rhel_08_030400 %}
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
+{% endif %}
+{% if rhel_08_030410 %}
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+{% endif %}
+{% if rhel_08_030420 %}
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+{% endif %}
+{% if rhel_08_030480 %}
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030490 %}
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030550 %}
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+{% endif %}
+{% if rhel_08_030560 %}
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
+{% endif %}
+{% if rhel_08_030570 %}
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030580 %}
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+{% endif %}
+{% if rhel_08_030590 %}
+-w {{ rhel8stig_pam_faillock.dir }} -p wa -k logins
+{% endif %}
+{% if rhel_08_030600 %}
+-w /var/log/lastlog -p wa -k logins
+{% endif %}
\ No newline at end of file
From 0f311c8775e788bf87c235b6dd57042d887395f0 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 4 Feb 2022 10:45:26 -0500
Subject: [PATCH 083/101] Changes needed after testing
Signed-off-by: George Nalen
---
 defaults/main.yml | 6 +-
 tasks/fix-cat1.yml | 12 +-
 tasks/fix-cat2.yml | 188 +++++++++++++++++++----------
 tasks/prelim.yml | 6 +-
 templates/ansible_vars_goss.yml.j2 | 42 +++----
 5 files changed, 152 insertions(+), 102 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 512f5b99..5a5f5e50 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -87,6 +87,7 @@ audit_cmd_timeout: 60000
 # CAT 1 rules
 rhel_08_010000: true
 rhel_08_010020: true
+rhel_08_010121: true
 rhel_08_010140: true
 rhel_08_010150: true
 rhel_08_010370: true
@@ -168,6 +169,7 @@ rhel_08_010381: true
 rhel_08_010382: true
 rhel_08_010383: true
 rhel_08_010384: true
+rhel_08_010385: true
 rhel_08_010390: true
 rhel_08_010400: true
 rhel_08_010410: true
@@ -187,7 +189,7 @@ rhel_08_010522: true
 rhel_08_010543: true
 rhel_08_010544: true
 rhel_08_010550: true
-rhel_08_010560: true
+# rhel_08_010560: true
 rhel_08_010561: true
 rhel_08_010570: true
 rhel_08_010571: true
@@ -356,7 +358,7 @@ rhel_08_030420: true
 # rhel_08_030440: true
 # rhel_08_030450: true
 # rhel_08_030460: true
-rhel_08_030470: true
+# rhel_08_030470: true
 rhel_08_030480: true
 rhel_08_030490: true
 # rhel_08_030500: true
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 2175a256..3a17d581 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
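Review bot: The RHEL-08-030580 kmod rule hard-codes `auid>=1000` while every other rule in this template uses the role variable, so a site that sets `rhel8stig_interactive_uid_start` to anything but 1000 gets a different audited-user boundary for kmod than for the rest; make it `-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k modules` (the old lineinfile line carried the same hard-coded value, so this is inherited rather than new). The task messages that point at this template all say the handler writes `/etc/audit.d/99_auditd.rules`, whereas the lineinfile tasks they replace wrote `/etc/audit/rules.d/audit.rules`; augenrules only assembles `/etc/audit/rules.d/*.rules`, so if the handler's `dest` really is under `/etc/audit.d/` none of these rules would be loaded — the handler is not in this diff, so please confirm its destination and fix either the path or the message. The file is also committed without a trailing newline; harmless for the rendered output here since the last rule line ends one, but worth adding so later appends do not glue onto `{% endif %}`.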
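Review bot: In the `@@ -187,7 +189,7 @@` and `@@ -356,7 +358,7 @@` hunks `rhel_08_010560` and `rhel_08_030470` are commented out rather than set to `false`, and the commit message gives no reason. If any task still gates on `when: - rhel_08_010560` (the task files for these two controls are not in this diff), the play now fails on an undefined variable instead of skipping, and a user who wants the control back has to know to uncomment a line instead of flipping a value. Either keep them as real booleans, e.g. `rhel_08_010560: false  # <reason disabled>`, or add a comment on the commented line saying why the control is off, as the existing `# rhel_08_030440: true` entries would also benefit from.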
@@ -137,16 +137,16 @@ - SV-230223r792855_rule - V-230223 -- name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." +- name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." block: - - name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" - command: "awk -F: '!$2 {print $1}' /etc/shadow" + - name: "HIGH | RHEL-08-010121 | AUDIT | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" + shell: "awk -F: '!$2 {print $1}' /etc/shadow" changed_when: false failed_when: false check_mode: false register: rhel_08_010121_no_pw_users - - name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" + - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" debug: msg: - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" @@ -155,7 +155,7 @@ - rhel_08_010121_no_pw_users.stdout | length > 0 - not rhel8stig_disruption_high - - name: "MEDIUM | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Lock accounts with no passwords, disruptive" + - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Lock accounts with no passwords, disruptive" user: name: "{{ item }}" password_lock: yes 
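Review bot: The audit step switches from `command:` to `shell:` although the awk invocation uses no pipes, redirects or shell expansion, so `command: "awk -F: '!$2 {print $1}' /etc/shadow"` should stay (ansible-lint's command-instead-of-shell rule flags this); if the change was made because the quoting failed under `command`, a comment saying so would stop the next reviewer reverting it. More importantly, the retained `failed_when: false` means a non-zero awk exit — for example an unreadable `/etc/shadow` when the role is run without privilege escalation — leaves `stdout` empty, and both the warning and the disruptive lock step then conclude that no password-less accounts exist; `failed_when: rhel_08_010121_no_pw_users.rc != 0` would surface that instead of passing the control silently. The enclosing block continues in the next hunk.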
@@ -165,7 +165,7 @@ - rhel_08_010121_no_pw_users.stdout | length > 0 - rhel8stig_disruption_high when: - - RHEL-08-010121 + - rhel_08_010121 tags: - RHEL-08-010121 - CAT1 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 47902a2e..215d775d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1176,6 +1176,7 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010372 @@ -1191,6 +1192,7 @@ - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010373 @@ -1206,6 +1208,7 @@ - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010374 @@ -1482,6 +1485,7 @@ - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010430 @@ -2156,6 +2160,7 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010671 
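Review bot: `changed_when: true` on a `debug:` task makes RHEL-08-010372, -010373, -010374, -010430 and -010671 report changed on every run and re-fire `update sysctl` even when `/etc/sysctl.d/99-sysctl.conf` is already correct, so the play can never show a clean idempotent second pass and `--check` runs will also report changes; the same pattern is applied to the auditd tasks in the `@@ -4319,7 +4315,8 @@` through `@@ -5116,7 +5126,8 @@` hunks. It does make the handler actually run, which the bare `debug:` tasks never did, so it is an improvement over the previous state. A cleaner shape is to run the template that writes `99-sysctl.conf` (and `99_auditd.rules`) as an ordinary task gated on the union of these control flags, with `notify:` pointing at a handler that only reloads sysctl/auditd, so changed status reflects a real file change.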
@@ -3156,9 +3161,9 @@ "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." shell: "ls -Zd {{ rhel8stig_pam_faillock.dir }}| grep -c faillog_t" - register: faillock_secontext changed_when: false failed_when: false + register: faillock_secontext - name: | "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. 
@@ -3838,39 +3843,31 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" - pamd: - name: password-auth - state: before - type: password - control: sufficient - module_path: pam_unix.so - new_type: password - new_control: required - new_module_path: pam_pwhistory.so - - # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/password-auth" - check_mode: no - changed_when: no - failed_when: rhel_08_020220_pw_hist_settings.rc > 1 - register: rhel_08_020220_pw_hist_settings + - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status" + shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" + changed_when: false + failed_when: false + register: rhel_08_020220_pwhistory_status - # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. 
| Ensure pam_pwhistory module arguments are set" + - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history" + lineinfile: + path: /etc/pam.d/password-auth + line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020220_pwhistory_status.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" pamd: - name: "{{ item.item }}" - state: updated + name: password-auth type: password control: required module_path: pam_pwhistory.so - module_arguments: - - use_authtok - - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} - - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} - with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" - when: item.rc == 1 + module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' + state: args_present + when: rhel_08_020220_pwhistory_status.stdout | length > 0 when: - rhel_08_020220 tags: @@ -3890,7 +3887,6 @@ failed_when: false register: rhel_08_020221_pwhistory_status - - debug: var=rhel_08_020221_pwhistory_status - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" lineinfile: path: /etc/pam.d/system-auth 
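Review bot: `insertafter: '^password'` on the new lineinfile task places the pam_pwhistory line after the last `^password` match in `/etc/pam.d/password-auth` (lineinfile uses the last match unless `firstmatch: true`), which in the stock authselect profiles is after `password sufficient pam_unix.so`; since `sufficient` ends the stack on success, the history check is never evaluated for local users and the control is not actually enforced — the removed `pamd` task placed it `before` `pam_unix.so` for exactly this reason. Use `insertbefore: '^password\s+sufficient\s+pam_unix\.so'` (or `insertafter` on the preceding `pam_pwquality.so` line), and note that the `args_present` branch only ensures `remember=`, so an existing line without `use_authtok` is left as is. The grep task has `changed_when`/`failed_when: false` but not `check_mode: false`, so under `--check` it is skipped and `rhel_08_020220_pwhistory_status.stdout` is undefined in the two `when:` conditions; the removed audit task had `check_mode: no`. Minor: `cat … | grep` can be `grep "password.*required.*pam_pwhistory.so" /etc/pam.d/password-auth`. The block's `when:`/`tags:` continue past this hunk.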
@@ -4319,7 +4315,8 @@ - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030000 tags: @@ -4816,7 +4813,8 @@ - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030190 tags: @@ -4831,7 +4829,8 @@ - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030200 tags: @@ -4930,7 +4929,8 @@ - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030250 tags: @@ -4945,7 +4945,8 @@ - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030260 tags: 
@@ -4981,7 +4982,8 @@ - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030280 tags: @@ -4996,7 +4998,8 @@ - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030290 tags: @@ -5011,7 +5014,8 @@ - name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030300 tags: @@ -5026,7 +5030,8 @@ - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030301 tags: @@ -5041,7 +5046,8 @@ - name: "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030302 tags: 
@@ -5056,7 +5062,8 @@ - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030310 tags: @@ -5071,7 +5078,8 @@ - name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030311 tags: @@ -5086,7 +5094,8 @@ - name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030312 tags: @@ -5101,7 +5110,8 @@ - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030313 tags: @@ -5116,7 +5126,8 @@ - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030314 tags: 
@@ -5131,7 +5142,8 @@ - name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030315 tags: @@ -5146,7 +5158,8 @@ - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030316 tags: @@ -5161,7 +5174,8 @@ - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030317 tags: @@ -5176,7 +5190,8 @@ - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030320 tags: @@ -5191,7 +5206,8 @@ - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030330 tags: 
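Review bot: The `when: rhel_08_0303xx` guards on these tasks now only decide whether `update auditd` is notified; what the handler actually renders into the consolidated rules file is not visible here, so if its template does not gate each rule on the same control variable, setting for example `rhel_08_030316: false` still leaves the setsebool rule in place as soon as any other audit control notifies the handler. Please confirm the handler's template keys every rule on its own `rhel_08_0303xx` variable, and add a comment on the first of these tasks making the split explicit, e.g. `# NOTE: the rule itself is rendered by the 'update auditd' handler; this 'when' only gates the notification`.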
@@ -5206,7 +5222,8 @@ - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030340 tags: @@ -5221,7 +5238,8 @@ - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030350 tags: @@ -5236,7 +5254,8 @@ - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030360 tags: @@ -5251,7 +5270,8 @@ - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030361 tags: @@ -5342,7 +5362,8 @@ - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030370 tags: 
@@ -5376,7 +5397,8 @@ - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030390 tags: @@ -5391,7 +5413,8 @@ - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030400 tags: @@ -5406,7 +5429,8 @@ - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030410 tags: @@ -5421,7 +5445,8 @@ - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030420 tags: @@ -5541,7 +5566,8 @@ - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030480 tags: 
@@ -5556,7 +5582,8 @@ - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030490 tags: @@ -5666,7 +5693,8 @@ - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030550 tags: @@ -5681,7 +5709,8 @@ - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030560 tags: @@ -5696,7 +5725,8 @@ - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030570 tags: @@ -5711,7 +5741,8 @@ - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030580 tags: 
@@ -5726,7 +5757,8 @@ - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030590 tags: @@ -5741,7 +5773,8 @@ - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + changed_when: true + notify: update auditd when: - rhel_08_030600 tags: @@ -6863,6 +6896,7 @@ - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040209 @@ -6878,6 +6912,7 @@ - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040210 @@ -6894,6 +6929,7 @@ - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040220 
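Review bot: The sysctl tasks' message claims the handler writes `/etc/sysctl.d/99-sysctl.conf`, but on RHEL 8 that path is normally shipped as a symlink to `../sysctl.conf`; depending on whether `update sysctl` (not visible here) follows the link or replaces it with a regular file, the role either edits `/etc/sysctl.conf` or shadows it, and a STIG check that greps both locations would see different results in each case. Worth verifying on a stock image and documenting the chosen behaviour next to the handler, e.g. `# 99-sysctl.conf is a symlink to /etc/sysctl.conf on RHEL 8; we intentionally <follow|replace> it`. With `changed_when: true` on a `debug` task, these ICMP-redirect controls also report "changed" every run regardless of system state, so the change count no longer tells an operator whether hardening was actually applied.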
@@ -6909,6 +6945,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040230 @@ -6924,6 +6961,7 @@ - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040239 @@ -6939,6 +6977,7 @@ - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040240 @@ -6955,6 +6994,7 @@ - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040249 @@ -6970,6 +7010,7 @@ - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040250 @@ -6986,6 +7027,7 @@ - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040259 
@@ -7002,6 +7044,7 @@ - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040260 @@ -7018,6 +7061,7 @@ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040261 @@ -7035,6 +7079,7 @@ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040262 @@ -7052,6 +7097,7 @@ - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040270 @@ -7067,6 +7113,7 @@ - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040279 @@ -7082,6 +7129,7 @@ - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040280 
@@ -7098,6 +7146,7 @@ - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040281 @@ -7113,6 +7162,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040282 @@ -7128,6 +7178,7 @@ - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040283 @@ -7143,6 +7194,7 @@ - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040284 @@ -7158,6 +7210,7 @@ - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040285 @@ -7173,6 +7226,7 @@ - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040286 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bbf62faf..642ffe35 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
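Review bot: Writing `kernel.unprivileged_bpf_disabled`, `kernel.yama.ptrace_scope`, `kernel.kptr_restrict` and the user-namespace limit into a file under `/etc/sysctl.d` only persists them; unless `update sysctl` also runs `sysctl --system` (the handler is outside this hunk) the running kernel keeps the old values until reboot, and the STIG checks read the live value. `sysctl --system` also loads `/etc/sysctl.conf` after `/etc/sysctl.d/`, so a pre-existing contrary setting there silently overrides the role — a prelim task that removes conflicting keys from `/etc/sysctl.conf` would close that gap. RHEL-08-040284 (user namespaces) breaks rootless containers and other unprivileged-namespace users; consider gating it on `rhel8stig_disruption_high` like other disruptive controls, or at least adding `# disruptive: disables user namespaces (rootless podman etc.)` on the task.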
@@ -421,4 +421,8 @@ - name: "PRELIM | Section 1.1 | Create list of mount points" set_fact: - mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" \ No newline at end of file + mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" + +# - name: "PRELIM | Get OS Version" +# set_fact: +# os_release: "{{ distribution_version }}" \ No newline at end of file diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ce2d32ae..56622e40 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -42,6 +42,7 @@ rhel8stig_bootloader_path: {{ rhel8stig_bootloader_path }} # Cat 1 rules RHEL_08_010000: {{ rhel_08_010000 }} RHEL_08_010020: {{ rhel_08_010020 }} +RHEL_08_010121: {{ rhel_08_010121 }} RHEL_08_010140: {{ rhel_08_010140 }} RHEL_08_010150: {{ rhel_08_010150 }} RHEL_08_010370: {{ rhel_08_010370 }} @@ -54,6 +55,7 @@ RHEL_08_020331: {{ rhel_08_020331 }} RHEL_08_020332: {{ rhel_08_020332 }} RHEL_08_040000: {{ rhel_08_040000 }} RHEL_08_040010: {{ rhel_08_040010 }} +RHEL_08_040060: {{ rhel_08_040060 }} RHEL_08_040170: {{ rhel_08_040170 }} RHEL_08_040171: {{ rhel_08_040171 }} RHEL_08_040172: {{ rhel_08_040172 }} @@ -76,7 +78,6 @@ RHEL_08_010100: {{ rhel_08_010100 }} RHEL_08_010110: {{ rhel_08_010110 }} RHEL_08_010120: {{ rhel_08_010120 }} RHEL_08_010130: {{ rhel_08_010130 }} -RHEL_08_010131: {{ rhel_08_010131 }} RHEL_08_010141: {{ rhel_08_010141 }} RHEL_08_010149: {{ rhel_08_010149 }} RHEL_08_010151: {{ rhel_08_010151 }} 
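Review bot: The commented-out `PRELIM | Get OS Version` task should not be committed as dead code, and if it is ever uncommented it references `distribution_version`, which does not look like a gathered Ansible fact (the fact is `ansible_distribution_version` / `ansible_facts.distribution_version`). Either drop the block or add a working task; the hunk also still ends with `\ No newline at end of file`, so add the trailing newline while the file is being touched (yamllint `new-line-at-end-of-file`).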
@@ -107,17 +108,23 @@ RHEL_08_010300: {{ rhel_08_010300 }} RHEL_08_010310: {{ rhel_08_010310 }} RHEL_08_010320: {{ rhel_08_010320 }} RHEL_08_010330: {{ rhel_08_010330 }} +RHEL_08_010331: {{ rhel_08_010331 }} RHEL_08_010340: {{ rhel_08_010340 }} +RHEL_08_010341: {{ rhel_08_010341 }} RHEL_08_010350: {{ rhel_08_010350 }} +RHEL_08_010351: {{ rhel_08_010351 }} +RHEL_08_010359: {{ rhel_08_010359 }} RHEL_08_010360: {{ rhel_08_010360 }} RHEL_08_010372: {{ rhel_08_010372 }} RHEL_08_010373: {{ rhel_08_010373 }} RHEL_08_010374: {{ rhel_08_010374 }} +RHEL_08_010379: {{ rhel_08_010379 }} RHEL_08_010380: {{ rhel_08_010380 }} RHEL_08_010381: {{ rhel_08_010380 }} RHEL_08_010382: {{ rhel_08_010382 }} RHEL_08_010383: {{ rhel_08_010383 }} RHEL_08_010384: {{ rhel_08_010384 }} +RHEL_08_010385: {{ rhel_08_010385 }} RHEL_08_010390: {{ rhel_08_010390 }} RHEL_08_010400: {{ rhel_08_010400 }} RHEL_08_010410: {{ rhel_08_010410 }} @@ -138,7 +145,6 @@ RHEL_08_010522: {{ rhel_08_010522 }} RHEL_08_010543: {{ rhel_08_010543 }} RHEL_08_010544: {{ rhel_08_010544 }} RHEL_08_010550: {{ rhel_08_010550 }} -RHEL_08_010560: {{ rhel_08_010560 }} RHEL_08_010561: {{ rhel_08_010561 }} RHEL_08_010570: {{ rhel_08_010570 }} RHEL_08_010571: {{ rhel_08_010571 }} @@ -174,7 +180,6 @@ RHEL_08_010780: {{ rhel_08_010780 }} RHEL_08_010790: {{ rhel_08_010790 }} RHEL_08_010800: {{ rhel_08_010800 }} RHEL_08_010830: {{ rhel_08_010830 }} - RHEL_08_020000: {{ rhel_08_020000 }} RHEL_08_020010: {{ rhel_08_020010 }} RHEL_08_020011: {{ rhel_08_020011 }} @@ -208,6 +213,10 @@ RHEL_08_020081: {{ rhel_08_020081 }} RHEL_08_020082: {{ rhel_08_020082 }} RHEL_08_020090: {{ rhel_08_020090 }} # TODO RHEL_08_020100: {{ rhel_08_020100 }} +RHEL_08_020101: {{ rhel_08_020101 }} +RHEL_08_020102: {{ rhel_08_020102 }} +RHEL_08_020103: {{ rhel_08_020103 }} +RHEL_08_020104: {{ rhel_08_020104 }} RHEL_08_020110: {{ rhel_08_020110 }} RHEL_08_020120: {{ rhel_08_020120 }} RHEL_08_020130: {{ rhel_08_020130 }} 
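Review bot: `RHEL_08_010381: {{ rhel_08_010380 }}` in the context of the first hunk is a copy-paste error this commit leaves in place while adding neighbours around it: the goss audit toggle for RHEL-08-010381 follows the 010380 variable, so an operator who disables `rhel_08_010381` in `defaults/main.yml` still has it audited (and a disabled 010380 silently skips the 010381 check), which makes the audit report disagree with the remediation configuration. It should read `RHEL_08_010381: {{ rhel_08_010381 }}`. The same defect is fixed for 030670/030680 later in this file, so a quick pass asserting that each line's key number matches its variable number would catch any remaining pairs.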
@@ -220,6 +229,7 @@ RHEL_08_020190: {{ rhel_08_020190 }} RHEL_08_020200: {{ rhel_08_020200 }} RHEL_08_020210: {{ rhel_08_020210 }} RHEL_08_020220: {{ rhel_08_020220 }} +RHEL_08_020221: {{ rhel_08_020221 }} RHEL_08_020230: {{ rhel_08_020230 }} RHEL_08_020231: {{ rhel_08_020231 }} RHEL_08_020240: {{ rhel_08_020240 }} @@ -240,7 +250,6 @@ RHEL_08_030010: {{ rhel_08_030010 }} RHEL_08_030020: {{ rhel_08_030020 }} RHEL_08_030030: {{ rhel_08_030030 }} RHEL_08_030040: {{ rhel_08_030040 }} -RHEL_08_030050: {{ rhel_08_030050 }} RHEL_08_030060: {{ rhel_08_030060 }} RHEL_08_030061: {{ rhel_08_030061 }} RHEL_08_030062: {{ rhel_08_030062 }} @@ -263,13 +272,8 @@ RHEL_08_030180: {{ rhel_08_030180 }} RHEL_08_030181: {{ rhel_08_030181 }} RHEL_08_030190: {{ rhel_08_030190 }} RHEL_08_030200: {{ rhel_08_030200 }} -RHEL_08_030210: {{ rhel_08_030210 }} -RHEL_08_030220: {{ rhel_08_030220 }} -RHEL_08_030230: {{ rhel_08_030230 }} -RHEL_08_030240: {{ rhel_08_030240 }} RHEL_08_030250: {{ rhel_08_030250 }} RHEL_08_030260: {{ rhel_08_030260 }} -RHEL_08_030270: {{ rhel_08_030270 }} RHEL_08_030280: {{ rhel_08_030280 }} RHEL_08_030290: {{ rhel_08_030290 }} RHEL_08_030300: {{ rhel_08_030300 }} 
@@ -289,28 +293,13 @@ RHEL_08_030340: {{ rhel_08_030340 }} RHEL_08_030350: {{ rhel_08_030350 }} RHEL_08_030360: {{ rhel_08_030360 }} RHEL_08_030361: {{ rhel_08_030361 }} -RHEL_08_030362: {{ rhel_08_030362 }} -RHEL_08_030363: {{ rhel_08_030363 }} -RHEL_08_030364: {{ rhel_08_030364 }} -RHEL_08_030365: {{ rhel_08_030365 }} RHEL_08_030370: {{ rhel_08_030370 }} -RHEL_08_030380: {{ rhel_08_030380 }} RHEL_08_030390: {{ rhel_08_030390 }} RHEL_08_030400: {{ rhel_08_030400 }} RHEL_08_030410: {{ rhel_08_030410 }} RHEL_08_030420: {{ rhel_08_030420 }} -RHEL_08_030430: {{ rhel_08_030430 }} -RHEL_08_030440: {{ rhel_08_030440 }} -RHEL_08_030450: {{ rhel_08_030450 }} -RHEL_08_030460: {{ rhel_08_030460 }} -RHEL_08_030470: {{ rhel_08_030470 }} RHEL_08_030480: {{ rhel_08_030480 }} RHEL_08_030490: {{ rhel_08_030490 }} -RHEL_08_030500: {{ rhel_08_030500 }} -RHEL_08_030510: {{ rhel_08_030510 }} -RHEL_08_030520: {{ rhel_08_030520 }} -RHEL_08_030530: {{ rhel_08_030530 }} -RHEL_08_030540: {{ rhel_08_030540 }} RHEL_08_030550: {{ rhel_08_030550 }} RHEL_08_030560: {{ rhel_08_030560 }} RHEL_08_030570: {{ rhel_08_030570 }} @@ -323,8 +312,8 @@ RHEL_08_030630: {{ rhel_08_030630 }} RHEL_08_030640: {{ rhel_08_030640 }} RHEL_08_030650: {{ rhel_08_030650 }} RHEL_08_030660: {{ rhel_08_030660 }} -RHEL_08_030670: {{ rhel_08_030370 }} -RHEL_08_030680: {{ rhel_08_030380 }} +RHEL_08_030670: {{ rhel_08_030670 }} +RHEL_08_030680: {{ rhel_08_030680 }} RHEL_08_030690: {{ rhel_08_030090 }} RHEL_08_030700: {{ rhel_08_030700 }} RHEL_08_030710: {{ rhel_08_030710 }} @@ -392,6 +381,7 @@ RHEL_08_040285: {{ rhel_08_040285 }} RHEL_08_040286: {{ rhel_08_040286 }} RHEL_08_040290: {{ rhel_08_040290 }} RHEL_08_040320: {{ rhel_08_040320 }} +RHEL_08_040321: {{ rhel_08_040321 }} RHEL_08_040330: {{ rhel_08_040330 }} RHEL_08_040340: {{ rhel_08_040340 }} RHEL_08_040341: {{ rhel_08_040341 }} From fbddcae1ffd56da85e7dd79f9a9902de81197ea5 Mon Sep 17 00:00:00 2001 
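Review bot: `RHEL_08_030690: {{ rhel_08_030090 }}` sits directly under the 030670/030680 mapping corrected in the second hunk and has the same copy-paste defect — the 030690 audit is driven by the 030090 toggle — so it should become `RHEL_08_030690: {{ rhel_08_030690 }}`. Because an audit/remediation mismatch here means a disabled control can be reported on (or an enabled one skipped), generating these lines from a list of control IDs in a Jinja loop instead of hand-written pairs would remove this class of error entirely.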
From: George Nalen Date: Mon, 7 Feb 2022 14:59:28 -0500 Subject: [PATCH 084/101] removed un-necessary controls Signed-off-by: George Nalen --- .github/workflows/communitytodevel.yml | 2 +- .github/workflows/develtomaster.yml | 2 +- defaults/main.yml | 23 -- tasks/fix-cat2.yml | 452 ------------------------- 4 files changed, 2 insertions(+), 477 deletions(-) diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml index ea378d8e..b696c735 100644 --- a/.github/workflows/communitytodevel.yml +++ b/.github/workflows/communitytodevel.yml @@ -33,6 +33,6 @@ jobs: # Job ID job_id: 5f933cbcf9c74e86b1609c00 # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }' + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }' # Refactr API base URL api_url: # optional diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml index 1573b2f8..fb4803da 100644 --- a/.github/workflows/develtomaster.yml +++ b/.github/workflows/develtomaster.yml @@ -33,6 +33,6 @@ jobs: # Job ID job_id: 5f90ad90f9c74e6d1e606e33 # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca", "username": "ec2-user" }' + variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }' # Refactr API base URL api_url: # optional diff --git a/defaults/main.yml b/defaults/main.yml index 5a5f5e50..dc2c9d1c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -122,7 +122,6 @@ rhel_08_010100: true rhel_08_010110: true rhel_08_010120: true rhel_08_010130: true -# rhel_08_010131: true rhel_08_010141: true rhel_08_010149: true rhel_08_010151: true 
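Review bot: Both workflow hunks still interpolate `${{ github.head_ref }}` directly inside a quoted JSON string in `variables:`; a PR branch name containing `"` or `\` breaks that JSON, and since the branch name is chosen by the PR author it is attacker-influenced input (how much that matters depends on the trigger, which is outside the hunk). Emitting it as `"githubBranch": ${{ toJSON(github.head_ref) }}` (no surrounding quotes) yields a correctly escaped JSON string. Switching from an `ec2-user` image to a `rocky` one also means CI no longer exercises RHEL 8 itself for a RHEL 8 STIG role; a comment beside `image:` naming the distro and version behind the opaque AMI ID would make that trade-off visible to reviewers.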
@@ -189,7 +188,6 @@ rhel_08_010522: true rhel_08_010543: true rhel_08_010544: true rhel_08_010550: true -# rhel_08_010560: true rhel_08_010561: true rhel_08_010570: true rhel_08_010571: true @@ -295,7 +293,6 @@ rhel_08_030010: true rhel_08_030020: true rhel_08_030030: true rhel_08_030040: true -# rhel_08_030050: true rhel_08_030060: true rhel_08_030061: true rhel_08_030062: true @@ -318,13 +315,8 @@ rhel_08_030180: true rhel_08_030181: true rhel_08_030190: true rhel_08_030200: true -# rhel_08_030210: true -# rhel_08_030220: true -# rhel_08_030230: true -# rhel_08_030240: true rhel_08_030250: true rhel_08_030260: true -# rhel_08_030270: true rhel_08_030280: true rhel_08_030290: true rhel_08_030300: true @@ -344,28 +336,13 @@ rhel_08_030340: true rhel_08_030350: true rhel_08_030360: true rhel_08_030361: true -# rhel_08_030362: true -# rhel_08_030363: true -# rhel_08_030364: true -# rhel_08_030365: true rhel_08_030370: true -# rhel_08_030380: true rhel_08_030390: true rhel_08_030400: true rhel_08_030410: true rhel_08_030420: true -# rhel_08_030430: true -# rhel_08_030440: true -# rhel_08_030450: true -# rhel_08_030460: true -# rhel_08_030470: true rhel_08_030480: true rhel_08_030490: true -# rhel_08_030500: true -# rhel_08_030510: true -# rhel_08_030520: true -# rhel_08_030530: true -# rhel_08_030540: true rhel_08_030550: true rhel_08_030560: true rhel_08_030570: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 215d775d..677c5d3e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -290,25 +290,6 @@ - V-230233 - pamd -# - name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." -# pamd: -# name: system-auth -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" -# state: args_present -# when: -# - rhel_08_010131 -# tags: -# - RHEL-08-010131 -# - CAT2 -# - CCI-000196 -# - SRG-OS-000073-GPOS-00041 -# - SV-244520r743809_rule -# - V-244520 -# - pamd - - name: | "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." @@ -1713,23 +1694,6 @@ - V-230296 - ssh -# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." -# service: -# name: auditd -# state: started -# enabled: yes -# when: -# - rhel_08_010560 -# - not system_is_container -# tags: -# - RHEL-08-010560 -# - CAT2 -# - CCI-000366 -# - SRG-OS-000480-GPOS-00227 -# - SV-230297r627750_rule -# - V-230297 -# - auditd - - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." service: name: rsyslog.service 
@@ -4397,22 +4361,6 @@ - V-230390 - auditd -# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^max_log_file_action =' -# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" -# when: -# - rhel_08_030050 -# tags: -# - RHEL-08-030050 -# - CAT2 -# - CCI-000140 -# - SRG-OS-000047-GPOS-00023 -# - SV-230391r743998_rule -# - V-230391 -# - auditd - - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." lineinfile: path: /etc/audit/auditd.conf 
@@ -4842,90 +4790,6 @@ - V-230413 - auditd -# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030210 -# tags: -# - RHEL-08-030210 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230414r627750_rule -# - V-230414 -# - auditd - -# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030220 -# tags: -# - RHEL-08-030220 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230415r627750_rule -# - V-230415 -# - auditd - -# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030230 -# tags: -# - RHEL-08-030230 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230416r627750_rule -# - V-230416 -# - auditd - -# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030240 -# tags: -# - RHEL-08-030240 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230417r627750_rule -# - V-230417 -# - auditd - - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" 
@@ -4958,27 +4822,6 @@ - V-230419 - auditd -# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030270 -# tags: -# - RHEL-08-030270 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230420r627750_rule -# - V-230420 -# - auditd - - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" 
@@ -5283,82 +5126,6 @@ - V-230439 - auditd -# - name: "MEDIUM | RHEL-08-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030362 -# tags: -# - RHEL-08-030362 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230440r627750_rule -# - V-230440 -# - auditd - -# - name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030363 -# tags: -# - RHEL-08-030363 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230441r627750_rule -# - V-230441 -# - auditd - -# - name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030364 -# tags: -# - RHEL-08-030364 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230442r627750_rule -# - V-230442 -# - auditd - -# - name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030365 -# tags: -# - RHEL-08-030365 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230443r627750_rule -# - V-230443 -# - auditd - - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" 
@@ -5375,25 +5142,6 @@ - V-230444 - auditd -# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# notify: restart auditd -# when: -# - rhel_08_030380 -# tags: -# - RHEL-08-030380 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230445r627750_rule -# - V-230445 -# - auditd - - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" 
@@ -5458,111 +5206,6 @@ - V-230449 - auditd -# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030430 -# tags: -# - RHEL-08-030430 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230450r627750_rule -# - V-230450 -# - auditd - -# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030440 -# tags: -# - RHEL-08-030440 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230451r627750_rule -# - V-230451 -# - auditd - -# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030450 -# tags: -# - RHEL-08-030450 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230452r627750_rule -# - V-230452 -# - auditd - -# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030460 -# tags: -# - RHEL-08-030460 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230453r627750_rule -# - V-230453 -# - auditd - -# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030470 -# tags: -# - RHEL-08-030470 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230454r627750_rule -# - V-230454 -# - auditd - - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." 
debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" 
@@ -5595,101 +5238,6 @@ - V-230456 - auditd -# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030500 -# tags: -# - RHEL-08-030500 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230457r627750_rule -# - V-230457 -# - auditd - -# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030510 -# tags: -# - RHEL-08-030510 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230458r627750_rule -# - V-230458 -# - auditd - -# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030520 -# tags: -# - RHEL-08-030520 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230459r627750_rule -# - V-230459 -# - auditd - -# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030530 -# tags: -# - RHEL-08-030530 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230460r627750_rule -# - V-230460 -# - auditd - -# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030540 -# tags: -# - RHEL-08-030540 -# - CAT2 -# - CCI-000169 -# - SRG-OS-000062-GPOS-00031 -# - SV-230461r627750_rule -# - V-230461 -# - auditd - - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." 
debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" From aa8714a375e79deeea3985a4e8d269c56b985ac7 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 7 Feb 2022 15:08:53 -0500 Subject: [PATCH 085/101] updated CENTOS references Signed-off-by: George Nalen --- README.md | 5 ++--- tasks/main.yml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 18bbd947..c859ad24 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic) ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG?style=plastic) -Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. +Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. This role is based on RHEL 8 DISA STIG: [Version 1, Rel 5 released on Jan 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R5_STIG.zip). @@ -28,8 +28,7 @@ Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit ## Requirements -RHEL 8 or CentOS 8 - Other versions are not supported. Although tested on rocky and almalinux -Containers +RHEL/Rocky/AlmaLinux 8 - Other versions are not supported. Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. ### General diff --git a/tasks/main.yml b/tasks/main.yml index 99c077c7..f7255eb0 100644 
--- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,8 +8,8 @@ - name: Check OS version and family assert: - that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') - fail_msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" tags: - always From 2599228c9b87e7c141859698c71569ed69eef654 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 7 Feb 2022 15:42:14 -0500 Subject: [PATCH 086/101] Updated loop control items to clean up display Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 2 ++ tasks/fix-cat2.yml | 10 ++++++++++ tasks/fix-cat3.yml | 2 ++ 3 files changed, 14 insertions(+) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 3a17d581..4dc5a7fc 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -443,6 +443,8 @@ with_items: - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } + loop_control: + label: "{{ item.line }}" when: rhel_08_040171_logout_settings_status.stdout | length == 0 - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 677c5d3e..14cba197 100644 
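Review bot: The new `that:` expression depends on Jinja binding `and` tighter than `or`, so it evaluates as `(not CentOS and RedHat family) or Rocky family`; that is presumably the intent, but the single parenthesised group reads as if all three terms were meant as one condition, and a reader checking this OS guard should not have to recall precedence rules. Make the grouping explicit: `that: ((ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat') or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')`. The updated `fail_msg` names only RHEL/Rocky while the README hunk in the same commit lists AlmaLinux as supported; `RHEL/Rocky/AlmaLinux 8` would keep the two consistent.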
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -303,6 +303,8 @@ - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } + loop_control: + label: "{{ item.line }}" when: - rhel_08_010141 or rhel_08_010149 @@ -1498,6 +1500,8 @@ mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: - "{{ rhel_08_010480_public_files.files }}" + loop_control: + label: "{{ item.path }}" notify: restart sshd when: - rhel_08_010480 @@ -1530,6 +1534,8 @@ mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: - "{{ rhel_08_010490_private_host_key_files.files }}" + loop_control: + label: "{{ item.path }}" notify: restart sshd when: - rhel_08_010490 @@ -1817,6 +1823,8 @@ opts: "{{ item.opts }},nodev" with_items: - "{{ rhel8stig_010580_mounts | default([]) }}" + loop_control: + label: "{{ item.mpoint }}" when: - item.device != "/" - "'odev' not in item.opts" @@ -2067,6 +2075,8 @@ register: rhel_08_010660_world_writable_files with_items: - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening" set_fact: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index ff2d7f81..6b676867 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -82,6 +82,8 @@ line: 'clean_requirements_on_remove=True' with_items: - "{{ rhel_08_010440_package_confs.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel_08_010440 tags: From 165c2cb36ea737e1c1eb8c0bfb40bc09a265caad Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 7 Feb 2022 16:20:37 -0500 Subject: [PATCH 087/101] Updated git install when 
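Review bot: `label: "{{ item.mpoint }}"` in the RHEL-08-010580 hunk references a key the task itself never uses — the surrounding lines read `item.device` and `item.opts`, and the RHEL-08-010660 hunk below labels `ansible_mounts` entries with `item.mount`. Unless `rhel8stig_010580_mounts` is built with an `mpoint` key (its definition is outside this diff), templating the label will fail with an undefined-attribute error on the first iteration. If the list is derived from `ansible_mounts`, `label: "{{ item.mount }}"` is the consistent choice.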
Signed-off-by: George Nalen --- tasks/pre_remediation_audit.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 78728628..fcc3bdc3 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -19,7 +19,9 @@ package: name: git state: present - when: ansible_distribution_major_version == 8 + when: + - ansible_distribution_major_version == "8" + - "'git' not in ansible_facts.packages" - name: Pre Audit | Install git (rh7 python2) package: @@ -27,7 +29,9 @@ state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == 7 + when: + - ansible_distribution_major_version == "7" + - - "'git' not in ansible_facts.packages" - name: Pre Audit | retrieve audit content files from git git: From 5681d93c6b0881da60064be29d17f0808dded12a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 7 Feb 2022 17:22:53 -0500 Subject: [PATCH 088/101] updates for linting Signed-off-by: George Nalen --- .ansible-lint | 1 + handlers/main.yml | 2 +- tasks/fix-cat2.yml | 44 +++++----- tasks/main.yml | 10 ++- tasks/post_remediation_audit.yml | 2 + tasks/pre_remediation_audit.yml | 142 ++++++++++++++++--------------- tasks/prelim.yml | 4 - vars/is_container.yml | 4 +- 8 files changed, 106 insertions(+), 103 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index f2a7e7cc..7ca23137 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -7,5 +7,6 @@ skip_list: - '403' - '306' - '602' + - '208' use_default_rules: true verbosity: 0 diff --git a/handlers/main.yml b/handlers/main.yml index bb00e60c..86348284 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: systemctl daemon-reload - systemd: + systemd: daemon_reload: true when: - not system_is_container diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 14cba197..30ef52ea 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
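Review bot: The rh7 `when:` list in the second hunk has a doubled dash, `- - "'git' not in ansible_facts.packages"`, which YAML parses as a nested single-item list rather than a condition string, so Ansible will not evaluate the package check as written. It should mirror the rh8 hunk: `- "'git' not in ansible_facts.packages"`. Both conditions also read `ansible_facts.packages`, which only exists after a `package_facts` task has run; if none precedes these tasks the condition errors on an undefined attribute rather than skipping — could not confirm from this diff.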
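Review bot: Adding `'208'` to `skip_list` in `.ansible-lint` turns off the risky-file-permissions rule for the whole role, which is the check that flags `template`/`copy`/`lineinfile` tasks creating files without an explicit `mode` — a check worth keeping in a hardening role that writes PAM, sysctl and auditd configuration. Prefer leaving the rule enabled and marking the individual tasks where the default mode is intentional with `# noqa 208`, so newly added tasks are still checked.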
@@ -277,7 +277,7 @@ - name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds." lineinfile: path: /etc/login.defs - regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s + regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} when: - rhel_08_010130 @@ -1072,8 +1072,6 @@ check_mode: false register: rhel_08_010351_directories - - debug: var=rhel_08_010351_directories - - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Alert on permissions" debug: msg: @@ -2340,7 +2338,7 @@ owner: "{{ rhel8stig_ww_dir_owner }}" with_items: - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" - when: + when: - rhel_08_010700_world_writable_directories.stdout is defined - rhel_08_010700_world_writable_directories.stdout | length > 0 when: @@ -2368,7 +2366,7 @@ group: "{{ rhel8stig_ww_dir_grpowner }}" with_items: - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" - when: + when: - rhel_08_010710_world_writable_directories.stdout is defined - rhel_08_010710_world_writable_directories.stdout | length > 0 when: @@ -2401,7 +2399,7 @@ msg: - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - "{{ rhel_08_010720_user_list.stdout_lines }}" - when: + when: - rhel_08_010720_user_list.stdout is defined - rhel_08_010720_user_list.stdout | length > 0 when: 
@@ -3498,12 +3496,12 @@ - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" lineinfile: - path: /etc/pam.d/system-auth - line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' - insertafter: '^password' - owner: root - group: root - mode: 0640 + path: /etc/pam.d/system-auth + line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + insertafter: '^password' + owner: root + group: root + mode: 0640 when: rhel_08_020102_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" @@ -3537,12 +3535,12 @@ - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" lineinfile: - path: /etc/pam.d/password-auth - line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' - insertafter: '^password' - owner: root - group: root - mode: 0640 + path: /etc/pam.d/password-auth + line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + insertafter: '^password' + owner: root + group: root + mode: 0640 when: rhel_08_020103_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" 
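Review bot: The re-indented system-auth task still carries `line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'` — note the doubled `p` — so the entry written to `/etc/pam.d/system-auth` is not a recognised PAM module type and the retry limit this control is meant to enforce does not take effect there; the password-auth hunk below has the correct `password required ...`. Fix: `line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'`. Both hunks also keep `mode: 0640` unquoted; YAML 1.1 loaders read that as the integer 416 and Ansible documents leading-zero modes as unreliable, so quote it: `mode: '0640'`.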
@@ -3870,7 +3868,7 @@ group: root mode: 0640 when: rhel_08_020221_pwhistory_status.stdout | length == 0 - + - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" pamd: name: system-auth @@ -5204,7 +5202,7 @@ debug: msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" changed_when: true - notify: update auditd + notify: update auditd when: - rhel_08_030420 tags: @@ -5228,7 +5226,7 @@ - CAT2 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230455r810459_rule + - SV-230455r810459_rule - V-230455 - auditd @@ -5841,7 +5839,7 @@ - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." lineinfile: - path: /etc/modprobe.d/blacklist.conf + path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -5935,7 +5933,7 @@ permanent: true state: enabled service: "{{ (item == (item | regex_search('^[a-z]+$'))) | bool | ternary(item, omit) }}" - port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | bool | ternary(item, omit) }}" + port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | bool | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" diff --git a/tasks/main.yml b/tasks/main.yml index f7255eb0..ec64ce9f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,3 +1,5 @@ +--- + - name: Gather distribution info setup: gather_subset: distribution,!all,!min @@ -31,7 +33,7 @@ - name: Load variable for container include_vars: file: "{{ container_vars_file }}" - + - name: output if discovered is a container debug: msg: system has been discovered as a container 
@@ -110,10 +112,12 @@ - CAT3 - low -- name: trigger update sysctl +- name: trigger update sysctl command: /bin/true - notify: update sysctl + changed_when: rhel8stig_trigger_update_sysctl.rc == 0 check_mode: false + register: rhel8stig_trigger_update_sysctl + notify: update sysctl tags: - CAT1 - CAT2 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 17ef3f87..fec86d78 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,6 +2,8 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + changed_when: rhel8stig_run_post_remediation.rc == 0 + register: rhel8stig_run_post_remediation vars: warn: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index fcc3bdc3..a4d40082 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,11 +1,11 @@ --- -- name: Pre Audit | Setup the audit +- name: "Pre Audit | Setup the audit" include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" file: 
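Review bot: In the tasks/main.yml hunk, `changed_when: rhel8stig_trigger_update_sysctl.rc == 0` on `command: /bin/true` is a roundabout way of saying "always changed": `/bin/true` always exits 0, so the new `register:` line exists only to feed that condition. `changed_when: true` states the intent — unconditionally notify the `update sysctl` handler — directly, satisfies the same lint rule, and lets the `register:` line go. The same `rc == 0` pattern is used on the audit shell run in the post_remediation_audit.yml hunk, where it is at least tied to a real command result.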
@@ -13,110 +13,112 @@ state: directory mode: '0755' -- name: Pre Audit | If using git for content set up +- name: "Pre Audit | If using git for content set up" block: - - name: Pre Audit | Install git (rh8 python3) - package: - name: git - state: present - when: - - ansible_distribution_major_version == "8" - - "'git' not in ansible_facts.packages" - - - name: Pre Audit | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: - - ansible_distribution_major_version == "7" - - - "'git' not in ansible_facts.packages" - - - name: Pre Audit | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit | Install git (rh8 python3) + package: + name: git + state: present + when: + - ansible_distribution_major_version == "8" + - "'git' not in ansible_facts.packages" + + - name: "Pre Audit | Install git (rh7 python2)" + package: + name: git + state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" + when: + - ansible_distribution_major_version == "7" + - "'git' not in ansible_facts.packages" + +- name: "Pre Audit | retrieve audit content files from git" + git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' -- name: Pre Audit | copy to audit content files to server +- name: "Pre Audit | copy to audit content files to server" copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 when: - - audit_content == 'copy' + - audit_content == 'copy' -- name: Pre Audit | get audit content from url +- name: "Pre Audit | get audit content from url" get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: - - audit_content == 'get_url' + - audit_content == 'get_url' -- name: Pre Audit | Check Goss is available +- name: "Pre Audit | Check Goss is 
available" block: - - name: Pre Audit | Check for goss file - stat: - path: "{{ audit_bin }}" - register: goss_available - - - name: Pre Audit | If audit ensure goss is available - assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists + - name: Pre Audit | Check for goss file + stat: + path: "{{ audit_bin }}" + register: goss_available + + - name: "Pre Audit | If audit ensure goss is available" + assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" stat: path: /sys/firmware/efi register: rhel8_efi_boot tags: - - goss_template + - goss_template -- name: Pre Audit | Copy ansible default vars values to test audit +- name: "Pre Audit | Copy ansible default vars values to test audit" template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template + - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + changed_when: rhel8stig_run_pre_remediation.rc == 0 + register: rhel8stig_run_pre_remediation vars: warn: false -- name: Pre Audit | Capture audit data if json format +- name: "Pre Audit | Capture audit data if json format" block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + command: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: "Pre 
Audit | Capture pre-audit result" + set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" -- name: Pre Audit | Capture audit data if documentation format +- name: "Pre Audit | Capture audit data if documentation format" block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + command: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: "Pre Audit | Capture pre-audit result" + set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 642ffe35..68c5d2ff 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -422,7 +422,3 @@ - name: "PRELIM | Section 1.1 | Create list of mount points" set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" - -# - name: "PRELIM | Get OS Version" -# set_fact: -# os_release: "{{ distribution_version }}" \ No newline at end of file diff --git a/vars/is_container.yml b/vars/is_container.yml index b5330290..c1e62a22 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -116,12 +116,12 @@ rhel_08_030710: false rhel_08_030720: false ## mounts -#/tmp +# /tmp rhel_08_010543: false rhel_08_040123: false rhel_08_040124: false rhel_08_040125: false -# /var/log +# /var/log rhel_08_040126: false rhel_08_040127: false rhel_08_040128: false From 2d09648249fbe45e3a6f9445ac1994a6ffd5a706 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 8 Feb 2022 08:01:38 -0500 Subject: [PATCH 089/101] added space at the end of auditd template 
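Review bot: The audit content fetched in this hunk — a git checkout at `audit_git_version`, a `copy`, or a bare `get_url` — is later executed as root through `run_audit.sh` with no integrity check on what was downloaded; at minimum give the `get_url` task a `checksum:` (e.g. `checksum: "sha256:{{ audit_files_checksum }}"`) and pin `audit_git_version` to a tag or commit rather than a branch so a moved branch or compromised mirror cannot swap in a different audit script. On the re-indented lines, the `assert` under "Check Goss is available" has a `msg:` but no `that:`, so when goss is missing it fails on the module's missing-argument error instead of the intended message — `that: goss_available.stat.exists` fixes that and makes the `when` unnecessary. It is also not clear from the collapsed indentation whether `when: audit_content == 'git'` still covers the git-install block or only the now top-level retrieve task (the `+- name:` at column 0 suggests the latter); if so, git is installed on every audited host regardless of `audit_content`, which presumably is not intended.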
Signed-off-by: George Nalen --- templates/audit/99_auditd.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 9fb3c9e0..3d9da0ea 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -124,4 +124,4 @@ {% endif %} {% if rhel_08_030600 %} -w /var/log/lastlog -p wa -k logins -{% endif %} \ No newline at end of file +{% endif %} From c4c347579f1cd2f9fa0ab6aca976fc1635d571d7 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 1 Mar 2022 09:34:26 +0000 Subject: [PATCH 090/101] Collections workflows (#86) * added collections file Signed-off-by: Mark Bolwell * updated workflows Signed-off-by: Mark Bolwell * updated with pipeline data Signed-off-by: Mark Bolwell * added meta collections Signed-off-by: Mark Bolwell * updated build workflow to have head.sha ref Signed-off-by: George Nalen * updates to pipelines Signed-off-by: Mark Bolwell * updates to pipelines Signed-off-by: Mark Bolwell * added tag to audit Signed-off-by: Mark Bolwell * updated date Signed-off-by: Mark Bolwell * updated tags Signed-off-by: Mark Bolwell * updated discord id Signed-off-by: Mark Bolwell * updated readme Signed-off-by: George Nalen * updated run_audit tag in tasks/main.yml 
Signed-off-by: George Nalen Co-authored-by: George Nalen --- .github/workflows/OS.tfvars | 9 ++ .github/workflows/communitytodevel.yml | 38 ------ .github/workflows/develtomaster.yml | 38 ------ .github/workflows/github_networks.tf | 11 ++ .github/workflows/github_vars.tfvars | 12 ++ .github/workflows/linux_benchmark_testing.yml | 120 ++++++++++++++++++ .github/workflows/main.tf | 83 ++++++++++++ .github/workflows/terraform.tfvars | 5 + .github/workflows/test.sh | 6 + .github/workflows/variables.tf | 65 ++++++++++ LICENSE | 2 +- README.md | 26 ++++ collections/requirements.yml | 8 ++ meta/main.yml | 10 ++ tasks/main.yml | 2 + 15 files changed, 358 insertions(+), 77 deletions(-) create mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/communitytodevel.yml delete mode 100644 .github/workflows/develtomaster.yml create mode 100644 .github/workflows/github_networks.tf create mode 100644 .github/workflows/github_vars.tfvars create mode 100644 .github/workflows/linux_benchmark_testing.yml create mode 100644 .github/workflows/main.tf create mode 100644 .github/workflows/terraform.tfvars create mode 100644 .github/workflows/test.sh create mode 100644 .github/workflows/variables.tf create mode 100644 collections/requirements.yml diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars new file mode 100644 index 00000000..6017787b --- /dev/null +++ b/.github/workflows/OS.tfvars @@ -0,0 +1,9 @@ +#Ami Rocky 85 +ami_id = "ami-043ceee68871e0bb5" +ami_os = "rocky8" +ami_username = "rocky" +ami_user_home = "/home/rocky" +instance_tags = { + Name = "RHEL8-STIG" + Environment = "lockdown_github_repo_workflow" +} diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml deleted file mode 100644 index b696c735..00000000 --- a/.github/workflows/communitytodevel.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: CommunityToDevel - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the devel branch -on: - pull_request: - branches: [ devel ] - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - # Refactr pipeline for devel pull request/merge - - name: Refactr - Run Pipeline (to devel) - # You may pin to the exact commit or the version. - # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53 - uses: refactr/action-run-pipeline@v0.1.2 - with: - # API token - api_token: '${{ secrets.REFACTR_KEY }}' - # Project ID - project_id: 5f47f0c4a13c7b18373e5556 - # Job ID - job_id: 5f933cbcf9c74e86b1609c00 - # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }' - # Refactr API base URL - api_url: # optional diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml deleted file mode 100644 index fb4803da..00000000 --- a/.github/workflows/develtomaster.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: DevelToMain - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the devel branch -on: - pull_request: - branches: [ main ] - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - # Refactr pipeline for devel pull request/merge - - name: Refactr - Run Pipeline (to master) - # You may pin to the exact commit or the version. - # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53 - uses: refactr/action-run-pipeline@v0.1.2 - with: - # API token - api_token: '${{ secrets.REFACTR_KEY }}' - # Project ID - project_id: 5f47f0c4a13c7b18373e5556 - # Job ID - job_id: 5f90ad90f9c74e6d1e606e33 - # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }' - # Refactr API base URL - api_url: # optional diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf new file mode 100644 index 00000000..d5a0db02 --- /dev/null +++ b/.github/workflows/github_networks.tf @@ -0,0 +1,11 @@ +resource "aws_vpc" "Main" { + cidr_block = var.main_vpc_cidr + tags = var.instance_tags +} + +resource "aws_internet_gateway" "IGW" { + vpc_id = aws_vpc.Main.id + tags = { + Name = "${var.namespace}-IGW" + } +} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars new file mode 100644 index 00000000..38be3edc --- /dev/null +++ b/.github/workflows/github_vars.tfvars 
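Review bot: `aws_vpc.Main` and `aws_internet_gateway.IGW` are created here but nothing visible consumes them — the security group in main.tf attaches to `data.aws_vpc.default.id` and the instance sets no `subnet_id`, so the test VM lands in the account's default VPC and this VPC and gateway are orphaned resources that still count against limits and must be destroyed. Either wire the instance into this VPC (a subnet from `public_subnets`, a route table through the IGW, and `vpc_id = aws_vpc.Main.id` on the security group) or drop the file. Doing the former would also give a natural place to narrow the SSH ingress rather than exposing port 22 of the default VPC to `0.0.0.0/0` as main.tf currently does.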
@@ -0,0 +1,12 @@ +// github_actions variables +// Resourced in github_networks.tf +// Declared in variables.tf +// + +namespace = "github_actions" + +// Matching pair name found in AWS for keypairs PEM key +ami_key_pair_name = "github_actions" +main_vpc_cidr = "172.22.0.0/24" +public_subnets = "172.22.0.128/26" +private_subnets = "172.22.0.192/26" \ No newline at end of file diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml new file mode 100644 index 00000000..3c4cf3f5 --- /dev/null +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -0,0 +1,120 @@ +# This is a basic workflow to help you get started with Actions + +name: linux_benchmark_pipeline + +# Controls when the action will run. +# Triggers the workflow on push or pull request +# events but only for the devel branch +on: + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + +# A workflow run is made up of one or more jobs +# that can run sequentially or in parallel +jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@v1.1.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + env: + ENABLE_DEBUG: false + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + +### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + 
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + +# Centos 7 images take a while to come up insert sleep or playbook fails + + - name: Check if test os is rhel7 + working-directory: .github/workflows + id: test_os + run: >- + echo "::set-output name=RHEL7::$( + grep -c RHEL7 OS.tfvars + )" + + - name: if RHEL7 - Sleep for 60 seconds + if: steps.test_os.outputs.RHEL7 >= 1 + run: sleep 60s + shell: bash + +# Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} +# verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + +# Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf new file mode 100644 index 00000000..9ad9240b --- /dev/null +++ b/.github/workflows/main.tf 
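Review bot: This workflow runs on `pull_request_target`, checks out `github.event.pull_request.head.sha`, and then executes code from that checkout (the `.tf` files under `.github/workflows`, `site.yml`, `collections/requirements.yml`) with `secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY` and `secrets.SSH_PRV_KEY` in the environment — `pull_request_target` gives fork PRs access to repository secrets precisely because it is meant to run trusted base-branch code, so any fork PR can exfiltrate the AWS keys and the SSH private key by editing one task or one `.tf` file. Switch the trigger to `pull_request` (forks then get no secrets) and gate the AWS job behind an `environment:` with required reviewers, or keep `pull_request_target` but run only base-branch code and never the PR head. Two smaller points: `uses: arillso/action.playbook@master` and `actions/checkout@v2` should be pinned to a tag or commit SHA, and `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, which folds the PEM's newlines into spaces — use `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` if that file is used at all (the playbook step passes `private_key:` directly, so it may be dead).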
@@ -0,0 +1,83 @@ +provider "aws" { + profile = "" + region = var.aws_region +} + +// Create a security group with access to port 22 and port 80 open to serve HTTP traffic + +data "aws_vpc" "default" { + default = true +} + +resource "random_id" "server" { + keepers = { + # Generate a new id each time we switch to a new AMI id + ami_id = "${var.ami_id}" + } + + byte_length = 8 +} + +resource "aws_security_group" "github_actions" { + name = "${var.namespace}-${random_id.server.hex}" + vpc_id = data.aws_vpc.default.id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = "${var.namespace}-SG" + } +} + +// instance setup + +resource "aws_instance" "testing_vm" { + ami = var.ami_id + associate_public_ip_address = true + key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs + instance_type = var.instance_type + tags = var.instance_tags + vpc_security_group_ids = [aws_security_group.github_actions.id] + root_block_device { + delete_on_termination = true + } +} + +// generate inventory file +resource "local_file" "inventory" { + filename = "./hosts.yml" + directory_permission = "0755" + file_permission = "0644" + content = < Date: Tue, 1 Mar 2022 12:43:45 -0500 Subject: [PATCH 091/101] Added fix for issue #88 Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 4dc5a7fc..a2bb5202 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -455,7 +455,7 @@ when: rhel_08_040171_logout_settings_status.stdout | length > 0 when: - rhel_08_040171 - - "'gnome-desktop' in ansible_facts.packages" + - "'gnome-desktop' in ansible_facts.packages or 'gnome-desktop3' in ansible_facts.packages" tags: - RHEL-08-040171 - CAT1 From 43220fa284d051f6ebae485f254007cd2459c37c Mon Sep 17 00:00:00 2001 From: Adam Rustam Date: Tue, 1 Mar 2022 13:58:40 -0500 Subject: [PATCH 092/101] Added additional conditionals to template to align with conditionals in the tasks Signed-off-by: Adam Rustam --- templates/99-sysctl.conf.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 index 17bb66cd..4adf6704 100644 --- a/templates/99-sysctl.conf.j2 +++ b/templates/99-sysctl.conf.j2 @@ -52,7 +52,7 @@ kernel.core_pattern = |/bin/false net.ipv4.conf.default.accept_redirects = 0 {% endif %} -{% if rhel_08_040210 %} +{% if rhel_08_040210 and rhel8stig_ipv6_required %} # RHEL-08-040210 net.ipv6.conf.default.accept_redirects = 0 {% endif %} @@ -82,27 +82,27 @@ net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 {% endif %} -{% if rhel_08_040250 %} +{% if rhel_08_040250 and rhel8stig_ipv6_required %} # RHEL-08-040250 net.ipv6.conf.default.accept_source_route = 0 {% endif %} -{% if rhel_08_040259 %} +{% if rhel_08_040259 and not rhel8stig_system_is_router %} # RHEL-08-040259 net.ipv4.ip_forward = 0 {% endif %} -{% if rhel_08_040260 %} +{% if rhel_08_040260 and not rhel8stig_system_is_router %} # RHEL-08-040260 net.ipv6.conf.all.forwarding = 0 {% endif %} -{% if rhel_08_040261 %} +{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} # RHEL-08-040261 net.ipv6.conf.all.accept_ra = 0 {% endif %} -{% if rhel_08_040262 %} +{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} # RHEL-08-040262 net.ipv6.conf.default.accept_ra = 0 {% endif %} 
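Review bot: When `rhel8stig_system_is_router` or `not rhel8stig_ipv6_required` turns one of these guards false, the template now drops the setting silently, so the rendered `99-sysctl.conf` gives an auditor no indication that the control was consciously exempted rather than forgotten. Add an `{% else %}` branch that renders a comment for each newly gated block, e.g. `# RHEL-08-040259 not applied: rhel8stig_system_is_router is true`. Note also that omitting `net.ipv4.ip_forward = 0` only stops the role from writing it; a host that was previously hardened keeps `0` in the running kernel until another sysctl source or a reboot changes it, which is fine for STIG purposes but worth a line in the role docs for operators who flip `rhel8stig_system_is_router` on an existing host.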
@@ -117,7 +117,7 @@ net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 {% endif %} -{% if rhel_08_040280 %} +{% if rhel_08_040280 and rhel8stig_ipv6_required %} # RHEL-08-040280 net.ipv6.conf.all.accept_redirects = 0 {% endif %} From bbf66c7c9318c1307c3020fd51ed8be9b9ae1eab Mon Sep 17 00:00:00 2001 From: Adam Rustam <62815294+asomiddinrustamov@users.noreply.github.com> Date: Tue, 1 Mar 2022 14:47:06 -0500 Subject: [PATCH 093/101] Added additional conditionals to template to align with conditionals in the tasks (#90) Signed-off-by: Adam Rustam --- templates/99-sysctl.conf.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 index 17bb66cd..4adf6704 100644 --- a/templates/99-sysctl.conf.j2 +++ b/templates/99-sysctl.conf.j2 @@ -52,7 +52,7 @@ kernel.core_pattern = |/bin/false net.ipv4.conf.default.accept_redirects = 0 {% endif %} -{% if rhel_08_040210 %} +{% if rhel_08_040210 and rhel8stig_ipv6_required %} # RHEL-08-040210 net.ipv6.conf.default.accept_redirects = 0 {% endif %} 
@@ -82,27 +82,27 @@ net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 {% endif %} -{% if rhel_08_040250 %} +{% if rhel_08_040250 and rhel8stig_ipv6_required %} # RHEL-08-040250 net.ipv6.conf.default.accept_source_route = 0 {% endif %} -{% if rhel_08_040259 %} +{% if rhel_08_040259 and not rhel8stig_system_is_router %} # RHEL-08-040259 net.ipv4.ip_forward = 0 {% endif %} -{% if rhel_08_040260 %} +{% if rhel_08_040260 and not rhel8stig_system_is_router %} # RHEL-08-040260 net.ipv6.conf.all.forwarding = 0 {% endif %} -{% if rhel_08_040261 %} +{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} # RHEL-08-040261 net.ipv6.conf.all.accept_ra = 0 {% endif %} -{% if rhel_08_040262 %} +{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} # RHEL-08-040262 net.ipv6.conf.default.accept_ra = 0 {% endif %} @@ -117,7 +117,7 @@ net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 {% endif %} -{% if rhel_08_040280 %} +{% if rhel_08_040280 and rhel8stig_ipv6_required %} # RHEL-08-040280 net.ipv6.conf.all.accept_redirects = 0 {% endif %} From 41695149f4e07392ad4504e190d6922ed67ed593 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 4 Mar 2022 09:19:33 -0500 Subject: [PATCH 094/101] updated 020027 prelim file task for issue #87 Signed-off-by: George Nalen --- tasks/prelim.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 68c5d2ff..ac98aaba 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -412,6 +412,8 @@ mode: 0755 owner: root group: root + recurse: yes + setype: faillog_t register: faillock_dir when: - not system_is_container From 9c414501fe0cfefcd7df9ff56d92b9c662e531a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Mar 2022 16:21:24 +0000 Subject: [PATCH 095/101] ability to skip supported os check 
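Review bot: Adding `recurse: yes` to a `file:` task that also carries `mode: 0755` applies 0755 to every existing per-user tally file under the faillock directory, not just the directory, so records that pam_faillock presumably keeps root-only and non-executable end up world-readable with the execute bit set. If recursion is only there to relabel the contents as `faillog_t`, split it: keep `mode: 0755` on the directory without `recurse`, and relabel with a second `file:` task using `recurse: true` and `setype: faillog_t` but no `mode` (or at least use symbolic `mode: "u=rwX,go=rX"` so files do not gain execute). Also `setype:` only changes the live label — for a non-default `path` (the task's `path:` is outside this hunk, so I cannot confirm which directory this is) the label reverts on the next `restorecon` unless an `sefcontext` entry is added — and `true` rather than `yes` avoids the YAML 1.1 truthy ambiguity.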
Signed-off-by: Mark Bolwell --- README.md | 5 +++-- defaults/main.yml | 3 +++ tasks/main.yml | 2 ++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 307474c2..9c69ebaa 100644 --- a/README.md +++ b/README.md @@ -32,8 +32,9 @@ Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit ## Requirements -RHEL/Rocky/AlmaLinux 8 - Other versions are not supported. -Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. +- RHEL/Rocky/AlmaLinux 8 - Other versions are not supported. +- Other OSs can be checked by changing the skip_os_check to true for testing purposes. +- Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. ### General diff --git a/defaults/main.yml b/defaults/main.yml index dc2c9d1c..c740213b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,6 +9,9 @@ benchmark: RHEL8-STIG # Whether to skip the reboot rhel8cis_skip_reboot: true +# Whether to skip the OS check for supported OS's +skip_os_check: false + rhel8stig_cat1_patch: true rhel8stig_cat2_patch: true rhel8stig_cat3_patch: true diff --git a/tasks/main.yml b/tasks/main.yml index d1fae8af..695a1aee 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -13,6 +13,8 @@ that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + when: + - not skip_os_check tags: - always From 9f5c91b6f55656902a5b9dce4bf13da91c76f112 Mon Sep 17 00:00:00 2001 
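Review bot: `skip_os_check` is the only variable in this `defaults/main.yml` hunk without the `rhel8stig_` prefix, so it shares a namespace with any other role in the same play that happens to use the name and can be toggled from outside this role by accident; `rhel8stig_skip_os_check` (with `skip_os_check` still honoured via `default()` for compatibility) would be safer. The defaults comment should also carry the warning the README gives, since this switch lets CAT I remediation — sysctl, auditd, PAM and sshd rewrites — run on an OS the role was never tested on, e.g. `# Skip the supported-OS assert. Testing only: remediation is untested outside RHEL/Rocky/Alma 8 and can break other distributions.`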
From: Adam Rustam Date: Thu, 10 Mar 2022 15:09:57 -0500 Subject: [PATCH 096/101] Fix for issue #99 Signed-off-by: Adam Rustam --- tasks/fix-cat3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 6b676867..5447ddcf 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -17,7 +17,7 @@ - name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." lineinfile: path: /etc/sysconfig/sshd - regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' + regexp: '^(#)?SSH_USE_STRONG_RNG=' line: SSH_USE_STRONG_RNG=32 notify: restart sshd when: From c3a88b6a2c6b77f8f7c0ce06ef0b2c33ca61da54 Mon Sep 17 00:00:00 2001 From: Chad Cravens Date: Tue, 8 Mar 2022 10:39:49 -0500 Subject: [PATCH 097/101] Added fapolicy rules directory check step Signed-off-by: Chad Cravens --- tasks/fix-cat2.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 30ef52ea..8ca35628 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6281,6 +6281,11 @@ - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: + - name: Check if Rules Directory Exists + stat: + path: /etc/fapolicyd/rules.d/ + register: rules_dir + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " lineinfile: path: /etc/fapolicyd/fapolicyd.rules From a8e29e65fa10adea8398d4484ac1f3433a9a416b Mon Sep 17 00:00:00 2001 From: Chad Cravens Date: Tue, 8 Mar 2022 21:17:44 -0500 Subject: [PATCH 098/101] Implement update to handle new version of fapolicyd by using the rules.d/ directory for rules files and compiling the rules 
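Review bot: The new `regexp: '^(#)?SSH_USE_STRONG_RNG='` only matches a comment whose `#` sits immediately before the key, so if the shipped `/etc/sysconfig/sshd` comments it as `# SSH_USE_STRONG_RNG=1` with a space (check a stock host), that line is left in place and the directive is appended as a second line — harmless for sshd, but it leaves a misleading commented copy, which is the case the previous greedy `^.*` pattern was loosely covering. `regexp: '^\s*#?\s*SSH_USE_STRONG_RNG='` handles both forms while still refusing to match the key appearing mid-line.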
Signed-off-by: Chad Cravens --- handlers/main.yml | 4 ++++ tasks/fix-cat2.yml | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 86348284..97fe681a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -46,6 +46,10 @@ name: rsyslog state: restarted +- name: generate fapolicyd rules + command: fagenrules --load + when: rules_dir is defined and not rules_dir.stat.exists + - name: restart fapolicyd service: name: fapolicyd diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8ca35628..be0d4a3a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6281,19 +6281,21 @@ - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: - - name: Check if Rules Directory Exists + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory" stat: path: /etc/fapolicyd/rules.d/ register: rules_dir - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " lineinfile: - path: /etc/fapolicyd/fapolicyd.rules + create: yes + path: "{{ '/etc/fapolicyd/rules.d/99-stig.rules' if rules_dir.stat.exists else '/etc/fapolicyd/fapolicyd.rules' }}" line: "{{ item }}" with_items: - "allow exe={{ ansible_python.executable }} : ftype=text/x-python" - "{{ rhel8stig_fapolicy_white_list }}" notify: + - generate fapolicyd rules - restart fapolicyd - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" From 1459fc2f92a2dc20f101c101e2642ddcc87aba2e Mon Sep 17 00:00:00 2001 From: Chad Cravens Date: Thu, 10 Mar 2022 22:28:12 -0500 Subject: [PATCH 099/101] Fix when operator on fagenrules handler Signed-off-by: Chad Cravens --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 97fe681a..519f8069 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
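Review bot: Writing the whitelist to `/etc/fapolicyd/rules.d/99-stig.rules` sorts it after the rule files fapolicyd ships in `rules.d` — on versions whose defaults include `90-deny-execute.rules` (`deny_audit perm=execute all : all`) and `95-allow-open.rules`, first match wins, so the allow lines in a `99-*` file are never reached and the STIG whitelist is dead. Name the file so it compiles ahead of the deny rule, e.g. `/etc/fapolicyd/rules.d/80-stig.rules` (anything that sorts before `90-`), and verify with `fapolicyd-cli --list` that the allow entries appear before the deny. Also `create: yes` should be `true`, and the `generate fapolicyd rules` handler this task notifies is guarded by the task-registered `rules_dir`, which ties the handler to this one task's variable name.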
@@ -48,7 +48,7 @@ - name: generate fapolicyd rules command: fagenrules --load - when: rules_dir is defined and not rules_dir.stat.exists + when: rules_dir.stat.exists - name: restart fapolicyd service: From 21e4b5d27f71699d2831abfb3f10b3db4df342b1 Mon Sep 17 00:00:00 2001 From: Chad Cravens Date: Fri, 11 Mar 2022 08:55:56 -0500 Subject: [PATCH 100/101] Applying updates to adhere to project code quality standards Signed-off-by: Chad Cravens --- handlers/main.yml | 2 +- tasks/fix-cat2.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 519f8069..26e8a88b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -48,7 +48,7 @@ - name: generate fapolicyd rules command: fagenrules --load - when: rules_dir.stat.exists + when: rhel_08_040137_rules_dir.stat.exists - name: restart fapolicyd service: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index be0d4a3a..41fab160 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
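Review bot: `when: rhel_08_040137_rules_dir.stat.exists` raises an undefined-variable error if this handler is ever notified without the stat task having run in the same play (a future task adding `notify: generate fapolicyd rules`, or the block skipped under a tag or in check mode), which turns a harmless reload into a failed play. `when: rhel_08_040137_rules_dir is defined and rhel_08_040137_rules_dir.stat.exists` keeps the guard safe, and a short comment above the handler saying it is only meaningful on fapolicyd versions with a `rules.d` layout would explain the dependency.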
@@ -6284,13 +6284,13 @@ - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory" stat: path: /etc/fapolicyd/rules.d/ - register: rules_dir + register: rhel_08_040137_rules_dir - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " lineinfile: - create: yes - path: "{{ '/etc/fapolicyd/rules.d/99-stig.rules' if rules_dir.stat.exists else '/etc/fapolicyd/fapolicyd.rules' }}" + path: "{{ '/etc/fapolicyd/rules.d/99-stig.rules' if rhel_08_040137_rules_dir.stat.exists else '/etc/fapolicyd/fapolicyd.rules' }}" line: "{{ item }}" + create: yes with_items: - "allow exe={{ ansible_python.executable }} : ftype=text/x-python" - "{{ rhel8stig_fapolicy_white_list }}" From 3a60b8d0107c49c47c3cd76d44bc5b8aefa0f437 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 25 Mar 2022 16:07:03 -0400 Subject: [PATCH 101/101] updates for container testing Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 2 +- vars/is_container.yml | 23 ++++++----------------- 2 files changed, 7 insertions(+), 18 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 41fab160..98a952a5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -675,7 +675,7 @@ name: tmux state: present when: - - rhel_08_020032 + - rhel_08_020039 - "'tmux' not in ansible_facts.packages" tags: - RHEL-08-020039 diff --git a/vars/is_container.yml b/vars/is_container.yml index c1e62a22..37e1ef6d 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -4,7 +4,9 @@ rhel8stig_ssh_required: false # tmux +rhel_08_020039: false rhel_08_020040: false +rhel_08_020041: false rhel_08_020070: false # auditd 
@@ -12,7 +14,7 @@ rhel_08_010560: false rhel_08_030000: false rhel_08_030020: false rhel_08_030040: false -rhel_08_030050: false +# rhel_08_030050: false rhel_08_030060: false rhel_08_030061: false rhel_08_030062: false @@ -41,7 +43,7 @@ rhel_08_030230: false rhel_08_030240: false rhel_08_030250: false rhel_08_030260: false -rhel_08_030270: false +# rhel_08_030270: false rhel_08_030280: false rhel_08_030290: false rhel_08_030300: false @@ -61,28 +63,13 @@ rhel_08_030340: false rhel_08_030350: false rhel_08_030360: false rhel_08_030361: false -rhel_08_030362: false -rhel_08_030363: false -rhel_08_030364: false -rhel_08_030365: false rhel_08_030370: false -rhel_08_030380: false rhel_08_030390: false rhel_08_030400: false rhel_08_030410: false rhel_08_030420: false -rhel_08_030430: false -rhel_08_030440: false -rhel_08_030450: false -rhel_08_030460: false -rhel_08_030470: false rhel_08_030480: false rhel_08_030490: false -rhel_08_030500: false -rhel_08_030510: false -rhel_08_030520: false -rhel_08_030530: false -rhel_08_030540: false rhel_08_030550: false rhel_08_030560: false rhel_08_030570: false @@ -198,12 +185,14 @@ rhel_08_010291: false rhel_08_010293: false # aide +rhel_08_010359: false rhel_08_010360: false rhel_08_030650: false rhel_08_040300: false rhel_08_040310: false # sudo +rhel_08_010379: false rhel_08_010380: false rhel_08_010381: false rhel_08_010382: false
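Review bot: Commenting out `rhel_08_030050: false` and `rhel_08_030270: false` (and deleting the 0303xx–0305xx overrides) re-enables those controls inside containers if they still exist in `defaults/main.yml`, and the file gives no reason, so the next reader cannot tell a deliberate re-enable from an accidental one. Replace the bare commented lines with a comment that states the intent, e.g. `# rhel_08_030050 / rhel_08_030270 left enabled: <reason, or the STIG release that retired the rule>`, and if the deleted IDs were retired by STIG V1R4 rather than re-enabled, say so in a one-line header for the auditd section. Containers typically cannot load auditd rules, so any control that is now enabled will fail or report changed on every container run — confirm against the container CI results.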