Name and alignment #319

Merged
merged 2 commits into from
Dec 17, 2024
12 changes: 6 additions & 6 deletions LICENSE
@@ -1,6 +1,6 @@
The MIT License
MIT License

Copyright (c) 2023 MindPoint Group http://www.mindpointgroup.com
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
Expand All @@ -9,13 +9,13 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
4 changes: 2 additions & 2 deletions handlers/main.yml
Expand Up @@ -102,7 +102,7 @@
remote_src: true
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
when:
- rhel8stig_grub2_user_cfg.stat.exists
- rhel8stig_workaround_for_disa_benchmark
Expand All @@ -125,7 +125,7 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
notify: restart auditd

- name: restart auditd
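Review bot: The symbolic modes introduced at `mode: 'u+x,go-w'` and `mode: 'u-x,go-rwx'` are applied relative to whatever permission bits the target already has, so they no longer pin the result the way `'0755'` and `'0600'` did: a pre-existing setuid/setgid/sticky bit survives `u-x,go-rwx`, and a file whose owner read/write bits were already stripped is left that way instead of being repaired. That satisfies the STIG's "or less permissive" wording, but both tasks here write root-owned configuration the role itself manages, so an absolute symbolic form such as `mode: 'u=rwx,go=rx'` and `mode: 'u=rw,go='` would keep the new style while still clearing special bits and restoring the expected owner bits (as I read Ansible's symbolic-mode handling, `=` also clears that class's special bit; worth confirming against the module_utils implementation in use). The same concern applies to every `mode:` change in tasks/fix-cat1.yml and tasks/fix-cat2.yml. Both tasks in this section begin above the hunk.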
6 changes: 3 additions & 3 deletions tasks/fix-cat1.yml
Expand Up @@ -63,7 +63,7 @@
dest: /etc/default/grub
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
vars:
grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler
Expand Down Expand Up @@ -200,7 +200,7 @@
line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
notify: confirm grub2 user cfg
when:
- not system_is_ec2
Expand Down Expand Up @@ -450,7 +450,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
with_items:
- { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
- { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
68 changes: 34 additions & 34 deletions tasks/fix-cat2.yml
Expand Up @@ -124,7 +124,7 @@
content: "{{ rhel8stig_logon_banner }}"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: restart sshd
with_items:
- /etc/issue
Expand All @@ -150,7 +150,7 @@
regexp: 'banner-message-enabled='
line: banner-message-enable=true
create: true
mode: '0644'
mode: 'u-x,go-wx'
owner: root
group: root
insertafter: '[org/gnome/login-screen]'
Expand All @@ -173,7 +173,7 @@
[org/gnome/login-screen]
banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
banner-message-enable=true
mode: '0644'
mode: 'u-x,go-wx'
owner: root
group: root
vars:
Expand All @@ -197,7 +197,7 @@
regexp: ^(?!#).*\/var\/log\/secure
line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
create: true
mode: '0644'
mode: 'u-x,go-wx'
notify: restart rsyslog
when:
- rhel_08_010070
Expand Down Expand Up @@ -242,7 +242,7 @@
ansible.builtin.file:
path: "{{ rhel8stig_path_to_sshkey }}"
state: directory
mode: '0700'
mode: 'u+x,go-rwx'

- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
community.crypto.openssh_keypair:
Expand Down Expand Up @@ -339,7 +339,7 @@
dest: /etc/grub.d/01_users
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
notify: confirm grub2 user cfg
when:
- rhel_08_010141 or
Expand All @@ -364,7 +364,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_010151
tags:
Expand All @@ -384,7 +384,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_010152
tags:
Expand Down Expand Up @@ -512,7 +512,7 @@
- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
ansible.builtin.file:
path: "{{ item }}"
mode: '1777'
mode: '+t'
with_items:
- "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
when:
Expand Down Expand Up @@ -672,7 +672,7 @@
content: |
[org/gnome/desktop/screensaver]
lock-delay=uint32 5
mode: '0644'
mode: 'u-x,go-wx'
notify: dconf update
when:
- rhel_08_020031
Expand All @@ -693,7 +693,7 @@
content: |
[org/gnome/login-screen]
disable-user-list=true
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_020032
- rhel8stig_always_configure_dconf
Expand Down Expand Up @@ -756,7 +756,7 @@
dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081
content: |
/org/gnome/desktop/session/idle-delay
mode: '0644'
mode: 'u-x,go-wx'
notify: dconf update
when:
- rhel_08_020081
Expand All @@ -775,7 +775,7 @@
dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082
content: |
/org/gnome/desktop/screensaver/lock-enabled
mode: '0644'
mode: 'u-x,go-wx'
notify: dconf update
when:
- rhel_08_020082
Expand Down Expand Up @@ -2171,7 +2171,7 @@
- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
ansible.builtin.file:
path: "{{ item }}"
mode: '0755'
mode: 'u+x,go-w'
state: file
with_items:
- "{{ rhel_08_010660_change_perms }}"
Expand Down Expand Up @@ -2363,7 +2363,7 @@
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_010680_networkmanager_check.stdout == '0'
- rhel8_stig_use_resolv_template
Expand Down Expand Up @@ -3259,7 +3259,7 @@
regexp: '^lock-enabled'
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
line: |
[org/gnome/desktop/screensaver]
# Set this to true to lock the screen when the screensaver activates
Expand Down Expand Up @@ -3315,7 +3315,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
loop:
- { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' }
- { regexp: '^bind X lock-session', line: 'bind X lock-session' }
Expand Down Expand Up @@ -3370,7 +3370,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
line: |
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Expand Down Expand Up @@ -3401,7 +3401,7 @@
line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
when: rhel_08_020050_removal_action_file.stdout_lines | length == 0
notify: dconf update
when:
Expand Down Expand Up @@ -3430,7 +3430,7 @@
create: true
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
regexp: '^idle-delay'
line: |
[org/gnome/desktop/session]
Expand All @@ -3446,7 +3446,7 @@
line: idle-delay=uint32 900
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}"
when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0
notify: dconf update
Expand Down Expand Up @@ -3478,7 +3478,7 @@
line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_020070
tags:
Expand All @@ -3497,7 +3497,7 @@
line: /org/gnome/desktop/screensaver/lock-delay
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
when:
- rhel_08_020080
- "'dconf' in ansible_facts.packages"
Expand All @@ -3518,7 +3518,7 @@
line: "{{ item.line }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
with_items:
- { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
- { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
Expand Down Expand Up @@ -4070,7 +4070,7 @@
insertafter: "{{ item.insertafter }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
notify: restart sssd
with_items:
- { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
Expand All @@ -4082,7 +4082,7 @@
line: auth sufficient pam_sss.so try_cert_auth
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: restart sssd
when: rhel_08_020250_sc_auth_sss.stdout | length == 0

Expand Down Expand Up @@ -4198,7 +4198,7 @@
insertafter: "{{ item.insertafter }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
with_items:
- { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
- { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
Expand Down Expand Up @@ -4528,7 +4528,7 @@
ansible.builtin.file:
path: "{{ rhel08_030070_auditlog_location.stdout }}"
state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}"
mode: o-x,go-rwx
mode: 'o-x,go-rwx'
when:
- rhel_08_030070
tags:
Expand Down Expand Up @@ -4656,7 +4656,7 @@
- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
ansible.builtin.file:
path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
mode: go-rwx
mode: 'go-rwx'
state: directory
when: rhel_08_030120_audit_log_dir.stdout | length > 0
when:
Expand Down Expand Up @@ -5434,7 +5434,7 @@
- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
ansible.builtin.file:
path: "{{ item }}"
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
with_items:
- /etc/audit/rules.d/audit.rules
- /etc/audit/auditd.conf
Expand All @@ -5461,7 +5461,7 @@
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
ansible.builtin.file:
path: "{{ item }}"
mode: go-w
mode: 'go-w'
with_items:
- "{{ rhel_08_030620_tools.stdout_lines }}"
when:
Expand Down Expand Up @@ -5532,7 +5532,7 @@
line: "{{ item }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
with_items:
- "# Audit Tools"
- /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
Expand Down Expand Up @@ -5657,7 +5657,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
Expand Down Expand Up @@ -6130,7 +6130,7 @@
create: true
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
notify: change_requires_reboot

- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module"
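Review bot: `mode: 'o-x,go-rwx'` in the RHEL-08-030070 hunk only gains quotes here, but `o-x` is already implied by `go-rwx`, so the expression never touches the owner execute bit even though the sibling audit tasks in this file use `u-x,go-rwx` for the same 0600-or-less target; `mode: 'u-x,go-rwx'` looks like the intended value. This is pre-existing rather than introduced by the commit, but the quoting pass is the natural place to correct it. The `'1777'` to `'+t'` change in the RHEL-08-010190 hunk reads as an improvement, since it adds the sticky bit without forcing every listed world-writable path to 0777. Every task touched in this section starts above its hunk.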