diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
index 2db8718..2b96bf3 100644
--- a/tasks/Cat2/RHEL-09-21xxxx.yml
+++ b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -47,7 +47,7 @@
 content: "{{ rhel9stig_logon_banner }}"
 dest: "{{ item }}"
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 owner: root
 notify: Sshd_restart
 loop:
@@ -158,7 +158,7 @@
 owner: root
 src: "{{ item.file }}.j2"
 loop:
- - { file: 'boot/grub2/user.cfg', mode: '0644' }
+ - { file: 'boot/grub2/user.cfg', mode: 'u-x,go-wx' }
 - name: "MEDIUM | RHEL-09-212010 | AUDIT | RHEL 9 must require a boot loader superuser password.| warning"
 when: not rhel9stig_set_bootloader_password
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index e67df39..4da54f5 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -871,7 +871,7 @@
 - name: "MEDIUM | RHEL-09-232010 | PATCH | RHEL 9 system commands must have mode 755 or less permissive."
 when: rhel9stig_system_command_permissions.stdout | length > 0
 ansible.builtin.file:
- mode: '0755'
+ mode: 'u+x,go-w'
 path: "{{ item }}"
 loop:
 - "{{ rhel9stig_system_command_permissions.stdout_lines }}"
@@ -898,7 +898,7 @@
 - name: "MEDIUM | RHEL-09-232015 | PATCH | RHEL 9 library directories must have mode 755 or less permissive."
 when: rhel9stig_library_directory_perms.stdout | length > 0
 ansible.builtin.file:
- mode: '0755'
+ mode: 'u+x,go-w'
 path: "{{ item }}"
 loop:
 - "{{ rhel9stig_library_directory_perms.stdout_lines }}"
@@ -925,7 +925,7 @@
 - name: "MEDIUM | RHEL-09-232020 | PATCH | RHEL 9 library files must have mode 755 or less permissive."
 when: rhel9stig_library_directory_perms.stdout | length > 0
 ansible.builtin.file:
- mode: '0755'
+ mode: 'u+x,go-w'
 path: "{{ item }}"
 loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}"
@@ -942,7 +942,7 @@
 - V-257885
 - NIST800-53R4_SI-11
 ansible.builtin.file:
- mode: u=rwx,g-w,o-w
+ mode: 'u+x,go-w'
 modification_time: preserve
 path: /var/log
 state: directory
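Review bot: The new `mode: 'u-x,go-wx'` only removes bits, so the banner file's readability now depends on whatever bits the destination starts with; when this copy task has to create the destination, those starting bits come from the umask of the module process on the target, and on a host already hardened to `umask 077` the result is 0600 rather than the 0644 the old value pinned. The same pattern is applied to every file this commit renders or creates — grub `user.cfg` in the hunk at 158, `/etc/chrony.conf` and `/etc/resolv.conf` in RHEL-09-25xxxx, the dconf files in RHEL-09-27xxxx, and `/etc/profile.d/tmux.sh`, `/etc/tmux.conf` and `/etc/profile.d/tmout.sh` in RHEL-09-4xxxxx — where an unreadable `resolv.conf` or profile.d script breaks name resolution and login shells for unprivileged users. For files the role itself writes, an explicit form such as `mode: 'u=rw,go=r'` (and `mode: 'u=rwx,go=rx'` for the profile.d scripts) sets the intended permissions regardless of umask while still meeting "or less permissive"; the subtractive forms are fine for the `ansible.builtin.file` fix-ups of files that already exist. A run against a host with a restrictive umask would confirm this before release.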
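Review bot: `u+x` in the RHEL-09-232020 hunk adds the owner execute bit to every entry in `rhel9stig_library_directory_perms.stdout_lines`, and this task's title says it handles library files, so non-executable libraries get marked executable; a "mode 755 or less permissive" control is met by removing bits, never by adding them. `mode: 'go-w'` does what the control asks without touching the owner bits. The same `u+x` appears in the 232010 and 232015 hunks above, where commands and directories are expected to carry it, and in the `u+x,go-w` / `u+x,go-rwx` loops at 977 and 1002 in RHEL-09-23xxxx, which deserve the same check if those loops can contain regular files.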
@@ -960,7 +960,7 @@
 - V-257886
 - NIST800-53R4_SI-11
 ansible.builtin.file:
- mode: u=rw,g-wx,o-rwx
+ mode: 'u-x,g-wx,o-rwx'
 modification_time: preserve
 path: /var/log/messages
 state: file
@@ -977,7 +977,7 @@
 - V-257887
 - NIST800-53R4_AU-9
 ansible.builtin.file:
- mode: u=rwx,g-w,o-w
+ mode: 'u+x,go-w'
 modification_time: preserve
 owner: root
 path: "{{ item }}"
@@ -1002,7 +1002,7 @@
 - V-257888
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rwx,go-rwx
+ mode: 'u+x,go-rwx'
 modification_time: preserve
 owner: root
 path: "/etc/{{ item }}"
@@ -1039,7 +1039,7 @@
 - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: g-wx,o-rwx
+ mode: 'g-wx,o-rwx'
 follow: false
 loop: "{{ user_dot_files.files }}"
 loop_control:
@@ -1067,11 +1067,10 @@
 - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed"
 when:
 - item.stat.path is defined
- - item.stat.mode > '0750'
 ansible.builtin.file:
 path: "{{ item.stat.path }}"
 state: directory
- mode: u=rwx,g-w,o-rwx
+ mode: 'u+x,g-w,o-rwx'
 loop: "{{ rhel9stig_home_dir_perms.results }}"
 loop_control:
 label: "{{ item }}"
@@ -1117,7 +1116,7 @@
 - V-257891
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/group
 - name: "MEDIUM | RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1132,7 +1131,7 @@
 - V-257892
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/group-
 - name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1147,7 +1146,7 @@
 - V-257893
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: '0000'
+ mode: 'ugo-rwx'
 path: /etc/gshadow
 - name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1162,7 +1161,7 @@
 - V-257894
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: '0000'
+ mode: 'ugo-rwx'
 path: /etc/gshadow-
 - name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1177,7 +1176,7 @@
 - V-257895
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/passwd
 - name: "MEDIUM | RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1192,7 +1191,7 @@
 - V-257896
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/passwd-
 - name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1207,7 +1206,7 @@
 - V-257897
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: '0000'
+ mode: 'ugo-rwx'
 path: /etc/shadow-
 - name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
@@ -1996,7 +1995,7 @@
 - NIST800-53R4_CM-6
 ansible.builtin.file:
 path: /etc/crontab
- mode: '0600'
+ mode: 'u-x,go-rwx'
 - name: "MEDIUM | RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access."
 when:
@@ -2011,4 +2010,4 @@
 - NIST800-53R4_CM-6
 ansible.builtin.file:
 path: /etc/shadow
- mode: '0000'
+ mode: 'ugo-rwx'
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
index df5d11d..f4cc416 100644
--- a/tasks/Cat2/RHEL-09-25xxxx.yml
+++ b/tasks/Cat2/RHEL-09-25xxxx.yml
@@ -297,7 +297,7 @@
 ansible.builtin.template:
 dest: /etc/chrony.conf
 src: etc/chrony.conf.j2
- mode: '0644'
+ mode: 'u-x,go-wx'
 # Required before 252035 to set DNS value in NetworkManager
 - name: "MEDIUM | RHEL-09-252040 | PATCH | RHEL 9 must configure a DNS processing mode set be Network Manager."
@@ -339,7 +339,7 @@
 rhel9stig_network_manager_dns.stdout == 'unmanaged'
 ansible.builtin.template:
 dest: /etc/resolv.conf
- mode: '0644'
+ mode: 'u-x,go-wx'
 src: etc/resolv.conf.j2
 - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured."
@@ -1242,7 +1242,7 @@
 - NIST800-53R4_CM-6
 - ssh
 ansible.builtin.file:
- mode: go-rwx
+ mode: 'u-x,go-rwx'
 path: "{{ rhel9stig_sshd_config_file }}"
 - name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
@@ -1264,9 +1264,8 @@
 register: rhel9stig_private_ssh_keys
 - name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
- when: item.mode > '0640'
 ansible.builtin.file:
- mode: u-x,g-wx,o-rwx
+ mode: 'u-x,g-wx,o-rwx'
 path: "{{ item.path }}"
 loop: "{{ rhel9stig_private_ssh_keys.files }}"
@@ -1289,9 +1288,8 @@
 register: rhel9stig_pub_ssh_keys
 - name: "MEDIUM | RHEL-09-255125 | PATCH | RHEL 9 SSH public host key files must have mode 0644 or less permissive."
- when: item.mode > '0644'
 ansible.builtin.file:
- mode: u-x,g-wx,o-wx
+ mode: 'u-x,go-wx'
 path: "{{ item.path }}"
 loop: "{{ rhel9stig_pub_ssh_keys.files }}"
diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml
index 5db9328..929e6a4 100644
--- a/tasks/Cat2/RHEL-09-27xxxx.yml
+++ b/tasks/Cat2/RHEL-09-27xxxx.yml
@@ -48,7 +48,7 @@
 path: "/etc/dconf/db/{{ item }}.d/locks/session"
 line: /org/gnome/login-screen/banner-message-enable
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 modification_time: preserve
 state: present
 loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
@@ -72,7 +72,7 @@
 notify: Update_dconf
 community.general.ini_file:
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 option: automount-open
 path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
 section: 'org/gnome/desktop/media-handling'
diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml
index 1f27ec8..17950f5 100644
--- a/tasks/Cat2/RHEL-09-4xxxxx.yml
+++ b/tasks/Cat2/RHEL-09-4xxxxx.yml
@@ -583,7 +583,7 @@
 - name: "MEDIUM | RHEL-09-411115 | AUDIT | Local RHEL 9 initialization files must not execute world-writable programs."
 when: rhel9stig_user_exec_ww_files is defined
 ansible.builtin.file:
- mode: go-w
+ mode: 'go-wx'
 path: "{{ item }}"
 loop: "{{ rhel9stig_user_exec_ww_files.stdout_lines }}"
@@ -622,7 +622,7 @@
 dest: /etc/profile.d/tmux.sh
 group: root
 owner: root
- mode: '0755'
+ mode: 'u+x,go-w'
 src: etc/profile.d/tmux.sh.j2
 - name: "MEDIUM | RHEL-09-412020 | PATCH | RHEL 9 must have the tmux package installed."
@@ -641,7 +641,7 @@
 regexp: "{{ item }}"
 line: "{{ item }}"
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 state: present
 loop:
 - 'set -g lock-command vlock'
@@ -664,7 +664,7 @@
 dest: /etc/tmux.conf
 group: root
 owner: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 src: etc/tmux.conf.j2
 - name: "MEDIUM | RHEL-09-412035 | PATCH | RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity."
@@ -685,7 +685,7 @@
 dest: /etc/profile.d/tmout.sh
 group: root
 owner: root
- mode: '0755'
+ mode: 'u+x,go-w'
 src: etc/profile.d/tmout.sh.j2
 - name: "MEDIUM | RHEL-09-412045 | PATCH | RHEL 9 must log username information when unsuccessful logon attempts occur."
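Review bot: The change from `go-w` to `go-wx` in the RHEL-09-411115 hunk strips group and other execute from every program listed in `rhel9stig_user_exec_ww_files.stdout_lines`, but the finding named in the task title is that those programs are world-writable, so only the write bits need to go; removing execute makes shared tools referenced from users' init files unusable for everyone but the owner. The previous `mode: 'go-w'` already satisfied the control, so the added `x` looks like a regression rather than a fix. The task is also still labelled `AUDIT` in its name while it modifies files with `ansible.builtin.file`, which is worth correcting while this line is being touched.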
diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml
index 95defdc..54cd3ea 100644
--- a/tasks/Cat2/RHEL-09-61xxxx.yml
+++ b/tasks/Cat2/RHEL-09-61xxxx.yml
@@ -890,7 +890,7 @@
 group: root
 option: certificate_verification
 owner: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 path: /etc/sssd/conf.d/certificate_verification.conf
 section: 'sssd'
 value: 'ocsp_dgst=sha512'
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
index f665a0d..d62ffa3 100644
--- a/tasks/Cat2/RHEL-09-65xxxx.yml
+++ b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -870,7 +870,7 @@
 - auditd
 ansible.builtin.file:
 path: "{{ discovered_auditd_logfile.stdout }}"
- mode: go-rwx
+ mode: 'go-rwx'
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
 when:
@@ -941,12 +941,12 @@
 block:
 - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
 ansible.builtin.file:
- mode: '0640'
+ mode: 'u-x,g-w,o-rwx'
 path: /etc/audit/auditd.conf
 - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
 ansible.builtin.file:
- mode: '0640'
+ mode: 'u-x,g-w,o-rwx'
 path: "{{ item }}"
 with_fileglob:
 - "etc/audit/rules.d/*.rules"
@@ -965,7 +965,7 @@
 - auditd
 ansible.builtin.file:
 path: /etc/audit/auditd.conf
- mode: u-x,g-wx,o-rwx
+ mode: 'u-x,g-wx,o-rwx'
 - name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure."
 when:
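Review bot: `with_fileglob` in the second RHEL-09-653110 task is expanded on the control node, so each `item` is the controller-side path of a rules file under the role's `files/` tree, and `ansible.builtin.file` then tries to set that path's mode on the managed host (or, in a localhost run, on the role's own source files); the commit only swaps the mode string, so the new side keeps this behaviour. If the intent is the rules already deployed on the target, `path: "/etc/audit/rules.d/{{ item | basename }}"` keeps the glob as a list of names while pointing the task at the right files, or an `ansible.builtin.find` over `/etc/audit/rules.d` with `patterns: '*.rules'` and a loop over its `files` removes the controller dependency entirely. Separately, this hunk and the one at 965 both manage `/etc/audit/auditd.conf` with different strings (`u-x,g-w,o-rwx` and `u-x,g-wx,o-rwx`); both are subtractive so they compose without fighting, but a single agreed value would be clearer to the next reader.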