diff --git a/.ansible-lint b/.ansible-lint
index 4dee422..c7095e2 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -10,7 +10,7 @@ skip_list: - 'name[play]' - 'name[casing]' - 'name[template]' - # - 'key-order[task]' + - 'key-order[task]' - 'yaml[line-length]' - '204' - '305'
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 9fbe7aa..e02fe1f 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -1,138 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main 
with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansibleplaybook - - name: 
Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. 
+ + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + 
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d9..4a5adc9 100644 
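Review bot: The `playbook-test` job still triggers on `pull_request_target` and checks out `github.event.pull_request.head.sha`, but the new side now also grants `id-token: write`, assumes an AWS role through `aws-actions/configure-aws-credentials`, and runs the PR's own `../../../site.yml` with `--private-key ~/.ssh/le_runner` on a `self-hosted` runner, so a pull request from a fork can execute untrusted playbook content in a context that holds cloud credentials and the runner's SSH key. Gate the job before any secret or OIDC use — for example an `environment:` with required reviewers, or `if: github.event.pull_request.head.repo.full_name == github.repository` combined with a maintainer-applied label — and move `permissions: id-token: write` from the workflow level down to `playbook-test` so the `welcome` job keeps the default token scope. The credential-handling actions are pulled from mutable branches (`aws-actions/configure-aws-credentials@main`, `actions/first-interaction@main`); pin them to a release tag or commit SHA. The same applies to the identical job in `.github/workflows/main_pipeline_validation.yml`.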
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: 
DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansibleplaybook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ 
secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - 
name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index f935280..b6ee6a1 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,19 +1,19 @@ --- -name: update galaxy + name: update galaxy -on: - push: - branches: - - main -jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2d8d9b9..f9907b1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,17 +31,17 @@ repos: # Scan for passwords - repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 + rev: v1.5.0 hooks: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.2 + rev: v8.18.4 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.2 + rev: v24.7.0 hooks: - id: ansible-lint name: Ansible-lint 
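Review bot: The `DEBUG - Show IaC files` step cannot run as written: `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` leaves a quote unterminated so bash rejects the whole `run:` block whenever `ENABLE_DEBUG` is `'true'`, and the step's `env:` defines `PRIVSUBNET_ID`/`VPC_ID` while the echoes read `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID`, which are unset. Since both values come from `secrets.*`, the simplest fix is to drop those two echo lines; if they are needed, use `echo "PRIVSUBNET_ID = $PRIVSUBNET_ID"` and `echo "VPC_ID = $VPC_ID"`. `AWS_REGION : "us-east-1"` has a space before the colon, which yamllint's `colons` rule rejects; write `AWS_REGION: "us-east-1"`. The branch test `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` expands the variable unquoted, so an empty or space-containing value produces a `[` error; quote it, or pass the value through `env:` instead of interpolating the expression into the script. The echo and quoting defects are duplicated in `.github/workflows/devel_pipeline_validation.yml`.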
@@ -57,7 +57,7 @@ repos: # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - - ansible-core>=2.10.1 + - ansible-core>=2.12.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 # or higher tag diff --git a/Changelog.md b/Changelog.md new file mode 100644 index 0000000..ab16030 --- /dev/null +++ b/Changelog.md @@ -0,0 +1,26 @@ +# Ubuntu22CIS + +## 1.2.1 Based on STIG V1R2 Jan24 2024 + +- precommit updates +- issues + - #12 thanks to @layluke + - #13 thanks to @PoundsOfFlesh - some excellent items from PR + - update audit sumamry output + +## 1.2 Based on STIG V1R2 Jan24 2024 + +- control updates +- pre-commit updates +- rule IDs +- lint +- audit updates +- tag updates +- issues + - #2 + - #3 + - #4 + +## 1.1 Based on STIG V1R1 + +Initial release diff --git a/README.md b/README.md index 2f39965..2528458 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL9 based system to be complaint with Disa STIG -This role is based on RHEL 9 DISA STIG: [Version 1, Rel 1 released on Sept 22, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R1_STIG.zip). +This role is based on RHEL 9 DISA STIG: [Version 1, Rel 2 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R2_STIG.zip). ## Initial Relase from STIG, still many items that not quite aligned in the documentation 
@@ -84,12 +84,10 @@ This audit will not only check the config has the correct setting but aims to ca The following packages must be installed on the controlling host/host where ansible is executed: -- python2-passlib (or just passlib, if using python3) - python-lxml - python-xmltodict -- python-jmespath -Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. +Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. These are all required on the controller host that executes Ansible. ## Role Variables diff --git a/defaults/main.yml b/defaults/main.yml index ede0d14..23b8064 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- ## metadata for Audit benchmark -benchmark_version: '1.1.0' +benchmark_version: 'v1r2' ## Benchmark name used by audting control role # The audit variable found at the base 
@@ -51,42 +51,60 @@ rhel9stig_workaround_for_ssg_benchmark: true # system acts or requires router networking options rhel9stig_system_is_router: false -########################################## +### +### Settings for associated Audit role using Goss +### + +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/audit.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url other e.g. 
if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# This variable specifies the timeout (in ms) for audit commands that -# take a very long time: if a command takes too long to complete, -# it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 120000 +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -### End Goss enablements #### +# Where the audit logs are stored +audit_log_dir: '/opt' + +### Goss Settings ## +####### END ######## #### CAT 1 rhel_09_211010: true @@ -343,6 +361,7 @@ rhel_09_271075: true rhel_09_271080: true rhel_09_271085: true rhel_09_271090: true +rhel_09_271095: true rhel_09_271100: true rhel_09_271105: true rhel_09_271110: true 
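Review bot: `audit_cmd_timeout` is removed from defaults together with its comment, and nothing on the new side replaces it; if any audit task still references that variable it will now fail with an undefined-variable error, so confirm the consuming tasks were updated in the same change or keep the default. The `get_url` example comment above `audit_conf_source` points at `UBUNTU22-CIS-Audit`, which does not match this RHEL 9 STIG role; use a neutral placeholder such as `https://github.com/ansible-lockdown/<BENCHMARK>-Audit/archive/refs/heads/<BRANCH>.tar.gz` or the matching audit repository. `audit_conf_dest: "/opt"` and `audit_log_dir: '/opt'` use different quote styles for the same kind of value; pick one.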
@@ -672,10 +691,9 @@ rhel9stig_home_filesystem: '/home' # rhel9stig_custom_firewall_zone is the desired name for the firewall zone rhel9stig_custom_firewall: zone: "drop" - interface: - - "{{ ansible_default_ipv4.interface }}" + interface: "{{ ansible_default_ipv4.interface }}" -# rhel9stig_white_list_services is the services that you want to allow through initially for teh new firewall zone +# rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel9stig_white_list_services: @@ -801,10 +819,13 @@ rhel9stig_remotelog_server: protocol: '@@' ### AUDITD +# Ensure this matches the filesystem where the audit logs are stored. +# It will affect checks for control RHEL-09-653030 + rhel9stig_audit_log_filesystem: /var/log/audit rhel9stig_audit_conf: action_mail_acct: root - admin_space_left: 5 + admin_space_left: 5% admin_space_left_action: single disk_error_action: HALT # Can be one of "SYSLOG", "SINGLE", or "HALT" disk_full_action: HALT # Can be one of "SYSLOG", "SINGLE", or "HALT" @@ -816,7 +837,7 @@ rhel9stig_audit_conf: max_log_file_action: ROTATE name_format: hostname overflow_action: syslog - space_left: 25 + space_left: 25% space_left_action: email write_logs: 'yes' diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index 7c3debe..bed37bc 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml @@ -31,10 +31,10 @@ - NIST800-53R4_AC-6 notify: Systemd_daemon_reload ansible.builtin.lineinfile: - create: true - line: CtrlAltDelBurstAction=none path: /etc/systemd/system.conf regexp: ^CtrlAltDelBurstAction=none + line: CtrlAltDelBurstAction=none + create: true - name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled when: 
@@ -73,16 +73,16 @@ - CAT1 - CCI-000213 - SRG-OS-000080-GPOS-00048 - - SV-257789r925354_rule + - SV-257789r943055_rule - V-257789 - NIST800-53R4_AC-3 - grub notify: Rebuild_grub ansible.builtin.lineinfile: - insertafter: "{{ grub_superusers.after }}" - line: "{{ grub_superusers.line }}" path: /etc/grub2.cfg regexp: "{{ grub_superusers.regexp }}" + line: "{{ grub_superusers.line }}" + insertafter: "{{ grub_superusers.after }}" loop: - { regexp: '^set_superusers=', line: 'set superusers="{{ rhel9stig_grub_superuser }}"', after: "### BEGIN /etc/grub.d/01_users ###" } - { regexp: export superusers, line: 'export superusers', after: set_superusers= } @@ -104,9 +104,9 @@ - dnf - packages ansible.builtin.lineinfile: - line: gpgcheck=1 path: /etc/dnf/dnf.conf regexp: ^gpgcheck + line: gpgcheck=1 - name: HIGH | RHEL-09-214020 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation. when: @@ -122,9 +122,9 @@ - dnf - packages ansible.builtin.lineinfile: - line: localpkg_gpgcheck=1 path: /etc/dnf/dnf.conf regexp: ^localpkg_gpgcheck + line: localpkg_gpgcheck=1 - name: HIGH | RHEL-09-214025 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation. when: @@ -197,7 +197,7 @@ name: tftp state: absent -- name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification +- name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. when: - rhel_09_231190 
@@ -218,14 +218,14 @@ vars: warn_control_id: "HIGH | RHEL-09-231190" block: - - name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout ansible.builtin.shell: blkid changed_when: false failed_when: false register: rhel_09_231190_partition_layout - - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning ansible.builtin.debug: msg: @@ -233,7 +233,7 @@ - If partitions other than pseudo file systems (such as /proc or /sys or tmpfs) this is a finding - "{{ rhel_09_231190_partition_layout.stdout_lines }}" - - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning ansible.builtin.import_tasks: file: warning_facts.yml 
@@ -323,15 +323,15 @@ - SRG-OS-000106-GPOS-00053 - SRG-OS-000480-GPOS-00229 - SRG-OS-000480-GPOS-00227 - - SV-257984r925939_rule + - SV-257984r943034_rule - V-257984 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 - ssh ansible.builtin.lineinfile: - line: PermitEmptyPasswords no path: "{{ rhel9stig_sshd_config_file }}" regexp: (?i)^(#|)PermitEmptyPasswords yes + line: PermitEmptyPasswords no validate: sshd -t -f %s notify: Sshd_restart @@ -343,16 +343,16 @@ - CAT1 - CCI-000877 - SRG-OS-000125-GPOS-00065 - - SV-257986r925945_rule + - SV-257986r943038_rule - V-257986 - NIST800-53R4_MA-4 - ssh - pam notify: Sshd_restart ansible.builtin.lineinfile: - line: UsePAM yes path: "{{ rhel9stig_sshd_config_file }}" regexp: (?i)^(#|)usepam + line: UsePAM yes validate: sshd -t -f %s - name: HIGH | RHEL-09-271040 | PATCH | RHEL 9 must not allow unattended or automatic logon via the graphical user interface. @@ -369,10 +369,10 @@ - NIST800-53R4_CM-6 - gui ansible.builtin.lineinfile: - insertafter: "{{ autologin.after | default(omit) }}" - line: "{{ autologin.line }}" path: /etc/gdm/custom.conf regexp: "{{ autologin.regexp }}" + line: "{{ autologin.line }}" + insertafter: "{{ autologin.after | default(omit) }}" create: true loop: - { regexp: "[daemon]", line: "[daemon]" } diff --git a/tasks/Cat1/RHEL-09-4xxxxx.yml b/tasks/Cat1/RHEL-09-4xxxxx.yml index 3cc37a0..ff5da43 100644 --- a/tasks/Cat1/RHEL-09-4xxxxx.yml +++ b/tasks/Cat1/RHEL-09-4xxxxx.yml @@ -55,6 +55,6 @@ - NIST800-53R4_SI-6 - selinux ansible.builtin.lineinfile: - line: SELINUX=enforcing path: /etc/selinux/config regexp: (?i)^selinux= + line: SELINUX=enforcing diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index 2ab0296..619e42a 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml 
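Review bot: In the `PermitEmptyPasswords` task (`@@ -323`) and the `UsePAM` task (`@@ -343`), `lineinfile` appends the new directive at end of file when the regexp does not match; sshd uses the first value it reads for a keyword and treats anything after a `Match` block as part of that block, so an `sshd_config` that ends in `Match` would leave the global setting unchanged while `sshd -t` still passes. Adding `insertbefore: ^Match` and `firstmatch: true` places the line before the first `Match` block and falls back to end of file when none exists. The `PermitEmptyPasswords` regexp `(?i)^(#|)PermitEmptyPasswords yes` also matches only a `yes` value, so an existing `PermitEmptyPasswords no` line is kept and a duplicate appended; `(?i)^(#|)PermitEmptyPasswords` would rewrite whichever value is present. Both task definitions begin outside their hunks.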
@@ -36,9 +36,9 @@ block: - name: "MEDIUM | RHEL-09-211020 | PATCH | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path" ansible.builtin.lineinfile: - line: 'Banner /etc/issue' path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' + line: 'Banner /etc/issue' when: - rhel9stig_ssh_required @@ -123,7 +123,7 @@ - CCI-001665 - SRG-OS-000324-GPOS-00125 - SRG-OS-000480-GPOS-00227 - - SV-257786r925345_rule + - SV-257786r943026_rule - V-257786 - NIST800-53R4_CM-6 - NIST800-53R4_AC-6 @@ -271,10 +271,10 @@ - name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Set default" when: rhel9stig_212035_def_grub_vsyscall.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 vsyscall=none' path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 vsyscall=none' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Change default" @@ -282,10 +282,10 @@ - rhel9stig_212035_def_grub_vsyscall.rc == 0 - "'vsyscall=none' not in rhel9stig_212035_def_grub_vsyscall.stdout" ansible.builtin.lineinfile: - backrefs: true - line: '\1\2vsyscall=none\3' path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=)(".*)vsyscall=\w+(.*") + line: '\1\2vsyscall=none\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks." 
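Review bot: The Banner task in the -36 hunk hardcodes `path: /etc/ssh/sshd_config` and its `lineinfile` arguments carry no `validate:`, while the sshd edits in the Cat1 file use `path: "{{ rhel9stig_sshd_config_file }}"` with `validate: sshd -t -f %s` and `notify: Sshd_restart`; a typo in the edited line would not be caught before sshd reloads, and the directive may land in a different file than the other sshd controls. Suggest aligning it: `path: "{{ rhel9stig_sshd_config_file }}"`, `validate: sshd -t -f %s`, plus a `notify: Sshd_restart` on the task if one is not already set in the lines outside the hunk. The enclosing block and its tags are outside the hunk.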
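Review bot: In the -271 hunk the `Set default` replacement `line: '\1\2 vsyscall=none'` drops the closing quote of `GRUB_CMDLINE_LINUX`: the regexp `^(GRUB_CMDLINE_LINUX=")(.*)"` consumes the trailing `"` outside any capture group, and with `backrefs: true` the whole line is replaced by the expansion, leaving `GRUB_CMDLINE_LINUX="... vsyscall=none` unterminated in `/etc/default/grub` before `Rebuild_grub` runs. The sibling `page_poison` and `slub_debug` tasks keep the quote (`'\1\2 page_poison=1"'`), so this one should read `line: '\1\2 vsyscall=none"'`. The `Change default` task in the -282 hunk is fine because its third group captures the closing quote.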
@@ -322,19 +322,19 @@ - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Set default" when: rhel9stig_212040_def_grub_poison.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 page_poison=1"' - regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 page_poison=1"' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Change default" when: rhel9stig_212040_def_grub_poison.rc == 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2page_poison=1\3' - regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*") path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*") + line: '\1\2page_poison=1\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks" @@ -370,10 +370,11 @@ - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Set default" when: rhel9stig_212045_def_grub_slub.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 slub_debug=P"' - regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 slub_debug=P"' + backrefs: true + notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Change default" 
@@ -381,10 +382,10 @@ - "'slub_debug=P' not in rhel9stig_212045_def_grub_slub.stdout" - rhel9stig_212045_def_grub_slub.rc == 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2slub_debug=P\3' - regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*") path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*") + line: '\1\2slub_debug=P\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-213010 | PATCH | RHEL 9 must restrict access to the kernel message buffer." @@ -397,7 +398,7 @@ - CCI-001090 - SRG-OS-000132-GPOS-00067 - SRG-OS-000138-GPOS-00069 - - SV-257797r925378_rule + - SV-257797r942965_rule - V-257797 - NIST800-53R4_SC-2 - NIST800-53R4_SC-4 @@ -419,7 +420,7 @@ - CCI-001090 - SRG-OS-000132-GPOS-00067 - SRG-OS-000138-GPOS-00069 - - SV-257798r925381_rule + - SV-257798r942967_rule - V-257798 - NIST800-53R4_SC-2 - NIST800-53R4_SC-4 @@ -441,7 +442,7 @@ - CCI-00749 - SRG-OS-000480-GPOS-00227 - SRG-OS-000366-GPOS-00153 - - SV-257799r925384_rule + - SV-257799r942969_rule - V-257799 - NIST800-53R4_CM-6 - NIST800-53R4_CM-5 @@ -463,7 +464,7 @@ - CCI-001082 - SRG-OS-000132-GPOS-00067 - SRG-OS-000433-GPOS-00192 - - SV-257800r925387_rule + - SV-257800r942971_rule - V-257800 - NIST800-53R4_CM-6 - NIST800-53R4_SC-2 @@ -527,7 +528,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257803r925396_rule + - SV-257803r942973_rule - V-257803 - NIST800-53R4_CM-6 ansible.posix.sysctl: @@ -582,12 +583,12 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-257806r928942_rule + - SV-257806r942955_rule - V-257806 - NIST800-53R4_CM-7 vars: blacklist: 'firewire-core' - mod_value: 'true' + mod_value: 'false' ansible.builtin.template: dest: "/etc/modprobe.d/{{ blacklist }}.conf" src: etc/modprobe.d/module.conf.j2 @@ -639,7 +640,7 @@ - CCI-002824 - SRG-OS-000433-GPOS-00193 - SRG-OS-000480-GPOS-00227 - - SV-257809r925414_rule + - SV-257809r942975_rule - V-257809 - NIST800-53R4_CM-6 - NIST800-53R4_SI-16 
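Review bot: The context line `- CCI-00749` in the -441 hunk (V-257799) has five digits where every other CCI tag in these files has six (`CCI-001090`, `CCI-000366`, `CCI-001082`), so a tag filter on that CCI will never match; it looks like a dropped digit and should be checked against the STIG XCCDF for V-257799. The commit only bumps the rule id in this hunk, so the typo survives.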
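Review bot: The -582 hunk flips `mod_value` from `'true'` to `'false'` alongside the rule revision bump, but the template `etc/modprobe.d/module.conf.j2` that consumes it is not part of the diff, so the rendered result cannot be verified here; presumably this switches the rendered directive to `install firewire-core /bin/false`, which should be confirmed against the template, together with the template still emitting `blacklist firewire-core`. A short comment would make the intent durable, e.g. `mod_value: 'false'  # rendered as /bin/false; see SV-257806r942955_rule`. The task's name and `when` are outside the hunk.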
@@ -661,7 +662,7 @@ - CCI-001082 - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - - SV-257810r925417_rule + - SV-257810r942977_rule - V-257810 - NIST800-53R4_CM-6 - NIST800-53R4_SC-2 @@ -683,7 +684,7 @@ - CCI-001082 - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - - SV-257811r925420_rule + - SV-257811r942979_rule - V-257811 - NIST800-53R4_CM-6 - NIST800-53R4_SC-2 @@ -707,9 +708,9 @@ - V-257812 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: ProcessSizeMax=0 - regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+ path: /etc/systemd/coredump.conf + regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+ + line: ProcessSizeMax=0 create: true - name: "MEDIUM | RHEL-09-213090 | PATCH | RHEL 9 must storage core dumps." @@ -724,9 +725,9 @@ - V-257813 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: Storage=none - regexp: ^(#|)Storage=.* path: /etc/systemd/coredump.conf + regexp: ^(#|)Storage=.* + line: Storage=none create: true - name: "MEDIUM | RHEL-09-213095 | PATCH | RHEL 9 must disable core dumps for all users." @@ -741,9 +742,9 @@ - V-257814 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: '* hard core 0' - regexp: '^\* hard core (?!0)\d*' path: /etc/security/limits.conf + regexp: '^\* hard core (?!0)\d*' + line: '* hard core 0' - name: "MEDIUM | RHEL-09-213100 | PATCH | RHEL 9 must disable acquiring, saving, and processing core dumps." when: @@ -771,7 +772,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257816r925435_rule + - SV-257816r942981_rule - V-257816 - NIST800-53R4_CM-6 ansible.posix.sysctl: @@ -1155,7 +1156,7 @@ - CAT2 - CCI-001744 - SRG-OS-000363-GPOS-00150 - - SV-257842r925513_rule + - SV-257842r942959_rule - V-257842 - NIST800-53R4_CM-3 ansible.builtin.package: diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index d3a1e8b..3bbcd47 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml 
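Review bot: The -741 hunk's `lineinfile` on `/etc/security/limits.conf` sets `* hard core 0`, but pam_limits also reads `/etc/security/limits.d/*.conf`, and a per-user or per-group `core` entry in either location takes precedence over the `*` wildcard, so the control can report changed while core dumps remain enabled for some accounts. An AUDIT step that scans both locations, e.g. `ansible.builtin.shell: grep -rEs '^[^#]+\s(hard|-)\s+core\s+[1-9]' /etc/security/limits.conf /etc/security/limits.d/` with a WARN on matches, would surface that. The task's `when`/tags are outside the hunk.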
@@ -564,7 +564,7 @@ - item.mount == '/var' - "'nodev' not in item.options" notify: - - Remount_tmp + - Remount_var tags: - RHEL-09-231140 - CAT2 @@ -838,7 +838,7 @@ warn_control_id: "MEDIUM | RHEL-09-231200" block: - name: "MEDIUM | RHEL-09-231200 | AUDIT | RHEL 9 must prevent special devices on non-root local partitions. | discover partition" - ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep nodev | awk -F" " '{ print $3}' + ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep -v nodev | awk -F" " '{ print $3}' changed_when: false failed_when: rhel9stig_non_root_missing_nodev.rc not in [ 0, 1 ] register: rhel9stig_non_root_missing_nodev @@ -931,8 +931,7 @@ ansible.builtin.file: mode: '0755' path: "{{ item }}" - loop: - - "{{ rhel9stig_library_directory_perms.stdout_lines }}" + loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}" - name: "MEDIUM | RHEL-09-232025 | PATCH | RHEL 9 /var/log directory must have mode 0755 or less permissive." when: @@ -1031,17 +1030,17 @@ - V-257889 - NIST800-53R4_CM-6 block: - - name: "RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | Check for files" + - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | Check for files" ansible.builtin.find: depth: 3 file_type: file hidden: true - path: "{{ rhel9stig_home_filesystem }}" + path: ["{{ rhel9stig_home_filesystem}}", /root ] patterns: ".*" recurse: true register: user_dot_files - - name: "RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions" + - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions" ansible.builtin.file: path: "{{ item.path }}" mode: g-wx,o-rwx 
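Review bot: In the -1031 hunk the second task is renamed to `MEDIUM | RHEL-09-232045 | AUDIT | ... | update permissions` but it changes modes via `ansible.builtin.file`, so by the file's own naming convention it should be tagged `PATCH`, not `AUDIT`. The new `path: ["{{ rhel9stig_home_filesystem}}", /root ]` mixes a flow list with a templated scalar; a block list matches the style used elsewhere in these files and avoids quoting edge cases: `path:` / `- "{{ rhel9stig_home_filesystem }}"` / `- /root`. Note that with `hidden: true`, `patterns: ".*"` and `recurse: true` the find also matches dot-named files up to three levels deep (e.g. `.config/x/.y`), which may be intended but deserves a comment. The second task's loop and `when` are outside the hunk.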
@@ -1050,7 +1049,7 @@ loop_control: label: "{{ item.path }}" -- name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive." +- name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive." when: - rhel_09_232050 - rhel9stig_disruption_high @@ -1063,13 +1062,13 @@ - V-257890 - NIST800-53R4_CM-6 block: - - name: "RHEL-09-232050 | AUDIT | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | get stat" + - name: "MEDIUM | RHEL-09-232050 | AUDIT | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | get stat" ansible.builtin.stat: path: "{{ item }}" register: rhel9stig_home_dir_perms loop: "{{ rhel9stig_interactive_users_home.stdout_lines }}" - - name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed" + - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed" when: - item.stat.path is defined - item.stat.mode > '0750' @@ -1082,7 +1081,7 @@ label: "{{ item }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set group ACL" + - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set group ACL" when: - not system_is_container - item.stat.path is defined 
@@ -1096,7 +1095,7 @@ loop_control: label: "{{ item }}" - - name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set other ACL" + - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set other ACL" when: - not system_is_container - item.stat.path is defined @@ -1110,7 +1109,7 @@ loop_control: label: "{{ item }}" -- name: "RHEL-09-232055 | PATCH | RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232055 | PATCH | RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access." when: - rhel_09_232055 tags: @@ -1125,7 +1124,7 @@ mode: u=rw,go-wx path: /etc/group -- name: "RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access." when: - rhel_09_232060 tags: @@ -1140,7 +1139,7 @@ mode: u=rw,go-wx path: /etc/group- -- name: "RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access." when: - rhel_09_232065 tags: @@ -1155,7 +1154,7 @@ mode: '0000' path: /etc/gshadow -- name: "RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access." when: - rhel_09_232070 tags: 
@@ -1170,7 +1169,7 @@ mode: '0000' path: /etc/gshadow- -- name: "RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access." when: - rhel_09_232075 tags: @@ -1185,7 +1184,7 @@ mode: u=rw,go-wx path: /etc/passwd -- name: "RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access." when: - rhel_09_232080 tags: @@ -1200,7 +1199,7 @@ mode: u=rw,go-wx path: /etc/passwd- -- name: "RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access." when: - rhel_09_232085 tags: @@ -1215,7 +1214,7 @@ mode: '0000' path: /etc/shadow- -- name: "RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root." +- name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root." when: - rhel_09_232090 tags: @@ -1230,7 +1229,7 @@ owner: root path: /etc/group -- name: "RHEL-09-232095 | PATCH | RHEL 9 /etc/group file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232095 | PATCH | RHEL 9 /etc/group file must be group-owned by root." when: - rhel_09_232095 tags: @@ -1245,7 +1244,7 @@ group: root path: /etc/group -- name: "RHEL-09-232100 | PATCH | RHEL 9 /etc/group- file must be owned by root." +- name: "MEDIUM | RHEL-09-232100 | PATCH | RHEL 9 /etc/group- file must be owned by root." when: - rhel_09_232100 tags: 
@@ -1260,7 +1259,7 @@ owner: root path: /etc/group- -- name: "RHEL-09-232105 | PATCH | RHEL 9 /etc/group- file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232105 | PATCH | RHEL 9 /etc/group- file must be group-owned by root." when: - rhel_09_232105 tags: @@ -1275,7 +1274,7 @@ group: root path: /etc/group- -- name: "RHEL-09-232110 | PATCH | RHEL 9 /etc/gshadow file must be owned by root." +- name: "MEDIUM | RHEL-09-232110 | PATCH | RHEL 9 /etc/gshadow file must be owned by root." when: - rhel_09_232110 tags: @@ -1290,7 +1289,7 @@ owner: root path: /etc/gshadow -- name: "RHEL-09-232115 | PATCH | RHEL 9 /etc/gshadow file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232115 | PATCH | RHEL 9 /etc/gshadow file must be group-owned by root." when: - rhel_09_232115 tags: @@ -1305,7 +1304,7 @@ group: root path: /etc/gshadow -- name: "RHEL-09-232120 | PATCH | RHEL 9 /etc/gshadow- file must be owned by root." +- name: "MEDIUM | RHEL-09-232120 | PATCH | RHEL 9 /etc/gshadow- file must be owned by root." when: - rhel_09_232120 tags: @@ -1320,7 +1319,7 @@ owner: root path: /etc/gshadow- -- name: "RHEL-09-232125 | PATCH | RHEL 9 /etc/gshadow- file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232125 | PATCH | RHEL 9 /etc/gshadow- file must be group-owned by root." when: - rhel_09_232125 tags: @@ -1335,7 +1334,7 @@ group: root path: /etc/gshadow- -- name: "RHEL-09-232130 | PATCH | RHEL 9 /etc/passwd file must be owned by root." +- name: "MEDIUM | RHEL-09-232130 | PATCH | RHEL 9 /etc/passwd file must be owned by root." when: - rhel_09_232130 tags: @@ -1350,7 +1349,7 @@ owner: root path: /etc/passwd -- name: "RHEL-09-232135 | PATCH | RHEL 9 /etc/passwd file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232135 | PATCH | RHEL 9 /etc/passwd file must be group-owned by root." when: - rhel_09_232135 tags: 
@@ -1365,7 +1364,7 @@ group: root path: /etc/passwd -- name: "RHEL-09-232140 | PATCH | RHEL 9 /etc/passwd- file must be owned by root." +- name: "MEDIUM | RHEL-09-232140 | PATCH | RHEL 9 /etc/passwd- file must be owned by root." when: - rhel_09_232140 tags: @@ -1380,7 +1379,7 @@ owner: root path: /etc/passwd- -- name: "RHEL-09-232145 | PATCH | RHEL 9 /etc/passwd- file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232145 | PATCH | RHEL 9 /etc/passwd- file must be group-owned by root." when: - rhel_09_232145 tags: @@ -1395,7 +1394,7 @@ group: root path: /etc/passwd- -- name: "RHEL-09-232150 | PATCH | RHEL 9 /etc/shadow file must be owned by root." +- name: "MEDIUM | RHEL-09-232150 | PATCH | RHEL 9 /etc/shadow file must be owned by root." when: - rhel_09_232150 tags: @@ -1410,7 +1409,7 @@ owner: root path: /etc/shadow -- name: "RHEL-09-232155 | PATCH | RHEL 9 /etc/shadow file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232155 | PATCH | RHEL 9 /etc/shadow file must be group-owned by root." when: - rhel_09_232155 tags: @@ -1425,7 +1424,7 @@ group: root path: /etc/shadow -- name: "RHEL-09-232160 | PATCH | RHEL 9 /etc/shadow- file must be owned by root." +- name: "MEDIUM | RHEL-09-232160 | PATCH | RHEL 9 /etc/shadow- file must be owned by root." when: - rhel_09_232160 tags: @@ -1440,7 +1439,7 @@ owner: root path: /etc/shadow- -- name: "RHEL-09-232165 | PATCH | RHEL 9 /etc/shadow- file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232165 | PATCH | RHEL 9 /etc/shadow- file must be group-owned by root." when: - rhel_09_232165 tags: @@ -1455,7 +1454,7 @@ group: root path: /etc/shadow -- name: "RHEL-09-232170 | PATCH | RHEL 9 /var/log directory must be owned by root." +- name: "MEDIUM | RHEL-09-232170 | PATCH | RHEL 9 /var/log directory must be owned by root." when: - rhel_09_232170 tags: 
@@ -1471,7 +1470,7 @@ path: /var/log state: directory -- name: "RHEL-09-232175 | PATCH | RHEL 9 /var/log directory must be group-owned by root." +- name: "MEDIUM | RHEL-09-232175 | PATCH | RHEL 9 /var/log directory must be group-owned by root." when: - rhel_09_232175 tags: @@ -1487,7 +1486,7 @@ path: /var/log state: directory -- name: "RHEL-09-232180 | PATCH | RHEL 9 /var/log/messages file must be owned by root." +- name: "MEDIUM | RHEL-09-232180 | PATCH | RHEL 9 /var/log/messages file must be owned by root." when: - rhel_09_232180 tags: @@ -1502,7 +1501,7 @@ owner: root path: /var/log/messages -- name: "RHEL-09-232185 | PATCH | RHEL 9 /var/log/messages file must be group-owned by root." +- name: "MEDIUM | RHEL-09-232185 | PATCH | RHEL 9 /var/log/messages file must be group-owned by root." when: - rhel_09_232185 tags: @@ -1517,7 +1516,7 @@ group: root path: /var/log/messages -- name: "RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root." +- name: "MEDIUM | RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root." when: - rhel_09_232190 tags: @@ -1529,13 +1528,13 @@ - V-257918 - NIST800-53R4_CM-5 block: - - name: "RHEL-09-232190 | AUDIT | RHEL 9 system commands must be owned by root." + - name: "MEDIUM | RHEL-09-232190 | AUDIT | RHEL 9 system commands must be owned by root." ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls {} \; changed_when: false failed_when: rhel9stig_sys_commands_owner.rc not in [ 0, 1 ] register: rhel9stig_sys_commands_owner - - name: "RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root." + - name: "MEDIUM | RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root." when: rhel9stig_sys_commands_owner.stdout | length > 0 ansible.builtin.file: owner: root 
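Review bot: The 232190 AUDIT in the -1529 hunk still runs `find -L ... ! -user root -exec ls {} \;`, which for a matched directory prints the directory's entries rather than its path, so `stdout_lines` feeds basenames into the PATCH task's `ansible.builtin.file`; this commit fixes exactly that in 232200 by dropping `-exec ls {} \;`, and the same change belongs here: `ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root`. The PATCH task's `path:` and `loop:` lines fall outside this hunk.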
@@ -1543,7 +1542,7 @@ loop: - "{{ rhel9stig_sys_commands_owner.stdout_lines }}" -- name: "RHEL-09-232195 | PATCH | RHEL 9 system commands must be group-owned by root or a system account." +- name: "MEDIUM | RHEL-09-232195 | PATCH | RHEL 9 system commands must be group-owned by root or a system account." when: - rhel_09_232195 tags: @@ -1557,25 +1556,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232195" block: - - name: "RHEL-09-232195 | AUDIT | RHEL 9 system commands must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232195 | AUDIT | RHEL 9 system commands must be group-owned by root or a system account." ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! \( -group root -o -group tty \) -exec ls -l {} \; changed_when: false failed_when: rhel9stig_sys_commands_group.rc not in [ 0, 1 ] register: rhel9stig_sys_commands_group - - name: "RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." when: rhel9stig_sys_commands_group.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Please validate group ownership of the following system commands {{ rhel9stig_sys_commands_group.stdout_lines }}" - - name: "RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." when: rhel9stig_sys_commands_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." +- name: "MEDIUM | RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." when: - rhel_09_232200 tags: 
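Review bot: The context lines at the top of the -1543 hunk show 232190's PATCH still using the nested form `loop:` / `- "{{ rhel9stig_sys_commands_owner.stdout_lines }}"`, which yields a single iteration whose `item` is the entire list, so a `path: "{{ item }}"` (the `path:` line itself sits in the gap between this hunk and the previous one, so I am inferring it) would receive a stringified list rather than one path per iteration. The commit replaces this pattern with a flat `loop: "{{ ...stdout_lines }}"` in the -931, -1587 and -1828 hunks of this file but leaves it here; it should become `loop: "{{ rhel9stig_sys_commands_owner.stdout_lines }}"`.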
@@ -1587,21 +1586,20 @@ - V-257920 - NIST800-53R4_CM-5 block: - - name: "RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root." - ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls {} \; + - name: "MEDIUM | RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root." + ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root changed_when: false failed_when: rhel9stig_lib_files_owner.rc not in [ 0, 1 ] register: rhel9stig_lib_files_owner - - name: "RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." + - name: "MEDIUM | RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." when: rhel9stig_lib_files_owner.stdout | length > 0 ansible.builtin.file: owner: root - path: "{{ path }}" - loop: - - "{{ rhel9stig_lib_files_owner.stdout_lines }}" + path: "{{ item }}" + loop: "{{ rhel9stig_lib_files_owner.stdout_lines }}" -- name: "RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account." +- name: "MEDIUM | RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account." when: - rhel_09_232205 tags: 
@@ -1615,25 +1613,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232205" block: - - name: "RHEL-09-232205 | AUDIT | RHEL 9 library files must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232205 | AUDIT | RHEL 9 library files must be group-owned by root or a system account." ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! \( -group root -o -group utmp -o -group ssh_keys -o -group tty \) -exec ls {} \; changed_when: false failed_when: rhel9stig_lib_files_group.rc not in [ 0, 1 ] register: rhel9stig_lib_files_group - - name: "RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." when: rhel9stig_lib_files_group.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Please validate group ownership of the following library files or symlinks {{ rhel9stig_lib_files_group.stdout_lines }}" - - name: "RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." when: rhel9stig_lib_files_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232210 | PATCH | RHEL 9 library directories must be owned by root." +- name: "MEDIUM | RHEL-09-232210 | PATCH | RHEL 9 library directories must be owned by root." when: - rhel_09_232210 tags: @@ -1653,7 +1651,7 @@ - '/usr/lib' - '/usr/lib64' -- name: "RHEL-09-232215 | PATCH | RHEL 9 library directories must be group-owned by root or a system account." +- name: "MEDIUM | RHEL-09-232215 | PATCH | RHEL 9 library directories must be group-owned by root or a system account." when: - rhel_09_232215 tags: 
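Review bot: The 232205 AUDIT in the -1615 hunk keeps `-exec ls {} \;` on the `find -L` over the library trees, so for any matched directory the WARN prints the directory's contents (basenames) instead of the offending path, making the warning hard to act on; the commit already drops `-exec ls {} \;` from the equivalent 232200 audit, and this task should follow: `ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! \( -group root -o -group utmp -o -group ssh_keys -o -group tty \)`. The same applies to 232195's `-exec ls -l {} \;` in the -1557 hunk.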
@@ -1667,25 +1665,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232215" block: - - name: "RHEL-09-232215 | AUDIT | RHEL 9 library directories must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232215 | AUDIT | RHEL 9 library directories must be group-owned by root or a system account." ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; changed_when: false failed_when: rhel9stig_lib_dirs_group.rc not in [ 0, 1 ] register: rhel9stig_lib_dirs_group - - name: "RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." when: rhel9stig_lib_dirs_group.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Please validate group ownership of the following library directories {{ rhel9stig_lib_dirs_group.stdout_lines }}" - - name: "RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." when: rhel9stig_lib_dirs_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232220 | PATCH | RHEL 9 audit tools must be owned by root." +- name: "MEDIUM | RHEL-09-232220 | PATCH | RHEL 9 audit tools must be owned by root." when: - rhel_09_232220 tags: @@ -1708,7 +1706,7 @@ - '/sbin/rsyslogd' - '/sbin/augenrules' -- name: "RHEL-09-232225 | PATCH | RHEL 9 audit tools must be group-owned by root." +- name: "MEDIUM | RHEL-09-232225 | PATCH | RHEL 9 audit tools must be group-owned by root." when: - rhel_09_232225 tags: 
@@ -1731,7 +1729,7 @@ - '/sbin/rsyslogd' - '/sbin/augenrules' -- name: "RHEL-09-232230 | PATCH | RHEL 9 cron configuration files directory must be owned by root." +- name: "MEDIUM | RHEL-09-232230 | PATCH | RHEL 9 cron configuration files directory must be owned by root." when: - rhel_09_232230 tags: @@ -1754,7 +1752,7 @@ - '/etc/cron.weekly' - '/etc/crontab' -- name: "RHEL-09-232235 | PATCH | RHEL 9 cron configuration files directory must be group-owned by root." +- name: "MEDIUM | RHEL-09-232235 | PATCH | RHEL 9 cron configuration files directory must be group-owned by root." when: - rhel_09_232235 tags: @@ -1777,7 +1775,7 @@ - '/etc/cron.weekly' - '/etc/crontab' -- name: "RHEL-09-232240 | PATCH | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." +- name: "MEDIUM | RHEL-09-232240 | PATCH | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." when: - rhel_09_232240 - rhel9stig_disruption_high 
@@ -1795,25 +1793,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232240" block: - - name: "RHEL-09-232240 | AUDIT | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." + - name: "MEDIUM | RHEL-09-232240 | AUDIT | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -uid +0 changed_when: false failed_when: rhel9stig_worldwide_dir_owners.rc not in [ 0, 1 ] register: rhel9stig_worldwide_dir_owners - - name: "RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." + - name: "MEDIUM | RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." when: rhel9stig_worldwide_dir_owners.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! The following Directories do not match requirements for RHEL_09_232240 {{ rhel9stig_worldwide_dir_owners.stdout_lines }}" - - name: "RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." + - name: "MEDIUM | RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." when: rhel9stig_worldwide_dir_owners.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." +- name: "MEDIUM | RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." when: - rhel_09_232245 - rhel9stig_disruption_high 
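Review bot: The 232240 block whose body is in the -1795 hunk is gated on both `rhel_09_232240` and `rhel9stig_disruption_high` (the task-level `when:` is in the -1777 hunk just above), yet every task inside is AUDIT or WARN and nothing is modified, so a run with `rhel9stig_disruption_high: false` emits no warning at all for world-writable directories with a non-root owner — the opposite of what a disruption toggle should do for a warn-only control. Either drop `- rhel9stig_disruption_high` from that `when`, or add a PATCH step that the toggle actually guards. The trailing context of this hunk shows 232245 gated the same way, and its WARN tasks in the next hunk are conditioned on `not rhel9stig_disruption_high`, which can never hold inside such a block. The `df --local -P | awk ... | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -uid +0` pipeline itself is unchanged and matches the check.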
@@ -1828,23 +1826,22 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232245" block: - - name: "RHEL-09-232245 | AUDIT | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | AUDIT | A sticky bit must be set on all RHEL 9 public directories." ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -a ! -perm -1000 2>/dev/null changed_when: false failed_when: rhel9stig_public_dirs_stickybit.rc not in [ 0, 1 ] register: rhel9stig_public_dirs_stickybit - - name: "RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." when: - rhel9stig_disruption_high - rhel9stig_public_dirs_stickybit.stdout | length > 0 ansible.builtin.file: path: "{{ item }}" mode: +t - loop: - - "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" + loop: "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" - - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." when: - not rhel9stig_disruption_high - rhel9stig_public_dirs_stickybit.stdout | length > 0 
@@ -1853,14 +1850,14 @@ "Warning!! The following file require sticky bit to be set {{ rhel9stig_public_dirs_stickybit.stdout_lines }}" - - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." when: - not rhel9stig_disruption_high - rhel9stig_public_dirs_stickybit.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232250 | PATCH | All RHEL 9 local files and directories must have a valid group owner." +- name: "MEDIUM | RHEL-09-232250 | PATCH | All RHEL 9 local files and directories must have a valid group owner." when: - rhel_09_232250 tags: @@ -1874,9 +1871,9 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232250" block: - - name: "RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." when: - - not item['device'].startswith('/dev') + - item['device'].startswith('/dev') - not 'bind' in item['options'] ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false @@ -1887,7 +1884,7 @@ loop_control: label: "{{ item.mount }}" - - name: "RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." ansible.builtin.set_fact: rhel9stig_ungrouped_files_found: true loop: "{{ rhel9stig_ungrouped_files_dirs_audit.results }}" 
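Review bot: The WARN tasks in the -1828 and -1853 hunks run only `when: not rhel9stig_disruption_high`, but the enclosing 232245 block is itself gated on `rhel9stig_disruption_high` (its `when:` is in the -1795 hunk), so these warn tasks are unreachable and a non-disruptive run neither fixes nor reports directories missing the sticky bit. Removing `- rhel9stig_disruption_high` from the block-level `when` and keeping the per-task guards gives the intended audit/patch split. The `mode: +t` patch with the flattened `loop: "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}"` is itself correct.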
@@ -1896,17 +1893,17 @@ - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - - name: "RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." when: rhel9stig_ungrouped_files_found is defined ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] + msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}" - - name: "RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." when: rhel9stig_ungrouped_files_found is defined ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232255 | PATCH | All RHEL 9 local files and directories must have a valid owner." +- name: "MEDIUM | RHEL-09-232255 | PATCH | All RHEL 9 local files and directories must have a valid owner." when: - rhel_09_232255 tags: @@ -1920,9 +1917,9 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232255" block: - - name: "RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." when: - - not item['device'].startswith('/dev') + - item['device'].startswith('/dev') - not 'bind' in item['options'] ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false 
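Review bot: `rhel9stig_ungrouped_files_dirs_audit.stdout_lines` in the new debug message does not exist: the variable is registered by a looped task (the preceding hunk iterates over `rhel9stig_ungrouped_files_dirs_audit.results`), so the registered value carries a `results` list and no top-level `stdout_lines`, and the warning will fail on an undefined attribute. The removed `json_query` form was presumably dropped to avoid the jmespath dependency; a core-filters-only equivalent is `msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"`. The same replacement is needed in the RHEL-09-232255 WARN task two hunks further on.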
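Review bot: The RHEL-09-232255 audit in the `@@ -1920` hunk runs `find "{{ item.mount }}" -xdev -nogroup`, which is the group-owner test copied from 232250; the valid-owner control needs `-nouser`, so as written it never finds unowned files and instead registers the ungrouped ones under `rhel9stig_unowned_files_dirs_audit`. Change the command to `ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser`. The enclosing block continues past the end of the hunk.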
@@ -1933,7 +1930,7 @@ loop_control: label: "{{ item.mount }}" - - name: "RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." ansible.builtin.set_fact: rhel9stig_unowned_files_found: true loop: "{{ rhel9stig_unowned_files_dirs_audit.results }}" @@ -1942,17 +1939,17 @@ - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - - name: "RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." when: rhel9stig_unowned_files_found is defined ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] + msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}" - - name: "RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." when: rhel9stig_unowned_files_found is defined ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232260 | PATCH | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." +- name: "MEDIUM | RHEL-09-232260 | PATCH | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." when: - rhel_09_232260 tags: 
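Review bot: The debug message in the RHEL-09-232255 WARN task still references `rhel9stig_ungrouped_files_dirs_audit` and says `Missing group`, although this block registers `rhel9stig_unowned_files_dirs_audit` (see the `loop:` in the preceding hunk) and reports files without a valid owner, so the warning prints the other control's findings. Change it to `msg: "Warning!! Missing owner on items in {{ rhel9stig_unowned_files_dirs_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"`; the `.results` form is required for the same reason as in the 232250 hunk, since a loop-registered variable has no top-level `stdout_lines`.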
@@ -1966,34 +1963,34 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232260" block: - - name: "RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" + - name: "MEDIUM | RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" ansible.builtin.shell: find / -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z" changed_when: false failed_when: rhel9stig_unlabelled_files.rc not in [ 0, 1 ] register: rhel9stig_unlabelled_files - - name: "RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" + - name: "MEDIUM | RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" when: - rhel9stig_unlabelled_files.stdout | length > 0 - rhel9stig_disruption_high ansible.builtin.shell: "restorecon -v {{ item }}" loop: "{{ rhel9stig_unlabelled_files.stdout_lines }}" - - name: "RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." + - name: "MEDIUM | RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." when: - rhel9stig_unlabelled_files.stdout | length > 0 - not rhel9stig_disruption_high ansible.builtin.debug: msg: "Warning!! Unlabelled device files found on the system {{ rhel9stig_unlabelled_files }}" - - name: "RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." + - name: "MEDIUM | RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." 
when: - rhel9stig_unlabelled_files.stdout | length > 0 - not rhel9stig_disruption_high ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232265 | PATCH | RHEL 9 /etc/crontab file must have mode 0600." +- name: "MEDIUM | RHEL-09-232265 | PATCH | RHEL 9 /etc/crontab file must have mode 0600." when: - rhel_09_232265 tags: @@ -2008,7 +2005,7 @@ path: /etc/crontab mode: '0600' -- name: "RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access." when: - rhel_09_232270 tags: diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index ef7c1da..96e5d3f 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -134,9 +134,9 @@ - V-257939 - NIST800-53R4_SC-5 ansible.builtin.lineinfile: - line: FirewallBackend=nftables - regexp: ^(#|)FirewallBackend=.* path: /etc/firewalld/firewalld.conf + regexp: ^(#|)FirewallBackend=.* + line: FirewallBackend=nftables - name: "MEDIUM | RHEL-09-251035 | AUDIT | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems." when: @@ -185,10 +185,10 @@ - item not in rhel9stig_promisc_if - rhel9stig_disruption_high ansible.builtin.lineinfile: - create: true - line: PROMISC=NO - regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE) path: "/etc/sysconfig/network-scripts/ifcfg-{{ item }}" + regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE) + line: PROMISC=NO + create: true notify: Restart_NetworkManager loop: "{{ ansible_facts.interfaces }}" 
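Review bot: The `find` in the first RHEL-09-232260 audit uses `-printf "%p %Z"` with no newline, so every match is written onto one line and `rhel9stig_unlabelled_files.stdout_lines` holds a single entry; the following task then runs `restorecon -v` with the whole `path context path context …` string as its argument instead of one path per iteration. Use `-printf "%p\n"` and quote the pattern, `find / -context '*:unlabeled_t:*' \( -type c -o -type b \) -printf "%p\n"`, so the shell cannot glob-expand `*:unlabeled_t:*` against the working directory; restorecon needs only the path. That second task is also named AUDIT although it modifies labels, and its `ansible.builtin.shell` has no `changed_when`, so it reports changed on every run; rename it PATCH and register the result so `changed_when` can be derived from restorecon's verbose output.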
@@ -310,6 +310,7 @@ section: main state: present value: none + no_extra_spaces: true register: rhel09stig_dns_nm_set - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured." @@ -438,9 +439,9 @@ - name: "MEDIUM | RHEL-09-252055 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode." ansible.builtin.lineinfile: - line: ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot path: "{{ rhel9stig_tftp_systemd_file.stdout }}" regexp: ^ExecStart + line: ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot - name: "MEDIUM | RHEL-09-252060 | PATCH | RHEL 9 must forward mail from postmaster to the root account using a postfix alias." when: @@ -456,10 +457,10 @@ - NIST800-53R4_AU-5 notify: Update_aliases ansible.builtin.lineinfile: - create: true - line: 'postmaster: root' path: /etc/aliases regexp: postmaster:\s*root + line: 'postmaster: root' + create: true - name: "MEDIUM | RHEL-09-252065 | PATCH | RHEL 9 libreswan package must be installed." when: @@ -492,7 +493,7 @@ - SRG-OS-000480-GPOS-00227 - SRG-OS-000420-GPOS-00186 - SRG-OS-000142-GPOS-00071 - - SV-257957r925858_rule + - SV-257957r942983_rule - V-257957 - NIST800-53R4_CM-6 - NIST800-53R4_SC-5 @@ -510,7 +511,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257958r925861_rule + - SV-257958r942985_rule - V-257958 - NIST800-53R4_CM-6 ansible.posix.sysctl: @@ -527,7 +528,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257959r925864_rule + - SV-257959r942987_rule - V-257959 - NIST800-53R4_CM-6 ansible.posix.sysctl: @@ -578,7 +579,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257962r925873_rule + - SV-257962r942989_rule - V-257962 - NIST800-53R4_CM-6 ansible.posix.sysctl: 
@@ -595,7 +596,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257963r925876_rule
+ - SV-257963r942991_rule
 - V-257963
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -612,7 +613,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257964r925879_rule
+ - SV-257964r942993_rule
 - V-257964
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -646,7 +647,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257966r925885_rule
+ - SV-257966r942995_rule
 - V-257966
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -680,7 +681,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257968r925891_rule
+ - SV-257968r942997_rule
 - V-257968
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -697,7 +698,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257969r925894_rule
+ - SV-257969r942999_rule
 - V-257969
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -715,7 +716,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257970r925897_rule
+ - SV-257970r943001_rule
 - V-257970
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -766,7 +767,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257973r925906_rule
+ - SV-257973r943003_rule
 - V-257973
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -784,7 +785,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257974r925909_rule
+ - SV-257974r943005_rule
 - V-257974
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -801,7 +802,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257975r925912_rule
+ - SV-257975r943007_rule
 - V-257975
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -818,7 +819,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257976r925915_rule
+ - SV-257976r943009_rule
 - V-257976
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -835,7 +836,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257977r925918_rule
+ - SV-257977r943011_rule
 - V-257977
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -917,15 +918,17 @@ - CCI-001388 - SRG-OS-000023-GPOS-00006 - SRG-OS-000228-GPOS-00088 - - SV-257981r925930_rule + - SV-257981r943028_rule - V-257981 - NIST800-53R4_AC-8 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "banner {{ rhel9stig_sshd_config.banner_file }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)banner \/.*\/.* + line: "banner {{ rhel9stig_sshd_config.banner_file }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255030 | PATCH | RHEL 9 must log SSH connection attempts and failures to the server." when: @@ -935,15 +938,17 @@ - CAT2 - CCI-000067 - SRG-OS-000032-GPOS-00013 - - SV-257982r925933_rule + - SV-257982r943030_rule - V-257982 - NIST800-53R4_AC-17 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)LogLevel.* + line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255035 | PATCH | RHEL 9 SSHD must accept public key authentication" when: @@ -959,15 +964,17 @@ - SRG-OS-000106-GPOS-00053 - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 - - SV-257983r925936_rule + - SV-257983r943032_rule - V-257983 - NIST800-53R4_IA-2 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PubkeyAuthentication\s*(yes|no) + line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255045 | PATCH | RHEL 9 must not permit direct logons to the root account using remote access via SSH." when: 
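Review bot: The banner regexp in the RHEL-09-255025 hunk, `^(?i)(#|)banner \/.*\/.*`, only matches a value containing at least two slashes, so an existing `Banner none` (or any single-segment path) is not matched and the managed line is appended after it; sshd keeps the first value it reads, so the banner can remain disabled while the task reports success. Use `regexp: ^(?i)(#|)banner\s+.*` so any prior form of the directive is replaced. Note also that the newly added `validate: sshd -t -f %s` runs against a temporary copy of this one file, so it catches a malformed directive but not a conflict with an earlier value in sshd_config or another drop-in, which is why the regexp has to match every existing form.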
@@ -979,16 +986,18 @@ - CCI-000770 - SRG-OS-000109-GPOS-00056 - SRG-OS-000480-GPOS-00227 - - SV-257985r928961_rule + - SV-257985r943036_rule - V-257985 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitRootLogin\s*(yes|no) + line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255055 | PATCH | RHEL 9 SSH daemon must be configured to use system-wide crypto policies." when: @@ -1001,12 +1010,14 @@ - SV-257987r925948_rule - V-257987 - NIST800-53R4_AC-17 + - ssh notify: Restart_sshd ansible.builtin.lineinfile: - create: true - line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + line: "Include {{ rhel9stig_sshd_config.include_conf }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255060 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections." when: @@ -1019,12 +1030,14 @@ - SV-257988r925951_rule - V-257988 - NIST800-53R4_AC-17 + - ssh notify: Restart_sshd ansible.builtin.lineinfile: - create: true - line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + line: "Include {{ rhel9stig_sshd_config.include_conf }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255065 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections." when: 
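Review bot: The RHEL-09-255055 and RHEL-09-255060 hunks notify `Restart_sshd`, while every other sshd task in this file (including the 255045 hunk just above) notifies `Restart_ssh`; unless the handlers file defines both names, the notification for these two tasks will fail with a handler-not-found error at runtime. Pick one handler name file-wide, most likely `notify: Restart_ssh`. Separately, the 255060 task (client ciphers) is byte-identical to 255055 and writes the same `Include {{ rhel9stig_sshd_config.include_conf }}` line into sshd_config; it looks like a copy rather than an implementation of the client-side control, so please confirm the intended fix text for that rule.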
@@ -1034,14 +1047,14 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-257989r925954_rule + - SV-257989r943014_rule - V-257989 - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - path: /etc/crypto-policies/back-ends/opensshserver.config + path: /etc/crypto-policies/back-ends/openssh.config regexp: ^Ciphers + line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1056,9 +1069,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" path: /etc/crypto-policies/back-ends/openssh.config regexp: ^MACs + line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1073,9 +1086,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" path: /etc/crypto-policies/back-ends/opensshserver.config regexp: ^MACs + line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system." when: 
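Review bot: The path change in the RHEL-09-255065 hunk points a task titled `SSH server connections` at `/etc/crypto-policies/back-ends/openssh.config`, which looks inverted relative to the MACs pair immediately below, where the client control (255070) targets `openssh.config` and the server control (255075) targets `opensshserver.config`. After this change no task in the visible diff sets `Ciphers` in `opensshserver.config` at all. If the client file really is intended, the task name should say so; otherwise revert to `path: /etc/crypto-policies/back-ends/opensshserver.config`.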
@@ -1085,15 +1098,17 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257992r925963_rule + - SV-257992r943040_rule - V-257992 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)HostbasedAuthentication\s*(yes|no) + line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255085 | PATCH | RHEL 9 must not allow users to override SSH environment variables." when: @@ -1103,15 +1118,17 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00229 - - SV-257993r925966_rule + - SV-257993r943042_rule - V-257993 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitUserEnvironments\s*(yes|no) + line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255090 | PATCH | RHEL 9 must force a frequent session key renegotiation for SSH connections to the server." when: @@ -1125,16 +1142,18 @@ - SRG-OS-000423-GPOS-00187 - SRG-OS-000033-GPOS-00014 - SRG-OS-000424-GPOS-00188 - - SV-257994r925969_rule + - SV-257994r943044_rule - V-257994 - NIST800-53R4_AC-17 - NIST800-53R4_SC-8 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)RekeyLimit.* + line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255095 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive." when: 
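Review bot: The regexp in the RHEL-09-255085 hunk is `^(?i)(#|)PermitUserEnvironments\s*(yes|no)` but the directive written is `PermitUserEnvironment` (no trailing s), so an existing `PermitUserEnvironment yes` is never matched and the managed line is appended after it; because sshd uses the first value it reads, the hardening line can be silently ineffective, and `sshd -t` will not flag that. Change it to `regexp: ^(?i)(#|)PermitUserEnvironment\s*(yes|no)`.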
@@ -1147,16 +1166,18 @@ - CCI-002421 - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 - - SV-257995r925972_rule + - SV-257995r942963_rule - V-257995 - NIST800-53R4_SC-10 - NIST800-53R4_AC-12 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveCountMax\s\d* + line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255100 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive." when: @@ -1172,17 +1193,19 @@ - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 - SRG-OS-000395-GPOS-00175 - - SV-257996r925975_rule + - SV-257996r943046_rule - V-257996 - NIST800-53R4_MA-4 - NIST800-53R4_SC-10 - NIST800-53R4_AC-12 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveInterval\s\d* + line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255105 | PATCH | RHEL 9 SSH server configuration file must be group-owned by root." when: @@ -1195,6 +1218,7 @@ - SV-257997r925978_rule - V-257997 - NIST800-53R4_CM-6 + - ssh ansible.builtin.file: group: root path: "{{ rhel9stig_sshd_config_file }}" @@ -1210,6 +1234,7 @@ - SV-257998r925981_rule - V-257998 - NIST800-53R4_CM-6 + - ssh ansible.builtin.file: owner: root path: "{{ rhel9stig_sshd_config_file }}" @@ -1225,6 +1250,7 @@ - SV-257999r925984_rule - V-257999 - NIST800-53R4_CM-6 + - ssh ansible.builtin.file: mode: go-rwx path: "{{ rhel9stig_sshd_config_file }}" 
@@ -1290,12 +1316,14 @@ - SV-258002r925993_rule - V-258002 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "Compression {{ rhel9stig_sshd_config.compress }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Compression\s*(yes|no) + line: "Compression {{ rhel9stig_sshd_config.compress }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255135 | PATCH | RHEL 9 SSH daemon must not allow GSSAPI authentication." when: @@ -1311,12 +1339,14 @@ - V-258003 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)GSSAPIAuthentication\s*(yes|no) + line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255140 | PATCH | RHEL 9 SSH daemon must not allow Kerberos authentication." when: @@ -1332,12 +1362,14 @@ - V-258004 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "KerberosAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)KerberosAuthentication\s*(yes|no) + line: "KerberosAuthentication {{ rhel9stig_sshd_config.kerbauth }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255145 | PATCH | RHEL 9 SSH daemon must not allow rhosts authentication" when: 
@@ -1350,12 +1382,14 @@ - SV-258005r926002_rule - V-258005 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)IgnoreRhosts\s*(yes|no) + line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255150 | PATCH | RHEL 9 SSH daemon must not allow known hosts authentication." when: @@ -1368,12 +1402,14 @@ - SV-258006r926005rule - V-258006 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" - path: "{{ rhel9stig_sshd_config_file }}" + path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)IgnoreUserKnownHosts\s*(yes|no) + line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255155 | PATCH | RHEL 9 SSH daemon must disable remote X connections for interactive users." when: @@ -1383,15 +1419,17 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258007r926008rule + - SV-258007r943048_rule - V-258007 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11forwarding\s*(yes|no) + line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255160 | PATCH | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files." when: 
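Review bot: The RHEL-09-255150 hunk replaces `{{ rhel9stig_sshd_config_file }}` with a hard-coded `path: /etc/ssh/sshd_config.d/50-redhat.conf`, unlike every other sshd task in this file. As far as I know that file is shipped by the openssh-server package on RHEL 9, so the setting can be lost on a package update and the role can no longer be pointed at a dedicated drop-in; if a specific file is required it should at least be a role variable, otherwise restore `path: "{{ rhel9stig_sshd_config_file }}"`. Separately, the rule id `SV-258006r926005rule` in this hunk and `SV-258008r926011rule`, `SV-258009r926014rule`, `SV-258010r926017rule` in the following hunks are missing the `_` before `rule`, which the commit fixes for 258007 and 258011 but not for these.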
@@ -1404,12 +1442,14 @@ - SV-258008r926011rule - V-258008 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)StrictModes\s*(yes|no) + line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255165 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." when: @@ -1422,12 +1462,14 @@ - SV-258009r926014rule - V-258009 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PrintLastLog\s*(yes|no) + line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255170 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." when: @@ -1440,12 +1482,14 @@ - SV-258010r926017rule - V-258010 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)UsePrivilegeSeparation\s*(yes|no) + line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" + create: true + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255175 | PATCH | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display." when: 
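Review bot: The RHEL-09-255170 task in the last hunk carries the RHEL-09-255165 title (`must display the date and time of the last successful account logon`) although it manages `UsePrivilegeSeparation`; the name should describe the directive actually being set. In addition, `UsePrivilegeSeparation` has been a deprecated keyword in OpenSSH since 7.5 and I believe the RHEL 9 sshd only warns about it and otherwise ignores it, so this task writes a directive with no effect and the newly added `validate: sshd -t -f %s` will not reject it; confirm the control's current fix text before keeping the task.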
@@ -1455,12 +1499,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258011r926020rule + - SV-258011r943050_rule - V-258011 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11UseLocalhost\s*(yes|no) + line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" + create: true + validate: sshd -t -f %s diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index c728158..5db9328 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -45,11 +45,13 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - line: banner-message-enable - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/login-screen/banner-message-enable + create: true mode: '0644' modification_time: preserve - state: touch + state: present + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271020 | PATCH | RHEL 9 must disable the graphical user interface automount function unless required." when: @@ -71,10 +73,11 @@ community.general.ini_file: create: true mode: '0644' - options: automount-open - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + option: automount-open + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'false' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271025 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function." when: 
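Review bot: `modification_time: preserve` in the first RHEL-09-27xxxx hunk is a parameter of `ansible.builtin.file`, not `ansible.builtin.lineinfile`; it was presumably carried over from a `file` invocation along with the old `state: touch`, and with `state: present` the module should reject it as an unsupported parameter, so drop that line. Also, `create: true` on lineinfile creates only the file, never its parent directories, and the task now loops over every db in `rhel9stig_dconf_db.stdout_lines`; unless an earlier task creates `/etc/dconf/db/<db>.d/locks` for each of them, this and the other lock-file tasks in the following hunks fail for any db whose `locks` directory is missing.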
@@ -95,9 +98,10 @@ - NIST800-53R4_IA-3 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" line: /org/gnome/desktop/media-handling/automount-open - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required." when: @@ -115,9 +119,10 @@ community.general.ini_file: create: true option: autorun-never - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271035 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function." when: @@ -138,9 +143,10 @@ - NIST800-53R4_IA-3 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" line: /org/gnome/desktop/media-handling/autorun-never - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed." when: 
@@ -159,10 +165,12 @@ notify: Update_dconf community.general.ini_file: create: true + no_extra_spaces: true option: removal-action - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' - value: 'lock-screen' + value: "'lock-screen'" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271050 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action." when: @@ -180,9 +188,10 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." when: @@ -202,9 +211,10 @@ community.general.ini_file: create: true option: lock-enabled - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/screensaver' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271060 | PATCH | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." when: 
@@ -222,9 +232,10 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/session" line: /org/gnome/desktop/screensaver/lock-enabled - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity." when: @@ -244,9 +255,10 @@ community.general.ini_file: create: true option: idle-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/session' value: 'uint32 900' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271070 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface" when: @@ -264,9 +276,10 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/session" line: /org/gnome/desktop/session/idle-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated." when: @@ -284,9 +297,10 @@ community.general.ini_file: create: true option: lock-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/screensaver' value: 'uint32 5' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271080 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface" when: 
@@ -302,9 +316,10 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/session" line: /org/gnome/desktop/screensaver/lock-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." when: @@ -324,15 +339,17 @@ community.general.ini_file: create: true option: picture-uri - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' - value: '' + value: "''" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" line: /org/gnome/desktop/screensaver/picture-uri - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles." when: 
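Review bot: The second RHEL-09-271085 task (the lineinfile lock for `picture-uri`) has no `when:` or `tags:` stanza between its name and the module call as shown in the hunk, so it runs regardless of the `rhel_09_271085` toggle and cannot be selected or skipped by tag like its sibling ini_file task. If this is not intentional, copy the `when:`/`tags:` block from the ini_file task above it. The `value: "''"` change is correct — dconf keyfiles need the inner quotes for an empty string.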
@@ -358,16 +375,18 @@ - CAT2 - CCI-00366 - SRG-OS-000480-GPOS-00227 - - SV-258029r926074_rule + - SV-258029r943059_rule - V-258029 - NIST800-53R4_CM-6 notify: Update_dconf community.general.ini_file: create: true option: disable-restart-buttons - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" - section: 'org/gnome/settings-daemon/peripherals/smartcard' - value: 'true' + path: "/etc/dconf/db/{{ item }}.d/02-login-screen" + section: 'org/gnome/login-screen' + value: "true" + no_extra_spaces: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface." when: @@ -383,9 +402,10 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true + path: "/etc/dconf/db/{{ item }}.d/locks/session" line: /org/gnome/login-screen/disable-restart-buttons - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + create: true + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot." when: @@ -403,9 +423,10 @@ community.general.ini_file: create: true option: logout - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/plugins/media-keys' value: "['']" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271110 | PATCH | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface." when: 
@@ -421,9 +442,10 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: + path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/settings-daemon/plugins/media-keys/logout create: true - line: org/gnome/settings-daemon/plugins/media-keys/logout - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces." when: @@ -441,6 +463,7 @@ community.general.ini_file: create: true option: disable-user-list - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/02-login-screen" + path: "/etc/dconf/db/{{ item }}.d/02-login-screen" section: 'org/gnome/login-screen' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" diff --git a/tasks/Cat2/RHEL-09-29xxxx.yml b/tasks/Cat2/RHEL-09-29xxxx.yml index 6aacd73..be93230 100644 --- a/tasks/Cat2/RHEL-09-29xxxx.yml +++ b/tasks/Cat2/RHEL-09-29xxxx.yml @@ -62,7 +62,7 @@ - CAT2 - CCI-001958 - SRG-OS-000378-GPOS-00163 - - SV-258038r926101_rule + - SV-258038r943052_rule - V-258038 - NIST800-53R4_IA-3 block: diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml index 361887c..0ffef69 100644 --- a/tasks/Cat2/RHEL-09-4xxxxx.yml +++ b/tasks/Cat2/RHEL-09-4xxxxx.yml @@ -12,9 +12,9 @@ - V-258041 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - line: "PASS_MAX_DAYS {{ rhel9stig_pass['max_days'] }}" path: /etc/login.defs regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9stig_pass['max_days'] }}" - name: "MEDIUM | RHEL-09-411015 | PATCH | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs." when: 
@@ -44,8 +44,7 @@ - "item in rhel9stig_interactive_users.stdout_lines" ansible.builtin.shell: "chage -M 60 {{ item }}" failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ] - loop: - - "{{ rhel9stig_users_passwd_max.stdout_lines }}" + loop: "{{ rhel9stig_users_passwd_max.stdout_lines }}" - name: "MEDIUM | RHEL-09-411015 | WARN | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs." when: @@ -75,9 +74,9 @@ - V-258043 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - line: "CREATE_HOME yes" path: /etc/login.defs regexp: ^(?i)(|#)\s*CREATE_HOME (no|yes) + line: "CREATE_HOME yes" - name: "MEDIUM | RHEL-09-411025 | PATCH | RHEL 9 must set the umask value to 077 for all local interactive user accounts." when: @@ -259,7 +258,7 @@ - name: "MEDIUM | RHEL-09-411050 | PATCH | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity." when: - rhel9stig_inactive_user_setting is defined - - "'-1' not in rhel9stig_inactive_user_setting.stdout" + - "'-1' in rhel9stig_inactive_user_setting.stdout" - "rhel9stig_user_inactive_days not in rhel9stig_inactive_user_setting.stdout" ansible.builtin.shell: "useradd -D -f {{ rhel9stig_user_inactive_days }}" @@ -289,9 +288,9 @@ - name: "MEDIUM | RHEL-09-411055 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory." ansible.builtin.lineinfile: - line: "PATH={{ rhel9stig_env_path }}" path: "{{ item.path }}" regexp: ^\s*PATH + line: "PATH={{ rhel9stig_env_path }}" loop: "{{ rhel9stig_user_initialization.files }}" - name: | 
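Review bot: `chage -M 60 {{ item }}` hardcodes 60 while the login.defs task in the preceding hunk uses `rhel9stig_pass['max_days']`, so overriding the variable leaves existing accounts on a different lifetime than new ones. The username is also interpolated unquoted into a shell string, and nothing here needs a shell, so prefer `ansible.builtin.command` with `argv: ['chage', '-M', "{{ rhel9stig_pass['max_days'] }}", "{{ item }}"]`. I would also confirm that `failed_when` is meant to test `rhel9stig_users_passwd_max` (the earlier audit result) rather than this task's own return code; unless this task re-registers that name, a failing chage is never reported.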
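Review bot: Flipping the RHEL-09-411050 condition to `'-1' in rhel9stig_inactive_user_setting.stdout` fixes the default-INACTIVE case but now skips any host where `useradd -D` already reports some other non-compliant value (for example 0 or 90), which is exactly the drifted state a hardening role should correct. The substring tests are also loose, since `35` would match inside an `EXPIRE=` date. Drop the `-1` condition and match the key itself: `- "('INACTIVE=' ~ rhel9stig_user_inactive_days) not in rhel9stig_inactive_user_setting.stdout"`.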
@@ -384,9 +383,9 @@ - V-258054 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "deny = {{ rhel9stig_faillock.deny }}" path: /etc/security/faillock.conf regexp: '^\s*deny\s*=\s*([0-2]|[4-9]|{{ rhel9stig_faillock.deny }}[0-9]{1,})\d*' + line: "deny = {{ rhel9stig_faillock.deny }}" - name: "MEDIUM | RHEL-09-411080 | PATCH | RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." when: @@ -402,9 +401,9 @@ - V-258055 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: even_deny_root path: /etc/security/faillock.conf regexp: ^(#|)even_deny_root + line: even_deny_root - name: "MEDIUM | RHEL-09-411085 | PATCH | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." when: @@ -420,9 +419,9 @@ - V-258056 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: "fail_interval = {{ rhel9stig_faillock.fail_interval }}" path: /etc/security/faillock.conf regexp: '^fail_interval\s*=\s*' + line: "fail_interval = {{ rhel9stig_faillock.fail_interval }}" - name: "MEDIUM | RHEL-09-411090 | PATCH | RHEL 9 must maintain an account lock until the locked account is released by an administrator." when: @@ -442,9 +441,9 @@ block: - name: "MEDIUM | RHEL-09-411090 | PATCH | RHEL 9 must maintain an account lock until the locked account is released by an administrator." ansible.builtin.lineinfile: - line: "unlock_time = 0" path: /etc/security/faillock.conf regexp: '^unlock_time\s*=\s*[1-9]' + line: "unlock_time = 0" - name: "MEDIUM | RHEL-09-411090 | AUDIT | RHEL 9 must maintain an account lock until the locked account is released by an administrator. | not auth select profile" ansible.builtin.lineinfile: 
@@ -527,9 +526,9 @@ - name: "MEDIUM | RHEL-09-411105 | PATCH | RHEL 9 must ensure account lockouts persist." ansible.builtin.lineinfile: - line: "dir = {{ rhel9stig_faillock.dir }}" path: /etc/security/faillock.conf regexp: '^dir\s*=\s*' + line: "dir = {{ rhel9stig_faillock.dir }}" notify: Change_requires_reboot - name: "MEDIUM | RHEL-09-411110 | PATCH | RHEL 9 groups must have unique Group ID (GID)." @@ -616,7 +615,7 @@ - CCI-000060 - SRG-OS-000031-GPOS-00012 - SRG-OS-000028-GPOS-00009 - - SV-258064r926179_rule + - SV-258064r943016_rule - V-258064 - NIST800-53R4_AC-11 ansible.builtin.template: @@ -638,11 +637,11 @@ - V-258065 - NIST800-53R4_AC-11 ansible.builtin.lineinfile: - create: true - line: "{{ item }}" - mode: '0644' path: /etc/tmux.conf regexp: "{{ item }}" + line: "{{ item }}" + create: true + mode: '0644' state: present loop: - 'set -g lock-command vlock' @@ -701,9 +700,9 @@ - V-258070 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: "audit" path: /etc/security/faillock.conf regexp: '^\s*audit' + line: "audit" - name: "MEDIUM | RHEL-09-412050 | PATCH | RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." when: @@ -717,9 +716,9 @@ - V-258071 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "FAIL_DELAY {{ rhel9stig_login_defs.fail_delay }}" path: /etc/login.defs regexp: \s*FAIL_DELAY + line: "FAIL_DELAY {{ rhel9stig_login_defs.fail_delay }}" - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell." when: @@ -735,9 +734,9 @@ block: - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/bashrc regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell.| Amend all instances" ansible.builtin.replace: 
@@ -759,9 +758,9 @@ block: - name: "MEDIUM | RHEL-09-412060 | PATCH | RHEL 9 must define default permissions for the c shell. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/csh.cshrc regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412060 | PATCH | RHEL 9 must define default permissions for the c shell.| Amend all instances" ansible.builtin.replace: @@ -783,9 +782,9 @@ block: - name: "MEDIUM | RHEL-09-412065 | PATCH | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Exists" ansible.builtin.lineinfile: - line: UMASK 077 path: /etc/login.defs regexp: UMASK \d\d\d + line: UMASK 077 - name: "MEDIUM | RHEL-09-412065 | PATCH | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Amend all instances" ansible.builtin.replace: @@ -807,9 +806,9 @@ block: - name: "MEDIUM | RHEL-09-412070 | PATCH | RHEL 9 must define default permissions for the system default profile. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/profile regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412070 | PATCH | RHEL 9 must define default permissions for the system default profile. | Amend all instances" ansible.builtin.replace: @@ -829,9 +828,9 @@ - V-258077 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "StopIdleSessionSec={{ rhel9stig_logind_conf.stopsessionidle }}" path: /etc/systemd/logind.conf regexp: ^(#|)StopIdleSessionSec\s*=\s*\d* + line: "StopIdleSessionSec={{ rhel9stig_logind_conf.stopsessionidle }}" - name: "MEDIUM | RHEL-09-431015 | PATCH | RHEL 9 must enable the SELinux targeted policy." when: 
@@ -845,9 +844,9 @@ - V-258079 - NIST800-53R4_SI-6 ansible.builtin.lineinfile: - line: SELINUXTYPE=targeted path: /etc/selinux/config regexp: ^(#|)SELINUXTYPE\s*=\s*\w+ + line: SELINUXTYPE=targeted - name: "MEDIUM | RHEL-09-431025 | PATCH | RHEL 9 must have policycoreutils package installed." when: @@ -931,13 +930,13 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-258084r926239_rule + - SV-258084r943061_rule - V-258084 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - line: Defaults timestamp_timeout=0 path: "{{ item }}" regexp: ^Defaults timestamp_timeout\s*=\s*(-|)\d + line: Defaults timestamp_timeout=0 loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'." 
@@ -948,29 +947,29 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258085r926242_rule + - SV-258085r943063_rule - V-258085 - NIST800-53R4_CM-6 block: - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | targetpw" ansible.builtin.lineinfile: - line: Defaults !targetpw path: "{{ item }}" regexp: ^(#|)Defaults !targetpw + line: Defaults !targetpw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | rootpw" ansible.builtin.lineinfile: - line: Defaults !rootpw path: "{{ item }}" regexp: ^(#|)Defaults !rootpw + line: Defaults !rootpw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | runaspw" ansible.builtin.lineinfile: - line: Defaults !runaspw path: "{{ item }}" regexp: ^(#|)Defaults !runaspw + line: Defaults !runaspw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432025 | PATCH | RHEL 9 must require users to reauthenticate for privilege escalation." @@ -981,12 +980,12 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-258086r926245_rule + - SV-258086r943065_rule - V-258086 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - line: '!authenticate' path: "{{ item }}" + line: '!authenticate' state: absent loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -1002,9 +1001,9 @@ - V-258087 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: '!authenticate' path: "{{ item }}" regexp: ALL\s*ALL=\(ALL(:ALL|)\)\s*ALL + line: '!authenticate' state: absent loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" 
@@ -1022,9 +1021,9 @@ - NIST800-53R4_IA-11 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - line: auth required pam_wheel.so use_uid path: /etc/pam.d/su regexp: ^(#|)(auth\s*required\s*)pam_wheel.so(.*) + line: auth required pam_wheel.so use_uid - name: "MEDIUM | RHEL-09-433010 | PATCH | RHEL 9 fapolicy module must be installed." when: diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index 3eeb897..f3d84f6 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml @@ -22,11 +22,11 @@ - name: "MEDIUM | RHEL-09-611010 | PATCH | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" when: rhel9stig_pwquality_system_auth_status.stdout | length == 0 ansible.builtin.lineinfile: - backrefs: true - insertafter: '^password' - line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4' path: /etc/pam.d/system-auth regexp: '^(password\s+)(required|requisite)(\s+pam_pwquality.so.*)\sretry=\d(.*)' + line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4' + insertafter: '^password' + backrefs: true - name: "MEDIUM | RHEL-09-611010 | PATCH | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" when: rhel9stig_pwquality_system_auth_status.stdout | length > 0 @@ -240,10 +240,10 @@ block: - name: "MEDIUM | RHEL-09-611040 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the password-auth file." ansible.builtin.lineinfile: - backrefs: true - line: '\1required\2' path: /etc/pam.d/password-auth regexp: ^(password\s+)requisite(.*) + line: '\1required\2' + backrefs: true - name: "MEDIUM | RHEL-09-611040 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the password-auth file." community.general.pamd: 
@@ -271,10 +271,10 @@ block: - name: "MEDIUM | RHEL-09-611045 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the system-auth file." ansible.builtin.lineinfile: - backrefs: true - line: '\1required\2' path: /etc/pam.d/system-auth regexp: ^(password\s+)requisite(.*) + line: '\1required\2' + backrefs: true - name: "MEDIUM | RHEL-09-611045 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the system-auth file." community.general.pamd: @@ -359,10 +359,10 @@ - NIST800-53R4_CM-6 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: enforce_for_root path: "{{ item }}" regexp: ^#\s*enforce_for_root + line: enforce_for_root + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611065 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used." @@ -378,10 +378,10 @@ - V-258102 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: lcredit = {{ rhel9stig_pwquality.lcredit }} path: "{{ item }}" regexp: \s*lcredit = + line: lcredit = "{{ rhel9stig_pwquality.lcredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611070 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one numeric character be used." @@ -397,10 +397,10 @@ - V-258103 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: dcredit = {{ rhel9stig_pwquality.dcredit }} path: "{{ item }}" regexp: \s*dcredit = + line: dcredit = "{{ rhel9stig_pwquality.dcredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611075 | PATCH | RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs." 
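Review bot: In the RHEL-09-611065 hunk, `line: lcredit = "{{ rhel9stig_pwquality.lcredit }}"` is a plain YAML scalar, so the double quotes become part of the rendered line and pwquality.conf ends up with `lcredit = "-1"`; as far as I can tell libpwquality does not strip quotes and rejects that as a non-integer setting, which would turn these hunks into a regression of the complexity policy. Quote the whole scalar instead, `line: "lcredit = {{ rhel9stig_pwquality.lcredit }}"`, which is the form the SHA_CRYPT_MIN_ROUNDS task later in this file already uses; the dcredit hunk directly below, and the ocredit, dictcheck, ucredit, difok, maxclassrepeat, maxrepeat and minclass hunks that follow, have the identical problem. Separately, `backrefs: true` makes the task a silent no-op when no active or commented `lcredit =` line exists, so if the key is absent the default stays in force; if that is not intended, drop `backrefs` and anchor the regexp as `^#?\s*lcredit\s*=`.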
@@ -416,10 +416,10 @@ - V-258104 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: PASS_MIN_DAYS {{ rhel9stig_pass.min_days }} path: /etc/login.defs regexp: \s*PASS_MIN_DAYS\s* + line: PASS_MIN_DAYS "{{ rhel9stig_pass.min_days }}" + backrefs: true - name: "MEDIUM | RHEL-09-611080 | PATCH | RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow." when: @@ -482,7 +482,7 @@ warn_control_id: "MEDIUM | RHEL-09-611085" block: - name: "MEDIUM | RHEL-09-611085 | AUDIT | RHEL 9 must require users to provide a password for privilege escalation" - ansible.builtin.shell: grep NOPASSWD /etc/sudoers /etc/sudoers.d/* + ansible.builtin.shell: grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/ changed_when: false failed_when: rhel9stig_sudo_nopasswd.rc not in [ 0, 1 ] register: rhel9stig_sudo_nopasswd @@ -506,10 +506,10 @@ - rhel9stig_sudo_nopasswd.stdout | length > 0 - rhel9stig_disruption_high ansible.builtin.lineinfile: - backrefs: true - line: '#\1NOPASSWD\2' path: "{{ item }}" regexp: (.*)(?!#)NOPASSWD(.*) + line: '#\1NOPASSWD\2' + backrefs: true validate: visudo -cf %s loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -525,10 +525,10 @@ - V-258107 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - backrefs: true - line: minlen = {{ rhel9stig_pass.minlen }} path: /etc/security/pwquality.conf regexp: \s*minlen\s*=\s*([0-9]|1[0-4]) + line: minlen = "{{ rhel9stig_pass.minlen }}" + backrefs: true - name: "MEDIUM | RHEL-09-611095 | PATCH | RHEL 9 passwords for new users must have a minimum of 15 characters." when: @@ -542,10 +542,10 @@ - V-258108 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: PASS_MIN_LEN {{ rhel9stig_pass.minlen }} path: /etc/login.defs regexp: PASS_MIN_LEN + line: PASS_MIN_LEN "{{ rhel9stig_pass.minlen }}" + backrefs: true - name: "MEDIUM | RHEL-09-611100 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one special character be used." when: 
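Review bot: The new `line: PASS_MIN_DAYS "{{ rhel9stig_pass.min_days }}"` writes the quotes into /etc/login.defs as `PASS_MIN_DAYS "1"`; shadow's login.defs reader expects a bare number there, so I would expect the minimum-lifetime setting to be ignored rather than applied — confirm on a test host. Use `line: "PASS_MIN_DAYS {{ rhel9stig_pass.min_days }}"`, and apply the same change to the minlen and PASS_MIN_LEN hunks further down this range.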
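Review bot: The NOPASSWD comment-out task's `regexp: (.*)(?!#)NOPASSWD(.*)` does not exclude lines that are already commented: `(?!#)` only asserts the character before `NOPASSWD` is not `#`, which is always true, and the greedy `(.*)` captures a leading `#`, so each run prepends another `#` and the task never converges. The gating `grep -r NOPASSWD` in the previous hunk matches comments as well, so it does not prevent this. Anchor the match on an uncommented line, `regexp: '^(\s*[^#\s].*?)(NOPASSWD.*)$'` with `line: '#\1\2'`, and narrow the audit grep to `grep -rE '^\s*[^#].*NOPASSWD' /etc/sudoers /etc/sudoers.d/`. Keeping `validate: visudo -cf %s` here is right; the other sudoers lineinfile tasks in RHEL-09-432020/432025 lack it and would benefit from the same guard against a syntax error that locks out sudo.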
@@ -560,10 +560,10 @@ - V-258109 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ocredit = {{ rhel9stig_pwquality.ocredit }} path: "{{ item }}" regexp: \s*ocredit = + line: ocredit = "{{ rhel9stig_pwquality.ocredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611105 | PATCH | RHEL 9 must prevent the use of dictionary words for passwords." @@ -579,10 +579,10 @@ - V-258110 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - backrefs: true - line: dictcheck={{ rhel9stig_pwquality.dictcheck }} path: "{{ item }}" regexp: \s*dictcheck\s*=\s* + line: dictcheck="{{ rhel9stig_pwquality.dictcheck }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611110 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used." @@ -598,10 +598,10 @@ - V-258111 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ucredit = {{ rhel9stig_pwquality.ucredit }} path: "{{ item }}" regexp: \s*ucredit\s*=\s* + line: ucredit = "{{ rhel9stig_pwquality.ucredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611115 | PATCH | RHEL 9 must require the change of at least eight characters when passwords are changed." @@ -617,10 +617,10 @@ - V-258112 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: difok = {{ rhel9stig_pwquality.difok }} path: "{{ item }}" regexp: \s*difok\s*=\s* + line: difok = "{{ rhel9stig_pwquality.difok }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611120 | PATCH | RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." 
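Review bot: `line: ocredit = "{{ rhel9stig_pwquality.ocredit }}"` has the same literal-quote problem as the lcredit hunk: the rendered pwquality.conf line becomes `ocredit = "-1"`, which libpwquality is unlikely to accept as an integer. Quote the scalar, not the value: `line: "ocredit = {{ rhel9stig_pwquality.ocredit }}"`; the dictcheck, ucredit and difok hunks on this line need the same change.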
@@ -636,10 +636,10 @@ - V-258113 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: maxclassrepeat = {{ rhel9stig_pwquality.maxclassrepeat }} path: /etc/security/pwquality.conf regexp: \s*maxclassrepeat\s*=\s* + line: maxclassrepeat = "{{ rhel9stig_pwquality.maxclassrepeat }}" + backrefs: true - name: "MEDIUM | RHEL-09-611125 | PATCH | RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed." when: @@ -654,10 +654,10 @@ - V-258114 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: maxrepeat = {{ rhel9stig_pwquality.maxrepeat }} path: /etc/security/pwquality.conf regexp: \s*maxrepeat\s*=\s* + line: maxrepeat = "{{ rhel9stig_pwquality.maxrepeat }}" + backrefs: true - name: "MEDIUM | RHEL-09-611130 | PATCH | RHEL 9 must require the change of at least four character classes when passwords are changed." when: @@ -672,10 +672,10 @@ - V-258115 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: minclass = {{ rhel9stig_pwquality.minclass }} path: /etc/security/pwquality.conf regexp: \s*minclass\s*=\s* + line: minclass = "{{ rhel9stig_pwquality.minclass }}" + backrefs: true - name: "MEDIUM | RHEL-09-611135 | PATCH | RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." when: @@ -708,10 +708,10 @@ - V-258117 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ENCRYPT_METHOD SHA512 path: /etc/login.defs regexp: \s*ENCRYPT_METHOD + line: ENCRYPT_METHOD SHA512 + backrefs: true - name: "MEDIUM | RHEL-09-611145 | PATCH | RHEL 9 must not be configured to bypass password requirements for privilege escalation." when: 
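Review bot: `line: maxclassrepeat = "{{ rhel9stig_pwquality.maxclassrepeat }}"` writes literal double quotes into /etc/security/pwquality.conf, so the value is rendered as `maxclassrepeat = "4"` rather than a number. Change it to `line: "maxclassrepeat = {{ rhel9stig_pwquality.maxclassrepeat }}"` and do the same for the maxrepeat and minclass hunks below; the ENCRYPT_METHOD hunk is fine as is.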
@@ -726,10 +726,10 @@ - V-258118 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2' path: /etc/pam.d/sudo regexp: ^(.*)pam_succeed_if(.) + line: '\1\2' + backrefs: true - name: "MEDIUM | RHEL-09-611150 | PATCH | RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds." when: @@ -746,10 +746,10 @@ - NIST800-53R4_IA-5 - NIST800-53R4_IA-7 ansible.builtin.lineinfile: - backrefs: true - line: "SHA_CRYPT_MIN_ROUNDS {{ rhel9stig_pam.rounds }}" path: /etc/login.defs regexp: \s*SHA_CRYPT_MIN_ROUNDS + line: "SHA_CRYPT_MIN_ROUNDS {{ rhel9stig_pam.rounds }}" + backrefs: true - name: "MEDIUM | RHEL-09-611155 | PATCH | RHEL 9 must not have accounts configured with blank or null passwords." when: @@ -787,6 +787,25 @@ password_lock: true loop: "{{ rhel9stig_empty_password_accounts.stdout_lines }}" +- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed." + when: + - rhel_09_611185 + - "'opensc' not in ansible_facts.packages" + - rhel9stig_smartcard_reader + tags: + - RHEL-09-611185 + - CAT2 + - CCI-001948 + - CCI-001953 + - SRG-OS-000375-GPOS-00160 + - SRG-OS-000376-GPOS-00161 + - V-2581126r926365_rule + - V-258126 + - NIST800-53R4_IA-2 + ansible.builtin.package: + name: opensc + state: present + - name: "MEDIUM | RHEL-09-611160 | PATCH | RHEL 9 must use the CAC smart card driver." when: - rhel_09_611160 @@ -813,11 +832,11 @@ - V-258121 - NIST800-53R4_IA-2 ansible.builtin.lineinfile: - create: true - backrefs: true - line: card_drivers = cac,\3\4; path: /etc/opensc.conf regexp: ^(#|)card_drivers(\s*=\s*)(.*)cac(.*); + line: card_drivers = cac,\3\4; + create: true + backrefs: true - name: "MEDIUM | RHEL-09-611165 | PATCH | RHEL 9 must enable certificate based smart card authentication." when: 
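Review bot: The RHEL-09-611160 `card_drivers` task only matches lines that already contain `cac` (`regexp: ^(#|)card_drivers(\s*=\s*)(.*)cac(.*);`), so with `backrefs: true` a driver list that lacks cac is never changed and `create: true` has no effect, while an existing `card_drivers = cac;` is rewritten to `card_drivers = cac,;` and grows by a comma on every run. Match any driver line and prepend cac only when it is absent, for example `regexp: '^(\s*)card_drivers\s*=\s*(?!.*\bcac\b)(.*);'` with `line: '\1card_drivers = cac,\2;'`, plus a separate non-backrefs task for the case where the key is missing entirely. The opensc.conf layout on RHEL 9 (card_drivers normally sits inside an `app default { ... }` block) should be checked before relying on a flat regex; moving the opensc package task ahead of this one is the right order.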
@@ -836,10 +855,10 @@ - V-258122 - NIST800-53R4_IA-2 ansible.builtin.lineinfile: - backrefs: true - line: pam_cert_auth = True path: /etc/sssd/sssd.conf regexp: ^(?i)(#|)pam_cert_auth\s*=\s*false + line: pam_cert_auth = True + backrefs: true - name: "MEDIUM | RHEL-09-611170 | PATCH | RHEL 9 must implement certificate status checking for multifactor authentication." when: @@ -879,10 +898,10 @@ - name: "MEDIUM | RHEL-09-611170 | PATCH | RHEL 9 must implement certificate status checking for multifactor authentication. | Add if missing" when: rhel9stig_sssd_cert_verification_files.stdout | length > 0 ansible.builtin.lineinfile: - backrefs: true - line: '#\1' - path: "{{ item }}" + path: "{{ item.split(':').0 }}" regexp: ^((#|)certificate_verification =.*) + line: '#\1' + backrefs: true loop: "{{ rhel9stig_sssd_cert_verification_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611175 | PATCH | RHEL 9 must have the pcsc-lite package installed." @@ -919,25 +938,6 @@ name: pcscd state: started -- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed." - when: - - rhel_09_611185 - - "'opensc' not in ansible_facts.packages" - - rhel9stig_smartcard_reader - tags: - - RHEL-09-611185 - - CAT2 - - CCI-001948 - - CCI-001953 - - SRG-OS-000375-GPOS-00160 - - SRG-OS-000376-GPOS-00161 - - V-2581126r926365_rule - - V-258126 - - NIST800-53R4_IA-2 - ansible.builtin.package: - name: opensc - state: present - - name: "MEDIUM | RHEL-09-611190 | PATCH | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key." when: - rhel_09_611190 
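Review bot: In the RHEL-09-611170 task, `regexp: ^((#|)certificate_verification =.*)` with `line: '#\1'` also matches lines that are already commented, so each run adds another `#` (`##certificate_verification ...`) instead of converging; the task name says "Add if missing" but the body only comments out, which is worth reconciling. Restrict the match to active lines: `regexp: '^(certificate_verification\s*=.*)'`. The `item.split(':').0` change looks right assuming `rhel9stig_sssd_cert_verification_files` holds `file:match` grep output, which is defined outside this hunk.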
@@ -972,10 +972,10 @@ - V-258128 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - backrefs: true - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency path: /usr/lib/systemd/system/emergency.service regexp: ^(#|)ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + backrefs: true - name: "MEDIUM | RHEL-09-611200 | PATCH | RHEL 9 must require authentication to access single-user mode" when: @@ -989,10 +989,10 @@ - V-258129 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - backrefs: true - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue path: /usr/lib/systemd/system/rescue.service regexp: ^(#|)ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + backrefs: true - name: "MEDIUM | RHEL-09-611205 | PATCH | RHEL 9 must require authentication to access single-user mode" when: @@ -1017,6 +1017,6 @@ when: - rhel9stig_keytab_files.matched > 0 ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: absent loop: "{{ rhel9stig_keytab_files.files }}" diff --git a/tasks/Cat2/RHEL-09-654xxx.yml b/tasks/Cat2/RHEL-09-654xxx.yml index 197633d..d49da3a 100644 --- a/tasks/Cat2/RHEL-09-654xxx.yml +++ b/tasks/Cat2/RHEL-09-654xxx.yml @@ -1040,7 +1040,7 @@ - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - - SV-258215r926632_rule + - SV-258215r943018_rule - V-258215 - NIST800-53R4_AU-3 - NIST800-53R4_AU-12 diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index 401766b..95d196f 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -81,7 +81,7 @@ - SRG-OS-000257-GPOS-00098 - SRG-OS-000258-GPOS-00099 - SRG-OS-000278-GPOS-00108 - - SV-258137r926398_rule + - SV-258137r943021_rule - V-258137 - NIST800-53R4_AU-9 - aide 
@@ -183,8 +183,7 @@ line: '#\1\2\3' path: "{{ item.path }}" regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*) - loop: - - "{{ rhel9stig_rsyslog_conf.files }}" + loop: "{{ rhel9stig_rsyslog_conf.files }}" - name: "MEDIUM | RHEL-09-652030 | PATCH | All RHEL 9 remote access methods must be monitored." when: @@ -200,9 +199,8 @@ - rsyslog notify: Restart_rsyslog ansible.builtin.lineinfile: - line: 'auth.*;authpriv.*;daemon.* /var/log/secure' path: /etc/rsyslog.conf - + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' ## Required for 652035 to run - name: "MEDIUM | RHEL-09-653130 | PATCH | RHEL 9 audispd-plugins package must be installed" when: @@ -238,9 +236,9 @@ - rsyslog notify: Restart_rsyslog ansible.builtin.lineinfile: - line: 'active = yes' path: /etc/audit/plugins.d/syslog.conf regexp: 'active\s*=' + line: 'active = yes' - name: "MEDIUM | RHEL-09-652040 | AUDIT | RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog." when: @@ -407,9 +405,9 @@ - NIST800-53R4_CM-6 - rsyslog ansible.builtin.lineinfile: - line: "*.* {{ rhel9stig_remotelog_server.protocol }}{{ rhel9stig_remotelog_server.server }}:{{ rhel9stig_remotelog_server.port }}" path: /etc/rsyslog.conf regexp: '^.*\@\@' + line: "*.* {{ rhel9stig_remotelog_server.protocol }}{{ rhel9stig_remotelog_server.server }}:{{ rhel9stig_remotelog_server.port }}" - name: "MEDIUM | RHEL-09-652060 | PATCH | RHEL 9 must use cron logging." when: @@ -424,11 +422,11 @@ - NIST800-53R4_CM-6 - rsyslog ansible.builtin.lineinfile: - backrefs: true - insertafter: "# Log cron stuff" - line: 'cron.*\1/var/log/cron' path: /etc/rsyslog.conf regexp: 'cron\.\*(\s+)' + line: 'cron.*\1/var/log/cron' + backrefs: true + insertafter: "# Log cron stuff" - name: "MEDIUM | RHEL-09-653010 | PATCH | RHEL 9 audit package must be installed." when: 
@@ -586,9 +584,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }} path: /etc/audit/auditd.conf regexp: ^\s*disk_error_action + line: disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }} - name: "MEDIUM | RHEL-09-653025 | PATCH | RHEL 9 audit system must take appropriate action when the audit storage volume is full." when: @@ -603,9 +601,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: disk_full_action = {{ rhel9stig_audit_conf.disk_full_action }} path: /etc/audit/auditd.conf regexp: ^\s*disk_full_action + line: disk_full_action = {{ rhel9stig_audit_conf.disk_full_action }} - name: "MEDIUM | RHEL-09-653030 | AUDIT | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records." when: @@ -635,7 +633,7 @@ msg: - "WARNING!! Below is the path and size of the partition for the audit logs." - "Please make sure there is enough disk space for 1 week of logs" - - "Munt: {{ rhel9stig_audit_log_filesystem }}" + - "Mount: {{ rhel9stig_audit_log_filesystem }}" - "Logfile: {{ discovered_auditd_logfile.stdout }}" - "Disk Space remaining: {{ audit_filesystem_space_left }}MB" @@ -656,9 +654,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: space_left = {{ rhel9stig_audit_conf.space_left }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)space_left\s*= + line: space_left = {{ rhel9stig_audit_conf.space_left }} - name: "MEDIUM | RHEL-09-653040 | PATCH | RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." when: 
@@ -673,9 +671,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: space_left_action = {{ rhel9stig_audit_conf.space_left_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)space_left_action\s*= + line: space_left_action = {{ rhel9stig_audit_conf.space_left_action }} - name: "MEDIUM | RHEL-09-653045 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity." when: @@ -690,9 +688,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: admin_space_left = {{ rhel9stig_audit_conf.admin_space_left }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)admin_space_left\s*= + line: admin_space_left = {{ rhel9stig_audit_conf.admin_space_left }} - name: "MEDIUM | RHEL-09-653050 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity." when: @@ -707,9 +705,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: admin_space_left_action = {{ rhel9stig_audit_conf.admin_space_left_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)admin_space_left_action\s* + line: admin_space_left_action = {{ rhel9stig_audit_conf.admin_space_left_action }} - name: "MEDIUM | RHEL-09-653055 | PATCH | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size." when: @@ -724,9 +722,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: max_log_file_action = {{ rhel9stig_audit_conf.max_log_file_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)max_log_file_action + line: max_log_file_action = {{ rhel9stig_audit_conf.max_log_file_action }} - name: "MEDIUM | RHEL-09-653060 | PATCH | RHEL 9 must label all offloaded audit logs before sending them to the central log server." when: 
@@ -742,9 +740,9 @@ - NIST800-53R4_AU-4 - auditd ansible.builtin.lineinfile: - line: name_format = {{ rhel9stig_audit_conf.name_format }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)name_format + line: name_format = {{ rhel9stig_audit_conf.name_format }} - name: "MEDIUM | RHEL-09-653065 | PATCH | RHEL 9 must take appropriate action when the internal event queue is full." when: @@ -759,9 +757,9 @@ - NIST800-53R4_AU-4 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} - name: "MEDIUM | RHEL-09-653070 | PATCH | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." when: @@ -779,9 +777,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} - name: "MEDIUM | RHEL-09-653075 | PATCH | RHEL 9 audit system must audit local events." when: @@ -799,9 +797,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access." when: 
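Review bot: In the `@@ -779,9 +777,9 @@` and `@@ -799,9 +797,9 @@` hunks the re-added `line:` sets `overflow_action` again, although the task titles are RHEL-09-653070 (SA/ISSO alerted of an audit processing failure) and RHEL-09-653075 (audit local events); only the `@@ -759` task, RHEL-09-653065 (internal event queue full), is the `overflow_action` control. This looks like a copy-paste carried along by the reorder, and it means the two controls report PATCH without touching the auditd.conf setting the finding is about. They presumably should manage `action_mail_acct` and `local_events` respectively, each with a matching `regexp:`, using whatever keys the role's audit defaults provide (variable names not visible here); the task heads are outside the hunks, so verify against the defaults file.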
@@ -823,9 +821,9 @@ block: - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | set logfile_group" ansible.builtin.lineinfile: - line: log_group = {{ rhel9stig_audit_conf.logfile_group }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)log_group + line: log_group = {{ rhel9stig_audit_conf.logfile_group }} - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Set perms" ansible.builtin.file: @@ -871,8 +869,8 @@ - NIST800-53R4_SI-11 - auditd ansible.builtin.file: - mode: go-rwx path: "{{ discovered_auditd_logfile.stdout }}" + mode: go-rwx - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records." when: @@ -882,14 +880,14 @@ - CAT2 - CCI-000154 - SRG-OS-000051-GPOS-00024 - - SV-258168r926491_rule + - SV-258168r943024_rule - V-258168 - NIST800-53R4_AU-6 - auditd ansible.builtin.lineinfile: - line: freq = {{ rhel9stig_audit_conf.freq }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)freq\s*= + line: freq = {{ rhel9stig_audit_conf.freq }} - name: "MEDIUM | RHEL-09-653100 | PATCH | RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event." when: @@ -907,9 +905,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: log_format = {{ rhel9stig_audit_conf.log_format }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)log_format\s*= + line: log_format = {{ rhel9stig_audit_conf.log_format }} - name: "MEDIUM | RHEL-09-653105 | PATCH | RHEL 9 must write audit records to disk." when: 
@@ -924,9 +922,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: write_logs = {{ rhel9stig_audit_conf.write_logs }} path: /etc/audit/auditd.conf regexp: ^\s*write_logs + line: write_logs = {{ rhel9stig_audit_conf.write_logs }} - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." when: @@ -936,7 +934,7 @@ - CAT2 - CCI-000171 - SRG-OS-000063-GPOS-00032 - - SV-258171r926500_rule + - SV-258171r943057_rule - V-258171 - NIST800-53R4_AU-12 - auditd @@ -966,10 +964,10 @@ - NIST800-53R4_AU-12 - auditd ansible.builtin.file: - mode: '0640' path: /etc/audit/auditd.conf + mode: u-x,g-wx,o-rwx -- name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure." when: - rhel_09_653125 tags: @@ -982,6 +980,6 @@ - NIST800-53R4_AU-5 - postfix ansible.builtin.lineinfile: - line: 'root: ISSO' path: /etc/aliases regexp: '^root:\s.*' + line: 'root: ISSO' diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index 3d8f028..c3f75f6 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -55,9 +55,9 @@ - fips - tunnel ansible.builtin.lineinfile: - line: include /etc/crypto-policies/back-ends/libreswan.config path: /etc/ipsec.conf regexp: ^(|\s*)include /etc/crypto-policies/back-ends + line: include /etc/crypto-policies/back-ends/libreswan.config - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: 
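Review bot: In the `@@ -982,6 +980,6 @@` hunk the re-added `line: 'root: ISSO'` edits `/etc/aliases`, but postfix reads the compiled aliases database, so the change is not effective until `newaliases` (or `postalias /etc/aliases`) runs; no `notify:` is visible in the hunk, though the task head is outside it. If no handler exists, add one, e.g. `notify: Rebuild_aliases` (handler name constructed) backed by `ansible.builtin.command: newaliases`. `ISSO` is only a deliverable target if such a local user or alias exists on the host; a one-line task comment stating that expectation would help operators.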
@@ -81,11 +81,11 @@ - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: rhel9stig_pamunix_fips_auth_status.stdout | length == 0 ansible.builtin.lineinfile: - backrefs: true - insertafter: '^password' - line: '\1required\3 sha512"\4' path: /etc/pam.d/password-auth regexp: '^(password\s+)(sufficient)(\s+pam_pwquality.so.*)\ssha512\d(.*)' + line: '\1required\3 sha512"\4' + insertafter: '^password' + backrefs: true - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: rhel9stig_pamunix_fips_auth_status.stdout | length > 0 @@ -140,7 +140,7 @@ warn_control_id: "MEDIUM | RHEL-09-672020" block: - name: "MEDIUM | RHEL-09-672020 | AUDIT | RHEL 9 crypto policy must not be overridden." - ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -V FIPS + ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -v FIPS changed_when: false failed_when: rhel9stig_crypto_policies_fips.rc not in [ 0, 1 ] register: rhel9stig_crypto_policies_fips @@ -208,9 +208,9 @@ - ssl notify: Change_requires_reboot ansible.builtin.lineinfile: - line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config' path: /etc/pki/tls/openssl.cnf regexp: ^(|\s*)\.include = /etc/crypto-policies + line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config' - name: "MEDIUM | RHEL-09-672040 | PATCH | RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package." when: 
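Review bot: In the `@@ -81,11 +81,11 @@` hunk the re-added `line: '\1required\3 sha512"\4'` carries a stray double quote before `\4`, so the rewritten entry in `/etc/pam.d/password-auth` would contain a literal `"`, which PAM treats as an unknown module argument. The task title targets `pam_unix.so`, yet the context `regexp:` matches `pam_pwquality.so` and requires a digit after `sha512`, so I suspect the regexp/line pair was copied from another control; at minimum drop the quote, `line: '\1required\3 sha512\4'`, and confirm against the STIG check text whether the pattern should target `pam_unix\.so`. The `grep -V` → `grep -v` correction in the `@@ -140` hunk is right.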
@@ -226,9 +226,9 @@ - ssl notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "{{ item.line }}" path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: "{{ item.regexp }}" + line: "{{ item.line }}" loop: - {line: 'TLS.MinProtocol = TLSv1.2', regexp: '^(\s*|#)TLS.MinProtocol = '} - {line: 'DTLS.MinProtocol = DTLSv1.2', regexp: '^(\s*|#)DTLS.MinProtocol = '} @@ -283,10 +283,10 @@ - name: "MEDIUM | RHEL-09-672050 | PATCH | RHEL 9 must implement DOD-approved encryption in the bind package." when: - - rhel_09_672045 + - rhel_09_672050 - "'bind' in ansible_facts.packages" tags: - - RHEL-09-672045 + - RHEL-09-672050 - CAT2 - CCI-002418 - CCI-002422 @@ -298,6 +298,6 @@ - bind - encryption ansible.builtin.lineinfile: - line: 'include "/etc/crypto-policies/back-ends/bind.config";' path: /etc/named.conf - regexp: ^(|\s*)\include = /etc/crypto-policies + regexp: ^(|\s*)include = /etc/crypto-policies + line: 'include "/etc/crypto-policies/back-ends/bind.config";' diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml index d472619..d38cbe0 100644 --- a/tasks/Cat3/RHEL-09-2xxxxx.yml +++ b/tasks/Cat3/RHEL-09-2xxxxx.yml @@ -8,7 +8,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257782r925333_rule + - SV-257782r942961_rule - V-257782 - NIST800-53R4_CM-6 - entropy @@ -103,9 +103,9 @@ - NIST800-53R4_SI-2 - dnf ansible.builtin.lineinfile: - line: clean_requirements_on_remove=1 path: /etc/dnf/dnf.conf regexp: ^(#|\s*)clean_requirements_on_remove + line: clean_requirements_on_remove=1 - name: "LOW | RHEL-09-231020 | AUDIT | RHEL 9 must use a separate file system for /var." when: @@ -187,7 +187,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-257880r925627_rule + - SV-257880r942957_rule - V-257880 - NIST800-53R4_CM-7 - modprobe 
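Review bot: In the `@@ -298,6 +298,6 @@` hunk the new `regexp: ^(|\s*)include = /etc/crypto-policies` cannot match the `line:` the task inserts, because named.conf uses `include "path";` with no `=`; the effect is that an existing include is never replaced and a fresh `include "/etc/crypto-policies/back-ends/bind.config";` is appended on every run. Use a pattern that matches the named.conf form, e.g. `regexp: '^\s*include\s+"/etc/crypto-policies/back-ends/bind\.config"'`. The `rhel_09_672045` → `rhel_09_672050` corrections in the `@@ -283` hunk are correct.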
@@ -214,9 +214,9 @@ - NIST800-53R4_CM-7 - chrony ansible.builtin.lineinfile: - line: 'port 0' path: /etc/chrony.conf regexp: ^(#|\s*)port \d* + line: 'port 0' - name: "LOW | RHEL-09-252030 | PATCH | RHEL 9 must disable network management of the chrony daemon." when: @@ -233,9 +233,9 @@ - NIST800-53R4_CM-7 - chrony ansible.builtin.lineinfile: - line: 'cmdport 0' path: /etc/chrony.conf regexp: ^(#|\s*)cmdport \d* + line: 'cmdport 0' - name: "LOW | RHEL-09-291025 | PATCH | RHEL 9 must disable network management of the chrony daemon." when: @@ -250,6 +250,6 @@ - NIST800-53R4_AU-12 - usb ansible.builtin.lineinfile: - line: AuditBackend=LinuxAudit path: /etc/usbguard/usbguard-daemon.conf regexp: AuditBackend= + line: AuditBackend=LinuxAudit diff --git a/tasks/Cat3/RHEL-09-4xxxxx.yml b/tasks/Cat3/RHEL-09-4xxxxx.yml index d49835a..79a2c64 100644 --- a/tasks/Cat3/RHEL-09-4xxxxx.yml +++ b/tasks/Cat3/RHEL-09-4xxxxx.yml @@ -34,9 +34,9 @@ - NIST800-53R4_AC-10 - limits ansible.builtin.lineinfile: - line: "* hard maxlogins 10" path: /etc/security/limits.conf regexp: '^\s*\*\s+hard\s+maxlogins\s+\d{1,}' + line: "* hard maxlogins 10" - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." when: 
@@ -50,8 +50,16 @@
- V-258076
- NIST800-53R4_CM-6
- pam
- ansible.builtin.lineinfile:
- insertbefore: BOF
- line: session required pam_lastlog.so showfailed
- path: /etc/pam.d/postlogin
- regex: session required pam_lastlog.so showfailed
+ block:
+ - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/postlogin
+ regex: session required pam_lastlog.so showfailed
+ line: session required pam_lastlog.so showfailed
+ insertbefore: BOF
+
+ - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
+ ansible.builtin.replace:
+ path: /etc/pam.d/postlogin
+ replace: '\1\2'
+ regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)$'
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index 02797e7..7067414 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
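Review bot: In the `@@ -50,8 +50,16 @@` hunk the new replace `regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)$'` only matches when `silent` is followed by whitespace, so a line where `silent` is the last argument keeps it; making the trailing group optional, `regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)?$'`, covers both placements. The two tasks inside the block also share the exact same `name:`, which makes play output and `--start-at-task` ambiguous; suffix them with `| Add showfailed` and `| Remove silent` or similar. The regexp does not match the `showfailed` line the first task inserts, so the pair stays idempotent across runs.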
@@ -2,33 +2,33 @@
- name: Pre Audit Setup | Set audit package name
block:
- - name: Pre Audit Setup | Set audit package name | 64bit
- ansible.builtin.set_fact:
- audit_pkg_arch_name: AMD64
- when: ansible_machine == "x86_64"
+ - name: Pre Audit Setup | Set audit package name | 64bit
+ when: ansible_facts.machine == "x86_64"
+ ansible.builtin.set_fact:
+ audit_pkg_arch_name: AMD64
- - name: Pre Audit Setup | Set audit package name | ARM64
- ansible.builtin.set_fact:
- audit_pkg_arch_name: ARM64
- when: ansible_machine == "arm64"
+ - name: Pre Audit Setup | Set audit package name | ARM64
+ when: ansible_facts.machine == "arm64"
+ ansible.builtin.set_fact:
+ audit_pkg_arch_name: ARM64
- name: Pre Audit Setup | Download audit binary
- ansible.builtin.get_url:
- url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
- dest: "{{ audit_bin }}"
- owner: root
- group: root
- checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
- mode: '0555'
when:
- - get_audit_binary_method == 'download'
+ - get_audit_binary_method == 'download'
+ ansible.builtin.get_url:
+ url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
+ dest: "{{ audit_bin }}"
+ owner: root
+ group: root
+ checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
+ mode: '0555'
- name: Pre Audit Setup | Copy audit binary
- ansible.builtin.copy:
- src: "{{ audit_bin_copy_location }}"
- dest: "{{ audit_bin }}"
- mode: '0555'
- owner: root
- group: root
when:
- - get_audit_binary_method == 'copy'
+ - get_audit_binary_method == 'copy'
+ ansible.builtin.copy:
+ src: "{{ audit_bin_copy_location }}"
+ dest: "{{ audit_bin }}"
+ mode: '0555'
+ owner: root
+ group: root
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index 5a4aec2..b7dad08 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
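Review bot: In the `@@ -2,33 +2,33 @@` hunk the re-added condition `when: ansible_facts.machine == "arm64"` will not match on Linux, where `ansible_facts.machine` reports `aarch64` for 64-bit ARM, so `audit_pkg_arch_name` stays unset and the later `audit_bin_url` and `audit_bin_version[... + '_checksum']` lookups fail on those hosts. Suggest `when: ansible_facts.machine in ['arm64', 'aarch64']`. Keeping `checksum:` on the download task is good: it is the only integrity check on the goss binary that later runs with the play's privileges, so it should stay mandatory rather than optional.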
@@ -1,28 +1,28 @@
---
- name: Audit_Only | Create local Directories for hosts
+ when: fetch_audit_files
ansible.builtin.file:
mode: '0755'
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory
- when: fetch_audit_files
delegate_to: localhost
become: false
- name: Audit_only | Get audits from systems and put in group dir
+ when: fetch_audit_files
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: '0644'
src: "{{ pre_audit_outfile }}"
- when: fetch_audit_files
- name: Audit_only | Show Audit Summary
when:
- audit_only
ansible.builtin.debug:
- msg: "The Audit results are: {{ pre_audit_summary }}."
+ msg: "{{ audit_results.split('\n') }}"
- name: Audit_only | Stop Playbook Audit Only selected
when:
diff --git a/tasks/main.yml b/tasks/main.yml
index 8df031c..84d9c7c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -95,25 +95,6 @@
ansible.builtin.import_tasks:
file: prelim.yml
-- name: Include audit specific variables
- when:
- - run_audit or audit_only
- - setup_audit
- tags:
- - setup_audit
- - run_audit
- ansible.builtin.include_vars:
- file: audit.yml
-
-- name: Include pre-remediation audit tasks
- when:
- - run_audit or audit_only
- - setup_audit
- tags:
- - run_audit
- ansible.builtin.import_tasks:
- file: pre_remediation_audit.yml
-
- name: Include CAT I patches
when:
- rhel9stig_cat1
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 0c8f480..a6f9461 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
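Review bot: In the `@@ -1,28 +1,28 @@` hunk the new `msg: "{{ audit_results.split('\n') }}"` depends on the YAML double-quoted `\n` escape surviving into the Jinja string literal; `msg: "{{ audit_results.splitlines() }}"` expresses the intent without any escape and also tolerates `\r\n`. `audit_results` (vars/audit.yml) expands `pre_audit_results`, which is only set by the json and documentation capture blocks, so this debug task raises an undefined-variable error for any other `audit_format` value unless that is rejected earlier; a comment stating the supported formats here would make that dependency visible.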
@@ -1,14 +1,14 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
- AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+ AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml
-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: '0644'
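Review bot: In the `@@ -1,14 +1,14 @@` hunk the new `ansible.builtin.shell:` line still interpolates `audit_vars_path` and `post_audit_outfile` unquoted; both expand `ansible_facts.hostname`, a value read from the managed host, so a hostname containing spaces or shell metacharacters alters the command that runs with the play's privileges. Pass each interpolated argument through the `quote` filter, e.g. `-o {{ post_audit_outfile | quote }}`, and do the same for `-v` and `-g`; the identical line in tasks/pre_remediation_audit.yml (its `@@ -76,42 +80,41 @@` hunk) has the same shape. The `-g \"{{ group_names }}\"` wrapping is a step in that direction but still renders the list's Python repr rather than a shell-safe value, so `{{ group_names | join(',') | quote }}` or whatever `run_audit.sh -g` actually expects would be clearer.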
@@ -21,26 +21,24 @@
when:
- audit_format == "json"
block:
- - name: capture data {{ post_audit_outfile }}
- ansible.builtin.shell: cat {{ post_audit_outfile }}
- register: post_audit
+ - name: Post Audit | Capture audit data if json format
+ ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
+ register: post_audit_summary
changed_when: false
- - name: Capture post-audit result
+ - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
- vars:
- summary: summary."summary-line"
+ post_audit_results: "{{ post_audit_summary.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- - name: Post Audit | capture data {{ post_audit_outfile }}
- ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
- register: post_audit
+ - name: Post Audit | Capture audit data if documentation format
+ ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
+ register: post_audit_summary
changed_when: false
- - name: Post Audit | Capture post-audit result
+ - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout_lines }}"
+ post_audit_results: "{{ post_audit_summary.stdout }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 535029c..6f215c3 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -5,7 +5,8 @@
- setup_audit
tags:
- setup_audit
- ansible.builtin.include_tasks: LE_audit_setup.yml
+ ansible.builtin.include_tasks:
+ file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
ansible.builtin.file:
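Review bot: In the `@@ -21,26 +21,24 @@` hunk the documentation-format capture runs `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation`, a hard-coded path from a different benchmark that looks like a leftover from local testing; in this role it fails or returns nothing and the post-remediation summary is wrong. It should read the registered output file the way the pre-audit task does, `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. The json branch's `grep ... | cut` pipeline returns the exit status of `cut`, so a missing summary line silently yields an empty `post_audit_results` instead of a failure; `set -o pipefail` with `args: executable: /bin/bash` would surface that, and the same applies to the json capture in tasks/pre_remediation_audit.yml (`@@ -76,42 +80,41 @@`).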
@@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -60,8 +63,9 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit 
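Review bot: In the `@@ -32,23 +33,25 @@` hunk the `get_url` branch is replaced by `ansible.builtin.unarchive` with `remote_src` derived from `audit_conf_source`, so the audit content archive is now fetched on the managed host and extracted straight into `audit_conf_dest` with no integrity check, unlike the goss binary, which LE_audit_setup.yml pins with `checksum:`. Since that archive supplies the goss tests and `run_audit.sh` that later execute with the play's privileges, I would fetch it first with `ansible.builtin.get_url` plus a `checksum:` (or at least a pinned release tag) and unarchive the local copy. The `extra_opts` ternary that strips one path component for github URLs is fine but deserves a one-line comment, e.g. `# github release tarballs wrap content in a top-level directory`.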
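Review bot: In the `@@ -60,8 +63,9 @@` hunk the `that:` key is removed from `ansible.builtin.assert`, but `that` is a required argument of the module, so when `goss_available.stat.exists` is false the task now fails with a missing-argument error instead of the intended message. Either keep `that: goss_available.stat.exists` and drop the new `when:`, or turn the task into `ansible.builtin.fail:` with the same `msg:` under that `when:`.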
@@ -76,42 +80,41 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} - register: pre_audit + - name: Pre Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} - register: pre_audit + - name: Pre Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result | documentation format + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + pre_audit_results: "{{ 
pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only when: - audit_only - ansible.builtin.import_tasks: audit_only.yml + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8c92d81..090b658 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -21,13 +21,13 @@ changed_when: false register: gid_min_id - - name: PRELIM | set_facts for interactive uid/gid + - name: PRELIM | Set_facts for interactive uid/gid ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- name: PRELIM | capture /etc/password variables +- name: PRELIM | Capture /etc/password variables tags: - always ansible.builtin.include_tasks: @@ -40,6 +40,25 @@ tags: - always +- name: Include audit specific variables + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml + - name: PRELIM | Interactive User account home ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' changed_when: false @@ -79,16 +98,6 @@ - RHEL-09-672030 - crypto -# - name: "PRELIM | if systemd coredump" -# ansible.builtin.stat: -# path: /etc/systemd/coredump.conf -# register: systemd_coredump -# tags: -# - level1-server -# - level1-workstation -# - rule_1.5.1 -# - systemd - - name: PRELIM | Create list of mount points ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" @@ -111,7 +120,7 @@ path: /sys/firmware/efi register: rhel_09_efi_boot - - name: PRELIM | set legacy boot and grub path | Bios + - name: PRELIM | Set legacy boot and grub path | Bios ansible.builtin.set_fact: rhel9stig_legacy_boot: true when: not rhel_09_efi_boot.stat.exists 
@@ -169,30 +178,6 @@ changed_when: false register: discovered_auditd_logfile -# - name: "PRELIM | Audit conf and rules files | list files" -# ansible.builtin.find: -# path: /etc/audit -# file_type: file -# recurse: true -# patterns: '*.conf,*.rules' -# register: auditd_conf_files -# when: -# - rhel9_09_653105 -# tags: -# - cat2 -# - auditd -# - RHEL-09-653105 - -# - name: "PRELIM | Configure cron" -# ansible.builtin.package: -# name: cronie -# state: present -# become: true -# when: -# - '"cronie" not in ansible_facts.packages' -# tags: -# - cron - # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config - name: PRELIM | SSH ansible.builtin.file: @@ -225,18 +210,6 @@ failed_when: rhel9stig_network_manager_dns.rc not in [ 0, 1 ] register: rhel9stig_network_manager_dns -# - name: "PRELIM | Install authconfig" -# ansible.builtin.package: -# name: authconfig -# state: present -# become: true -# when: -# '"authconfig" not in ansible_facts.packages or -# "auditd-lib" not in ansible_facts.packages' -# tags: -# - authconfig -# - auditd - - name: PRELIM | Discover dconf systemdb when: - rhel9stig_gui diff --git a/templates/etc/audit/rules.d/audit.rules.j2 b/templates/etc/audit/rules.d/audit.rules.j2 index aa94650..4601ab9 100644 --- a/templates/etc/audit/rules.d/audit.rules.j2 +++ b/templates/etc/audit/rules.d/audit.rules.j2 @@ -171,10 +171,11 @@ -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown {% endif %} {% if rhel_09_654030 %} -# RHEL9-STIG rule 654205 Overruled by 654030 +# RHEL9-STIG rule 654030 #-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod #-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -{% elif rhel_09_654205 %} +{% endif %} +{% if rhel_09_654205 %} # RHEL9-STIG rule 654205 -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod 
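Review bot: In the `@@ -171,10 +171,11 @@` hunk of the audit.rules template the `rhel_09_654030` branch now emits only the two commented-out `umount` rules, so enabling that control adds nothing active to audit.rules, while the independent `rhel_09_654205` block adds the live rules. If 654030 is meant to be covered by the 654205 rules, say so in the comment, e.g. `# RHEL9-STIG rule 654030 - covered by the 654205 umount rules below`; otherwise the rules in that branch should be uncommented. With both ifs independent, a host enabling both controls gets the umount rules exactly once, which looks like the intended outcome.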
diff --git a/vars/audit.yml b/vars/audit.yml
index 97d9b09..9dc666a 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -8,32 +8,19 @@ audit_cmd_timeout: 120000 # if get_audit_binary_method == download change accordingly audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - ### Goss Audit Benchmark file ### ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark-{{ benchmark_version }}" - -# archive or copy: -audit_conf_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" +audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ 
ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing @@ -47,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }}
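Review bot: In the `@@ -8,32 +8,19 @@` hunk `audit_bin_copy_location` is removed from vars/audit.yml, but tasks/LE_audit_setup.yml still reads `src: "{{ audit_bin_copy_location }}"` in its copy task (visible in that file's `@@ -2,33 +2,33 @@` hunk), so `get_audit_binary_method: copy` now fails on an undefined variable unless the name is declared in defaults, which this diff does not show. Likewise `pre_audit_outfile` and `post_audit_outfile` now build on `audit_log_dir`, which replaces the removed `audit_out_dir` but has no visible definition; please confirm that it and `audit_conf_dest` exist in the role defaults, or restore them here. A short comment at the top of this file listing which variables are expected from defaults would make the file easier to audit.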
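Review bot: In the `@@ -47,6 +34,7 @@` hunk the new `audit_results` block scalar has `{{ pre_audit_results}}` with no space before the closing braces; it renders, but the rest of the file writes `{{ var }}`, so use `{{ pre_audit_results }}`. The `{% if not audit_only %}` guard correctly skips `post_audit_results` in audit-only runs, but `pre_audit_results` and `audit_log_dir` are unguarded, and `audit_log_dir` is introduced by this commit without a visible definition, so confirm it is declared in defaults.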