From c5e82546019f6afa2012084817d31e1f458510dc Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Mar 2024 16:01:08 +0000
Subject: [PATCH 01/41] updated for v1r2
Signed-off-by: Mark Bolwell
---
 tasks/Cat1/RHEL-09-2xxxxx.yml | 2 +-
 tasks/Cat2/RHEL-09-21xxxx.yml | 20 ++++++++++----------
 tasks/Cat2/RHEL-09-25xxxx.yml | 28 ++++++++++++++--------------
 tasks/Cat3/RHEL-09-2xxxxx.yml | 2 +-
 4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml
index 7c3debe..2b9b96a 100644
--- a/tasks/Cat1/RHEL-09-2xxxxx.yml
+++ b/tasks/Cat1/RHEL-09-2xxxxx.yml
@@ -73,7 +73,7 @@
 - CAT1
 - CCI-000213
 - SRG-OS-000080-GPOS-00048
- - SV-257789r925354_rule
+ - SV-257789r943055_rule
 - V-257789
 - NIST800-53R4_AC-3
 - grub
diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
index cd569fe..4a52ef6 100644
--- a/tasks/Cat2/RHEL-09-21xxxx.yml
+++ b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -123,7 +123,7 @@
 - CCI-001665
 - SRG-OS-000324-GPOS-00125
 - SRG-OS-000480-GPOS-00227
- - SV-257786r925345_rule
+ - SV-257786r943026_rule
 - V-257786
 - NIST800-53R4_CM-6
 - NIST800-53R4_AC-6
@@ -397,7 +397,7 @@
 - CCI-001090
 - SRG-OS-000132-GPOS-00067
 - SRG-OS-000138-GPOS-00069
- - SV-257797r925378_rule
+ - SV-257797r942965_rule
 - V-257797
 - NIST800-53R4_SC-2
 - NIST800-53R4_SC-4
@@ -419,7 +419,7 @@
 - CCI-001090
 - SRG-OS-000132-GPOS-00067
 - SRG-OS-000138-GPOS-00069
- - SV-257798r925381_rule
+ - SV-257798r942967_rule
 - V-257798
 - NIST800-53R4_SC-2
 - NIST800-53R4_SC-4
@@ -441,7 +441,7 @@
 - CCI-00749
 - SRG-OS-000480-GPOS-00227
 - SRG-OS-000366-GPOS-00153
- - SV-257799r925384_rule
+ - SV-257799r942969_rule
 - V-257799
 - NIST800-53R4_CM-6
 - NIST800-53R4_CM-5
@@ -463,7 +463,7 @@
 - CCI-001082
 - SRG-OS-000132-GPOS-00067
 - SRG-OS-000433-GPOS-00192
- - SV-257800r925387_rule
+ - SV-257800r942971_rule
 - V-257800
 - NIST800-53R4_CM-6
 - NIST800-53R4_SC-2
@@ -527,7 +527,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257803r925396_rule
+ - SV-257803r942973_rule
 - V-257803
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -639,7 +639,7 @@
 - CCI-002824
 - SRG-OS-000433-GPOS-00193
 - SRG-OS-000480-GPOS-00227
- - SV-257809r925414_rule
+ - SV-257809r942975_rule
 - V-257809
 - NIST800-53R4_CM-6
 - NIST800-53R4_SI-16
@@ -661,7 +661,7 @@
 - CCI-001082
 - SRG-OS-000132-GPOS-00067
 - SRG-OS-000480-GPOS-00227
- - SV-257810r925417_rule
+ - SV-257810r942977_rule
 - V-257810
 - NIST800-53R4_CM-6
 - NIST800-53R4_SC-2
@@ -683,7 +683,7 @@
 - CCI-001082
 - SRG-OS-000132-GPOS-00067
 - SRG-OS-000480-GPOS-00227
- - SV-257811r925420_rule
+ - SV-257811r942979_rule
 - V-257811
 - NIST800-53R4_CM-6
 - NIST800-53R4_SC-2
@@ -771,7 +771,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257816r925435_rule
+ - SV-257816r942981_rule
 - V-257816
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
index 291db5b..98b5903 100644
--- a/tasks/Cat2/RHEL-09-25xxxx.yml
+++ b/tasks/Cat2/RHEL-09-25xxxx.yml
@@ -490,7 +490,7 @@
 - SRG-OS-000480-GPOS-00227
 - SRG-OS-000420-GPOS-00186
 - SRG-OS-000142-GPOS-00071
- - SV-257957r925858_rule
+ - SV-257957r942983_rule
 - V-257957
 - NIST800-53R4_CM-6
 - NIST800-53R4_SC-5
@@ -508,7 +508,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257958r925861_rule
+ - SV-257958r942985_rule
 - V-257958
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -525,7 +525,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257959r925864_rule
+ - SV-257959r942987_rule
 - V-257959
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -576,7 +576,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257962r925873_rule
+ - SV-257962r942989_rule
 - V-257962
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -593,7 +593,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257963r925876_rule
+ - SV-257963r942991_rule
 - V-257963
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -610,7 +610,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257964r925879_rule
+ - SV-257964r942993_rule
 - V-257964
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -644,7 +644,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257966r925885_rule
+ - SV-257966r942995_rule
 - V-257966
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -678,7 +678,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257968r925891_rule
+ - SV-257968r942997_rule
 - V-257968
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -695,7 +695,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257969r925894_rule
+ - SV-257969r942999_rule
 - V-257969
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -764,7 +764,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257973r925906_rule
+ - SV-257973r943003_rule
 - V-257973
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -782,7 +782,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257974r925909_rule
+ - SV-257974r943005_rule
 - V-257974
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -799,7 +799,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257975r925912_rule
+ - SV-257975r943007_rule
 - V-257975
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -816,7 +816,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257976r925915_rule
+ - SV-257976r943009_rule
 - V-257976
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -833,7 +833,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257977r925918_rule
+ - SV-257977r943011_rule
 - V-257977
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml
index d472619..fb62753 100644
--- a/tasks/Cat3/RHEL-09-2xxxxx.yml
+++ b/tasks/Cat3/RHEL-09-2xxxxx.yml
@@ -8,7 +8,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257782r925333_rule
+ - SV-257782r942961_rule
 - V-257782
 - NIST800-53R4_CM-6
 - entropy
From 495dc9b5ced6e59258d14ddbffde2786f3722b91 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Mar 2024 16:30:06 +0000
Subject: [PATCH 02/41] updated for v1r2
Signed-off-by: Mark Bolwell
---
 tasks/Cat1/RHEL-09-2xxxxx.yml | 4 ++--
 tasks/Cat2/RHEL-09-21xxxx.yml | 6 +++---
 tasks/Cat2/RHEL-09-25xxxx.yml | 26 +++++++++++++-------------
 tasks/Cat2/RHEL-09-27xxxx.yml | 2 +-
 tasks/Cat2/RHEL-09-29xxxx.yml | 2 +-
 tasks/Cat2/RHEL-09-4xxxxx.yml | 8 ++++----
 tasks/Cat2/RHEL-09-654xxx.yml | 2 +-
 tasks/Cat2/RHEL-09-65xxxx.yml | 6 +++---
 tasks/Cat3/RHEL-09-2xxxxx.yml | 2 +-
 9 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml
index 2b9b96a..569b3ad 100644
--- a/tasks/Cat1/RHEL-09-2xxxxx.yml
+++ b/tasks/Cat1/RHEL-09-2xxxxx.yml
@@ -323,7 +323,7 @@
 - SRG-OS-000106-GPOS-00053
 - SRG-OS-000480-GPOS-00229
 - SRG-OS-000480-GPOS-00227
- - SV-257984r925939_rule
+ - SV-257984r943034_rule
 - V-257984
 - NIST800-53R4_CM-6
 - NIST800-53R4_IA-2
@@ -343,7 +343,7 @@
 - CAT1
 - CCI-000877
 - SRG-OS-000125-GPOS-00065
- - SV-257986r925945_rule
+ - SV-257986r943038_rule
 - V-257986
 - NIST800-53R4_MA-4
 - ssh
diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
index 4a52ef6..f34ed66 100644
--- a/tasks/Cat2/RHEL-09-21xxxx.yml
+++ b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -582,12 +582,12 @@
 - CAT2
 - CCI-000381
 - SRG-OS-000095-GPOS-00049
- - SV-257806r928942_rule
+ - SV-257806r942955_rule
 - V-257806
 - NIST800-53R4_CM-7
 vars:
 blacklist: 'firewire-core'
- mod_value: 'true'
+ mod_value: 'false'
 ansible.builtin.template:
 dest: "/etc/modprobe.d/{{ blacklist }}.conf"
 src: etc/modprobe.d/module.conf.j2
@@ -1154,7 +1154,7 @@
 - CAT2
 - CCI-001744
 - SRG-OS-000363-GPOS-00150
- - SV-257842r925513_rule
+ - SV-257842r942959_rule
 - V-257842
 - NIST800-53R4_CM-3
 ansible.builtin.package:
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
index 98b5903..222e461 100644
--- a/tasks/Cat2/RHEL-09-25xxxx.yml
+++ b/tasks/Cat2/RHEL-09-25xxxx.yml
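Review bot: The flip of `mod_value` from `'true'` to `'false'` on the firewire-core task (hunk @@ -582) changes what etc/modprobe.d/module.conf.j2 renders for that module, but neither the hunk nor the commit message ("updated for v1r2") records why, and the template itself is outside this diff, so a reader cannot tell which modprobe directive was switched on or off. A comment next to the variable would make the intent auditable, for example `# STIG V1R2 (SV-257806r942955): mod_value selects the directive rendered by etc/modprobe.d/module.conf.j2` followed by what 'false' selects. The enclosing task starts before the hunk.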
@@ -713,7 +713,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257970r925897_rule
+ - SV-257970r943001_rule
 - V-257970
 - NIST800-53R4_CM-6
 ansible.posix.sysctl:
@@ -915,7 +915,7 @@
 - CCI-001388
 - SRG-OS-000023-GPOS-00006
 - SRG-OS-000228-GPOS-00088
- - SV-257981r925930_rule
+ - SV-257981r943028_rule
 - V-257981
 - NIST800-53R4_AC-8
 notify: Restart_ssh
@@ -933,7 +933,7 @@
 - CAT2
 - CCI-000067
 - SRG-OS-000032-GPOS-00013
- - SV-257982r925933_rule
+ - SV-257982r943030_rule
 - V-257982
 - NIST800-53R4_AC-17
 notify: Restart_ssh
@@ -957,7 +957,7 @@
 - SRG-OS-000106-GPOS-00053
 - SRG-OS-000107-GPOS-00054
 - SRG-OS-000108-GPOS-00055
- - SV-257983r925936_rule
+ - SV-257983r943032_rule
 - V-257983
 - NIST800-53R4_IA-2
 notify: Restart_ssh
@@ -977,7 +977,7 @@
 - CCI-000770
 - SRG-OS-000109-GPOS-00056
 - SRG-OS-000480-GPOS-00227
- - SV-257985r928961_rule
+ - SV-257985r943036_rule
 - V-257985
 - NIST800-53R4_CM-6
 - NIST800-53R4_IA-2
@@ -1032,7 +1032,7 @@
 - CAT2
 - CCI-001453
 - SRG-OS-000250-GPOS-00093
- - SV-257989r925954_rule
+ - SV-257989r943014_rule
 - V-257989
 - NIST800-53R4_AC-17
 notify: Change_requires_reboot
@@ -1083,7 +1083,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-257992r925963_rule
+ - SV-257992r943040_rule
 - V-257992
 - NIST800-53R4_CM-6
 notify: Restart_ssh
@@ -1101,7 +1101,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00229
- - SV-257993r925966_rule
+ - SV-257993r943042_rule
 - V-257993
 - NIST800-53R4_CM-6
 notify: Restart_ssh
@@ -1123,7 +1123,7 @@
 - SRG-OS-000423-GPOS-00187
 - SRG-OS-000033-GPOS-00014
 - SRG-OS-000424-GPOS-00188
- - SV-257994r925969_rule
+ - SV-257994r943044_rule
 - V-257994
 - NIST800-53R4_AC-17
 - NIST800-53R4_SC-8
@@ -1145,7 +1145,7 @@
 - CCI-002421
 - SRG-OS-000163-GPOS-00072
 - SRG-OS-000279-GPOS-00109
- - SV-257995r925972_rule
+ - SV-257995r942963_rule
 - V-257995
 - NIST800-53R4_SC-10
 - NIST800-53R4_AC-12
@@ -1170,7 +1170,7 @@
 - SRG-OS-000163-GPOS-00072
 - SRG-OS-000279-GPOS-00109
 - SRG-OS-000395-GPOS-00175
- - SV-257996r925975_rule
+ - SV-257996r943046_rule
 - V-257996
 - NIST800-53R4_MA-4
 - NIST800-53R4_SC-10
@@ -1381,7 +1381,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-258007r926008rule
+ - SV-258007r943048_rule
 - V-258007
 - NIST800-53R4_CM-6
 notify: Restart_ssh
@@ -1453,7 +1453,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-258011r926020rule
+ - SV-258011r943050_rule
 - V-258011
 - NIST800-53R4_CM-6
 notify: Restart_ssh
diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml
index c728158..19011cf 100644
--- a/tasks/Cat2/RHEL-09-27xxxx.yml
+++ b/tasks/Cat2/RHEL-09-27xxxx.yml
@@ -358,7 +358,7 @@
 - CAT2
 - CCI-00366
 - SRG-OS-000480-GPOS-00227
- - SV-258029r926074_rule
+ - SV-258029r943059_rule
 - V-258029
 - NIST800-53R4_CM-6
 notify: Update_dconf
diff --git a/tasks/Cat2/RHEL-09-29xxxx.yml b/tasks/Cat2/RHEL-09-29xxxx.yml
index 6aacd73..be93230 100644
--- a/tasks/Cat2/RHEL-09-29xxxx.yml
+++ b/tasks/Cat2/RHEL-09-29xxxx.yml
@@ -62,7 +62,7 @@
 - CAT2
 - CCI-001958
 - SRG-OS-000378-GPOS-00163
- - SV-258038r926101_rule
+ - SV-258038r943052_rule
 - V-258038
 - NIST800-53R4_IA-3
 block:
diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml
index 361887c..ad564fc 100644
--- a/tasks/Cat2/RHEL-09-4xxxxx.yml
+++ b/tasks/Cat2/RHEL-09-4xxxxx.yml
@@ -616,7 +616,7 @@
 - CCI-000060
 - SRG-OS-000031-GPOS-00012
 - SRG-OS-000028-GPOS-00009
- - SV-258064r926179_rule
+ - SV-258064r943016_rule
 - V-258064
 - NIST800-53R4_AC-11
 ansible.builtin.template:
@@ -931,7 +931,7 @@
 - CAT2
 - CCI-002038
 - SRG-OS-000373-GPOS-00156
- - SV-258084r926239_rule
+ - SV-258084r943061_rule
 - V-258084
 - NIST800-53R4_IA-11
 ansible.builtin.lineinfile:
@@ -948,7 +948,7 @@
 - CAT2
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-258085r926242_rule
+ - SV-258085r943063_rule
 - V-258085
 - NIST800-53R4_CM-6
 block:
@@ -981,7 +981,7 @@
 - CAT2
 - CCI-002038
 - SRG-OS-000373-GPOS-00156
- - SV-258086r926245_rule
+ - SV-258086r943065_rule
 - V-258086
 - NIST800-53R4_IA-11
 ansible.builtin.lineinfile:
diff --git a/tasks/Cat2/RHEL-09-654xxx.yml b/tasks/Cat2/RHEL-09-654xxx.yml
index 197633d..d49da3a 100644
--- a/tasks/Cat2/RHEL-09-654xxx.yml
+++ b/tasks/Cat2/RHEL-09-654xxx.yml
@@ -1040,7 +1040,7 @@
 - SRG-OS-000392-GPOS-00172
 - SRG-OS-000462-GPOS-00206
 - SRG-OS-000471-GPOS-00215
- - SV-258215r926632_rule
+ - SV-258215r943018_rule
 - V-258215
 - NIST800-53R4_AU-3
 - NIST800-53R4_AU-12
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
index ba4d828..4b85d25 100644
--- a/tasks/Cat2/RHEL-09-65xxxx.yml
+++ b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -81,7 +81,7 @@
 - SRG-OS-000257-GPOS-00098
 - SRG-OS-000258-GPOS-00099
 - SRG-OS-000278-GPOS-00108
- - SV-258137r926398_rule
+ - SV-258137r943021_rule
 - V-258137
 - NIST800-53R4_AU-9
 - aide
@@ -890,7 +890,7 @@
 - CAT2
 - CCI-000154
 - SRG-OS-000051-GPOS-00024
- - SV-258168r926491_rule
+ - SV-258168r943024_rule
 - V-258168
 - NIST800-53R4_AU-6
 - auditd
@@ -944,7 +944,7 @@
 - CAT2
 - CCI-000171
 - SRG-OS-000063-GPOS-00032
- - SV-258171r926500_rule
+ - SV-258171r943057_rule
 - V-258171
 - NIST800-53R4_AU-12
 - auditd
diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml
index fb62753..8b29b1e 100644
--- a/tasks/Cat3/RHEL-09-2xxxxx.yml
+++ b/tasks/Cat3/RHEL-09-2xxxxx.yml
@@ -187,7 +187,7 @@
 - CAT2
 - CCI-000381
 - SRG-OS-000095-GPOS-00049
- - SV-257880r925627_rule
+ - SV-257880r942957_rule
 - V-257880
 - NIST800-53R4_CM-7
 - modprobe
From 9c50d1cc8afe9dc87b5405af278dd603a4ede769 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Mar 2024 16:31:08 +0000
Subject: [PATCH 03/41] updated version references
Signed-off-by: Mark Bolwell
---
 README.md | 2 +-
 defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 2f39965..bf896d0 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ ## Configure a RHEL9 based system to be complaint with Disa STIG -This role is based on RHEL 9 DISA STIG: [Version 1, Rel 1 released on Sept 22, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R1_STIG.zip). +This role is based on RHEL 9 DISA STIG: [Version 1, Rel 2 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R2_STIG.zip). ## Initial Relase from STIG, still many items that not quite aligned in the documentation diff --git a/defaults/main.yml b/defaults/main.yml index ede0d14..ace29f0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- ## metadata for Audit benchmark -benchmark_version: '1.1.0' +benchmark_version: '1.2.0' ## Benchmark name used by audting control role # The audit variable found at the base From bc4df89bc407495bc90894b0042650f4f56509ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 10 Apr 2024 09:20:38 +0100 Subject: [PATCH 04/41] added ssh tags and validate Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-25xxxx.yml | 45 +++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 222e461..0f1cbd5 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -918,12 +918,14 @@ - SV-257981r943028_rule - V-257981 - NIST800-53R4_AC-8 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "banner {{ rhel9stig_sshd_config.banner_file }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)banner \/.*\/.* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255030 | PATCH | RHEL 9 must log SSH connection attempts and failures to the server." when: 
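Review bot: The new `validate: sshd -t -f %s` on the RHEL-09-255025 banner task (hunk @@ -918) only proves that the edited file still parses; it does not make the directive effective when a `banner` line already exists earlier in the file or in a drop-in, because sshd keeps the first value it reads for a keyword and lineinfile, as documented, rewrites only the last regexp match and otherwise appends at end of file, which can land the line after a `Match` block. The same holds for every lineinfile hunk of this patch through @@ -1456. If the role relies on `{{ rhel9stig_sshd_config_file }}` being a dedicated drop-in that wins by ordering, a comment on the tasks saying so would help a reviewer; otherwise `insertbefore: BOF` is one way to keep the managed line ahead of any `Match` block, to be confirmed against the role's intended file layout. The enclosing task starts before the hunk.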
@@ -936,12 +938,14 @@ - SV-257982r943030_rule - V-257982 - NIST800-53R4_AC-17 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)LogLevel.* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255035 | PATCH | RHEL 9 SSHD must accept public key authentication" when: @@ -960,12 +964,14 @@ - SV-257983r943032_rule - V-257983 - NIST800-53R4_IA-2 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PubkeyAuthentication\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255045 | PATCH | RHEL 9 must not permit direct logons to the root account using remote access via SSH." when: @@ -981,12 +987,14 @@ - V-257985 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitRootLogin\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255055 | PATCH | RHEL 9 SSH daemon must be configured to use system-wide crypto policies." when: @@ -999,12 +1007,14 @@ - SV-257987r925948_rule - V-257987 - NIST800-53R4_AC-17 + - ssh notify: Restart_sshd ansible.builtin.lineinfile: create: true line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255060 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections." when: 
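Review bot: The RHEL-09-255055 task (hunk @@ -999) notifies `Restart_sshd` while the other SSH tasks touched by this patch (for example @@ -918 and @@ -936) notify `Restart_ssh`; unless both handler names are defined, the play aborts with an undefined-handler error as soon as this task reports changed, which is exactly when the daemon needs reloading. The hunk at @@ -1017 in the same file carries the same `notify: Restart_sshd`. The role's handlers are not visible from here, so if both exist on purpose a short comment would explain it; otherwise change both lines to `notify: Restart_ssh`.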
@@ -1017,12 +1027,14 @@ - SV-257988r925951_rule - V-257988 - NIST800-53R4_AC-17 + - ssh notify: Restart_sshd ansible.builtin.lineinfile: create: true line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255065 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections." when: @@ -1086,12 +1098,14 @@ - SV-257992r943040_rule - V-257992 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)HostbasedAuthentication\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255085 | PATCH | RHEL 9 must not allow users to override SSH environment variables." when: @@ -1104,12 +1118,14 @@ - SV-257993r943042_rule - V-257993 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitUserEnvironments\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255090 | PATCH | RHEL 9 must force a frequent session key renegotiation for SSH connections to the server." when: @@ -1127,12 +1143,14 @@ - V-257994 - NIST800-53R4_AC-17 - NIST800-53R4_SC-8 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)RekeyLimit.* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255095 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive." when: 
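Review bot: The regexp on the RHEL-09-255085 task (hunk @@ -1104) reads `PermitUserEnvironments` (trailing s) while the line it manages is `PermitUserEnvironment`, so an existing `PermitUserEnvironment yes` is never matched and rewritten; the managed line is appended after it and, because sshd uses the first value it reads for a keyword, the hardening setting is silently ignored while the new `validate` still passes. Change the line to `regexp: ^(?i)(#|)PermitUserEnvironment\s*(yes|no)`. The enclosing task starts before the hunk.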
@@ -1149,12 +1167,14 @@ - V-257995 - NIST800-53R4_SC-10 - NIST800-53R4_AC-12 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveCountMax\s\d* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255100 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive." when: @@ -1175,12 +1195,14 @@ - NIST800-53R4_MA-4 - NIST800-53R4_SC-10 - NIST800-53R4_AC-12 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveInterval\s\d* + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255105 | PATCH | RHEL 9 SSH server configuration file must be group-owned by root." when: @@ -1193,6 +1215,7 @@ - SV-257997r925978_rule - V-257997 - NIST800-53R4_CM-6 + - ssh ansible.builtin.file: group: root path: "{{ rhel9stig_sshd_config_file }}" @@ -1208,6 +1231,7 @@ - SV-257998r925981_rule - V-257998 - NIST800-53R4_CM-6 + - ssh ansible.builtin.file: owner: root path: "{{ rhel9stig_sshd_config_file }}" @@ -1223,6 +1247,7 @@ - SV-257999r925984_rule - V-257999 - NIST800-53R4_CM-6 + - ssh ansible.builtin.file: mode: go-rwx path: "{{ rhel9stig_sshd_config_file }}" @@ -1288,12 +1313,14 @@ - SV-258002r925993_rule - V-258002 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "Compression {{ rhel9stig_sshd_config.compress }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Compression\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255135 | PATCH | RHEL 9 SSH daemon must not allow GSSAPI authentication." when: 
@@ -1309,12 +1336,14 @@ - V-258003 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)GSSAPIAuthentication\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255140 | PATCH | RHEL 9 SSH daemon must not allow Kerberos authentication." when: @@ -1330,12 +1359,14 @@ - V-258004 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "KerberosAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)KerberosAuthentication\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255145 | PATCH | RHEL 9 SSH daemon must not allow rhosts authentication" when: @@ -1348,12 +1379,14 @@ - SV-258005r926002_rule - V-258005 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)IgnoreRhosts\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255150 | PATCH | RHEL 9 SSH daemon must not allow known hosts authentication." when: @@ -1366,12 +1399,14 @@ - SV-258006r926005rule - V-258006 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)IgnoreUserKnownHosts\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255155 | PATCH | RHEL 9 SSH daemon must disable remote X connections for interactive users." when: 
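Review bot: The RHEL-09-255140 task (hunk @@ -1330) renders `KerberosAuthentication {{ rhel9stig_sshd_config.gssapiauth }}`, the same variable the GSSAPIAuthentication task at @@ -1309 uses, which looks like a copy-paste: the two controls cannot be configured independently and a future change to the GSSAPI value silently changes Kerberos as well. If the defaults provide a dedicated key, switch to it (`line: "KerberosAuthentication {{ rhel9stig_sshd_config.<kerberos_key> }}"`, placeholder name); if sharing the value is intentional, say so in a comment on the task. The enclosing task starts before the hunk.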
@@ -1384,12 +1419,14 @@ - SV-258007r943048_rule - V-258007 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11forwarding\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255160 | PATCH | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files." when: @@ -1402,12 +1439,14 @@ - SV-258008r926011rule - V-258008 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)StrictModes\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255165 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." when: @@ -1420,12 +1459,14 @@ - SV-258009r926014rule - V-258009 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PrintLastLog\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255170 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." when: @@ -1438,12 +1479,14 @@ - SV-258010r926017rule - V-258010 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)UsePrivilegeSeparation\s*(yes|no) + validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255175 | PATCH | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display." when: 
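Review bot: The task name for RHEL-09-255170 (hunk @@ -1438) repeats the RHEL-09-255165 text ("must display the date and time of the last successful account logon") although the task manages `UsePrivilegeSeparation`, so play output and task listings cannot tell the two controls apart; the name should describe the privilege-separation requirement. Separately, on the OpenSSH shipped with RHEL 9 `UsePrivilegeSeparation` is a deprecated keyword as far as I know, so `sshd -t` accepts it with at most a warning — worth a comment stating whether the control is still required under V1R2. The enclosing task starts before the hunk.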
@@ -1456,9 +1499,11 @@ - SV-258011r943050_rule - V-258011 - NIST800-53R4_CM-6 + - ssh notify: Restart_ssh ansible.builtin.lineinfile: create: true line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11UseLocalhost\s*(yes|no) + validate: sshd -t -f %s From 3f9a01446b5e2cb03fecbefa936a22dae54b5236 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 16:54:18 +0100 Subject: [PATCH 05/41] updated 652025 as per #2 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-65xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index ba4d828..04a0583 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -177,7 +177,7 @@ - name: "MEDIUM | RHEL-09-652025 | PATCH | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation." when: - - rhel9stig_rsyslog_conf.matched > 0 + - rhel9stig_rsyslog_conf.matched > 1 ansible.builtin.lineinfile: backrefs: true line: '#\1\2\3' From 81f2383dc64a4a5d0bc17b1dc94ce10478fcdc6e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 17:15:47 +0100 Subject: [PATCH 06/41] updated lint settings Signed-off-by: Mark Bolwell --- .ansible-lint | 2 +- .pre-commit-config.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 4dee422..c7095e2 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -10,7 +10,7 @@ skip_list: - 'name[play]' - 'name[casing]' - 'name[template]' - # - 'key-order[task]' + - 'key-order[task]' - 'yaml[line-length]' - '204' - '305' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 187d1a8..d967bcd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
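Review bot: Raising the guard to `rhel9stig_rsyslog_conf.matched > 1` (hunk @@ -177) means the RHEL-09-652025 remediation no longer runs when exactly one rsyslog configuration file matched, which is a surprising threshold for a "do not accept remote log messages" control and is explained only by "as per #2" in the commit message. Presumably the find registered in `rhel9stig_rsyslog_conf` always matches one baseline file, so a count of one means there is nothing to comment out — if so, record that next to the condition with a comment naming the always-present match and issue #2, so the next reader does not "fix" it back to `> 0`. The rest of the lineinfile task, and the find that populates the variable, are outside the hunk.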
@@ -57,7 +57,7 @@ repos: # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - - ansible-core>=2.10.1 + - ansible-core>=2.12.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.32.0 # or higher tag From 63b1e3da97719e99471be653aae5a99f048e85c5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 17:24:23 +0100 Subject: [PATCH 07/41] Added comments to assist with issue #3 Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index ede0d14..d9fe622 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -801,6 +801,9 @@ rhel9stig_remotelog_server: protocol: '@@' ### AUDITD +# Ensure this matches the filesystem where the audit logs are stored. +# It will affect checks for control RHEL-09-653030 + rhel9stig_audit_log_filesystem: /var/log/audit rhel9stig_audit_conf: action_mail_acct: root From c5e8b516d61f8a35a7e6a8b39fa8fa3d319dac98 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 17:37:09 +0100 Subject: [PATCH 08/41] improve logic thanks to #4 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-23xxxx.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index d3a1e8b..962aedd 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -1588,7 +1588,7 @@ - NIST800-53R4_CM-5 block: - name: "RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root." - ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls {} \; + ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root changed_when: false failed_when: rhel9stig_lib_files_owner.rc not in [ 0, 1 ] register: rhel9stig_lib_files_owner 
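Review bot: With the `-exec ls {} \;` removed, the audit command in hunk @@ -1588 contains no shell syntax, so it should run as `ansible.builtin.command: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root` rather than `ansible.builtin.shell`; that drops an unnecessary shell interpretation step (ansible-lint flags it) and leaves the registered result and the `failed_when` on rc 0/1 unchanged. Note also that `find -L` tests the symlink target's owner but prints the link path, so one non-root target can appear several times in `stdout_lines`; the follow-up chown is idempotent so this is harmless, but a one-line comment on the `-L` would save the next reader the question. The enclosing block starts before the hunk.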
@@ -1597,9 +1597,8 @@ when: rhel9stig_lib_files_owner.stdout | length > 0 ansible.builtin.file: owner: root - path: "{{ path }}" - loop: - - "{{ rhel9stig_lib_files_owner.stdout_lines }}" + path: "{{ item }}" + loop: "{{ rhel9stig_lib_files_owner.stdout_lines }}" - name: "RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account." when: From 00b5c092c09ecb8931b4085dee3fb2d6871a78ff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 17:38:02 +0100 Subject: [PATCH 09/41] improve logic thanks to #4 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-27xxxx.yml | 66 +++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 23 deletions(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 19011cf..feacd20 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -46,10 +46,11 @@ notify: Update_dconf ansible.builtin.lineinfile: line: banner-message-enable - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" mode: '0644' modification_time: preserve - state: touch + state: present + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271020 | PATCH | RHEL 9 must disable the graphical user interface automount function unless required." when: @@ -71,10 +72,11 @@ community.general.ini_file: create: true mode: '0644' - options: automount-open - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + option: automount-open + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'false' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271025 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function." when: 
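Review bot: After switching to `state: present`, the lineinfile task in hunk @@ -46 has no `create: true`, so it fails on any dconf db whose `.d/locks/session` file does not exist yet, while the sibling lock-file tasks in this file (@@ -97, @@ -140 and the later ones) do pass `create: true`; and `modification_time: preserve` is, as far as I know, a `file`-module argument that lineinfile rejects as an unsupported parameter, so the task likely did not run as written before this change either. Add `create: true` and drop `modification_time: preserve`. The enclosing task starts before the hunk.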
@@ -97,7 +99,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/media-handling/automount-open - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required." when: @@ -115,9 +118,10 @@ community.general.ini_file: create: true option: autorun-never - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271035 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function." when: @@ -140,7 +144,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/media-handling/autorun-never - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed." when: @@ -160,9 +165,10 @@ community.general.ini_file: create: true option: removal-action - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' - value: 'lock-screen' + value: "'lock-screen'" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271050 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action." when: 
@@ -182,7 +188,8 @@
 ansible.builtin.lineinfile:
 create: true
 line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
+ path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
 when:
@@ -202,9 +209,10 @@
 community.general.ini_file:
 create: true
 option: lock-enabled
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
+ path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
 section: 'org/gnome/desktop/screensaver'
 value: 'true'
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271060 | PATCH | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."
 when:
@@ -224,7 +232,8 @@
 ansible.builtin.lineinfile:
 create: true
 line: /org/gnome/desktop/screensaver/lock-enabled
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
+ path: "/etc/dconf/db/{{ item }}.d/locks/session"
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity."
 when:
@@ -244,9 +253,10 @@
 community.general.ini_file:
 create: true
 option: idle-delay
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver"
+ path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
 section: 'org/gnome/desktop/session'
 value: 'uint32 900'
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271070 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface"
 when:
@@ -266,7 +276,8 @@
 ansible.builtin.lineinfile:
 create: true
 line: /org/gnome/desktop/session/idle-delay
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
+ path: "/etc/dconf/db/{{ item }}.d/locks/session"
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated."
 when:
@@ -284,9 +295,10 @@
 community.general.ini_file:
 create: true
 option: lock-delay
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver"
+ path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
 section: 'org/gnome/desktop/screensaver'
 value: 'uint32 5'
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271080 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface"
 when:
@@ -304,7 +316,8 @@
 ansible.builtin.lineinfile:
 create: true
 line: /org/gnome/desktop/screensaver/lock-delay
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
+ path: "/etc/dconf/db/{{ item }}.d/locks/session"
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
 when:
@@ -324,15 +337,17 @@
 community.general.ini_file:
 create: true
 option: picture-uri
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
+ path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
 section: 'org/gnome/desktop/screensaver'
 value: ''
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
 ansible.builtin.lineinfile:
 create: true
 line: /org/gnome/desktop/screensaver/picture-uri
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
+ path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles."
 when:
@@ -365,9 +380,10 @@
 community.general.ini_file:
 create: true
 option: disable-restart-buttons
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
+ path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
 section: 'org/gnome/settings-daemon/peripherals/smartcard'
 value: 'true'
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface."
 when:
@@ -385,7 +401,8 @@
 ansible.builtin.lineinfile:
 create: true
 line: /org/gnome/login-screen/disable-restart-buttons
- path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
+ path: "/etc/dconf/db/{{ item }}.d/locks/session"
+ loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

 - name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot."
 when:
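Review bot: `value: ''` for picture-uri produces a keyfile line with nothing after the `=`, which dconf does not parse as a string value; as I read the STIG fix text the expected line is `picture-uri=''` with literal single quotes, so this should follow the removal-action task in this same commit and use `value: "''"`. The second lineinfile task in the hunk (the picture-uri lock) also has no `when:`, unlike every other task in the file, so it now runs unconditionally; if `rhel9stig_dconf_db` is only registered when a desktop is present, the new `loop` fails on an undefined variable on headless hosts. It needs the same guard as the task above it, presumably `when: - rhel_09_271085` following the `rhel_09_NNNNNN` naming used elsewhere in the role.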
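Review bot: In the `@@ -365,9 +380,10 @@` hunk the disable-restart-buttons key is written under `section: 'org/gnome/settings-daemon/peripherals/smartcard'`, while the lock added in the following hunk targets `/org/gnome/login-screen/disable-restart-buttons`, which is where the GNOME key actually lives. The setting therefore lands in the wrong dconf path and never takes effect, and the lock pins a key that was never set. The section line is unchanged context but is the line to fix: `section: 'org/gnome/login-screen'`. The enclosing task's `when:` and tags start above the hunk.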
@@ -403,9 +420,10 @@ community.general.ini_file: create: true option: logout - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/plugins/media-keys' value: "['']" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271110 | PATCH | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface." when: @@ -423,7 +441,8 @@ ansible.builtin.lineinfile: create: true line: org/gnome/settings-daemon/plugins/media-keys/logout - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces." when: @@ -441,6 +460,7 @@ community.general.ini_file: create: true option: disable-user-list - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/02-login-screen" + path: "/etc/dconf/db/{{ item }}.d/02-login-screen" section: 'org/gnome/login-screen' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" From 25ff857b0dffe150a115fcae7f9fb4445aa5fb25 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 17:38:46 +0100 Subject: [PATCH 10/41] improve logic thanks to #4 Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 37e812b..929cbd1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
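Review bot: In the `@@ -423,7 +441,8 @@` hunk the lock entry `line: org/gnome/settings-daemon/plugins/media-keys/logout` lacks the leading slash that every other lock line in this file carries; dconf lock files list absolute key paths, so this entry most likely does not lock the key the preceding task sets and a user can re-enable the Ctrl-Alt-Del binding. Change it to `line: /org/gnome/settings-daemon/plugins/media-keys/logout`. The task header and `when:` are above the hunk.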
@@ -675,7 +675,7 @@ rhel9stig_custom_firewall: interface: - "{{ ansible_default_ipv4.interface }}" -# rhel9stig_white_list_services is the services that you want to allow through initially for teh new firewall zone +# rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel9stig_white_list_services: From d9d866924053a12fce056f8d766d12534b03c5ab Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Apr 2024 21:23:19 +0100 Subject: [PATCH 11/41] updated audit branch name Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- vars/audit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 929cbd1..e66fc34 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- ## metadata for Audit benchmark -benchmark_version: '1.2.0' +benchmark_version: 'v1r2' ## Benchmark name used by audting control role # The audit variable found at the base diff --git a/vars/audit.yml b/vars/audit.yml index 97d9b09..6ca6a79 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -17,7 +17,7 @@ audit_bin_copy_location: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark-{{ benchmark_version }}" +audit_git_version: "benchmark_{{ benchmark_version }}" # archive or copy: audit_conf_copy: "some path to copy from" From 0a75802e2aee66f4d36952b1979ef60952dc3e36 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 29 Apr 2024 11:09:57 +0100 Subject: [PATCH 12/41] updated audit components 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 46 ++++++++++++++++++++--------- tasks/LE_audit_setup.yml | 46 ++++++++++++++--------------- tasks/audit_only.yml | 6 ++-- tasks/main.yml | 19 ------------ tasks/post_remediation_audit.yml | 24 +++++++-------- tasks/pre_remediation_audit.yml | 50 +++++++++++++++++--------------- tasks/prelim.yml | 19 ++++++++++++ vars/audit.yml | 28 +++++------------- 8 files changed, 124 insertions(+), 114 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e66fc34..121d357 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -51,42 +51,60 @@ rhel9stig_workaround_for_ssg_benchmark: true # system acts or requires router networking options rhel9stig_system_is_router: false -########################################## +### +### Settings for associated Audit role using Goss +### + +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/auditd.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url other e.g. 
if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" + +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# This variable specifies the timeout (in ms) for audit commands that -# take a very long time: if a command takes too long to complete, -# it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 120000 +# Where the audit logs are stored +audit_log_dir: '/opt' -### End Goss enablements #### +### Goss Settings ## +####### END ######## #### CAT 1 rhel_09_211010: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 02797e7..7067414 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -2,33 +2,33 @@
 - name: Pre Audit Setup | Set audit package name
 block:
- - name: Pre Audit Setup | Set audit package name | 64bit
- ansible.builtin.set_fact:
- audit_pkg_arch_name: AMD64
- when: ansible_machine == "x86_64"
+ - name: Pre Audit Setup | Set audit package name | 64bit
+ when: ansible_facts.machine == "x86_64"
+ ansible.builtin.set_fact:
+ audit_pkg_arch_name: AMD64

- - name: Pre Audit Setup | Set audit package name | ARM64
- ansible.builtin.set_fact:
- audit_pkg_arch_name: ARM64
- when: ansible_machine == "arm64"
+ - name: Pre Audit Setup | Set audit package name | ARM64
+ when: ansible_facts.machine == "arm64"
+ ansible.builtin.set_fact:
+ audit_pkg_arch_name: ARM64

 - name: Pre Audit Setup | Download audit binary
- ansible.builtin.get_url:
- url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
- dest: "{{ audit_bin }}"
- owner: root
- group: root
- checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
- mode: '0555'
 when:
- - get_audit_binary_method == 'download'
+ - get_audit_binary_method == 'download'
+ ansible.builtin.get_url:
+ url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
+ dest: "{{ audit_bin }}"
+ owner: root
+ group: root
+ checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
+ mode: '0555'

 - name: Pre Audit Setup | Copy audit binary
- ansible.builtin.copy:
- src: "{{ audit_bin_copy_location }}"
- dest: "{{ audit_bin }}"
- mode: '0555'
- owner: root
- group: root
 when:
- - get_audit_binary_method == 'copy'
+ - get_audit_binary_method == 'copy'
+ ansible.builtin.copy:
+ src: "{{ audit_bin_copy_location }}"
+ dest: "{{ audit_bin }}"
+ mode: '0555'
+ owner: root
+ group: root
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index 5a4aec2..b7dad08 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
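Review bot: The ARM branch tests `ansible_facts.machine == "arm64"`, but on Linux that fact comes from `uname -m` and reports `aarch64`, so `audit_pkg_arch_name` is never set on ARM hosts and the download task then fails on an undefined variable when it builds the URL and the `_checksum` key. Use `when: ansible_facts.machine in ["aarch64", "arm64"]` there. The download itself keeps the pinned `checksum:` from `audit_bin_version`, which is the right way to fetch a binary that the role will later run with root privileges.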
@@ -1,28 +1,28 @@ --- - name: Audit_Only | Create local Directories for hosts + when: fetch_audit_files ansible.builtin.file: mode: '0755' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" recurse: true state: directory - when: fetch_audit_files delegate_to: localhost become: false - name: Audit_only | Get audits from systems and put in group dir + when: fetch_audit_files ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true mode: '0644' src: "{{ pre_audit_outfile }}" - when: fetch_audit_files - name: Audit_only | Show Audit Summary when: - audit_only ansible.builtin.debug: - msg: "The Audit results are: {{ pre_audit_summary }}." + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected when: diff --git a/tasks/main.yml b/tasks/main.yml index 8df031c..84d9c7c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -95,25 +95,6 @@ ansible.builtin.import_tasks: file: prelim.yml -- name: Include audit specific variables - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - ansible.builtin.include_vars: - file: audit.yml - -- name: Include pre-remediation audit tasks - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml - - name: Include CAT I patches when: - rhel9stig_cat1 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0c8f480..50a3fa2 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,14 +1,14 @@
 ---

 - name: Post Audit | Run post_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
- AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+ AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
 AUDIT_FILE: goss.yml

-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
 ansible.builtin.file:
 path: "{{ item }}"
 mode: '0644'
@@ -21,14 +21,14 @@
 when:
 - audit_format == "json"
 block:
- - name: capture data {{ post_audit_outfile }}
- ansible.builtin.shell: cat {{ post_audit_outfile }}
- register: post_audit
+ - name: Post Audit | Capture data {{ post_audit_outfile }}
+ ansible.builtin.shell: "cat {{ post_audit_outfile }}"
+ register: discovered_post_audit
 changed_when: false

- - name: Capture post-audit result
+ - name: Post Audit | Capture post-audit result
 ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+ post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
 vars:
 summary: summary."summary-line"
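Review bot: The "Ensure audit files readable by users" task applies `mode: '0644'` to the audit output files (the loop items are past the end of this chunk, but the outfile names in vars/audit.yml put them under `audit_log_dir`, `/opt` by default), so every local account can read a report that enumerates exactly which STIG controls the host fails. That is a convenient roadmap for anyone who already has a low-privilege foothold; the `fetch` in audit_only.yml runs with the play's privileges and does not need world-readable files. Suggest `mode: '0640'` with `owner: root` and `group: root` (or a dedicated group for whoever consumes the results).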
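Review bot: In the `@@ -21,14 +21,14 @@` hunk the result is read back with `ansible.builtin.shell: "cat {{ post_audit_outfile }}"`, a shell round-trip plus `changed_when: false` bookkeeping for something the `slurp` module does natively: `ansible.builtin.slurp: src: "{{ post_audit_outfile }}"` and then `post_audit_summary: "{{ discovered_post_audit.content | b64decode | from_json | json_query(summary) }}"`. The same pattern is repeated in the documentation-format block below and in the pre-audit copy of this code, so it is worth changing in one go.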
@@ -36,11 +36,11 @@
 when:
 - audit_format == "documentation"
 block:
- - name: Post Audit | capture data {{ post_audit_outfile }}
- ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
- register: post_audit
+ - name: Post Audit | Capture data {{ post_audit_outfile }}
+ ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
+ register: discovered_post_audit
 changed_when: false

 - name: Post Audit | Capture post-audit result
 ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout_lines }}"
+ post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 535029c..9515a35 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -5,7 +5,8 @@
 - setup_audit
 tags:
 - setup_audit
- ansible.builtin.include_tasks: LE_audit_setup.yml
+ ansible.builtin.include_tasks:
+ file: LE_audit_setup.yml

 - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
 ansible.builtin.file:
@@ -32,23 +33,25 @@
 when:
 - audit_content == 'copy'
 ansible.builtin.copy:
- src: "{{ audit_local_copy }}"
+ src: "{{ audit_conf_source }}"
 dest: "{{ audit_conf_dest }}"
 mode: preserve

 - name: Pre Audit Setup | Unarchive audit content files on server
 when:
- - audit_content == 'archived'
+ - audit_content == 'archive'
 ansible.builtin.unarchive:
- src: "{{ audit_conf_copy }}"
- dest: "{{ audit_conf_dir }}"
+ src: "{{ audit_conf_source }}"
+ dest: "{{ audit_conf_dest }}"

 - name: Pre Audit Setup | Get audit content from url
 when:
 - audit_content == 'get_url'
- ansible.builtin.get_url:
- url: "{{ audit_files_url }}"
- dest: "{{ audit_conf_dir }}"
+ ansible.builtin.unarchive:
+ src: "{{ audit_conf_source }}"
+ dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
+ remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+ extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"

 - name: Pre Audit Setup | Check Goss is available
 when:
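Review bot: The new get_url path unpacks `audit_conf_source` straight onto the host with `remote_src` whenever the string contains `http`, with no checksum or signature verification, and the substring test also accepts plain `http://` sources. What it fetches is goss.yml plus run_audit.sh, which the later tasks execute with the role's (root) privileges, so that content is trusted on the strength of the URL alone, whereas the goss binary download in LE_audit_setup.yml is pinned by checksum. Consider fetching the archive with `ansible.builtin.get_url` and a `checksum:` (and requiring an https scheme) before unarchiving, and pointing `audit_conf_source` at a tag or commit archive rather than a branch. As a style nit, `remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"` is already a boolean and can be `remote_src: "{{ audit_conf_source is contains('http') }}"`.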
@@ -57,44 +60,44 @@
 - name: Pre Audit Setup | Check for goss file
 ansible.builtin.stat:
 path: "{{ audit_bin }}"
- register: goss_available
+ register: discovered_goss_available

 - name: Pre Audit Setup | If audit ensure goss is available
 ansible.builtin.assert:
- that: goss_available.stat.exists
+ that: discovered_goss_available.stat.exists
 msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"

 - name: Pre Audit Setup | Copy ansible default vars values to test audit
+ when:
+ - run_audit
 tags:
 - goss_template
 - run_audit
- when:
- - run_audit
 ansible.builtin.template:
 src: ansible_vars_goss.yml.j2
 dest: "{{ audit_vars_path }}"
 mode: '0600'

 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
- AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+ AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
 AUDIT_FILE: goss.yml

 - name: Pre Audit | Capture audit data if json format
 when:
 - audit_format == "json"
 block:
- - name: capture data {{ pre_audit_outfile }}
- ansible.builtin.shell: cat {{ pre_audit_outfile }}
- register: pre_audit
+ - name: Pre Audit | Capture data {{ pre_audit_outfile }}
+ ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
+ register: discovered_pre_audit
 changed_when: false

 - name: Pre Audit | Capture pre-audit result
 ansible.builtin.set_fact:
- pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+ pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
 vars:
 summary: summary."summary-line"
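Review bot: The renamed assert still only checks that `{{ audit_bin }}` exists, yet the binary is executed by run_audit.sh a few tasks later (with root privileges, if the role is run with become as the setup tasks imply), so a group- or world-writable file at that path passes the check. `stat` already returns ownership and permission fields, so the assertion can be tightened without another task: `that: - discovered_goss_available.stat.exists - discovered_goss_available.stat.pw_name == 'root' - not discovered_goss_available.stat.wgrp and not discovered_goss_available.stat.woth`. The `msg:` should then mention that the binary must be root-owned and not writable by others, so the failure is self-explanatory.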
@@ -102,16 +105,17 @@ when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} - register: pre_audit + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: discovered_pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}" - name: Audit_Only | Run Audit Only when: - audit_only - ansible.builtin.import_tasks: audit_only.yml + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5059445..ccdefe8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -40,6 +40,25 @@ tags: - always +- name: Include audit specific variables + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml + - name: PRELIM | Interactive User account home ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' changed_when: false diff --git a/vars/audit.yml b/vars/audit.yml index 6ca6a79..bb50f6d 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
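Review bot: In the prelim.yml hunk both moved tasks are gated on `setup_audit` in addition to `run_audit or audit_only`, so a user who already has goss and the audit content in place and sets `run_audit: true` while leaving `setup_audit` at its default of false gets neither the audit.yml vars nor the pre-remediation audit, while post_remediation_audit.yml still references `audit_conf_dir` and `audit_vars_path` from those vars and will fail on undefined variables. The `LE_audit_setup.yml` include inside pre_remediation_audit.yml is already guarded by `setup_audit` on its own, so the condition on both tasks here can be reduced to `when: - run_audit or audit_only`. This is carried over from main.yml rather than introduced by the move, but the move is a good moment to fix it.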
@@ -8,32 +8,19 @@ audit_cmd_timeout: 120000 # if get_audit_binary_method == download change accordingly audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - ### Goss Audit Benchmark file ### ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}" -# archive or copy: -audit_conf_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" - ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not 
need changing @@ -47,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} From 3cf5f1a311f006beb0c61db5fbfb5d198f5d0430 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 29 Apr 2024 11:30:44 +0100 Subject: [PATCH 13/41] Updated 213115 inline for kexec Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-21xxxx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index f34ed66..f64b9bb 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml @@ -808,6 +808,7 @@ - name: "MEDIUM | RHEL-09-213115 | PATCH | The kdump service on RHEL 9 must be disabled." when: - rhel_09_213115 + - "'kexec-tools' in ansible_facts.packages" tags: - RHEL-09-213115 - CAT2 From 64fdbe99c08d4e78839d19b043bf221ce00643e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 29 Apr 2024 11:48:07 +0100 Subject: [PATCH 14/41] added fix for 251040 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-25xxxx.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 0f1cbd5..dcf2d3a 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml 
@@ -195,16 +195,18 @@ - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode." when: - not rhel9stig_disruption_high - - item not in rhel9stig_promisc_if + - item in rhel9stig_promisc_if ansible.builtin.debug: msg: "Warning!! You have interfaces set to promicious mode no in the exception list" + loop: "{{ ansible_facts.interfaces }}" - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode." when: - not rhel9stig_disruption_high - - item not in rhel9stig_promisc_if - ansible.builtin.import_tasks: + - item in rhel9stig_promisc_if + ansible.builtin.include_tasks: file: warning_facts.yml + loop: "{{ ansible_facts.interfaces }}" - name: "MEDIUM | RHEL-09-251045 | PATCH | RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler." when: From ef767bd084470c79aad7c6acfb06e2f560cc42f8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 29 Apr 2024 12:13:42 +0100 Subject: [PATCH 15/41] updated auditd file logic Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-65xxxx.yml | 20 ++++++-------------- tasks/prelim.yml | 33 ++++++++++----------------------- 2 files changed, 16 insertions(+), 37 deletions(-) diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index b27f2aa..d2edc1f 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -635,7 +635,8 @@ msg: - "WARNING!! Below is the path and size of the partition for the audit logs." - "Please make sure there is enough disk space for 1 week of logs" - - "Path: {{ rhel9stig_audit_conf.logfile }}" + - "Mount: {{ rhel9stig_audit_log_filesystem }}" + - "Logfile: {{ discovered_auditd_logfile.stdout }}" - "Disk Space remaining: {{ audit_filesystem_space_left }}MB" - name: "MEDIUM | RHEL-09-653030 | WARN | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records." 
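Review bot: The debug message in the promiscuous-mode hunk says it warns about interfaces in promiscuous mode that are not in the exception list, but the new condition fires for every interface that is in `rhel9stig_promisc_if`; unless that variable holds the discovered set of promiscuous interfaces rather than the allow-list (its source is not visible here), one of the two is inverted and the WARN never reaches the interfaces that matter. Worth confirming against where `rhel9stig_promisc_if` is populated before merging. The message text also has two typos: `msg: "Warning!! You have interfaces set to promiscuous mode not in the exception list"`. Note that both tasks are skipped entirely when `rhel9stig_disruption_high` is true, so nothing in this hunk handles that branch.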
@@ -850,7 +851,7 @@ - auditd ansible.builtin.file: owner: root - path: "{{ rhel9stig_audit_log_filesystem }}" + path: "{{ discovered_auditd_logfile.stdout }}" - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log." when: @@ -869,18 +870,9 @@ - NIST800-53R4_AU-9 - NIST800-53R4_SI-11 - auditd - block: - - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log." - ansible.builtin.file: - mode: '0600' - path: "{{ rhel9stig_audit_conf.logfile }}" - - - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log." - ansible.builtin.file: - mode: '0440' - path: "{{ item }}" - with_fileglob: - - "{{ rhel9stig_audit_conf.logfile }}*" + ansible.builtin.file: + mode: go-rwx + path: "{{ discovered_auditd_logfile.stdout }}" - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records." when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ccdefe8..f8aaebd 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
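Review bot: In the `@@ -869,18 +870,9 @@` hunk, dropping the `with_fileglob` branch removes a real bug (that lookup globs on the control node, not on the target), but the replacement only touches the active log file, so rotated logs such as `audit.log.1` in the same directory keep whatever mode they have; if the STIG check inspects the whole log directory rather than only `log_file`, the control still fails after remediation. A remote-side `ansible.builtin.find` over the log file's directory, fed into the existing `file` task, covers both the active and rotated files. The task's `when:` and tags begin above the hunk.

```yaml
  block:
    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
      ansible.builtin.find:
        paths: "{{ discovered_auditd_logfile.stdout | dirname }}"
        patterns: "{{ discovered_auditd_logfile.stdout | basename }}*"
      register: discovered_auditd_logfiles

    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
      ansible.builtin.file:
        mode: go-rwx
        path: "{{ item.path }}"
      loop: "{{ discovered_auditd_logfiles.files }}"
```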
@@ -177,29 +177,16 @@ - SRG-OS-000475-GPOS-00220 - auditd -# - name: "PRELIM | Audit conf and rules files | list files" -# ansible.builtin.find: -# path: /etc/audit -# file_type: file -# recurse: true -# patterns: '*.conf,*.rules' -# register: auditd_conf_files -# when: -# - rhel9_09_653105 -# tags: -# - cat2 -# - auditd -# - RHEL-09-653105 - -# - name: "PRELIM | Configure cron" -# ansible.builtin.package: -# name: cronie -# state: present -# become: true -# when: -# - '"cronie" not in ansible_facts.packages' -# tags: -# - cron +- name: "PRELIM | Discover auditd_logfile_path" + when: + - rhel_09_653085 or + rhel_09_653085 or + rhel_09_653090 + tags: + - always + ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' + changed_when: false + register: discovered_auditd_logfile # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config - name: PRELIM | SSH From 3bb0cc97579eda6bbc41646d4e90c2df9c62f995 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 17:46:39 +0000 Subject: [PATCH 16/41] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](https://github.com/Yelp/detect-secrets/compare/v1.4.0...v1.5.0) - [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](https://github.com/gitleaks/gitleaks/compare/v8.18.2...v8.18.3) - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.5.0](https://github.com/ansible-community/ansible-lint/compare/v24.2.2...v24.5.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a930570..e099a0c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
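Review bot: The `when:` on the new discovery task lists `rhel_09_653085` twice and omits `rhel_09_653030`, whose WARN task in this same commit now prints `discovered_auditd_logfile.stdout`; a run with 653030 enabled but 653085 and 653090 disabled therefore fails on an undefined variable. The duplicate is presumably a typo for 653030; suggest `when: - rhel_09_653030 or rhel_09_653085 or rhel_09_653090`. The `tags: - always` is appropriate for a prelim fact, but given that, it would be simpler and safer to drop the `when:` entirely and always register the value, since the grep is cheap and `auditd.conf` is present on every host the role targets.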
@@ -31,17 +31,17 @@ repos: # Scan for passwords - repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 + rev: v1.5.0 hooks: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.2 + rev: v8.18.3 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.2 + rev: v24.5.0 hooks: - id: ansible-lint name: Ansible-lint From f00e009ba76525efe214502d426086755ccff336 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 17:49:49 +0000 Subject: [PATCH 17/41] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.5.0 → v24.6.0](https://github.com/ansible-community/ansible-lint/compare/v24.5.0...v24.6.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e099a0c..f0fc72a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.5.0 + rev: v24.6.0 hooks: - id: ansible-lint name: Ansible-lint From 7027e1288e241b036e4b69ca5a3ba07e2ebcd6f2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 13:01:42 +0100 Subject: [PATCH 18/41] addressed issue #12 thanks to @layluke Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-23xxxx.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index 962aedd..878f821 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml 
@@ -1875,7 +1875,7 @@ block: - name: "RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." when: - - not item['device'].startswith('/dev') + - item['device'].startswith('/dev') - not 'bind' in item['options'] ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false @@ -1921,7 +1921,7 @@ block: - name: "RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." when: - - not item['device'].startswith('/dev') + - item['device'].startswith('/dev') - not 'bind' in item['options'] ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false From e21ec7da89b504176660817047547eecff7b399f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 17:47:05 +0000 Subject: [PATCH 19/41] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](https://github.com/gitleaks/gitleaks/compare/v8.18.3...v8.18.4) - [github.com/ansible-community/ansible-lint: v24.6.0 → v24.6.1](https://github.com/ansible-community/ansible-lint/compare/v24.6.0...v24.6.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f0fc72a..2e4e221 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,12 +36,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.3 + rev: v8.18.4 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.6.0 + rev: v24.6.1 hooks: - id: ansible-lint name: Ansible-lint From 11fac347bc2a164427c75d1092b97647e12dc0c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 13:19:54 +0100 Subject: [PATCH 20/41] addressed #17 thanks to @knbrende 
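Review bot: The RHEL-09-232255 task in the second hunk (`@@ -1921`) still runs `find "{{ item.mount }}" -xdev -nogroup`, the same predicate as the RHEL-09-232250 group-owner audit above it, although its title is about files with a valid owner; `-nouser` is the find test for a file with no owning user, so as written the owner audit can never report a file that has a group but no user. I would change that line to `ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser`. Both hunks sit inside a `block:` whose enclosing task, the loop that supplies `item`, and the registered result are outside the hunk.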
Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-23xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index 878f821..6311e5c 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -564,7 +564,7 @@ - item.mount == '/var' - "'nodev' not in item.options" notify: - - Remount_tmp + - Remount_var tags: - RHEL-09-231140 - CAT2 From 3f3ca2369dd6fb4c5772f17424d913a29d285fcd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 13:23:12 +0100 Subject: [PATCH 21/41] updated workflows Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 291 ++++++++++-------- .../workflows/main_pipeline_validation.yml | 277 +++++++++-------- .github/workflows/update_galaxy.yml | 30 +- 3 files changed, 324 insertions(+), 274 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa..e02fe1f 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -1,138 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main 
with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansibleplaybook - - name: 
Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. 
+ + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + 
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d9..4a5adc9 100644 
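Review bot: The `playbook-test` job runs on `pull_request_target`, checks out `${{ github.event.pull_request.head.sha }}` and then executes that checkout's `site.yml`, so code from a fork pull request runs with the job's secrets; the new `permissions: id-token: write` with `role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}`, the switch to `runs-on: self-hosted` and the runner-resident `~/.ssh/le_runner` key widen what such code can reach compared with the hosted-runner version it replaces. I would gate the job before any checkout, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository` on `playbook-test` (or a maintainer-applied label), and record the decision in a comment above `pull_request_target:`. `actions/first-interaction@main` and `aws-actions/configure-aws-credentials@main` track a moving branch, so their behaviour can change without any change in this repository; pinning to a release tag or full commit SHA keeps the credential step reviewable. The same trigger, permissions and `@main` references are introduced in `main_pipeline_validation.yml` below.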
--- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: 
DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansibleplaybook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ 
secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - 
name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index f935280..b6ee6a1 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,19 +1,19 @@ --- -name: update galaxy + name: update galaxy -on: - push: - branches: - - main -jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From eb15ea2a3b2802157a287a76ea20e7f35101d101 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 13:47:39 +0100 Subject: [PATCH 22/41] updated vars from #13 Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 121d357..3def906 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -361,6 +361,7 @@ rhel_09_271075: true rhel_09_271080: true rhel_09_271085: true rhel_09_271090: true +rhel_09_271095: true rhel_09_271100: true rhel_09_271105: true rhel_09_271110: true 
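Review bot: In the `DEBUG - Show IaC files` step, `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` has an unbalanced double quote, so the whole `run: |` script fails to parse whenever `ENABLE_DEBUG` is `'true'`; the step also reads `$AWS_PRIVSUBNET_ID` and `$AWS_VPC_SECGRP_ID` while its `env:` exports them as `PRIVSUBNET_ID` and `VPC_ID`, so the values would print empty even once the quote is fixed. Given these come from `secrets.*`, I would remove the two echo lines rather than repair them, or at minimum write `echo "PRIVSUBNET_ID = $PRIVSUBNET_ID"` and `echo "VPC_ID = $VPC_ID"`. `if [ ${{ vars.IAC_BRANCH }} != '' ]` expands to `[ != '' ]` when the variable is unset and only reaches the `else` branch because `[` reports a usage error; quote it as `if [ "${{ vars.IAC_BRANCH }}" != '' ]; then`. `AWS_REGION : "us-east-1"` carries a space before the colon (yamllint `colons`), unlike the devel workflow's `AWS_REGION:`. The echo and `IAC_BRANCH` defects are present in `devel_pipeline_validation.yml` above as well.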
@@ -690,8 +691,7 @@ rhel9stig_home_filesystem: '/home' # rhel9stig_custom_firewall_zone is the desired name for the firewall zone rhel9stig_custom_firewall: zone: "drop" - interface: - - "{{ ansible_default_ipv4.interface }}" + interface: "{{ ansible_default_ipv4.interface }}" # rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. @@ -825,7 +825,7 @@ rhel9stig_remotelog_server: rhel9stig_audit_log_filesystem: /var/log/audit rhel9stig_audit_conf: action_mail_acct: root - admin_space_left: 5 + admin_space_left: 5% admin_space_left_action: single disk_error_action: HALT # Can be one of "SYSLOG", "SINGLE", or "HALT" disk_full_action: HALT # Can be one of "SYSLOG", "SINGLE", or "HALT" @@ -837,7 +837,7 @@ rhel9stig_audit_conf: max_log_file_action: ROTATE name_format: hostname overflow_action: syslog - space_left: 25 + space_left: 25% space_left_action: email write_logs: 'yes' From 31ce9c9ed367b3182e4e01c5d34e784d599f8383 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 13:48:41 +0100 Subject: [PATCH 23/41] updated title typos #13 Signed-off-by: Mark Bolwell --- tasks/Cat1/RHEL-09-2xxxxx.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index 569b3ad..e5f37a4 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml @@ -197,7 +197,7 @@ name: tftp state: absent -- name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification +- name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. when: - rhel_09_231190 
@@ -218,14 +218,14 @@ vars: warn_control_id: "HIGH | RHEL-09-231190" block: - - name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout ansible.builtin.shell: blkid changed_when: false failed_when: false register: rhel_09_231190_partition_layout - - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning ansible.builtin.debug: msg: @@ -233,7 +233,7 @@ - If partitions other than pseudo file systems (such as /proc or /sys or tmpfs) this is a finding - "{{ rhel_09_231190_partition_layout.stdout_lines }}" - - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning ansible.builtin.import_tasks: file: warning_facts.yml From f2b1d4bd6da14ead564a8d16a338bd2e8b4c6031 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 13:53:37 +0100 Subject: [PATCH 24/41] updates from #13 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-25xxxx.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index dcf2d3a..5cfbcf4 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -310,6 +310,7 @@ section: main state: present value: none + no_extra_spaces: true register: rhel09stig_dns_nm_set - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured." @@ -1052,7 +1053,7 @@ notify: Change_requires_reboot ansible.builtin.lineinfile: line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - path: /etc/crypto-policies/back-ends/opensshserver.config + path: /etc/crypto-policies/back-ends/openssh.config regexp: ^Ciphers - name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." @@ -1406,7 +1407,7 @@ ansible.builtin.lineinfile: create: true line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" - path: "{{ rhel9stig_sshd_config_file }}" + path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)IgnoreUserKnownHosts\s*(yes|no) validate: sshd -t -f %s From 25dd18b445389e535ce51b1b333663d4d4407492 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 14:07:24 +0100 Subject: [PATCH 25/41] updated thanks to #13 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-27xxxx.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index feacd20..8f35791 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -45,7 +45,8 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - line: banner-message-enable + create: true + line: /org/gnome/login-screen/banner-message-enable path: "/etc/dconf/db/{{ item }}.d/locks/session" mode: '0644' modification_time: preserve 
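Review bot: The last hunk (`@@ -1406`) hard-codes `path: /etc/ssh/sshd_config.d/50-redhat.conf` for IgnoreUserKnownHosts in place of `"{{ rhel9stig_sshd_config_file }}"`, so this one control now writes to a different file from whatever the other sshd tasks target through that variable; sshd keeps the first value it reads for each keyword, so the sort order of the two drop-ins, not this task, decides which setting wins. `50-redhat.conf` also looks like the distribution's own drop-in, which a package update may rewrite. I would either keep the variable or add a comment above `path:` stating why this control deliberately targets the distro drop-in and that `rhel9stig_sshd_config_file` must not point at the same file. The task's name, `when:` and tags are outside the hunk.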
@@ -164,6 +165,7 @@ notify: Update_dconf community.general.ini_file: create: true + no_extra_spaces: true option: removal-action path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' @@ -209,7 +211,7 @@ community.general.ini_file: create: true option: lock-enabled - path: "/etc/dconf/db/{{ item }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/screensaver' value: 'true' loop: "{{ rhel9stig_dconf_db.stdout_lines }}" @@ -339,7 +341,7 @@ option: picture-uri path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' - value: '' + value: "''" loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." @@ -380,9 +382,10 @@ community.general.ini_file: create: true option: disable-restart-buttons - path: "/etc/dconf/db/{{ item }}.d/00-security-settings" - section: 'org/gnome/settings-daemon/peripherals/smartcard' - value: 'true' + path: "/etc/dconf/db/{{ item }}.d/02-login-screen" + section: 'org/gnome/login-screen' + value: "true" + no_extra_spaces: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface." @@ -440,7 +443,7 @@ notify: Update_dconf ansible.builtin.lineinfile: create: true - line: org/gnome/settings-daemon/plugins/media-keys/logout + line: /org/gnome/settings-daemon/plugins/media-keys/logout path: "/etc/dconf/db/{{ item }}.d/locks/session" loop: "{{ rhel9stig_dconf_db.stdout_lines }}" From bc108ddd2f1336ff28a4eeb5e9b1c612bd4ff61a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 14:09:22 +0100 Subject: [PATCH 26/41] updated from items in #13 
Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-4xxxxx.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml index ad564fc..8f1ec70 100644 --- a/tasks/Cat2/RHEL-09-4xxxxx.yml +++ b/tasks/Cat2/RHEL-09-4xxxxx.yml @@ -44,8 +44,7 @@ - "item in rhel9stig_interactive_users.stdout_lines" ansible.builtin.shell: "chage -M 60 {{ item }}" failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ] - loop: - - "{{ rhel9stig_users_passwd_max.stdout_lines }}" + loop: "{{ rhel9stig_users_passwd_max.stdout_lines }}" - name: "MEDIUM | RHEL-09-411015 | WARN | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs." when: @@ -259,7 +258,7 @@ - name: "MEDIUM | RHEL-09-411050 | PATCH | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity." when: - rhel9stig_inactive_user_setting is defined - - "'-1' not in rhel9stig_inactive_user_setting.stdout" + - "'-1' in rhel9stig_inactive_user_setting.stdout" - "rhel9stig_user_inactive_days not in rhel9stig_inactive_user_setting.stdout" ansible.builtin.shell: "useradd -D -f {{ rhel9stig_user_inactive_days }}" From 4a2561c4f51da4877d028cbf4c502b5df2447b96 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 14:17:49 +0100 Subject: [PATCH 27/41] updated thanks to #13 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-61xxxx.yml | 44 +++++++++++++++++------------------ tasks/Cat2/RHEL-09-65xxxx.yml | 3 +-- tasks/Cat2/RHEL-09-67xxxx.yml | 8 +++---- tasks/Cat3/RHEL-09-4xxxxx.yml | 18 ++++++++++---- 4 files changed, 40 insertions(+), 33 deletions(-) diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index 3eeb897..e4c6129 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml 
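Review bot: Changing the condition to `'-1' in rhel9stig_inactive_user_setting.stdout` in the second hunk (`@@ -259`) restricts RHEL-09-411050 to hosts whose current INACTIVE value is -1; a host already carrying another non-compliant value (90 days, say) no longer matches and stays unremediated, although the next line, `rhel9stig_user_inactive_days not in rhel9stig_inactive_user_setting.stdout`, already states the real test. Unless the intent is to touch only never-configured hosts, I would drop the `'-1'` condition and keep the `not in` check, noting that a substring test against the whole registered output is loose and a match on the `INACTIVE=` line would be tighter. In the first hunk (`@@ -44`) `failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ]` refers to the variable this task loops over, i.e. the result of the earlier task that produced the user list, and the hunk shows no `register:` for the `chage -M 60` task itself, so a failing `chage` is never surfaced; the task needs its own `register:` in that expression, or the override should go.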
@@ -482,7 +482,7 @@ warn_control_id: "MEDIUM | RHEL-09-611085" block: - name: "MEDIUM | RHEL-09-611085 | AUDIT | RHEL 9 must require users to provide a password for privilege escalation" - ansible.builtin.shell: grep NOPASSWD /etc/sudoers /etc/sudoers.d/* + ansible.builtin.shell: grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/ changed_when: false failed_when: rhel9stig_sudo_nopasswd.rc not in [ 0, 1 ] register: rhel9stig_sudo_nopasswd @@ -787,6 +787,25 @@ password_lock: true loop: "{{ rhel9stig_empty_password_accounts.stdout_lines }}" +- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed." + when: + - rhel_09_611185 + - "'opensc' not in ansible_facts.packages" + - rhel9stig_smartcard_reader + tags: + - RHEL-09-611185 + - CAT2 + - CCI-001948 + - CCI-001953 + - SRG-OS-000375-GPOS-00160 + - SRG-OS-000376-GPOS-00161 + - V-2581126r926365_rule + - V-258126 + - NIST800-53R4_IA-2 + ansible.builtin.package: + name: opensc + state: present + - name: "MEDIUM | RHEL-09-611160 | PATCH | RHEL 9 must use the CAC smart card driver." when: - rhel_09_611160 @@ -881,7 +900,7 @@ ansible.builtin.lineinfile: backrefs: true line: '#\1' - path: "{{ item }}" + path: "{{ item.split(':').0 }}" regexp: ^((#|)certificate_verification =.*) loop: "{{ rhel9stig_sssd_cert_verification_files.stdout_lines }}" @@ -919,25 +938,6 @@ name: pcscd state: started -- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed." - when: - - rhel_09_611185 - - "'opensc' not in ansible_facts.packages" - - rhel9stig_smartcard_reader - tags: - - RHEL-09-611185 - - CAT2 - - CCI-001948 - - CCI-001953 - - SRG-OS-000375-GPOS-00160 - - SRG-OS-000376-GPOS-00161 - - V-2581126r926365_rule - - V-258126 - - NIST800-53R4_IA-2 - ansible.builtin.package: - name: opensc - state: present - - name: "MEDIUM | RHEL-09-611190 | PATCH | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key." when: - rhel_09_611190 
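Review bot: The relocated RHEL-09-611185 task keeps the tag `V-2581126r926365_rule`, which has one digit more than the `V-258126` tag beneath it and lacks the `SV-` prefix of a DISA rule id (`SV-<vuln>r<rev>_rule`), so anyone filtering runs by rule id will miss this control; the move was the moment to correct it to the rule id the STIG lists for V-258126, which is not recoverable from the hunk. In the first hunk (`@@ -482`) `grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/` also matches commented-out lines and prose comments, so the AUDIT warning can fire on compliant hosts; `grep -rE '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/` limits hits to active directives. The `block:` containing that audit task starts above the hunk.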
@@ -1017,6 +1017,6 @@ when: - rhel9stig_keytab_files.matched > 0 ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: absent loop: "{{ rhel9stig_keytab_files.files }}" diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index d2edc1f..34169df 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -183,8 +183,7 @@ line: '#\1\2\3' path: "{{ item.path }}" regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*) - loop: - - "{{ rhel9stig_rsyslog_conf.files }}" + loop: "{{ rhel9stig_rsyslog_conf.files }}" - name: "MEDIUM | RHEL-09-652030 | PATCH | All RHEL 9 remote access methods must be monitored." when: diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index 3d8f028..cd6fdac 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -140,7 +140,7 @@ warn_control_id: "MEDIUM | RHEL-09-672020" block: - name: "MEDIUM | RHEL-09-672020 | AUDIT | RHEL 9 crypto policy must not be overridden." - ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -V FIPS + ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -v FIPS changed_when: false failed_when: rhel9stig_crypto_policies_fips.rc not in [ 0, 1 ] register: rhel9stig_crypto_policies_fips @@ -283,10 +283,10 @@ - name: "MEDIUM | RHEL-09-672050 | PATCH | RHEL 9 must implement DOD-approved encryption in the bind package." when: - - rhel_09_672045 + - rhel_09_672050 - "'bind' in ansible_facts.packages" tags: - - RHEL-09-672045 + - RHEL-09-672050 - CAT2 - CCI-002418 - CCI-002422 @@ -300,4 +300,4 @@ ansible.builtin.lineinfile: line: 'include "/etc/crypto-policies/back-ends/bind.config";' path: /etc/named.conf - regexp: ^(|\s*)\include = /etc/crypto-policies + regexp: ^(|\s*)include = /etc/crypto-policies diff --git a/tasks/Cat3/RHEL-09-4xxxxx.yml b/tasks/Cat3/RHEL-09-4xxxxx.yml index d49835a..657ada8 100644 --- a/tasks/Cat3/RHEL-09-4xxxxx.yml +++ b/tasks/Cat3/RHEL-09-4xxxxx.yml 
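Review bot: Removing every keytab the `find` returned with `state: absent` is irreversible and will break any Kerberos-joined service on the host, yet the only gate visible here is `rhel9stig_keytab_files.matched > 0`; the task header and any further `when` entries are outside the hunk. If it is not already there, add `- rhel9stig_disruption_high` to the `when` list, as the PROMISC task in 25xxxx.yml does, so an operator opts in to the destructive step explicitly.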
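Review bot: The `regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)` that the fixed loop now feeds only catches legacy `$InputTCPServerRun`-style directives; `$ModLoad imtcp` escapes it because of the space after `ModLoad`, and the `module(load="imtcp")` / `input(type="imudp" ...)` syntax used by RHEL 9's default rsyslog.conf is not matched at all, so a listening receiver configured the modern way stays enabled. Something like `regex: ^(\s*)(\$ModLoad\s+im(tcp|udp|relp).*|\$Input(TCP|UDP|RELP).*|module\(load="im(tcp|udp|relp)".*|input\(type="im(tcp|udp|relp)".*)$` with `line: '\1#\2'` covers both forms; the lineinfile head of this task is outside the hunk, so the backref numbering needs checking against it.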
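Review bot: `ls -l` prints a `total N` header first, and that line never contains FIPS, so `grep -v FIPS` always matches at least one line and the audit result is never empty; whatever consumes `rhel9stig_crypto_policies_fips` (outside the hunk) will flag an override on every host. Filter the header as well, e.g. `ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | tail -n +2 | grep -v FIPS`, or inspect the link targets directly with `find /etc/crypto-policies/back-ends/ -type l ! -lname '*/FIPS/*'`.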
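Review bot: The corrected `regexp: ^(|\s*)include = /etc/crypto-policies` still cannot match any real named.conf include (the syntax is `include "path";`, there is no `=`), so an existing include of the same file with different spacing is not recognised and a second copy is appended; more importantly, lineinfile appends at end of file, but the statements in bind.config (disable-algorithms and friends) are only valid inside `options { }`, so the appended include breaks `named-checkconf`. Suggest `regexp: ^\s*include\s+"/etc/crypto-policies/back-ends/bind\.config"`, `insertafter: '^\s*options\s*\{'` and `validate: named-checkconf %s`. The placement requirement is inferred from the policy file's contents, not from this hunk, so confirm against a RHEL 9 host.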
@@ -50,8 +50,16 @@ - V-258076 - NIST800-53R4_CM-6 - pam - ansible.builtin.lineinfile: - insertbefore: BOF - line: session required pam_lastlog.so showfailed - path: /etc/pam.d/postlogin - regex: session required pam_lastlog.so showfailed + block: + - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." + ansible.builtin.lineinfile: + insertbefore: BOF + line: session required pam_lastlog.so showfailed + path: /etc/pam.d/postlogin + regex: session required pam_lastlog.so showfailed + + - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." + ansible.builtin.replace: + path: /etc/pam.d/postlogin + replace: '\1\2' + regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)$' From ff4e3302fe472cf44fcf5b7b676a1d4d5524e68a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 14:20:43 +0100 Subject: [PATCH 28/41] updated thanks to #13 Signed-off-by: Mark Bolwell --- templates/etc/audit/rules.d/audit.rules.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/etc/audit/rules.d/audit.rules.j2 b/templates/etc/audit/rules.d/audit.rules.j2 index aa94650..4601ab9 100644 --- a/templates/etc/audit/rules.d/audit.rules.j2 +++ b/templates/etc/audit/rules.d/audit.rules.j2 @@ -171,10 +171,11 @@ -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown {% endif %} {% if rhel_09_654030 %} -# RHEL9-STIG rule 654205 Overruled by 654030 +# RHEL9-STIG rule 654030 #-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod #-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -{% elif rhel_09_654205 %} +{% endif %} +{% if rhel_09_654205 %} # RHEL9-STIG rule 654205 -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod 
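Review bot: The second task's `regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)$'` requires whitespace after `silent`, so a line that ends in `silent` (e.g. `session optional pam_lastlog.so silent`) is left untouched; `'^(.*\spam_lastlog\.so.*\s)silent(\s.*|)$'` handles both positions. Both subtasks also carry the identical name, which makes play output ambiguous — suffix them, e.g. `| Ensure showfailed` and `| Remove silent`. Finally, on authselect-managed hosts /etc/pam.d/postlogin is regenerated from the active profile and these edits are reverted by the next `authselect apply-changes`; that is inferred from RHEL 9's default setup rather than from the hunk, but a comment or a guard on `authselect current` would save the operator a surprise.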
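Review bot: After the change the `rhel_09_654030` branch renders only a comment and two commented-out umount rules, so enabling 654030 on its own produces no active audit rule, and the new comment `# RHEL9-STIG rule 654030` no longer explains why the rules are disabled (the old one at least said 654205 was overruled). If 654030 is meant to be satisfied by the live `-S umount` rules in the `rhel_09_654205` block, say so: `# RHEL9-STIG rule 654030 - covered by the umount syscall rules under rhel_09_654205 below; enable that flag`; if the commented lines are dead, delete them. With both flags true the rendered file now carries the commented and the live copies side by side, which is harmless but confusing.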
From 12a5fe7e40df1af2533e99c0782fcc1e34eb4d1b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 14:31:50 +0100 Subject: [PATCH 29/41] updated parts from #13 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-23xxxx.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index 6311e5c..e4d3946 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -838,7 +838,7 @@ warn_control_id: "MEDIUM | RHEL-09-231200" block: - name: "MEDIUM | RHEL-09-231200 | AUDIT | RHEL 9 must prevent special devices on non-root local partitions. | discover partition" - ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep nodev | awk -F" " '{ print $3}' + ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep -v nodev | awk -F" " '{ print $3}' changed_when: false failed_when: rhel9stig_non_root_missing_nodev.rc not in [ 0, 1 ] register: rhel9stig_non_root_missing_nodev @@ -931,8 +931,7 @@ ansible.builtin.file: mode: '0755' path: "{{ item }}" - loop: - - "{{ rhel9stig_library_directory_perms.stdout_lines }}" + loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}" - name: "MEDIUM | RHEL-09-232025 | PATCH | RHEL 9 /var/log directory must have mode 0755 or less permissive." when: @@ -1036,7 +1035,7 @@ depth: 3 file_type: file hidden: true - path: "{{ rhel9stig_home_filesystem }}" + path: ["{{ rhel9stig_home_filesystem}}", /root ] patterns: ".*" recurse: true register: user_dot_files @@ -1840,8 +1839,7 @@ ansible.builtin.file: path: "{{ item }}" mode: +t - loop: - - "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" + loop: "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." when: From 46571a8c8463c9af92a2bb0dbb05088364ec706c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 14:33:22 +0100 Subject: [PATCH 30/41] Added and updated 
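Review bot: `mode: '0755'` sets an absolute mode on every directory the audit listed, which can loosen a directory that was stricter in some bits — a 0770 library directory becomes world-readable and world-searchable — while the control only requires "0755 or less permissive". A symbolic mode only removes the offending write bits and preserves anything already tighter: `mode: 'go-w'`. The task header and the audit that fills `rhel9stig_library_directory_perms` are outside the hunk.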
Signed-off-by: Mark Bolwell --- Changelog.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 Changelog.md diff --git a/Changelog.md b/Changelog.md new file mode 100644 index 0000000..4e565b8 --- /dev/null +++ b/Changelog.md @@ -0,0 +1,25 @@ +# Ubuntu22CIS + +## 1.2.1 Based on STIG V1R2 Jan24 2024 + +- precommit updates +- issues + - #12 thanks to @layluke + - #13 thanks to @PoundsOfFlesh - some excellent items from PR + +## 1.2 Based on STIG V1R2 Jan24 2024 + +- control updates +- pre-commit updates +- rule IDs +- lint +- audit updates +- tag updates +- issues + - #2 + - #3 + - #4 + +## 1.1 Based on STIG V1R1 + +Initial release From cafa20c5939cdd0929bbe5b9aaab336554d005e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 16:55:55 +0100 Subject: [PATCH 31/41] udpated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + vars/audit.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 4e565b8..ab16030 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ - issues - #12 thanks to @layluke - #13 thanks to @PoundsOfFlesh - some excellent items from PR + - update audit sumamry output ## 1.2 Based on STIG V1R2 Jan24 2024 diff --git a/vars/audit.yml b/vars/audit.yml index bb50f6d..d41ef37 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -34,7 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The audit results are: {{ pre_audit_summary }} + The {% if not audit_only %}pre remediation{% endif %} audit results are: {{ pre_audit_summary }} {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} From e69d1a64319eb15d655ec4651a4ba79b333156c6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jul 2024 16:59:01 +0100 Subject: [PATCH 32/41] linting 
Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 9ac52a4..090b658 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -21,13 +21,13 @@ changed_when: false register: gid_min_id - - name: PRELIM | set_facts for interactive uid/gid + - name: PRELIM | Set_facts for interactive uid/gid ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- name: PRELIM | capture /etc/password variables +- name: PRELIM | Capture /etc/password variables tags: - always ansible.builtin.include_tasks: @@ -120,7 +120,7 @@ path: /sys/firmware/efi register: rhel_09_efi_boot - - name: PRELIM | set legacy boot and grub path | Bios + - name: PRELIM | Set legacy boot and grub path | Bios ansible.builtin.set_fact: rhel9stig_legacy_boot: true when: not rhel_09_efi_boot.stat.exists From 9795227a8e09ad939d4adc39431ddb89cc522d7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Jul 2024 08:12:04 +0100 Subject: [PATCH 33/41] lineinfile updates Signed-off-by: Mark Bolwell --- tasks/Cat1/RHEL-09-2xxxxx.yml | 20 +++---- tasks/Cat1/RHEL-09-4xxxxx.yml | 2 +- tasks/Cat2/RHEL-09-21xxxx.yml | 47 +++++++-------- tasks/Cat2/RHEL-09-25xxxx.yml | 106 +++++++++++++++++----------------- tasks/Cat2/RHEL-09-27xxxx.yml | 40 ++++++------- tasks/Cat2/RHEL-09-4xxxxx.yml | 52 ++++++++--------- tasks/Cat2/RHEL-09-61xxxx.yml | 104 ++++++++++++++++----------------- tasks/Cat2/RHEL-09-65xxxx.yml | 45 +++++++-------- tasks/Cat2/RHEL-09-67xxxx.yml | 14 ++--- tasks/Cat3/RHEL-09-2xxxxx.yml | 8 +-- tasks/Cat3/RHEL-09-4xxxxx.yml | 6 +- 11 files changed, 222 insertions(+), 222 deletions(-) diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index e5f37a4..bed37bc 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml 
@@ -31,10 +31,10 @@ - NIST800-53R4_AC-6 notify: Systemd_daemon_reload ansible.builtin.lineinfile: - create: true - line: CtrlAltDelBurstAction=none path: /etc/systemd/system.conf regexp: ^CtrlAltDelBurstAction=none + line: CtrlAltDelBurstAction=none + create: true - name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled when: @@ -79,10 +79,10 @@ - grub notify: Rebuild_grub ansible.builtin.lineinfile: - insertafter: "{{ grub_superusers.after }}" - line: "{{ grub_superusers.line }}" path: /etc/grub2.cfg regexp: "{{ grub_superusers.regexp }}" + line: "{{ grub_superusers.line }}" + insertafter: "{{ grub_superusers.after }}" loop: - { regexp: '^set_superusers=', line: 'set superusers="{{ rhel9stig_grub_superuser }}"', after: "### BEGIN /etc/grub.d/01_users ###" } - { regexp: export superusers, line: 'export superusers', after: set_superusers= } @@ -104,9 +104,9 @@ - dnf - packages ansible.builtin.lineinfile: - line: gpgcheck=1 path: /etc/dnf/dnf.conf regexp: ^gpgcheck + line: gpgcheck=1 - name: HIGH | RHEL-09-214020 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation. when: @@ -122,9 +122,9 @@ - dnf - packages ansible.builtin.lineinfile: - line: localpkg_gpgcheck=1 path: /etc/dnf/dnf.conf regexp: ^localpkg_gpgcheck + line: localpkg_gpgcheck=1 - name: HIGH | RHEL-09-214025 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation. when: @@ -329,9 +329,9 @@ - NIST800-53R4_IA-2 - ssh ansible.builtin.lineinfile: - line: PermitEmptyPasswords no path: "{{ rhel9stig_sshd_config_file }}" regexp: (?i)^(#|)PermitEmptyPasswords yes + line: PermitEmptyPasswords no validate: sshd -t -f %s notify: Sshd_restart 
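Review bot: `regexp: ^CtrlAltDelBurstAction=none` only matches the already-correct value, so an existing `CtrlAltDelBurstAction=reboot-force` (or the commented default) is not replaced and the new line is appended after it, leaving two assignments in system.conf. systemd takes the last one, so it works, but the file is misleading and a later hand edit above the appended line would silently win. Match the key instead of the value: `regexp: ^(#|)CtrlAltDelBurstAction=`.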
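Review bot: The first loop entry's `regexp: '^set_superusers='` (underscore) can never match the `set superusers="..."` line it inserts, and the second entry's `after: set_superusers=` carries the same typo, so neither directive is found in place and `export superusers` lands wherever `insertafter` falls back to; the generated grub.cfg also indents these lines, so the anchor needs `^\s*`. More fundamentally, `/etc/grub2.cfg` is a generated file — the `### BEGIN /etc/grub.d/01_users ###` marker this task keys on is written by grub2-mkconfig — so the `Rebuild_grub` handler this very task notifies regenerates it from `/etc/grub.d/01_users` and discards the edit; the durable fix is to set `superusers` in that script (or via `grub2-setpassword`) and then rebuild. At minimum correct the patterns: `- { regexp: '^\s*set superusers=', line: 'set superusers="{{ rhel9stig_grub_superuser }}"', after: "### BEGIN /etc/grub.d/01_users ###" }` and `- { regexp: '^\s*export superusers', line: 'export superusers', after: '^\s*set superusers=' }`.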
@@ -350,9 +350,9 @@ - pam notify: Sshd_restart ansible.builtin.lineinfile: - line: UsePAM yes path: "{{ rhel9stig_sshd_config_file }}" regexp: (?i)^(#|)usepam + line: UsePAM yes validate: sshd -t -f %s - name: HIGH | RHEL-09-271040 | PATCH | RHEL 9 must not allow unattended or automatic logon via the graphical user interface. @@ -369,10 +369,10 @@ - NIST800-53R4_CM-6 - gui ansible.builtin.lineinfile: - insertafter: "{{ autologin.after | default(omit) }}" - line: "{{ autologin.line }}" path: /etc/gdm/custom.conf regexp: "{{ autologin.regexp }}" + line: "{{ autologin.line }}" + insertafter: "{{ autologin.after | default(omit) }}" create: true loop: - { regexp: "[daemon]", line: "[daemon]" } diff --git a/tasks/Cat1/RHEL-09-4xxxxx.yml b/tasks/Cat1/RHEL-09-4xxxxx.yml index 3cc37a0..ff5da43 100644 --- a/tasks/Cat1/RHEL-09-4xxxxx.yml +++ b/tasks/Cat1/RHEL-09-4xxxxx.yml @@ -55,6 +55,6 @@ - NIST800-53R4_SI-6 - selinux ansible.builtin.lineinfile: - line: SELINUX=enforcing path: /etc/selinux/config regexp: (?i)^selinux= + line: SELINUX=enforcing diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index f64b9bb..619e42a 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml @@ -36,9 +36,9 @@ block: - name: "MEDIUM | RHEL-09-211020 | PATCH | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path" ansible.builtin.lineinfile: - line: 'Banner /etc/issue' path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' + line: 'Banner /etc/issue' when: - rhel9stig_ssh_required 
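Review bot: `regexp: "[daemon]"` in the first loop entry is a character class, not a literal: it matches any line containing one of the letters d, a, e, m, o or n, and lineinfile replaces the last such line with `[daemon]`, so on a custom.conf that already holds e.g. `AutomaticLoginEnable=false` that setting is overwritten by a second section header. Escape and anchor it, `- { regexp: '^\[daemon\]', line: "[daemon]" }`, and apply the same escaping to any later entry that uses `after: "[daemon]"` (the rest of the loop is outside the hunk).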
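Review bot: This task writes `path: /etc/ssh/sshd_config` directly while the other sshd tasks in this commit use `{{ rhel9stig_sshd_config_file }}` and `validate: sshd -t -f %s`; where that variable points at a drop-in under sshd_config.d, the drop-in is read first and this `Banner` line is silently overridden, and a bad edit here is not caught before the restart. Use `path: "{{ rhel9stig_sshd_config_file }}"` and add `validate: sshd -t -f %s`. It also appears to duplicate the 25xxxx banner task that writes `banner {{ rhel9stig_sshd_config.banner_file }}`; one of the two should own the directive.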
@@ -271,10 +271,10 @@ - name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Set default" when: rhel9stig_212035_def_grub_vsyscall.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 vsyscall=none' path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 vsyscall=none' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Change default" @@ -282,10 +282,10 @@ - rhel9stig_212035_def_grub_vsyscall.rc == 0 - "'vsyscall=none' not in rhel9stig_212035_def_grub_vsyscall.stdout" ansible.builtin.lineinfile: - backrefs: true - line: '\1\2vsyscall=none\3' path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=)(".*)vsyscall=\w+(.*") + line: '\1\2vsyscall=none\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks." @@ -322,19 +322,19 @@ - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Set default" when: rhel9stig_212040_def_grub_poison.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 page_poison=1"' - regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 page_poison=1"' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Change default" when: rhel9stig_212040_def_grub_poison.rc == 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2page_poison=1\3' - regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*") path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*") + line: '\1\2page_poison=1\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks" 
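Review bot: `line: '\1\2 vsyscall=none'` drops the closing double quote that `regexp: ^(GRUB_CMDLINE_LINUX=")(.*)"` consumed outside any group, so the "Set default" path rewrites the line to `GRUB_CMDLINE_LINUX="... vsyscall=none` with an unterminated string, and the grub rebuild this task notifies then reads a broken /etc/default/grub. The sibling page_poison and slub_debug tasks get this right with `'\1\2 page_poison=1"'`; this one should be `line: '\1\2 vsyscall=none"'`.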
@@ -370,10 +370,11 @@ - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Set default" when: rhel9stig_212045_def_grub_slub.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 slub_debug=P"' - regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 slub_debug=P"' + backrefs: true + notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Change default" @@ -381,10 +382,10 @@ - "'slub_debug=P' not in rhel9stig_212045_def_grub_slub.stdout" - rhel9stig_212045_def_grub_slub.rc == 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2slub_debug=P\3' - regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*") path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*") + line: '\1\2slub_debug=P\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-213010 | PATCH | RHEL 9 must restrict access to the kernel message buffer." @@ -707,9 +708,9 @@ - V-257812 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: ProcessSizeMax=0 - regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+ path: /etc/systemd/coredump.conf + regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+ + line: ProcessSizeMax=0 create: true - name: "MEDIUM | RHEL-09-213090 | PATCH | RHEL 9 must storage core dumps." @@ -724,9 +725,9 @@ - V-257813 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: Storage=none - regexp: ^(#|)Storage=.* path: /etc/systemd/coredump.conf + regexp: ^(#|)Storage=.* + line: Storage=none create: true - name: "MEDIUM | RHEL-09-213095 | PATCH | RHEL 9 must disable core dumps for all users." 
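Review bot: With `create: true`, a host that has no /etc/systemd/coredump.conf ends up with a file whose only content is `ProcessSizeMax=0` and no `[Coredump]` section header; systemd logs an assignment outside of a section and ignores it, so the control is not actually enforced. The `Storage=none` task in the next hunk has the same gap. Either add `insertafter: '^\[Coredump\]'` here and precede it with a lineinfile that guarantees the header (`line: '[Coredump]'`, `regexp: '^\[Coredump\]'`, `insertbefore: BOF`), or write both settings as a drop-in under /etc/systemd/coredump.conf.d/ with the header included.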
@@ -741,9 +742,9 @@ - V-257814 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: '* hard core 0' - regexp: '^\* hard core (?!0)\d*' path: /etc/security/limits.conf + regexp: '^\* hard core (?!0)\d*' + line: '* hard core 0' - name: "MEDIUM | RHEL-09-213100 | PATCH | RHEL 9 must disable acquiring, saving, and processing core dumps." when: diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 5cfbcf4..96e5d3f 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -134,9 +134,9 @@ - V-257939 - NIST800-53R4_SC-5 ansible.builtin.lineinfile: - line: FirewallBackend=nftables - regexp: ^(#|)FirewallBackend=.* path: /etc/firewalld/firewalld.conf + regexp: ^(#|)FirewallBackend=.* + line: FirewallBackend=nftables - name: "MEDIUM | RHEL-09-251035 | AUDIT | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems." when: @@ -185,10 +185,10 @@ - item not in rhel9stig_promisc_if - rhel9stig_disruption_high ansible.builtin.lineinfile: - create: true - line: PROMISC=NO - regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE) path: "/etc/sysconfig/network-scripts/ifcfg-{{ item }}" + regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE) + line: PROMISC=NO + create: true notify: Restart_NetworkManager loop: "{{ ansible_facts.interfaces }}" 
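Review bot: Looping over `ansible_facts.interfaces` with `create: true` writes an `ifcfg-<name>` file for every interface the facts report, including `lo` and virtual interfaces, and on RHEL 9 NetworkManager stores connections as keyfiles and does not load the ifcfg-rh plugin by default, so the result is a set of stray files NM never reads while `Restart_NetworkManager` still bounces networking. Consider restricting the loop to interfaces that already have an ifcfg file (a `find` over /etc/sysconfig/network-scripts) and dropping `create: true`, with a comment noting that keyfile-managed interfaces need the equivalent `nmcli connection modify` instead; which plugin is active cannot be confirmed from this hunk.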
@@ -439,9 +439,9 @@ - name: "MEDIUM | RHEL-09-252055 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode." ansible.builtin.lineinfile: - line: ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot path: "{{ rhel9stig_tftp_systemd_file.stdout }}" regexp: ^ExecStart + line: ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot - name: "MEDIUM | RHEL-09-252060 | PATCH | RHEL 9 must forward mail from postmaster to the root account using a postfix alias." when: @@ -457,10 +457,10 @@ - NIST800-53R4_AU-5 notify: Update_aliases ansible.builtin.lineinfile: - create: true - line: 'postmaster: root' path: /etc/aliases regexp: postmaster:\s*root + line: 'postmaster: root' + create: true - name: "MEDIUM | RHEL-09-252065 | PATCH | RHEL 9 libreswan package must be installed." when: @@ -924,10 +924,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "banner {{ rhel9stig_sshd_config.banner_file }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)banner \/.*\/.* + line: "banner {{ rhel9stig_sshd_config.banner_file }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255030 | PATCH | RHEL 9 must log SSH connection attempts and failures to the server." @@ -944,10 +944,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)LogLevel.* + line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255035 | PATCH | RHEL 9 SSHD must accept public key authentication" 
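Review bot: `regexp: ^(?i)(#|)banner \/.*\/.*` places the inline flag after `^`; Python 3.11+ rejects global inline flags that are not at the very start of the pattern (`re.error: global flags not at the start of the expression`), older interpreters only warn. Because lineinfile runs on the managed host this passes on RHEL 9's default Python 3.9 but fails the task as soon as `ansible_python_interpreter` points at a 3.11/3.12 AppStream interpreter. Move the flag first, as the Cat1 `PermitEmptyPasswords` and the 21xxxx `Banner` tasks already do: `regexp: (?i)^(#|)banner /.*/.*`. The same change applies to every `^(?i)` pattern in the sshd tasks that follow (LogLevel, PubkeyAuthentication, PermitRootLogin, Include, HostbasedAuthentication, PermitUserEnvironment, RekeyLimit, ClientAlive*, Compression, GSSAPI/Kerberos, IgnoreRhosts, IgnoreUserKnownHosts, X11*, StrictModes, PrintLastLog, UsePrivilegeSeparation) and to `CREATE_HOME` in 4xxxxx.yml.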
@@ -970,10 +970,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PubkeyAuthentication\s*(yes|no) + line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255045 | PATCH | RHEL 9 must not permit direct logons to the root account using remote access via SSH." @@ -993,10 +993,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitRootLogin\s*(yes|no) + line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255055 | PATCH | RHEL 9 SSH daemon must be configured to use system-wide crypto policies." @@ -1013,10 +1013,10 @@ - ssh notify: Restart_sshd ansible.builtin.lineinfile: - create: true - line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + line: "Include {{ rhel9stig_sshd_config.include_conf }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255060 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections." @@ -1033,10 +1033,10 @@ - ssh notify: Restart_sshd ansible.builtin.lineinfile: - create: true - line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + line: "Include {{ rhel9stig_sshd_config.include_conf }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255065 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections." 
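Review bot: The two Include tasks (255055, 255060) notify `Restart_sshd`, while the neighbouring sshd tasks notify `Restart_ssh` and the Cat1 tasks notify `Sshd_restart`; a notify to a handler that does not exist fails the play, and only one of the three names can be the real one — the handlers file is not in this diff, so which is correct cannot be confirmed here. Pick one name and use it everywhere. Separately, 255055 and 255060 write the identical `Include {{ rhel9stig_sshd_config.include_conf }}` line to the same file, so one of them is redundant; 255060's title ("encryption ciphers ... client connections") suggests it was meant to set `Ciphers` in openssh.config instead.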
@@ -1052,9 +1052,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" path: /etc/crypto-policies/back-ends/openssh.config regexp: ^Ciphers + line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1069,9 +1069,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" path: /etc/crypto-policies/back-ends/openssh.config regexp: ^MACs + line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1086,9 +1086,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" path: /etc/crypto-policies/back-ends/opensshserver.config regexp: ^MACs + line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system." when: 
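Review bot: The hunk at -1052 sits under the RHEL-09-255065 task ("SSH server connections"), yet it writes `Ciphers` to `/etc/crypto-policies/back-ends/openssh.config`, which is the OpenSSH client back-end; the server back-end is `opensshserver.config`, as the 255075 MACs task below correctly uses. If this is indeed the 255065 task (its header is outside the hunk) the path should be `path: /etc/crypto-policies/back-ends/opensshserver.config`; as written, 255060 writes an Include and 255065 configures the client, so the server cipher list is never set. A comment that `update-crypto-policies` regenerates these back-end files would also help whoever next runs a policy change on the host.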
@@ -1104,10 +1104,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)HostbasedAuthentication\s*(yes|no) + line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255085 | PATCH | RHEL 9 must not allow users to override SSH environment variables." @@ -1124,10 +1124,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitUserEnvironments\s*(yes|no) + line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255090 | PATCH | RHEL 9 must force a frequent session key renegotiation for SSH connections to the server." @@ -1149,10 +1149,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)RekeyLimit.* + line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255095 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive." 
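Review bot: The regexp `^(?i)(#|)PermitUserEnvironments\s*(yes|no)` has a stray `s` in `PermitUserEnvironments`, so an existing `PermitUserEnvironment yes` is never matched and the new `PermitUserEnvironment no` is appended after it; sshd honours the first occurrence of a keyword, so the permissive value stays in effect and the control is not enforced. Fix the pattern (and move the flag to the front while here): `regexp: (?i)^(#|)PermitUserEnvironment\s*(yes|no)`.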
@@ -1173,10 +1173,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveCountMax\s\d* + line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255100 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive." @@ -1201,10 +1201,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveInterval\s\d* + line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255105 | PATCH | RHEL 9 SSH server configuration file must be group-owned by root." @@ -1319,10 +1319,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "Compression {{ rhel9stig_sshd_config.compress }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Compression\s*(yes|no) + line: "Compression {{ rhel9stig_sshd_config.compress }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255135 | PATCH | RHEL 9 SSH daemon must not allow GSSAPI authentication." @@ -1342,10 +1342,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)GSSAPIAuthentication\s*(yes|no) + line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255140 | PATCH | RHEL 9 SSH daemon must not allow Kerberos authentication." 
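Review bot: `regexp: ^(?i)(#|)Compression\s*(yes|no)` does not match `Compression delayed`, a value older configs commonly carry, so that line stays, and being earlier in the file it keeps winning over the appended `Compression {{ rhel9stig_sshd_config.compress }}`. Use `regexp: (?i)^(#|)Compression\s*(yes|no|delayed)`.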
@@ -1365,10 +1365,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "KerberosAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)KerberosAuthentication\s*(yes|no) + line: "KerberosAuthentication {{ rhel9stig_sshd_config.kerbauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255145 | PATCH | RHEL 9 SSH daemon must not allow rhosts authentication" @@ -1385,10 +1385,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)IgnoreRhosts\s*(yes|no) + line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255150 | PATCH | RHEL 9 SSH daemon must not allow known hosts authentication." @@ -1405,10 +1405,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)IgnoreUserKnownHosts\s*(yes|no) + line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255155 | PATCH | RHEL 9 SSH daemon must disable remote X connections for interactive users." @@ -1425,10 +1425,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11forwarding\s*(yes|no) + line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255160 | PATCH | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files." 
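Review bot: This task hard-codes `path: /etc/ssh/sshd_config.d/50-redhat.conf` while every other sshd task in this series writes `{{ rhel9stig_sshd_config_file }}`; 50-redhat.conf is owned by the openssh-server package, so a package update can replace or shadow the edit and the `IgnoreUserKnownHosts` setting quietly disappears, and `create: true` would also recreate a file the package expects to own. Use `path: "{{ rhel9stig_sshd_config_file }}"` here as well.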
@@ -1445,10 +1445,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)StrictModes\s*(yes|no) + line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255165 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." @@ -1465,10 +1465,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PrintLastLog\s*(yes|no) + line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255170 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." @@ -1485,10 +1485,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)UsePrivilegeSeparation\s*(yes|no) + line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255175 | PATCH | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display." @@ -1505,8 +1505,8 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11UseLocalhost\s*(yes|no) + line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" + create: true validate: sshd -t -f %s diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 8f35791..5db9328 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml 
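Review bot: `UsePrivilegeSeparation` stopped being a configurable option in OpenSSH 7.5 (privilege separation is always on), and RHEL 9 ships 8.x, so `sshd -t` only prints a deprecation warning and the directive has no effect; if the role keeps it as STIG evidence, a comment saying exactly that will stop the next maintainer from "fixing" it. The task title is also a copy of 255165's ("must display the date and time of the last successful account logon"), which does not describe what this task configures; rename it to say it sets privilege separation for 255170 (I could not confirm the official STIG wording from here).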
@@ -45,9 +45,9 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/login-screen/banner-message-enable path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/login-screen/banner-message-enable + create: true mode: '0644' modification_time: preserve state: present @@ -98,9 +98,9 @@ - NIST800-53R4_IA-3 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/media-handling/automount-open path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/desktop/media-handling/automount-open + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required." @@ -143,9 +143,9 @@ - NIST800-53R4_IA-3 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/media-handling/autorun-never path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/desktop/media-handling/autorun-never + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed." @@ -188,9 +188,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." 
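Review bot: `modification_time: preserve` is an argument of `ansible.builtin.file`, not of `ansible.builtin.lineinfile`; lineinfile's argument spec does not include it, so this task should fail with "Unsupported parameters for (ansible.builtin.lineinfile) module" on every run unless a newer release added it, which I could not confirm from here. Drop that line and keep `mode: '0644'` and `state: present`, or move the mtime handling into a separate `file` task. `path` also references `{{ item }}` but no loop is visible in the hunk; check that one follows, as the other lock tasks in this file have `loop: "{{ rhel9stig_dconf_db.stdout_lines }}"`.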
@@ -232,9 +232,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/screensaver/lock-enabled path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/desktop/screensaver/lock-enabled + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity." @@ -276,9 +276,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/session/idle-delay path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/desktop/session/idle-delay + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated." @@ -316,9 +316,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/screensaver/lock-delay path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/desktop/screensaver/lock-delay + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." @@ -346,9 +346,9 @@ - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/screensaver/picture-uri path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/desktop/screensaver/picture-uri + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles." 
@@ -402,9 +402,9 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/login-screen/disable-restart-buttons path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/login-screen/disable-restart-buttons + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot." @@ -442,9 +442,9 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/settings-daemon/plugins/media-keys/logout path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/settings-daemon/plugins/media-keys/logout + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces." diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml index 8f1ec70..0ffef69 100644 --- a/tasks/Cat2/RHEL-09-4xxxxx.yml +++ b/tasks/Cat2/RHEL-09-4xxxxx.yml @@ -12,9 +12,9 @@ - V-258041 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - line: "PASS_MAX_DAYS {{ rhel9stig_pass['max_days'] }}" path: /etc/login.defs regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9stig_pass['max_days'] }}" - name: "MEDIUM | RHEL-09-411015 | PATCH | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs." when: @@ -74,9 +74,9 @@ - V-258043 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - line: "CREATE_HOME yes" path: /etc/login.defs regexp: ^(?i)(|#)\s*CREATE_HOME (no|yes) + line: "CREATE_HOME yes" - name: "MEDIUM | RHEL-09-411025 | PATCH | RHEL 9 must set the umask value to 077 for all local interactive user accounts." when: 
@@ -288,9 +288,9 @@ - name: "MEDIUM | RHEL-09-411055 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory." ansible.builtin.lineinfile: - line: "PATH={{ rhel9stig_env_path }}" path: "{{ item.path }}" regexp: ^\s*PATH + line: "PATH={{ rhel9stig_env_path }}" loop: "{{ rhel9stig_user_initialization.files }}" - name: | @@ -383,9 +383,9 @@ - V-258054 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "deny = {{ rhel9stig_faillock.deny }}" path: /etc/security/faillock.conf regexp: '^\s*deny\s*=\s*([0-2]|[4-9]|{{ rhel9stig_faillock.deny }}[0-9]{1,})\d*' + line: "deny = {{ rhel9stig_faillock.deny }}" - name: "MEDIUM | RHEL-09-411080 | PATCH | RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." when: @@ -401,9 +401,9 @@ - V-258055 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: even_deny_root path: /etc/security/faillock.conf regexp: ^(#|)even_deny_root + line: even_deny_root - name: "MEDIUM | RHEL-09-411085 | PATCH | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." when: @@ -419,9 +419,9 @@ - V-258056 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: "fail_interval = {{ rhel9stig_faillock.fail_interval }}" path: /etc/security/faillock.conf regexp: '^fail_interval\s*=\s*' + line: "fail_interval = {{ rhel9stig_faillock.fail_interval }}" - name: "MEDIUM | RHEL-09-411090 | PATCH | RHEL 9 must maintain an account lock until the locked account is released by an administrator." when: 
@@ -441,9 +441,9 @@ block: - name: "MEDIUM | RHEL-09-411090 | PATCH | RHEL 9 must maintain an account lock until the locked account is released by an administrator." ansible.builtin.lineinfile: - line: "unlock_time = 0" path: /etc/security/faillock.conf regexp: '^unlock_time\s*=\s*[1-9]' + line: "unlock_time = 0" - name: "MEDIUM | RHEL-09-411090 | AUDIT | RHEL 9 must maintain an account lock until the locked account is released by an administrator. | not auth select profile" ansible.builtin.lineinfile: @@ -526,9 +526,9 @@ - name: "MEDIUM | RHEL-09-411105 | PATCH | RHEL 9 must ensure account lockouts persist." ansible.builtin.lineinfile: - line: "dir = {{ rhel9stig_faillock.dir }}" path: /etc/security/faillock.conf regexp: '^dir\s*=\s*' + line: "dir = {{ rhel9stig_faillock.dir }}" notify: Change_requires_reboot - name: "MEDIUM | RHEL-09-411110 | PATCH | RHEL 9 groups must have unique Group ID (GID)." @@ -637,11 +637,11 @@ - V-258065 - NIST800-53R4_AC-11 ansible.builtin.lineinfile: - create: true - line: "{{ item }}" - mode: '0644' path: /etc/tmux.conf regexp: "{{ item }}" + line: "{{ item }}" + create: true + mode: '0644' state: present loop: - 'set -g lock-command vlock' @@ -700,9 +700,9 @@ - V-258070 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: "audit" path: /etc/security/faillock.conf regexp: '^\s*audit' + line: "audit" - name: "MEDIUM | RHEL-09-412050 | PATCH | RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." when: @@ -716,9 +716,9 @@ - V-258071 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "FAIL_DELAY {{ rhel9stig_login_defs.fail_delay }}" path: /etc/login.defs regexp: \s*FAIL_DELAY + line: "FAIL_DELAY {{ rhel9stig_login_defs.fail_delay }}" - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell." when: 
@@ -734,9 +734,9 @@ block: - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/bashrc regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell.| Amend all instances" ansible.builtin.replace: @@ -758,9 +758,9 @@ block: - name: "MEDIUM | RHEL-09-412060 | PATCH | RHEL 9 must define default permissions for the c shell. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/csh.cshrc regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412060 | PATCH | RHEL 9 must define default permissions for the c shell.| Amend all instances" ansible.builtin.replace: @@ -782,9 +782,9 @@ block: - name: "MEDIUM | RHEL-09-412065 | PATCH | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Exists" ansible.builtin.lineinfile: - line: UMASK 077 path: /etc/login.defs regexp: UMASK \d\d\d + line: UMASK 077 - name: "MEDIUM | RHEL-09-412065 | PATCH | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Amend all instances" ansible.builtin.replace: @@ -806,9 +806,9 @@ block: - name: "MEDIUM | RHEL-09-412070 | PATCH | RHEL 9 must define default permissions for the system default profile. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/profile regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412070 | PATCH | RHEL 9 must define default permissions for the system default profile. | Amend all instances" ansible.builtin.replace: 
@@ -828,9 +828,9 @@ - V-258077 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "StopIdleSessionSec={{ rhel9stig_logind_conf.stopsessionidle }}" path: /etc/systemd/logind.conf regexp: ^(#|)StopIdleSessionSec\s*=\s*\d* + line: "StopIdleSessionSec={{ rhel9stig_logind_conf.stopsessionidle }}" - name: "MEDIUM | RHEL-09-431015 | PATCH | RHEL 9 must enable the SELinux targeted policy." when: @@ -844,9 +844,9 @@ - V-258079 - NIST800-53R4_SI-6 ansible.builtin.lineinfile: - line: SELINUXTYPE=targeted path: /etc/selinux/config regexp: ^(#|)SELINUXTYPE\s*=\s*\w+ + line: SELINUXTYPE=targeted - name: "MEDIUM | RHEL-09-431025 | PATCH | RHEL 9 must have policycoreutils package installed." when: @@ -934,9 +934,9 @@ - V-258084 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - line: Defaults timestamp_timeout=0 path: "{{ item }}" regexp: ^Defaults timestamp_timeout\s*=\s*(-|)\d + line: Defaults timestamp_timeout=0 loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'." 
@@ -953,23 +953,23 @@ block: - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | targetpw" ansible.builtin.lineinfile: - line: Defaults !targetpw path: "{{ item }}" regexp: ^(#|)Defaults !targetpw + line: Defaults !targetpw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | rootpw" ansible.builtin.lineinfile: - line: Defaults !rootpw path: "{{ item }}" regexp: ^(#|)Defaults !rootpw + line: Defaults !rootpw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | runaspw" ansible.builtin.lineinfile: - line: Defaults !runaspw path: "{{ item }}" regexp: ^(#|)Defaults !runaspw + line: Defaults !runaspw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432025 | PATCH | RHEL 9 must require users to reauthenticate for privilege escalation." @@ -984,8 +984,8 @@ - V-258086 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - line: '!authenticate' path: "{{ item }}" + line: '!authenticate' state: absent loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -1001,9 +1001,9 @@ - V-258087 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: '!authenticate' path: "{{ item }}" regexp: ALL\s*ALL=\(ALL(:ALL|)\)\s*ALL + line: '!authenticate' state: absent loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -1021,9 +1021,9 @@ - NIST800-53R4_IA-11 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - line: auth required pam_wheel.so use_uid path: /etc/pam.d/su regexp: ^(#|)(auth\s*required\s*)pam_wheel.so(.*) + line: auth required pam_wheel.so use_uid - name: "MEDIUM | RHEL-09-433010 | PATCH | RHEL 9 fapolicy module must be installed." when: 
diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index e4c6129..f3d84f6 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml @@ -22,11 +22,11 @@ - name: "MEDIUM | RHEL-09-611010 | PATCH | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" when: rhel9stig_pwquality_system_auth_status.stdout | length == 0 ansible.builtin.lineinfile: - backrefs: true - insertafter: '^password' - line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4' path: /etc/pam.d/system-auth regexp: '^(password\s+)(required|requisite)(\s+pam_pwquality.so.*)\sretry=\d(.*)' + line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4' + insertafter: '^password' + backrefs: true - name: "MEDIUM | RHEL-09-611010 | PATCH | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" when: rhel9stig_pwquality_system_auth_status.stdout | length > 0 @@ -240,10 +240,10 @@ block: - name: "MEDIUM | RHEL-09-611040 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the password-auth file." ansible.builtin.lineinfile: - backrefs: true - line: '\1required\2' path: /etc/pam.d/password-auth regexp: ^(password\s+)requisite(.*) + line: '\1required\2' + backrefs: true - name: "MEDIUM | RHEL-09-611040 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the password-auth file." community.general.pamd: 
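Review bot: In the RHEL-09-611010 "Set if no pw required pam_pwquality" hunk, `backrefs: true` is combined with `insertafter: '^password'`, and ansible.builtin.lineinfile leaves the file unchanged whenever backrefs is set and the regexp does not match, so `insertafter` never takes effect and this task cannot add the retry setting in the very case its `when` (empty pwquality status) selects. For the add-if-missing case, drop `backrefs` and give `line` a complete PAM entry without `\1`/`\3` backreferences, keeping the backref form only for the "Replace if already exists" task that follows. The literal quotes in `retry="{{ rhel9stig_pam.retry }}"` would also be written into the PAM line as-is; confirm pam_pwquality accepts a quoted value before relying on it. The same backrefs-plus-insertafter pattern appears in the cron hunk of RHEL-09-652060 and in the RHEL-09-671025 password-auth hunk. The enclosing tasks begin before the hunk.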
@@ -271,10 +271,10 @@ block: - name: "MEDIUM | RHEL-09-611045 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the system-auth file." ansible.builtin.lineinfile: - backrefs: true - line: '\1required\2' path: /etc/pam.d/system-auth regexp: ^(password\s+)requisite(.*) + line: '\1required\2' + backrefs: true - name: "MEDIUM | RHEL-09-611045 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the system-auth file." community.general.pamd: @@ -359,10 +359,10 @@ - NIST800-53R4_CM-6 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: enforce_for_root path: "{{ item }}" regexp: ^#\s*enforce_for_root + line: enforce_for_root + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611065 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used." @@ -378,10 +378,10 @@ - V-258102 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: lcredit = {{ rhel9stig_pwquality.lcredit }} path: "{{ item }}" regexp: \s*lcredit = + line: lcredit = "{{ rhel9stig_pwquality.lcredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611070 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one numeric character be used." @@ -397,10 +397,10 @@ - V-258103 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: dcredit = {{ rhel9stig_pwquality.dcredit }} path: "{{ item }}" regexp: \s*dcredit = + line: dcredit = "{{ rhel9stig_pwquality.dcredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611075 | PATCH | RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs." 
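Review bot: In the RHEL-09-611065 and RHEL-09-611070 hunks the double quotes were added inside a plain scalar, so `line: lcredit = "{{ rhel9stig_pwquality.lcredit }}"` keeps the quote characters after templating (e.g. a value of -1 is written as `lcredit = "-1"`) and they end up literally in pwquality.conf, where a quoted value is unlikely to parse as an integer and the control would then be silently unenforced while the play reports success. Quote the whole scalar instead, `line: "lcredit = {{ rhel9stig_pwquality.lcredit }}"`, which is the form this same commit already uses for SHA_CRYPT_MIN_ROUNDS and for overflow_action in RHEL-09-653075. The same misplaced quoting is introduced in the later login.defs, pwquality.conf and auditd.conf hunks (PASS_MIN_DAYS, minlen, PASS_MIN_LEN, ocredit, dictcheck, ucredit, difok, maxclassrepeat, maxrepeat, minclass, disk_error_action, disk_full_action, space_left, space_left_action, admin_space_left, admin_space_left_action, max_log_file_action, name_format, overflow_action, log_group, freq, log_format, write_logs); for auditd.conf an unparseable value can prevent auditd from starting, so the audit trail itself is at risk, not just one setting. Each of those enclosing tasks starts outside its hunk.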
@@ -416,10 +416,10 @@ - V-258104 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: PASS_MIN_DAYS {{ rhel9stig_pass.min_days }} path: /etc/login.defs regexp: \s*PASS_MIN_DAYS\s* + line: PASS_MIN_DAYS "{{ rhel9stig_pass.min_days }}" + backrefs: true - name: "MEDIUM | RHEL-09-611080 | PATCH | RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow." when: @@ -506,10 +506,10 @@ - rhel9stig_sudo_nopasswd.stdout | length > 0 - rhel9stig_disruption_high ansible.builtin.lineinfile: - backrefs: true - line: '#\1NOPASSWD\2' path: "{{ item }}" regexp: (.*)(?!#)NOPASSWD(.*) + line: '#\1NOPASSWD\2' + backrefs: true validate: visudo -cf %s loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -525,10 +525,10 @@ - V-258107 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - backrefs: true - line: minlen = {{ rhel9stig_pass.minlen }} path: /etc/security/pwquality.conf regexp: \s*minlen\s*=\s*([0-9]|1[0-4]) + line: minlen = "{{ rhel9stig_pass.minlen }}" + backrefs: true - name: "MEDIUM | RHEL-09-611095 | PATCH | RHEL 9 passwords for new users must have a minimum of 15 characters." when: @@ -542,10 +542,10 @@ - V-258108 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: PASS_MIN_LEN {{ rhel9stig_pass.minlen }} path: /etc/login.defs regexp: PASS_MIN_LEN + line: PASS_MIN_LEN "{{ rhel9stig_pass.minlen }}" + backrefs: true - name: "MEDIUM | RHEL-09-611100 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one special character be used." when: @@ -560,10 +560,10 @@ - V-258109 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ocredit = {{ rhel9stig_pwquality.ocredit }} path: "{{ item }}" regexp: \s*ocredit = + line: ocredit = "{{ rhel9stig_pwquality.ocredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611105 | PATCH | RHEL 9 must prevent the use of dictionary words for passwords." 
@@ -579,10 +579,10 @@ - V-258110 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - backrefs: true - line: dictcheck={{ rhel9stig_pwquality.dictcheck }} path: "{{ item }}" regexp: \s*dictcheck\s*=\s* + line: dictcheck="{{ rhel9stig_pwquality.dictcheck }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611110 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used." @@ -598,10 +598,10 @@ - V-258111 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ucredit = {{ rhel9stig_pwquality.ucredit }} path: "{{ item }}" regexp: \s*ucredit\s*=\s* + line: ucredit = "{{ rhel9stig_pwquality.ucredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611115 | PATCH | RHEL 9 must require the change of at least eight characters when passwords are changed." @@ -617,10 +617,10 @@ - V-258112 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: difok = {{ rhel9stig_pwquality.difok }} path: "{{ item }}" regexp: \s*difok\s*=\s* + line: difok = "{{ rhel9stig_pwquality.difok }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611120 | PATCH | RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." @@ -636,10 +636,10 @@ - V-258113 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: maxclassrepeat = {{ rhel9stig_pwquality.maxclassrepeat }} path: /etc/security/pwquality.conf regexp: \s*maxclassrepeat\s*=\s* + line: maxclassrepeat = "{{ rhel9stig_pwquality.maxclassrepeat }}" + backrefs: true - name: "MEDIUM | RHEL-09-611125 | PATCH | RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed." when: 
@@ -654,10 +654,10 @@ - V-258114 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: maxrepeat = {{ rhel9stig_pwquality.maxrepeat }} path: /etc/security/pwquality.conf regexp: \s*maxrepeat\s*=\s* + line: maxrepeat = "{{ rhel9stig_pwquality.maxrepeat }}" + backrefs: true - name: "MEDIUM | RHEL-09-611130 | PATCH | RHEL 9 must require the change of at least four character classes when passwords are changed." when: @@ -672,10 +672,10 @@ - V-258115 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: minclass = {{ rhel9stig_pwquality.minclass }} path: /etc/security/pwquality.conf regexp: \s*minclass\s*=\s* + line: minclass = "{{ rhel9stig_pwquality.minclass }}" + backrefs: true - name: "MEDIUM | RHEL-09-611135 | PATCH | RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." when: @@ -708,10 +708,10 @@ - V-258117 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ENCRYPT_METHOD SHA512 path: /etc/login.defs regexp: \s*ENCRYPT_METHOD + line: ENCRYPT_METHOD SHA512 + backrefs: true - name: "MEDIUM | RHEL-09-611145 | PATCH | RHEL 9 must not be configured to bypass password requirements for privilege escalation." when: @@ -726,10 +726,10 @@ - V-258118 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2' path: /etc/pam.d/sudo regexp: ^(.*)pam_succeed_if(.) + line: '\1\2' + backrefs: true - name: "MEDIUM | RHEL-09-611150 | PATCH | RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds." when: 
@@ -746,10 +746,10 @@ - NIST800-53R4_IA-5 - NIST800-53R4_IA-7 ansible.builtin.lineinfile: - backrefs: true - line: "SHA_CRYPT_MIN_ROUNDS {{ rhel9stig_pam.rounds }}" path: /etc/login.defs regexp: \s*SHA_CRYPT_MIN_ROUNDS + line: "SHA_CRYPT_MIN_ROUNDS {{ rhel9stig_pam.rounds }}" + backrefs: true - name: "MEDIUM | RHEL-09-611155 | PATCH | RHEL 9 must not have accounts configured with blank or null passwords." when: @@ -832,11 +832,11 @@ - V-258121 - NIST800-53R4_IA-2 ansible.builtin.lineinfile: - create: true - backrefs: true - line: card_drivers = cac,\3\4; path: /etc/opensc.conf regexp: ^(#|)card_drivers(\s*=\s*)(.*)cac(.*); + line: card_drivers = cac,\3\4; + create: true + backrefs: true - name: "MEDIUM | RHEL-09-611165 | PATCH | RHEL 9 must enable certificate based smart card authentication." when: @@ -855,10 +855,10 @@ - V-258122 - NIST800-53R4_IA-2 ansible.builtin.lineinfile: - backrefs: true - line: pam_cert_auth = True path: /etc/sssd/sssd.conf regexp: ^(?i)(#|)pam_cert_auth\s*=\s*false + line: pam_cert_auth = True + backrefs: true - name: "MEDIUM | RHEL-09-611170 | PATCH | RHEL 9 must implement certificate status checking for multifactor authentication." when: @@ -898,10 +898,10 @@ - name: "MEDIUM | RHEL-09-611170 | PATCH | RHEL 9 must implement certificate status checking for multifactor authentication. | Add if missing" when: rhel9stig_sssd_cert_verification_files.stdout | length > 0 ansible.builtin.lineinfile: - backrefs: true - line: '#\1' path: "{{ item.split(':').0 }}" regexp: ^((#|)certificate_verification =.*) + line: '#\1' + backrefs: true loop: "{{ rhel9stig_sssd_cert_verification_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611175 | PATCH | RHEL 9 must have the pcsc-lite package installed." 
@@ -972,10 +972,10 @@ - V-258128 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - backrefs: true - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency path: /usr/lib/systemd/system/emergency.service regexp: ^(#|)ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + backrefs: true - name: "MEDIUM | RHEL-09-611200 | PATCH | RHEL 9 must require authentication to access single-user mode" when: @@ -989,10 +989,10 @@ - V-258129 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - backrefs: true - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue path: /usr/lib/systemd/system/rescue.service regexp: ^(#|)ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + backrefs: true - name: "MEDIUM | RHEL-09-611205 | PATCH | RHEL 9 must require authentication to access single-user mode" when: diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index 34169df..e38db74 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -199,9 +199,8 @@ - rsyslog notify: Restart_rsyslog ansible.builtin.lineinfile: - line: 'auth.*;authpriv.*;daemon.* /var/log/secure' path: /etc/rsyslog.conf - + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' ## Required for 652035 to run - name: "MEDIUM | RHEL-09-653130 | PATCH | RHEL 9 audispd-plugins package must be installed" when: @@ -237,9 +236,9 @@ - rsyslog notify: Restart_rsyslog ansible.builtin.lineinfile: - line: 'active = yes' path: /etc/audit/plugins.d/syslog.conf regexp: 'active\s*=' + line: 'active = yes' - name: "MEDIUM | RHEL-09-652040 | AUDIT | RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog." when: 
@@ -406,9 +405,9 @@ - NIST800-53R4_CM-6 - rsyslog ansible.builtin.lineinfile: - line: "*.* {{ rhel9stig_remotelog_server.protocol }}{{ rhel9stig_remotelog_server.server }}:{{ rhel9stig_remotelog_server.port }}" path: /etc/rsyslog.conf regexp: '^.*\@\@' + line: "*.* {{ rhel9stig_remotelog_server.protocol }}{{ rhel9stig_remotelog_server.server }}:{{ rhel9stig_remotelog_server.port }}" - name: "MEDIUM | RHEL-09-652060 | PATCH | RHEL 9 must use cron logging." when: @@ -423,11 +422,11 @@ - NIST800-53R4_CM-6 - rsyslog ansible.builtin.lineinfile: - backrefs: true - insertafter: "# Log cron stuff" - line: 'cron.*\1/var/log/cron' path: /etc/rsyslog.conf regexp: 'cron\.\*(\s+)' + line: 'cron.*\1/var/log/cron' + backrefs: true + insertafter: "# Log cron stuff" - name: "MEDIUM | RHEL-09-653010 | PATCH | RHEL 9 audit package must be installed." when: @@ -585,9 +584,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }} path: /etc/audit/auditd.conf regexp: ^\s*disk_error_action + line: disk_error_action = "{{ rhel9stig_audit_conf.disk_error_action }}" - name: "MEDIUM | RHEL-09-653025 | PATCH | RHEL 9 audit system must take appropriate action when the audit storage volume is full." when: @@ -602,9 +601,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: disk_full_action = {{ rhel9stig_audit_conf.disk_full_action }} path: /etc/audit/auditd.conf regexp: ^\s*disk_full_action + line: disk_full_action = "{{ rhel9stig_audit_conf.disk_full_action }}" - name: "MEDIUM | RHEL-09-653030 | AUDIT | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records." when: 
@@ -655,9 +654,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: space_left = {{ rhel9stig_audit_conf.space_left }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)space_left\s*= + line: space_left = "{{ rhel9stig_audit_conf.space_left }}" - name: "MEDIUM | RHEL-09-653040 | PATCH | RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." when: @@ -672,9 +671,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: space_left_action = {{ rhel9stig_audit_conf.space_left_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)space_left_action\s*= + line: space_left_action = "{{ rhel9stig_audit_conf.space_left_action }}" - name: "MEDIUM | RHEL-09-653045 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity." when: @@ -689,9 +688,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: admin_space_left = {{ rhel9stig_audit_conf.admin_space_left }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)admin_space_left\s*= + line: admin_space_left = "{{ rhel9stig_audit_conf.admin_space_left }}" - name: "MEDIUM | RHEL-09-653050 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity." when: @@ -706,9 +705,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: admin_space_left_action = {{ rhel9stig_audit_conf.admin_space_left_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)admin_space_left_action\s* + line: admin_space_left_action = "{{ rhel9stig_audit_conf.admin_space_left_action }}" - name: "MEDIUM | RHEL-09-653055 | PATCH | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size." when: 
@@ -723,9 +722,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: max_log_file_action = {{ rhel9stig_audit_conf.max_log_file_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)max_log_file_action + line: max_log_file_action = "{{ rhel9stig_audit_conf.max_log_file_action }}" - name: "MEDIUM | RHEL-09-653060 | PATCH | RHEL 9 must label all offloaded audit logs before sending them to the central log server." when: @@ -741,9 +740,9 @@ - NIST800-53R4_AU-4 - auditd ansible.builtin.lineinfile: - line: name_format = {{ rhel9stig_audit_conf.name_format }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)name_format + line: name_format = "{{ rhel9stig_audit_conf.name_format }}" - name: "MEDIUM | RHEL-09-653065 | PATCH | RHEL 9 must take appropriate action when the internal event queue is full." when: @@ -758,9 +757,9 @@ - NIST800-53R4_AU-4 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = "{{ rhel9stig_audit_conf.overflow_action }}" - name: "MEDIUM | RHEL-09-653070 | PATCH | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." when: @@ -778,9 +777,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = "{{ rhel9stig_audit_conf.overflow_action }}" - name: "MEDIUM | RHEL-09-653075 | PATCH | RHEL 9 audit system must audit local events." when: 
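Review bot: The RHEL-09-653070 hunk writes `overflow_action = ...` to /etc/audit/auditd.conf with the same regexp as RHEL-09-653065 directly above it, and the RHEL-09-653075 hunk that follows does the same, so three tasks with different titles (event queue full, alert on audit processing failure, audit local events) all manage a single key. That looks like a copy-paste of the 653065 task; if so, the settings the two other STIG IDs require are never applied even though the play marks them done, so the intended key for each should be confirmed against the STIG text before this ships. Whatever the outcome, a one-line comment above each task naming the auditd.conf key it is meant to enforce would make the duplication obvious at review time. The enclosing tasks start outside the hunks.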
@@ -798,9 +797,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: "overflow_action = {{ rhel9stig_audit_conf.overflow_action }}" - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access." when: @@ -822,9 +821,9 @@ block: - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | set logfile_group" ansible.builtin.lineinfile: - line: log_group = {{ rhel9stig_audit_conf.logfile_group }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)log_group + line: log_group = "{{ rhel9stig_audit_conf.logfile_group }}" - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Set perms" ansible.builtin.file: @@ -886,9 +885,9 @@ - NIST800-53R4_AU-6 - auditd ansible.builtin.lineinfile: - line: freq = {{ rhel9stig_audit_conf.freq }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)freq\s*= + line: freq = "{{ rhel9stig_audit_conf.freq }}" - name: "MEDIUM | RHEL-09-653100 | PATCH | RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event." when: @@ -906,9 +905,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: log_format = {{ rhel9stig_audit_conf.log_format }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)log_format\s*= + line: log_format = "{{ rhel9stig_audit_conf.log_format }}" - name: "MEDIUM | RHEL-09-653105 | PATCH | RHEL 9 must write audit records to disk." when: 
@@ -923,9 +922,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: write_logs = {{ rhel9stig_audit_conf.write_logs }} path: /etc/audit/auditd.conf regexp: ^\s*write_logs + line: write_logs = "{{ rhel9stig_audit_conf.write_logs }}" - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." when: @@ -981,6 +980,6 @@ - NIST800-53R4_AU-5 - postfix ansible.builtin.lineinfile: - line: 'root: ISSO' path: /etc/aliases regexp: '^root:\s.*' + line: 'root: ISSO' diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index cd6fdac..c3f75f6 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -55,9 +55,9 @@ - fips - tunnel ansible.builtin.lineinfile: - line: include /etc/crypto-policies/back-ends/libreswan.config path: /etc/ipsec.conf regexp: ^(|\s*)include /etc/crypto-policies/back-ends + line: include /etc/crypto-policies/back-ends/libreswan.config - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: 
@@ -81,11 +81,11 @@
- name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication."
when: rhel9stig_pamunix_fips_auth_status.stdout | length == 0
ansible.builtin.lineinfile:
- backrefs: true
- insertafter: '^password'
- line: '\1required\3 sha512"\4'
path: /etc/pam.d/password-auth
regexp: '^(password\s+)(sufficient)(\s+pam_pwquality.so.*)\ssha512\d(.*)'
+ line: '\1required\3 sha512"\4'
+ insertafter: '^password'
+ backrefs: true
- name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication."
when: rhel9stig_pamunix_fips_auth_status.stdout | length > 0
@@ -208,9 +208,9 @@
- ssl
notify: Change_requires_reboot
ansible.builtin.lineinfile:
- line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config'
path: /etc/pki/tls/openssl.cnf
regexp: ^(|\s*)\.include = /etc/crypto-policies
+ line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config'
- name: "MEDIUM | RHEL-09-672040 | PATCH | RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package."
when:
@@ -226,9 +226,9 @@
- ssl
notify: Change_requires_reboot
ansible.builtin.lineinfile:
- line: "{{ item.line }}"
path: /etc/crypto-policies/back-ends/opensslcnf.config
regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
loop:
- {line: 'TLS.MinProtocol = TLSv1.2', regexp: '^(\s*|#)TLS.MinProtocol = '}
- {line: 'DTLS.MinProtocol = DTLSv1.2', regexp: '^(\s*|#)DTLS.MinProtocol = '}
@@ -298,6 +298,6 @@
- bind
- encryption
ansible.builtin.lineinfile:
- line: 'include "/etc/crypto-policies/back-ends/bind.config";'
path: /etc/named.conf
regexp: ^(|\s*)include = /etc/crypto-policies
+ line: 'include "/etc/crypto-policies/back-ends/bind.config";'
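Review bot: The re-added `line: '\1required\3 sha512"\4'` in the first RHEL-09-671025 task carries a stray double quote after sha512 that would be written verbatim into /etc/pam.d/password-auth. With `backrefs: true` lineinfile only rewrites a line that matches `regexp` and otherwise leaves the file untouched (`insertafter` is ignored in that mode), yet the regexp (a context line) requires `pam_pwquality.so` and `sha512` followed by a digit while this task runs only when `rhel9stig_pamunix_fips_auth_status.stdout` is empty, so on the host it is meant to fix it appears to change nothing. At minimum drop the quote, `line: '\1required\3 sha512\4'`, and revisit whether the regexp should target pam_unix.so as the task title says.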
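Review bot: In the named.conf hunk the re-added `line: 'include "/etc/crypto-policies/back-ends/bind.config";'` can never match its own `regexp: ^(|\s*)include = /etc/crypto-policies`, because the regexp demands `include = ` and the line contains `include "`. lineinfile will therefore append a fresh include line on every run instead of converging, and an existing commented or variant line is not replaced. A regexp shaped like the line, e.g. `regexp: '^(|\s*)include\s+"/etc/crypto-policies'`, would make the task idempotent; the openssl.cnf and ipsec.conf hunks do match their lines and need no change.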
diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml
index 8b29b1e..d38cbe0 100644
--- a/tasks/Cat3/RHEL-09-2xxxxx.yml
+++ b/tasks/Cat3/RHEL-09-2xxxxx.yml
@@ -103,9 +103,9 @@
- NIST800-53R4_SI-2
- dnf
ansible.builtin.lineinfile:
- line: clean_requirements_on_remove=1
path: /etc/dnf/dnf.conf
regexp: ^(#|\s*)clean_requirements_on_remove
+ line: clean_requirements_on_remove=1
- name: "LOW | RHEL-09-231020 | AUDIT | RHEL 9 must use a separate file system for /var."
when:
@@ -214,9 +214,9 @@
- NIST800-53R4_CM-7
- chrony
ansible.builtin.lineinfile:
- line: 'port 0'
path: /etc/chrony.conf
regexp: ^(#|\s*)port \d*
+ line: 'port 0'
- name: "LOW | RHEL-09-252030 | PATCH | RHEL 9 must disable network management of the chrony daemon."
when:
@@ -233,9 +233,9 @@
- NIST800-53R4_CM-7
- chrony
ansible.builtin.lineinfile:
- line: 'cmdport 0'
path: /etc/chrony.conf
regexp: ^(#|\s*)cmdport \d*
+ line: 'cmdport 0'
- name: "LOW | RHEL-09-291025 | PATCH | RHEL 9 must disable network management of the chrony daemon."
when:
@@ -250,6 +250,6 @@
- NIST800-53R4_AU-12
- usb
ansible.builtin.lineinfile:
- line: AuditBackend=LinuxAudit
path: /etc/usbguard/usbguard-daemon.conf
regexp: AuditBackend=
+ line: AuditBackend=LinuxAudit
diff --git a/tasks/Cat3/RHEL-09-4xxxxx.yml b/tasks/Cat3/RHEL-09-4xxxxx.yml
index 657ada8..79a2c64 100644
--- a/tasks/Cat3/RHEL-09-4xxxxx.yml
+++ b/tasks/Cat3/RHEL-09-4xxxxx.yml
@@ -34,9 +34,9 @@
- NIST800-53R4_AC-10
- limits
ansible.builtin.lineinfile:
- line: "* hard maxlogins 10"
path: /etc/security/limits.conf
regexp: '^\s*\*\s+hard\s+maxlogins\s+\d{1,}'
+ line: "* hard maxlogins 10"
- name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
when:
@@ -53,10 +53,10 @@
block:
- name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
ansible.builtin.lineinfile:
- insertbefore: BOF
- line: session required pam_lastlog.so showfailed
path: /etc/pam.d/postlogin
regex: session required pam_lastlog.so showfailed
+ line: session required pam_lastlog.so showfailed
+ insertbefore: BOF
- name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
ansible.builtin.replace:
From b669ab421199bde06c2ab36de45be233e5c5e2fd Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 11:59:21 +0100
Subject: [PATCH 34/41] remove requirement for jmespath
Signed-off-by: Mark Bolwell
---
tasks/Cat2/RHEL-09-23xxxx.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index e4d3946..07d1d5b 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -1896,7 +1896,7 @@
- name: "RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner."
when: rhel9stig_ungrouped_files_found is defined
ansible.builtin.debug:
- msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
+ msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}"
- name: "RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner."
when: rhel9stig_ungrouped_files_found is defined
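Review bot: The new `{{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}` in the RHEL-09-232250 warning assumes the register has a top-level `stdout_lines`, but the expression it replaces, `json_query('results[*].stdout_lines[*]') | flatten`, only makes sense if the audit task was registered from a loop, in which case the variable holds a `results` list and the new message fails with an undefined attribute. If the registering task (outside this hunk) does loop, the jmespath-free equivalent is `{{ rhel9stig_ungrouped_files_dirs_audit.results | map(attribute='stdout_lines') | flatten }}`. The same replacement is made in the RHEL-09-232255 hunk below and needs the same check.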
@@ -1942,7 +1942,7 @@
- name: "RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner."
when: rhel9stig_unowned_files_found is defined
ansible.builtin.debug:
- msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
+ msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}"
- name: "RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner."
when: rhel9stig_unowned_files_found is defined
From d539918410a66a4a0a4cba60a0eac6a4570ab760 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 12:00:20 +0100
Subject: [PATCH 35/41] fix typo
Signed-off-by: Mark Bolwell
---
defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 3def906..23b8064 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -57,7 +57,7 @@ rhel9stig_system_is_router: false
###########################################
### Goss is required on the remote host ###
-### vars/auditd.yml for other settings ###
+### vars/audit.yml for other settings ###
# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false
From 11313ba8618cf6aa6562385bb3e085c6127c4853 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 12:01:46 +0100
Subject: [PATCH 36/41] updated and removed jmespath requirement
Signed-off-by: Mark Bolwell
---
tasks/post_remediation_audit.yml | 24 +++++++++++-------------
tasks/pre_remediation_audit.yml | 31 +++++++++++++++----------------
vars/audit.yml | 4 ++--
3 files changed, 28 insertions(+), 31 deletions(-)
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 50a3fa2..5e5623b 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
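Review bot: The rewritten message for RHEL-09-232255 still says "Missing group" and reads `rhel9stig_ungrouped_files_dirs_audit`, while the task is gated on `rhel9stig_unowned_files_found` and its title is about a valid owner, so the owner check would print the group-audit results. The copy-paste predates this commit, but the line is being rewritten here and is the natural place to fix it, e.g. `msg: "Warning!! Missing owner on items in {{ <unowned-files register>.stdout_lines }}"` with the real variable name taken from the audit task outside this hunk.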
@@ -8,7 +8,7 @@
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml
-- name: Post Audit | Ensure audit files readable by users
+- name: Post Audit | ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: '0644'
@@ -21,26 +21,24 @@
when:
- audit_format == "json"
block:
- - name: Post Audit | Capture data {{ post_audit_outfile }}
- ansible.builtin.shell: "cat {{ post_audit_outfile }}"
- register: discovered_post_audit
+ - name: Post Audit | Capture audit data if json format
+ ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
+ register: post_audit_summary
changed_when: false
- - name: Post Audit | Capture post-audit result
+ - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
- post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
- vars:
- summary: summary."summary-line"
+ post_audit_results: "{{ post_audit_summary.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- - name: Post Audit | Capture data {{ post_audit_outfile }}
- ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
- register: discovered_post_audit
+ - name: Post Audit | Capture audit data if documentation format
+ ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
+ register: post_audit_summary
changed_when: false
- - name: Post Audit | Capture post-audit result
+ - name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
- post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
+ post_audit_results: "{{ post_audit_summary.stdout }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 9515a35..6f215c3 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
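Review bot: The documentation-format capture now hardcodes `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation`, a path from some other benchmark's test run, in place of the `{{ post_audit_outfile }}` the removed line used, so on any real host the task reads a missing or stale file and the post-remediation summary is wrong. It should be `ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"`, or the `tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '` form used in pre_remediation_audit.yml so both summaries have the same shape. In the json branch, `grep ... | cut` runs under the default shell without pipefail, so a results file with no summary-line exits 0 and `post_audit_results` is silently empty; `set -o pipefail` at the start of the command (with `executable: /bin/bash`) or a `failed_when` on empty stdout would surface that, and the same applies to the pre-remediation file.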
@@ -60,19 +60,20 @@
- name: Pre Audit Setup | Check for goss file
ansible.builtin.stat:
path: "{{ audit_bin }}"
- register: discovered_goss_available
+ register: goss_available
- name: Pre Audit Setup | If audit ensure goss is available
+ when:
+ - not goss_available.stat.exists
ansible.builtin.assert:
- that: discovered_goss_available.stat.exists
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
- name: Pre Audit Setup | Copy ansible default vars values to test audit
- when:
- - run_audit
tags:
- goss_template
- run_audit
+ when:
+ - run_audit
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
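Review bot: The rewritten goss check removes `that:` from `ansible.builtin.assert` and leaves only `msg:`, but `that` is the module's required argument; when the binary is missing the task now fails on argument validation rather than with the intended message, and when it is present the task is skipped by the new `when`. Either restore `that: goss_available.stat.exists` and drop the `when:` block, or keep the `when:` and switch the module to `ansible.builtin.fail` with the same `msg`.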
@@ -90,29 +91,27 @@
when:
- audit_format == "json"
block:
- - name: Pre Audit | Capture data {{ pre_audit_outfile }}
- ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
- register: discovered_pre_audit
+ - name: Pre Audit | Capture audit data if json format
+ ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
+ register: pre_audit_summary
changed_when: false
- - name: Pre Audit | Capture pre-audit result
+ - name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
- pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
- vars:
- summary: summary."summary-line"
+ pre_audit_results: "{{ pre_audit_summary.stdout }}"
- name: Pre Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
- ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
- register: discovered_pre_audit
+ - name: Pre Audit | Capture audit data if documentation format
+ ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
+ register: pre_audit_summary
changed_when: false
- - name: Pre Audit | Capture pre-audit result | documentation format
+ - name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
- pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
+ pre_audit_results: "{{ pre_audit_summary.stdout }}"
- name: Audit_Only | Run Audit Only
when:
diff --git a/vars/audit.yml b/vars/audit.yml
index d41ef37..9dc666a 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -34,7 +34,7 @@ audit_format: json
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
- The {% if not audit_only %}pre remediation{% endif %} audit results are: {{ pre_audit_summary }}
- {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
+ The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}}
+ {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }}
From be9654de255bfa71cc8ae7d1b666177234d5ff13 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 12:24:13 +0100
Subject: [PATCH 37/41] updated quoting for auditd
Signed-off-by: Mark Bolwell
---
tasks/Cat2/RHEL-09-65xxxx.yml | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
index e38db74..95d196f 100644
--- a/tasks/Cat2/RHEL-09-65xxxx.yml
+++ b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -586,7 +586,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^\s*disk_error_action
- line: disk_error_action = "{{ rhel9stig_audit_conf.disk_error_action }}"
+ line: disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }}
- name: "MEDIUM | RHEL-09-653025 | PATCH | RHEL 9 audit system must take appropriate action when the audit storage volume is full."
when:
@@ -603,7 +603,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^\s*disk_full_action
- line: disk_full_action = "{{ rhel9stig_audit_conf.disk_full_action }}"
+ line: disk_full_action = {{ rhel9stig_audit_conf.disk_full_action }}
- name: "MEDIUM | RHEL-09-653030 | AUDIT | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records."
when:
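Review bot: `{{ pre_audit_results}}` in the rewritten first line of `audit_results` is missing the space before `}}` that `{{ post_audit_results }}` on the next line has; Jinja tolerates it, but linters flag the inconsistent spacing and it reads as a typo. `{{ pre_audit_results }}` keeps the two lines in the same style.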
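Review bot: Dropping the quotes from inside the auditd value is the right fix for what gets written, but the resulting `line: disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }}` is a plain YAML scalar with a template mid-value, the form the role's linting conventions and most style guides ask to avoid. Quoting at the YAML level, `line: "disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }}"`, writes identical text to /etc/audit/auditd.conf and is the form the RHEL-09-653075 task had until this commit stripped it. The same applies to every `line:` hunk in this file from -603 through -924.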
@@ -656,7 +656,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)space_left\s*=
- line: space_left = "{{ rhel9stig_audit_conf.space_left }}"
+ line: space_left = {{ rhel9stig_audit_conf.space_left }}
- name: "MEDIUM | RHEL-09-653040 | PATCH | RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization."
when:
@@ -673,7 +673,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)space_left_action\s*=
- line: space_left_action = "{{ rhel9stig_audit_conf.space_left_action }}"
+ line: space_left_action = {{ rhel9stig_audit_conf.space_left_action }}
- name: "MEDIUM | RHEL-09-653045 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity."
when:
@@ -690,7 +690,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)admin_space_left\s*=
- line: admin_space_left = "{{ rhel9stig_audit_conf.admin_space_left }}"
+ line: admin_space_left = {{ rhel9stig_audit_conf.admin_space_left }}
- name: "MEDIUM | RHEL-09-653050 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity."
when:
@@ -707,7 +707,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)admin_space_left_action\s*
- line: admin_space_left_action = "{{ rhel9stig_audit_conf.admin_space_left_action }}"
+ line: admin_space_left_action = {{ rhel9stig_audit_conf.admin_space_left_action }}
- name: "MEDIUM | RHEL-09-653055 | PATCH | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size."
when:
@@ -724,7 +724,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)max_log_file_action
- line: max_log_file_action = "{{ rhel9stig_audit_conf.max_log_file_action }}"
+ line: max_log_file_action = {{ rhel9stig_audit_conf.max_log_file_action }}
- name: "MEDIUM | RHEL-09-653060 | PATCH | RHEL 9 must label all offloaded audit logs before sending them to the central log server."
when:
@@ -742,7 +742,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)name_format
- line: name_format = "{{ rhel9stig_audit_conf.name_format }}"
+ line: name_format = {{ rhel9stig_audit_conf.name_format }}
- name: "MEDIUM | RHEL-09-653065 | PATCH | RHEL 9 must take appropriate action when the internal event queue is full."
when:
@@ -759,7 +759,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)overflow_action
- line: overflow_action = "{{ rhel9stig_audit_conf.overflow_action }}"
+ line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }}
- name: "MEDIUM | RHEL-09-653070 | PATCH | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
when:
@@ -779,7 +779,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)overflow_action
- line: overflow_action = "{{ rhel9stig_audit_conf.overflow_action }}"
+ line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }}
- name: "MEDIUM | RHEL-09-653075 | PATCH | RHEL 9 audit system must audit local events."
when:
@@ -799,7 +799,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)overflow_action
- line: "overflow_action = {{ rhel9stig_audit_conf.overflow_action }}"
+ line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }}
- name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access."
when:
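Review bot: Three consecutive hunks here (-759, -779, -799) all rewrite `line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }}` under `regexp: ^(#|\s*)overflow_action`, but the trailing context shows the latter two belong to the tasks immediately before the RHEL-09-653075 and RHEL-09-653080 titles — presumably the 653070 (alert SA/ISSO on audit failure) and 653075 (audit local events) tasks, whose auditd.conf settings are `action_mail_acct` and `local_events`, not the queue-overflow action. The task names sit outside these hunks, so this needs confirming against the file, but as written the role would set `overflow_action` three times and never touch the two settings those controls require. If confirmed, the two tasks need their own keys in `rhel9stig_audit_conf`, their own regexps, and matching `line:` values.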
@@ -823,7 +823,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)log_group
- line: log_group = "{{ rhel9stig_audit_conf.logfile_group }}"
+ line: log_group = {{ rhel9stig_audit_conf.logfile_group }}
- name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Set perms"
ansible.builtin.file:
@@ -869,8 +869,8 @@
- NIST800-53R4_SI-11
- auditd
ansible.builtin.file:
- mode: go-rwx
path: "{{ discovered_auditd_logfile.stdout }}"
+ mode: go-rwx
- name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
when:
@@ -887,7 +887,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)freq\s*=
- line: freq = "{{ rhel9stig_audit_conf.freq }}"
+ line: freq = {{ rhel9stig_audit_conf.freq }}
- name: "MEDIUM | RHEL-09-653100 | PATCH | RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event."
when:
@@ -907,7 +907,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^(#|\s*)log_format\s*=
- line: log_format = "{{ rhel9stig_audit_conf.log_format }}"
+ line: log_format = {{ rhel9stig_audit_conf.log_format }}
- name: "MEDIUM | RHEL-09-653105 | PATCH | RHEL 9 must write audit records to disk."
when:
@@ -924,7 +924,7 @@
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: ^\s*write_logs
- line: write_logs = "{{ rhel9stig_audit_conf.write_logs }}"
+ line: write_logs = {{ rhel9stig_audit_conf.write_logs }}
- name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
when:
@@ -964,10 +964,10 @@
- NIST800-53R4_AU-12
- auditd
ansible.builtin.file:
- mode: '0640'
path: /etc/audit/auditd.conf
+ mode: u-x,g-wx,o-rwx
-- name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure."
when:
- rhel_09_653125
tags:
From 332e9ff95571f693d8297e86ef35efa33554d19f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 12:25:04 +0100
Subject: [PATCH 38/41] lint
Signed-off-by: Mark Bolwell
---
tasks/post_remediation_audit.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 5e5623b..a6f9461 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -8,7 +8,7 @@
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml
-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: '0644'
From c742a4e13a61042ebbbebefed0da0134f7c4cb97 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 12:25:59 +0100
Subject: [PATCH 39/41] tidy up dependency list
Signed-off-by: Mark Bolwell
---
README.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/README.md b/README.md
index bf896d0..2528458 100644
--- a/README.md
+++ b/README.md
@@ -84,12 +84,10 @@ This audit will not only check the config has the correct setting but aims to ca
The following packages must be installed on the controlling host/host where ansible is executed:
-- python2-passlib (or just passlib, if using python3)
- python-lxml
- python-xmltodict
-- python-jmespath
-Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
+Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. These are all required on the controller host that executes Ansible.
## Role Variables
From 0bbfaa000ae9f72981f1cd02929bf2e581321148 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 11 Jul 2024 14:02:40 +0100
Subject: [PATCH 40/41] Updated Title
Signed-off-by: Mark Bolwell
---
tasks/Cat2/RHEL-09-23xxxx.yml | 166 +++++++++++++++++-----------------
1 file changed, 83 insertions(+), 83 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index 07d1d5b..3bbcd47 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -1030,7 +1030,7 @@
- V-257889
- NIST800-53R4_CM-6
block:
- - name: "RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | Check for files"
+ - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | Check for files"
ansible.builtin.find:
depth: 3
file_type: file
@@ -1040,7 +1040,7 @@
recurse: true
register: user_dot_files
- - name: "RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions"
+ - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions"
ansible.builtin.file:
path: "{{ item.path }}"
mode: g-wx,o-rwx
@@ -1049,7 +1049,7 @@
loop_control:
label: "{{ item.path }}"
-- name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive."
+- name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive."
when:
- rhel_09_232050
- rhel9stig_disruption_high
@@ -1062,13 +1062,13 @@
- V-257890
- NIST800-53R4_CM-6
block:
- - name: "RHEL-09-232050 | AUDIT | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | get stat"
+ - name: "MEDIUM | RHEL-09-232050 | AUDIT | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | get stat"
ansible.builtin.stat:
path: "{{ item }}"
register: rhel9stig_home_dir_perms
loop: "{{ rhel9stig_interactive_users_home.stdout_lines }}"
- - name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed"
+ - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed"
when:
- item.stat.path is defined
- item.stat.mode > '0750'
@@ -1081,7 +1081,7 @@
label: "{{ item }}"
# set default ACLs so the homedir has an effective umask of 0027
- - name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set group ACL"
+ - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set group ACL"
when:
- not system_is_container
- item.stat.path is defined
@@ -1095,7 +1095,7 @@
loop_control:
label: "{{ item }}"
- - name: "RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set other ACL"
+ - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Set other ACL"
when:
- not system_is_container
- item.stat.path is defined
@@ -1109,7 +1109,7 @@
loop_control:
label: "{{ item }}"
-- name: "RHEL-09-232055 | PATCH | RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232055 | PATCH | RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access."
when:
- rhel_09_232055
tags:
@@ -1124,7 +1124,7 @@
mode: u=rw,go-wx
path: /etc/group
-- name: "RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access."
when:
- rhel_09_232060
tags:
@@ -1139,7 +1139,7 @@
mode: u=rw,go-wx
path: /etc/group-
-- name: "RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
when:
- rhel_09_232065
tags:
@@ -1154,7 +1154,7 @@
mode: '0000'
path: /etc/gshadow
-- name: "RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
when:
- rhel_09_232070
tags:
@@ -1169,7 +1169,7 @@
mode: '0000'
path: /etc/gshadow-
-- name: "RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
when:
- rhel_09_232075
tags:
@@ -1184,7 +1184,7 @@
mode: u=rw,go-wx
path: /etc/passwd
-- name: "RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access."
when:
- rhel_09_232080
tags:
@@ -1199,7 +1199,7 @@
mode: u=rw,go-wx
path: /etc/passwd-
-- name: "RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
+- name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
when:
- rhel_09_232085
tags:
@@ -1214,7 +1214,7 @@
mode: '0000'
path: /etc/shadow-
-- name: "RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
+- name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
when:
- rhel_09_232090
tags:
@@ -1229,7 +1229,7 @@
owner: root
path: /etc/group
-- name: "RHEL-09-232095 | PATCH | RHEL 9 /etc/group file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232095 | PATCH | RHEL 9 /etc/group file must be group-owned by root."
when:
- rhel_09_232095
tags:
@@ -1244,7 +1244,7 @@
group: root
path: /etc/group
-- name: "RHEL-09-232100 | PATCH | RHEL 9 /etc/group- file must be owned by root."
+- name: "MEDIUM | RHEL-09-232100 | PATCH | RHEL 9 /etc/group- file must be owned by root."
when:
- rhel_09_232100
tags:
@@ -1259,7 +1259,7 @@
owner: root
path: /etc/group-
-- name: "RHEL-09-232105 | PATCH | RHEL 9 /etc/group- file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232105 | PATCH | RHEL 9 /etc/group- file must be group-owned by root."
when:
- rhel_09_232105
tags:
@@ -1274,7 +1274,7 @@
group: root
path: /etc/group-
-- name: "RHEL-09-232110 | PATCH | RHEL 9 /etc/gshadow file must be owned by root."
+- name: "MEDIUM | RHEL-09-232110 | PATCH | RHEL 9 /etc/gshadow file must be owned by root."
when:
- rhel_09_232110
tags:
@@ -1289,7 +1289,7 @@
owner: root
path: /etc/gshadow
-- name: "RHEL-09-232115 | PATCH | RHEL 9 /etc/gshadow file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232115 | PATCH | RHEL 9 /etc/gshadow file must be group-owned by root."
when:
- rhel_09_232115
tags:
@@ -1304,7 +1304,7 @@
group: root
path: /etc/gshadow
-- name: "RHEL-09-232120 | PATCH | RHEL 9 /etc/gshadow- file must be owned by root."
+- name: "MEDIUM | RHEL-09-232120 | PATCH | RHEL 9 /etc/gshadow- file must be owned by root."
when:
- rhel_09_232120
tags:
@@ -1319,7 +1319,7 @@
owner: root
path: /etc/gshadow-
-- name: "RHEL-09-232125 | PATCH | RHEL 9 /etc/gshadow- file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232125 | PATCH | RHEL 9 /etc/gshadow- file must be group-owned by root."
when:
- rhel_09_232125
tags:
@@ -1334,7 +1334,7 @@
group: root
path: /etc/gshadow-
-- name: "RHEL-09-232130 | PATCH | RHEL 9 /etc/passwd file must be owned by root."
+- name: "MEDIUM | RHEL-09-232130 | PATCH | RHEL 9 /etc/passwd file must be owned by root."
when:
- rhel_09_232130
tags:
@@ -1349,7 +1349,7 @@
owner: root
path: /etc/passwd
-- name: "RHEL-09-232135 | PATCH | RHEL 9 /etc/passwd file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232135 | PATCH | RHEL 9 /etc/passwd file must be group-owned by root."
when:
- rhel_09_232135
tags:
@@ -1364,7 +1364,7 @@
group: root
path: /etc/passwd
-- name: "RHEL-09-232140 | PATCH | RHEL 9 /etc/passwd- file must be owned by root."
+- name: "MEDIUM | RHEL-09-232140 | PATCH | RHEL 9 /etc/passwd- file must be owned by root."
when:
- rhel_09_232140
tags:
@@ -1379,7 +1379,7 @@
owner: root
path: /etc/passwd-
-- name: "RHEL-09-232145 | PATCH | RHEL 9 /etc/passwd- file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232145 | PATCH | RHEL 9 /etc/passwd- file must be group-owned by root."
when:
- rhel_09_232145
tags:
@@ -1394,7 +1394,7 @@
group: root
path: /etc/passwd-
-- name: "RHEL-09-232150 | PATCH | RHEL 9 /etc/shadow file must be owned by root."
+- name: "MEDIUM | RHEL-09-232150 | PATCH | RHEL 9 /etc/shadow file must be owned by root."
when:
- rhel_09_232150
tags:
@@ -1409,7 +1409,7 @@
owner: root
path: /etc/shadow
-- name: "RHEL-09-232155 | PATCH | RHEL 9 /etc/shadow file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232155 | PATCH | RHEL 9 /etc/shadow file must be group-owned by root."
when:
- rhel_09_232155
tags:
@@ -1424,7 +1424,7 @@
group: root
path: /etc/shadow
-- name: "RHEL-09-232160 | PATCH | RHEL 9 /etc/shadow- file must be owned by root."
+- name: "MEDIUM | RHEL-09-232160 | PATCH | RHEL 9 /etc/shadow- file must be owned by root."
when:
- rhel_09_232160
tags:
@@ -1439,7 +1439,7 @@
owner: root
path: /etc/shadow-
-- name: "RHEL-09-232165 | PATCH | RHEL 9 /etc/shadow- file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232165 | PATCH | RHEL 9 /etc/shadow- file must be group-owned by root."
when:
- rhel_09_232165
tags:
@@ -1454,7 +1454,7 @@
group: root
path: /etc/shadow
-- name: "RHEL-09-232170 | PATCH | RHEL 9 /var/log directory must be owned by root."
+- name: "MEDIUM | RHEL-09-232170 | PATCH | RHEL 9 /var/log directory must be owned by root."
when:
- rhel_09_232170
tags:
@@ -1470,7 +1470,7 @@
path: /var/log
state: directory
-- name: "RHEL-09-232175 | PATCH | RHEL 9 /var/log directory must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232175 | PATCH | RHEL 9 /var/log directory must be group-owned by root."
when:
- rhel_09_232175
tags:
@@ -1486,7 +1486,7 @@
path: /var/log
state: directory
-- name: "RHEL-09-232180 | PATCH | RHEL 9 /var/log/messages file must be owned by root."
+- name: "MEDIUM | RHEL-09-232180 | PATCH | RHEL 9 /var/log/messages file must be owned by root."
when:
- rhel_09_232180
tags:
@@ -1501,7 +1501,7 @@
owner: root
path: /var/log/messages
-- name: "RHEL-09-232185 | PATCH | RHEL 9 /var/log/messages file must be group-owned by root."
+- name: "MEDIUM | RHEL-09-232185 | PATCH | RHEL 9 /var/log/messages file must be group-owned by root."
when:
- rhel_09_232185
tags:
@@ -1516,7 +1516,7 @@
group: root
path: /var/log/messages
-- name: "RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root."
+- name: "MEDIUM | RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root."
when:
- rhel_09_232190
tags:
@@ -1528,13 +1528,13 @@ - V-257918 - NIST800-53R4_CM-5 block: - - name: "RHEL-09-232190 | AUDIT | RHEL 9 system commands must be owned by root." + - name: "MEDIUM | RHEL-09-232190 | AUDIT | RHEL 9 system commands must be owned by root." ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls {} \; changed_when: false failed_when: rhel9stig_sys_commands_owner.rc not in [ 0, 1 ] register: rhel9stig_sys_commands_owner - - name: "RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root." + - name: "MEDIUM | RHEL-09-232190 | PATCH | RHEL 9 system commands must be owned by root." when: rhel9stig_sys_commands_owner.stdout | length > 0 ansible.builtin.file: owner: root @@ -1542,7 +1542,7 @@ loop: - "{{ rhel9stig_sys_commands_owner.stdout_lines }}" -- name: "RHEL-09-232195 | PATCH | RHEL 9 system commands must be group-owned by root or a system account." +- name: "MEDIUM | RHEL-09-232195 | PATCH | RHEL 9 system commands must be group-owned by root or a system account." when: - rhel_09_232195 tags: 
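Review bot: The 232190 audit's `-exec ls {} \;` prints a directory's entries rather than its path, so any non-root-owned directory under the searched trees (and `find -L` follows symlinks into directories) produces bare child names that the PATCH task then tries to chown as paths. Because this output is consumed as a path list rather than shown to an operator, emit the path itself: `ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -print`. If `ls -l` detail is wanted for a human, keep it in a WARN message as 232195 does. The `path:` argument of the PATCH task lies between this hunk and the next.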
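Review bot: The context line `loop: - "{{ rhel9stig_sys_commands_owner.stdout_lines }}"` wraps the audit output in a one-element list, and `loop` (unlike the old `with_items`) does not flatten, so `item` is the whole list rather than one path and the `file` task presumably gets the stringified list as `path` whenever findings exist. Replace it with `loop: "{{ rhel9stig_sys_commands_owner.stdout_lines }}"`, the form the 232200 task below already uses. The `path: "{{ item }}"` line and the start of the 232190 block are outside this hunk.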
@@ -1556,25 +1556,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232195" block: - - name: "RHEL-09-232195 | AUDIT | RHEL 9 system commands must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232195 | AUDIT | RHEL 9 system commands must be group-owned by root or a system account." ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! \( -group root -o -group tty \) -exec ls -l {} \; changed_when: false failed_when: rhel9stig_sys_commands_group.rc not in [ 0, 1 ] register: rhel9stig_sys_commands_group - - name: "RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." when: rhel9stig_sys_commands_group.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Please validate group ownership of the following system commands {{ rhel9stig_sys_commands_group.stdout_lines }}" - - name: "RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232195 | WARN | RHEL 9 system commands must be group-owned by root or a system account." when: rhel9stig_sys_commands_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." +- name: "MEDIUM | RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." when: - rhel_09_232200 tags: 
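Review bot: The 232195 audit searches `/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin` but omits `/usr/libexec`, which the sibling 232190 owner audit does include, so group ownership of libexec helpers is never reported. Add it: `ansible.builtin.shell: find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! \( -group root -o -group tty \) -exec ls -l {} \;`. The `ls -l` form is acceptable here because the result only feeds a WARN message rather than a remediation loop.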
@@ -1586,20 +1586,20 @@ - V-257920 - NIST800-53R4_CM-5 block: - - name: "RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root." + - name: "MEDIUM | RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root." ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root changed_when: false failed_when: rhel9stig_lib_files_owner.rc not in [ 0, 1 ] register: rhel9stig_lib_files_owner - - name: "RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." + - name: "MEDIUM | RHEL-09-232200 | PATCH | RHEL 9 library files must be owned by root." when: rhel9stig_lib_files_owner.stdout | length > 0 ansible.builtin.file: owner: root path: "{{ item }}" loop: "{{ rhel9stig_lib_files_owner.stdout_lines }}" -- name: "RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account." +- name: "MEDIUM | RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account." when: - rhel_09_232205 tags: 
@@ -1613,25 +1613,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232205" block: - - name: "RHEL-09-232205 | AUDIT | RHEL 9 library files must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232205 | AUDIT | RHEL 9 library files must be group-owned by root or a system account." ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! \( -group root -o -group utmp -o -group ssh_keys -o -group tty \) -exec ls {} \; changed_when: false failed_when: rhel9stig_lib_files_group.rc not in [ 0, 1 ] register: rhel9stig_lib_files_group - - name: "RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." when: rhel9stig_lib_files_group.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Please validate group ownership of the following library files or symlinks {{ rhel9stig_lib_files_group.stdout_lines }}" - - name: "RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232205 | WARN | RHEL 9 library files must be group-owned by root or a system account." when: rhel9stig_lib_files_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232210 | PATCH | RHEL 9 library directories must be owned by root." +- name: "MEDIUM | RHEL-09-232210 | PATCH | RHEL 9 library directories must be owned by root." when: - rhel_09_232210 tags: @@ -1651,7 +1651,7 @@ - '/usr/lib' - '/usr/lib64' -- name: "RHEL-09-232215 | PATCH | RHEL 9 library directories must be group-owned by root or a system account." +- name: "MEDIUM | RHEL-09-232215 | PATCH | RHEL 9 library directories must be group-owned by root or a system account." when: - rhel_09_232215 tags: 
@@ -1665,25 +1665,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232215" block: - - name: "RHEL-09-232215 | AUDIT | RHEL 9 library directories must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232215 | AUDIT | RHEL 9 library directories must be group-owned by root or a system account." ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; changed_when: false failed_when: rhel9stig_lib_dirs_group.rc not in [ 0, 1 ] register: rhel9stig_lib_dirs_group - - name: "RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." when: rhel9stig_lib_dirs_group.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Please validate group ownership of the following library directories {{ rhel9stig_lib_dirs_group.stdout_lines }}" - - name: "RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." + - name: "MEDIUM | RHEL-09-232215 | WARN | RHEL 9 library directories must be group-owned by root or a system account." when: rhel9stig_lib_dirs_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232220 | PATCH | RHEL 9 audit tools must be owned by root." +- name: "MEDIUM | RHEL-09-232220 | PATCH | RHEL 9 audit tools must be owned by root." when: - rhel_09_232220 tags: @@ -1706,7 +1706,7 @@ - '/sbin/rsyslogd' - '/sbin/augenrules' -- name: "RHEL-09-232225 | PATCH | RHEL 9 audit tools must be group-owned by root." +- name: "MEDIUM | RHEL-09-232225 | PATCH | RHEL 9 audit tools must be group-owned by root." when: - rhel_09_232225 tags: 
@@ -1729,7 +1729,7 @@ - '/sbin/rsyslogd' - '/sbin/augenrules' -- name: "RHEL-09-232230 | PATCH | RHEL 9 cron configuration files directory must be owned by root." +- name: "MEDIUM | RHEL-09-232230 | PATCH | RHEL 9 cron configuration files directory must be owned by root." when: - rhel_09_232230 tags: @@ -1752,7 +1752,7 @@ - '/etc/cron.weekly' - '/etc/crontab' -- name: "RHEL-09-232235 | PATCH | RHEL 9 cron configuration files directory must be group-owned by root." +- name: "MEDIUM | RHEL-09-232235 | PATCH | RHEL 9 cron configuration files directory must be group-owned by root." when: - rhel_09_232235 tags: @@ -1775,7 +1775,7 @@ - '/etc/cron.weekly' - '/etc/crontab' -- name: "RHEL-09-232240 | PATCH | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." +- name: "MEDIUM | RHEL-09-232240 | PATCH | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." when: - rhel_09_232240 - rhel9stig_disruption_high 
@@ -1793,25 +1793,25 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232240" block: - - name: "RHEL-09-232240 | AUDIT | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." + - name: "MEDIUM | RHEL-09-232240 | AUDIT | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -uid +0 changed_when: false failed_when: rhel9stig_worldwide_dir_owners.rc not in [ 0, 1 ] register: rhel9stig_worldwide_dir_owners - - name: "RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." + - name: "MEDIUM | RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." when: rhel9stig_worldwide_dir_owners.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! The following Directories do not match requirements for RHEL_09_232240 {{ rhel9stig_worldwide_dir_owners.stdout_lines }}" - - name: "RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." + - name: "MEDIUM | RHEL-09-232240 | WARN | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user." when: rhel9stig_worldwide_dir_owners.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." +- name: "MEDIUM | RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." when: - rhel_09_232245 - rhel9stig_disruption_high 
@@ -1826,13 +1826,13 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232245" block: - - name: "RHEL-09-232245 | AUDIT | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | AUDIT | A sticky bit must be set on all RHEL 9 public directories." ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -a ! -perm -1000 2>/dev/null changed_when: false failed_when: rhel9stig_public_dirs_stickybit.rc not in [ 0, 1 ] register: rhel9stig_public_dirs_stickybit - - name: "RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | PATCH | A sticky bit must be set on all RHEL 9 public directories." when: - rhel9stig_disruption_high - rhel9stig_public_dirs_stickybit.stdout | length > 0 @@ -1841,7 +1841,7 @@ mode: +t loop: "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" - - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." when: - not rhel9stig_disruption_high - rhel9stig_public_dirs_stickybit.stdout | length > 0 @@ -1850,14 +1850,14 @@ "Warning!! The following file require sticky bit to be set {{ rhel9stig_public_dirs_stickybit.stdout_lines }}" - - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." + - name: "MEDIUM | RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." when: - not rhel9stig_disruption_high - rhel9stig_public_dirs_stickybit.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232250 | PATCH | All RHEL 9 local files and directories must have a valid group owner." +- name: "MEDIUM | RHEL-09-232250 | PATCH | All RHEL 9 local files and directories must have a valid group owner." when: - rhel_09_232250 tags: 
@@ -1871,7 +1871,7 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232250" block: - - name: "RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." when: - item['device'].startswith('/dev') - not 'bind' in item['options'] @@ -1884,7 +1884,7 @@ loop_control: label: "{{ item.mount }}" - - name: "RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | AUDIT | All RHEL 9 local files and directories must have a valid group owner." ansible.builtin.set_fact: rhel9stig_ungrouped_files_found: true loop: "{{ rhel9stig_ungrouped_files_dirs_audit.results }}" @@ -1893,17 +1893,17 @@ - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - - name: "RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." when: rhel9stig_ungrouped_files_found is defined ansible.builtin.debug: msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}" - - name: "RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." + - name: "MEDIUM | RHEL-09-232250 | WARN | All RHEL 9 local files and directories must have a valid group owner." when: rhel9stig_ungrouped_files_found is defined ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232255 | PATCH | All RHEL 9 local files and directories must have a valid owner." +- name: "MEDIUM | RHEL-09-232255 | PATCH | All RHEL 9 local files and directories must have a valid owner." when: - rhel_09_232255 tags: 
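Review bot: `rhel9stig_ungrouped_files_dirs_audit.stdout_lines` in the WARN debug is undefined: the variable is registered by the per-mount looped audit (the preceding hunk iterates `rhel9stig_ungrouped_files_dirs_audit.results`), so it carries a `results` list and no top-level `stdout_lines`, and the task fails precisely when there is something to report. Use `msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.results | selectattr('stdout', 'defined') | map(attribute='stdout_lines') | list }}"`; the `selectattr` guard mirrors the skipped-item check the set_fact task already makes.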
@@ -1917,7 +1917,7 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232255" block: - - name: "RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." when: - item['device'].startswith('/dev') - not 'bind' in item['options'] @@ -1930,7 +1930,7 @@ loop_control: label: "{{ item.mount }}" - - name: "RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | AUDIT | All RHEL 9 local files and directories must have a valid owner." ansible.builtin.set_fact: rhel9stig_unowned_files_found: true loop: "{{ rhel9stig_unowned_files_dirs_audit.results }}" @@ -1939,17 +1939,17 @@ - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - - name: "RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." when: rhel9stig_unowned_files_found is defined ansible.builtin.debug: msg: "Warning!! Missing group on items in {{ rhel9stig_ungrouped_files_dirs_audit.stdout_lines }}" - - name: "RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." + - name: "MEDIUM | RHEL-09-232255 | WARN | All RHEL 9 local files and directories must have a valid owner." when: rhel9stig_unowned_files_found is defined ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232260 | PATCH | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." +- name: "MEDIUM | RHEL-09-232260 | PATCH | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." when: - rhel_09_232260 tags: 
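Review bot: The 232255 WARN message is a copy of the 232250 one: it reads `rhel9stig_ungrouped_files_dirs_audit.stdout_lines` instead of the `rhel9stig_unowned_files_dirs_audit` result this block registers, and says "Missing group" for an owner check, so the operator is shown the wrong finding (and `.stdout_lines` does not exist on a loop-registered result in any case). Change it to `msg: "Warning!! Missing owner on items in {{ rhel9stig_unowned_files_dirs_audit.results | selectattr('stdout', 'defined') | map(attribute='stdout_lines') | list }}"`.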
@@ -1963,34 +1963,34 @@ vars: warn_control_id: "MEDIUM | RHEL-09-232260" block: - - name: "RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" + - name: "MEDIUM | RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" ansible.builtin.shell: find / -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z" changed_when: false failed_when: rhel9stig_unlabelled_files.rc not in [ 0, 1 ] register: rhel9stig_unlabelled_files - - name: "RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" + - name: "MEDIUM | RHEL-09-232260 | AUDIT | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | / scan" when: - rhel9stig_unlabelled_files.stdout | length > 0 - rhel9stig_disruption_high ansible.builtin.shell: "restorecon -v {{ item }}" loop: "{{ rhel9stig_unlabelled_files.stdout_lines }}" - - name: "RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." + - name: "MEDIUM | RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." when: - rhel9stig_unlabelled_files.stdout | length > 0 - not rhel9stig_disruption_high ansible.builtin.debug: msg: "Warning!! Unlabelled device files found on the system {{ rhel9stig_unlabelled_files }}" - - name: "RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." + - name: "MEDIUM | RHEL-09-232260 | WARN | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification." 
when: - rhel9stig_unlabelled_files.stdout | length > 0 - not rhel9stig_disruption_high ansible.builtin.import_tasks: file: warning_facts.yml -- name: "RHEL-09-232265 | PATCH | RHEL 9 /etc/crontab file must have mode 0600." +- name: "MEDIUM | RHEL-09-232265 | PATCH | RHEL 9 /etc/crontab file must have mode 0600." when: - rhel_09_232265 tags: @@ -2005,7 +2005,7 @@ path: /etc/crontab mode: '0600' -- name: "RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access." +- name: "MEDIUM | RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access." when: - rhel_09_232270 tags: From 85e9f1c816d770c786a0926db894d0974da512d4 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:50:02 +0000 Subject: [PATCH 41/41] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.6.1 → v24.7.0](https://github.com/ansible-community/ansible-lint/compare/v24.6.1...v24.7.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2e4e221..f9907b1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.6.1 + rev: v24.7.0 hooks: - id: ansible-lint name: Ansible-lint
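Review bot: The 232260 scan's `-printf "%p %Z"` writes no newline, so every match is concatenated into a single stdout line and the remediation `restorecon -v {{ item }}` runs once with a mangled path-context-path string; the unquoted `*:unlabeled_t:*` is also exposed to shell globbing. Print one path per line for the loop, `ansible.builtin.shell: find / -context '*:unlabeled_t:*' \( -type c -o -type b \) -printf "%p\n"`, and quote the argument, `ansible.builtin.command: restorecon -v "{{ item }}"`. That second task relabels files, so it should be named `PATCH` rather than `AUDIT`, and it reports changed on every run; a `changed_when` keyed on restorecon's verbose output would fix that. The WARN debug prints the whole registered object, where `{{ rhel9stig_unlabelled_files.stdout_lines }}` is what the operator needs.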