From 9795227a8e09ad939d4adc39431ddb89cc522d7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Jul 2024 08:12:04 +0100 Subject: [PATCH] lineinfile updates Signed-off-by: Mark Bolwell --- tasks/Cat1/RHEL-09-2xxxxx.yml | 20 +++---- tasks/Cat1/RHEL-09-4xxxxx.yml | 2 +- tasks/Cat2/RHEL-09-21xxxx.yml | 47 +++++++-------- tasks/Cat2/RHEL-09-25xxxx.yml | 106 +++++++++++++++++----------------- tasks/Cat2/RHEL-09-27xxxx.yml | 40 ++++++------- tasks/Cat2/RHEL-09-4xxxxx.yml | 52 ++++++++--------- tasks/Cat2/RHEL-09-61xxxx.yml | 104 ++++++++++++++++----------------- tasks/Cat2/RHEL-09-65xxxx.yml | 45 +++++++-------- tasks/Cat2/RHEL-09-67xxxx.yml | 14 ++--- tasks/Cat3/RHEL-09-2xxxxx.yml | 8 +-- tasks/Cat3/RHEL-09-4xxxxx.yml | 6 +- 11 files changed, 222 insertions(+), 222 deletions(-) diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index e5f37a4..bed37bc 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml @@ -31,10 +31,10 @@ - NIST800-53R4_AC-6 notify: Systemd_daemon_reload ansible.builtin.lineinfile: - create: true - line: CtrlAltDelBurstAction=none path: /etc/systemd/system.conf regexp: ^CtrlAltDelBurstAction=none + line: CtrlAltDelBurstAction=none + create: true - name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled when: @@ -79,10 +79,10 @@ - grub notify: Rebuild_grub ansible.builtin.lineinfile: - insertafter: "{{ grub_superusers.after }}" - line: "{{ grub_superusers.line }}" path: /etc/grub2.cfg regexp: "{{ grub_superusers.regexp }}" + line: "{{ grub_superusers.line }}" + insertafter: "{{ grub_superusers.after }}" loop: - { regexp: '^set_superusers=', line: 'set superusers="{{ rhel9stig_grub_superuser }}"', after: "### BEGIN /etc/grub.d/01_users ###" } - { regexp: export superusers, line: 'export superusers', after: set_superusers= } 
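Review bot: The regexp `^CtrlAltDelBurstAction=none` matches only a line that already carries the wanted value, so an existing `CtrlAltDelBurstAction=reboot-force` (or the shipped commented default) is not replaced and the new line is appended at end of file, leaving two directives in /etc/systemd/system.conf. Anchor on the key instead, `regexp: ^#?CtrlAltDelBurstAction=`, so the existing assignment is rewritten in place. The task's `name` and `when` lines are outside the hunk.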
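Review bot: The first loop item's `regexp: '^set_superusers='` (underscore) cannot match the line it writes, `set superusers="…"` (space), nor a `set superusers="root"` left behind by grub2-setpassword, so an existing assignment is never replaced; lineinfile only inserts after the `01_users` BEGIN marker, and since GRUB evaluates grub.cfg top-down the later assignment wins. The second item's `after: set_superusers=` has the same typo, so lineinfile falls back to EOF and `export superusers` lands after the menu entries instead of next to the set line. Use `regexp: '^set superusers='` and `after: '^set superusers='`. Also note /etc/grub2.cfg is generated output; if the notified `Rebuild_grub` handler runs grub2-mkconfig (not visible here) it will discard these edits, and /etc/grub.d/01_users or `grub2-setpassword` is the durable place for this setting.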
@@ -104,9 +104,9 @@ - dnf - packages ansible.builtin.lineinfile: - line: gpgcheck=1 path: /etc/dnf/dnf.conf regexp: ^gpgcheck + line: gpgcheck=1 - name: HIGH | RHEL-09-214020 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation. when: @@ -122,9 +122,9 @@ - dnf - packages ansible.builtin.lineinfile: - line: localpkg_gpgcheck=1 path: /etc/dnf/dnf.conf regexp: ^localpkg_gpgcheck + line: localpkg_gpgcheck=1 - name: HIGH | RHEL-09-214025 | PATCH | RHEL 9 must check the GPG signature of locally installed software packages before installation. when: @@ -329,9 +329,9 @@ - NIST800-53R4_IA-2 - ssh ansible.builtin.lineinfile: - line: PermitEmptyPasswords no path: "{{ rhel9stig_sshd_config_file }}" regexp: (?i)^(#|)PermitEmptyPasswords yes + line: PermitEmptyPasswords no validate: sshd -t -f %s notify: Sshd_restart @@ -350,9 +350,9 @@ - pam notify: Sshd_restart ansible.builtin.lineinfile: - line: UsePAM yes path: "{{ rhel9stig_sshd_config_file }}" regexp: (?i)^(#|)usepam + line: UsePAM yes validate: sshd -t -f %s - name: HIGH | RHEL-09-271040 | PATCH | RHEL 9 must not allow unattended or automatic logon via the graphical user interface. @@ -369,10 +369,10 @@ - NIST800-53R4_CM-6 - gui ansible.builtin.lineinfile: - insertafter: "{{ autologin.after | default(omit) }}" - line: "{{ autologin.line }}" path: /etc/gdm/custom.conf regexp: "{{ autologin.regexp }}" + line: "{{ autologin.line }}" + insertafter: "{{ autologin.after | default(omit) }}" create: true loop: - { regexp: "[daemon]", line: "[daemon]" } diff --git a/tasks/Cat1/RHEL-09-4xxxxx.yml b/tasks/Cat1/RHEL-09-4xxxxx.yml index 3cc37a0..ff5da43 100644 --- a/tasks/Cat1/RHEL-09-4xxxxx.yml +++ b/tasks/Cat1/RHEL-09-4xxxxx.yml @@ -55,6 +55,6 @@ - NIST800-53R4_SI-6 - selinux ansible.builtin.lineinfile: - line: SELINUX=enforcing path: /etc/selinux/config regexp: (?i)^selinux= + line: SELINUX=enforcing 
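Review bot: The first loop item's `regexp: "[daemon]"` is a character class, not a literal section header, so it matches any line containing one of the letters d, a, e, m, o or n, and lineinfile then rewrites the last such line in /etc/gdm/custom.conf as `[daemon]`, which can clobber an unrelated key or a later section header such as `[debug]`. Escape the brackets and anchor it: `- { regexp: '^\[daemon\]', line: "[daemon]" }`. The remaining loop items and the task's `when` are outside the hunk.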
diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index f64b9bb..619e42a 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml @@ -36,9 +36,9 @@ block: - name: "MEDIUM | RHEL-09-211020 | PATCH | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path" ansible.builtin.lineinfile: - line: 'Banner /etc/issue' path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' + line: 'Banner /etc/issue' when: - rhel9stig_ssh_required @@ -271,10 +271,10 @@ - name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Set default" when: rhel9stig_212035_def_grub_vsyscall.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 vsyscall=none' path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 vsyscall=none' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212035 | PATCH | RHEL 9 must disable virtual system calls. | Change default" @@ -282,10 +282,10 @@ - rhel9stig_212035_def_grub_vsyscall.rc == 0 - "'vsyscall=none' not in rhel9stig_212035_def_grub_vsyscall.stdout" ansible.builtin.lineinfile: - backrefs: true - line: '\1\2vsyscall=none\3' path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=)(".*)vsyscall=\w+(.*") + line: '\1\2vsyscall=none\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks." 
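Review bot: This Banner task writes to a hard-coded `/etc/ssh/sshd_config` with no `validate:` and no sshd restart `notify`, whereas the other sshd tasks in this patch use `path: "{{ rhel9stig_sshd_config_file }}"` and `validate: sshd -t -f %s`. sshd keeps the first value it obtains for a keyword, and a stock RHEL 9 sshd_config Includes `sshd_config.d/*.conf` near the top, so if the role's variable points at a drop-in that also sets Banner (RHEL-09-255025 in this same patch manages `banner {{ rhel9stig_sshd_config.banner_file }}`), this edit is either shadowed or conflicts with it. Align the task with its siblings: `path: "{{ rhel9stig_sshd_config_file }}"`, `validate: sshd -t -f %s`, plus the restart handler. The enclosing block's `when` is outside the hunk.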
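Review bot: In the "Set default" task the regexp `^(GRUB_CMDLINE_LINUX=")(.*)"` consumes the closing quote outside any capture group, but the backrefs line `'\1\2 vsyscall=none'` does not restore it, so the rewritten line becomes an unterminated `GRUB_CMDLINE_LINUX="… vsyscall=none` and grub2-mkconfig fails when it sources /etc/default/grub. The sibling page_poison and slub_debug "Set default" tasks do append the quote; match them with `line: '\1\2 vsyscall=none"'`.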
@@ -322,19 +322,19 @@ - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Set default" when: rhel9stig_212040_def_grub_poison.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 page_poison=1"' - regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 page_poison=1"' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212040 | PATCH | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Change default" when: rhel9stig_212040_def_grub_poison.rc == 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2page_poison=1\3' - regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*") path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=)(".*)page_poison=\d(.*") + line: '\1\2page_poison=1\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks" @@ -370,10 +370,11 @@ - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Set default" when: rhel9stig_212045_def_grub_slub.rc != 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2 slub_debug=P"' - regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(.*)" + line: '\1\2 slub_debug=P"' + backrefs: true + notify: Rebuild_grub - name: "MEDIUM | RHEL-09-212045 | PATCH | RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks | Change default" 
@@ -381,10 +382,10 @@ - "'slub_debug=P' not in rhel9stig_212045_def_grub_slub.stdout" - rhel9stig_212045_def_grub_slub.rc == 0 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2slub_debug=P\3' - regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*") path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=)(".*)slub_debug=\w+\b(.*") + line: '\1\2slub_debug=P\3' + backrefs: true notify: Rebuild_grub - name: "MEDIUM | RHEL-09-213010 | PATCH | RHEL 9 must restrict access to the kernel message buffer." @@ -707,9 +708,9 @@ - V-257812 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: ProcessSizeMax=0 - regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+ path: /etc/systemd/coredump.conf + regexp: ^(#|)ProcessSizeMax\s*=\s*(?!0)\d+ + line: ProcessSizeMax=0 create: true - name: "MEDIUM | RHEL-09-213090 | PATCH | RHEL 9 must storage core dumps." @@ -724,9 +725,9 @@ - V-257813 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: Storage=none - regexp: ^(#|)Storage=.* path: /etc/systemd/coredump.conf + regexp: ^(#|)Storage=.* + line: Storage=none create: true - name: "MEDIUM | RHEL-09-213095 | PATCH | RHEL 9 must disable core dumps for all users." @@ -741,9 +742,9 @@ - V-257814 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: '* hard core 0' - regexp: '^\* hard core (?!0)\d*' path: /etc/security/limits.conf + regexp: '^\* hard core (?!0)\d*' + line: '* hard core 0' - name: "MEDIUM | RHEL-09-213100 | PATCH | RHEL 9 must disable acquiring, saving, and processing core dumps." when: diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 5cfbcf4..96e5d3f 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml 
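Review bot: `create: true` means that when /etc/systemd/coredump.conf is absent this task produces a file containing only `ProcessSizeMax=0`, with no `[Coredump]` section header, and systemd ignores assignments that appear outside a section, so the control would not take effect; the `Storage=none` task that follows has the same gap. Write the header first, e.g. a preceding lineinfile with `line: '[Coredump]'`, `insertbefore: BOF`, `create: true`, or use an ini-style module with `section: Coredump`. A drop-in under /etc/systemd/coredump.conf.d/ would also override either value, which is worth a comment near the `path:` line.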
@@ -134,9 +134,9 @@ - V-257939 - NIST800-53R4_SC-5 ansible.builtin.lineinfile: - line: FirewallBackend=nftables - regexp: ^(#|)FirewallBackend=.* path: /etc/firewalld/firewalld.conf + regexp: ^(#|)FirewallBackend=.* + line: FirewallBackend=nftables - name: "MEDIUM | RHEL-09-251035 | AUDIT | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems." when: @@ -185,10 +185,10 @@ - item not in rhel9stig_promisc_if - rhel9stig_disruption_high ansible.builtin.lineinfile: - create: true - line: PROMISC=NO - regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE) path: "/etc/sysconfig/network-scripts/ifcfg-{{ item }}" + regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE) + line: PROMISC=NO + create: true notify: Restart_NetworkManager loop: "{{ ansible_facts.interfaces }}" @@ -439,9 +439,9 @@ - name: "MEDIUM | RHEL-09-252055 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode." ansible.builtin.lineinfile: - line: ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot path: "{{ rhel9stig_tftp_systemd_file.stdout }}" regexp: ^ExecStart + line: ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot - name: "MEDIUM | RHEL-09-252060 | PATCH | RHEL 9 must forward mail from postmaster to the root account using a postfix alias." when: @@ -457,10 +457,10 @@ - NIST800-53R4_AU-5 notify: Update_aliases ansible.builtin.lineinfile: - create: true - line: 'postmaster: root' path: /etc/aliases regexp: postmaster:\s*root + line: 'postmaster: root' + create: true - name: "MEDIUM | RHEL-09-252065 | PATCH | RHEL 9 libreswan package must be installed." when: 
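Review bot: `regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE)` places the inline flag after the anchor; Python's `re` has warned about global flags not at the start of a pattern since 3.6 and raises `re.error` for them from 3.11, so the task fails on any managed node whose discovered interpreter is 3.11 or newer. The same `^(?i)` form recurs in the sshd tasks later in this patch, while the Cat1 tasks already use `(?i)^`; move the flag to the front everywhere: `regexp: (?i)^PROMISC=(YES|TRUE|NO|FALSE)`. Separately, RHEL 9 NetworkManager stores new profiles as keyfiles rather than ifcfg-* files by default, so with `create: true` this loop may write ifcfg files for interfaces that have no such profile — worth confirming that is the intended target.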
@@ -924,10 +924,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "banner {{ rhel9stig_sshd_config.banner_file }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)banner \/.*\/.* + line: "banner {{ rhel9stig_sshd_config.banner_file }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255030 | PATCH | RHEL 9 must log SSH connection attempts and failures to the server." @@ -944,10 +944,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)LogLevel.* + line: "LogLevel {{ rhel9stig_sshd_config.loglevel }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255035 | PATCH | RHEL 9 SSHD must accept public key authentication" @@ -970,10 +970,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PubkeyAuthentication\s*(yes|no) + line: "PubkeyAuthentication {{ rhel9stig_sshd_config.pubkeyauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255045 | PATCH | RHEL 9 must not permit direct logons to the root account using remote access via SSH." @@ -993,10 +993,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitRootLogin\s*(yes|no) + line: "PermitRootLogin {{ rhel9stig_sshd_config.permitroot }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255055 | PATCH | RHEL 9 SSH daemon must be configured to use system-wide crypto policies." 
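Review bot: The regexp `^(?i)(#|)banner \/.*\/.*` has the inline flag after `^`, which Python 3.11+ rejects with `re.error: global flags not at the start of the expression` (older versions only warn); every sshd task in this file section uses the same form, so all of them should become `(?i)^(#|)...`. This task also manages the same `Banner` keyword as RHEL-09-211020 in Cat2/RHEL-09-21xxxx.yml (which writes `Banner /etc/issue` to a hard-coded /etc/ssh/sshd_config), so if `rhel9stig_sshd_config_file` or `banner_file` differ, sshd's first-value-wins rule decides which one is effective; consider having one task own this keyword. The task's `when` and tags are outside the hunk.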
@@ -1013,10 +1013,10 @@ - ssh notify: Restart_sshd ansible.builtin.lineinfile: - create: true - line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + line: "Include {{ rhel9stig_sshd_config.include_conf }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255060 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections." @@ -1033,10 +1033,10 @@ - ssh notify: Restart_sshd ansible.builtin.lineinfile: - create: true - line: "Include {{ rhel9stig_sshd_config.include_conf }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Include.* + line: "Include {{ rhel9stig_sshd_config.include_conf }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255065 | PATCH | RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections." @@ -1052,9 +1052,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" path: /etc/crypto-policies/back-ends/openssh.config regexp: ^Ciphers + line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1069,9 +1069,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" path: /etc/crypto-policies/back-ends/openssh.config regexp: ^MACs + line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: 
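Review bot: Writing `Ciphers` directly into /etc/crypto-policies/back-ends/openssh.config edits a file that `update-crypto-policies` regenerates, so the next policy change (or FIPS enablement) silently reverts the approved cipher list while the `Include` tasks above keep sshd pointed at that file; the `MACs` tasks that follow in this patch have the same problem. The durable form is a policy module under /etc/crypto-policies/policies/modules/ (a `.pmod` file setting the SSH cipher and MAC lists) applied with `update-crypto-policies --set`. If the role intentionally edits the back-end file, add a comment such as `# NOTE: regenerated by update-crypto-policies; rerun after any policy change` above `path:`.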
@@ -1086,9 +1086,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" path: /etc/crypto-policies/back-ends/opensshserver.config regexp: ^MACs + line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system." when: @@ -1104,10 +1104,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)HostbasedAuthentication\s*(yes|no) + line: "HostbasedAuthentication {{ rhel9stig_sshd_config.hostauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255085 | PATCH | RHEL 9 must not allow users to override SSH environment variables." @@ -1124,10 +1124,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PermitUserEnvironments\s*(yes|no) + line: "PermitUserEnvironment {{ rhel9stig_sshd_config.userenv }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255090 | PATCH | RHEL 9 must force a frequent session key renegotiation for SSH connections to the server." 
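Review bot: The regexp `^(?i)(#|)PermitUserEnvironments\s*(yes|no)` has a stray `s`; sshd's keyword is `PermitUserEnvironment`, so an existing `PermitUserEnvironment yes` is never matched and the new `PermitUserEnvironment no` is appended at end of file — and because sshd uses the first value it obtains for a keyword, the permissive setting stays in effect while the task reports success. Fix the pattern (and move the flag to the front, which Python 3.11+ requires): `regexp: (?i)^(#|)PermitUserEnvironment\s*(yes|no)`. That first-value rule makes in-place replacement matter more for sshd than for most config formats, so every regexp in this section deserves the same check.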
@@ -1149,10 +1149,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)RekeyLimit.* + line: "RekeyLimit {{ rhel9stig_sshd_config.rekeylimit }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255095 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive." @@ -1173,10 +1173,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveCountMax\s\d* + line: "ClientAliveCountMax {{ rhel9stig_sshd_config.clientalivecountmax }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255100 | PATCH | RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive." @@ -1201,10 +1201,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)ClientAliveInterval\s\d* + line: "ClientAliveInterval {{ rhel9stig_sshd_config.clientaliveinterval }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255105 | PATCH | RHEL 9 SSH server configuration file must be group-owned by root." @@ -1319,10 +1319,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "Compression {{ rhel9stig_sshd_config.compress }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)Compression\s*(yes|no) + line: "Compression {{ rhel9stig_sshd_config.compress }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255135 | PATCH | RHEL 9 SSH daemon must not allow GSSAPI authentication." 
@@ -1342,10 +1342,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)GSSAPIAuthentication\s*(yes|no) + line: "GSSAPIAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255140 | PATCH | RHEL 9 SSH daemon must not allow Kerberos authentication." @@ -1365,10 +1365,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "KerberosAuthentication {{ rhel9stig_sshd_config.gssapiauth }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)KerberosAuthentication\s*(yes|no) + line: "KerberosAuthentication {{ rhel9stig_sshd_config.kerbauth }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255145 | PATCH | RHEL 9 SSH daemon must not allow rhosts authentication" @@ -1385,10 +1385,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)IgnoreRhosts\s*(yes|no) + line: "IgnoreRhosts {{ rhel9stig_sshd_config.ignorerhosts }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255150 | PATCH | RHEL 9 SSH daemon must not allow known hosts authentication." @@ -1405,10 +1405,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)IgnoreUserKnownHosts\s*(yes|no) + line: "IgnoreUserKnownHosts {{ rhel9stig_sshd_config.ignoreknownhosts }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255155 | PATCH | RHEL 9 SSH daemon must disable remote X connections for interactive users." 
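Review bot: The IgnoreUserKnownHosts task writes to a hard-coded `/etc/ssh/sshd_config.d/50-redhat.conf` while every neighbouring task uses `path: "{{ rhel9stig_sshd_config_file }}"`; 50-redhat.conf appears to be the drop-in shipped by openssh-server on RHEL 9, so a package update may replace it or leave an .rpmnew, and with sshd's first-value-wins rule its lexical position among the drop-ins decides whether the role's configured file or this one is effective. Use `path: "{{ rhel9stig_sshd_config_file }}"` for consistency, or a role-owned drop-in that sorts before 50-redhat.conf. The task's `when` and tags are outside the hunk.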
@@ -1425,10 +1425,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11forwarding\s*(yes|no) + line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255160 | PATCH | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files." @@ -1445,10 +1445,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)StrictModes\s*(yes|no) + line: "StrictModes {{ rhel9stig_sshd_config.strictmodes }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255165 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." @@ -1465,10 +1465,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)PrintLastLog\s*(yes|no) + line: "PrintLastLog {{ rhel9stig_sshd_config.lastlog }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255170 | PATCH | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon." @@ -1485,10 +1485,10 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)UsePrivilegeSeparation\s*(yes|no) + line: "UsePrivilegeSeparation {{ rhel9stig_sshd_config.privsep }}" + create: true validate: sshd -t -f %s - name: "MEDIUM | RHEL-09-255175 | PATCH | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display." 
@@ -1505,8 +1505,8 @@ - ssh notify: Restart_ssh ansible.builtin.lineinfile: - create: true - line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" path: "{{ rhel9stig_sshd_config_file }}" regexp: ^(?i)(#|)X11UseLocalhost\s*(yes|no) + line: "X11UseLocalhost {{ rhel9stig_sshd_config.x11uselocal }}" + create: true validate: sshd -t -f %s diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 8f35791..5db9328 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -45,9 +45,9 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/login-screen/banner-message-enable path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/login-screen/banner-message-enable + create: true mode: '0644' modification_time: preserve state: present @@ -98,9 +98,9 @@ - NIST800-53R4_IA-3 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/media-handling/automount-open path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/desktop/media-handling/automount-open + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required." @@ -143,9 +143,9 @@ - NIST800-53R4_IA-3 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/media-handling/autorun-never path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/desktop/media-handling/autorun-never + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed." 
@@ -188,9 +188,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." @@ -232,9 +232,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/screensaver/lock-enabled path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/desktop/screensaver/lock-enabled + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity." @@ -276,9 +276,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/session/idle-delay path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/desktop/session/idle-delay + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated." @@ -316,9 +316,9 @@ - NIST800-53R4_AC-11 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/screensaver/lock-delay path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/desktop/screensaver/lock-delay + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." 
@@ -346,9 +346,9 @@ - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." ansible.builtin.lineinfile: - create: true - line: /org/gnome/desktop/screensaver/picture-uri path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + line: /org/gnome/desktop/screensaver/picture-uri + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles." @@ -402,9 +402,9 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/login-screen/disable-restart-buttons path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/login-screen/disable-restart-buttons + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot." @@ -442,9 +442,9 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: - create: true - line: /org/gnome/settings-daemon/plugins/media-keys/logout path: "/etc/dconf/db/{{ item }}.d/locks/session" + line: /org/gnome/settings-daemon/plugins/media-keys/logout + create: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces." diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml index 8f1ec70..0ffef69 100644 --- a/tasks/Cat2/RHEL-09-4xxxxx.yml +++ b/tasks/Cat2/RHEL-09-4xxxxx.yml 
@@ -12,9 +12,9 @@ - V-258041 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - line: "PASS_MAX_DAYS {{ rhel9stig_pass['max_days'] }}" path: /etc/login.defs regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9stig_pass['max_days'] }}" - name: "MEDIUM | RHEL-09-411015 | PATCH | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs." when: @@ -74,9 +74,9 @@ - V-258043 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - line: "CREATE_HOME yes" path: /etc/login.defs regexp: ^(?i)(|#)\s*CREATE_HOME (no|yes) + line: "CREATE_HOME yes" - name: "MEDIUM | RHEL-09-411025 | PATCH | RHEL 9 must set the umask value to 077 for all local interactive user accounts." when: @@ -288,9 +288,9 @@ - name: "MEDIUM | RHEL-09-411055 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory." ansible.builtin.lineinfile: - line: "PATH={{ rhel9stig_env_path }}" path: "{{ item.path }}" regexp: ^\s*PATH + line: "PATH={{ rhel9stig_env_path }}" loop: "{{ rhel9stig_user_initialization.files }}" - name: | @@ -383,9 +383,9 @@ - V-258054 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "deny = {{ rhel9stig_faillock.deny }}" path: /etc/security/faillock.conf regexp: '^\s*deny\s*=\s*([0-2]|[4-9]|{{ rhel9stig_faillock.deny }}[0-9]{1,})\d*' + line: "deny = {{ rhel9stig_faillock.deny }}" - name: "MEDIUM | RHEL-09-411080 | PATCH | RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." when: 
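Review bot: The regexp `'^\s*deny\s*=\s*([0-2]|[4-9]|{{ rhel9stig_faillock.deny }}[0-9]{1,})\d*'` hard-codes the assumption that `rhel9stig_faillock.deny` is 3: it matches 0–2, 4–9 and multi-digit values starting with the configured number, but if the variable is set to, say, 5 an existing `deny = 3` is no longer matched and a second `deny = 5` line is appended. Since lineinfile reports no change when the matched line already equals `line`, the value filtering buys nothing; `regexp: '^\s*#?\s*deny\s*='`, in the style of the `fail_interval` and `dir` tasks, is simpler and correct for any value. The task's `when` and tags are outside the hunk.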
@@ -401,9 +401,9 @@ - V-258055 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: even_deny_root path: /etc/security/faillock.conf regexp: ^(#|)even_deny_root + line: even_deny_root - name: "MEDIUM | RHEL-09-411085 | PATCH | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." when: @@ -419,9 +419,9 @@ - V-258056 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: "fail_interval = {{ rhel9stig_faillock.fail_interval }}" path: /etc/security/faillock.conf regexp: '^fail_interval\s*=\s*' + line: "fail_interval = {{ rhel9stig_faillock.fail_interval }}" - name: "MEDIUM | RHEL-09-411090 | PATCH | RHEL 9 must maintain an account lock until the locked account is released by an administrator." when: @@ -441,9 +441,9 @@ block: - name: "MEDIUM | RHEL-09-411090 | PATCH | RHEL 9 must maintain an account lock until the locked account is released by an administrator." ansible.builtin.lineinfile: - line: "unlock_time = 0" path: /etc/security/faillock.conf regexp: '^unlock_time\s*=\s*[1-9]' + line: "unlock_time = 0" - name: "MEDIUM | RHEL-09-411090 | AUDIT | RHEL 9 must maintain an account lock until the locked account is released by an administrator. | not auth select profile" ansible.builtin.lineinfile: @@ -526,9 +526,9 @@ - name: "MEDIUM | RHEL-09-411105 | PATCH | RHEL 9 must ensure account lockouts persist." ansible.builtin.lineinfile: - line: "dir = {{ rhel9stig_faillock.dir }}" path: /etc/security/faillock.conf regexp: '^dir\s*=\s*' + line: "dir = {{ rhel9stig_faillock.dir }}" notify: Change_requires_reboot - name: "MEDIUM | RHEL-09-411110 | PATCH | RHEL 9 groups must have unique Group ID (GID)." @@ -637,11 +637,11 @@ - V-258065 - NIST800-53R4_AC-11 ansible.builtin.lineinfile: - create: true - line: "{{ item }}" - mode: '0644' path: /etc/tmux.conf regexp: "{{ item }}" + line: "{{ item }}" + create: true + mode: '0644' state: present loop: - 'set -g lock-command vlock' 
@@ -700,9 +700,9 @@ - V-258070 - NIST800-53R4_AC-7 ansible.builtin.lineinfile: - line: "audit" path: /etc/security/faillock.conf regexp: '^\s*audit' + line: "audit" - name: "MEDIUM | RHEL-09-412050 | PATCH | RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." when: @@ -716,9 +716,9 @@ - V-258071 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "FAIL_DELAY {{ rhel9stig_login_defs.fail_delay }}" path: /etc/login.defs regexp: \s*FAIL_DELAY + line: "FAIL_DELAY {{ rhel9stig_login_defs.fail_delay }}" - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell." when: @@ -734,9 +734,9 @@ block: - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/bashrc regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412055 | PATCH | RHEL 9 must define default permissions for the bash shell.| Amend all instances" ansible.builtin.replace: @@ -758,9 +758,9 @@ block: - name: "MEDIUM | RHEL-09-412060 | PATCH | RHEL 9 must define default permissions for the c shell. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/csh.cshrc regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412060 | PATCH | RHEL 9 must define default permissions for the c shell.| Amend all instances" ansible.builtin.replace: 
@@ -782,9 +782,9 @@ block: - name: "MEDIUM | RHEL-09-412065 | PATCH | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Exists" ansible.builtin.lineinfile: - line: UMASK 077 path: /etc/login.defs regexp: UMASK \d\d\d + line: UMASK 077 - name: "MEDIUM | RHEL-09-412065 | PATCH | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Amend all instances" ansible.builtin.replace: @@ -806,9 +806,9 @@ block: - name: "MEDIUM | RHEL-09-412070 | PATCH | RHEL 9 must define default permissions for the system default profile. | Exists" ansible.builtin.lineinfile: - line: umask 077 path: /etc/profile regexp: umask \d\d\d + line: umask 077 - name: "MEDIUM | RHEL-09-412070 | PATCH | RHEL 9 must define default permissions for the system default profile. | Amend all instances" ansible.builtin.replace: @@ -828,9 +828,9 @@ - V-258077 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: "StopIdleSessionSec={{ rhel9stig_logind_conf.stopsessionidle }}" path: /etc/systemd/logind.conf regexp: ^(#|)StopIdleSessionSec\s*=\s*\d* + line: "StopIdleSessionSec={{ rhel9stig_logind_conf.stopsessionidle }}" - name: "MEDIUM | RHEL-09-431015 | PATCH | RHEL 9 must enable the SELinux targeted policy." when: @@ -844,9 +844,9 @@ - V-258079 - NIST800-53R4_SI-6 ansible.builtin.lineinfile: - line: SELINUXTYPE=targeted path: /etc/selinux/config regexp: ^(#|)SELINUXTYPE\s*=\s*\w+ + line: SELINUXTYPE=targeted - name: "MEDIUM | RHEL-09-431025 | PATCH | RHEL 9 must have policycoreutils package installed." when: 
@@ -934,9 +934,9 @@ - V-258084 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - line: Defaults timestamp_timeout=0 path: "{{ item }}" regexp: ^Defaults timestamp_timeout\s*=\s*(-|)\d + line: Defaults timestamp_timeout=0 loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'." @@ -953,23 +953,23 @@ block: - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | targetpw" ansible.builtin.lineinfile: - line: Defaults !targetpw path: "{{ item }}" regexp: ^(#|)Defaults !targetpw + line: Defaults !targetpw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | rootpw" ansible.builtin.lineinfile: - line: Defaults !rootpw path: "{{ item }}" regexp: ^(#|)Defaults !rootpw + line: Defaults !rootpw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432020 | PATCH | RHEL 9 must use the invoking user's password for privilege escalation when using 'sudo'. | runaspw" ansible.builtin.lineinfile: - line: Defaults !runaspw path: "{{ item }}" regexp: ^(#|)Defaults !runaspw + line: Defaults !runaspw loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-432025 | PATCH | RHEL 9 must require users to reauthenticate for privilege escalation." @@ -984,8 +984,8 @@ - V-258086 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - line: '!authenticate' path: "{{ item }}" + line: '!authenticate' state: absent loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -1001,9 +1001,9 @@ - V-258087 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - line: '!authenticate' path: "{{ item }}" regexp: ALL\s*ALL=\(ALL(:ALL|)\)\s*ALL + line: '!authenticate' state: absent loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" 
@@ -1021,9 +1021,9 @@ - NIST800-53R4_IA-11 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - line: auth required pam_wheel.so use_uid path: /etc/pam.d/su regexp: ^(#|)(auth\s*required\s*)pam_wheel.so(.*) + line: auth required pam_wheel.so use_uid - name: "MEDIUM | RHEL-09-433010 | PATCH | RHEL 9 fapolicy module must be installed." when: diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index e4c6129..f3d84f6 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml @@ -22,11 +22,11 @@ - name: "MEDIUM | RHEL-09-611010 | PATCH | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" when: rhel9stig_pwquality_system_auth_status.stdout | length == 0 ansible.builtin.lineinfile: - backrefs: true - insertafter: '^password' - line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4' path: /etc/pam.d/system-auth regexp: '^(password\s+)(required|requisite)(\s+pam_pwquality.so.*)\sretry=\d(.*)' + line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4' + insertafter: '^password' + backrefs: true - name: "MEDIUM | RHEL-09-611010 | PATCH | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" when: rhel9stig_pwquality_system_auth_status.stdout | length > 0 @@ -240,10 +240,10 @@ block: - name: "MEDIUM | RHEL-09-611040 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the password-auth file." ansible.builtin.lineinfile: - backrefs: true - line: '\1required\2' path: /etc/pam.d/password-auth regexp: ^(password\s+)requisite(.*) + line: '\1required\2' + backrefs: true - name: "MEDIUM | RHEL-09-611040 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the password-auth file." community.general.pamd: 
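Review bot: In the RHEL-09-611010 hunk (`@@ -22,11 +22,11 @@` of tasks/Cat2/RHEL-09-61xxxx.yml) the moved `insertafter: '^password'` is dead next to `backrefs: true`: lineinfile documents that when backrefs is set, insertafter/insertbefore are ignored and a file in which the regexp matches nothing is left unchanged, so this task can never add a missing `retry=` entry even though its `when:` only fires after the status check found no pwquality line. The same pairing is moved, with the same effect, in the cron hunk (`@@ -423,11 +422,11 @@` of tasks/Cat2/RHEL-09-65xxxx.yml) and the RHEL-09-671025 hunk (`@@ -81,11 +81,11 @@` of tasks/Cat2/RHEL-09-67xxxx.yml). Either drop `insertafter` so the modify-only behaviour is explicit, or, where insertion on no match is the intent, use a second lineinfile without `backrefs` and without `\1`-style references in `line`.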
@@ -271,10 +271,10 @@ block: - name: "MEDIUM | RHEL-09-611045 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the system-auth file." ansible.builtin.lineinfile: - backrefs: true - line: '\1required\2' path: /etc/pam.d/system-auth regexp: ^(password\s+)requisite(.*) + line: '\1required\2' + backrefs: true - name: "MEDIUM | RHEL-09-611045 | PATCH | RHEL 9 must ensure the password complexity module is enabled in the system-auth file." community.general.pamd: @@ -359,10 +359,10 @@ - NIST800-53R4_CM-6 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: enforce_for_root path: "{{ item }}" regexp: ^#\s*enforce_for_root + line: enforce_for_root + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611065 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used." @@ -378,10 +378,10 @@ - V-258102 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: lcredit = {{ rhel9stig_pwquality.lcredit }} path: "{{ item }}" regexp: \s*lcredit = + line: lcredit = "{{ rhel9stig_pwquality.lcredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611070 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one numeric character be used." @@ -397,10 +397,10 @@ - V-258103 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: dcredit = {{ rhel9stig_pwquality.dcredit }} path: "{{ item }}" regexp: \s*dcredit = + line: dcredit = "{{ rhel9stig_pwquality.dcredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611075 | PATCH | RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs." 
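Review bot: The rewritten `line: lcredit = "{{ rhel9stig_pwquality.lcredit }}"` in the RHEL-09-611065 hunk places the double quotes inside an unquoted YAML plain scalar, so they survive templating and the rendered pwquality.conf line becomes e.g. `lcredit = "-1"` (for a value of -1) instead of `lcredit = -1`; as far as I can tell libpwquality's integer settings do not accept a quoted value, so the setting is either rejected at config read or not applied, and the control stops being enforced. The same pattern is introduced in the dcredit, PASS_MIN_DAYS, minlen, PASS_MIN_LEN, ocredit, dictcheck, ucredit, difok, maxclassrepeat and minclass hunks of this file, and in the auditd.conf hunks (disk_error_action, disk_full_action, space_left*, admin_space_left*, max_log_file_action, name_format, the first two overflow_action hunks, log_group, freq, log_format, write_logs) of tasks/Cat2/RHEL-09-65xxxx.yml, where I would not expect the shadow or auditd parsers to strip quotes either. The RHEL-09-653075 hunk in that same file shows the intended form, `line: "overflow_action = {{ rhel9stig_audit_conf.overflow_action }}"`, quoting the whole scalar; apply it to every hunk listed, e.g. `line: "lcredit = {{ rhel9stig_pwquality.lcredit }}"`. The old-side `lcredit = {{ ... }}` was already valid YAML because the braces are not at the start of the value, so nothing needed quoting here beyond the scalar as a whole.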
@@ -416,10 +416,10 @@ - V-258104 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: PASS_MIN_DAYS {{ rhel9stig_pass.min_days }} path: /etc/login.defs regexp: \s*PASS_MIN_DAYS\s* + line: PASS_MIN_DAYS "{{ rhel9stig_pass.min_days }}" + backrefs: true - name: "MEDIUM | RHEL-09-611080 | PATCH | RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow." when: @@ -506,10 +506,10 @@ - rhel9stig_sudo_nopasswd.stdout | length > 0 - rhel9stig_disruption_high ansible.builtin.lineinfile: - backrefs: true - line: '#\1NOPASSWD\2' path: "{{ item }}" regexp: (.*)(?!#)NOPASSWD(.*) + line: '#\1NOPASSWD\2' + backrefs: true validate: visudo -cf %s loop: "{{ rhel9stig_sudoers_files.stdout_lines }}" @@ -525,10 +525,10 @@ - V-258107 - NIST800-53R4_IA-11 ansible.builtin.lineinfile: - backrefs: true - line: minlen = {{ rhel9stig_pass.minlen }} path: /etc/security/pwquality.conf regexp: \s*minlen\s*=\s*([0-9]|1[0-4]) + line: minlen = "{{ rhel9stig_pass.minlen }}" + backrefs: true - name: "MEDIUM | RHEL-09-611095 | PATCH | RHEL 9 passwords for new users must have a minimum of 15 characters." when: @@ -542,10 +542,10 @@ - V-258108 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: PASS_MIN_LEN {{ rhel9stig_pass.minlen }} path: /etc/login.defs regexp: PASS_MIN_LEN + line: PASS_MIN_LEN "{{ rhel9stig_pass.minlen }}" + backrefs: true - name: "MEDIUM | RHEL-09-611100 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one special character be used." when: @@ -560,10 +560,10 @@ - V-258109 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ocredit = {{ rhel9stig_pwquality.ocredit }} path: "{{ item }}" regexp: \s*ocredit = + line: ocredit = "{{ rhel9stig_pwquality.ocredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611105 | PATCH | RHEL 9 must prevent the use of dictionary words for passwords." 
@@ -579,10 +579,10 @@ - V-258110 - NIST800-53R4_CM-6 ansible.builtin.lineinfile: - backrefs: true - line: dictcheck={{ rhel9stig_pwquality.dictcheck }} path: "{{ item }}" regexp: \s*dictcheck\s*=\s* + line: dictcheck="{{ rhel9stig_pwquality.dictcheck }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611110 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used." @@ -598,10 +598,10 @@ - V-258111 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ucredit = {{ rhel9stig_pwquality.ucredit }} path: "{{ item }}" regexp: \s*ucredit\s*=\s* + line: ucredit = "{{ rhel9stig_pwquality.ucredit }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611115 | PATCH | RHEL 9 must require the change of at least eight characters when passwords are changed." @@ -617,10 +617,10 @@ - V-258112 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: difok = {{ rhel9stig_pwquality.difok }} path: "{{ item }}" regexp: \s*difok\s*=\s* + line: difok = "{{ rhel9stig_pwquality.difok }}" + backrefs: true loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611120 | PATCH | RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." @@ -636,10 +636,10 @@ - V-258113 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: maxclassrepeat = {{ rhel9stig_pwquality.maxclassrepeat }} path: /etc/security/pwquality.conf regexp: \s*maxclassrepeat\s*=\s* + line: maxclassrepeat = "{{ rhel9stig_pwquality.maxclassrepeat }}" + backrefs: true - name: "MEDIUM | RHEL-09-611125 | PATCH | RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed." when: 
@@ -654,10 +654,10 @@ - V-258114 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: maxrepeat = {{ rhel9stig_pwquality.maxrepeat }} path: /etc/security/pwquality.conf regexp: \s*maxrepeat\s*=\s* + line: maxrepeat = "{{ rhel9stig_pwquality.maxrepeat }}" + backrefs: true - name: "MEDIUM | RHEL-09-611130 | PATCH | RHEL 9 must require the change of at least four character classes when passwords are changed." when: @@ -672,10 +672,10 @@ - V-258115 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: minclass = {{ rhel9stig_pwquality.minclass }} path: /etc/security/pwquality.conf regexp: \s*minclass\s*=\s* + line: minclass = "{{ rhel9stig_pwquality.minclass }}" + backrefs: true - name: "MEDIUM | RHEL-09-611135 | PATCH | RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." when: @@ -708,10 +708,10 @@ - V-258117 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: ENCRYPT_METHOD SHA512 path: /etc/login.defs regexp: \s*ENCRYPT_METHOD + line: ENCRYPT_METHOD SHA512 + backrefs: true - name: "MEDIUM | RHEL-09-611145 | PATCH | RHEL 9 must not be configured to bypass password requirements for privilege escalation." when: @@ -726,10 +726,10 @@ - V-258118 - NIST800-53R4_IA-5 ansible.builtin.lineinfile: - backrefs: true - line: '\1\2' path: /etc/pam.d/sudo regexp: ^(.*)pam_succeed_if(.) + line: '\1\2' + backrefs: true - name: "MEDIUM | RHEL-09-611150 | PATCH | RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds." when: 
@@ -746,10 +746,10 @@ - NIST800-53R4_IA-5 - NIST800-53R4_IA-7 ansible.builtin.lineinfile: - backrefs: true - line: "SHA_CRYPT_MIN_ROUNDS {{ rhel9stig_pam.rounds }}" path: /etc/login.defs regexp: \s*SHA_CRYPT_MIN_ROUNDS + line: "SHA_CRYPT_MIN_ROUNDS {{ rhel9stig_pam.rounds }}" + backrefs: true - name: "MEDIUM | RHEL-09-611155 | PATCH | RHEL 9 must not have accounts configured with blank or null passwords." when: @@ -832,11 +832,11 @@ - V-258121 - NIST800-53R4_IA-2 ansible.builtin.lineinfile: - create: true - backrefs: true - line: card_drivers = cac,\3\4; path: /etc/opensc.conf regexp: ^(#|)card_drivers(\s*=\s*)(.*)cac(.*); + line: card_drivers = cac,\3\4; + create: true + backrefs: true - name: "MEDIUM | RHEL-09-611165 | PATCH | RHEL 9 must enable certificate based smart card authentication." when: @@ -855,10 +855,10 @@ - V-258122 - NIST800-53R4_IA-2 ansible.builtin.lineinfile: - backrefs: true - line: pam_cert_auth = True path: /etc/sssd/sssd.conf regexp: ^(?i)(#|)pam_cert_auth\s*=\s*false + line: pam_cert_auth = True + backrefs: true - name: "MEDIUM | RHEL-09-611170 | PATCH | RHEL 9 must implement certificate status checking for multifactor authentication." when: @@ -898,10 +898,10 @@ - name: "MEDIUM | RHEL-09-611170 | PATCH | RHEL 9 must implement certificate status checking for multifactor authentication. | Add if missing" when: rhel9stig_sssd_cert_verification_files.stdout | length > 0 ansible.builtin.lineinfile: - backrefs: true - line: '#\1' path: "{{ item.split(':').0 }}" regexp: ^((#|)certificate_verification =.*) + line: '#\1' + backrefs: true loop: "{{ rhel9stig_sssd_cert_verification_files.stdout_lines }}" - name: "MEDIUM | RHEL-09-611175 | PATCH | RHEL 9 must have the pcsc-lite package installed." 
@@ -972,10 +972,10 @@ - V-258128 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - backrefs: true - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency path: /usr/lib/systemd/system/emergency.service regexp: ^(#|)ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + backrefs: true - name: "MEDIUM | RHEL-09-611200 | PATCH | RHEL 9 must require authentication to access single-user mode" when: @@ -989,10 +989,10 @@ - V-258129 - NIST800-53R4_AC-3 ansible.builtin.lineinfile: - backrefs: true - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue path: /usr/lib/systemd/system/rescue.service regexp: ^(#|)ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + backrefs: true - name: "MEDIUM | RHEL-09-611205 | PATCH | RHEL 9 must require authentication to access single-user mode" when: diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index 34169df..e38db74 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -199,9 +199,8 @@ - rsyslog notify: Restart_rsyslog ansible.builtin.lineinfile: - line: 'auth.*;authpriv.*;daemon.* /var/log/secure' path: /etc/rsyslog.conf - + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' ## Required for 652035 to run - name: "MEDIUM | RHEL-09-653130 | PATCH | RHEL 9 audispd-plugins package must be installed" when: @@ -237,9 +236,9 @@ - rsyslog notify: Restart_rsyslog ansible.builtin.lineinfile: - line: 'active = yes' path: /etc/audit/plugins.d/syslog.conf regexp: 'active\s*=' + line: 'active = yes' - name: "MEDIUM | RHEL-09-652040 | AUDIT | RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog." when: 
@@ -406,9 +405,9 @@ - NIST800-53R4_CM-6 - rsyslog ansible.builtin.lineinfile: - line: "*.* {{ rhel9stig_remotelog_server.protocol }}{{ rhel9stig_remotelog_server.server }}:{{ rhel9stig_remotelog_server.port }}" path: /etc/rsyslog.conf regexp: '^.*\@\@' + line: "*.* {{ rhel9stig_remotelog_server.protocol }}{{ rhel9stig_remotelog_server.server }}:{{ rhel9stig_remotelog_server.port }}" - name: "MEDIUM | RHEL-09-652060 | PATCH | RHEL 9 must use cron logging." when: @@ -423,11 +422,11 @@ - NIST800-53R4_CM-6 - rsyslog ansible.builtin.lineinfile: - backrefs: true - insertafter: "# Log cron stuff" - line: 'cron.*\1/var/log/cron' path: /etc/rsyslog.conf regexp: 'cron\.\*(\s+)' + line: 'cron.*\1/var/log/cron' + backrefs: true + insertafter: "# Log cron stuff" - name: "MEDIUM | RHEL-09-653010 | PATCH | RHEL 9 audit package must be installed." when: @@ -585,9 +584,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: disk_error_action = {{ rhel9stig_audit_conf.disk_error_action }} path: /etc/audit/auditd.conf regexp: ^\s*disk_error_action + line: disk_error_action = "{{ rhel9stig_audit_conf.disk_error_action }}" - name: "MEDIUM | RHEL-09-653025 | PATCH | RHEL 9 audit system must take appropriate action when the audit storage volume is full." when: @@ -602,9 +601,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: disk_full_action = {{ rhel9stig_audit_conf.disk_full_action }} path: /etc/audit/auditd.conf regexp: ^\s*disk_full_action + line: disk_full_action = "{{ rhel9stig_audit_conf.disk_full_action }}" - name: "MEDIUM | RHEL-09-653030 | AUDIT | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records." when: 
@@ -655,9 +654,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: space_left = {{ rhel9stig_audit_conf.space_left }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)space_left\s*= + line: space_left = "{{ rhel9stig_audit_conf.space_left }}" - name: "MEDIUM | RHEL-09-653040 | PATCH | RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." when: @@ -672,9 +671,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: space_left_action = {{ rhel9stig_audit_conf.space_left_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)space_left_action\s*= + line: space_left_action = "{{ rhel9stig_audit_conf.space_left_action }}" - name: "MEDIUM | RHEL-09-653045 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity." when: @@ -689,9 +688,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: admin_space_left = {{ rhel9stig_audit_conf.admin_space_left }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)admin_space_left\s*= + line: admin_space_left = "{{ rhel9stig_audit_conf.admin_space_left }}" - name: "MEDIUM | RHEL-09-653050 | PATCH | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity." when: @@ -706,9 +705,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: admin_space_left_action = {{ rhel9stig_audit_conf.admin_space_left_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)admin_space_left_action\s* + line: admin_space_left_action = "{{ rhel9stig_audit_conf.admin_space_left_action }}" - name: "MEDIUM | RHEL-09-653055 | PATCH | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size." when: 
@@ -723,9 +722,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: max_log_file_action = {{ rhel9stig_audit_conf.max_log_file_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)max_log_file_action + line: max_log_file_action = "{{ rhel9stig_audit_conf.max_log_file_action }}" - name: "MEDIUM | RHEL-09-653060 | PATCH | RHEL 9 must label all offloaded audit logs before sending them to the central log server." when: @@ -741,9 +740,9 @@ - NIST800-53R4_AU-4 - auditd ansible.builtin.lineinfile: - line: name_format = {{ rhel9stig_audit_conf.name_format }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)name_format + line: name_format = "{{ rhel9stig_audit_conf.name_format }}" - name: "MEDIUM | RHEL-09-653065 | PATCH | RHEL 9 must take appropriate action when the internal event queue is full." when: @@ -758,9 +757,9 @@ - NIST800-53R4_AU-4 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = "{{ rhel9stig_audit_conf.overflow_action }}" - name: "MEDIUM | RHEL-09-653070 | PATCH | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." when: @@ -778,9 +777,9 @@ - NIST800-53R4_AU-5 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: overflow_action = "{{ rhel9stig_audit_conf.overflow_action }}" - name: "MEDIUM | RHEL-09-653075 | PATCH | RHEL 9 audit system must audit local events." when: 
@@ -798,9 +797,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: overflow_action = {{ rhel9stig_audit_conf.overflow_action }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)overflow_action + line: "overflow_action = {{ rhel9stig_audit_conf.overflow_action }}" - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access." when: @@ -822,9 +821,9 @@ block: - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | set logfile_group" ansible.builtin.lineinfile: - line: log_group = {{ rhel9stig_audit_conf.logfile_group }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)log_group + line: log_group = "{{ rhel9stig_audit_conf.logfile_group }}" - name: "MEDIUM | RHEL-09-653080 | PATCH | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Set perms" ansible.builtin.file: @@ -886,9 +885,9 @@ - NIST800-53R4_AU-6 - auditd ansible.builtin.lineinfile: - line: freq = {{ rhel9stig_audit_conf.freq }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)freq\s*= + line: freq = "{{ rhel9stig_audit_conf.freq }}" - name: "MEDIUM | RHEL-09-653100 | PATCH | RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event." when: @@ -906,9 +905,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: log_format = {{ rhel9stig_audit_conf.log_format }} path: /etc/audit/auditd.conf regexp: ^(#|\s*)log_format\s*= + line: log_format = "{{ rhel9stig_audit_conf.log_format }}" - name: "MEDIUM | RHEL-09-653105 | PATCH | RHEL 9 must write audit records to disk." when: 
@@ -923,9 +922,9 @@ - NIST800-53R4_CM-6 - auditd ansible.builtin.lineinfile: - line: write_logs = {{ rhel9stig_audit_conf.write_logs }} path: /etc/audit/auditd.conf regexp: ^\s*write_logs + line: write_logs = "{{ rhel9stig_audit_conf.write_logs }}" - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." when: @@ -981,6 +980,6 @@ - NIST800-53R4_AU-5 - postfix ansible.builtin.lineinfile: - line: 'root: ISSO' path: /etc/aliases regexp: '^root:\s.*' + line: 'root: ISSO' diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index cd6fdac..c3f75f6 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -55,9 +55,9 @@ - fips - tunnel ansible.builtin.lineinfile: - line: include /etc/crypto-policies/back-ends/libreswan.config path: /etc/ipsec.conf regexp: ^(|\s*)include /etc/crypto-policies/back-ends + line: include /etc/crypto-policies/back-ends/libreswan.config - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: 
@@ -81,11 +81,11 @@ - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: rhel9stig_pamunix_fips_auth_status.stdout | length == 0 ansible.builtin.lineinfile: - backrefs: true - insertafter: '^password' - line: '\1required\3 sha512"\4' path: /etc/pam.d/password-auth regexp: '^(password\s+)(sufficient)(\s+pam_pwquality.so.*)\ssha512\d(.*)' + line: '\1required\3 sha512"\4' + insertafter: '^password' + backrefs: true - name: "MEDIUM | RHEL-09-671025 | PATCH | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication." when: rhel9stig_pamunix_fips_auth_status.stdout | length > 0 @@ -208,9 +208,9 @@ - ssl notify: Change_requires_reboot ansible.builtin.lineinfile: - line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config' path: /etc/pki/tls/openssl.cnf regexp: ^(|\s*)\.include = /etc/crypto-policies + line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config' - name: "MEDIUM | RHEL-09-672040 | PATCH | RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package." when: @@ -226,9 +226,9 @@ - ssl notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "{{ item.line }}" path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: "{{ item.regexp }}" + line: "{{ item.line }}" loop: - {line: 'TLS.MinProtocol = TLSv1.2', regexp: '^(\s*|#)TLS.MinProtocol = '} - {line: 'DTLS.MinProtocol = DTLSv1.2', regexp: '^(\s*|#)DTLS.MinProtocol = '} @@ -298,6 +298,6 @@ - bind - encryption ansible.builtin.lineinfile: - line: 'include "/etc/crypto-policies/back-ends/bind.config";' path: /etc/named.conf regexp: ^(|\s*)include = /etc/crypto-policies + line: 'include "/etc/crypto-policies/back-ends/bind.config";' 
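Review bot: The moved `line: '\1required\3 sha512"\4'` in the RHEL-09-671025 hunk carries a stray `"` before `\4`, so a successful match would write a literal double quote into /etc/pam.d/password-auth. The regexp just above it also matches a `pam_pwquality.so` entry followed by `sha512` and a digit, which does not look like the pam_unix.so line the task name describes; this appears to be a copy of the 611010 retry task rather than a pam_unix hashing change, though the companion task that runs when the status check finds a match is outside this hunk. Suggested minimum: `line: '\1required\3 sha512\4'`, a regexp that targets the pam_unix.so entry, and a comment on the task stating which existing line it is meant to rewrite.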
diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml index 8b29b1e..d38cbe0 100644 --- a/tasks/Cat3/RHEL-09-2xxxxx.yml +++ b/tasks/Cat3/RHEL-09-2xxxxx.yml @@ -103,9 +103,9 @@ - NIST800-53R4_SI-2 - dnf ansible.builtin.lineinfile: - line: clean_requirements_on_remove=1 path: /etc/dnf/dnf.conf regexp: ^(#|\s*)clean_requirements_on_remove + line: clean_requirements_on_remove=1 - name: "LOW | RHEL-09-231020 | AUDIT | RHEL 9 must use a separate file system for /var." when: @@ -214,9 +214,9 @@ - NIST800-53R4_CM-7 - chrony ansible.builtin.lineinfile: - line: 'port 0' path: /etc/chrony.conf regexp: ^(#|\s*)port \d* + line: 'port 0' - name: "LOW | RHEL-09-252030 | PATCH | RHEL 9 must disable network management of the chrony daemon." when: @@ -233,9 +233,9 @@ - NIST800-53R4_CM-7 - chrony ansible.builtin.lineinfile: - line: 'cmdport 0' path: /etc/chrony.conf regexp: ^(#|\s*)cmdport \d* + line: 'cmdport 0' - name: "LOW | RHEL-09-291025 | PATCH | RHEL 9 must disable network management of the chrony daemon." when: @@ -250,6 +250,6 @@ - NIST800-53R4_AU-12 - usb ansible.builtin.lineinfile: - line: AuditBackend=LinuxAudit path: /etc/usbguard/usbguard-daemon.conf regexp: AuditBackend= + line: AuditBackend=LinuxAudit diff --git a/tasks/Cat3/RHEL-09-4xxxxx.yml b/tasks/Cat3/RHEL-09-4xxxxx.yml index 657ada8..79a2c64 100644 --- a/tasks/Cat3/RHEL-09-4xxxxx.yml +++ b/tasks/Cat3/RHEL-09-4xxxxx.yml @@ -34,9 +34,9 @@ - NIST800-53R4_AC-10 - limits ansible.builtin.lineinfile: - line: "* hard maxlogins 10" path: /etc/security/limits.conf regexp: '^\s*\*\s+hard\s+maxlogins\s+\d{1,}' + line: "* hard maxlogins 10" - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." when: 
@@ -53,10 +53,10 @@ block: - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." ansible.builtin.lineinfile: - insertbefore: BOF - line: session required pam_lastlog.so showfailed path: /etc/pam.d/postlogin regex: session required pam_lastlog.so showfailed + line: session required pam_lastlog.so showfailed + insertbefore: BOF - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." ansible.builtin.replace: