From 37a0ce9120c3bc5f3b37e135fec492d0c542b68b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 19 Apr 2024 10:45:01 +0100
Subject: [PATCH 1/4] added kexec pkg chekc to 213115

Signed-off-by: Mark Bolwell
---
 tasks/Cat2/RHEL-09-21xxxx.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
index cd569fe..2ab0296 100644
--- a/tasks/Cat2/RHEL-09-21xxxx.yml
+++ b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -808,6 +808,7 @@
 - name: "MEDIUM | RHEL-09-213115 | PATCH | The kdump service on RHEL 9 must be disabled."
   when:
     - rhel_09_213115
+    - "'kexec-tools' in ansible_facts.packages"
   tags:
     - RHEL-09-213115
     - CAT2

From 0c844305f65a9b5efd7ca5694ec5461d9488f8de Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 19 Apr 2024 11:04:49 +0100
Subject: [PATCH 2/4] Applied #6 fix

Signed-off-by: Mark Bolwell
---
 tasks/Cat2/RHEL-09-25xxxx.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
index 291db5b..ef7c1da 100644
--- a/tasks/Cat2/RHEL-09-25xxxx.yml
+++ b/tasks/Cat2/RHEL-09-25xxxx.yml
@@ -195,16 +195,18 @@
 - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
   when:
     - not rhel9stig_disruption_high
-    - item not in rhel9stig_promisc_if
+    - item in rhel9stig_promisc_if
   ansible.builtin.debug:
     msg: "Warning!! You have interfaces set to promicious mode no in the exception list"
+  loop: "{{ ansible_facts.interfaces }}"
 
 - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
   when:
     - not rhel9stig_disruption_high
-    - item not in rhel9stig_promisc_if
-  ansible.builtin.import_tasks:
+    - item in rhel9stig_promisc_if
+  ansible.builtin.include_tasks:
     file: warning_facts.yml
+  loop: "{{ ansible_facts.interfaces }}"
 
 - name: "MEDIUM | RHEL-09-251045 | PATCH | RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler."
   when:
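Review bot: The added guard `'kexec-tools' in ansible_facts.packages` assumes package facts have already been gathered for the host; if `ansible_facts.packages` is undefined at this point the `when` evaluation errors out instead of skipping the task. If prelim does not already guarantee a `package_facts` run before Cat2, guard it with `- ansible_facts.packages is defined` ahead of the membership test. The task body is outside the hunk.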
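Review bot: The new `loop` walks every entry of `ansible_facts.interfaces`, but neither condition checks whether `item` is actually in promiscuous mode, and `item in rhel9stig_promisc_if` fires for interfaces that are on that list rather than off it — so if `rhel9stig_promisc_if` is the exception list the debug message describes, the warning is raised for exactly the wrong set. Worth confirming what that variable holds where it is defined (outside this hunk); if it is the exception list, the per-interface fact is the thing to test, e.g. `- ansible_facts[item].promisc | default(false)` together with `- item not in rhel9stig_promisc_if`, in both tasks of this hunk. The message text `promicious mode no in the exception list` also reads as a typo for `promiscuous mode not in the exception list`.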
From eb795cf3c283355d6684f45d83f44829f19bdb9a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 19 Apr 2024 11:49:10 +0100
Subject: [PATCH 3/4] added fix for #2

Signed-off-by: Mark Bolwell
---
 tasks/Cat2/RHEL-09-65xxxx.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
index ba4d828..04a0583 100644
--- a/tasks/Cat2/RHEL-09-65xxxx.yml
+++ b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -177,7 +177,7 @@
 
 - name: "MEDIUM | RHEL-09-652025 | PATCH | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."
   when:
-    - rhel9stig_rsyslog_conf.matched > 0
+    - rhel9stig_rsyslog_conf.matched > 1
   ansible.builtin.lineinfile:
     backrefs: true
     line: '#\1\2\3'

From 764605b8825da39284756663d65f35807ed1403f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 19 Apr 2024 14:20:43 +0100
Subject: [PATCH 4/4] updated some logic on auditd files and dirs

Signed-off-by: Mark Bolwell
---
 tasks/Cat2/RHEL-09-65xxxx.yml | 20 ++++++--------------
 tasks/prelim.yml              | 11 +++++++++++
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
index 04a0583..401766b 100644
--- a/tasks/Cat2/RHEL-09-65xxxx.yml
+++ b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -635,7 +635,8 @@
     msg:
       - "WARNING!! Below is the path and size of the partition for the audit logs."
       - "Please make sure there is enough disk space for 1 week of logs"
-      - "Path: {{ rhel9stig_audit_conf.logfile }}"
+      - "Munt: {{ rhel9stig_audit_log_filesystem }}"
+      - "Logfile: {{ discovered_auditd_logfile.stdout }}"
       - "Disk Space remaining: {{ audit_filesystem_space_left }}MB"
 
 - name: "MEDIUM | RHEL-09-653030 | WARN | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records."
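Review bot: `rhel9stig_rsyslog_conf.matched > 1` now skips the remediation whenever exactly one rsyslog configuration file was found, which on a stock host is the common case (a single main config holding the lines the `lineinfile` below comments out). If the intent is to exclude a known default match, the threshold deserves a comment saying so; otherwise `> 0` with a per-file check looks like the safer condition. The lookup that populates `rhel9stig_rsyslog_conf` and the task's `path`/`regexp` are outside the hunk, so this is inferred from the variable name and its `matched` attribute.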
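Review bot: The new `Logfile:` line renders `discovered_auditd_logfile.stdout`, which is registered by the prelim task added later in this series, but that task's `when` only lists `rhel_09_653085` (twice) and `rhel_09_653090`, so a run with only the 653030 control enabled (this debug sits directly before the `RHEL-09-653030 | WARN` task, so presumably belongs to it) hits an undefined variable. Add `rhel_09_653030` to that prelim condition — the duplicated `rhel_09_653085` is presumably meant to be it — or give this message a `| default('unknown')` fallback. The same register feeds the `path:` lines in the hunks at -850 and -869 of this file. `Munt:` in the new message text is presumably `Mount:`. The enclosing task starts outside the hunk.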
@@ -850,7 +851,7 @@
     - auditd
   ansible.builtin.file:
     owner: root
-    path: "{{ rhel9stig_audit_log_filesystem }}"
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
   when:
@@ -869,18 +870,9 @@
     - NIST800-53R4_AU-9
     - NIST800-53R4_SI-11
     - auditd
-  block:
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0600'
-        path: "{{ rhel9stig_audit_conf.logfile }}"
-
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0440'
-        path: "{{ item }}"
-      with_fileglob:
-        - "{{ rhel9stig_audit_conf.logfile }}*"
+  ansible.builtin.file:
+    mode: go-rwx
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
   when:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 5059445..8c92d81 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -158,6 +158,17 @@
     - SRG-OS-000475-GPOS-00220
     - auditd
 
+- name: "PRELIM | Discover auditd_logfile_path"
+  when:
+    - rhel_09_653085 or
+      rhel_09_653085 or
+      rhel_09_653090
+  tags:
+    - always
+  ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
+  changed_when: false
+  register: discovered_auditd_logfile
+
 # - name: "PRELIM | Audit conf and rules files | list files"
 #   ansible.builtin.find:
 #     path: /etc/audit
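Review bot: The replacement drops the `with_fileglob` task that also tightened the rotated audit logs (`{{ rhel9stig_audit_conf.logfile }}*`), so rotated files are no longer touched; if the STIG check inspects every file under the audit log directory rather than the active log alone, this is a regression. Consider keeping a glob over `{{ discovered_auditd_logfile.stdout }}*` next to the single-file task. The symbolic `go-rwx` also leaves owner bits as found, so an active log at `0700` is not brought to 0600 or stricter; `u=rw,go=` (or the previous `'0600'`) would. The task's `name` and `when` are outside the hunk.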
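Review bot: The discovery task has no `check_mode: false`, so under `--check` the shell step is skipped and `discovered_auditd_logfile` is never registered, and when `grep` matches no `log_file` line its `stdout` is empty, so the consumers in RHEL-09-65xxxx.yml (the -635, -850 and -869 hunks) end up with an empty `path:`. Add `check_mode: false` and make the empty case explicit, e.g. `failed_when: discovered_auditd_logfile.stdout | length == 0`, rather than letting the later `file` tasks fail on a blank path. Since the pipeline is static, reading `/etc/audit/auditd.conf` with `ansible.builtin.slurp` and a `regex_search` would also avoid the shell invocation.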