diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 494540a..cb848d4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,7 +36,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks diff --git a/README.md b/README.md index 2528458..d3d1d37 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ ## Configure a RHEL9 based system to be complaint with Disa STIG -This role is based on RHEL 9 DISA STIG: [Version 1, Rel 2 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R2_STIG.zip). +This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R3_STIG.zip). -## Initial Relase from STIG, still many items that not quite aligned in the documentation +## Initial Release from STIG, still many items that not quite aligned in the documentation --- diff --git a/defaults/main.yml b/defaults/main.yml index e052144..1ec00d2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r2' +benchmark_version: 'v1r3' ## Benchmark name used by audting control role # The audit variable found at the base @@ -323,7 +323,6 @@ rhel_09_255045: true rhel_09_255055: true rhel_09_255060: true rhel_09_255065: true -rhel_09_255070: true rhel_09_255075: true rhel_09_255080: true rhel_09_255085: true @@ -617,8 +616,7 @@ rhel9stig_sshd_config: kerbauth: 'no' lastlog: 'yes' loglevel: VERBOSE - macs_clients: "{{ rhel9stig_dod_macs_clients }}" - macs_server: "{{ rhel9stig_dod_macs_server }}" + macs: "{{ rhel9stig_dod_macs }}" pubkeyauth: 'yes' permitroot: 'no' privsep: sandbox 
@@ -822,7 +820,7 @@ rhel9stig_remotelog_server: # Ensure this matches the filesystem where the audit logs are stored. # It will affect checks for control RHEL-09-653030 -rhel9stig_audit_log_filesystem: /var/log/audit +rhel9stig_audit_log_filesystem: '/var/log/audit' rhel9stig_audit_conf: action_mail_acct: root admin_space_left: 5% diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index bed37bc..aea5cdb 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml @@ -182,19 +182,19 @@ - name: HIGH | RHEL-09-215060 | PATCH | RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. when: - - "'tftp' in ansible_facts.packages" + - "'tftp-server' in ansible_facts.packages" - rhel_09_215060 tags: - RHEL-09-215060 - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257835r925492_rule + - SV-257835r952171_rule - V-257835 - NIST800-53R4_CM-6 - tftp ansible.builtin.package: - name: tftp + name: tftp-server state: absent - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification @@ -323,7 +323,7 @@ - SRG-OS-000106-GPOS-00053 - SRG-OS-000480-GPOS-00229 - SRG-OS-000480-GPOS-00227 - - SV-257984r943034_rule + - SV-257984r952179_rule - V-257984 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 @@ -343,7 +343,7 @@ - CAT1 - CCI-000877 - SRG-OS-000125-GPOS-00065 - - SV-257986r943038_rule + - SV-257986r952183_rule - V-257986 - NIST800-53R4_MA-4 - ssh diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index 315674d..2db8718 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml @@ -346,7 +346,7 @@ - CCI-001084 - SRG-OS-000433-GPOS-00192 - SRG-OS-000134-GPOS-00068 - - SV-257794r925369_rule + - SV-257794r952164_rule - V-257794 - NIST800-53R4_SC-3 - NIST800-53R4_SI-16 
@@ -602,7 +602,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-257807r925408_rule + - SV-257807r952166_rule - V-257807 - NIST800-53R4_CM-7 vars: @@ -662,7 +662,7 @@ - CCI-001082 - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - - SV-257810r942977_rule + - SV-257810r952168_rule - V-257810 - NIST800-53R4_CM-6 - NIST800-53R4_SC-2 diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 1a59fd7..df5d11d 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -925,7 +925,7 @@ - CCI-001388 - SRG-OS-000023-GPOS-00006 - SRG-OS-000228-GPOS-00088 - - SV-257981r943028_rule + - SV-257981r952173_rule - V-257981 - NIST800-53R4_AC-8 - ssh @@ -945,7 +945,7 @@ - CAT2 - CCI-000067 - SRG-OS-000032-GPOS-00013 - - SV-257982r943030_rule + - SV-257982r952175_rule - V-257982 - NIST800-53R4_AC-17 - ssh @@ -971,7 +971,7 @@ - SRG-OS-000106-GPOS-00053 - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 - - SV-257983r943032_rule + - SV-257983r952177_rule - V-257983 - NIST800-53R4_IA-2 - ssh @@ -993,7 +993,7 @@ - CCI-000770 - SRG-OS-000109-GPOS-00056 - SRG-OS-000480-GPOS-00227 - - SV-257985r943036_rule + - SV-257985r952181_rule - V-257985 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 @@ -1014,7 +1014,7 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-257987r925948_rule + - SV-257987r952185_rule - V-257987 - NIST800-53R4_AC-17 - ssh 
@@ -1059,26 +1059,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/openssh.config - regexp: ^Ciphers line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - -- name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." - when: - - rhel_09_255070 - tags: - - RHEL-09-255070 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-257990r925957_rule - - V-257990 - - NIST800-53R4_AC-17 - notify: Change_requires_reboot - ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/openssh.config - regexp: ^MACs - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" + regexp: ^Ciphers - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1088,14 +1071,14 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-257991r925960_rule + - SV-257991r952188_rule - V-257991 - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config + path: /etc/crypto-policies/back-ends/openssh.config regexp: ^MACs - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" + line: "MACs {{ rhel9stig_sshd_config.macs | join(',') }}" - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system." when: @@ -1105,7 +1088,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257992r943040_rule + - SV-257992r952190_rule - V-257992 - NIST800-53R4_CM-6 - ssh @@ -1125,7 +1108,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00229 - - SV-257993r943042_rule + - SV-257993r952192_rule - V-257993 - NIST800-53R4_CM-6 - ssh 
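Review bot: The RHEL-09-255075 task is a server control by its own title, yet its `path` now points at `/etc/crypto-policies/back-ends/openssh.config`, which on the old side of this diff was the file edited by the removed client task (RHEL-09-255070, hunk @@ -1059), while `opensshserver.config` was the back-end the server task wrote. After this change nothing in the diff writes a `MACs` line to `opensshserver.config`, so the sshd MAC restriction this control exists for is presumably no longer enforced unless another task outside the diff covers it. If the merged `rhel9stig_sshd_config.macs` list is intended for both sides, restore `path: /etc/crypto-policies/back-ends/opensshserver.config` here and keep a separate lineinfile task for the client back-end rather than re-pointing the server one. The task's `name`, `when` and the start of its `tags` lie above this hunk.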
@@ -1149,7 +1132,7 @@ - SRG-OS-000423-GPOS-00187 - SRG-OS-000033-GPOS-00014 - SRG-OS-000424-GPOS-00188 - - SV-257994r943044_rule + - SV-257994r952194_rule - V-257994 - NIST800-53R4_AC-17 - NIST800-53R4_SC-8 @@ -1173,7 +1156,7 @@ - CCI-002421 - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 - - SV-257995r942963_rule + - SV-257995r952196_rule - V-257995 - NIST800-53R4_SC-10 - NIST800-53R4_AC-12 @@ -1200,7 +1183,7 @@ - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 - SRG-OS-000395-GPOS-00175 - - SV-257996r943046_rule + - SV-257996r952198_rule - V-257996 - NIST800-53R4_MA-4 - NIST800-53R4_SC-10 @@ -1320,7 +1303,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258002r925993_rule + - SV-258002r952200_rule - V-258002 - NIST800-53R4_CM-6 - ssh @@ -1342,7 +1325,7 @@ - CCI-001813 - SRG-OS-000364-GPOS-00151 - SRG-OS-000480-GPOS-00227 - - SV-258003r925996_rule + - SV-258003r952202_rule - V-258003 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 @@ -1365,7 +1348,7 @@ - CCI-001813 - SRG-OS-000364-GPOS-00151 - SRG-OS-000480-GPOS-00227 - - SV-258004r925999_rule + - SV-258004r952204_rule - V-258004 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 @@ -1386,7 +1369,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258005r926002_rule + - SV-258005r952206_rule - V-258005 - NIST800-53R4_CM-6 - ssh @@ -1406,7 +1389,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258006r926005rule + - SV-258006r952208_rule - V-258006 - NIST800-53R4_CM-6 - ssh @@ -1426,7 +1409,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258007r943048_rule + - SV-258007r952210_rule - V-258007 - NIST800-53R4_CM-6 - ssh @@ -1446,7 +1429,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258008r926011rule + - SV-258008r952212_rule - V-258008 - NIST800-53R4_CM-6 - ssh @@ -1466,7 +1449,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258009r926014rule + - SV-258009r952214_rule - V-258009 - NIST800-53R4_CM-6 - ssh 
@@ -1486,7 +1469,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258010r926017rule + - SV-258010r952216_rule - V-258010 - NIST800-53R4_CM-6 - ssh @@ -1506,7 +1489,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258011r943050_rule + - SV-258011r952218_rule - V-258011 - NIST800-53R4_CM-6 - ssh diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index c349ba9..e0d79bb 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -256,7 +256,7 @@ warn_control_id: "MEDIUM | RHEL-09-672045" block: - name: "MEDIUM | RHEL-09-672045 | AUDIT | RHEL 9 must implement a system-wide encryption policy." - ansible.builtin.shell: update-crypto-policies --check + ansible.builtin.shell: update-crypto-policies --show changed_when: false failed_when: crypto_policies_check.rc not in [0 , 1] register: crypto_policies_check diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e684480..18ac52c 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -274,7 +274,6 @@ rhel_09_255045: {{ rhel_09_255045 }} rhel_09_255055: {{ rhel_09_255055 }} rhel_09_255060: {{ rhel_09_255060 }} rhel_09_255065: {{ rhel_09_255065 }} -rhel_09_255070: {{ rhel_09_255070 }} rhel_09_255075: {{ rhel_09_255075 }} rhel_09_255080: {{ rhel_09_255080 }} rhel_09_255085: {{ rhel_09_255085 }} @@ -659,16 +658,7 @@ rhel9stig_sshd_config: kerbauth: {{ rhel9stig_sshd_config.kerbauth }} lastlog: {{ rhel9stig_sshd_config.lastlog }} loglevel: {{ rhel9stig_sshd_config.loglevel }} - macs_clients: - {% for macs in rhel9stig_sshd_config.macs_clients %} - - {{ macs }} - {% endfor -%} - - macs_server: - {% for macs in rhel9stig_sshd_config.macs_server %} - - {{ macs }} - {% endfor -%} - + macs: {{ rhel9stig_sshd_config.macs }} pubkeyauth: {{ rhel9stig_sshd_config.pubkeyauth }} permitroot: {{ rhel9stig_sshd_config.permitroot }} privsep: {{ rhel9stig_sshd_config.privsep }} 
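Review bot: Switching the audit command to `update-crypto-policies --show` only reports the configured policy name, whereas `--check` verified that the generated back-end files were still consistent with that policy, so the drift check is lost; the retained `failed_when: crypto_policies_check.rc not in [0 , 1]` was presumably sized for a non-zero `--check` result and now tolerates rc 1 for no reason visible in the hunk. If the assertion below the hunk compares `crypto_policies_check.stdout` against the expected policy name, `--show` suits that test, but consider keeping a second `update-crypto-policies --check` task so a locally edited back-end file is still detected. The command uses no shell features, so `ansible.builtin.command: update-crypto-policies --show` is the tighter module choice. The enclosing `block:` continues past the hunk.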
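Review bot: `macs: {{ rhel9stig_sshd_config.macs }}` renders the Jinja list as its Python repr, which YAML accepts as a flow sequence only because these values happen to be plain identifiers; the removed `macs_clients`/`macs_server` entries rendered their lists as block sequences through an explicit `{% for %}` loop. For consistency with the rest of the template and to avoid depending on repr formatting, keep the loop form the removed entries used, with `macs:` as the key and `{% for mac in rhel9stig_sshd_config.macs %}` / `- {{ mac }}` as the body.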
diff --git a/vars/audit.yml b/vars/audit.yml index 9dc666a..13777d5 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -26,8 +26,8 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.4 - AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' + release: v0.4.7 + AMD64_checksum: 'sha256:1206cc17af6d529baefae79c0cad6383c75f3cc68dc152632d393be827b13d5f' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json diff --git a/vars/main.yml b/vars/main.yml index 4ee1fc5..490834c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -32,20 +32,19 @@ update_audit_template: false # DOD encryption rhel9stig_dod_ciphers: - aes256-gcm@openssh.com -- chacha20-poly1305@openssh.com +# - chacha20-poly1305@openssh.com # Removed due to terrapin ssh cve - aes256-ctr - aes128-gcm@openssh.com - aes128-ctr -rhel9stig_dod_macs_clients: +rhel9stig_dod_macs: - hmac-sha2-256-etm@openssh.com +# - hmac-sha1-etm@openssh.com +# - umac-128-etm@openssh.com - hmac-sha2-256 - hmac-sha2-512-etm@openssh.com +# - hmac-sha1 +# - umac-128@openssh.com - hmac-sha2-512 -rhel9stig_dod_macs_server: # Server also has client mac listed above don't duplicate -- hmac-sha1-etm@openssh.com -- umac-128-etm@openssh.com -- hmac-sha1 -- umac-128@openssh.com rhel9stig_dod_kex: # Defaults added for searches
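Review bot: The four MACs dropped from the merged `rhel9stig_dod_macs` list (`hmac-sha1-etm@openssh.com`, `umac-128-etm@openssh.com`, `hmac-sha1`, `umac-128@openssh.com`) are left as commented-out entries with no reason given, while the cipher removal above them is annotated, so a reader cannot tell whether the STIG revision or this role's own judgement removed them. Either delete the dead entries or add a comment on the first one, e.g. `# dropped from the DoD MAC list in <STIG revision/rule that changed>` with the real reference filled in. The Terrapin note on `chacha20-poly1305@openssh.com` would also benefit from one more clause: not offering the cipher keeps that mode from being negotiated, but the upstream countermeasure (the strict key-exchange extension) applies separately and should not be assumed covered by this list alone.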