Update the numbering to the release from the draft (#14)

* Update from Draft to Released STIG * Increase coverage based on OSCAP reporting * Continued cleanup against oscap report
samdoran · May 24, 2017 · ee09a1f · ee09a1f
1 parent 9be00d5
commit ee09a1f
Show file tree

Hide file tree

Showing 13 changed files with 928 additions and 729 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 *.pyc
+
+*.retry
diff --git a/README.md b/README.md
@@ -5,7 +5,8 @@ RHEL 7 DISA STIG
 
 Configure a RHEL 7 system to be DISA STIG compliant. CAT I findings will be corrected and audited by default. CAT II and III findings can be enabled by setting the appropriate variables to `yes`.
 
-The RHEL 7 STIG is currently in draft form. This role is based on [Version 1, Revision 0.2 released on July 15, 2016](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx).
+
+This role is based on RHEL 7 DISA STIG: [Version 1, Rel 1 released on March 13, 2017](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx).
 
 
 Requirements
@@ -26,6 +27,7 @@ Role Variables
 | `rhel7stig_cat3_patch` | `no`  | Correct CAT III findings      |
 | `rhel7stig_gui` | `no` | Whether or not to run tasks related to auditing/patching the desktop environment |
 | `rhel7stig_av_package` | `no` | Anti-virus package(s) to install and service to start and enable. |
+| `rhel7stig_antivirus_required` | `no` | Weather or not an antivirus must be installed |
 | `rhel7stig_time_service` | `chronyd` | Set to `ntpd` or `chronyd`. |
 | `rhel7stig_lftpd_required` | `no` | If set to `no`, remove `lftpd`. |
 | `rhel7stig_tftp_required` | `no` | If set to `no`, remove `tftp` client and server packages. |

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,6 @@
 rhel7stig_cat1_patch: yes
-rhel7stig_cat2_patch: no
-rhel7stig_cat3_patch: no
+rhel7stig_cat2_patch: yes
+rhel7stig_cat3_patch: yes
 
 # These values match patch values by defaults. To override these values,
 # set them in group_vars, host_vars, or with the -e flag via CLI
@@ -11,14 +11,19 @@ rhel7stig_cat3_audit: "{{ rhel7stig_cat3_patch }}"
 # Whether or not to run tasks related to auditing/patching the desktop environment
 rhel7stig_gui: no
 
-# RHEL-07-040730
+# RHEL-07-040740
 # If system is not router, run tasks that disable router functions.
 rhel7stig_system_is_router: no
 
-# RHEL-07-030810
+# RHEL-07-032000
 # Install and enable a DOD-approved AV program. ClamAV and McAfee (nails)
 # are the currently approved applications. This variable is used in two separate
 # tasks that will install the package and start and enable the service.
+
+# Only set this to true if you have a valid
+# antivirus solution in your repositories, else it will fail every time.
+rhel7stig_antivirus_required: no
+
 rhel7stig_av_package:
     package:
         - clamav
@@ -50,3 +55,14 @@ rhel7stig_boot_password_config:
     - regexp: ^password_pbkdf2 root
       line: password_pbkdf2 root {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}
 
+# AIDE settings
+rhel7stig_aide_cron:
+  aide_job: '/usr/sbin/aide --check'
+  aide_minute: '05'
+  aide_hour: '4'
+  aide_day: '*'
+  aide_month: '*'
+  aide_weekday: '*'
+
+# Set maximum number of simultaneous system logins (RHEL-07-040000)
+rhel7stig_maxlogins: 10
diff --git a/filter_plugins/filters.py b/filter_plugins/filters.py
@@ -1,9 +1,9 @@
 import crypt
 from random import SystemRandom, shuffle
-from passlib.hash import grub_pbkdf2_sha512
 import string
 try:
     import passlib.hash
+    from passlib.hash import grub_pbkdf2_sha512
     HAS_PASSLIB = True
 except:
     HAS_PASSLIB = False

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -21,3 +21,10 @@
   service:
       name: "{{ rhel7stig_time_service }}"
       state: restarted
+
+- name: init aide
+  command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
+  async: 45
+  poll: 0
+  tags:
+    - aide
diff --git a/tasks/audit-cat1.yml b/tasks/audit-cat1.yml
@@ -1,5 +1,7 @@
 - name: "HIGH | RHEL-07-010010 | AUDIT | The file permissions, ownership, and group membership of system files and commands must match the vendor values."
   shell: 'rpm -Va | grep ''^.M'''
+  args:
+    warn: no
   failed_when: no
   changed_when: no
   ignore_errors: yes
@@ -9,7 +11,6 @@
       - high
       - audit
       - RHEL-07-010010
-      - always
       - rpm
 
 - name: "HIGH | RHEL-07-010020 | AUDIT | The cryptographic hash of system files and commands must match vendor values."
@@ -23,7 +24,6 @@
       - high
       - audit
       - RHEL-07-010020
-      - always
 
 - name: "HIGH | RHEL-07-010460 | AUDIT | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
   command: grep -i ^password_pbkdf2 /boot/grub2/grub.cfg
@@ -36,7 +36,6 @@
       - high
       - audit
       - RHEL-07-010460
-      - always
 
 - name: "HIGH | RHEL-07-010470 | AUDIT | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
   command: grep -i ^password_pbkdf2 /boot/efi/EFI/redhat/grub.cfg
@@ -74,48 +73,44 @@
       - high
       - audit
       - RHEL-07-020310
-      - always
 
-- name: "HIGH | RHEL-07-040330 | AUDIT | There must be no .shosts files on the system."
+- name: "HIGH | RHEL-07-040540 | AUDIT | There must be no .shosts files on the system."
   find:
       paths: /
       recurse: yes
       hidden: yes
       patterns: '*.shosts'
-  register: rhel_07_040330_audit
+  register: rhel_07_040540_audit
   tags:
       - cat1
       - high
       - audit
-      - RHEL-07-040330
-      - always
+      - RHEL-07-040540
 
-- name: "HIGH | RHEL-07-040331 | AUDIT | There must be no shosts.equiv files on the system."
+- name: "HIGH | RHEL-07-040550 | AUDIT | There must be no shosts.equiv files on the system."
   find:
       paths: /
       recurse: yes
       patterns: shosts.equiv
-  register: rhel_07_040331_audit
+  register: rhel_07_040550_audit
   tags:
       - cat1
       - high
       - audit
-      - RHEL-07-040331
-      - always
+      - RHEL-07-040550
 
-- name: "HIGH | RHEL-07-040580 | AUDIT | SNMP community strings must be changed from the default."
+- name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings must be changed from the default."
   command: grep {{ item }} /etc/snmp/snmpd.conf
   failed_when: no
   changed_when: no
   ignore_errors: yes
   with_items:
       - public
       - private
-  register: rhel_07_040580_audit
+  register: rhel_07_040800_audit
   tags:
       - cat1
       - high
       - audit
-      - RHEL-07-040580
-      - always
+      - RHEL-07-040800
       - snmp
diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml
@@ -1,26 +1,50 @@
-- name: "MEDIUM | RHEL-07-010210 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
+- name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
   command: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
-  register: rhel_07_010210_audit
+  register: rhel_07_010240_audit
   failed_when: no
   changed_when: no
   ignore_errors: yes
   tags:
       - cat2
       - medium
       - audit
-      - RHEL-07-010210
+      - RHEL-07-010240
 
-- name: "MEDIUM | RHEL-07-010230 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
+- name: "MEDIUM | RHEL-07-010260 | AUDIT | Existing passwords must be restricted to a 60-day maximum lifetime."
   command: "awk -F: '$5 > 60 {print $1}' /etc/shadow"
-  register: rhel_07_010230_audit
+  register: rhel_07_010260_audit
   failed_when: no
   changed_when: no
   ignore_errors: yes
   tags:
       - cat2
       - medium
       - audit
-      - RHEL-07-010230
+      - RHEL-07-010260
+
+- name: "MEDIUM | RHEL-07-020320 | AUDIT | All files and directories must have a valid owner."
+  command: find / -xdev -fstype xfs -nouser
+  register: rhel_07_020320_audit
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  tags:
+      - cat2
+      - medium
+      - audit
+      - RHEL-07-020320
+
+- name: "MEDIUM | RHEL-07-020330 | AUDIT | All files and directories must have a valid group owner."
+  command: find / -xdev -fstype xfs -nogroup
+  register: rhel_07_020330_audit
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  tags:
+      - cat2
+      - medium
+      - audit
+      - RHEL-07-020330
 
 - name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
   command: grep -i useldapauth /etc/sysconfig/authconfig
@@ -35,18 +59,19 @@
       - RHEL-07-040180
       - ldap
 
-- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
+- name: "MEDIUM | RHEL-07-040500 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
   stat:
       path: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}"
-  register: rhel_07_040210_audit
+  register: rhel_07_040500_audit
   failed_when: no
   changed_when: no
   ignore_errors: yes
   tags:
       - cat2
       - medium
       - audit
-      - RHEL-07-040210
+      - RHEL-07-040500
+      - ntp
       - ntpd
       - chronyd
       - time
@@ -63,10 +88,9 @@
       - medium
       - audit
       - RHEL-07-040230
-      - always
       - pki
 
-- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive."
+- name: "MEDIUM | RHEL-07-040420 | AUDIT | The SSH private host key files must have mode 0600 or less permissive."
   find:
       paths: /
       recurse: yes
@@ -76,16 +100,15 @@
   failed_when: no
   changed_when: no
   ignore_errors: yes
-  register: rhel_07_040650_audit
+  register: rhel_07_040420_audit
   tags:
       - cat2
       - high
       - audit
-      - RHEL-07-040650
-      - always
+      - RHEL-07-040420
       - ssh
 
-- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive."
+- name: "MEDIUM | RHEL-07-040410 | AUDIT | The SSH public host key files must have mode 0644 or less permissive."
   find:
       paths: /
       recurse: yes
@@ -95,11 +118,22 @@
   failed_when: no
   changed_when: no
   ignore_errors: yes
-  register: rhel_07_040640_audit
+  register: rhel_07_040410_audit
   tags:
       - cat2
       - high
       - audit
-      - RHEL-07-040640
-      - always
+      - RHEL-07-040410
       - ssh
+
+- name: "MEDIUM | RHEL-07-041010 | AUDIT | Wireless network adapters must be disabled."
+  command: nmcli radio wifi
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_041010_audit
+  tags:
+      - cat2
+      - high
+      - audit
+      - RHEL-07-041010
diff --git a/tasks/audit-cat3.yml b/tasks/audit-cat3.yml
@@ -1,5 +1,6 @@
 - name: "Place holder for Cat III Audits"
   command: "true"
+  changed_when: no
   tags:
       - cat3
       - low