diff --git a/.gitignore b/.gitignore index 0d20b64..ca4bbfd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ *.pyc + +*.retry diff --git a/README.md b/README.md index 56aa2e0..3994a73 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,8 @@ RHEL 7 DISA STIG Configure a RHEL 7 system to be DISA STIG compliant. CAT I findings will be corrected and audited by default. CAT II and III findings can be enabled by setting the appropriate variables to `yes`. -The RHEL 7 STIG is currently in draft form. This role is based on [Version 1, Revision 0.2 released on July 15, 2016](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx). + +This role is based on RHEL 7 DISA STIG: [Version 1, Rel 1 released on March 13, 2017](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx). Requirements @@ -26,6 +27,7 @@ Role Variables | `rhel7stig_cat3_patch` | `no` | Correct CAT III findings | | `rhel7stig_gui` | `no` | Whether or not to run tasks related to auditing/patching the desktop environment | | `rhel7stig_av_package` | `no` | Anti-virus package(s) to install and service to start and enable. | +| `rhel7stig_antivirus_required` | `no` | Weather or not an antivirus must be installed | | `rhel7stig_time_service` | `chronyd` | Set to `ntpd` or `chronyd`. | | `rhel7stig_lftpd_required` | `no` | If set to `no`, remove `lftpd`. | | `rhel7stig_tftp_required` | `no` | If set to `no`, remove `tftp` client and server packages. | diff --git a/defaults/main.yml b/defaults/main.yml index d61e4c2..a65cc60 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ rhel7stig_cat1_patch: yes -rhel7stig_cat2_patch: no -rhel7stig_cat3_patch: no +rhel7stig_cat2_patch: yes +rhel7stig_cat3_patch: yes # These values match patch values by defaults. To override these values, # set them in group_vars, host_vars, or with the -e flag via CLI 
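Review bot: Flipping `rhel7stig_cat2_patch` and `rhel7stig_cat3_patch` to `yes` widens the role's default effect — every CAT II/III patch task now runs on any host that applies the role unchanged — and the README table touched in this same commit still lists `rhel7stig_cat3_patch` as `no` and says CAT II and III "can be enabled". If the new defaults are intended, the README rows and intro sentence should say so; otherwise keep `rhel7stig_cat2_patch: no` and `rhel7stig_cat3_patch: no` and opt in per inventory. Note that the audit switches inherit these values (`rhel7stig_cat3_audit: "{{ rhel7stig_cat3_patch }}"` is visible in the next hunk's header), so the audits are turned on as well.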
@@ -11,14 +11,19 @@ rhel7stig_cat3_audit: "{{ rhel7stig_cat3_patch }}" # Whether or not to run tasks related to auditing/patching the desktop environment rhel7stig_gui: no -# RHEL-07-040730 +# RHEL-07-040740 # If system is not router, run tasks that disable router functions. rhel7stig_system_is_router: no -# RHEL-07-030810 +# RHEL-07-032000 # Install and enable a DOD-approved AV program. ClamAV and McAfee (nails) # are the currently approved applications. This variable is used in two separate # tasks that will install the package and start and enable the service. + +# Only set this to true if you have a valid +# antivirus solution in your repositories, else it will fail every time. +rhel7stig_antivirus_required: no + rhel7stig_av_package: package: - clamav @@ -50,3 +55,14 @@ rhel7stig_boot_password_config: - regexp: ^password_pbkdf2 root line: password_pbkdf2 root {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }} +# AIDE settings +rhel7stig_aide_cron: + aide_job: '/usr/sbin/aide --check' + aide_minute: '05' + aide_hour: '4' + aide_day: '*' + aide_month: '*' + aide_weekday: '*' + +# Set maximum number of simultaneous system logins (RHEL-07-040000) +rhel7stig_maxlogins: 10 diff --git a/filter_plugins/filters.py b/filter_plugins/filters.py index 3f88dba..b8c0d81 100644 --- a/filter_plugins/filters.py +++ b/filter_plugins/filters.py @@ -1,9 +1,9 @@ import crypt from random import SystemRandom, shuffle -from passlib.hash import grub_pbkdf2_sha512 import string try: import passlib.hash + from passlib.hash import grub_pbkdf2_sha512 HAS_PASSLIB = True except: HAS_PASSLIB = False diff --git a/handlers/main.yml b/handlers/main.yml index 94c06c2..9b690f6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -21,3 +21,10 @@ service: name: "{{ rhel7stig_time_service }}" state: restarted + +- name: init aide + command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + async: 45 + poll: 0 + tags: + - aide 
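Review bot: `rhel7stig_antivirus_required: no` makes the role skip both RHEL-07-032000 tasks by default (the `when: rhel7stig_antivirus_required` guards added in tasks/fix-cat1.yml), so a CAT I finding stays open while the play reports clean. The comment explains why the default is off but not that consequence; I'd add `# NOTE: while this is no, the RHEL-07-032000 (CAT I) install/enable tasks are skipped and the finding remains open.` The README row added for this variable in the same commit should carry the same caveat. A cheap safety net is a `debug` or `fail` task in the audit pass that reports the skip when the variable is false — offered as a suggestion, since none of the audit files in this diff reference the variable.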
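Review bot: The bare `except:` now also covers the moved `from passlib.hash import grub_pbkdf2_sha512`, so any failure while loading passlib that is not an ImportError (a broken install raising something else, or a KeyboardInterrupt during import) is silently recorded as `HAS_PASSLIB = False` instead of surfacing. Narrow it to `except ImportError:`. The import block is the hunk's whole extent; the filter that calls `grub_pbkdf2_sha512` is outside it, so I cannot confirm it checks `HAS_PASSLIB` before use — worth verifying, because a `NameError` at template render time would otherwise be the first symptom.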
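Review bot: The `init aide` handler writes the fresh baseline directly over the live database (`database_out=file:/var/lib/aide/aide.db.gz`), so each time it fires, whatever the filesystem looks like at that moment — including any change an integrity check should have flagged — becomes the new reference. AIDE's usual flow writes `aide.db.new.gz` and an operator promotes it deliberately; I'd keep the default `database_out` and make the rotation an explicit, separate step. Separately, `async: 45` with `poll: 0` detaches the job and, as far as I know, Ansible terminates an async job that outlives its limit, so on a host with a large filesystem a `--init` needing more than 45 seconds is cut off and leaves a partial or missing baseline with no failure reported — a much larger `async` plus a later `async_status` check, or a synchronous run, would make that visible. Nothing in this diff shows what notifies the handler, so I'm assuming it is the AIDE install/cron tasks.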
diff --git a/tasks/audit-cat1.yml b/tasks/audit-cat1.yml index d0820aa..5edb64f 100644 --- a/tasks/audit-cat1.yml +++ b/tasks/audit-cat1.yml @@ -1,5 +1,7 @@ - name: "HIGH | RHEL-07-010010 | AUDIT | The file permissions, ownership, and group membership of system files and commands must match the vendor values." shell: 'rpm -Va | grep ''^.M''' + args: + warn: no failed_when: no changed_when: no ignore_errors: yes @@ -9,7 +11,6 @@ - high - audit - RHEL-07-010010 - - always - rpm - name: "HIGH | RHEL-07-010020 | AUDIT | The cryptographic hash of system files and commands must match vendor values." @@ -23,7 +24,6 @@ - high - audit - RHEL-07-010020 - - always - name: "HIGH | RHEL-07-010460 | AUDIT | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." command: grep -i ^password_pbkdf2 /boot/grub2/grub.cfg @@ -36,7 +36,6 @@ - high - audit - RHEL-07-010460 - - always - name: "HIGH | RHEL-07-010470 | AUDIT | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." command: grep -i ^password_pbkdf2 /boot/efi/EFI/redhat/grub.cfg 
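Review bot: Removing the `always` tag from the audit tasks (here, in the other audit-cat1.yml hunks, and in audit-cat2.yml's RHEL-07-040230, 040420 and 040410 hunks) means a run limited by `--tags` — e.g. `--tags patch` or a single STIG id — no longer executes the audits, yet the patch tasks still read their registered results: tasks/fix-cat1.yml references `rhel_07_010020_audit.stdout_lines`, `rhel_07_040540_audit.files`, `rhel_07_040550_audit.files` and `rhel_07_040800_audit.results`. With the audit skipped those variables are undefined and the patch task errors instead of remediating. If `always` was dropped because `--skip-tags` could not exclude the audits, the `audit` tag already covers that case; otherwise I'd restore `- always` on every audit whose `register` a fix task consumes. The `args: warn: no` addition is fine — it only silences the module-suggestion warning for this `shell` pipeline.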
@@ -74,36 +73,33 @@ - high - audit - RHEL-07-020310 - - always -- name: "HIGH | RHEL-07-040330 | AUDIT | There must be no .shosts files on the system." +- name: "HIGH | RHEL-07-040540 | AUDIT | There must be no .shosts files on the system." find: paths: / recurse: yes hidden: yes patterns: '*.shosts' - register: rhel_07_040330_audit + register: rhel_07_040540_audit tags: - cat1 - high - audit - - RHEL-07-040330 - - always + - RHEL-07-040540 -- name: "HIGH | RHEL-07-040331 | AUDIT | There must be no shosts.equiv files on the system." +- name: "HIGH | RHEL-07-040550 | AUDIT | There must be no shosts.equiv files on the system." find: paths: / recurse: yes patterns: shosts.equiv - register: rhel_07_040331_audit + register: rhel_07_040550_audit tags: - cat1 - high - audit - - RHEL-07-040331 - - always + - RHEL-07-040550 -- name: "HIGH | RHEL-07-040580 | AUDIT | SNMP community strings must be changed from the default." +- name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings must be changed from the default." command: grep {{ item }} /etc/snmp/snmpd.conf failed_when: no changed_when: no @@ -111,11 +107,10 @@ with_items: - public - private - register: rhel_07_040580_audit + register: rhel_07_040800_audit tags: - cat1 - high - audit - - RHEL-07-040580 - - always + - RHEL-07-040800 - snmp diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index 4e3af62..e0443f4 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml @@ -1,6 +1,6 @@ -- name: "MEDIUM | RHEL-07-010210 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime." +- name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime." command: "awk -F: '$4 < 1 {print $1}' /etc/shadow" - register: rhel_07_010210_audit + register: rhel_07_010240_audit failed_when: no changed_when: no ignore_errors: yes 
@@ -8,11 +8,11 @@ - cat2 - medium - audit - - RHEL-07-010210 + - RHEL-07-010240 -- name: "MEDIUM | RHEL-07-010230 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime." +- name: "MEDIUM | RHEL-07-010260 | AUDIT | Existing passwords must be restricted to a 60-day maximum lifetime." command: "awk -F: '$5 > 60 {print $1}' /etc/shadow" - register: rhel_07_010230_audit + register: rhel_07_010260_audit failed_when: no changed_when: no ignore_errors: yes @@ -20,7 +20,31 @@ - cat2 - medium - audit - - RHEL-07-010230 + - RHEL-07-010260 + +- name: "MEDIUM | RHEL-07-020320 | AUDIT | All files and directories must have a valid owner." + command: find / -xdev -fstype xfs -nouser + register: rhel_07_020320_audit + failed_when: no + changed_when: no + ignore_errors: yes + tags: + - cat2 + - medium + - audit + - RHEL-07-020320 + +- name: "MEDIUM | RHEL-07-020330 | AUDIT | All files and directories must have a valid group owner." + command: find / -xdev -fstype xfs -nogroup + register: rhel_07_020330_audit + failed_when: no + changed_when: no + ignore_errors: yes + tags: + - cat2 + - medium + - audit + - RHEL-07-020330 - name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." command: grep -i useldapauth /etc/sysconfig/authconfig 
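Review bot: The new RHEL-07-020320/020330 audits only inspect xfs filesystems (`find / -xdev -fstype xfs -nouser`), so a host whose root or data volumes are ext4 yields an empty result and looks compliant. I believe the STIG check text uses the same `-fstype xfs` filter, so this may be deliberate, but a comment above each task (`# NOTE: mirrors the STIG check; non-xfs filesystems are not inspected`) would stop the next reader from treating an empty `rhel_07_020320_audit.stdout` as a clean bill. Neither registered result is consumed anywhere in this diff, so if no fix or report task exists the findings are collected and dropped — worth confirming.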
@@ -35,10 +59,10 @@ - RHEL-07-040180 - ldap -- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." +- name: "MEDIUM | RHEL-07-040500 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." stat: path: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" - register: rhel_07_040210_audit + register: rhel_07_040500_audit failed_when: no changed_when: no ignore_errors: yes @@ -46,7 +70,8 @@ - cat2 - medium - audit - - RHEL-07-040210 + - RHEL-07-040500 + - ntp - ntpd - chronyd - time @@ -63,10 +88,9 @@ - medium - audit - RHEL-07-040230 - - always - pki -- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." +- name: "MEDIUM | RHEL-07-040420 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." find: paths: / recurse: yes @@ -76,16 +100,15 @@ failed_when: no changed_when: no ignore_errors: yes - register: rhel_07_040650_audit + register: rhel_07_040420_audit tags: - cat2 - high - audit - - RHEL-07-040650 - - always + - RHEL-07-040420 - ssh -- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." +- name: "MEDIUM | RHEL-07-040410 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." find: paths: / recurse: yes 
@@ -95,11 +118,22 @@ failed_when: no changed_when: no ignore_errors: yes - register: rhel_07_040640_audit + register: rhel_07_040410_audit tags: - cat2 - high - audit - - RHEL-07-040640 - - always + - RHEL-07-040410 - ssh + +- name: "MEDIUM | RHEL-07-041010 | AUDIT | Wireless network adapters must be disabled." + command: nmcli radio wifi + failed_when: no + changed_when: no + ignore_errors: yes + register: rhel_07_041010_audit + tags: + - cat2 + - high + - audit + - RHEL-07-041010 diff --git a/tasks/audit-cat3.yml b/tasks/audit-cat3.yml index 39d6a49..ef4a88c 100644 --- a/tasks/audit-cat3.yml +++ b/tasks/audit-cat3.yml @@ -1,5 +1,6 @@ - name: "Place holder for Cat III Audits" command: "true" + changed_when: no tags: - cat3 - low diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index b9114f1..4d8c0e8 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -12,13 +12,14 @@ shell: yum reinstall -y $(rpm -qf {{ item.split(' ')[-1] }}) with_items: "{{ rhel_07_010020_audit.stdout_lines }}" when: rhel_07_010020_audit.stdout_lines | length > 0 + ignore_errors: yes tags: - cat1 - high - patch - RHEL-07-010020 -- name: "HIGH | RHEL-07-010260 | PATCH | The system must not have accounts configured with blank or null passwords." +- name: "HIGH | RHEL-07-010290 | PATCH | The system must not have accounts configured with blank or null passwords." replace: dest: /etc/pam.d/system-auth regexp: 'nullok ?' @@ -26,9 +27,9 @@ - cat1 - high - patch - - RHEL-07-010260 + - RHEL-07-010290 -- name: "HIGH | RHEL-07-010270 | PATCH | The SSH daemon must not allow authentication using an empty password." +- name: "HIGH | RHEL-07-010300 | PATCH | The SSH daemon must not allow authentication using an empty password." lineinfile: state: present dest: /etc/ssh/sshd_config 
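Review bot: The new RHEL-07-041010 task is labelled MEDIUM and tagged `cat2` but carries `high` instead of `medium`, so a run scoped with `--tags medium` misses it; change the tag to `- medium`. The two SSH host-key audits above it show the same `cat2`/`high` mix, which this commit touches but leaves in place. `nmcli radio wifi` only produces a value when NetworkManager is present; `failed_when: no` keeps the task from failing without it, but whatever consumes `rhel_07_041010_audit` (not in this diff) should expect an empty or error `stdout` in that case.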
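Review bot: Adding `ignore_errors: yes` to the RHEL-07-010020 reinstall loop means a failed `yum reinstall` of a package whose files no longer match vendor hashes is shown as a warning and the play finishes green, although the CAT I finding is still open on that host. If the intent is to survive one bad package and continue the loop, a `register:` plus a final `fail` or `assert` summarising any `failed` results keeps the remediation gap visible. While here: the unquoted `{{ item.split(' ')[-1] }}` comes from `rpm -Va` output on the managed host and is expanded inside a `shell:` command substitution, so passing it through the `quote` filter (`$(rpm -qf {{ item.split(' ')[-1] | quote }})`) is cheap insurance. The task's `- name:` line is above the hunk.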
@@ -40,10 +41,10 @@ - cat1 - high - patch - - RHEL-07-010270 + - RHEL-07-010300 - sshd -- name: "HIGH | RHEL-07-010430 | PATCH | The operating system must not allow an unattended or automatic logon to the system." +- name: "HIGH | RHEL-07-010440 | PATCH | The operating system must not allow an unattended or automatic logon to the system." lineinfile: dest: /etc/gdm/custom.conf regexp: (?i)automaticloginenable @@ -54,9 +55,22 @@ - cat1 - high - patch - - RHEL-07-010430 + - RHEL-07-010440 - gui +- name: "HIGH | RHEL-07-010450 | PATCH | The operating system must not allow an unrestricted logon to the system." + lineinfile: + dest: /etc/gdm/custom.conf + regexp: (?i)timedloginenable + line: TimedLoginEnable=false + insertafter: '\[daemon\]' + when: rhel7stig_gui + tags: + - cat1 + - high + - patch + - RHEL-07-010450 + - name: "HIGH | RHEL-07-010431 | PATCH | The operating system must not allow guest logon to the system." lineinfile: dest: /etc/gdm/custom.conf @@ -87,8 +101,8 @@ - name: | - "HIGH | RHEL-07-010460 | PATCH | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." - "HIGH | RHEL-07-010470 | PATCH | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." + "HIGH | RHEL-07-010480 | PATCH | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." + "HIGH | RHEL-07-010490 | PATCH | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." lineinfile: dest: /etc/grub.d/40_custom insertafter: EOF 
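Review bot: The new RHEL-07-010450 task omits the `gui` tag that the neighbouring RHEL-07-010440 task carries (`- gui` just above the insert), so `--tags gui` or `--skip-tags gui` treats the two gdm settings differently; add `- gui` to its tag list. Both tasks rely on `/etc/gdm/custom.conf` already existing (no `create: yes`), which is presumably fine under `when: rhel7stig_gui` but fails rather than skips on a GUI host where gdm has not written the file yet. If the file has no `[daemon]` header, `insertafter: '\[daemon\]'` falls back to appending at end of file, where a keyfile parser would not attribute the key to the daemon section — worth a comment, or a preceding task that ensures the header exists.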
@@ -100,12 +114,12 @@ - cat1 - high - patch - - RHEL-07-010460 - - RHEL-07-010470 + - RHEL-07-010480 + - RHEL-07-010490 - grub - bootloader -- name: "HIGH | RHEL-07-020000 | PATCH | The rsh-server package including rexecd and rlogind must not be installed." +- name: "HIGH | RHEL-07-020000 | PATCH | The rsh-server package must not be installed" yum: name: rsh-server state: absent @@ -127,7 +141,7 @@ - RHEL-07-020010 - ypserv -- name: "HIGH | RHEL-07-020150 | PATCH | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." +- name: "HIGH | RHEL-07-020050 | PATCH | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." lineinfile: dest: /etc/yum.conf regexp: gpgcheck 
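Review bot: The RHEL-07-020050 task's `regexp: gpgcheck` is unanchored, so in a `/etc/yum.conf` that also contains `localpkg_gpgcheck=` and `repo_gpgcheck=` (the lines the next two hunks manage) it matches all three and `lineinfile` rewrites the last match; the sibling tasks then re-add their lines and the file flaps between runs, at times losing one of the stricter settings. Anchor it: `regexp: '^#?gpgcheck'` (the task's `line:` value is outside the hunk, but the fix does not depend on it). The sibling regexps `localpkg_gpgcheck` and `repo_gpgcheck` cannot collide with each other but would benefit from the same `^#?` anchor for consistency.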
@@ -137,10 +151,10 @@ - cat1 - high - patch - - RHEL-07-020150 + - RHEL-07-020050 - yum -- name: "HIGH | RHEL-07-020151 | PATCH | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." +- name: "HIGH | RHEL-07-020060 | PATCH | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." lineinfile: dest: /etc/yum.conf regexp: localpkg_gpgcheck @@ -150,10 +164,10 @@ - cat1 - high - patch - - RHEL-07-020151 + - RHEL-07-020060 - yum -- name: "HIGH | RHEL-07-020152 | PATCH | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata." +- name: "HIGH | RHEL-07-020070 | PATCH | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata." lineinfile: dest: /etc/yum.conf regexp: repo_gpgcheck @@ -163,7 +177,7 @@ - cat1 - high - patch - - RHEL-07-020152 + - RHEL-07-020070 - yum # HIGH | RHEL-07-020170 | PATCH | Operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
@@ -172,7 +186,7 @@ - name: | "HIGH | RHEL-07-020210 | PATCH | The operating system must enable SELinux." - "HIGH | RHEL-07-020211 | PATCH | The operating system must enable the SELinux targeted policy." + "HIGH | RHEL-07-020220 | PATCH | The operating system must enable the SELinux targeted policy." selinux: state: enforcing policy: targeted @@ -181,13 +195,13 @@ - high - patch - RHEL-07-020210 - - RHEL-07-020211 + - RHEL-07-020220 - selinux # The fix in the STIG for this is incorrect. Symlinking this unit file to /dev/null obtains the required result # which is to disable this function and log when the keystroke is issued. # https://access.redhat.com/solutions/1123873 -- name: "HIGH | RHEL-07-020220 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled." +- name: "HIGH | RHEL-07-020230 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled." file: src: /dev/null dest: /etc/systemd/system/ctrl-alt-del.target 
@@ -196,15 +210,15 @@ - cat1 - high - patch - - RHEL-07-020220 + - RHEL-07-020230 -# RHEL-07-020240 | PATCH | The operating system must be a supported release." +# RHEL-07-020250 | PATCH | The operating system must be a supported release." # Not automated since current end of life for RHEL 7 is 2024-06-30 # RHEL-07-020310 | PATCH | The root account must be the only account having unrestricted access to the system # Audited but not automated. -- name: "HIGH | RHEL-07-021280 | PATCH | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." +- name: "HIGH | RHEL-07-021350 | PATCH | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." yum: name: dracut-fips state: present 
@@ -214,7 +228,19 @@ - patch - RHEL-07-021280 -- name: "HIGH | RHEL-07-021910 | PATCH | The telnet-server package must not be installed." +- name: "HIGH | RHEL-07-021350 | PATCH | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + lineinfile: + create: yes + dest: /etc/sysconfig/prelink + regexp: ^#?PRELINKING + line: PRELINKING=no + tags: + - cat1 + - high + - patch + - RHEL-07-021280 + +- name: "HIGH | RHEL-07-021710 | PATCH | The telnet-server package must not be installed." yum: name: telnet-server state: absent @@ -222,10 +248,10 @@ - cat1 - high - patch - - RHEL-07-021910 + - RHEL-07-021710 - telnet -- name: "HIGH | RHEL-07-030010 | PATCH | Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." +- name: "HIGH | RHEL-07-030000 | PATCH | Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." service: name: auditd state: started 
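Review bot: The new prelink task is named RHEL-07-021350 but tagged `RHEL-07-021280`, and the dracut-fips task above it (renamed to 021350 in the previous hunk) keeps the same stale `- RHEL-07-021280` tag, so `--tags RHEL-07-021350` selects neither; change both tags to `- RHEL-07-021350`. Setting `PRELINKING=no` only prevents future prelinking; if the prelink package is installed, already-prelinked binaries stay that way and the STIG fix, as I recall it, also runs `prelink -ua` — a conditional task for that, or a comment stating why it is omitted, would complete the control. `create: yes` is appropriate here since `/etc/sysconfig/prelink` is absent when prelink is not installed.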
@@ -234,58 +260,60 @@ - cat1 - high - patch - - RHEL-07-030010 + - RHEL-07-030000 - auditd -- name: "HIGH | RHEL-07-030810 | PATCH | The system must use a DoD-approved virus scan program." +- name: "HIGH | RHEL-07-032000 | PATCH | The system must use a DoD-approved virus scan program." yum: name: "{{ rhel7stig_av_package.package }}" state: present + when: rhel7stig_antivirus_required tags: - cat1 - high - patch - - RHEL-07-030810 + - RHEL-07-032000 - antivirus -- name: "HIGH | RHEL-07-030810 | PATCH | The system must use a DoD-approved virus scan program." +- name: "HIGH | RHEL-07-032000 | PATCH | The system must use a DoD-approved virus scan program." service: name: "{{ rhel7stig_av_package.service }}" state: started enabled: yes ignore_errors: yes + when: rhel7stig_antivirus_required tags: - cat1 - high - patch - - RHEL-07-030810 + - RHEL-07-032000 - antivirus -- name: "HIGH | RHEL-07-040330 | PATCH | There must be no .shosts files on the system." +- name: "HIGH | RHEL-07-040540 | PATCH | There must be no .shosts files on the system." file: path: "{{ item.path }}" state: absent - with_items: "{{ rhel_07_040330_audit.files }}" + with_items: "{{ rhel_07_040540_audit.files }}" tags: - cat1 - high - patch - - RHEL-07-040330 + - RHEL-07-040540 - shosts -- name: "HIGH | RHEL-07-040331 | PATCH | There must be no shosts.equiv files on the system." +- name: "HIGH | RHEL-07-040550 | PATCH | There must be no shosts.equiv files on the system." file: path: "{{ item.path }}" state: absent - with_items: "{{ rhel_07_040331_audit.files }}" + with_items: "{{ rhel_07_040550_audit.files }}" tags: - cat1 - high - patch - - RHEL-07-040331 + - RHEL-07-040550 - shosts -- name: "HIGH | RHEL-07-040490 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless needed." +- name: "HIGH | RHEL-07-040690 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless needed." yum: name: lftpd state: absent 
@@ -294,10 +322,10 @@ - cat1 - high - patch - - RHEL-07-040490 + - RHEL-07-040690 - ftp -- name: "HIGH | RHEL-07-040500 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support." +- name: "HIGH | RHEL-07-040700 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support." yum: name: - tftp @@ -308,39 +336,40 @@ - cat1 - high - patch - - RHEL-07-040500 + - RHEL-07-040700 - tftp -- name: "HIGH | RHEL-07-040540 | PATCH | Remote X connections for interactive users must be encrypted." +- name: "HIGH | RHEL-07-040710 | PATCH | Remote X connections for interactive users must be encrypted." lineinfile: + create: yes dest: /etc/ssh/sshd_config regexp: (?i)^#?x11forwarding line: X11Forwarding yes validate: sshd -t -f %s - notify: restart ssh + notify: restart sshd tags: - cat1 - high - patch - - RHEL-07-040540 + - RHEL-07-040710 - ssh -- name: "HIGH | RHEL-07-040580 | PATCH | SNMP community strings must be changed from the default." +- name: "HIGH | RHEL-07-040800 | PATCH | SNMP community strings must be changed from the default." replace: dest: /etc/snmp/snmpd.conf regexp: (^com2sec.*default\s+)(public|private) replace: \1{{ rhel7stig_snmp_community }} when: item.stdout_lines | length > 0 - with_items: "{{ rhel_07_040580_audit.results }}" + with_items: "{{ rhel_07_040800_audit.results }}" notify: restart snmpd tags: - cat1 - high - patch - - RHEL-07-040580 + - RHEL-07-040800 - snmp -- name: "HIGH | RHEL-07-040590 | PATCH | The SSH daemon must be configured to only use the SSHv2 protocol." +- name: "HIGH | RHEL-07-040390 | PATCH | The SSH daemon must be configured to only use the SSHv2 protocol." lineinfile: dest: /etc/ssh/sshd_config regexp: (?i)^#?protocol @@ -351,6 +380,6 @@ - cat1 - high - patch - - RHEL-07-040590 + - RHEL-07-040390 - ssh diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b458c75..d51cb08 100644 
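Review bot: The X11Forwarding task now notifies `restart sshd` while the new Banner task added to tasks/fix-cat2.yml in this same commit notifies `restart ssh`; Ansible errors when a notified handler does not exist, so one of the two is wrong, and the handlers/main.yml hunk in this diff does not show which name is defined. Pick one name and use it in both tasks. `create: yes` on `/etc/ssh/sshd_config` is questionable: if the file is missing, the task creates a one-line config that `validate: sshd -t -f %s` will accept, and the next sshd restart runs with defaults for everything else — an absent sshd_config is better treated as a failure than silently created.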
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6,27 +6,48 @@ - medium - patch - RHEL-07-010030 + - dod_logon_banner -- name: "MEDIUM | RHEL-07-010031 | PATCH | The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." +- name: "MEDIUM | RHEL-07-010040 | PATCH | The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." command: "true" changed_when: no + when: rhel7stig_gui tags: - cat2 - medium - patch - - RHEL-07-010031 + - RHEL-07-010040 + - dod_logon_banner -- name: "MEDIUM | RHEL-07-010040 | PATCH | The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." +- name: "MEDIUM | RHEL-07-010050 | PATCH | The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." copy: src: issue dest: /etc/issue owner: root + group: root mode: 0644 tags: - cat2 - medium - patch - - RHEL-07-010040 + - RHEL-07-010050 + - ssh + - dod_logon_banner + +- name: "MEDIUM | RHEL-07-010050 | PATCH | The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." + lineinfile: + dest: /etc/ssh/sshd_config + regexp: '^#?Banner' + line: Banner /etc/issue + validate: sshd -tf %s + notify: restart ssh + tags: + - cat2 + - medium + - patch + - RHEL-07-010050 + - ssh + - dod_logon_banner - name: "MEDIUM | RHEL-07-010060 | PATCH | The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures." command: "true" 
@@ -46,199 +67,248 @@ - patch - RHEL-07-010070 -- name: "MEDIUM | RHEL-07-010074 | PATCH | The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated." +- name: "MEDIUM | RHEL-07-010080 | PATCH | The operating system must set the idle delay setting for all connection types." + command: "true" + changed_when: no + tags: + - cat2 + - medium + - patch + - RHEL-07-010080 + +- name: "MEDIUM | RHEL-07-010081 | PATCH | The operating system must set the lock delay setting for all connection types." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010074 + - RHEL-07-010081 -- name: "MEDIUM | RHEL-07-010071 | PATCH | The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types." +- name: "MEDIUM | RHEL-07-010082 | PATCH | The operating system must set the session idle delay setting for all connection types." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010071 + - RHEL-07-010082 + +- name: "MEDIUM | RHEL-07-010090 | PATCH | The operating system must have the screen package installed." + yum: + name: screen + state: present + tags: + - cat2 + - medium + - patch + - RHEL-07-010090 -- name: "MEDIUM | RHEL-07-010072 | PATCH | The operating system must have the screen package installed." +- name: "MEDIUM | RHEL-07-010100 | PATCH | The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces." + when: rhel7stig_gui command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010072 + - RHEL-07-010100 -- name: "MEDIUM | RHEL-07-010073 | PATCH | The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces." +- name: "MEDIUM | RHEL-07-010110 | PATCH | The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated." 
+ when: rhel7stig_gui command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010073 + - RHEL-07-010110 + +- name: "MEDIUM | RHEL-07-010119 | PATCH | When passwords are changed or new passwords are established, pwquality must be used" + lineinfile: + create: yes + dest: /etc/pam.d/passwd + regexp: '^#?password required pam_pwquality.so retry' + line: password required pam_pwquality.so retry=3 + tags: + - cat2 + - medium + - patch + - RHEL-07-010119 -- name: "MEDIUM | RHEL-07-010090 | PATCH | When passwords are changed or new passwords are established, the new password must contain at least one upper-case character." +- name: "MEDIUM | RHEL-07-010120 | PATCH | When passwords are changed or new passwords are established, the new password must contain at least one upper-case character." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?ucredit + regexp: '^#?\s*ucredit' line: ucredit = -1 tags: - cat2 - medium - patch - - RHEL-07-010090 + - RHEL-07-010120 -- name: "MEDIUM | RHEL-07-010100 | PATCH | When passwords are changed or new passwords are established, the new password must contain at least one lower-case character." +- name: "MEDIUM | RHEL-07-010130 | PATCH | When passwords are changed or new passwords are established, the new password must contain at least one lower-case character." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?lcredit + regexp: '^#?\s*lcredit' line: lcredit = -1 tags: - cat2 - medium - patch - - RHEL-07-010100 + - RHEL-07-010130 -- name: "MEDIUM | RHEL-07-010110 | PATCH | When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character." +- name: "MEDIUM | RHEL-07-010140 | PATCH | When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character." 
lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?dcredit + regexp: '^#?\s*dcredit' line: dcredit = -1 tags: - cat2 - medium - patch - - RHEL-07-010110 + - RHEL-07-010140 -- name: "MEDIUM | RHEL-07-010120 | PATCH | When passwords are changed or new passwords are assigned, the new password must contain at least one special character." +- name: "MEDIUM | RHEL-07-010150 | PATCH | When passwords are changed or new passwords are assigned, the new password must contain at least one special character." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?ocredit + regexp: '^#?\s*ocredit' line: ocredit = -1 tags: - cat2 - medium - patch - - RHEL-07-010120 + - RHEL-07-010150 -- name: "MEDIUM | RHEL-07-010130 | PATCH | When passwords are changed a minimum of eight of the total number of characters must be changed." +- name: "MEDIUM | RHEL-07-010160 | PATCH | When passwords are changed a minimum of eight of the total number of characters must be changed." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?difok + regexp: '^#?\s*difok' line: difok = 8 tags: - cat2 - medium - patch - - RHEL-07-010130 + - RHEL-07-010160 -- name: "MEDIUM | RHEL-07-010140 | PATCH | When passwords are changed a minimum of four character classes must be changed." +- name: "MEDIUM | RHEL-07-010170 | PATCH | When passwords are changed a minimum of four character classes must be changed." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?minclass + regexp: '^#?\s*minclass' line: minclass = 4 tags: - cat2 - medium - patch - - RHEL-07-010140 + - RHEL-07-010170 -- name: "MEDIUM | RHEL-07-010150 | PATCH | When passwords are changed the number of repeating consecutive characters must not be more than four characters." 
+#note there is a typo in the fix steps in the STIG +- name: "MEDIUM | RHEL-07-010180 | PATCH | When passwords are changed the number of repeating consecutive characters must not be more than four characters." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?maxrepeat - line: maxrepeat = 2 + regexp: '^#?\s*maxrepeat' + line: maxrepeat = 4 tags: - cat2 - medium - patch - - RHEL-07-010150 + - RHEL-07-010180 -- name: "MEDIUM | RHEL-07-010160 | PATCH | When passwords are changed the number of repeating characters of the same character class must not be more than four characters." +- name: "MEDIUM | RHEL-07-010190 | PATCH | When passwords are changed the number of repeating characters of the same character class must not be more than four characters." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?maxclassrepeat + regexp: '^#?\s*maxclassrepeat' line: maxclassrepeat = 4 tags: - cat2 - medium - patch - - RHEL-07-010160 + - RHEL-07-010190 -- name: "MEDIUM | RHEL-07-010170 | PATCH | The PAM system service must be configured to store only encrypted representations of passwords." +- name: "MEDIUM | RHEL-07-010200 | PATCH | The PAM system service must be configured to store only encrypted representations of passwords." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010170 + - RHEL-07-010200 -- name: "MEDIUM | RHEL-07-010180 | PATCH | The shadow file must be configured to store only encrypted representations of passwords." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-010210 | PATCH | The shadow file must be configured to store only encrypted representations of passwords." 
+ lineinfile: + dest: /etc/login.defs + regexp: ^#?ENCRYPT_METHOD + line: ENCRYPT_METHOD SHA512 tags: - cat2 - medium - patch - - RHEL-07-010180 + - RHEL-07-010210 -- name: "MEDIUM | RHEL-07-010190 | PATCH | User and group account administration utilities must be configured to store only encrypted representations of passwords." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-010220 | PATCH | User and group account administration utilities must be configured to store only encrypted representations of passwords." + lineinfile: + dest: /etc/libuser.conf + regexp: ^#?crypt_style + line: crypt_style = sha512 tags: - cat2 - medium - patch - - RHEL-07-010190 + - RHEL-07-010220 -- name: "MEDIUM | RHEL-07-010200 | PATCH | Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime." +- name: "MEDIUM | RHEL-07-010230 | PATCH | Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime." lineinfile: + create: yes dest: /etc/login.defs - regexp: (?i)^#?PASS_MIN_DAYS + regexp: ^#?PASS_MIN_DAYS line: PASS_MIN_DAYS 1 tags: - cat2 - medium - patch - - RHEL-07-010200 + - RHEL-07-010230 -- name: "MEDIUM | RHEL-07-010210 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime." +- name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime." command: chage -m 1 {{ item }} - with_items: "{{ rhel_07_010210_audit.stdout_lines | default([]) }}" + with_items: "{{ rhel_07_010240_audit.stdout_lines | default([]) }}" tags: - cat2 - medium - patch - - RHEL-07-010210 + - RHEL-07-010240 -- name: "MEDIUM | RHEL-07-010220 | PATCH | Passwords for new users must be restricted to a 60-day maximum lifetime." +- name: "MEDIUM | RHEL-07-010250 | PATCH | Passwords for new users must be restricted to a 60-day maximum lifetime." 
lineinfile: + create: yes dest: /etc/login.defs - regexp: (?i)^#?PASS_MAX_DAYS + regexp: ^#?PASS_MAX_DAYS line: PASS_MAX_DAYS 60 tags: - cat2 - medium - patch - - RHEL-07-010220 + - RHEL-07-010250 -- name: "MEDIUM | RHEL-07-010230 | PATCH | Existing passwords must be restricted to a 60-day maximum lifetime." +- name: "MEDIUM | RHEL-07-010260 | PATCH | Existing passwords must be restricted to a 60-day maximum lifetime." command: chage -M 60 {{ item }} - with_items: "{{ rhel_07_010230_audit.stdout_lines | default([]) }}" + with_items: "{{ rhel_07_010260_audit.stdout_lines | default([]) }}" tags: - cat2 - medium - patch - - RHEL-07-010230 + - RHEL-07-010260 -- name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be prohibited from reuse for a minimum of five generations." +- name: "MEDIUM | RHEL-07-010270 | PATCH | Passwords must be prohibited from reuse for a minimum of five generations." lineinfile: + create: yes dest: /etc/pam.d/system-auth regexp: password\s*sufficient\s*pam_unix.so line: password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5 
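Review bot: `create: yes` on /etc/pam.d/passwd (RHEL-07-010119) and /etc/pam.d/system-auth (RHEL-07-010270) is risky: if either PAM stack file is missing, the task writes a file holding a single `password` line and no `auth`/`account` entries, which would likely turn a broken-package condition into a PAM configuration that rejects logins, so those two tasks should omit `create: yes` (the pwquality.conf and login.defs tasks are fine with it). The 010119 regexp `'^#?password required pam_pwquality.so retry'` matches only single spaces, whereas PAM files are normally written with runs of spaces or tabs, so an existing `password    required    pam_pwquality.so` line would not be matched and a second, duplicate line appended; `regexp: '^#?password\s+required\s+pam_pwquality\.so'` covers both spellings. The `#note there is a typo in the fix steps in the STIG` comment above RHEL-07-010180 should say what the discrepancy is (which value the STIG fix text gives versus the one the title implies, and why `maxrepeat = 4` was chosen), otherwise the next reader cannot tell whether the comment still holds after a STIG revision.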
@@ -246,230 +316,242 @@ - cat2 - medium - patch - - RHEL-07-010240 + - RHEL-07-010270 -- name: "MEDIUM | RHEL-07-010250 | PATCH | Passwords must be a minimum of 15 characters in length." +- name: "MEDIUM | RHEL-07-010280 | PATCH | Passwords must be a minimum of 15 characters in length." lineinfile: + create: yes dest: /etc/security/pwquality.conf - regexp: ^#?\s?minlen + regexp: '^#?minlen' line: minlen = 15 - tags: - - cat2 - - medium - - patch - - RHEL-07-010250 - -- name: "MEDIUM | RHEL-07-010280 | PATCH | The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires." - command: "true" - changed_when: no tags: - cat2 - medium - patch - RHEL-07-010280 -- name: "MEDIUM | RHEL-07-010371 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-010310 | PATCH | The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires." + lineinfile: + dest: /etc/default/useradd + regexp: ^#?INACTIVE + line: INACTIVE=0 tags: - cat2 - medium - patch - - RHEL-07-010371 + - RHEL-07-010310 -- name: "MEDIUM | RHEL-07-010372 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period." +- name: "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010372 + - RHEL-07-010320 -- name: "MEDIUM | RHEL-07-010373 | PATCH | If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked." +- name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010373 + - RHEL-07-010330 -- name: "MEDIUM | RHEL-07-010380 | PATCH | Users must provide a password for privilege escalation." +- name: "MEDIUM | RHEL-07-010340 | PATCH | Users must provide a password for privilege escalation." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010380 + - RHEL-07-010340 -- name: "MEDIUM | RHEL-07-010381 | PATCH | Users must re-authenticate for privilege escalation." +- name: "MEDIUM | RHEL-07-010350 | PATCH | Users must re-authenticate for privilege escalation." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010381 + - RHEL-07-010350 -- name: "MEDIUM | RHEL-07-010400 | PATCH | The operating system must prohibit the use of cached nss authenticators after one day." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-010430 | PATCH | The delay between logon prompts following a failed console logon attempt must be at least four seconds." + lineinfile: + dest: /etc/login.defs + regexp: ^#?FAIL_DELAY + line: FAIL_DELAY 4 tags: - cat2 - medium - patch - - RHEL-07-010400 + - RHEL-07-010430 -- name: "MEDIUM | RHEL-07-010401 | PATCH | The operating system must prohibit the use of cached PAM authenticators after one day." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-010460 | PATCH | The operating system must not allow users to override SSH environment variables." + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?permituserenvironment + line: permituserenvironment no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-010401 + - RHEL-07-010460 + - ssh -- name: "MEDIUM | RHEL-07-010402 | PATCH | The operating system must prohibit the use of cached SSH authenticators after one day." +- name: "MEDIUM | RHEL-07-010470 | PATCH | The operating system must not allow a non-certificate trusted host SSH logon to the system." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010402 + - RHEL-07-010470 - ssh -- name: "MEDIUM | RHEL-07-010420 | PATCH | The delay between logon prompts following a failed console logon attempt must be at least four seconds." +- name: "MEDIUM | RHEL-07-010500 | PATCH | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010420 + - RHEL-07-010500 -- name: "MEDIUM | RHEL-07-010441 | PATCH | The operating system must not allow users to override SSH environment variables." +- name: "MEDIUM | RHEL-07-020020 | PATCH | The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-010441 - - ssh + - RHEL-07-020020 -- name: "MEDIUM | RHEL-07-010442 | PATCH | The operating system must not allow a non-certificate trusted host SSH logon to the system." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-020030 | PATCH | A file integrity tool must verify the baseline operating system configuration at least weekly." 
+ cron: + name='Run AIDE integrity check weekly' + minute={{ rhel7stig_aide_cron["aide_minute"] | default('05') }} + hour={{ rhel7stig_aide_cron["aide_hour"] | default('04') }} + day={{ rhel7stig_aide_cron["aide_day"] | default('*') }} + month={{ rhel7stig_aide_cron["aide_month"] | default('*') }} + weekday={{ rhel7stig_aide_cron["aide_weekday"] | default('*') }} + job="{{ rhel7stig_aide_cron["aide_job"] }}" tags: - cat2 - medium - patch - - RHEL-07-010442 - - ssh + - RHEL-07-020030 + - aide -- name: "MEDIUM | RHEL-07-010500 | PATCH | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multi-factor authentication." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-020040 | PATCH | Designated personnel must be notified if baseline configurations are changed in an unauthorized manner." + yum: + name: aide + state: present + notify: init aide tags: - cat2 - medium - patch - - RHEL-07-010500 + - RHEL-07-020040 + - aide -- name: "MEDIUM | RHEL-07-020090 | PATCH | The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-020100 | PATCH | USB mass storage must be disabled." + lineinfile: + state: present + create: yes + line: install usb-storage /bin/true + dest: /etc/modprobe.d/disable-usb.conf + owner: root + group: root + mode: "0644" tags: - cat2 - medium - patch - - RHEL-07-020090 + - RHEL-07-020100 + - usb_devices -- name: "MEDIUM | RHEL-07-020130 | PATCH | A file integrity tool must verify the baseline operating system configuration at least weekly." 
- command: "true" - changed_when: no - tags: - - cat2 - - medium - - patch - - RHEL-07-020130 -- name: "MEDIUM | RHEL-07-020140 | PATCH | Designated personnel must be notified if baseline configurations are changed in an unauthorized manner." +- name: "MEDIUM | RHEL-07-020110 | PATCH | File system automounter must be disabled unless required." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020140 + - RHEL-07-020110 -- name: "MEDIUM | RHEL-07-020160 | PATCH | USB mass storage must be disabled." +- name: "MEDIUM | RHEL-07-020240 | PATCH | The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020160 + - RHEL-07-020240 -- name: "MEDIUM | RHEL-07-020161 | PATCH | File system automounter must be disabled unless required." +- name: "MEDIUM | RHEL-07-020260 | PATCH | Vendor packaged system security patches and updates must be installed and up to date." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020161 + - RHEL-07-020260 -- name: "MEDIUM | RHEL-07-020230 | PATCH | The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." +- name: "MEDIUM | RHEL-07-020270 | PATCH | The system must not have unnecessary accounts." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020230 + - RHEL-07-020270 -- name: "MEDIUM | RHEL-07-020250 | PATCH | System security patches and updates must be installed and up to date." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-020320 | PATCH | All files and directories must have a valid owner." 
+ assert: + that: item == '' + msg: File is missing a User - Manual intervention is required + with_items: "{{ rhel_07_020320_audit.stdout_lines | default([]) }}" tags: - cat2 - medium - patch - - RHEL-07-020250 + - RHEL-07-020320 -- name: "MEDIUM | RHEL-07-020290 | PATCH | The system must not have unnecessary accounts." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-020330 | PATCH | All files and directories must have a valid group owner." + assert: + that: item == '' + msg: File is missing a Group - Manual intervention is required + with_items: "{{ rhel_07_020330_audit.stdout_lines | default([]) }}" tags: - cat2 - medium - patch - - RHEL-07-020290 + - RHEL-07-020330 -- name: "MEDIUM | RHEL-07-020360 | PATCH | All files and directories must have a valid owner." +- name: "MEDIUM | RHEL-07-020600 | PATCH | All local interactive users must have a home directory assigned in the /etc/passwd file." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020360 + - RHEL-07-020600 -- name: "MEDIUM | RHEL-07-020370 | PATCH | All files and directories must have a valid group owner." +- name: "MEDIUM | RHEL-07-020610 | PATCH | All local interactive user accounts, upon creation, must be assigned a home directory." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020370 + - RHEL-07-020610 -- name: "MEDIUM | RHEL-07-020620 | PATCH | All local interactive users must have a home directory assigned in the /etc/passwd file." +- name: "MEDIUM | RHEL-07-020620 | PATCH | All local interactive user home directories defined in the /etc/passwd file must exist." command: "true" changed_when: no tags: 
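Review bot: The RHEL-07-010460 task uses `regexp: ^#?permituserenvironment` against /etc/ssh/sshd_config, but the stock file spells the keyword `#PermitUserEnvironment no` and the regexp is case-sensitive, so the commented line stays and `permituserenvironment no` is appended at end of file, which lands inside a trailing `Match` block if the host has one and then applies only to those users. The X11Forwarding and Protocol tasks in tasks/fix-cat1.yml use `(?i)` for exactly this reason; `regexp: (?i)^#?PermitUserEnvironment` with `line: PermitUserEnvironment no` matches them. The minlen task's `regexp: '^#?minlen'` drops the `\s*` that every other pwquality.conf regexp in this commit gained, so a `# minlen = 8` line with a space after the hash is not matched; `regexp: '^#?\s*minlen'` is consistent. The RHEL-07-020320/020330 `assert` loops fail the play on the first unowned file, so the operator sees one path rather than the whole list the audit collected; a single `fail:` task guarded by `when: rhel_07_020320_audit.stdout_lines | default([]) | length > 0` with the list in its `msg` reports everything at once, though this is a style choice rather than a bug.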
@@ -478,7 +560,7 @@ - patch - RHEL-07-020620 -- name: "MEDIUM | RHEL-07-020630 | PATCH | All local interactive user accounts, upon creation, must be assigned a home directory." +- name: "MEDIUM | RHEL-07-020630 | PATCH | All local interactive user home directories must have mode 0750 or less permissive." command: "true" changed_when: no tags: @@ -487,34 +569,34 @@ - patch - RHEL-07-020630 -- name: "MEDIUM | RHEL-07-020640 | PATCH | All local interactive user home directories defined in the /etc/passwd file must exist." +- name: "MEDIUM | RHEL-07-020640 | PATCH | All local interactive user home directories must be owned by their respective users." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020640 + - RHEL-07-020660 -- name: "MEDIUM | RHEL-07-020650 | PATCH | All local interactive user home directories must have mode 0750 or less permissive." +- name: "MEDIUM | RHEL-07-020650 | PATCH | All local interactive user home directories must be group-owned by the home directory owners primary group." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020650 + - RHEL-07-020670 -- name: "MEDIUM | RHEL-07-020660 | PATCH | All local interactive user home directories must be owned by their respective users." +- name: "MEDIUM | RHEL-07-020660 | PATCH | All files and directories contained in local interactive user home directories must be owned by the owner of the home directory." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020660 + - RHEL-07-020680 -- name: "MEDIUM | RHEL-07-020670 | PATCH | All local interactive user home directories must be group-owned by the home directory owners primary group." +- name: "MEDIUM | RHEL-07-020670 | PATCH | All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member." command: "true" changed_when: no tags: 
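Review bot: In hunk `@@ -487,34 +569,34 @@` the task names keep the IDs RHEL-07-020640, 020650 and 020660 while their tags are changed to RHEL-07-020660, 020670 and 020680, so the ID in each title no longer matches the tag beneath it, the tags RHEL-07-020670 and RHEL-07-020680 are now each carried by two tasks, and `--tags RHEL-07-020640` or `RHEL-07-020650` selects nothing. Either the titles or the tags are stale; whichever ID is correct for each finding should appear in both places, as every other task in this file does. The preceding hunk `@@ -478,7 +560,7 @@` is consistent (name and tag both RHEL-07-020630).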
@@ -523,7 +605,7 @@ - patch - RHEL-07-020670 -- name: "MEDIUM | RHEL-07-020680 | PATCH | All files and directories contained in local interactive user home directories must be owned by the owner of the home directory." +- name: "MEDIUM | RHEL-07-020680 | PATCH | All files and directories contained in local interactive user home directories must have mode 0750 or less permissive." command: "true" changed_when: no tags: @@ -532,7 +614,7 @@ - patch - RHEL-07-020680 -- name: "MEDIUM | RHEL-07-020690 | PATCH | All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member." +- name: "MEDIUM | RHEL-07-020690 | PATCH | All local initialization files for interactive users must be owned by the home directory user or root." command: "true" changed_when: no tags: @@ -541,7 +623,7 @@ - patch - RHEL-07-020690 -- name: "MEDIUM | RHEL-07-020700 | PATCH | All files and directories contained in local interactive user home directories must have mode 0750 or less permissive." +- name: "MEDIUM | RHEL-07-020700 | PATCH | Local initialization files for local interactive users must be group-owned by the users primary group or root." command: "true" changed_when: no tags: 
@@ -550,61 +632,52 @@ - patch - RHEL-07-020700 -- name: "MEDIUM | RHEL-07-020840 | PATCH | All local initialization files for interactive users must be owned by the home directory user or root." - command: "true" - changed_when: no - tags: - - cat2 - - medium - - patch - - RHEL-07-020840 - -- name: "MEDIUM | RHEL-07-020850 | PATCH | Local initialization files for local interactive users must be group-owned by the users primary group or root." +- name: "MEDIUM | RHEL-07-020710 | PATCH | All local initialization files must have mode 0740 or less permissive." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020850 + - RHEL-07-020710 -- name: "MEDIUM | RHEL-07-020860 | PATCH | All local initialization files must have mode 0740 or less permissive." +- name: "MEDIUM | RHEL-07-020720 | PATCH | All local initialization files must have mode 0740 or less permissive." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020860 + - RHEL-07-020720 -- name: "MEDIUM | RHEL-07-020870 | PATCH | All local interactive user initialization files executable search paths must contain only absolute paths." +- name: "MEDIUM | RHEL-07-020730 | PATCH | Local initialization files must not execute world-writable programs." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020870 + - RHEL-07-020730 -- name: "MEDIUM | RHEL-07-020880 | PATCH | Local initialization files must not execute world-writable programs." +- name: "MEDIUM | RHEL-07-020900 | PATCH | All system device files must be correctly labeled to prevent unauthorized modification." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020880 + - RHEL-07-020900 -- name: "MEDIUM | RHEL-07-020940 | PATCH | All system device files must be correctly labeled to prevent unauthorized modification." 
+- name: "MEDIUM | RHEL-07-021000 | PATCH | File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-020940 + - RHEL-07-021000 -- name: "MEDIUM | RHEL-07-021010 | PATCH | Files systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed." +- name: "MEDIUM | RHEL-07-021010 | PATCH | File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed." command: "true" changed_when: no tags: 
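Review bot: RHEL-07-020710 and RHEL-07-020720 in this hunk are given the identical title `All local initialization files must have mode 0740 or less permissive.`, while the removed RHEL-07-020870 title about executable search paths containing only absolute paths has no successor; it looks like the second of the two was meant to inherit that text, but this is inferred from the removed lines. Two findings sharing one description will mislead anyone tracing a tag back to the STIG, so one title should be corrected before merging. Every task in this hunk stays a `command: "true"` placeholder, so the renumbering is the only functional content here.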
@@ -613,77 +686,79 @@ - patch - RHEL-07-021010 -- name: "MEDIUM | RHEL-07-021011 | PATCH | Files systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed." +- name: "MEDIUM | RHEL-07-021020 | PATCH | File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021011 + - RHEL-07-021020 -- name: "MEDIUM | RHEL-07-021012 | PATCH | Files systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed." +- name: "MEDIUM | RHEL-07-021021 | PATCH | File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021012 + - RHEL-07-021021 -- name: "MEDIUM | RHEL-07-021050 | PATCH | All world-writable directories must be group-owned by root, sys, bin, or an application group." +- name: "MEDIUM | RHEL-07-021030 | PATCH | All world-writable directories must be group-owned by root, sys, bin, or an application group." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021050 + - RHEL-07-021030 -- name: "MEDIUM | RHEL-07-021060 | PATCH | The umask must be set to 077 for all local interactive user accounts." +- name: "MEDIUM | RHEL-07-021040 | PATCH | The umask must be set to 077 for all local interactive user accounts." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021060 + - RHEL-07-021040 -- name: "MEDIUM | RHEL-07-021160 | PATCH | Cron logging must be implemented." +- name: "MEDIUM | RHEL-07-021100 | PATCH | Cron logging must be implemented." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021160 + - RHEL-07-021100 -- name: "MEDIUM | RHEL-07-021190 | PATCH | If the cron.allow file exists it must be owned by root." +- name: "MEDIUM | RHEL-07-021110 | PATCH | If the cron.allow file exists it must be owned by root." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021190 + - RHEL-07-021110 -- name: "MEDIUM | RHEL-07-021200 | PATCH | If the cron.allow file exists it must be group-owned by root." +- name: "MEDIUM | RHEL-07-021120 | PATCH | If the cron.allow file exists it must be group-owned by root." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-021200 + - RHEL-07-021120 -- name: "MEDIUM | RHEL-07-021230 | PATCH | Kernel core dumps must be disabled unless needed." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-021300 | PATCH | Kernel core dumps must be disabled unless needed." + service: + name: kdump + enabled: no + state: stopped tags: - cat2 - medium - patch - - RHEL-07-021230 + - RHEL-07-021300 - name: "MEDIUM | RHEL-07-021620 | PATCH | The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories." command: "true" 
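Review bot: The RHEL-07-021300 task stops and disables `kdump` unconditionally, although the finding reads "unless needed"; a defaults entry such as `rhel7stig_kdump_required: no` (name is a suggestion) with `when: not rhel7stig_kdump_required` on the task would let sites that depend on crash dumps keep it without editing the role. Separately, the `service` module fails when the requested unit does not exist, which is likely on hosts where kexec-tools was never installed, so the task also needs either a guard on the unit's presence or a `failed_when` that tolerates the missing-service result; as written it would abort the cat2 run on such hosts. The remaining tasks in this hunk are renumbered placeholders only.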
@@ -694,124 +769,115 @@ - patch - RHEL-07-021620 -- name: "MEDIUM | RHEL-07-021760 | PATCH | The system must not allow removable media to be used as the boot loader unless approved." - command: "true" - changed_when: no - tags: - - cat2 - - medium - - patch - - RHEL-07-021760 - -- name: "MEDIUM | RHEL-07-030090 | PATCH | The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure." +- name: "MEDIUM | RHEL-07-021700 | PATCH | The system must not allow removable media to be used as the boot loader unless approved." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030090 + - RHEL-07-021700 -- name: "MEDIUM | RHEL-07-030310 | PATCH | All privileged function executions must be audited." +- name: "MEDIUM | RHEL-07-030010 | PATCH | The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030310 + - RHEL-07-030010 -- name: "MEDIUM | RHEL-07-030330 | PATCH | The operating system must off-load audit records onto a different system or media from the system being audited." +- name: "MEDIUM | RHEL-07-030300 | PATCH | The operating system must off-load audit records onto a different system or media from the system being audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030330 + - RHEL-07-030300 -- name: "MEDIUM | RHEL-07-030331 | PATCH | The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." +- name: "MEDIUM | RHEL-07-030310 | PATCH | The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030331 + - RHEL-07-030310 -- name: "MEDIUM | RHEL-07-030340 | PATCH | The audit system must take appropriate action when the audit storage volume is full." +- name: "MEDIUM | RHEL-07-030320 | PATCH | The audit system must take appropriate action when the audit storage volume is full." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030340 + - RHEL-07-030320 -- name: "MEDIUM | RHEL-07-030350 | PATCH | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity." +- name: "MEDIUM | RHEL-07-030321 | PATCH | The audit system must take appropriate action when there is an error sending audit records to a remote system." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030350 + - RHEL-07-030321 -- name: "MEDIUM | RHEL-07-030351 | PATCH | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached." 
+- name: "MEDIUM | RHEL-07-030330 | PATCH | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030351 + - RHEL-07-030330 -- name: "MEDIUM | RHEL-07-030352 | PATCH | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached." +- name: "MEDIUM | RHEL-07-030340 | PATCH | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030352 + - RHEL-07-030340 -- name: "MEDIUM | RHEL-07-030380 | PATCH | All uses of the chown command must be audited." +- name: "MEDIUM | RHEL-07-030350 | PATCH | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030380 + - RHEL-07-030350 -- name: "MEDIUM | RHEL-07-030381 | PATCH | All uses of the fchown command must be audited." +- name: "MEDIUM | RHEL-07-030360 | PATCH | All privileged function executions must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030381 + - RHEL-07-030360 -- name: "MEDIUM | RHEL-07-030382 | PATCH | All uses of the lchown command must be audited." +- name: "MEDIUM | RHEL-07-030370 | PATCH | All uses of the chown command must be audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030382 + - RHEL-07-030370 -- name: "MEDIUM | RHEL-07-030383 | PATCH | All uses of the fchownat command must be audited." +- name: "MEDIUM | RHEL-07-030380 | PATCH | All uses of the fchown command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030383 + - RHEL-07-030380 -- name: "MEDIUM | RHEL-07-030390 | PATCH | All uses of the chmod command must be audited." +- name: "MEDIUM | RHEL-07-030390 | PATCH | All uses of the lchown command must be audited." command: "true" changed_when: no tags: @@ -820,25 +886,7 @@ - patch - RHEL-07-030390 -- name: "MEDIUM | RHEL-07-030391 | PATCH | All uses of the fchmod command must be audited." - command: "true" - changed_when: no - tags: - - cat2 - - medium - - patch - - RHEL-07-030391 - -- name: "MEDIUM | RHEL-07-030392 | PATCH | All uses of the fchmodat command must be audited." - command: "true" - changed_when: no - tags: - - cat2 - - medium - - patch - - RHEL-07-030392 - -- name: "MEDIUM | RHEL-07-030400 | PATCH | All uses of the setxattr command must be audited." +- name: "MEDIUM | RHEL-07-030400 | PATCH | All uses of the fchownat command must be audited." command: "true" changed_when: no tags: 
@@ -847,527 +895,529 @@ - patch - RHEL-07-030400 -- name: "MEDIUM | RHEL-07-030401 | PATCH | All uses of the fsetxattr command must be audited." +- name: "MEDIUM | RHEL-07-030410 | PATCH | All uses of the chmod command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030401 + - RHEL-07-030410 -- name: "MEDIUM | RHEL-07-030402 | PATCH | All uses of the lsetxattr command must be audited." +- name: "MEDIUM | RHEL-07-030420 | PATCH | All uses of the fchmod command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030402 + - RHEL-07-030420 -- name: "MEDIUM | RHEL-07-030403 | PATCH | All uses of the removexattr command must be audited." +- name: "MEDIUM | RHEL-07-030430 | PATCH | All uses of the fchmodat command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030403 + - RHEL-07-030430 -- name: "MEDIUM | RHEL-07-030404 | PATCH | All uses of the fremovexattr command must be audited." +- name: "MEDIUM | RHEL-07-030440 | PATCH | All uses of the setxattr command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030404 + - RHEL-07-030440 -- name: "MEDIUM | RHEL-07-030405 | PATCH | All uses of the lremovexattr command must be audited." +- name: "MEDIUM | RHEL-07-030450 | PATCH | All uses of the fsetxattr command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030405 + - RHEL-07-030450 -- name: "MEDIUM | RHEL-07-030420 | PATCH | All uses of the creat command must be audited." +- name: "MEDIUM | RHEL-07-030460 | PATCH | All uses of the lsetxattr command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030420 + - RHEL-07-030460 -- name: "MEDIUM | RHEL-07-030421 | PATCH | All uses of the open command must be audited." +- name: "MEDIUM | RHEL-07-030470 | PATCH | All uses of the removexattr command must be audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030421 + - RHEL-07-030470 -- name: "MEDIUM | RHEL-07-030422 | PATCH | All uses of the openat command must be audited." +- name: "MEDIUM | RHEL-07-030480 | PATCH | All uses of the fremovexattr command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030422 + - RHEL-07-030480 -- name: "MEDIUM | RHEL-07-030423 | PATCH | All uses of the open_by_handle_at command must be audited." +- name: "MEDIUM | RHEL-07-030490 | PATCH | All uses of the lremovexattr command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030423 + - RHEL-07-030490 -- name: "MEDIUM | RHEL-07-030424 | PATCH | All uses of the truncate command must be audited." +- name: "MEDIUM | RHEL-07-030500 | PATCH | All uses of the creat command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030424 + - RHEL-07-030500 -- name: "MEDIUM | RHEL-07-030425 | PATCH | All uses of the ftruncate command must be audited." +- name: "MEDIUM | RHEL-07-030510 | PATCH | All uses of the open command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030425 + - RHEL-07-030510 -- name: "MEDIUM | RHEL-07-030441 | PATCH | All uses of the semanage command must be audited." +- name: "MEDIUM | RHEL-07-030520 | PATCH | All uses of the openat command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030441 + - RHEL-07-030520 -- name: "MEDIUM | RHEL-07-030442 | PATCH | All uses of the setsebool command must be audited." +- name: "MEDIUM | RHEL-07-030530 | PATCH | All uses of the open_by_handle_at command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030442 + - RHEL-07-030530 -- name: "MEDIUM | RHEL-07-030443 | PATCH | All uses of the chcon command must be audited." 
+- name: "MEDIUM | RHEL-07-030540 | PATCH | All uses of the truncate command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030443 + - RHEL-07-030540 -- name: "MEDIUM | RHEL-07-030444 | PATCH | All uses of the restorecon command must be audited." +- name: "MEDIUM | RHEL-07-030550 | PATCH | All uses of the ftruncate command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030444 + - RHEL-07-030550 -- name: "MEDIUM | RHEL-07-030490 | PATCH | The operating system must generate audit records for all successful/unsuccessful account access count events." +- name: "MEDIUM | RHEL-07-030560 | PATCH | All uses of the semanage command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030490 + - RHEL-07-030560 -- name: "MEDIUM | RHEL-07-030491 | PATCH | The operating system must generate audit records for all unsuccessful account access events." +- name: "MEDIUM | RHEL-07-030570 | PATCH | All uses of the setsebool command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030491 + - RHEL-07-030570 -- name: "MEDIUM | RHEL-07-030492 | PATCH | The operating system must generate audit records for all successful account access events." +- name: "MEDIUM | RHEL-07-030580 | PATCH | All uses of the chcon command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030492 + - RHEL-07-030580 -- name: "MEDIUM | RHEL-07-030510 | PATCH | All uses of the passwd command must be audited." +- name: "MEDIUM | RHEL-07-030590 | PATCH | All uses of the restorecon command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030510 + - RHEL-07-030590 -- name: "MEDIUM | RHEL-07-030511 | PATCH | All uses of the unix_chkpwd command must be audited." 
+- name: "MEDIUM | RHEL-07-030600 | PATCH | The operating system must generate audit records for all successful/unsuccessful account access count events." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030511 + - RHEL-07-030600 -- name: "MEDIUM | RHEL-07-030512 | PATCH | All uses of the gpasswd command must be audited." +- name: "MEDIUM | RHEL-07-030610 | PATCH | The operating system must generate audit records for all unsuccessful account access events." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030512 + - RHEL-07-030610 -- name: "MEDIUM | RHEL-07-030513 | PATCH | All uses of the chage command must be audited." +- name: "MEDIUM | RHEL-07-030620 | PATCH | The operating system must generate audit records for all successful account access events." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030513 + - RHEL-07-030620 -- name: "MEDIUM | RHEL-07-030514 | PATCH | All uses of the userhelper command must be audited." +- name: "MEDIUM | RHEL-07-030630 | PATCH | All uses of the passwd command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030514 + - RHEL-07-030630 -- name: "MEDIUM | RHEL-07-030521 | PATCH | All uses of the su command must be audited." +- name: "MEDIUM | RHEL-07-030640 | PATCH | All uses of the unix_chkpwd command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030521 + - RHEL-07-030640 -- name: "MEDIUM | RHEL-07-030522 | PATCH | All uses of the sudo command must be audited." +- name: "MEDIUM | RHEL-07-030650 | PATCH | All uses of the gpasswd command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030522 + - RHEL-07-030650 -- name: "MEDIUM | RHEL-07-030526 | PATCH | All uses of the sudoedit command must be audited." +- name: "MEDIUM | RHEL-07-030660 | PATCH | All uses of the chage command must be audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030526 + - RHEL-07-030660 -- name: "MEDIUM | RHEL-07-030523 | PATCH | The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files." +- name: "MEDIUM | RHEL-07-030670 | PATCH | All uses of the userhelper command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030523 + - RHEL-07-030670 -- name: "MEDIUM | RHEL-07-030524 | PATCH | All uses of the newgrp command must be audited." +- name: "MEDIUM | RHEL-07-030680 | PATCH | All uses of the su command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030524 + - RHEL-07-030680 -- name: "MEDIUM | RHEL-07-030525 | PATCH | All uses of the chsh command must be audited." +- name: "MEDIUM | RHEL-07-030690 | PATCH | All uses of the sudo command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030525 + - RHEL-07-030690 -- name: "MEDIUM | RHEL-07-030530 | PATCH | All uses of the mount command must be audited." +- name: "MEDIUM | RHEL-07-030700 | PATCH | All uses of the sudo command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030530 + - RHEL-07-030700 -- name: "MEDIUM | RHEL-07-030531 | PATCH | All uses of the umount command must be audited." +- name: "MEDIUM | RHEL-07-030710 | PATCH | All uses of the newgrp command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030531 + - RHEL-07-030710 -- name: "MEDIUM | RHEL-07-030540 | PATCH | All uses of the postdrop command must be audited." +- name: "MEDIUM | RHEL-07-030720 | PATCH | All uses of the chsh command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030540 + - RHEL-07-030720 -- name: "MEDIUM | RHEL-07-030541 | PATCH | All uses of the postqueue command must be audited." 
+- name: "MEDIUM | RHEL-07-030730 | PATCH | All uses of the sudoedit command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030541 + - RHEL-07-030730 -- name: "MEDIUM | RHEL-07-030550 | PATCH | All uses of the ssh-keysign command must be audited." +- name: "MEDIUM | RHEL-07-030740 | PATCH | All uses of the mount command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030550 + - RHEL-07-030740 -- name: "MEDIUM | RHEL-07-030560 | PATCH | All uses of the pt_chown command must be audited." +- name: "MEDIUM | RHEL-07-030750 | PATCH | All uses of the umount command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030560 + - RHEL-07-030750 -- name: "MEDIUM | RHEL-07-030561 | PATCH | All uses of the crontab command must be audited." +- name: "MEDIUM | RHEL-07-030760 | PATCH | All uses of the postdrop command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030561 + - RHEL-07-030760 -- name: "MEDIUM | RHEL-07-030630 | PATCH | All uses of the pam_timestamp_check command must be audited." +- name: "MEDIUM | RHEL-07-030770 | PATCH | All uses of the postqueue command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030630 + - RHEL-07-030770 -- name: "MEDIUM | RHEL-07-030670 | PATCH | All uses of the init_module command must be audited." +- name: "MEDIUM | RHEL-07-030780 | PATCH | All uses of the ssh-keysign command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030670 + - RHEL-07-030780 -- name: "MEDIUM | RHEL-07-030671 | PATCH | All uses of the delete_module command must be audited." +- name: "MEDIUM | RHEL-07-030790 | PATCH | All uses of the pt_chown command must be audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030671 + - RHEL-07-030790 -- name: "MEDIUM | RHEL-07-030672 | PATCH | All uses of the insmod command must be audited." +- name: "MEDIUM | RHEL-07-030800 | PATCH | All uses of the crontab command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030672 + - RHEL-07-030800 -- name: "MEDIUM | RHEL-07-030673 | PATCH | All uses of the rmmod command must be audited." +- name: "MEDIUM | RHEL-07-030810 | PATCH | All uses of the pam_timestamp_check command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030673 + - RHEL-07-030810 -- name: "MEDIUM | RHEL-07-030674 | PATCH | All uses of the modprobe command must be audited." +- name: "MEDIUM | RHEL-07-030820 | PATCH | All uses of the init_module command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030674 + - RHEL-07-030820 -- name: "MEDIUM | RHEL-07-030710 | PATCH | The operating system must generate audit records for all account creations, modifications, disabling, and termination events." +- name: "MEDIUM | RHEL-07-030830 | PATCH | All uses of the delete_module command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030710 + - RHEL-07-030830 -- name: "MEDIUM | RHEL-07-030750 | PATCH | All uses of the rename command must be audited." +- name: "MEDIUM | RHEL-07-030840 | PATCH | All uses of the insmod command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030750 + - RHEL-07-030840 -- name: "MEDIUM | RHEL-07-030751 | PATCH | All uses of the renameat command must be audited." +- name: "MEDIUM | RHEL-07-030850 | PATCH | All uses of the rmmod command must be audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030751 + - RHEL-07-030850 -- name: "MEDIUM | RHEL-07-030752 | PATCH | All uses of the rmdir command must be audited." +- name: "MEDIUM | RHEL-07-030860 | PATCH | All uses of the modprobe command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030752 + - RHEL-07-030860 -- name: "MEDIUM | RHEL-07-030753 | PATCH | All uses of the unlink command must be audited." +- name: "MEDIUM | RHEL-07-030870 | PATCH | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030753 + - RHEL-07-030870 -- name: "MEDIUM | RHEL-07-030754 | PATCH | All uses of the unlinkat command must be audited." +- name: "MEDIUM | RHEL-07-030871 | PATCH | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030754 + - RHEL-07-030871 -- name: "MEDIUM | RHEL-07-030770 | PATCH | The system must send rsyslog output to a log aggregation server." +- name: "MEDIUM | RHEL-07-030872 | PATCH | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030770 + - RHEL-07-030872 -- name: "MEDIUM | RHEL-07-030780 | PATCH | The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation." +- name: "MEDIUM | RHEL-07-030873 | PATCH | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030780 + - RHEL-07-030873 -- name: "MEDIUM | RHEL-07-030820 | PATCH | The system must update the DoD-approved virus scan program every seven days or more frequently." +- name: "MEDIUM | RHEL-07-030874 | PATCH | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-030820 + - RHEL-07-030874 -- name: "MEDIUM | RHEL-07-040020 | PATCH | The system must log informational authentication data." +- name: "MEDIUM | RHEL-07-030880 | PATCH | All uses of the rename command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040020 + - RHEL-07-030880 -- name: "MEDIUM | RHEL-07-040030 | PATCH | The operating system, for PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation." +- name: "MEDIUM | RHEL-07-030890 | PATCH | All uses of the renameat command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040030 + - RHEL-07-030890 -- name: "MEDIUM | RHEL-07-040040 | PATCH | The operating system, for PKI-based authentication, must enforce authorized access to all PKI private keys stored or used by the operating system." +- name: "MEDIUM | RHEL-07-030900 | PATCH | All uses of the rmdir command must be audited." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040040 + - RHEL-07-030900 -- name: "MEDIUM | RHEL-07-040050 | PATCH | The operating system must map the authenticated identity to the user or group account for PKI-based authentication." +- name: "MEDIUM | RHEL-07-030920 | PATCH | All uses of the unlinkat command must be audited." 
command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040050 + - RHEL-07-030920 -- name: "MEDIUM | RHEL-07-040060 | PATCH | The cn_map file must have mode 0644 or less permissive." +- name: "MEDIUM | RHEL-07-031000 | PATCH | The system must send rsyslog output to a log aggregation server." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040060 + - RHEL-07-031000 + - rsyslog -- name: "MEDIUM | RHEL-07-040070 | PATCH | The cn_map file must be owned by root." +- name: "MEDIUM | RHEL-07-031010 | PATCH | The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040070 + - RHEL-07-031010 + - rsyslog -- name: "MEDIUM | RHEL-07-040080 | PATCH | The cn_map file must be group owned by root." +- name: "MEDIUM | RHEL-07-032010 | PATCH | The system must update the DoD-approved virus scan program every seven days or more frequently." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040080 + - RHEL-07-032010 - name: "MEDIUM | RHEL-07-040100 | PATCH | The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." command: "true" 
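Review bot: The renumbered RHEL-07-030700 task reuses the RHEL-07-030690 name text `All uses of the sudo command must be audited`, so the two tasks are indistinguishable in play output; the removed RHEL-07-030523 line (`The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files.`) appears to be the intended description and should be carried over. The renumbering also loses the unlink audit task: the old RHEL-07-030753 (`All uses of the unlink command must be audited`) has no new counterpart, with RHEL-07-030900 (rmdir) followed directly by RHEL-07-030920 (unlinkat), so the requirement presumably numbered RHEL-07-030910 is no longer tagged or reported. Both are still `command: "true"` placeholders, so the gap is in coverage reporting rather than enforcement, but it will make the role look complete for a control it never touches.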
@@ -1379,16 +1429,21 @@ - RHEL-07-040100 - name: "MEDIUM | RHEL-07-040110 | PATCH | A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications." - command: "true" - changed_when: no + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?Ciphers + line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040110 -- name: "MEDIUM | RHEL-07-040160 | PATCH | All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." +- name: "MEDIUM | RHEL-07-040160 | PATCH | All network connections associated with a communication session must be terminated at the the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." lineinfile: + create: yes dest: /etc/profile regexp: ^#?TMOUT line: TMOUT=600 
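Review bot: The renamed RHEL-07-040160 task introduces a typo in its name, `terminated at the the session`, where the removed line read `terminated at the end of the session`; restore the original wording. In the new RHEL-07-040110 task, `lineinfile` appends `Ciphers aes128-ctr,aes192-ctr,aes256-ctr` at end of file when no line matches `(?i)^#?Ciphers`; if `/etc/ssh/sshd_config` ends with a `Match` block, `Ciphers` is not a keyword permitted inside `Match`, so `sshd -t -f %s` would reject the temporary file and the task would fail on every run rather than harden the daemon. Adding `insertbefore: ^Match` keeps the directive in the global section when it has to be inserted. The RHEL-07-040160 task continues past the end of the hunk.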
@@ -1418,26 +1473,52 @@ - patch - RHEL-07-040180 -- name: "MEDIUM | RHEL-07-040181 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." +- name: "MEDIUM | RHEL-07-040190 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040181 + - RHEL-07-040190 -- name: "MEDIUM | RHEL-07-040182 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." +- name: "MEDIUM | RHEL-07-040200 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040182 + - RHEL-07-040200 + +- name: "MEDIUM | RHEL-07-040300 | PATCH | All networked systems must have SSH installed." + yum: + name: + - openssh-clients + - openssh-server + state: present + tags: + - cat2 + - medium + - patch + - RHEL-07-040300 + - ssh + +- name: "MEDIUM | RHEL-07-040310 | PATCH | All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission." + service: + name: sshd + state: started + enabled: yes + tags: + - cat2 + - medium + - patch + - RHEL-07-040310 + - ssh -- name: "MEDIUM | RHEL-07-040190 | PATCH | All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." 
+- name: "MEDIUM | RHEL-07-040320 | PATCH | All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." lineinfile: + create: yes dest: /etc/ssh/sshd_config regexp: ^#?ClientAliveInterval line: ClientAliveInterval 600 
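Review bot: `create: yes` on the RHEL-07-040320 `lineinfile` task would, if `/etc/ssh/sshd_config` were missing, write a new file containing only `ClientAliveInterval 600` with umask-derived permissions instead of the restrictive mode the openssh-server package ships, masking a missing or broken install instead of surfacing it. Since the new RHEL-07-040300 task already installs `openssh-server` earlier in the same file, the config should always exist by this point and `create: yes` can be dropped here; the same `create: yes` is added to the RHEL-07-040340 task in the following hunk. The RHEL-07-040320 task continues past the end of the hunk (its `validate`, `notify` and `tags` are in the next one).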
@@ -1447,242 +1528,329 @@ - cat2 - medium - patch - - RHEL-07-040190 + - RHEL-07-040320 - ssh -- name: "MEDIUM | RHEL-07-040191 | PATCH | All network connections associated with SSH traffic must terminate after a period of inactivity." +#note there is a typo in the fix steps in the STIG +- name: "MEDIUM | RHEL-07-040330 | PATCH | The SSH daemon must not allow authentication using RSA rhosts authentication." lineinfile: dest: /etc/ssh/sshd_config - regexp: ^#?ClientAliveCountMax - line: ClientAliveCountMax 0 + regexp: ^#?RhostsRSAAuthentication + line: RhostsRSAAuthentication no validate: sshd -t -f %s notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040191 + - RHEL-07-040330 - ssh -- name: "MEDIUM | RHEL-07-040210 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." +- name: "MEDIUM | RHEL-07-040340 | PATCH | All network connections associated with SSH traffic must terminate after a period of inactivity." 
lineinfile: - dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: restart {{ rhel7stig_time_service }} - with_items: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].lines }}" - when: - - rhel7stig_time_service == 'ntpd' - - rhel_07_040210_audit.stat.exists + create: yes + dest: /etc/ssh/sshd_config + regexp: ^#?ClientAliveCountMax + line: ClientAliveCountMax 0 + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040210 - - ntp - - ntpd + - RHEL-07-040340 + - ssh -- name: "MEDIUM | RHEL-07-040210 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - replace: - dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" - regexp: '^server \S+( \w+)?$' - notify: restart {{ rhel7stig_time_service }} - when: - - rhel7stig_time_service == 'chronyd' - - rhel_07_040210_audit.stat.exists +- name: "MEDIUM | RHEL-07-040350 | PATCH | The SSH daemon must not allow authentication using rhosts authentication." + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?IgnoreRhosts + line: IgnoreRhosts yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040210 - - chronyd + - RHEL-07-040350 + - ssh -- name: "MEDIUM | RHEL-07-040210 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." 
- blockinfile: +- name: "MEDIUM | RHEL-07-040360 | PATCH | The system must display the date and time of the last successful account logon upon an SSH logon." + lineinfile: + dest: "{{ item.dest }}" + regexp: "{{ item.regexp}}" + line: "{{ item.line }}" insertbefore: BOF - dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" - block: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].block }}" - state: present - notify: restart {{ rhel7stig_time_service }} - when: - - rhel7stig_time_service == 'chronyd' - - rhel_07_040210_audit.stat.exists + with_items: + - dest: '/etc/ssh/sshd_config' + regexp: '^#?PrintLastLog' + line: 'PrintLastLog yes' + - dest: '/etc/pam.d/sshd' + regexp: '^#?session required pam_lastlog.so' + line: 'session required pam_lastlog.so showfailed' + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040210 - - chronyd + - RHEL-07-040360 + - ssh -- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." +- name: "MEDIUM | RHEL-07-040370 | PATCH | The system must not permit direct logons to the root account using remote access via SSH." 
lineinfile: - dest: /var/lib/pki-kra/conf/server.xml - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - when: rhel_07_040230_audit.stat.exists - with_items: - - regexp: '^#?auths.revocationChecking.bufferSize' - line: 'auths.revocationChecking.bufferSize=50' - - - regexp: '^#?auths.revocationChecking.enabled' - line: 'auths.revocationChecking.enabled=true' - - - regexp: '^#?enableOCSP' - line: 'enableOCSP="true"' - - - regexp: '^#?ocspCacheSize' - line: 'ocspCacheSize="50"' + create: yes + dest: /etc/ssh/sshd_config + regexp: ^#?PermitRootLogin + line: PermitRootLogin no + insertafter: '(?i)^#?authentication' + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040230 - - pki + - RHEL-07-040370 + - ssh -- name: "MEDIUM | RHEL-07-040250 | PATCH | The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces." - command: "true" - changed_when: no +- name: "MEDIUM | RHEL-07-040380 | PATCH | The SSH daemon must not allow authentication using known hosts authentication." + lineinfile: + create: yes + dest: /etc/ssh/sshd_config + regexp: ^#?IgnoreUserKnownHosts + line: IgnoreUserKnownHosts yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040250 - - firewalld + - RHEL-07-040380 + - ssh -- name: "MEDIUM | RHEL-07-040260 | PATCH | All networked systems must have SSH installed." - yum: - name: - - openssh-clients - - openssh-server - state: latest +- name: "MEDIUM | RHEL-07-040400 | PATCH | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." 
+ lineinfile: + create: yes + dest: /etc/ssh/sshd_config + regexp: (?i)^#?MACs + line: MACs hmac-sha2-256,hmac-sha2-512 + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040260 - - ssh + - RHEL-07-040400 -- name: "MEDIUM | RHEL-07-040261 | PATCH | All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission." - service: - name: sshd - state: started - enabled: yes +- name: "MEDIUM | RHEL-07-040410 | PATCH | The SSH public host key files must have mode 0644 or less permissive." + file: + dest: "{{ item.path }}" + mode: 0644 + state: file + with_items: "{{ rhel_07_040410_audit.files | default([]) }}" tags: - cat2 - medium - patch - - RHEL-07-040261 + - RHEL-07-040410 - ssh -- name: "MEDIUM | RHEL-07-040290 | PATCH | The system must use a local firewall." - yum: - name: firewalld - state: latest +- name: "MEDIUM | RHEL-07-040420 | PATCH | The SSH private host key files must have mode 0600 or less permissive." + file: + dest: "{{ item.path }}" + mode: 0600 + state: file + with_items: "{{ rhel_07_040420_audit.files | default([]) }}" tags: - cat2 - medium - patch - - RHEL-07-040290 - - firewalld + - RHEL-07-040420 + - ssh -- name: "MEDIUM | RHEL-07-040290 | PATCH | The system must use a local firewall." - service: - name: firewalld - state: started - enabled: yes +- name: "MEDIUM | RHEL-07-040430 | PATCH | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." + lineinfile: + create: yes + dest: /etc/ssh/sshd_config + regexp: (?i)^#?gssapiauthentication + line: GSSAPIAuthentication no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040290 - - firewalld + - RHEL-07-040430 + - ssh -- name: "MEDIUM | RHEL-07-040920 | PATCH | The system must not permit direct logons to the root account using remote access via SSH." 
+- name: "MEDIUM | RHEL-07-040440 | PATCH | The SSH daemon must not permit Kerberos authentication unless needed." lineinfile: dest: /etc/ssh/sshd_config - regexp: ^#?PermitRootLogin - line: PermitRootLogin no - insertafter: '(?i)^#?authentication' + regexp: (?i)^#?kerberosauthentication + line: KerberosAuthentication no validate: sshd -t -f %s notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040310 + - RHEL-07-040440 - ssh -- name: "MEDIUM | RHEL-07-040334 | PATCH | The SSH daemon must not allow authentication using rhosts authentication." +- name: "MEDIUM | RHEL-07-040450 | PATCH | The SSH daemon must perform strict mode checking of home directory configuration files." lineinfile: dest: /etc/ssh/sshd_config - regexp: ^#?IgnoreRhosts - line: IgnoreRhosts yes + regexp: (?i)^#?strictmodes + line: StrictModes yes validate: sshd -t -f %s notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040334 + - RHEL-07-040450 - ssh -- name: "MEDIUM | RHEL-07-040332 | PATCH | The SSH daemon must not allow authentication using known hosts authentication." +- name: "MEDIUM | RHEL-07-040460 | PATCH | The SSH daemon must use privilege separation." lineinfile: dest: /etc/ssh/sshd_config - regexp: ^#?IgnoreUserKnownHosts - line: IgnoreUserKnownHosts yes + regexp: (?i)^#?useprivilegeseparation + line: UsePrivilegeSeparation yes validate: sshd -t -f %s notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040332 + - RHEL-07-040460 - ssh -- name: "MEDIUM | RHEL-07-040333 | PATCH | The SSH daemon must not allow authentication using RSA rhosts authentication." +- name: "MEDIUM | RHEL-07-040470 | PATCH | The SSH daemon must not allow compression or must only allow compression after successful authentication." 
lineinfile: dest: /etc/ssh/sshd_config - regexp: ^#?RhostsRSAAuthentication - line: RhostsRSAAuthentication yes + regexp: (?i)^#?compression + line: Compression no validate: sshd -t -f %s notify: restart ssh tags: - cat2 - medium - patch - - RHEL-07-040333 + - RHEL-07-040470 - ssh -- name: "MEDIUM | RHEL-07-040350 | PATCH | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets." +- name: "MEDIUM | RHEL-07-040500 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + lineinfile: + create: yes + dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart {{ rhel7stig_time_service }} + with_items: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].lines }}" + when: + - rhel7stig_time_service == 'ntpd' + - rhel_07_040500_audit.stat.exists + tags: + - cat2 + - medium + - patch + - RHEL-07-040500 + - ntp + - ntpd + +- name: "MEDIUM | RHEL-07-040500 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." 
+ replace: + dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" + regexp: '^server \S+( \w+)?$' + notify: restart {{ rhel7stig_time_service }} + when: + - rhel7stig_time_service == 'chronyd' + - rhel_07_040500_audit.stat.exists + tags: + - cat2 + - medium + - patch + - RHEL-07-040500 + - chronyd + +- name: "MEDIUM | RHEL-07-040500 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + blockinfile: + insertbefore: BOF + dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" + block: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].block }}" + state: present + notify: restart {{ rhel7stig_time_service }} + when: + - rhel7stig_time_service == 'chronyd' + - rhel_07_040500_audit.stat.exists + tags: + - cat2 + - medium + - patch + - RHEL-07-040500 + - chronyd + +- name: "MEDIUM | RHEL-07-040510 | PATCH | The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces." + command: "true" + changed_when: no + tags: + - cat2 + - medium + - patch + - RHEL-07-040510 + - firewalld + +- name: "MEDIUM | RHEL-07-040520 | PATCH | The operating system must enable an application firewall, if available." + yum: + name: firewalld + state: present + tags: + - cat2 + - medium + - patch + - RHEL-07-040520 + - firewalld + +- name: "MEDIUM | RHEL-07-040520 | PATCH | The system must use a local firewall." 
+ service: + name: firewalld + state: started + enabled: yes + tags: + - cat2 + - medium + - patch + - RHEL-07-040520 + - firewalld + +- name: "MEDIUM | RHEL-07-040610 | PATCH | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets." sysctl: name: net.ipv4.conf.all.accept_source_route state: present - value: 1 + value: 0 reload: yes ignoreerrors: yes tags: - cat2 - medium - patch - - RHEL-07-040350 - - ssh + - RHEL-07-040610 + - ipv4 -- name: "MEDIUM | RHEL-07-040351 | PATCH | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default." +- name: "MEDIUM | RHEL-07-040620 | PATCH | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default." sysctl: name: net.ipv4.conf.default.accept_source_route state: present - value: 1 + value: 0 reload: yes ignoreerrors: yes tags: - cat2 - medium - patch - - RHEL-07-040351 + - RHEL-07-040620 - ipv4 -- name: "MEDIUM | RHEL-07-040380 | PATCH | The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." +- name: "MEDIUM | RHEL-07-040630 | PATCH | The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts state: present @@ -1694,12 +1862,12 @@ - cat2 - medium - patch - - RHEL-07-040380 + - RHEL-07-040630 - ipv4 -- name: "MEDIUM | RHEL-07-040410 | PATCH | The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." +- name: "MEDIUM | RHEL-07-040640 | PATCH | The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." sysctl: - name: net.ipv4.conf.default.send_redirects + name: net.ipv4.conf.default.accept_redirects state: present value: 0 reload: yes 
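Review bot: The sshd_config tasks introduced for RHEL-07-040370 (PermitRootLogin), 040380, 040400 and 040430 rely on lineinfile's default of appending at end of file when the regexp finds nothing; if the host's sshd_config ends with a `Match` block (common where SFTP chroot or per-group rules exist), the appended directive becomes part of that conditional block and does not apply globally, and `validate: sshd -t -f %s` accepts the file without complaint. Adding `insertbefore: '^Match\b'` to each of these tasks places the new directive above the conditional section and still falls back to end-of-file when no `Match` block exists; on Ansible 2.5 or later add `firstmatch: yes` so the insert lands before the first rather than the last match. The `insertafter: '(?i)^#?authentication'` already present on the PermitRootLogin task mitigates this for that one directive only when the stock comment header is present.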
@@ -1708,12 +1876,12 @@ - cat2 - medium - patch - - RHEL-07-040410 + - RHEL-07-040640 - ipv4 -- name: "MEDIUM | RHEL-07-040410 | PATCH | The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." +- name: "MEDIUM | RHEL-07-040641 | PATCH | The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." sysctl: - name: net.ipv4.conf.default.accept_redirects + name: net.ipv4.conf.all.accept_redirects state: present value: 0 reload: yes @@ -1722,10 +1890,10 @@ - cat2 - medium - patch - - RHEL-07-040410 + - RHEL-07-040641 - ipv4 -- name: "MEDIUM | RHEL-07-040420 | PATCH | The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default." +- name: "MEDIUM | RHEL-07-040650 | PATCH | The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default." sysctl: name: net.ipv4.conf.default.send_redirects state: present @@ -1736,9 +1904,10 @@ - cat2 - medium - patch - - RHEL-07-040420 + - RHEL-07-040650 + - ipv4 -- name: "MEDIUM | RHEL-07-040421 | PATCH | The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects." +- name: "MEDIUM | RHEL-07-040660 | PATCH | The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects." sysctl: name: net.ipv4.conf.all.send_redirects state: present 
@@ -1749,37 +1918,37 @@ - cat2 - medium - patch - - RHEL-07-040421 + - RHEL-07-040660 - ipv4 -- name: "MEDIUM | RHEL-07-040470 | PATCH | Network interfaces must not be in promiscuous mode." +- name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces must not be in promiscuous mode." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040470 + - RHEL-07-040670 -- name: "MEDIUM | RHEL-07-040480 | PATCH | The system must be configured to prevent unrestricted mail relaying." +- name: "MEDIUM | RHEL-07-040680 | PATCH | The system must be configured to prevent unrestricted mail relaying." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040480 + - RHEL-07-040680 -- name: "MEDIUM | RHEL-07-040520 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode." +- name: "MEDIUM | RHEL-07-040720 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040520 + - RHEL-07-040720 -- name: "MEDIUM | RHEL-07-040560 | PATCH | An X Windows display manager must not be installed unless approved." +- name: "MEDIUM | RHEL-07-040730 | PATCH | An X Windows display manager must not be installed unless approved." yum: name: - "@X Windows System" 
@@ -1790,193 +1959,114 @@ - cat2 - medium - patch - - RHEL-07-040560 + - RHEL-07-040730 - x11 -- name: "MEDIUM | RHEL-07-040620 | PATCH | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?MACs - line: MACs hmac-sha2-256,hmac-sha2-512 - validate: sshd -t -f %s - notify: restart ssh - tags: - - cat2 - - medium - - patch - - RHEL-07-040620 - -- name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive." - file: - dest: "{{ item.path }}" - mode: 0644 - state: file - with_items: "{{ rhel_07_040640_audit.files | default([]) }}" - tags: - - cat2 - - medium - - patch - - RHEL-07-040640 - - ssh - -- name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive." - file: - dest: "{{ item.path }}" - mode: 0600 - state: file - with_items: "{{ rhel_07_040650_audit.files | default([]) }}" - tags: - - cat2 - - medium - - patch - - RHEL-07-040650 - - ssh - -- name: "MEDIUM | RHEL-07-040660 | PATCH | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?gssapiauthentication - line: GSSAPIAuthentication no - validate: sshd -t -f %s - notify: restart ssh - tags: - - cat2 - - medium - - patch - - RHEL-07-040660 - - ssh - -- name: "MEDIUM | RHEL-07-040670 | PATCH | The SSH daemon must not permit Kerberos authentication unless needed." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?kerberosauthentication - line: KerberosAuthentication no - validate: sshd -t -f %s - notify: restart ssh +- name: "MEDIUM | RHEL-07-040740 | PATCH | The system must not be performing packet forwarding unless the system is a router." 
+ sysctl: + name: net.ipv4.ip_forward + state: present + value: 0 + reload: yes + ignoreerrors: yes + when: not rhel7stig_system_is_router tags: - cat2 - medium - patch - - RHEL-07-040670 - - ssh + - RHEL-07-040740 + - ipv4 -- name: "MEDIUM | RHEL-07-040680 | PATCH | The SSH daemon must perform strict mode checking of home directory configuration files." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?strictmodes - line: StrictModes yes - validate: sshd -t -f %s - notify: restart ssh +- name: "MEDIUM | RHEL-07-040750 | PATCH | The Network File System (NFS) must be configured to use RPCSEC_GSS." + command: "true" + changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040680 - - ssh + - RHEL-07-040750 -- name: "MEDIUM | RHEL-07-040690 | PATCH | The SSH daemon must use privilege separation." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?useprivilegeseparation - line: UsePrivilegeSeparation yes - validate: sshd -t -f %s - notify: restart ssh +- name: "MEDIUM | RHEL-07-040810 | PATCH | The system's access control program must be configured to grant or deny system access to specific hosts and services." + command: "true" + changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040690 - - ssh + - RHEL-07-040810 -- name: "MEDIUM | RHEL-07-040700 | PATCH | The SSH daemon must not allow compression or must only allow compression after successful authentication." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?compression - line: Compression no - validate: sshd -t -f %s - notify: restart ssh +- name: "MEDIUM | RHEL-07-040820 | PATCH | The system must not have unauthorized IP tunnels configured." + command: "true" + changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040700 - - ssh + - RHEL-07-040820 -- name: "MEDIUM | RHEL-07-040730 | PATCH | The system must not be performing packet forwarding unless the system is a router." 
+- name: "MEDIUM | RHEL-07-040830 | PATCH | The system must not forward IPv6 source-routed packets." sysctl: - name: net.ipv4.ip_forward + name: net.ipv6.conf.all.accept_source_route state: present value: 0 reload: yes ignoreerrors: yes - when: not rhel7stig_system_is_router - tags: - - cat2 - - medium - - patch - - RHEL-07-040730 - - ipv4 - -- name: "MEDIUM | RHEL-07-040740 | PATCH | The Network File System (NFS) must be configured to use AUTH_GSS." - command: "true" - changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040740 + - RHEL-07-040830 + - ipv6 -- name: "MEDIUM | RHEL-07-040810 | PATCH | The system must use a local firewall." +- name: "MEDIUM | RHEL-07-041001 | PATCH | The operating system must have the required packages for multifactor authentication installed." yum: - name: firewalld - state: latest + name: + - esc + - pam_pkcs11 + - authconfig-gtk + state: present + when: rhel7stig_gui tags: - cat2 - medium - patch - - RHEL-07-040810 - - firewalld + - RHEL-07-041001 + - multifactor -- name: "MEDIUM | RHEL-07-040810 | PATCH | The system must use a local firewall." - service: - name: firewalld - state: started - enabled: yes +- name: "MEDIUM | RHEL-07-041002 | PATCH | The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." + command: "true" + changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040810 - - firewalld + - RHEL-07-041002 -- name: "MEDIUM | RHEL-07-040820 | PATCH | The system's access control program must be configured to grant or deny system access to specific hosts and services." +- name: "MEDIUM | RHEL-07-041003 | PATCH | The operating system must implement certificate status checking for PKI authentication." command: "true" changed_when: no tags: - cat2 - medium - patch - - RHEL-07-040820 + - RHEL-07-041003 -- name: "MEDIUM | RHEL-07-040830 | PATCH | The system must not have unauthorized IP tunnels configured." 
+- name: "MEDIUM | RHEL-07-041004 | PATCH | The operating system must implement smart card logons for multifactor authentication for access to privileged accounts." command: "true" changed_when: no + when: rhel7stig_gui tags: - cat2 - medium - patch - - RHEL-07-040830 + - RHEL-07-041004 + - multifactor -- name: "MEDIUM | RHEL-07-040860 | PATCH | The system must not forward IPv6 source-routed packets." - sysctl: - name: net.ipv6.conf.all.accept_source_route - state: present - value: 0 - reload: yes - ignoreerrors: yes +- name: "MEDIUM | RHEL-07-041010 | PATCH | Wireless network adapters must be disabled." + command: nmcli radio wifi off + when: "'enabled' in rhel_07_041010_audit.stdout" tags: - cat2 - medium - patch - - RHEL-07-040860 - - ipv6 + - RHEL-07-041010 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 660dca7..36e9adf 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -8,8 +8,11 @@ - RHEL-07-010490 - name: "LOW | RHEL-07-020200 | PATCH | The operating system must remove all software components after updated versions have been installed." - command: "true" - changed_when: no + lineinfile: + dest: /etc/yum.conf + regexp: ^#?clean_requirements_on_remove + line: clean_requirements_on_remove=1 + insertafter: '\[main\]' tags: - cat3 - low 
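Review bot: The RHEL-07-041010 condition `when: "'enabled' in rhel_07_041010_audit.stdout"` dereferences the audit's registered result with no default, so a run with `rhel7stig_cat2_patch: yes` and `rhel7stig_cat2_audit: no` (an override the comment in defaults/main.yml explicitly invites) aborts here with an undefined-variable error rather than skipping, whereas the 040410/040420 tasks in this file guard the same situation with `| default([])`. Use the same guard: `when: "'enabled' in (rhel_07_041010_audit.stdout | default(''))"`. `nmcli radio wifi off` also presupposes NetworkManager is installed and running, which nothing in the hunk checks, so a minimal install without it would fail the play at this point; a package-facts or `failed_when` guard is worth considering if such hosts are in scope.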
@@ -79,14 +82,18 @@ - patch - RHEL-07-021610 -- name: "LOW | RHEL-07-040010 | PATCH | The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types." - command: "true" - changed_when: no +- name: "LOW | RHEL-07-040000 | PATCH | The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types." + lineinfile: + state: present + dest: /etc/security/limits.conf + insertbefore: '^# End of file' + regexp: '^#?\\*.*maxlogins' + line: '* hard maxlogins {{ rhel7stig_maxlogins }}' tags: - cat3 - low - patch - - RHEL-07-040010 + - RHEL-07-040000 - name: "LOW | RHEL-07-040300 | PATCH | The system must display the date and time of the last successful account logon upon logon." command: "true" diff --git a/tasks/main.yml b/tasks/main.yml index 72d167d..98b1861 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,15 +17,17 @@ - name: Run CAT I audits include: audit-cat1.yml static: no - when: rhel7stig_cat1_audit + check_mode: no + when: rhel7stig_cat1_audit | bool tags: - cat1 - audit - name: Run CAT II audits include: audit-cat2.yml + check_mode: no static: no - when: rhel7stig_cat2_audit + when: rhel7stig_cat2_audit | bool tags: - cat2 - audit @@ -33,7 +35,8 @@ - name: Run CAT III audits include: audit-cat3.yml static: no - when: rhel7stig_cat3_audit + check_mode: no + when: rhel7stig_cat3_audit | bool tags: - cat2 - audit @@ -41,7 +44,7 @@ - name: Include CAT I patches include: fix-cat1.yml static: no - when: rhel7stig_cat1_patch + when: rhel7stig_cat1_patch | bool tags: - cat1 - patch @@ -49,7 +52,7 @@ - name: Include CAT II patches include: fix-cat2.yml static: no - when: rhel7stig_cat2_patch + when: rhel7stig_cat2_patch | bool tags: - cat2 - patch @@ -57,7 +60,7 @@ - name: Include CAT III patches include: fix-cat3.yml static: no - when: rhel7stig_cat3_patch + when: rhel7stig_cat3_patch | bool tags: - cat3 - patch 
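Review bot: The RHEL-07-040000 regexp `'^#?\\*.*maxlogins'` is a YAML single-quoted scalar, so no escape processing happens and the regex engine receives `\\*`, a literal backslash repeated zero or more times, which makes the whole pattern equivalent to `^#?.*maxlogins`. On a stock /etc/security/limits.conf that matches the explanatory comment `#        - maxlogins - max number of logins for this user`, and because lineinfile rewrites the last match, the limit is written over that comment inside the header block instead of before `# End of file`; a hand-added `root hard maxlogins N` further down would be the last match and get replaced instead. The intended anchor on a literal asterisk is `regexp: '^#?\*.*maxlogins'` (one backslash inside single quotes). The `insertbefore: '^# End of file'` only takes effect once the regexp genuinely fails to match.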
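Review bot: The "Run CAT III audits" include in the `@@ -33,7 +35,8` hunk of tasks/main.yml is still tagged `- cat2` (the context line right after the new `when: rhel7stig_cat3_audit | bool`), while the CAT III patch include a few hunks below is tagged `cat3`. A run limited with `--tags cat3` therefore executes fix-cat3.yml without the audit whose registered results it may depend on, and `--tags cat2` runs the CAT III audit unexpectedly. This commit already touches the task to add `check_mode: no`; change the tag to `- cat3` while here.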
diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..dc63d9c --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,13 @@ +- hosts: all + become: yes + become_method: sudo + roles: + - ../RHEL7-STIG + + pre_tasks: + - name: OS + debug: + var: "{{item}}" + with_items: + - ansible_os_family + - ansible_distribution_major_version \ No newline at end of file