From cb8033072e2e9776af9be1d4540064624f779767 Mon Sep 17 00:00:00 2001 From: jspringer Date: Wed, 27 Jul 2016 19:22:44 -0500 Subject: [PATCH 01/12] Started working on CAT II Added entry to include CAT II in main.yml and added some audits/patches. --- tasks/audit-cat2.yml | 25 +++++++++++++++ tasks/fix-cat2.yml | 73 ++++++++++++++++++++++++++++++++++++-------- tasks/main.yml | 6 ++++ 3 files changed, 91 insertions(+), 13 deletions(-) create mode 100644 tasks/audit-cat2.yml diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml new file mode 100644 index 0000000..87da654 --- /dev/null +++ b/tasks/audit-cat2.yml @@ -0,0 +1,25 @@ +- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." + command: find / -name '*ssh_host*key' + failed_when: no + changed_when: no + ignore_errors: yes + register: rhel_07_040650_audit + tags: + - cat2 + - high + - audit + - RHEL-07-040640 + - always + +- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." + command: find / -name '*ssh_host*key' + failed_when: no + changed_when: no + ignore_errors: yes + register: rhel_07_040650_audit + tags: + - cat2 + - high + - audit + - RHEL-07-040650 + - always diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 344ae2a..7f067a4 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1439,7 +1439,11 @@ - RHEL-07-040620 - name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive." - command: "true" + file: + dest: "{{ item }}" + mode: 0644 + state: file + with_items: "{{ rhel_07_040640_audit.stdout_lines }}" tags: - cat2 - medium 
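Review bot: The first audit task in the new tasks/audit-cat2.yml registers `rhel_07_040650_audit` under the RHEL-07-040640 name, and both tasks run the same `command: find / -name '*ssh_host*key'`, which matches the private key files rather than the `.pub` files RHEL-07-040640 governs. The RHEL-07-040640 PATCH hunk in tasks/fix-cat2.yml in this same commit loops over `rhel_07_040640_audit.stdout_lines`, so as written it fails on an undefined variable, and once the register name is corrected it would set mode 0644 on the private host keys. Change the first task to `register: rhel_07_040640_audit` with `command: find /etc/ssh -name 'ssh_host_*_key.pub'`, and use the matching private-key glob for 040650. Both tasks also carry `- high` where every other CAT II task in this role is tagged `- medium`.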
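Review bot: `mode: 0644` is applied unconditionally to every path the audit returned, so a public key file that is already stricter (for example 0640) is made more permissive, although the requirement is only "0644 or less permissive". Because the audit is a `find` over `/`, that also applies to any similarly named file outside /etc/ssh. Consider restricting the audit's search path, or recording the current mode in the audit and adding a `when:` that only tightens files whose mode exceeds 0644. The same applies to the RHEL-07-040650 hunk that follows.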
@@ -1447,7 +1451,11 @@ - RHEL-07-040640 - name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive." - command: "true" + file: + dest: "{{ item }}" + mode: 0600 + state: file + with_items: "{{ rhel_07_040650_audit.stdout_lines }}" tags: - cat2 - medium 
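Review bot: The RHEL-07-040650 task forces `mode: 0600` on every matched private key without looking at the current mode. On RHEL 7 the host keys are, as far as I recall, shipped as root:ssh_keys with mode 0640 so that members of the ssh_keys group can read them; confirm on a stock install before forcing 0600, and check whether the STIG revision you target still says 0600 rather than 0640. A `when:` that only acts when the file is more permissive than the target would avoid changing hosts that are already compliant.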
@@ -1455,47 +1463,80 @@ - RHEL-07-040650 - name: "MEDIUM | RHEL-07-040660 | PATCH | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?gssapiauthentication + line: GSSAPIAuthentication no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040660 + - ssh - name: "MEDIUM | RHEL-07-040670 | PATCH | The SSH daemon must not permit Kerberos authentication unless needed." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?kerberosauthentication + line: KerberosAuthentication no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040670 + - ssh - name: "MEDIUM | RHEL-07-040680 | PATCH | The SSH daemon must perform strict mode checking of home directory configuration files." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?strictmodes + line: StrictModes yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040680 + - ssh - name: "MEDIUM | RHEL-07-040690 | PATCH | The SSH daemon must use privilege separation." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?useprivilegeseparation + line: UsePrivilegeSeparation yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040690 + - ssh - name: "MEDIUM | RHEL-07-040700 | PATCH | The SSH daemon must not allow compression or must only allow compression after successful authentication." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?compression + line: Compression no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040700 + - ssh - name: "MEDIUM | RHEL-07-040730 | PATCH | The system must not be performing packet forwarding unless the system is a router." 
- command: "true" + sysctl: + name: net.ipv4.ip_forward + present: yes + value: 0 tags: - cat2 - medium @@ -1511,12 +1552,15 @@ - RHEL-07-040740 - name: "MEDIUM | RHEL-07-040810 | PATCH | The system must use a local firewall." - command: "true" + yum: + name: firewalld + state: latest tags: - cat2 - medium - patch - RHEL-07-040810 + - firewalld - name: "MEDIUM | RHEL-07-040820 | PATCH | The system's access control program must be configured to grant or deny system access to specific hosts and services." command: "true" @@ -1527,7 +1571,8 @@ - RHEL-07-040820 - name: "MEDIUM | RHEL-07-040830 | PATCH | The system must not have unauthorized IP tunnels configured." - command: "true" + yum: + name: libreswan tags: - cat2 - medium @@ -1535,10 +1580,12 @@ - RHEL-07-040830 - name: "MEDIUM | RHEL-07-040860 | PATCH | The system must not forward IPv6 source-routed packets." - command: "true" + sysctl: + name: net.ipv6.conf.all.accept_source_route + present: yes + value: 0 tags: - cat2 - medium - patch - - RHEL-07-040860 - + - RHEL-07-010860 diff --git a/tasks/main.yml b/tasks/main.yml index ee727b9..a8d24ab 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,6 +20,12 @@ - cat1 - audit +- name: Run CAT II audits + include: audit-cat2.yml + tags: + - cat2 + - audit + - name: Include CAT I patches include: fix-cat1.yml when: rhel7stig_cat1_patch From 72cfb9b6badefcb09e161c38a1c3d054bb8cc751 Mon Sep 17 00:00:00 2001 From: jspringer Date: Wed, 27 Jul 2016 19:27:28 -0500 Subject: [PATCH 02/12] Tweaked formatting on my changes. --- tasks/fix-cat2.yml | 47 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7f067a4..37cbbfa 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
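Review bot: Each `lineinfile` in this hunk uses a case-insensitive `regexp: (?i)^#?…` with nothing tying it to the global section, and `lineinfile` replaces only the last matching line, so on an sshd_config that repeats a directive inside a `Match` block the edit lands in that block and the global default is left untouched; `validate: sshd -t -f %s` still passes because the result is valid configuration. Either manage sshd_config from a template, or keep `lineinfile` and add `insertbefore: '^Match'` so a directive that is absent is at least inserted above any `Match` section (an existing in-block line still needs the regexp narrowed). The RHEL-07-040730 task at the end of the hunk passes `present: yes` to `sysctl`, which is not a module option; the parameter is `state: present`. `notify: restart ssh` assumes that handler already exists in handlers/main.yml, which this commit does not show.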
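Review bot: `state: latest` makes the RHEL-07-040810 task upgrade firewalld on every run rather than just ensure it is installed, which is a change-on-every-run action outside the control's scope; `state: present` is enough. Installing the package also does not satisfy "must use a local firewall": nothing here starts or enables the `firewalld` service, so a `service` task with `state: started` and `enabled: yes` is still needed.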
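Review bot: The RHEL-07-040830 task installs `libreswan` (no `state`, so `present`), which does not implement the control: the finding is about unauthorized IPsec tunnels configured in `/etc/ipsec.conf` and `/etc/ipsec.d/`, if I recall the STIG check correctly, and adding the IPsec package to a host that did not have it widens rather than narrows that surface. Until a real check of configured tunnels exists, leave the placeholder in place and give it `changed_when: no` so it does not report a change on every run.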
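Review bot: The tag line for RHEL-07-040860 is rewritten as `- RHEL-07-010860`, so the task can no longer be selected by its own STIG ID; keep `- RHEL-07-040860`. The `sysctl` call also uses `present: yes`, which is not a module option (`state: present`), and on a host with IPv6 disabled the `net.ipv6.conf.all.accept_source_route` key does not exist, so the task will error; the module's `ignoreerrors: yes` covers that case more narrowly than a task-level `ignore_errors`.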
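Review bot: The new `Run CAT II audits` include has no `when:` guard, unlike the patch includes below it which are conditioned on `rhel7stig_cat1_patch`, so the CAT II audit tasks (which walk the whole filesystem with `find /`) run on every play regardless of role settings. Add a `rhel7stig_cat2_audit` default and `when: rhel7stig_cat2_audit` on this include, mirroring the patch toggles. If the CAT II patches consume variables registered by these audits, the guard on the audit must not be stricter than the guard on the patch, or the patch tasks will hit undefined variables.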
@@ -1463,12 +1463,12 @@ - RHEL-07-040650 - name: "MEDIUM | RHEL-07-040660 | PATCH | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?gssapiauthentication - line: GSSAPIAuthentication no - validate: sshd -t -f %s - notify: restart ssh + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?gssapiauthentication + line: GSSAPIAuthentication no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium @@ -1477,12 +1477,12 @@ - ssh - name: "MEDIUM | RHEL-07-040670 | PATCH | The SSH daemon must not permit Kerberos authentication unless needed." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?kerberosauthentication - line: KerberosAuthentication no - validate: sshd -t -f %s - notify: restart ssh + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?kerberosauthentication + line: KerberosAuthentication no + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium @@ -1491,12 +1491,12 @@ - ssh - name: "MEDIUM | RHEL-07-040680 | PATCH | The SSH daemon must perform strict mode checking of home directory configuration files." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: (?i)^#?strictmodes - line: StrictModes yes - validate: sshd -t -f %s - notify: restart ssh + lineinfile: + dest: /etc/ssh/sshd_config + regexp: (?i)^#?strictmodes + line: StrictModes yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium @@ -1533,10 +1533,10 @@ - ssh - name: "MEDIUM | RHEL-07-040730 | PATCH | The system must not be performing packet forwarding unless the system is a router." - sysctl: - name: net.ipv4.ip_forward - present: yes - value: 0 + sysctl: + name: net.ipv4.ip_forward + present: yes + value: 0 tags: - cat2 - medium 
@@ -1571,8 +1571,7 @@ - RHEL-07-040820 - name: "MEDIUM | RHEL-07-040830 | PATCH | The system must not have unauthorized IP tunnels configured." - yum: - name: libreswan + command: "true" tags: - cat2 - medium From 3544356f142d302118de4e9d3fdd19eea7f352ce Mon Sep 17 00:00:00 2001 From: jspringer Date: Fri, 29 Jul 2016 13:34:54 -0500 Subject: [PATCH 03/12] Made corrective changes to previous commit. --- defaults/main.yml | 5 +++++ tasks/audit-cat2.yml | 11 ++++++++--- tasks/fix-cat2.yml | 30 +++++++++++++++++++++++------- 3 files changed, 36 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c5a0666..0d67ddd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -24,3 +24,8 @@ rhel7stig_tftp_required: no # RHEL-07-040580 Set the SNMP community string to this from the default of # public or private rhel7stig_snmp_community: Endgam3Ladyb0g + +# RHEL-07-040730 The system must not be performing packet forwarding unless the +# system is a router. This variable is used in tasks that should not be run +# if the OS is run as a router. (must override to yes) +rhel7stig_system_is_router: no diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index 87da654..9c25fcb 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml @@ -1,9 +1,9 @@ - name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." - command: find / -name '*ssh_host*key' + command: find / -name '*.pub' failed_when: no changed_when: no ignore_errors: yes - register: rhel_07_040650_audit + register: rhel_07_040640_audit tags: - cat2 - high @@ -12,7 +12,12 @@ - always - name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." - command: find / -name '*ssh_host*key' + find: + paths: / + recurse: yes + file_type: file + patterns: '*ssh_host*key' + hidden: true failed_when: no changed_when: no ignore_errors: yes 
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 37cbbfa..7ef2cea 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1440,9 +1440,9 @@ - name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive." file: - dest: "{{ item }}" - mode: 0644 - state: file + dest: "{{ item }}" + mode: 0644 + state: file with_items: "{{ rhel_07_040640_audit.stdout_lines }}" tags: - cat2 @@ -1452,10 +1452,10 @@ - name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive." file: - dest: "{{ item }}" - mode: 0600 - state: file - with_items: "{{ rhel_07_040650_audit.stdout_lines }}" + dest: "{{ item }}" + mode: 0600 + state: file + with_items: "{{ rhel_07_040650_audit.files | map(attribute='path') | list }}" tags: - cat2 - medium @@ -1524,6 +1524,7 @@ regexp: (?i)^#?compression line: Compression no validate: sshd -t -f %s + ignore_errors: yes notify: restart ssh tags: - cat2 @@ -1537,6 +1538,8 @@ name: net.ipv4.ip_forward present: yes value: 0 + ignore_errors: yes + when: not rhel7stig_system_is_router tags: - cat2 - medium @@ -1562,6 +1565,18 @@ - RHEL-07-040810 - firewalld +- name: "MEDIUM | RHEL-07-040810 | PATCH | The system must use a local firewall." + service: + name: firewalld + state: started + enabled: yes + tags: + - cat2 + - medium + - patch + - RHEL-07-040810 + - firewalld + - name: "MEDIUM | RHEL-07-040820 | PATCH | The system's access control program must be configured to grant or deny system access to specific hosts and services." command: "true" tags: @@ -1583,6 +1598,7 @@ name: net.ipv6.conf.all.accept_source_route present: yes value: 0 + ignore_errors: yes tags: - cat2 - medium From 5c66e010be3973c3b1d0ce203141581997c2346a Mon Sep 17 00:00:00 2001 From: jspringer Date: Fri, 29 Jul 2016 13:59:54 -0500 Subject: [PATCH 04/12] Spacing... --- tasks/fix-cat2.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
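Review bot: `ignore_errors: yes` on the RHEL-07-040700 `lineinfile` hides a failure of `validate: sshd -t -f %s`; when validation fails the file is not written, so the play reports success while `Compression no` was never applied. Find out why `sshd -t` rejects the result (for example an unsupported directive elsewhere in the file) instead of masking it, or at least use a `failed_when` with a message so the skipped control is visible. The same blanket `ignore_errors: yes` is added to the RHEL-07-040730 and RHEL-07-040860 `sysctl` tasks in the hunks below; for sysctl the module's `ignoreerrors: yes` (skip unknown keys) is the narrower option, and on the ip_forward task the `present: yes` parameter is still not a module option (`state: present`), which is the likely error being suppressed.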
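Review bot: The new `service` task has exactly the same `name:` as the `yum` task above it, so both appear identically in play output and in `--list-tasks`; append a short qualifier such as `… | install` and `… | enable`. Starting `firewalld` with `enabled: yes` on a host that has been running without it applies the default public zone, which permits only ssh and dhcpv6-client inbound, so any other listening service on the host becomes unreachable at that moment; the role should say so in the README and ideally let the operator opt out or pre-declare the services to allow.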
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7ef2cea..44772f3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1440,9 +1440,9 @@ - name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive." file: - dest: "{{ item }}" - mode: 0644 - state: file + dest: "{{ item }}" + mode: 0644 + state: file with_items: "{{ rhel_07_040640_audit.stdout_lines }}" tags: - cat2 @@ -1452,9 +1452,9 @@ - name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive." file: - dest: "{{ item }}" - mode: 0600 - state: file + dest: "{{ item }}" + mode: 0600 + state: file with_items: "{{ rhel_07_040650_audit.files | map(attribute='path') | list }}" tags: - cat2 From 45ac122103a0dc5844b87c0199e1350bcf2d372c Mon Sep 17 00:00:00 2001 From: jspringer Date: Fri, 29 Jul 2016 20:19:32 -0500 Subject: [PATCH 05/12] Made some updates to audit,main,patch, and defaults - Added & Updated Cat II Audit - Added CAT II Patches - Added a default item - Removed rhel7stig_cat1_patch from main.yml (fails on condition), will correct later --- defaults/main.yml | 3 + tasks/audit-cat2.yml | 21 ++++- tasks/fix-cat2.yml | 203 +++++++++++++++++++++++++++++++++++++------ tasks/main.yml | 3 - 4 files changed, 200 insertions(+), 30 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0d67ddd..3e168eb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -29,3 +29,6 @@ rhel7stig_snmp_community: Endgam3Ladyb0g # system is a router. This variable is used in tasks that should not be run # if the OS is run as a router. (must override to yes) rhel7stig_system_is_router: no + +#RHEL-07-040560 An X Windows display manager must not be installed unless approved. +rhel7stig_x11: no diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index 9c25fcb..8eb2009 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml 
@@ -1,5 +1,10 @@ - name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." - command: find / -name '*.pub' + find: + paths: / + recurse: yes + file_type: file + patterns: '*.pub' + hidden: true failed_when: no changed_when: no ignore_errors: yes @@ -10,6 +15,7 @@ - audit - RHEL-07-040640 - always + - ssh - name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." find: @@ -28,3 +34,16 @@ - audit - RHEL-07-040650 - always + - ssh + +- name: "MEDIUM | RHEL-07-040230 | AUDIT | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." + stat: + path: /var/lib/pki-kra/conf/server.xml + register: rhel_07_040230_audit + tags: + - cat2 + - medium + - audit + - RHEL-07-040230 + - always + - pki diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 44772f3..2cdb1cd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -277,6 +277,7 @@ - medium - patch - RHEL-07-010402 + - ssh - name: "MEDIUM | RHEL-07-010420 | PATCH | The delay between logon prompts following a failed console logon attempt must be at least four seconds." command: "true" @@ -293,6 +294,7 @@ - medium - patch - RHEL-07-010441 + - ssh - name: "MEDIUM | RHEL-07-010442 | PATCH | The operating system must not allow a non-certificate trusted host SSH logon to the system." command: "true" @@ -301,6 +303,7 @@ - medium - patch - RHEL-07-010442 + - ssh - name: "MEDIUM | RHEL-07-010500 | PATCH | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multi-factor authentication." command: "true" 
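Review bot: Moving the public-key audit to the `find` module keeps `paths: /` with `patterns: '*.pub'`, so the result, which the RHEL-07-040640 PATCH in this commit iterates as `rhel_07_040640_audit.files`, still lists every .pub file on the host rather than the SSH host keys; `paths: /etc/ssh` with `patterns: 'ssh_host_*_key.pub'` is what the control covers and avoids a full filesystem walk on each play. `hidden: true` next to `recurse: yes` mixes boolean spellings; the file otherwise uses `yes`/`no`. The `- high` tag on this MEDIUM task still disagrees with `- medium` elsewhere.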
@@ -1271,12 +1274,56 @@ - RHEL-07-040210 - name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." - command: "true" + lineinfile: + dest: /var/lib/pki-kra/conf/server.xml + regexp: ^#?auths.revocationChecking.bufferSize + line: auths.revocationChecking.bufferSize=50 + when: rhel_07_040230_audit.stat.exists == True + tags: + - cat2 + - medium + - patch + - RHEL-07-040230 + - pki + +- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." + lineinfile: + dest: /var/lib/pki-kra/conf/server.xml + regexp: ^#?auths.revocationChecking.enabled + line: auths.revocationChecking.enabled=true + when: rhel_07_040230_audit.stat.exists == True + tags: + - cat2 + - medium + - patch + - RHEL-07-040230 + - pki + +- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." + lineinfile: + dest: /var/lib/pki-kra/conf/server.xml + regexp: ^#?enableOCSP + line: enableOCSP="true" + when: rhel_07_040230_audit.stat.exists == True + tags: + - cat2 + - medium + - patch + - RHEL-07-040230 + - pki + +- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." 
+ lineinfile: + dest: /var/lib/pki-kra/conf/server.xml + regexp: ^#?ocspCacheSize + line: ocspCacheSize="50" + when: rhel_07_040230_audit.stat.exists == True tags: - cat2 - medium - patch - RHEL-07-040230 + - pki - name: "MEDIUM | RHEL-07-040250 | PATCH | The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces." command: "true" 
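Review bot: The four RHEL-07-040230 tasks write properties-style lines such as `auths.revocationChecking.bufferSize=50` and XML-attribute fragments such as `enableOCSP="true"` into `/var/lib/pki-kra/conf/server.xml`; when `lineinfile` finds no match it appends the line at end of file, after the closing element, which would leave the XML malformed and the PKI service unable to start. Please verify on a real KRA instance which file each setting belongs to (`auths.revocationChecking.*` looks like a CS.cfg key rather than a server.xml one — confirm) and add `backup: yes` until that is settled. The four tasks also share one identical name and repeat `when: rhel_07_040230_audit.stat.exists == True`; a single task with `with_items` over regexp/line pairs and a bare `when: rhel_07_040230_audit.stat.exists` is clearer. Escape the dots in the regexps (`^#?auths\.revocationChecking\.bufferSize`) so they do not match arbitrary characters.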
@@ -1285,105 +1332,191 @@ - medium - patch - RHEL-07-040250 + - firewalld - name: "MEDIUM | RHEL-07-040260 | PATCH | All networked systems must have SSH installed." - command: "true" + yum: + name: + - openssh-clients + - openssh-server + state: latest tags: - cat2 - medium - patch - RHEL-07-040260 + - ssh - name: "MEDIUM | RHEL-07-040261 | PATCH | All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission." - command: "true" + service: + name: sshd + state: started + enabled: yes tags: - cat2 - medium - patch - RHEL-07-040261 + - ssh -- name: "MEDIUM | RHEL-07-040290 | PATCH | The operating system must enable an application firewall, if available." - command: "true" +- name: "MEDIUM | RHEL-07-040290 | PATCH | The system must use a local firewall." + yum: + name: firewalld + state: latest tags: - cat2 - medium - patch - RHEL-07-040290 + - firewalld -- name: "MEDIUM | RHEL-07-040301 | PATCH | The system must display the date and time of the last successful account logon upon an SSH logon." - command: "true" +- name: "MEDIUM | RHEL-07-040290 | PATCH | The system must use a local firewall." + service: + name: firewalld + state: started + enabled: yes tags: - cat2 - medium - patch - - RHEL-07-040301 + - RHEL-07-040290 + - firewalld -- name: "MEDIUM | RHEL-07-040310 | PATCH | The system must not permit direct logons to the root account using remote access via SSH." - command: "true" +- name: "MEDIUM | RHEL-07-040920 | PATCH | The system must not permit direct logons to the root account using remote access via SSH." 
+ lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?PermitRootLogin + line: PermitRootLogin no + insertafter: '(?i)^#?authentication' + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040310 + - ssh - name: "MEDIUM | RHEL-07-040334 | PATCH | The SSH daemon must not allow authentication using rhosts authentication." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?IgnoreRhosts + line: IgnoreRhosts yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040334 + - ssh - name: "MEDIUM | RHEL-07-040332 | PATCH | The SSH daemon must not allow authentication using known hosts authentication." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?IgnoreUserKnownHosts + line: IgnoreUserKnownHosts yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040332 + - ssh - name: "MEDIUM | RHEL-07-040333 | PATCH | The SSH daemon must not allow authentication using RSA rhosts authentication." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?RhostsRSAAuthentication + line: RhostsRSAAuthentication yes + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040333 + - ssh - name: "MEDIUM | RHEL-07-040350 | PATCH | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets." - command: "true" + sysctl: + name: net.ipv4.conf.all.accept_source_route + state: present + value: 1 + reload: yes + ignore_errors: yes tags: - cat2 - medium - patch - RHEL-07-040350 + - ssh - name: "MEDIUM | RHEL-07-040351 | PATCH | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default." 
- command: "true" + sysctl: + name: net.ipv4.conf.default.accept_source_route + state: present + value: 1 + reload: yes + ignore_errors: yes tags: - cat2 - medium - patch - RHEL-07-040351 + - ipv4 - name: "MEDIUM | RHEL-07-040380 | PATCH | The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." - command: "true" + sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + state: present + value: 1 + sysctl_set: yes + reload: yes + ignore_errors: yes tags: - cat2 - medium - patch - RHEL-07-040380 + - ipv4 - name: "MEDIUM | RHEL-07-040410 | PATCH | The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." - command: "true" + sysctl: + name: net.ipv4.conf.default.send_redirects + state: present + value: 0 + reload: yes + ignore_errors: yes tags: - cat2 - medium - patch - RHEL-07-040410 + - ipv4 + +- name: "MEDIUM | RHEL-07-040410 | PATCH | The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." + sysctl: + name: net.ipv4.conf.default.accept_redirects + state: present + value: 0 + reload: yes + ignore_errors: yes + tags: + - cat2 + - medium + - patch + - RHEL-07-040410 + - ipv4 - name: "MEDIUM | RHEL-07-040420 | PATCH | The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default." - command: "true" + sysctl: + name: net.ipv4.conf.default.send_redirects + state: present + value: 0 + reload: yes + ignore_errors: yes tags: - cat2 - medium 
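Review bot: The RHEL-07-040350 and RHEL-07-040351 `sysctl` tasks set `net.ipv4.conf.all.accept_source_route` and `net.ipv4.conf.default.accept_source_route` to `value: 1`, which enables acceptance of source-routed packets — the opposite of the control; both need `value: 0`. The RHEL-07-040333 task likewise writes `line: RhostsRSAAuthentication yes` for a control that says rhosts-RSA authentication must not be allowed; it should be `RhostsRSAAuthentication no`. The first of the two RHEL-07-040410 tasks manages `net.ipv4.conf.default.send_redirects`, duplicating RHEL-07-040420, whereas the "ignore redirects" control is about `net.ipv4.conf.all.accept_redirects` (the second task already covers `default.accept_redirects`). The root-login task is renamed to RHEL-07-040920 in its `name:` while its tag stays `- RHEL-07-040310`, and the RHEL-07-040301 placeholder (last-logon display) is dropped rather than implemented, so that STIG ID no longer appears in the role.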
@@ -1391,12 +1524,18 @@ - RHEL-07-040420 - name: "MEDIUM | RHEL-07-040421 | PATCH | The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects." - command: "true" + sysctl: + name: net.ipv4.conf.all.send_redirects + state: present + value: 0 + reload: yes + ignore_errors: yes tags: - cat2 - medium - patch - RHEL-07-040421 + - ipv4 - name: "MEDIUM | RHEL-07-040470 | PATCH | Network interfaces must not be in promiscuous mode." command: "true" @@ -1423,12 +1562,18 @@ - RHEL-07-040520 - name: "MEDIUM | RHEL-07-040560 | PATCH | An X Windows display manager must not be installed unless approved." - command: "true" + yum: + name: + - "@X Windows System" + - xorg-x11-server-common + state: absent + when: not rhel7stig_x11 tags: - cat2 - medium - patch - RHEL-07-040560 + - x11 - name: "MEDIUM | RHEL-07-040620 | PATCH | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." command: "true" @@ -1440,27 +1585,29 @@ - name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive." file: - dest: "{{ item }}" + dest: "{{ item.path }}" mode: 0644 state: file - with_items: "{{ rhel_07_040640_audit.stdout_lines }}" + with_items: "{{ rhel_07_040640_audit.files }}" tags: - cat2 - medium - patch - RHEL-07-040640 + - ssh - name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive." file: - dest: "{{ item }}" + dest: "{{ item.path }}" mode: 0600 state: file - with_items: "{{ rhel_07_040650_audit.files | map(attribute='path') | list }}" + with_items: "{{ rhel_07_040650_audit.files }}" tags: - cat2 - medium - patch - RHEL-07-040650 + - ssh - name: "MEDIUM | RHEL-07-040660 | PATCH | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." lineinfile: 
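Review bot: The RHEL-07-040560 task removes `@X Windows System` and `xorg-x11-server-common` whenever `rhel7stig_x11` is false, and the default added to defaults/main.yml in this commit is `rhel7stig_x11: no`, so the CAT II patch set uninstalls the graphical stack on every host unless the operator knows to override it. A destructive default of this kind should be documented in the README next to the other role variables, and the defaults comment `#RHEL-07-040560 …` should say that `no` means "remove X" (and get a space after `#`). The existing `rhel7stig_gui` variable in defaults appears to cover the same decision; consider reusing it instead of introducing a second flag.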
@@ -1536,8 +1683,9 @@ - name: "MEDIUM | RHEL-07-040730 | PATCH | The system must not be performing packet forwarding unless the system is a router." sysctl: name: net.ipv4.ip_forward - present: yes + state: present value: 0 + reload: yes ignore_errors: yes when: not rhel7stig_system_is_router tags: @@ -1545,6 +1693,7 @@ - medium - patch - RHEL-07-040730 + - ipv4 - name: "MEDIUM | RHEL-07-040740 | PATCH | The Network File System (NFS) must be configured to use AUTH_GSS." command: "true" @@ -1596,11 +1745,13 @@ - name: "MEDIUM | RHEL-07-040860 | PATCH | The system must not forward IPv6 source-routed packets." sysctl: name: net.ipv6.conf.all.accept_source_route - present: yes + state: present value: 0 + reload: yes ignore_errors: yes tags: - cat2 - medium - patch - RHEL-07-010860 + - ipvr diff --git a/tasks/main.yml b/tasks/main.yml index a8d24ab..ef95bf3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,21 +28,18 @@ - name: Include CAT I patches include: fix-cat1.yml - when: rhel7stig_cat1_patch tags: - cat1 - patch - name: Include CAT II patches include: fix-cat2.yml - when: rhel7stig_cat1_patch tags: - cat1 - patch - name: Include CAT III patches include: fix-cat3.yml - when: rhel7stig_cat1_patch tags: - cat1 - patch From fd40aeea8e511486a2310fff5b0cb7b0e6cc9e3c Mon Sep 17 00:00:00 2001 From: jspringer Date: Fri, 29 Jul 2016 20:23:21 -0500 Subject: [PATCH 06/12] Updated a label. Fixed a label typo. --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2cdb1cd..725725c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1754,4 +1754,4 @@ - medium - patch - RHEL-07-010860 - - ipvr + - ipv6 From aed18a0492407ff3c958938e7979cbe7371368d9 Mon Sep 17 00:00:00 2001 From: jspringer Date: Fri, 29 Jul 2016 20:24:45 -0500 Subject: [PATCH 07/12] Corrected finding label --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
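Review bot: Removing `when: rhel7stig_cat1_patch` from all three includes in tasks/main.yml makes the CAT I, II and III patch tasks run unconditionally, which the role's own defaults (`rhel7stig_cat2_patch: no`, `rhel7stig_cat3_patch: no`, shown as context in the defaults/main.yml hunk of patch 08) say should not happen; the bug was that the CAT II and III includes tested the CAT I variable, so the fix is `when: rhel7stig_cat2_patch` and `when: rhel7stig_cat3_patch`, not dropping the guards. Until that is done, destructive CAT II tasks such as the X removal and firewalld enablement run on every host the role touches. The CAT II and CAT III includes are also still tagged `- cat1`; they should carry `- cat2` and `- cat3`.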
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 725725c..9f59590 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1753,5 +1753,5 @@ - cat2 - medium - patch - - RHEL-07-010860 + - RHEL-07-040860 - ipv6 From 240e4843827a834f7ae9b9553dfed851ab44aeb5 Mon Sep 17 00:00:00 2001 From: jspringer Date: Mon, 1 Aug 2016 13:03:30 -0500 Subject: [PATCH 08/12] Made fixes with suggestions, added some vars, and a placeholder for cat3 audits. --- defaults/main.yml | 6 ++++ tasks/audit-cat3.yml | 6 ++++ tasks/fix-cat2.yml | 72 ++++++++++++++------------------------------ tasks/main.yml | 12 ++++++++ 4 files changed, 46 insertions(+), 50 deletions(-) create mode 100644 tasks/audit-cat3.yml diff --git a/defaults/main.yml b/defaults/main.yml index 3e168eb..be21af2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,6 +2,12 @@ rhel7stig_cat1_patch: yes rhel7stig_cat2_patch: no rhel7stig_cat3_patch: no +# These values match patch values by defaults. To override these values, +# set them in group_vars, host_sars, or with the -e flag via CLI +rhel7stig_cat1_audit: yes +rhel7stig_cat2_audit: no +rhel7stig_cat3_audit: no + # Whether or not to run tasks related to auditing/patching the desktop environment rhel7stig_gui: no diff --git a/tasks/audit-cat3.yml b/tasks/audit-cat3.yml new file mode 100644 index 0000000..39d6a49 --- /dev/null +++ b/tasks/audit-cat3.yml @@ -0,0 +1,6 @@ +- name: "Place holder for Cat III Audits" + command: "true" + tags: + - cat3 + - low + - audit diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 9f59590..61d39c3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
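Review bot: The new comment in defaults/main.yml has two typos: `host_sars` should be `host_vars`, and `match patch values by defaults` should read `match the patch values by default`. Since the CAT II patch tasks consume variables registered by the corresponding audits (for example `rhel_07_040640_audit` and `rhel_07_040230_audit`), the comment should also state that an audit flag must be enabled whenever its patch flag is, or the patch include fails on undefined variables.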
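Review bot: The placeholder `command: "true"` in the new tasks/audit-cat3.yml reports `changed` on every run; add `changed_when: no` as the audit tasks in tasks/audit-cat2.yml do, so a CAT III audit run is idempotent in output. A `debug` task with a message such as `msg: No CAT III audits implemented yet` would make the gap explicit in output without forking a shell at all.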
@@ -1276,48 +1276,21 @@ - name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." lineinfile: dest: /var/lib/pki-kra/conf/server.xml - regexp: ^#?auths.revocationChecking.bufferSize - line: auths.revocationChecking.bufferSize=50 - when: rhel_07_040230_audit.stat.exists == True - tags: - - cat2 - - medium - - patch - - RHEL-07-040230 - - pki - -- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." - lineinfile: - dest: /var/lib/pki-kra/conf/server.xml - regexp: ^#?auths.revocationChecking.enabled - line: auths.revocationChecking.enabled=true - when: rhel_07_040230_audit.stat.exists == True - tags: - - cat2 - - medium - - patch - - RHEL-07-040230 - - pki + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + when: rhel_07_040230_audit.stat.exists + with_items: + - regexp: '^#?auths.revocationChecking.bufferSize' + line: 'auths.revocationChecking.bufferSize=50' -- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." 
- lineinfile: - dest: /var/lib/pki-kra/conf/server.xml - regexp: ^#?enableOCSP - line: enableOCSP="true" - when: rhel_07_040230_audit.stat.exists == True - tags: - - cat2 - - medium - - patch - - RHEL-07-040230 - - pki + - regexp: '^#?auths.revocationChecking.enabled' + line: 'auths.revocationChecking.enabled=true' -- name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." - lineinfile: - dest: /var/lib/pki-kra/conf/server.xml - regexp: ^#?ocspCacheSize - line: ocspCacheSize="50" - when: rhel_07_040230_audit.stat.exists == True + - regexp: '^#?enableOCSP' + line: 'enableOCSP="true"' + + - regexp: '^#?ocspCacheSize' + line: 'ocspCacheSize="50"' tags: - cat2 - medium @@ -1445,7 +1418,7 @@ state: present value: 1 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1459,7 +1432,7 @@ state: present value: 1 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1474,7 +1447,7 @@ value: 1 sysctl_set: yes reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1488,7 +1461,7 @@ state: present value: 0 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1502,7 +1475,7 @@ state: present value: 0 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1516,7 +1489,7 @@ state: present value: 0 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1529,7 +1502,7 @@ state: present value: 0 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium @@ -1671,7 +1644,6 @@ regexp: (?i)^#?compression line: Compression no validate: sshd -t -f %s - ignore_errors: yes notify: restart ssh tags: - cat2 
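Review bot: The consolidation keeps the same regexp/line pairs, so the question from the earlier version stands: `auths.revocationChecking.*=…` are properties-style keys while `enableOCSP="true"` and `ocspCacheSize="50"` are XML attribute fragments, and `lineinfile` appends an unmatched line after the closing tag of `/var/lib/pki-kra/conf/server.xml`, leaving it malformed. Add `backup: yes` and split the items by their real destination file once that is confirmed against a KRA install. The regexps should also escape their dots, e.g. `regexp: '^#?auths\.revocationChecking\.bufferSize'`, and the bare `when: rhel_07_040230_audit.stat.exists` is the right form (the `== True` is gone).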
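Review bot: Switching from the task-level `ignore_errors: yes` to the sysctl module's `ignoreerrors: yes` in the seven hunks here and the two on the following line is the right narrowing, but note it only suppresses unknown-key errors, so on a host where a key is absent (IPv6 disabled, for the `net.ipv6.*` task) the setting is silently skipped and neither the play nor the audit reports the control as unmet. If that is acceptable, a one-line comment on those tasks saying so would help a reader; otherwise gate the IPv6 task on the relevant fact (for example `when: ansible_all_ipv6_addresses | length > 0`) instead.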
@@ -1686,7 +1658,7 @@ state: present value: 0 reload: yes - ignore_errors: yes + ignoreerrors: yes when: not rhel7stig_system_is_router tags: - cat2 @@ -1748,7 +1720,7 @@ state: present value: 0 reload: yes - ignore_errors: yes + ignoreerrors: yes tags: - cat2 - medium diff --git a/tasks/main.yml b/tasks/main.yml index ef95bf3..a731762 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -16,30 +16,42 @@ - name: Run CAT I audits include: audit-cat1.yml + when: rhel7stig_cat1_audit tags: - cat1 - audit - name: Run CAT II audits include: audit-cat2.yml + when: rhel7stig_cat2_audit + tags: + - cat2 + - audit + +- name: Run CAT III audits + include: audit-cat3.yml + when: rhel7stig_cat3_audit tags: - cat2 - audit - name: Include CAT I patches include: fix-cat1.yml + when: rhel7stig_cat1_patch tags: - cat1 - patch - name: Include CAT II patches include: fix-cat2.yml + when: rhel7stig_cat2_patch tags: - cat1 - patch - name: Include CAT III patches include: fix-cat3.yml + when: rhel7stig_cat3_patch tags: - cat1 - patch From 421d3d746cb7a2ba894f204ff879632678462263 Mon Sep 17 00:00:00 2001 From: jspringer Date: Mon, 1 Aug 2016 13:55:01 -0500 Subject: [PATCH 09/12] Made some slight changes. Created the audit for 040180, 040181, and 04182. Need to get with you to figure out how we want to handle LDAP key files. --- README.md | 10 +++++++--- handlers/main.yml | 5 +++++ tasks/audit-cat2.yml | 21 +++++++++++++++++++++ tasks/fix-cat2.yml | 27 +++++++++++++++++++++++---- 4 files changed, 56 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index be783ef..7ee44d1 100644 --- a/README.md +++ b/README.md 
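Review bot: Gating the audit includes on `rhel7stig_cat2_audit` / `rhel7stig_cat3_audit` while their defaults are `no` breaks the CAT II patches whenever `rhel7stig_cat2_patch` is set: tasks in tasks/fix-cat2.yml loop over `rhel_07_040640_audit.files` and test `rhel_07_040230_audit.stat.exists`, which are only registered by the now-skipped audit file, so the play fails on an undefined variable. Either make the audit condition `when: rhel7stig_cat2_audit or rhel7stig_cat2_patch`, or give those patch tasks a `when: rhel_07_040640_audit is defined` style guard. The new `Run CAT III audits` task is tagged `- cat2` (copy-paste), and the three patch includes are still tagged `- cat1`.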
@@ -14,9 +14,13 @@ Role Variables | Name | Default Value | Description | |-------------------|---------------------|----------------------| -| `rhel7stig_cat1_patch` | True | Correct CAT I findings | -| `rhel7stig_cat2_patch` | False | Correct CAT II findings | -| `rhel7stig_cat3_patch` | False | Correct CAT III findings | +| `rhel7stig_cat1_audit` | True | Audit for CAT I findings | +| `rhel7stig_cat2_audit` | False | Audit for CAT II findings | +| `rhel7stig_cat3_audit` | False | Audit for CAT III findings | +| `rhel7stig_cat1_patch` | True | Correct CAT I findings | +| `rhel7stig_cat2_patch` | False | Correct CAT II findings | +| `rhel7stig_cat3_patch` | False | Correct CAT III findings | + Dependencies ------------ diff --git a/handlers/main.yml b/handlers/main.yml index ae35921..7d7ef96 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,3 +13,8 @@ service: name: snmpd state: restarted + +- name: restart ntpd + service: + name: ntpd + state: restarted diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index 8eb2009..425ee91 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml 
@@ -47,3 +47,24 @@ - RHEL-07-040230 - always - pki + +- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + stat: + path: /etc/ntp.conf + register: rhel_07_040210_audit + tags: + - cat2 + - medium + - audit + - RHEL-07-040210 + - ntp + +- name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." + command: grep -i useldapauth /etc/sysconfig/authconfig + register: rhel_07_040180_audit + tags: + - cat2 + - medium + - patch + - RHEL-07-040180 + - ldap diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 61d39c3..a757ad1 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1227,6 +1227,7 @@ - name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." command: "true" + when: '"yes" in "{{ rhel_07_040180_audit.stdout_lines }}"' tags: - cat2 - medium 
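Review bot: The new RHEL-07-040180 audit runs `command: grep -i useldapauth /etc/sysconfig/authconfig` with no `failed_when` or `changed_when`, so on any host where the setting is absent (grep exits 1) or the file is missing (exit 2) the whole play aborts before the patch tasks run, and every run reports the task as changed. Keeping "no match" quiet while still surfacing a real read error is the honest audit: `failed_when: rhel_07_040180_audit.rc > 1` plus `changed_when: no`. The task is also named and tagged `PATCH`/`patch` although it is an audit, so the `audit` tag selector will not pick it up and the `patch` selector runs it without the rest of the audit file.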
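Review bot: The added `when: '"yes" in "{{ rhel_07_040180_audit.stdout_lines }}"'` on the RHEL-07-040180 patch task templates a registered result inside a conditional and then substring-searches the string form of a list, so a commented-out `#USELDAPAUTH=yes` line, or any other grep hit containing "yes", enables the task; an anchored test such as `when: rhel_07_040180_audit.stdout | regex_search('(?im)^USELDAPAUTH=yes')` is both warning-free and precise. `rhel_07_040180_audit` is only registered when the audit include runs, which tasks/main.yml gates on `rhel7stig_cat2_audit`, a separate flag from `rhel7stig_cat2_patch`, so a host that runs patches without audits fails here with an undefined variable; a `rhel_07_040180_audit is defined and` guard, or a documented requirement that the patch flag implies the audit flag, closes that gap. The remediation this condition gates is still `command: "true"`, so for now it gates a no-op.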
@@ -1250,28 +1251,46 @@ - RHEL-07-040182 - name: "MEDIUM | RHEL-07-040190 | PATCH | All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?ClientAliveInterval + line: ClientAliveInterval 600 + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040190 + - ssh - name: "MEDIUM | RHEL-07-040191 | PATCH | All network connections associated with SSH traffic must terminate after a period of inactivity." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?ClientAliveCountMax + line: ClientAliveCountMax 0 + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040191 + - ssh - name: "MEDIUM | RHEL-07-040210 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - command: "true" + lineinfile: + dest: /etc/ntp.conf + regexp: ^#?maxpoll + line: maxpoll 10 + notify: restart ntpd + when: rhel_07_040210_audit.stat.exists tags: - cat2 - medium - patch - RHEL-07-040210 + - ntp - name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." lineinfile: @@ -1288,7 +1307,7 @@ - regexp: '^#?enableOCSP' line: 'enableOCSP="true"' - + - regexp: '^#?ocspCacheSize' line: 'ocspCacheSize="50"' tags: From 205ca42bbabd8dd8c1e11cc7cbe8726a5235abc8 Mon Sep 17 00:00:00 2001 
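Review bot: The RHEL-07-040210 remediation writes a standalone `maxpoll 10` line into /etc/ntp.conf, but maxpoll is an option of the `server`/`peer`/`pool` entries rather than a directive of its own, so the line bounds the poll interval of no configured server and the `restart ntpd` handler then restarts the daemon on a configuration line it cannot parse. Appending ` maxpoll 10` to each `server` line that does not already carry it (the `replace` module, unlike `lineinfile`, rewrites every matching line) produces what the STIG check greps for; the rewrite is below. Two smaller caveats on the SSH tasks in the same hunk: `lineinfile` appends when the regexp does not match, which places the new directive inside a trailing `Match` block if sshd_config has one (an `insertbefore: '^Match'` guards against that), and `ClientAliveCountMax 0` is documented on newer OpenSSH releases as disabling the idle disconnect altogether, so the value deserves a comment naming the OpenSSH version the role targets.
```yaml
# … unchanged: name of the RHEL-07-040210 PATCH task …
  replace:
    dest: /etc/ntp.conf
    regexp: '^(server\s+(?!.*\bmaxpoll\b).*)$'
    replace: '\1 maxpoll 10'
  notify: restart ntpd
  when: rhel_07_040210_audit.stat.exists
# … unchanged: tags …
```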
From: jspringer Date: Mon, 1 Aug 2016 14:52:59 -0500 Subject: [PATCH 10/12] Minor text fix (tags) change ntp to ntpd i ntags --- tasks/audit-cat2.yml | 14 ++++++++++++-- tasks/fix-cat2.yml | 7 ++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index 425ee91..a4230a7 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml @@ -59,12 +59,22 @@ - RHEL-07-040210 - ntp -- name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." +- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." command: grep -i useldapauth /etc/sysconfig/authconfig register: rhel_07_040180_audit tags: - cat2 - medium - - patch + - audit + - RHEL-07-040180 + - ldap + +- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." + command: systemctl status nails + register: rhel_07_040180_audit + tags: + - cat2 + - medium + - audit - RHEL-07-040180 - ldap diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a757ad1..dd9a722 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
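Review bot: The second RHEL-07-040180 audit task added in the tasks/audit-cat2.yml hunk (`command: systemctl status nails`) registers into the same `rhel_07_040180_audit` variable as the authconfig grep just above it, so the grep result is overwritten and the fix-cat2 condition `"yes" in rhel_07_040180_audit.stdout_lines` is evaluated against systemctl output instead of the USELDAPAUTH setting. `systemctl status` also exits non-zero whenever the unit is inactive or unknown, and there is no `failed_when`, so the play aborts on every host without that service. If the service check really belongs to this control it needs its own register name and a task name that says what it checks; what `nails` has to do with LDAP authentication is not apparent from the change and should be stated in the task name or a comment.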
@@ -1210,12 +1210,16 @@ - RHEL-07-040110 - name: "MEDIUM | RHEL-07-040160 | PATCH | All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." - command: "true" + lineinfile: + dest: /etc/profile + regexp: ^#?TMOUT + line: TMOUT=600 tags: - cat2 - medium - patch - RHEL-07-040160 + - profile - name: "MEDIUM | RHEL-07-040170 | PATCH | The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts." command: "true" @@ -1291,6 +1295,7 @@ - patch - RHEL-07-040210 - ntp + - ntpd - name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." lineinfile: From cd83f09f88de9354ae3f85ca1a47ae8f066ca593 Mon Sep 17 00:00:00 2001 From: jspringer Date: Wed, 3 Aug 2016 11:01:04 -0500 Subject: [PATCH 11/12] Made adjustments based on suggestions. --- README.md | 12 +++--- defaults/main.yml | 6 +-- tasks/audit-cat2.yml | 93 ++++++++++++++++++++++---------------------- tasks/fix-cat2.yml | 2 +- 4 files changed, 56 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index 7ee44d1..ba402b8 100644 --- a/README.md +++ b/README.md 
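Review bot: The RHEL-07-040160 fix writes a bare `TMOUT=600` into /etc/profile, which sets the timeout only for the shell that sources it; without `readonly TMOUT` and `export TMOUT` a user can `unset TMOUT` or just start a subshell, and the regexp `^#?TMOUT` will not match an existing `export TMOUT=...` or `readonly TMOUT=...` line, leaving two competing definitions. A dedicated drop-in is the usual shape: `lineinfile` with `dest: /etc/profile.d/tmout.sh`, `create: yes`, `regexp: '^TMOUT='` and `line: 'TMOUT=600; readonly TMOUT; export TMOUT'`, which also keeps the role out of the package-managed /etc/profile. Which exact form the STIG revision in use expects is not visible from the hunk, so the task name or a comment should cite it.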
@@ -14,12 +14,12 @@ Role Variables | Name | Default Value | Description | |-------------------|---------------------|----------------------| -| `rhel7stig_cat1_audit` | True | Audit for CAT I findings | -| `rhel7stig_cat2_audit` | False | Audit for CAT II findings | -| `rhel7stig_cat3_audit` | False | Audit for CAT III findings | -| `rhel7stig_cat1_patch` | True | Correct CAT I findings | -| `rhel7stig_cat2_patch` | False | Correct CAT II findings | -| `rhel7stig_cat3_patch` | False | Correct CAT III findings | +| `rhel7stig_cat1_audit` | 'yes' | Audit for CAT I findings | +| `rhel7stig_cat2_audit` | 'no' | Audit for CAT II findings | +| `rhel7stig_cat3_audit` | 'no' | Audit for CAT III findings | +| `rhel7stig_cat1_patch` | 'yes' | Correct CAT I findings | +| `rhel7stig_cat2_patch` | 'no' | Correct CAT II findings | +| `rhel7stig_cat3_patch` | 'no' | Correct CAT III findings | Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index be21af2..94df0f8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,9 +4,9 @@ rhel7stig_cat3_patch: no # These values match patch values by defaults. To override these values, # set them in group_vars, host_sars, or with the -e flag via CLI -rhel7stig_cat1_audit: yes -rhel7stig_cat2_audit: no -rhel7stig_cat3_audit: no +rhel7stig_cat1_audit: "{{ rhel7stig_cat1_patch }}" +rhel7stig_cat2_audit: "{{ rhel7stig_cat2_patch }}" +rhel7stig_cat3_audit: "{{ rhel7stig_cat3_patch }}" # Whether or not to run tasks related to auditing/patching the desktop environment rhel7stig_gui: no diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index a4230a7..ea7f9ef 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml 
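Review bot: Deriving the audit flags from the patch flags (`rhel7stig_cat2_audit: "{{ rhel7stig_cat2_patch }}"`) in the defaults/main.yml hunk fixes the default coupling, but the README rows in this same commit still document the audit defaults as literal `'yes'`/`'no'` rather than "same as the matching patch flag", and the comment above the new lines is the only place the relationship is explained. Since the patch tasks read variables registered by the audit tasks, a user who sets `rhel7stig_cat2_patch: yes` together with `rhel7stig_cat2_audit: no` still gets undefined-variable failures; the comment should say that the audits are required by the patches, not merely that the values match by default.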
@@ -1,45 +1,37 @@ -- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." - find: - paths: / - recurse: yes - file_type: file - patterns: '*.pub' - hidden: true +- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." + command: grep -i useldapauth /etc/sysconfig/authconfig + register: rhel_07_040180_audit failed_when: no changed_when: no ignore_errors: yes - register: rhel_07_040640_audit tags: - cat2 - - high + - medium - audit - - RHEL-07-040640 - - always - - ssh + - RHEL-07-040180 + - ldap -- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." - find: - paths: / - recurse: yes - file_type: file - patterns: '*ssh_host*key' - hidden: true +- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + stat: + path: /etc/ntp.conf + register: rhel_07_040210_audit failed_when: no changed_when: no ignore_errors: yes - register: rhel_07_040650_audit tags: - cat2 - - high + - medium - audit - - RHEL-07-040650 - - always - - ssh + - RHEL-07-040210 + - ntpd - name: "MEDIUM | RHEL-07-040230 | AUDIT | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." stat: path: /var/lib/pki-kra/conf/server.xml register: rhel_07_040230_audit + failed_when: no + changed_when: no + ignore_errors: yes tags: - cat2 - medium 
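Review bot: Adding `failed_when: no` and `ignore_errors: yes` together to the 040180, 040210 and 040230 audit tasks is redundant (`failed_when: no` already means the task can never fail, so `ignore_errors` has nothing left to ignore), and for the grep task it erases the distinction between "USELDAPAUTH not set" (grep exits 1) and "could not read /etc/sysconfig/authconfig" (exit 2): both now reach fix-cat2 as an empty `stdout` and silently skip the LDAP remediation. `failed_when: rhel_07_040180_audit.rc > 1` keeps the no-match case quiet while still surfacing a real error, and the two `stat` tasks need neither directive, since `stat` does not fail on a missing path. The 040210 audit tag was also changed from `ntp` to `ntpd`, while the matching fix task in fix-cat2 carries both `ntp` and `ntpd`, so `--tags ntp` now runs the fix (whose `when: rhel_07_040210_audit.stat.exists` needs the audit result) without its audit.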
@@ -48,33 +40,40 @@ - always - pki -- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - stat: - path: /etc/ntp.conf - register: rhel_07_040210_audit - tags: - - cat2 - - medium - - audit - - RHEL-07-040210 - - ntp - -- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." - command: grep -i useldapauth /etc/sysconfig/authconfig - register: rhel_07_040180_audit +- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive." + find: + paths: / + recurse: yes + file_type: file + patterns: '*ssh_host*key' + hidden: true + failed_when: no + changed_when: no + ignore_errors: yes + register: rhel_07_040650_audit tags: - cat2 - - medium + - high - audit - - RHEL-07-040180 - - ldap + - RHEL-07-040650 + - always + - ssh -- name: "MEDIUM | RHEL-07-040180 | AUDIT | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." - command: systemctl status nails - register: rhel_07_040180_audit +- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive." + find: + paths: / + recurse: yes + file_type: file + patterns: '*.pub' + hidden: true + failed_when: no + changed_when: no + ignore_errors: yes + register: rhel_07_040640_audit tags: - cat2 - - medium + - high - audit - - RHEL-07-040180 - - ldap + - RHEL-07-040640 + - always + - ssh diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index dd9a722..b54c9fc 100644 --- a/tasks/fix-cat2.yml 
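Review bot: The two `find` tasks for RHEL-07-040650/040640 register a `find` result, whose matches are returned under `files` (one dict per file with a `path` key), while the PATCH tasks at the start of this series iterate `rhel_07_040640_audit.stdout_lines` / `rhel_07_040650_audit.stdout_lines`, keys the `find` module does not set; unless fix-cat2 was updated in a commit not shown here, the remediation loops over an undefined attribute. Searching `paths: /` recursively with `hidden: true` for `'*.pub'` also sweeps the whole filesystem (user `~/.ssh/*.pub`, package payloads, any mounted network storage) and the fix then chmods every hit, whereas the control concerns host keys only; restricting both tasks to `paths: /etc/ssh` with `patterns: 'ssh_host_*_key'` and `'ssh_host_*_key.pub'` keeps the scan fast and the chmod scoped to what the finding names. The tasks are named MEDIUM but tagged `high`, so the `medium` tag selector will not catch them.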
+++ b/tasks/fix-cat2.yml @@ -1231,7 +1231,7 @@ - name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." command: "true" - when: '"yes" in "{{ rhel_07_040180_audit.stdout_lines }}"' + when: "'yes' in rhel_07_040180_audit.stdout" tags: - cat2 - medium From 47278c7c57dcc8499df337c1a9d7fdfdb6ef51b6 Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 3 Aug 2016 20:38:33 -0500 Subject: [PATCH 12/12] Updated the README Fixed with backticks. --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ba402b8..04c4e78 100644 --- a/README.md +++ b/README.md @@ -14,12 +14,12 @@ Role Variables | Name | Default Value | Description | |-------------------|---------------------|----------------------| -| `rhel7stig_cat1_audit` | 'yes' | Audit for CAT I findings | -| `rhel7stig_cat2_audit` | 'no' | Audit for CAT II findings | -| `rhel7stig_cat3_audit` | 'no' | Audit for CAT III findings | -| `rhel7stig_cat1_patch` | 'yes' | Correct CAT I findings | -| `rhel7stig_cat2_patch` | 'no' | Correct CAT II findings | -| `rhel7stig_cat3_patch` | 'no' | Correct CAT III findings | +| `rhel7stig_cat1_audit` | `yes` | Audit for CAT I findings | +| `rhel7stig_cat2_audit` | `no` | Audit for CAT II findings | +| `rhel7stig_cat3_audit` | `no` | Audit for CAT III findings | +| `rhel7stig_cat1_patch` | `yes` | Correct CAT I findings | +| `rhel7stig_cat2_patch` | `no` | Correct CAT II findings | +| `rhel7stig_cat3_patch` | `no` | Correct CAT III findings | Dependencies
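Review bot: The reworked condition `when: "'yes' in rhel_07_040180_audit.stdout"` is still a plain substring test, so a commented-out `#USELDAPAUTH=yes` line, or any other text containing "yes" that `grep -i useldapauth` returns, enables the task, and on a host where the audit include was skipped the reference raises an undefined-variable error instead of skipping. Anchoring the match, e.g. `when: rhel_07_040180_audit is defined and rhel_07_040180_audit.stdout | regex_search('(?im)^USELDAPAUTH=yes')`, covers both. The remediation this condition gates is still `command: "true"`, so RHEL-07-040180 is reported as handled without any protection for LDAP traffic being configured; a comment marking the task as a placeholder until the LDAP handling mentioned in the series description is decided would avoid a false sense of coverage.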