Made some changes to CAT II #4

Merged
merged 14 commits into from
Aug 6, 2016
25 changes: 25 additions & 0 deletions tasks/audit-cat2.yml
@@ -0,0 +1,25 @@
- name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive."
command: find / -name '*ssh_host*key'
Owner

Please use the find module rather than command.

Contributor Author

Fixed. Will commit when finished with other changes.

failed_when: no
changed_when: no
ignore_errors: yes
register: rhel_07_040650_audit
tags:
- cat2
- high
- audit
- RHEL-07-040640
- always

- name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive."
command: find / -name '*ssh_host*key'
failed_when: no
changed_when: no
ignore_errors: yes
register: rhel_07_040650_audit
tags:
- cat2
- high
- audit
- RHEL-07-040650
- always
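Review bot: both audit tasks register the same variable, `rhel_07_040650_audit`; the RHEL-07-040640 task should register `rhel_07_040640_audit`, which is the name its patch task in fix-cat2.yml loops over, otherwise that loop hits an undefined variable and the 040650 result is silently reused. Both tasks also run the identical `find / -name '*ssh_host*key'`, which only matches names ending in `key` (the private keys), so the public-key audit never sees the `.pub` files it is meant to check; the 040640 pattern should be `'*ssh_host*key.pub'`. The `- high` tag contradicts the MEDIUM severity in the task name and the `- medium` tag the patch tasks use. Switching to the `find` module as the owner asks (`paths:` and `patterns:`) also removes the need for `failed_when`/`ignore_errors` and lets the search be pointed at `/etc/ssh` instead of walking the whole filesystem.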
70 changes: 58 additions & 12 deletions tasks/fix-cat2.yml
@@ -1439,63 +1439,104 @@
- RHEL-07-040620

- name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive."
command: "true"
file:
dest: "{{ item }}"
Owner

Please indent four spaces.

Contributor Author

Fixed. Will commit when finished with other changes.

mode: 0644
state: file
with_items: "{{ rhel_07_040640_audit.stdout_lines }}"
Owner

Use rhel_07_040640_audit.files.

tags:
- cat2
- medium
- patch
- RHEL-07-040640

- name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive."
command: "true"
file:
dest: "{{ item }}"
Owner

Please indent four spaces.

Contributor Author

Fixed. Will commit when finished with other changes.

mode: 0600
state: file
with_items: "{{ rhel_07_040650_audit.stdout_lines }}"
tags:
- cat2
- medium
- patch
- RHEL-07-040650

- name: "MEDIUM | RHEL-07-040660 | PATCH | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."
command: "true"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: (?i)^#?gssapiauthentication
line: GSSAPIAuthentication no
validate: sshd -t -f %s
notify: restart ssh
tags:
- cat2
- medium
- patch
- RHEL-07-040660
- ssh

- name: "MEDIUM | RHEL-07-040670 | PATCH | The SSH daemon must not permit Kerberos authentication unless needed."
command: "true"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: (?i)^#?kerberosauthentication
line: KerberosAuthentication no
validate: sshd -t -f %s
notify: restart ssh
tags:
- cat2
- medium
- patch
- RHEL-07-040670
- ssh

- name: "MEDIUM | RHEL-07-040680 | PATCH | The SSH daemon must perform strict mode checking of home directory configuration files."
command: "true"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: (?i)^#?strictmodes
line: StrictModes yes
validate: sshd -t -f %s
notify: restart ssh
tags:
- cat2
- medium
- patch
- RHEL-07-040680
- ssh

- name: "MEDIUM | RHEL-07-040690 | PATCH | The SSH daemon must use privilege separation."
command: "true"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: (?i)^#?useprivilegeseparation
line: UsePrivilegeSeparation yes
validate: sshd -t -f %s
notify: restart ssh
tags:
- cat2
- medium
- patch
- RHEL-07-040690
- ssh

- name: "MEDIUM | RHEL-07-040700 | PATCH | The SSH daemon must not allow compression or must only allow compression after successful authentication."
command: "true"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: (?i)^#?compression
line: Compression no
validate: sshd -t -f %s
notify: restart ssh
tags:
- cat2
- medium
- patch
- RHEL-07-040700
- ssh

- name: "MEDIUM | RHEL-07-040730 | PATCH | The system must not be performing packet forwarding unless the system is a router."
Owner

Probably should add a variable, e.g., rhel7stig_system_is_router, with a default of no and add a conditional to this task. This will allow it to be skipped if the system is a router.

when: not rhel7stig_system_is_router

Contributor Author

Fixed, will commit when other changes complete.

command: "true"
sysctl:
name: net.ipv4.ip_forward
present: yes
value: 0
tags:
- cat2
- medium
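Review bot: the RHEL-07-040640 loop reads `rhel_07_040640_audit.stdout_lines`, but audit-cat2.yml registers `rhel_07_040650_audit` for both audit tasks, so this variable is undefined as the PR stands. Once the audit uses the `find` module, its `files` result is a list of dicts rather than path strings, so the loop needs `with_items: "{{ rhel_07_040640_audit.files }}"` together with `dest: "{{ item.path }}"`; the same change applies to the 040650 task. In the RHEL-07-040730 sysctl task, `present: yes` is not a parameter the `sysctl` module accepts and will fail the play; the module takes `state: present` (its default), plus `ignoreerrors: yes` as requested in the later comment, and the `when: not rhel7stig_system_is_router` guard belongs on this task with `rhel7stig_system_is_router: no` in the role defaults. Minor: the two host-key tasks omit the `- ssh` tag that the other sshd_config tasks carry.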
@@ -1511,12 +1552,15 @@
- RHEL-07-040740

- name: "MEDIUM | RHEL-07-040810 | PATCH | The system must use a local firewall."
Owner

Need an additional task that starts and enables the firewall to meet the full requirement.

Contributor Author

Fixed, will commit when other changes are complete.

Owner

Actually, this is a duplicate of RHEL-07-040290. Slightly different wording on the requirement but the fix action for both is identical. We can remove these tasks and just leave a comment in line with the finding ID stating it's a duplicate.

Hooray for working from the draft STIG.

Contributor Author

Yeah, was actually curious if we should leave it now and remove it when the final rev is complete? Not sure which one they will remove. Figured once the final release is out, do a final check for the actual findings, add those that are missing, and remove those that are taken out.

Thoughts?

command: "true"
yum:
name: firewalld
state: latest
tags:
- cat2
- medium
- patch
- RHEL-07-040810
- firewalld

- name: "MEDIUM | RHEL-07-040820 | PATCH | The system's access control program must be configured to grant or deny system access to specific hosts and services."
command: "true"
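Review bot: `state: latest` in the RHEL-07-040810 yum task upgrades firewalld whenever a newer package is available, so a compliance run can change package versions on every invocation; `state: present` is what "the system must use a local firewall" needs from the package step. Installing the package alone does not meet the finding either: it needs a `service` task with `name: firewalld`, `state: started` and `enabled: yes`, unless the task is dropped as the duplicate of RHEL-07-040290 discussed above and a comment is left in place of the finding ID.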
@@ -1535,10 +1579,12 @@
- RHEL-07-040830

- name: "MEDIUM | RHEL-07-040860 | PATCH | The system must not forward IPv6 source-routed packets."
command: "true"
sysctl:
name: net.ipv6.conf.all.accept_source_route
present: yes
value: 0
Owner

For sysctl tasks, we generally add the ignoreerrors: yes task parameter to prevent failure due to unknown keys.

Contributor Author

Fixed on each sysctl task. Getting ready to commit changes now.

tags:
- cat2
- medium
- patch
- RHEL-07-040860

- RHEL-07-010860
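Review bot: `present: yes` in the RHEL-07-040860 task is not a `sysctl` module parameter and will abort the play with an unsupported-parameter error; use `state: present` and add `ignoreerrors: yes`, since `net.ipv6.conf.all.accept_source_route` does not exist on hosts where IPv6 has been disabled and a missing key would otherwise fail the run. The context line `- RHEL-07-010860` closing this hunk sits among RHEL-07-0408xx tasks and looks like a mistyped tag; worth checking the surrounding task while this file is being edited.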
6 changes: 6 additions & 0 deletions tasks/main.yml
@@ -20,6 +20,12 @@
- cat1
- audit

- name: Run CAT II audits
include: audit-cat2.yml
tags:
Owner (@samdoran, Aug 1, 2016)

These conditionals should not be removed. They are what allow remediation based on severity.

- cat2
- audit

- name: Include CAT I patches
include: fix-cat1.yml
when: rhel7stig_cat1_patch
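Review bot: the new `Run CAT II audits` include has no `when:` guard, while `Include CAT I patches` is gated by `rhel7stig_cat1_patch`; as the owner says, those conditionals are what let a user run only the severities they want, so add a CAT II audit variable following the `rhel7stig_cat1_patch` naming, give it a default in the role defaults, and put the matching `when:` on this task.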