diff --git a/tasks/main.yml b/tasks/main.yml index 618cc57..a03cb14 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,6 +17,7 @@ - DISA-STIG-RHEL-08-010359 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - enable_strategy - low_complexity - low_disruption @@ -359,6 +360,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 + - PCI-DSSv4-2.2 - configure_libreswan_crypto_policy - high_severity - low_complexity @@ -377,7 +379,7 @@ - name: Test for crypto_policy group command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf register: test_crypto_policy_group - ignore_errors: true + failed_when: test_crypto_policy_group.rc not in [0, 1] changed_when: false check_mode: false tags: @@ -391,6 +393,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 + - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -433,6 +436,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 + - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -468,6 +472,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 + - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -489,6 +494,7 @@ - NIST-800-53-MA-4(6) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 + - PCI-DSSv4-2.2 - configure_ssh_crypto_policy - disable_strategy - low_complexity @@ -545,7 +551,7 @@ tags: - CCE-82214-8 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 + - PCI-DSSv4-10.2.1.5 - enable_strategy - low_complexity - low_disruption @@ -961,6 +967,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - configure_strategy - ensure_gpgcheck_globally_activated - high_severity @@ -1008,6 +1015,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - configure_strategy - ensure_gpgcheck_globally_activated - high_severity 
@@ -1095,7 +1103,7 @@ ' register: repo_grep_results - ignore_errors: true + failed_when: repo_grep_results.rc not in [0, 1] changed_when: false tags: - CCE-80792-5 @@ -1112,6 +1120,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - enable_strategy - ensure_gpgcheck_never_disabled - high_severity @@ -1150,6 +1159,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - enable_strategy - ensure_gpgcheck_never_disabled - high_severity @@ -1341,11 +1351,11 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Select authselect profile +- name: Enable authselect - Select authselect profile ansible.builtin.command: cmd: authselect select "{{ var_authselect_profile }}" - ignore_errors: true register: result_authselect_select + failed_when: false tags: - CCE-88248-0 - NIST-800-53-AC-3 @@ -1363,11 +1373,11 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Verify if PAM has been altered +- name: Enable authselect - Verify if PAM has been altered ansible.builtin.command: cmd: rpm -qV pam register: result_altered_authselect - ignore_errors: true + failed_when: false when: - configure_strategy | bool - enable_authselect | bool @@ -1375,7 +1385,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - result_authselect_select is failed + - result_authselect_select.rc != 0 tags: - CCE-88248-0 - NIST-800-53-AC-3 @@ -1386,10 +1396,10 @@ - medium_severity - no_reboot_needed -- name: Informative message based on the authselect integrity check +- name: Enable authselect - Informative message based on the authselect integrity check ansible.builtin.assert: that: - - result_altered_authselect is success + - result_altered_authselect is skipped or result_altered_authselect.rc == 0 fail_msg: - Files in the 'pam' package have been altered, so the authselect configuration won't be forced. tags: 
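Review bot: Replacing the `is failed` / `is success` tests with direct `.rc` comparisons regresses `--check` runs: `ansible.builtin.command` is skipped in check mode unless the task sets `check_mode: false` (not visible for the `authselect select` / `rpm -qV pam` / `authselect check` tasks, whose headers are outside these hunks), and a skipped result carries no `rc`, so the `when` on 'Verify if PAM has been altered' (`result_authselect_select.rc != 0`) and the asserts on `result_authselect_check_cmd.rc == 0` now abort with an undefined-attribute error where the old tests simply evaluated to false/true. The `is skipped or` idiom the commit itself introduces for `result_altered_authselect` is the fix: `- result_authselect_select is not skipped and result_authselect_select.rc != 0` for the two `when` lists (`@@ -1375` and `@@ -1419`), and `- result_authselect_check_cmd is skipped or result_authselect_check_cmd.rc == 0` for every 'Informative message based on the authselect integrity check result' assert (`@@ -1516`, `@@ -1589`, `@@ -1809`, `@@ -1958`, `@@ -2214`, `@@ -2421`, `@@ -2553`, `@@ -2833`, `@@ -3032`, `@@ -3168`, `@@ -3451`, `@@ -3658`, `@@ -3791`, `@@ -4817`). If those command tasks do carry `check_mode: false` further up, a short comment above the asserts saying the result always has `rc` would save the next reader the same question.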
@@ -1409,7 +1419,7 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Force authselect profile select +- name: Enable authselect - Force authselect profile select ansible.builtin.command: cmd: authselect select --force "{{ var_authselect_profile }}" when: @@ -1419,8 +1429,8 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - result_altered_authselect is success - - result_authselect_select is failed + - result_authselect_select.rc != 0 + - result_altered_authselect is skipped or result_altered_authselect.rc == 0 tags: - CCE-88248-0 - NIST-800-53-AC-3 @@ -1441,6 +1451,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -1474,6 +1485,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -1502,6 +1514,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -1516,11 +1529,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -1566,6 +1579,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity 
@@ -1589,11 +1603,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -1720,10 +1734,11 @@ - name: Limit Password Reuse - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is - defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) - - ' + when: + - result_authselect_present is defined + - result_authselect_present.stat.exists + - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ + \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 @@ -1746,6 +1761,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -1772,6 +1788,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity 
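Review bot: The third item of the new `when` list on 'Ensure authselect changes are applied' is a double-quoted scalar with a literal `\n` and a backslash line continuation embedded in the Jinja expression; Jinja treats the newline as whitespace so it evaluates correctly, but it is hard to read and easy to break when hand-edited. A folded scalar expresses the same condition without escapes: `- >-` followed by `(result_pam_module_add is defined and result_pam_module_add.changed)` and `or (result_pam_module_edit is defined and result_pam_module_edit.changed)` on two indented lines. The same construction recurs in the `@@ -2088` hunk. The second `when:` that follows in the context lines is presumably the enclosing block's (indentation is lost in this rendering) — worth confirming it is not a second `when` key on the same task, since YAML loaders silently keep only the last duplicate key.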
@@ -1809,11 +1826,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile @@ -1935,6 +1952,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -1958,11 +1976,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -2088,10 +2106,11 @@ - name: Limit Password Reuse - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is - defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) - - ' + when: + - result_authselect_present is defined + - result_authselect_present.stat.exists + - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ + \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 
@@ -2146,6 +2165,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2164,6 +2184,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2200,6 +2221,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2214,11 +2236,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -2265,6 +2287,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2333,6 +2356,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2361,6 +2385,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2392,6 +2417,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption 
@@ -2421,11 +2447,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -2553,11 +2579,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -2683,6 +2709,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2771,6 +2798,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption 
@@ -2833,12 +2861,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Interval For Counting Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -3032,12 +3060,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Interval For Counting Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3168,12 +3196,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Interval For Counting Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3401,6 +3429,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption 
@@ -3437,6 +3466,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3451,11 +3481,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -3502,6 +3532,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3570,6 +3601,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3598,6 +3630,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3629,6 +3662,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption 
@@ -3658,12 +3692,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3791,12 +3825,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3922,6 +3956,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -4010,6 +4045,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -4028,6 +4064,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption @@ -4066,6 +4104,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption 
@@ -4140,6 +4180,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -4178,6 +4220,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -4304,6 +4348,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -4343,6 +4389,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -4415,6 +4463,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -4453,6 +4503,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -4460,15 +4512,19 @@ - no_reboot_needed - restrict_strategy -- name: Disable service debug-shell +- name: Block Disable service debug-shell block: - name: Disable service debug-shell - systemd: - name: debug-shell.service - enabled: 'no' - state: stopped - masked: 'yes' - ignore_errors: 'yes' + block: + - name: Disable service debug-shell + systemd: + name: debug-shell.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + - name: Intentionally ignored previous 'Disable service debug-shell' failure, service was already disabled + meta: noop when: - DISA_STIG_RHEL_08_040180 | bool - disable_strategy | bool 
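Review bot: The `rescue:` added around 'Disable service debug-shell' swallows every failure of the `systemd` task, not only the "service was already disabled" case its task name asserts, so a unit that could not be stopped or masked (unit missing, systemd not reachable, permission problem) now reports success for a remediation whose entire purpose is that debug-shell ends up masked. The rescue should at least inspect `ansible_failed_result` and re-raise anything other than the expected condition, or be followed by a verification that the unit is masked; with `meta: noop` the failure also leaves no trace in the play output. As a style point, the re-indented `enabled: 'no'` and `masked: 'yes'` are quoted strings passed to boolean parameters — `false` / `true` is the canonical form and avoids YAML 1.1 truthy ambiguity.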
@@ -4494,7 +4550,7 @@ command: systemctl list-unit-files debug-shell.socket register: socket_file_exists changed_when: false - ignore_errors: true + failed_when: socket_file_exists.rc not in [0, 1] check_mode: false when: - DISA_STIG_RHEL_08_040180 | bool @@ -4628,7 +4684,7 @@ - low_disruption - no_reboot_needed -- name: require single user mode password +- name: Require single user mode password lineinfile: create: true dest: /usr/lib/systemd/system/rescue.service 
@@ -4683,6 +4739,96 @@ - no_reboot_needed - package_tmux_installed +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82266-8 + - configure_bashrc_exec_tmux + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_bashrc_exec_tmux | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: 'Support session locking with tmux: Determine If the Tmux Launch Script Is Present in /etc/bashrc' + ansible.builtin.find: + paths: /etc + patterns: bashrc + contains: .*case "$name" in sshd|login) exec tmux ;; esac.* + register: tmux_in_bashrc + when: + - configure_bashrc_exec_tmux | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"tmux" in ansible_facts.packages' + tags: + - CCE-82266-8 + - configure_bashrc_exec_tmux + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: 'Support session locking with tmux: Determine If the Tmux Launch Script Is Present in /etc/profile.d/*.sh' + ansible.builtin.find: + paths: /etc/profile.d + patterns: '*.sh' + contains: .*case "$name" in sshd|login) exec tmux ;; esac.* + register: tmux_in_profile_d + when: + - configure_bashrc_exec_tmux | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"tmux" in ansible_facts.packages' + tags: + - CCE-82266-8 + - configure_bashrc_exec_tmux + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: 'Support session locking with tmux: Insert the Correct Script into /etc/profile.d/tmux.sh' + ansible.builtin.blockinfile: + path: /etc/profile.d/tmux.sh + block: "if [ \"$PS1\" ]; then\n parent=$(ps -o ppid= -p $$)\n 
name=$(ps -o comm= -p $parent)\n case \"$name\" in sshd|login)\ + \ exec tmux ;; esac\nfi\n" + create: true + when: + - configure_bashrc_exec_tmux | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"tmux" in ansible_facts.packages' + - tmux_in_bashrc is defined and tmux_in_bashrc.matched == 0 + - tmux_in_profile_d is defined and tmux_in_profile_d.matched == 0 + tags: + - CCE-82266-8 + - configure_bashrc_exec_tmux + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Configure tmux to lock session after inactivity block: - name: Check for duplicate values @@ -4803,6 +4949,8 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - configure_strategy - high_severity - low_complexity @@ -4817,11 +4965,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Prevent Login to Accounts With Empty Password - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -4870,6 +5018,8 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - configure_strategy - high_severity - low_complexity @@ -4904,6 +5054,8 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - configure_strategy - high_severity - low_complexity 
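Review bot: The `contains:` value on the two 'Determine If the Tmux Launch Script Is Present' `find` tasks is a regular expression, and as written it cannot match the script that is inserted below it: `$` turns `"$name"` into an end-of-string anchor, `|` makes the whole pattern an alternation, and the unescaped `)` is an unbalanced group that Python's `re` rejects, so the task most likely fails before any file is read. Escape the metacharacters and single-quote the scalar so YAML leaves the backslashes alone: `contains: '.*case "\$name" in sshd\|login\) exec tmux ;; esac.*'` in both tasks. Until then the guards `tmux_in_bashrc.matched == 0` / `tmux_in_profile_d.matched == 0` on 'Insert the Correct Script' can never see a hit, so a launcher already present in /etc/bashrc would be duplicated into /etc/profile.d/tmux.sh. The `block:` of the blockinfile task would also read better as a `|` literal block than as a double-quoted scalar full of `\n` escapes. This hunk begins on the previous physical line of this rendering.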
@@ -4922,7 +5074,7 @@ - NIST-800-171-3.1.5 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - low_complexity - low_disruption - medium_severity @@ -4942,7 +5094,7 @@ manager: auto tags: - CCE-83318-6 - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - low_complexity - low_disruption - medium_severity @@ -4957,7 +5109,7 @@ - restrict_strategy | bool - use_pam_wheel_for_su | bool -- name: restrict usage of su command only to members of wheel group +- name: Restrict usage of su command only to members of wheel group replace: path: /etc/pam.d/su regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ @@ -4972,7 +5124,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83318-6 - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - low_complexity - low_disruption - medium_severity @@ -5105,7 +5257,7 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5140,7 +5292,7 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5167,7 +5319,7 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption 
@@ -5255,20 +5407,21 @@ - no_reboot_needed - restrict_strategy -- name: Check if umask is already set - ansible.builtin.lineinfile: - path: /etc/profile - regexp: (^[\s]*umask)\s+(\d+) - state: absent - check_mode: true - changed_when: false - register: result_umask_is_set +- name: Ensure the Default Umask is Set Correctly in /etc/profile - Locate Profile Configuration Files Where umask Is Defined + ansible.builtin.find: + paths: + - /etc/profile.d + patterns: + - sh.local + - '*.sh' + contains: ^[\s]*umask\s+\d+ + register: result_profile_d_files tags: - CCE-81035-8 - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption 
@@ -5284,35 +5437,40 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Replace user umask in /etc/profile +- name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing umask Value in Files From /etc/profile.d ansible.builtin.replace: - path: /etc/profile + path: '{{ item.path }}' regexp: ^(\s*)umask\s+\d+ replace: \1umask {{ var_accounts_user_umask }} + loop: '{{ result_profile_d_files.files }}' + register: result_umask_replaced_profile_d + when: + - DISA_STIG_RHEL_08_020353 | bool + - accounts_umask_etc_profile | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - result_profile_d_files.matched tags: - CCE-81035-8 - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_08_020353 | bool - - accounts_umask_etc_profile | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Append user umask in /etc/profile +- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Is Set in /etc/profile if Not Already Set + Elsewhere ansible.builtin.lineinfile: create: true + mode: 420 path: /etc/profile line: umask {{ var_accounts_user_umask }} when: 
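Review bot: The rewritten 'Ensure umask Is Set in /etc/profile if Not Already Set Elsewhere' `lineinfile` task has no `regexp`, and the commit drops the old `result_umask_is_set.found == 0` guard, so when /etc/profile already contains a `umask` line with a different value (as a stock profile typically does) the exact line `umask {{ var_accounts_user_umask }}` is appended as a second definition and the later replace task then rewrites both, leaving two identical umask lines; adding `regexp: ^\s*umask\s+\d+` makes the existing definition be updated in place instead. `mode: 420` is the decimal rendering of 0644 that the YAML dumper produced — write it as `mode: '0644'` so the octal intent is readable and lint-clean. The task's `when:` list continues in the next hunk.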
@@ -5323,19 +5481,47 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - result_umask_is_set.found == 0 + - not result_profile_d_files.matched + tags: + - CCE-81035-8 + - DISA-STIG-RHEL-08-020353 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-8.6.1 + - accounts_umask_etc_profile + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Value For All Existing umask Definition in + /etc/profile + ansible.builtin.replace: + path: /etc/profile + regexp: ^(\s*)umask\s+\d+ + replace: \1umask {{ var_accounts_user_umask }} + register: result_umask_replaced_profile tags: - CCE-81035-8 - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.6.1 + - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + when: + - DISA_STIG_RHEL_08_020353 | bool + - accounts_umask_etc_profile | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool - name: Ensure audit is installed package: @@ -5360,7 +5546,8 @@ - NIST-800-53-AU-7(1) - NIST-800-53-AU-7(2) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2.1 - enable_strategy - low_complexity - low_disruption @@ -5388,6 +5575,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SI-4(23) - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2.1 - enable_strategy - low_complexity - low_disruption @@ -5409,7 +5597,7 @@ package_facts: manager: auto - name: Enable service auditd - service: + systemd: name: auditd enabled: 'yes' state: started @@ -5443,6 +5631,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SI-4(23) - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2.1 - enable_strategy - low_complexity - low_disruption 
@@ -5464,6 +5653,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -5502,6 +5692,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -7518,7 +7709,7 @@ package_facts: manager: auto - name: Enable service firewalld - service: + systemd: name: firewalld enabled: 'yes' state: started @@ -7617,6 +7808,7 @@ sysctl: name: net.ipv6.conf.all.accept_ra value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -7712,6 +7904,7 @@ sysctl: name: net.ipv6.conf.all.accept_redirects value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -7805,6 +7998,7 @@ sysctl: name: net.ipv6.conf.all.accept_source_route value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -7896,6 +8090,7 @@ sysctl: name: net.ipv6.conf.default.accept_ra value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -7987,6 +8182,7 @@ sysctl: name: net.ipv6.conf.default.accept_redirects value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8084,6 +8280,7 @@ sysctl: name: net.ipv6.conf.default.accept_source_route value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8182,6 +8379,7 @@ sysctl: name: net.ipv4.conf.all.accept_redirects value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: 
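Review bot: Pinning `sysctl_file: /etc/sysctl.conf` on every sysctl task (this hunk and the rest of the series through `user.max_user_namespaces`) restates the module default, and it does not make the value authoritative: `sysctl --system` / systemd-sysctl also apply drop-ins from /etc/sysctl.d, /run/sysctl.d and /usr/lib/sysctl.d, and on distributions that reach /etc/sysctl.conf via a `99-sysctl.conf` symlink a later-sorted drop-in setting the same key wins at the next boot even though `reload: true` makes the value current now. If the role already neutralises conflicting definitions in those directories before these tasks (not visible in the hunks), a one-line comment above the first sysctl task saying so would help; otherwise that preceding step is what is missing for the security-sensitive keys here (ip_forward, send_redirects, kernel.yama.ptrace_scope, kernel.unprivileged_bpf_disabled).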
@@ -8279,6 +8477,7 @@ sysctl: name: net.ipv4.conf.all.accept_source_route value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8368,6 +8567,7 @@ sysctl: name: net.ipv4.conf.all.log_martians value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8461,6 +8661,7 @@ sysctl: name: net.ipv4.conf.all.rp_filter value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8554,6 +8755,7 @@ sysctl: name: net.ipv4.conf.all.secure_redirects value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8651,6 +8853,7 @@ sysctl: name: net.ipv4.conf.default.accept_redirects value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8749,6 +8952,7 @@ sysctl: name: net.ipv4.conf.default.accept_source_route value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8838,6 +9042,7 @@ sysctl: name: net.ipv4.conf.default.log_martians value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -8925,6 +9130,7 @@ sysctl: name: net.ipv4.conf.default.rp_filter value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9013,6 +9219,7 @@ sysctl: name: net.ipv4.conf.default.secure_redirects value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: 
@@ -9107,6 +9314,7 @@ sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9198,6 +9406,7 @@ sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9294,6 +9503,7 @@ sysctl: name: net.ipv4.tcp_syncookies value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9351,6 +9561,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -9383,6 +9594,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -9394,6 +9606,7 @@ sysctl: name: net.ipv4.conf.all.send_redirects value: '0' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9415,6 +9628,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -9494,6 +9708,7 @@ sysctl: name: net.ipv4.conf.default.send_redirects value: '0' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9550,6 +9765,7 @@ - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.3.1 - PCI-DSS-Req-1.3.2 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -9581,6 +9797,7 @@ - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.3.1 - PCI-DSS-Req-1.3.2 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -9592,6 +9809,7 @@ sysctl: name: net.ipv4.ip_forward value: '0' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -9612,6 +9830,7 @@ - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.3.1 - PCI-DSS-Req-1.3.2 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption 
@@ -9797,6 +10016,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.2 + - PCI-DSSv4-1.4.2 - disable_strategy - kernel_module_sctp_disabled - low_complexity @@ -9828,6 +10048,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.2 + - PCI-DSSv4-1.4.2 - disable_strategy - kernel_module_sctp_disabled - low_complexity @@ -10019,6 +10240,7 @@ sysctl: name: fs.protected_hardlinks value: '1' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -10104,6 +10326,7 @@ sysctl: name: fs.protected_symlinks value: '1' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13441,6 +13664,7 @@ sysctl: name: kernel.core_pattern value: '|/bin/false' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13527,6 +13751,7 @@ sysctl: name: kernel.dmesg_restrict value: '1' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13611,6 +13836,7 @@ sysctl: name: kernel.kexec_load_disabled value: '1' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13693,6 +13919,7 @@ sysctl: name: kernel.perf_event_paranoid value: '2' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13777,6 +14004,7 @@ sysctl: name: kernel.unprivileged_bpf_disabled value: '1' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13860,6 +14088,7 @@ sysctl: name: kernel.yama.ptrace_scope value: '1' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -13944,6 +14173,7 @@ sysctl: name: net.core.bpf_jit_harden value: '2' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -14029,6 +14259,7 @@ sysctl: name: user.max_user_namespaces value: '0' + sysctl_file: /etc/sysctl.conf state: present reload: true when: 
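Review bot: `kernel.kexec_load_disabled` is one-way at runtime — once written as 1 it cannot be cleared until reboot — so with `reload: true` this task immediately and irrevocably blocks `kexec_load` on the live host, including the crash-kernel load that kdump performs; the `sysctl_file` pin is fine, but the task should run after the kdump-disable tasks that appear later in this diff and be called out for hosts that must keep kdump. A comment above the task would spare the next operator a surprise: `# one-way: cannot be reset to 0 without a reboot; kdump cannot load a crash kernel afterwards`. The task's `when:` conditions are outside the hunk.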
@@ -14052,15 +14283,19 @@ - reboot_required - sysctl_user_max_user_namespaces -- name: Disable service systemd-coredump +- name: Block Disable service systemd-coredump block: - name: Disable service systemd-coredump - systemd: - name: systemd-coredump.service - enabled: 'no' - state: stopped - masked: 'yes' - ignore_errors: 'yes' + block: + - name: Disable service systemd-coredump + systemd: + name: systemd-coredump.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + - name: Intentionally ignored previous 'Disable service systemd-coredump' failure, service was already disabled + meta: noop when: - DISA_STIG_RHEL_08_010672 | bool - disable_strategy | bool @@ -14085,7 +14320,7 @@ command: systemctl list-unit-files systemd-coredump.socket register: socket_file_exists changed_when: false - ignore_errors: true + failed_when: socket_file_exists.rc not in [0, 1] check_mode: false when: - DISA_STIG_RHEL_08_010672 | bool @@ -14141,6 +14376,10 @@ - CCE-82251-0 - DISA-STIG-RHEL-08-010675 - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3.1.1 + - PCI-DSSv4-3.3.1.2 + - PCI-DSSv4-3.3.1.3 - coredump_disable_backtraces - low_complexity - low_disruption @@ -14194,6 +14433,10 @@ - CCE-82251-0 - DISA-STIG-RHEL-08-010675 - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3.1.1 + - PCI-DSSv4-3.3.1.2 + - PCI-DSSv4-3.3.1.3 - coredump_disable_backtraces - low_complexity - low_disruption @@ -14208,6 +14451,10 @@ - CCE-82252-8 - DISA-STIG-RHEL-08-010674 - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3.1.1 + - PCI-DSSv4-3.3.1.2 + - PCI-DSSv4-3.3.1.3 - coredump_disable_storage - low_complexity - low_disruption @@ -14261,6 +14508,10 @@ - CCE-82252-8 - DISA-STIG-RHEL-08-010674 - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3.1.1 + - PCI-DSSv4-3.3.1.2 + - PCI-DSSv4-3.3.1.3 - coredump_disable_storage - low_complexity - low_disruption 
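Review bot: The new `rescue` swallows every failure of the inner `Disable service systemd-coredump` task, not just the missing-unit case its name claims, so a real error (mask denied, systemd unreachable, a stale `/etc/systemd/system/systemd-coredump.service` file) now ends as a clean rescue with nothing printed, where `ignore_errors` at least surfaced the message. If `systemd-coredump.service` is not an actual unit on the target — the follow-up check on `systemd-coredump.socket` hints that the socket is the unit that matters — the block takes the rescue branch on every host and nothing is ever masked, while the rescue task name asserts "service was already disabled". Register the inner result (`register: disable_coredump_result`) and replace `meta: noop` with an `ansible.builtin.fail` task guarded by `when: "'Could not find the requested service' not in (disable_coredump_result.msg | default(''))"`, which is the text the `systemd` module emits for an unknown unit as far as I can tell. The block's `when:` list continues outside the hunk.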
@@ -14276,6 +14527,9 @@ - DISA-STIG-RHEL-08-010673 - NIST-800-53-CM-6 - NIST-800-53-SC-7(10) + - PCI-DSSv4-3.3.1.1 + - PCI-DSSv4-3.3.1.2 + - PCI-DSSv4-3.3.1.3 - disable_users_coredumps - low_complexity - low_disruption @@ -14291,7 +14545,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: disable core dumps with limits +- name: Disable core dumps with limits lineinfile: dest: /etc/security/limits.conf regexp: ^[^#].*core @@ -14311,6 +14565,9 @@ - DISA-STIG-RHEL-08-010673 - NIST-800-53-CM-6 - NIST-800-53-SC-7(10) + - PCI-DSSv4-3.3.1.1 + - PCI-DSSv4-3.3.1.2 + - PCI-DSSv4-3.3.1.3 - disable_users_coredumps - low_complexity - low_disruption @@ -14384,6 +14641,7 @@ sysctl: name: kernel.kptr_restrict value: '{{ sysctl_kernel_kptr_restrict_value }}' + sysctl_file: /etc/sysctl.conf state: present reload: true when: @@ -14665,15 +14923,19 @@ - no_reboot_needed | bool - package_abrt_removed | bool -- name: Disable service kdump +- name: Block Disable service kdump block: - name: Disable service kdump - systemd: - name: kdump.service - enabled: 'no' - state: stopped - masked: 'yes' - ignore_errors: 'yes' + block: + - name: Disable service kdump + systemd: + name: kdump.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + - name: Intentionally ignored previous 'Disable service kdump' failure, service was already disabled + meta: noop when: - DISA_STIG_RHEL_08_010670 | bool - disable_strategy | bool @@ -14700,7 +14962,7 @@ command: systemctl list-unit-files kdump.socket register: socket_file_exists changed_when: false - ignore_errors: true + failed_when: socket_file_exists.rc not in [0, 1] check_mode: false when: - DISA_STIG_RHEL_08_010670 | bool @@ -14784,7 +15046,7 @@ package_facts: manager: auto - name: Enable service fapolicyd - service: + systemd: name: fapolicyd enabled: 'yes' state: started @@ -14892,6 +15154,7 @@ state: absent tags: - CCE-82932-5 + - PCI-DSSv4-2.2.4 - disable_strategy - low_complexity - low_disruption 
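Review bot: The `rescue` in the `Block Disable service kdump` task catches any failure of the inner `systemd` call and replaces it with a `noop` whose name asserts the service was already disabled, which is only one of the possible causes; a failed stop or mask leaves kdump active while the play reports success. Narrow the rescue to the missing-unit case by registering the inner result and re-raising anything else; the `Could not find the requested service` text is what Ansible's `systemd` module emits for an unknown unit, as far as I can tell, so match on that rather than on the rescue having been taken. The block's `when:` conditions continue outside the hunk.
```yaml
      - name: Disable service kdump
        systemd:
          name: kdump.service
          enabled: 'no'
          state: stopped
          masked: 'yes'
        register: disable_kdump_result
    rescue:
      - name: Fail unless the kdump unit simply does not exist
        ansible.builtin.fail:
          msg: "{{ disable_kdump_result.msg | default(disable_kdump_result) }}"
        when: "'Could not find the requested service' not in (disable_kdump_result.msg | default(''))"
    # … unchanged: when: / tags: lists …
```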
@@ -14920,7 +15183,8 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82874-9 - - PCI-DSS-Req-10.6.1 + - PCI-DSS-Req-10.4 + - PCI-DSSv4-10.6.1 - enable_strategy - low_complexity - low_disruption @@ -15294,6 +15558,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - low_complexity - low_disruption - medium_severity @@ -15337,6 +15602,7 @@ - restrict_strategy | bool - sshd_set_idle_timeout | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.5', '<=') tags: - CCE-80906-1 - CJIS-5.5.6 @@ -15350,6 +15616,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - low_complexity - low_disruption - medium_severity @@ -15401,6 +15668,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSSv4-8.3.1 - disable_host_auth - low_complexity - low_disruption @@ -15454,7 +15722,8 @@ - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - PCI-DSS-Req-2.2.6 + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2.6 - high_severity - low_complexity - low_disruption @@ -15613,7 +15882,8 @@ - NIST-800-53-CM-7(b) - NIST-800-53-IA-2 - NIST-800-53-IA-2(5) - - PCI-DSS-Req-2.2.6 + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -15716,7 +15986,8 @@ - NIST-800-53-AC-8(a) - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-2.2.6 + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -15848,7 +16119,7 @@ package_facts: manager: auto - name: Enable service usbguard - service: + systemd: name: usbguard enabled: 'yes' state: started @@ -15877,7 +16148,7 @@ - no_reboot_needed - service_usbguard_enabled -- name: allow HID devices and hubs +- name: Allow HID devices and hubs lineinfile: path: /etc/usbguard/rules.conf create: true
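Review bot: The added guard `ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.5', '<=')` silently skips the sshd idle-timeout task on every RHEL derivative (CentOS Stream, Rocky, AlmaLinux and Oracle Linux report a different `ansible_distribution`), so those hosts keep whatever keepalive setting they had and the play reports nothing. If the cap at 8.5 is about the sshd build rather than the vendor, gate on `ansible_os_family == 'RedHat'` (or an explicit distribution list) together with the version test, and add a comment stating why ≤ 8.5 matters, e.g. `# only for sshd builds before RHEL 8.6; see rule description`, since the reason is not visible here. The task definition and the rest of its `when:` list lie outside the hunk.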
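Review bot: `Enable service usbguard` now uses `systemd` with `state: started`, and it still runs before the `Allow HID devices and hubs` rule is written by the next task (which has `create: true`, so `/etc/usbguard/rules.conf` may not exist yet); if the daemon's present-device policy blocks unlisted devices, starting usbguard here can cut off the console keyboard on a physical host before the allow rule lands. The daemon configuration that decides this is not in the diff, so treat it as something to confirm, but the safer order is to write the rule first, or enable here with `enabled: true` only and start via a handler after the rule is in place. As with the other `service`→`systemd` swaps, `enabled: 'yes'` can be the plain boolean `true`.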