From 84e8b339f8000f1090d9c402e988326d9c3269b2 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Wed, 5 Oct 2022 07:32:26 -0400 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 343 +++++++++++++++++++++++-------------------------- 1 file changed, 159 insertions(+), 184 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 376327c..d7d153c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -397,7 +397,7 @@ lineinfile: create: true insertafter: ^\s*\[\s*crypto_policy\s*]\s* - line: .include /etc/crypto-policies/back-ends/opensslcnf.config + line: .include = /etc/crypto-policies/back-ends/opensslcnf.config path: /etc/pki/tls/openssl.cnf when: - DISA_STIG_RHEL_08_010293 | bool @@ -431,7 +431,7 @@ create: true line: '[crypto_policy] - .include /etc/crypto-policies/back-ends/opensslcnf.config' + .include = /etc/crypto-policies/back-ends/opensslcnf.config' path: /etc/pki/tls/openssl.cnf when: - DISA_STIG_RHEL_08_010293 | bool @@ -1607,7 +1607,7 @@ - name: Limit Password Reuse - Ensure the required PAM module line is included in {{ pam_file_path }} ansible.builtin.lineinfile: dest: '{{ pam_file_path }}' - insertafter: ^password.*requisite.*pam_pwquality.so + insertafter: ^password.*requisite.*pam_pwquality\.so line: password requisite pam_pwhistory.so register: result_pam_module_add when: 
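Review bot: The openssl.cnf task at the first hunk (-397) carries no `regexp:` alongside `create`, `insertafter`, `line` and `path`, so `lineinfile` only looks for the exact new text `.include = /etc/crypto-policies/back-ends/opensslcnf.config`; a host already remediated by the previous role version, which wrote the line without `=`, ends up with both spellings under `[crypto_policy]`. As far as I know OpenSSL 1.1.1 accepts either form, so this is an idempotency and cleanliness issue rather than a functional one, but the include would be processed twice. Matching the existing line regardless of the `=` makes the task replace rather than duplicate: `regexp: ^\s*\.include\s*=?\s*/etc/crypto-policies/back-ends/opensslcnf\.config\s*$`. The same consideration applies to the `[crypto_policy]` creation task at -431, whose `when` conditions are only partly visible here.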
@@ -1615,9 +1615,10 @@ - name: Limit Password Reuse - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: - - result_authselect_present.stat.exists - - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed) + when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is + defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) + + ' when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 @@ -1844,7 +1845,7 @@ - name: Limit Password Reuse - Ensure the required PAM module line is included in {{ pam_file_path }} ansible.builtin.lineinfile: dest: '{{ pam_file_path }}' - insertafter: ^password.*requisite.*pam_pwquality.so + insertafter: ^password.*requisite.*pam_pwquality\.so line: password requisite pam_pwhistory.so register: result_pam_module_add when: @@ -1852,9 +1853,10 @@ - name: Limit Password Reuse - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: - - result_authselect_present.stat.exists - - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed) + when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is + defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) + + ' when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 
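Review bot: The new single-line `when:` in both hunks (-1615 and -1852) is a single-quoted scalar whose body ends with a blank line before the closing `'`, so the conditional string carries a trailing newline plus indentation spaces; Ansible's Jinja evaluation tolerates that, but it reads as a generator artifact. A folded block scalar expresses the same expression without the stray whitespace and without the quoting: `when: >-` followed by the indented `result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))`. The added `result_authselect_present is defined` guard is a good change and should stay. The `when:` that follows the hunk appears to belong to an enclosing block whose start is outside this hunk.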
@@ -2040,7 +2042,7 @@ - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: .*auth.*pam_faillock.so (preauth|authfail) + regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false @@ -2049,7 +2051,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth - insertbefore: ^auth.*sufficient.*pam_unix.so.* + insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth @@ -2060,7 +2062,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail - insertbefore: ^auth.*required.*pam_deny.so.* + insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth @@ -2071,7 +2073,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so - insertbefore: ^account.*required.*pam_unix.so.* + insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth @@ -2459,7 +2461,7 @@ files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: .*auth.*pam_faillock.so (preauth|authfail).*deny + regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny state: absent check_mode: true changed_when: false @@ -2658,7 +2660,7 @@ - name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: .*auth.*pam_faillock.so (preauth|authfail) + regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false @@ -2667,7 +2669,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth - insertbefore: ^auth.*sufficient.*pam_unix.so.* + insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth 
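Review bot: The presence check at -2040 (and the parallel checks at -2459 and -2658) still uses `.*auth.*pam_faillock\.so (preauth|authfail)`, and the unanchored `.*` prefix also matches a commented-out line such as `#auth required pam_faillock.so preauth`; with `state: absent` in `check_mode`, that counts as "already enabled" and, if the registered result gates the insert tasks below, the lockout lines are never added. Escaping the dot is the right fix, but the regex should also be anchored to an active `auth` entry: `regexp: ^\s*auth\s+.*pam_faillock\.so\s+(preauth|authfail)`. The `insertbefore` patterns in the same hunks have the same `.*` looseness but are anchored with `^`, so they are not affected.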
@@ -2678,7 +2680,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail - insertbefore: ^auth.*required.*pam_deny.so.* + insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth @@ -2689,7 +2691,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so - insertbefore: ^account.*required.*pam_unix.so.* + insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth @@ -3072,7 +3074,7 @@ enabled in pam files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: .*auth.*pam_faillock.so (preauth|authfail).*fail_interval + regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval state: absent check_mode: true changed_when: false @@ -3275,7 +3277,7 @@ - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: .*auth.*pam_faillock.so (preauth|authfail) + regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false @@ -3284,7 +3286,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth - insertbefore: ^auth.*sufficient.*pam_unix.so.* + insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth @@ -3295,7 +3297,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail - insertbefore: ^auth.*required.*pam_deny.so.* + insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth @@ -3306,7 +3308,7 @@ ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so - insertbefore: ^account.*required.*pam_unix.so.* + insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth 
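Review bot: The insert tasks at -2678, -3284, -3295 and -3306 rely on `insertbefore` alone; when the pattern (`^auth.*sufficient.*pam_unix\.so.*`, `^auth.*required.*pam_deny\.so.*`) does not match, `lineinfile` appends the line at the end of the file, so `auth required pam_faillock.so preauth` would land after `pam_deny.so` and never be evaluated, while the task still reports success. A post-insert verification that re-runs the presence regex against each looped file and fails when it is missing would turn that silent misplacement into a visible error; the `when` conditions of these tasks are outside the hunk, so I cannot tell whether such a check already exists. Note also that on RHEL 8 these files are regenerated by authselect, so direct edits to `/etc/pam.d/system-auth` can be reverted by the next `authselect select`/`apply-changes` unless a custom profile is in use — presumably handled elsewhere in the role, but worth confirming.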
@@ -3696,7 +3698,7 @@ in pam files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: .*auth.*pam_faillock.so (preauth|authfail).*unlock_time + regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time state: absent check_mode: true changed_when: false 
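Review bot: The `unlock_time` check at -3696 reads only `/etc/pam.d/system-auth`, whereas the insert tasks in the earlier hunks loop over `/etc/pam.d/system-auth` and, from the visible loop, presumably `password-auth` as well; if the two files have drifted, a compliant `system-auth` hides a `password-auth` (used by sshd and login) that still lacks the setting. If the registered result gates the loop tasks as it does in the earlier hunks, checking both files — for example by looping the check over the same list and registering the per-file result — would close that gap. The regex should also be anchored to an active `auth` line, `^\s*auth\s+.*pam_faillock\.so\s+(preauth|authfail).*unlock_time`, so a commented-out entry is not counted as configured.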
@@ -4390,128 +4392,6 @@ - low_disruption - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - -- name: Verify GRUB_DISABLE_RECOVERY=true - lineinfile: - path: /etc/default/grub - regexp: ^GRUB_DISABLE_RECOVERY=.* - line: GRUB_DISABLE_RECOVERY=true - state: present - when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' - tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Verify that Interactive Boot is Disabled in /etc/default/grub - replace: - dest: /etc/default/grub - regexp: systemd.confirm_spawn(=(1|yes|true|on)|\b) - replace: systemd.confirm_spawn=no - when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' - tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Verify that Interactive Boot is Disabled (runtime) - command: /sbin/grubby 
--update-kernel=ALL --remove-args="systemd.confirm_spawn" - when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' - tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn - command: grub2-mkconfig -o /boot/grub2/grub.cfg - when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' - tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - - name: require single user mode password lineinfile: create: true @@ -5060,7 +4940,7 @@ - name: Check if umask is already set ansible.builtin.lineinfile: path: /etc/profile - regexp: (^[\s]*[^#]umask)\s+(\d+) + regexp: (^[\s]*umask)\s+(\d+) state: absent check_mode: true changed_when: false @@ -5389,6 +5269,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80680-2 - NIST-800-171-3.3.1 @@ -5454,6 +5335,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82258-5 - NIST-800-53-CM-6 
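Review bot: The hunk starting at -4390 removes the whole `grub2_disable_interactive_boot` set (CCE-80826-1): the `systemd.confirm_spawn=no` replace in `/etc/default/grub`, the `grubby --remove-args="systemd.confirm_spawn"` runtime fix and the `grub2-mkconfig` regeneration, and nothing visible in this diff re-adds that control — the new tasks added later under CCE-86006-4 cover only `GRUB_DISABLE_RECOVERY`. If the rule was intentionally dropped from the profile, a line in the commit description saying so would help reviewers; if it was meant to move, the replacement is missing from this patch. The `umask` regex change at -5060, `(^[\s]*umask)\s+(\d+)`, looks correct: the old `[^#]` demanded a character before `umask` and so never matched a column-0 `umask`, while the new anchor excludes commented lines by construction.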
@@ -5520,6 +5402,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82233-8 - DISA-STIG-RHEL-08-030061 @@ -5588,6 +5471,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82201-5 - DISA-STIG-RHEL-08-030063 @@ -5657,6 +5541,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82897-0 - DISA-STIG-RHEL-08-030062 @@ -5722,6 +5607,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82366-6 - NIST-800-53-CM-6 
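Review bot: Each added `ansible_virtualization_type not in [...]` condition (-5520, -5588, -5657, -5722) assumes the variable exists, but it is only populated by the `setup` module; a play that runs this role with `gather_facts: false` (the preceding `'"audit" in ansible_facts.packages'` only needs `package_facts`) fails on an undefined variable rather than skipping. A default makes the guard safe in both cases: `- ansible_virtualization_type | default('') not in ["docker", "lxc", "openvz", "podman", "container"]`. The container skip itself is reasonable for auditd rule files, since the audit subsystem is not available inside an unprivileged container.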
@@ -6804,6 +6690,67 @@ - no_reboot_needed - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86006-4 + - grub2_disable_recovery + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + when: + - grub2_disable_recovery | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + +- name: Verify GRUB_DISABLE_RECOVERY=true + lineinfile: + path: /etc/default/grub + regexp: ^GRUB_DISABLE_RECOVERY=.* + line: GRUB_DISABLE_RECOVERY=true + state: present + when: + - grub2_disable_recovery | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"grub2-common" in ansible_facts.packages' + tags: + - CCE-86006-4 + - grub2_disable_recovery + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Update grub defaults and the bootloader menu + command: /sbin/grubby --update-kernel=ALL + when: + - grub2_disable_recovery | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"grub2-common" in ansible_facts.packages' + tags: + - CCE-86006-4 + - grub2_disable_recovery + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - name: Gather the package facts package_facts: manager: auto @@ -9219,7 +9166,6 @@ file_type: any register: find_sysctl_d when: - - DISA_STIG_RHEL_08_040259 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -9229,7 +9175,6 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-81024-2 - - DISA-STIG-RHEL-08-040259 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) 
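Review bot: The new "Update grub defaults and the bootloader menu" task runs `/sbin/grubby --update-kernel=ALL` with no `--args`, `--remove-args` or other action, which as far as I know is a no-op, so the `GRUB_DISABLE_RECOVERY=true` written to `/etc/default/grub` by the previous task is never propagated to the generated bootloader configuration. The removed tasks earlier in this patch regenerated the menu with `command: grub2-mkconfig -o /boot/grub2/grub.cfg`; that is what re-reads `/etc/default/grub`, and the task here should do the same (or use `grub2-mkconfig -o "$(readlink -e /etc/grub2.cfg)"` to cover EFI layouts). Unless there is BLS handling I am not seeing, the task name currently promises more than the command delivers. The `DISA-STIG-RHEL-08-040259` tag removals in the `ip_forward` hunks are a metadata change and need no comment.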
@@ -9250,7 +9195,6 @@ replace: '#net.ipv4.ip_forward' loop: '{{ find_sysctl_d.files }}' when: - - DISA_STIG_RHEL_08_040259 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -9260,7 +9204,6 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-81024-2 - - DISA-STIG-RHEL-08-040259 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -9281,7 +9224,6 @@ state: present reload: true when: - - DISA_STIG_RHEL_08_040259 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -9291,7 +9233,6 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-81024-2 - - DISA-STIG-RHEL-08-040259 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -11014,7 +10955,8 @@ - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) tags: - CCE-82623-0 - DISA-STIG-RHEL-08-040123 @@ -11045,7 +10987,8 @@ - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
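Review bot: The added `"/tmp" in ansible_mounts | map(attribute="mount") | list` condition (-11014 onward) makes every `/tmp nodev` task skip silently when `/tmp` is not a separate mount, yet RHEL-08-040123 (in the tags) expects the option to be present; a host with `/tmp` on the root filesystem now reports no change and no failure, which hides the finding rather than remediating it. Unless the `partition_for_tmp` rule is always selected alongside this one, a preceding task that surfaces the gap — e.g. `ansible.builtin.debug: msg: "/tmp is not a separate mount; nodev cannot be applied"` under the inverted condition — would keep the skip visible in the play output. The same pattern is repeated for noexec/nosuid and for `/var/tmp` in the following hunks, so one helper condition or a shared message would avoid the copy-paste. The filter chain binds before `in`, so the expression itself evaluates as intended.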
@@ -11084,7 +11027,8 @@ - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -11114,7 +11058,8 @@ - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-82623-0 @@ -11147,7 +11092,8 @@ - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-82623-0 @@ -11178,7 +11124,8 @@ - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) tags: - CCE-82139-7 - DISA-STIG-RHEL-08-040125 
@@ -11209,7 +11156,8 @@ - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -11248,7 +11196,8 @@ - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -11278,7 +11227,8 @@ - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-82139-7 @@ -11311,7 +11261,8 @@ - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-82139-7 
@@ -11342,7 +11293,8 @@ - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) tags: - CCE-82140-5 - DISA-STIG-RHEL-08-040124 @@ -11373,7 +11325,8 @@ - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -11412,7 +11365,8 @@ - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -11442,7 +11396,8 @@ - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-82140-5 
@@ -11475,7 +11430,8 @@ - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/tmp" in ansible_mounts | + map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-82140-5 @@ -12644,7 +12600,8 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-82068-8 - DISA-STIG-RHEL-08-040132 @@ -12669,7 +12626,8 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -12702,7 +12660,8 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: 
@@ -12726,7 +12685,8 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-82068-8 @@ -12753,7 +12713,8 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-82068-8 @@ -12778,7 +12739,8 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-82151-2 - DISA-STIG-RHEL-08-040134 @@ -12803,7 +12765,8 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -12836,7 +12799,8 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -12860,7 +12824,8 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-82151-2 @@ -12887,7 +12852,8 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-82151-2 @@ -12912,7 +12878,8 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-82154-6 - DISA-STIG-RHEL-08-040133 
@@ -12937,7 +12904,8 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -12970,7 +12938,8 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -12994,7 +12963,8 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-82154-6 @@ -13021,7 +12991,8 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/tmp" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-82154-6 
@@ -14877,6 +14848,7 @@ insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: + - DISA_STIG_RHEL_08_010200 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -14887,6 +14859,7 @@ tags: - CCE-83405-1 - CJIS-5.5.6 + - DISA-STIG-RHEL-08-010200 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-17(a) @@ -14929,6 +14902,7 @@ insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: + - DISA_STIG_RHEL_08_010201 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -14939,6 +14913,7 @@ tags: - CCE-80906-1 - CJIS-5.5.6 + - DISA-STIG-RHEL-08-010201 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-17(a)
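Review bot: Both sshd tasks (-14877, -14929) insert with `insertbefore: ^[#\s]*Match` and no `firstmatch`, and `lineinfile` inserts before the last match of that pattern, so on an `sshd_config` with more than one `Match` block the `ClientAlive*` directive ends up inside an earlier `Match` block, where it only applies to the matched users or addresses rather than globally. Adding `firstmatch: true` next to `insertbefore` places the line before the first `Match` and keeps it global; the `validate: /usr/sbin/sshd -t -f %s` check would not catch this, since the directive is legal inside a `Match` block. The `regexp` that presumably precedes `insertbefore` is outside the hunk, so this only matters when no existing `ClientAliveInterval`/`ClientAliveCountMax` line is found. The new `DISA_STIG_RHEL_08_010200 | bool` / `_010201 | bool` conditions assume those variables are defined in the role defaults — worth confirming, since an undefined variable here fails the task rather than skipping it.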