V1r16 updates (#114)

* removed V-38635 per V1R16

* add vagrant testing for local dev/etc

* add fix for #112 - non idempotent task

* update README to reflect V1R16 change

README.md

@@ -14,7 +14,7 @@ To install this role with `ansible-galaxy` use the following command:
 
 `ansible-galaxy install -p roles nousdefions.STIG-RHEL6`
 
-Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 15 - 2017-04-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip).
+Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 16 - 2017-07-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R16_STIG.zip).
 
 This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-rhel6stig)
 

tasks/cat3.yml

@@ -1154,12 +1154,18 @@
       - access
       - patch
 
-- name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs."
-  lineinfile:
-      line: "-a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
-      state: present
-      dest: /etc/audit/audit.rules
-  with_items: "{{ setugid_programs.stdout_lines }}"
+- block:
+    - name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs."
+      shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null
+      changed_when: false
+      register: setugid_programs
+
+    - name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs."
+      lineinfile:
+          line: "-a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
+          state: present
+          dest: /etc/audit/audit.rules
+      with_items: "{{ setugid_programs.stdout_lines }}"
   tags:
       - cat3
       - low
@@ -1456,19 +1462,6 @@
       - openldap_server
       - audit
 
-- name: "LOW | V-38635 | PATCH | The audit system must be configured to audit all attempts to alter system time through adjtimex."
-  lineinfile:
-      line: -a always,exit -F arch={{ audit_arch }} -S adjtimex -k audit_time_rules
-      dest: /etc/audit/audit.rules
-      state: present
-  tags:
-      - cat3
-      - low
-      - V-38627
-      - auditd
-      - system_time
-      - patch
-
 - name: "LOW | V-38639 | AUDIT | The system must display a publicly-viewable pattern during a graphical desktop environment session lock."
   command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode
   register: gconftool_pattern_audit
@@ -2306,6 +2299,7 @@
 
 - name: "LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services."
   selinux:
+      conf: /etc/selinux/config
       policy: "{{ rhel6stig_selinux_pol }}"
       state: enforcing
   tags:

tasks/prelim.yml

@@ -210,17 +210,6 @@
       - auditd
       - patch
 
-- name: "PRELIM | List setuid / setgid programs on all mounted filesystems"
-  shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null
-  changed_when: false
-  register: setugid_programs
-  tags:
-      - cat3
-      - low
-      - V-38567
-      - auditd
-      - patch
-
 - name: "PRELIM | List /etc/fstab mount points"
   shell: 'awk ''/^[^#]/ { print $2; }'' /etc/fstab'
   changed_when: false

tests/README.md

@@ -0,0 +1,91 @@
+RHEL 6 DISA STIG Testing
+================
+Local testing of this role can be accomplished easily by using Vagrant. The included Vagrantfile has box definitions for a CentOS 6 and RHEL 6 based test machine. Additionally there are various playbooks in this directory for applying the STIG role to the boxes and there is a provision step in the Vagrantfile that will apply the role when the machine boots.
+
+Testing the idempotence of the role can be acomplished by running the role_idempotent_check.yml playbook 
+
+Requirements
+------------
+vagrant>=2.0
+
+ansible>=2.4.0.0
+
+Galaxy Roles
+
+samdoran.redhat-subscription
+
+```shell
+ansible-galaxy install -r requirements.yml
+```
+
+`vagrant-inventory` file with proper values in it.
+```ini
+[baseline_hosts]
+centos6 ansible_port=2200  ansible_ssh_private_key_file=.vagrant/machines/centos6-stig/virtualbox/private_key
+rhel6 ansible_port=2201 ansible_ssh_private_key_file=.vagrant/machines/rhel6-stig/virtualbox/private_key
+
+[baseline_hosts:vars]
+ansible_host=127.0.0.1
+ansible_user=vagrant
+```
+
+Example Testing
+-----------------
+
+Spin up a new CentOS and RHEL box in Vagrant to run the tests on and apply the STIG.
+
+```shell
+vagrant up
+```
+
+Or if you don't want to run the initial provision steps at this time.
+
+```shell
+vagrant up --no-provision
+```
+
+Not running the provision steps in vagrant is sometimes preferred because vagrant will not run the play in parallel on both hosts, it will run on each host in serial. 
+
+If you did not provision in the above step then run Ansible to provision the host.
+
+```shell
+ansible-playbook -i vagrant-inventory apply_role.yml -e @extra_vars_vagrant.yml
+```
+
+If there are no failures then we want apply the role again and test for idempotence.
+
+```shell
+ansible-playbook -i vagrant-inventory role_idempotent_check.yml
+```
+The idempotence check playbook runs the STIG role in silent mode (redirecting play/task output to JSON). You will not see each individual task run and it will take ~5min to complete.
+
+After you are done you may see output like below if the idempotence check fails. The `assert` tasks give pass or fail for CentOS 6 and RHEL 6 respectively and give a list of the non-idempotent tasks from the run.
+
+```
+TASK [assert] ******************************************************************
+fatal: [centos6]: FAILED! => {
+    "assertion": "play_output.stats.centos6.changed == 0", 
+    "changed": false, 
+    "evaluated_to": false, 
+    "failed": true, 
+    "msg": "Role FAILED idempotent test on CentOS6: [u'MEDIUM | V-51363 | PATCH | The system must use a Linux Security Module configured to enforce limits on system services.', u'LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services.'] tasks reported change on second run."
+}
+fatal: [rhel6]: FAILED! => {
+    "assertion": "play_output.stats.centos6.changed == 0", 
+    "changed": false, 
+    "evaluated_to": false, 
+    "failed": true, 
+    "msg": "Role FAILED idempotent test on CentOS6: [u'MEDIUM | V-51363 | PATCH | The system must use a Linux Security Module configured to enforce limits on system services.', u'LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs.', u'LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services.'] tasks reported change on second run."
+}
+
+PLAY RECAP ******************************************************************
+centos6                    : ok=5    changed=1    unreachable=0    failed=1   
+rhel6                      : ok=5    changed=1    unreachable=0    failed=1   
+```
+
+After you are done you should clean up.
+
+```shell
+ansible-playbook -i vagrant-inventory deregister.yml
+vagrant destroy -f
+```

tests/apply_role.yml

@@ -0,0 +1,18 @@
+- name: Apply STIG
+  hosts: baseline_hosts
+  become: yes
+
+  tasks:
+    - name: Register system with RedHat
+      include_role:
+        name: redhat-subscription
+      when: ansible_distribution == 'RedHat'
+
+    - name: Remove EPEL
+      yum:
+        name: epel-release
+        state: absent
+
+    - name: Apply STIG
+      include_role:
+        name: ../../RHEL6-STIG

tests/deregister.yml

@@ -0,0 +1,11 @@
+- name: Red Hat subscription state
+  hosts: all
+  become: yes
+
+  vars:
+    rhsub_state: absent
+
+  tasks:
+    - include_role:
+        name: redhat-subscription
+      when: ansible_distribution == 'RedHat'

tests/extra_vars_vagrant.yml

@@ -0,0 +1,5 @@
+rhel6stig_cat1: yes
+rhel6stig_cat2: yes
+rhel6stig_cat3: yes
+
+rhel6stig_antivirus_required: no

tests/requirements.yml

@@ -0,0 +1,2 @@
+- src: samdoran.redhat-subscription
+  name: redhat-subscription

tests/role_idempotent_check.yml

@@ -0,0 +1,34 @@
+- name: Tets role idempotence
+  hosts: baseline_hosts
+  become: yes
+
+  vars:
+    extra_vars_file: extra_vars_vagrant.yml
+
+  tasks:
+    - name: Apply STIG - idempotence test - SILENT OUTPUT
+      shell: "ansible-playbook -i vagrant-inventory apply_role.yml -e @{{extra_vars_file}}"
+      environment:
+        ANSIBLE_STDOUT_CALLBACK: json
+      delegate_to: localhost
+      become: no
+      register: run_result
+
+    - set_fact:
+        play_output: "{{run_result.stdout|from_json}}"
+
+    - set_fact:
+        centos6_changed: "{{play_output|json_query('plays[].tasks[?hosts.centos6.changed].task.name')}}"
+
+    - set_fact:
+        rhel6_changed: "{{play_output|json_query('plays[].tasks[?hosts.centos6.changed].task.name')}}"
+
+    - assert:
+        that:
+          - "play_output.stats.centos6.changed == 0"
+        msg: "Role FAILED idempotent test on CentOS6: {{centos6_changed|join('\n')}} tasks reported change on second run."
+
+    - assert:
+        that:
+          - "play_output.stats.rhel6.changed == 0"
+        msg: "Role FAILED idempotent test on RHEL6: {{rhel6_changed|join('\n')}} tasks reported change on second run."

tests/vagrant-inventory

@@ -0,0 +1,7 @@
+[baseline_hosts]
+centos6 ansible_port=2200  ansible_ssh_private_key_file=.vagrant/machines/centos6-stig/virtualbox/private_key
+rhel6 ansible_port=2201 ansible_ssh_private_key_file=.vagrant/machines/rhel6-stig/virtualbox/private_key
+
+[baseline_hosts:vars]
+ansible_host=127.0.0.1
+ansible_user=vagrant

tests/vagrant_provision.yml

@@ -0,0 +1,18 @@
+- name: Setup hosts and apply STIG
+  hosts: all
+  become: yes
+
+  tasks:
+    - name: Register system with RedHat
+      include_role:
+        name: redhat-subscription
+      when: ansible_distribution == 'RedHat'
+
+    - name: Remove EPEL
+      yum:
+        name: epel-release
+        state: absent
+
+    - name: Apply STIG
+      include_role:
+        name: ../../RHEL6-STIG