Merge pull request #384 from ansible-lockdown/devel

Devel to Main release Stig V3R4 Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Sep 15, 2021 · 2b4a30c · 2b4a30c
2 parents 03a9d19 + ebfb668
commit 2b4a30c
Show file tree

Hide file tree

Showing 9 changed files with 365 additions and 316 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,9 +1,12 @@
-**Overall Review of Changes**
+**Overall Review of Changes:**
 A general description of the changes made that are being requested for merge
 
-**Any Related Open Issues**
-Please list any open issues this PR addresses
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
 
-**How as this been tested?**
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
 Please give an overview of how these changes were tested. If they were not please use N/A
 
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,3 +1,11 @@
+### Release 1.3.0
+# Release STIG Version
+[Version 3, Rel 4 released on Jul 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R4_STIG.zip)
+
+## What's new
+- Updated to match Version 3 release 4 benchmarks from Jul 2021
+- Refined controls to use package_facts to shorten blocks
+
 ### Release 1.2.0
 # Release STIG Version
 [Version 3, Rel 3 released on Jan 22, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R3_STIG.zip)

diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ RHEL 7 DISA STIG
 
 Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.
 
-This role is based on RHEL 7 DISA STIG: [Version 3, Rel 3 released on Apr 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R3_STIG.zip).
+This role is based on RHEL 7 DISA STIG: [Version 3, Rel 4 released on Jul 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R4_STIG.zip).
 
 Updating
 --------

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -33,7 +33,7 @@ run_audit: false
 # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
 audit_run_heavy_tests: true
 # Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 30000
+audit_cmd_timeout: 60000
 
 ### End Audit enablements ####
 #### Detailed settings found at the end of this document ####
@@ -139,11 +139,16 @@ rhel_07_010310: true
 rhel_07_010320: true
 rhel_07_010330: true
 rhel_07_010340: true
+rhel_07_010341: true
+rhel_07_010342: true
+rhel_07_010343: true
 rhel_07_010350: true
 rhel_07_010430: true
 rhel_07_010460: true
 rhel_07_010470: true
 rhel_07_010481: true
+rhel_07_010483: true
+rhel_07_010492: true
 rhel_07_010500: true
 rhel_07_020019: true
 rhel_07_020020: true
@@ -314,9 +319,7 @@ rhel_07_041002: true
 rhel_07_041003: true
 rhel_07_041010: true
 rhel_07_910055: true
-rhel_07_010341: true
-rhel_07_010342: true
-rhel_07_010343: true
+
 # CAT 3 rules
 rhel_07_020200: true
 rhel_07_020300: true
@@ -473,6 +476,9 @@ rhel7stig_overwrite_aide_db: true
 rhel7stig_aide_temp_db_file: /var/lib/aide/aide.db.new.gz
 rhel7stig_aide_db_file: /var/lib/aide/aide.db.gz
 
+# RHEL-07-010483 & RHEL-07-010492
+rhel7stig_grub_superusers: su_mode_superuser
+
 rhel7stig_aide_cron:
     user: root
     cron_file: aide

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -44,6 +44,9 @@
       - RHEL-07-010010
       - CAT1
       - CCI-001494
+      - CCI-001496
+      - CCI-002165
+      - CCI-002235
       - SRG-OS-000257-GPOS-00098
       - SV-204392r646841_rule
       - V-204392
@@ -80,6 +83,7 @@
       - RHEL-07-010020
       - CAT1
       - CCI-001749
+      - SRG-OS-000480-GPOS-00227
       - SV-214799r603261_rule
       - V-214799
       - packages
@@ -230,20 +234,20 @@
         when:
             - rhel7stig_machine_uses_uefi
 
-      - name: |
-          "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
-          "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
-        lineinfile:
-            path: /etc/grub.d/01_users
-            regexp: "{{ item.regexp }}"
-            line: "{{ item.line }}"
-        notify:
-            - make grub2 config
-        with_items:
-            - regexp: ^\s*set superusers=
-              line: '    set superusers="{{ rhel7stig_boot_superuser }}"'
-            - regexp: ^\s*export superusers
-              line: '    export superusers'
+      # - name: |
+      #     "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
+      #     "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
+      #   lineinfile:
+      #       path: /etc/grub.d/01_users
+      #       regexp: "{{ item.regexp }}"
+      #       line: "{{ item.line }}"
+      #   notify:
+      #       - make grub2 config
+      #   with_items:
+      #       - regexp: ^\s*set superusers=
+      #         line: '    set superusers="{{ rhel7stig_boot_superuser }}"'
+      #       - regexp: ^\s*export superusers
+      #         line: '    export superusers'
   when:
       - rhel_07_010482 or
         rhel_07_010491
@@ -253,12 +257,12 @@
       - RHEL-07-010482
       - CCI-000213
       - SRG-OS-000080-GPOS-00048
-      - SV-204438r603261_rule
+      - SV-204438r744095_rule
       - V-204438
       - RHEL-07-010491
       - CCI-000213
       - SRG-OS-000080-GPOS-00048
-      - SV-204440r603261_rule
+      - SV-204440r744098_rule
       - V-204440
       - grub
       - bootloader
@@ -386,7 +390,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204458r603261_rule
+      - SV-204458r744100_rule
       - V-204458
       - complexity-high
 
@@ -574,6 +578,7 @@
       - RHEL-07-032000
       - CAT1
       - CCI-001668
+      - SRG-OS-000480-GPOS-00227
       - SV-214801r603261_rule
       - V-214801
       - antivirus
@@ -619,6 +624,7 @@
       - RHEL-07-040540
       - CAT1
       - CCI-000366
+      - SRG-OS-000480-GPOS-00227
       - SV-204606r603261_rule
       - V-204606
       - shosts